Decades ago, the internet was built to give people a way to access and share information fast. What it wasn’t built for was safety, which is how we ended up with an entire month dedicated to cybersecurity. And after the year we’ve just had, it’s fitting that Cybersecurity Awareness Month 2022 is focused so heavily on Identity Security behaviors. But if you’re looking for another post on why your organization should be using multifactor authentication (MFA), this isn’t it.
As a fellow cybersecurity professional, I imagine you already know MFA can help block up to 99.9% of account compromise attacks, reduce reliance on risky passwords and simplify user authentication experiences with the help of behavior-based analytics. You understand many security teams (possibly even your own) have taken their first step toward Zero Trust by implementing MFA. You’re also very aware that attackers have gotten better at tricking users into giving up their second authentication factors, and in some instances, they’ve found ways to bypass MFA mechanisms completely.
Your MFA controls need a checkup this Cybersecurity Awareness Month. Start with these seven questions.
Thanks to repeated front-page news coverage, MFA fatigue attacks (also called push bombing) are likely high on your radar. In these, a threat actor first obtains a valid password through digital or voice-based phishing, then fires repeated MFA push requests at the target’s mobile device until the employee or third-party vendor, worn down or confused, approves one.
Yes, employee training is an important preventative step. But taking a hard look at how — and where — you’re deploying MFA is even more important. As you do, reviewing these seven questions will help make sure your organization is making the most of its MFA deployment.
Is your MFA system currently…
1. Using standards-based single sign-on (SSO)? Since credentials are inherently vulnerable to compromise, look for every opportunity to use fewer of them. Combining MFA with SSO eliminates user friction by reducing logons and swapping passwords for more intuitive methods like device certificates or biometrics. When possible, use or build SSO tools supporting standard protocols such as SAML or OpenID Connect.
2. Locking down MFA registrations? When MFA is provisioned to a user, you need ways to verify that each user is who they claim to be. Otherwise, attackers can steal passwords and try to register their own devices as authentication factors. To reduce risk, consider using an out-of-band process such as a phone call to check if a registration request was legitimate, only allowing registration for one device per user and requiring a valid physical ID, such as a passport, as part of the user registration process.
3. Limiting MFA prompts? When users get bombarded with requests, they may respond without thinking or out of exasperation. Capping the number of MFA prompts a user can receive within a given period blunts user fatigue and takes away the attacker’s ability to simply keep trying. Treat a burst of denied or expired prompts for one account as a signal in its own right: it usually means the password is already in the wrong hands and should trigger a password reset and an investigation, not just a quieter inbox.
4. Strengthened with privileged access management (PAM) controls to protect all channels? This is critical for protecting sensitive resources. With this approach, credentials for accessing a sensitive server, for example, are stored in a centralized vault. MFA is required to log into the vault and check out the credential for the server. Intelligent privileged controls make it possible to isolate sessions, so the credential is not exposed on the endpoint, and monitor all credential usage, regardless of channel.
5. Using analytics to balance security and productivity? You’re part of a rock-star team, but at some point, you all need to sleep. Leaning on AI and machine learning makes it possible to assess each access request based on historical user behavior, device and network patterns in real time. If this context is not “normal,” the system can adapt controls such as requesting reauthentication or adjusting the level of access and automatically detect risky activity earlier in the attack lifecycle. Analytics can help to minimize end-user friction by putting up gates only when absolutely necessary, based on a risk score. What’s more, 90% of organizations employing contextually aware automation can quantify reduced IT effort and costs.
6. Configured to record and monitor user activity in web applications? If not, there will be little to dig through after an incident. Eighty percent of organizations report employee misuse or abuse of access to business applications, yet nearly half (48%) have limited ability to view user logs and audit user activity. This makes it difficult to understand and control how employees and third-party partners are using web apps and handling confidential data. Take steps to configure your system to record user actions within protected apps, create complete and searchable audit trails and re-prompt users for reauthentication during high-risk sessions (via a QR code scan, for instance). Also consider endpoint controls that prevent users from copying data or downloading files.
7. Supported by layered defense-in-depth controls? Even the most masterfully configured MFA systems aren’t fail-proof. That’s why layering Identity Security controls and practices — such as consistently enforcing least privilege and removing standing access to sensitive infrastructure and cloud consoles — is so critical. If one system falls down, another stands ready to block attacks and keep sensitive assets out of harm’s way.
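To make question 3 concrete, here is an added example (written for this post, not CyberArk’s own code or any product’s API) of the two controls it describes: a per-user throttle that refuses to send more than a set number of push prompts in a time window, and a detector that scans authentication events for the fatigue-attack pattern, a burst of denied or timed-out prompts, optionally followed by the approval that means the attacker got in. The event format, the thresholds and the sample events are illustrative assumptions.

```python
"""Added example, not from the original post: throttle MFA push prompts per
user and flag the push-bombing pattern in authentication events.
Thresholds, event fields and the sample data below are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PushEvent:
    ts: float      # seconds since epoch (constructed values below)
    user: str
    result: str    # "approved", "denied" or "timeout"


class PushThrottle:
    """Allow at most `limit` push prompts per user inside `window` seconds.
    Anything beyond that is suppressed, so a stolen password cannot be turned
    into an endless stream of approve/deny pop-ups on the victim's phone."""

    def __init__(self, limit: int = 3, window: float = 300.0):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)   # user -> timestamps of sent prompts

    def allow(self, user: str, now: float) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:   # drop prompts outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def detect_fatigue(events, window: float = 600.0, min_rejections: int = 3):
    """Return {user: finding} for users with >= min_rejections denied or
    timed-out prompts within `window` seconds. "burst" means the user held
    out; "approved_after_burst" means an approval followed the burst, which
    is the classic sign that the fatigue attack succeeded."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        rejected = deque()        # timestamps of recent denied/timeout prompts
        burst = approved_after_burst = False
        for e in evs:
            while rejected and e.ts - rejected[0] > window:
                rejected.popleft()
            if e.result in ("denied", "timeout"):
                rejected.append(e.ts)
                if len(rejected) >= min_rejections:
                    burst = True
            elif e.result == "approved" and len(rejected) >= min_rejections:
                approved_after_burst = True
        if burst:
            findings[user] = "approved_after_burst" if approved_after_burst else "burst"
    return findings


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    PushEvent(1000, "alice", "denied"),
    PushEvent(1030, "alice", "denied"),
    PushEvent(1065, "alice", "timeout"),
    PushEvent(1100, "alice", "denied"),
    PushEvent(1140, "alice", "approved"),   # alice gave in: attack succeeded
    PushEvent(2000, "bob", "approved"),     # ordinary login
    PushEvent(5000, "bob", "denied"),       # one stray denial, not a burst
    PushEvent(5020, "carol", "denied"),
    PushEvent(5040, "carol", "denied"),
    PushEvent(5060, "carol", "denied"),     # burst, but carol never approved
]


if __name__ == "__main__":
    throttle = PushThrottle(limit=3, window=300)
    print([throttle.allow("alice", t) for t in (0, 10, 20, 30, 301)])
    print(detect_fatigue(SAMPLE_EVENTS))
```

In a real deployment the throttle sits in front of whatever sends the push, and the detector runs over the identity provider’s sign-in log; a hit for `approved_after_burst` is worth an immediate session revocation and password reset, while a plain `burst` still tells you the password is compromised.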
I hope these questions prompt even more questions about how a unified Identity Security strategy — centered on intelligent privilege controls — can help you and your team #BeIdentitySmart and better defend against attacks, satisfy audit and compliance, enable the digital business and drive operational efficiencies.
If you’re looking to better understand the identity attack chain, brush up on best practices this Cybersecurity Awareness Month or pinpoint identity-based weaknesses in your environment, the CyberArk Blueprint for Identity Security Success is a great place to start.