{"id":6407,"date":"2019-02-19T12:17:39","date_gmt":"2019-02-19T20:17:39","guid":{"rendered":"http:\/\/www.ucright.com\/new\/?p=6407"},"modified":"2019-02-19T16:40:10","modified_gmt":"2019-02-20T00:40:10","slug":"the-importance-of-mfa","status":"publish","type":"post","link":"https:\/\/www.ucright.com\/new\/2019\/02\/19\/the-importance-of-mfa\/","title":{"rendered":"The importance of MFA"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"6407\" class=\"elementor elementor-6407 elementor-bc-flex-widget\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-214a5270 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"214a5270\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-30a2af7f\" data-id=\"30a2af7f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2508e7ef elementor-widget elementor-widget-text-editor\" data-id=\"2508e7ef\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p>As is so often the case in IT, the importance of a particular process, technology or requirement only becomes apparent to end users and\/or management when something bad happens.<\/p>\n<p>\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>Many times when there is a major &#8220;fire&#8221;, management is finally willing to pay for that colo or cloud service you\u2019ve been suggesting.\u00a0 A critical server crashes, they finally approve the upgrade to the backup system 
you\u2019ve been begging for.\u00a0 A major security flaw is discovered in your firewall\u2019s firmware: \u201cSure, we will finally pay for the support agreement\u201d so you can upgrade the code.<\/p>\n<p>\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>Similar to those examples, MFA becomes a hot topic for management anytime an executive\u2019s email gets hacked or another article hits the news about a major breach that could have been easily avoided if MFA were in place.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>A recent example comes directly from US Homeland Security in\u00a0the form of an emergency directive\/notification sent out last month:<\/p>\n<p><\/p>\n<p><\/p>\n<p><a href=\"https:\/\/cyber.dhs.gov\/ed\/19-01\/\">https:\/\/cyber.dhs.gov\/ed\/19-01\/<\/a><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>This directive details an ongoing attack, which is believed to be the work of a foreign nation\u2019s intelligence agency, against companies and organizations across the globe.\u00a0<\/p>\n<p>\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>The attack is relatively simple in its implementation:\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>First, hack into a company\u2019s external DNS provider.\u00a0 How do they do this?\u00a0 Well, who would have guessed &#8211; Password1 is not a secure password.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>Then, once you have access to the DNS entries, reroute them to your own webserver, after which you proxy them back to the site you\u2019ve hacked.\u00a0 For the end user of that site it seems like they are still getting to the right place, which they are\u2026 however, the hacker\u2019s server is now doing a man-in-the-middle attack, allowing them to capture your session, credentials, 
etc.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>You might be thinking, well, what good is that (and if that was all that was happening, you wouldn\u2019t be wrong)\u2026 \u201cwon\u2019t the SSL lock in the browser protect me against that happening?\u201d\u00a0 Well, it would, except that now that the attacker controls your public DNS, they are able to get a valid SSL certificate issued by any public certificate authority.\u00a0 Certificate authorities confirm domain ownership through checks that DNS control can satisfy, so once a hacker has control of your external DNS, they can have a valid SSL certificate issued for your domain name and then install it on their own webserver.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>And so, in case it\u2019s not immediately clear what would have stopped this from the get-go: MFA on your DNS\/CA provider ensures that even if your password really was that bad, the hacker still wouldn\u2019t have gotten in without physical access to \u201csomething you have\u201d.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>Although it may not be something you think of as that common, we have all probably been using MFA for decades.\u00a0 An ATM card, as an example, is a form of MFA.\u00a0 The best description I\u2019ve heard in the past is that MFA is \u2018something you know\u2019 paired with \u2018something you have\u2019.\u00a0 I.e. 
an ATM card and your PIN.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>MFA in the IT world comes in many flavors and levels of sophistication\/security.\u00a0\u00a0 Whether it is a simple, and not incredibly secure, message emailed or texted to your phone to confirm a login, an authenticator service\/app from Duo, Okta, Microsoft or Google, or an even more secure crypto token or fob, having at least one of these methods in place should be a priority for all IT admins and for all IT resources like your DNS\/CA\/Registrar, etc.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>Further, as attacks continue to become more and more common across all types of organizations, we as IT influencers should be pushing our critical end users (think CxOs, Directors and other VIPs) to start using MFA to protect their businesses and reputations.\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>Finally, while we understand the challenges of deploying new technology to end users, especially ones that require additional levels of effort by those end users, we at UCRIGHT firmly believe that in the short- to near-term future it\u2019s going to become a necessity to deploy advanced MFA to all users in your environment to fully safeguard your business.<\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>There is obviously a cost associated with each new technology you deploy &#8211; Google recently released a great study around its internal deployment of crypto keys made by Yubico, which you can read more about here: <a href=\"https:\/\/www.yubico.com\/2016\/02\/use-of-fido-u2f-security-keys-focus-of-2-year-google-study\/\">https:\/\/www.yubico.com\/2016\/02\/use-of-fido-u2f-security-keys-focus-of-2-year-google-study\/<\/a><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p>An interesting takeaway from the study was that even with the cost of the keys, the time and money saved by not having 
password lockouts, reducing IT intervention to fix, paid for 2 keys per user.\u00a0 This was in addition to the time savings across the enterprise from not having to manually enter codes for each login.<\/p>\n<p><\/p>\n<p><\/p>\n<p>\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p>Here at UCRIGHT we realize not every company is like Google and may not have the know-how or resources to go down this path by themselves.\u00a0 That\u2019s why we\u2019ve partnered with leading companies in the MFA space and can help you design and implement a solution for your company.<\/p>\n<p>\u00a0<\/p>\n<p><\/p>\n<p><\/p>\n<p><a href=\"http:\/\/www.ucright.com\/new\/contact\/\">Contact us<\/a> today for help tailoring the right MFA solution for your needs!<\/p>\n<p><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>As is so often the case in IT, the importance of a particular process, technology or requirement only becomes apparent 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6407","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/posts\/6407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/comments?post=6407"}],"version-history":[{"count":7,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/posts\/6407\/revisions"}],"predecessor-version":[{"id":6426,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/posts\/6407\/revisions\/6426"}],"wp:attachment":[{"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/media?parent=6407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/categories?post=6407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ucright.com\/new\/wp-json\/wp\/v2\/tags?post=6407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}