THE BLOG
-
Jun 30, 2022MFA is a Requirement (but Not Perfect)
In the age of sophisticated phishing attacks and credential harvesting, multi-factor authentication (MFA) is a crucial part of any security program. It is often trivial for attackers to gain access to a user’s credentials through password spraying or phishing campaigns. Even though most organizations educate users regarding phishing threats, a percentage of employees will still likely fall for them, providing their credentials unknowingly to attackers. In an environment of distractions, users will fail to see the 'external' banner, the mistyped domains, and the lack of encryption on the web page collecting their credentials – some of the common tell-tale signs of a phishing attack.
You can enforce user lockouts for login pages and put technology in place to block most phishing attempts, but it is very likely that something, or someone, will get through. MFA gives your organization the peace of mind to know that if a user does fall victim to credential theft, a breach to the environment is less likely since an MFA token would be needed for access.
Note, it is not good enough to just lockdown VPN, all external access points into the environment must be protected: VPN, Webmail, Collaboration Tools, etc. Services that allow for multi-factor bypass (like EWS) should be limited or shut off completely. Users should not be allowed 'exceptions' to bypass this control.
Keep in mind that MFA is not a magic pill answer to every problem. Sophisticated phishing attacks can trick a user into allowing the attacker into the environment by providing the passcode or acceptance to a push request, but these happen less frequently than other types of attacks. User education about the specifics of what a 'real' phishing attack of today looks like will help as well. Without MFA you are not only susceptible to attack, but there could be a hard-to-spot attacker in your internal network environment right now. Depending on the compromised account without MFA, the attacker may have significant access privileges.
What we know is that no security measure is perfect or infallible. The security layers in place – with MFA close to the top of the list (right up there with logging!) – will help to create an environment that will hold up to many of today's malicious activities.
-
May 31, 2022Trust but Verify
The landscape of technology has changed drastically over the past two decades. Companies trying to do it all themselves is a thing of the past. SaaS, PaaS and IaaS are all the rage and organizations are adopting solutions to run many aspects of their businesses. With this evolution comes risk. Even as companies look to lessen their burden of onsite data and regulatory obligations by pushing them off to third party vendors, security remains a major concern.
Today, organizations must enter into relationships with trust, but not trust alone. Contracts are a must and verification of security practices is too. All too often, companies look past the security concerns assuming that if the software they are going to use is out in the marketplace, that it must be secure.
Unfortunately, there are many software companies that go to market without a clear security plan, and without the proper controls in place. It is imperative that organizations take the time to ask about security practices and obtain attestation letters stating the solution has been penetration tested appropriately. Also important is to receive concrete assurances that security protocols are being followed, delivering upon the regulatory needs of the company, and aligning to the risk appetite of the organization.
Be sure to look at new third party vendors and ask security questions ahead of signing the contract. Before a signature, the vendor is more likely to share information quickly as it is holding up the contract from being executed. Additionally, you can make decisions about moving forward without the legal trouble of undoing a contract if this information is requested early enough in the process.
If you decide to move forward despite security gaps, track the risk and follow up with the company periodically to see if the risks have been remediated. And if your third-party software vendor doesn’t have penetration test results feel free to send them our way.
