It (Should) Be an MFA World, We Are Just Living in It

Last week I was working in front of my laptop (happily, for any Compass staff reading) when I got an incoming text message. It was from Verizon. They had received my service request and were working on it. It was quickly followed by another text saying I could check the status of my request if I clicked this link. I was super impressed by their responsiveness and communications, until I realized I never made any request.

Now, being someone who looks at security for a living, I’ve seen these texts come in plenty of times before, trying to get me to click on the link to enter credentials to be stolen, or install filthy ransomware on my system. But not me, I was too smart for that! I’ve told dozens of clients to never trust links when you aren’t expecting them! I applauded myself for listening to my own advice and logged directly onto Verizon on my laptop to prove this was a texting phish. Maybe I could make a blog out of it!

Upon logging in, I quickly saw that there WAS a service request put in, requesting copies of my billing statements. Crap. There goes the phishing blog. More importantly, since I didn’t put in the request, and I don’t know who did, now I have ANOTHER issue to worry about. Who put in the request? I could see it went in 15 minutes ago, but that was it. I cancelled the request and realized that someone might have compromised my Verizon credentials. Now I had some work to do.

I looked at the account information; no other changes or issues I could see. So, I went and changed my password immediately, again as a good security auditor should, and was prompted to add multi-factor authentication (MFA) to my account, which I quickly said, “Heck Yeah”, set it up, and tested it out. I use a password vault, changed that master password, and changed my Gmail password too (on the off chance they got that first and started trolling my email for accounts I own – security guys get paranoid easily).

I will be honest; I use MFA on my work accounts. I have passwords and biometrics on my phone. And SOME of my accounts have been set up with MFA. But there are so many of them, and many were set before MFA was even offered. Or maybe they just had a challenge question (how to set those up is a whole other blog). So even I haven’t gone through EVERY account I own to see if they offer MFA. I was lucky in this case, and I haven’t seen a sign of anything else. I never was able to determine if and how my account might've been compromised. It could've been that my password turned up in a data breach and was floating around on the dark web, but I can't say for certain.

Now, I typed up that story because it is an example of one small instance of things that could end up giving me a headache that might have been avoided if I had MFA installed. And yes, I know it isn’t a silver bullet, and yes, I know there are ways to defeat it, but I always use my house analogy to explain the defense in depth model. You’re an old-time crook with a long evil mustache and yellow teeth. You’re walking down the street to rob a house. You see three. One has a lock on the door. That’s your username. One has a lock AND a deadbolt. The deadbolt is your password. The third has a lock, a deadbolt, and what sounds to be a very large, angry, hungry dog inside. The dog is MFA. Can you get by the dog? Possibly. But the crook is a lot more likely to go to house #1 than house #3. Even if they like dogs.

Let’s look at the business world now instead of the personal world. Just like me, at work you (most likely) have multiple accounts. But now you’re dealing with other people’s data. You have access to corporate data, customer data, etc. For a long time now we’ve been recommending the use of MFA if you are accessing systems from home. For many security standards, it is a requirement. But those requirements are growing. PCI DSS, the standard that regulates debit and credit card payment security, started by requiring that secure remote access into the environment needed to have MFA. Now it has grown so that if you’re accessing critical systems INSIDE your own environment (firewalls, key database servers, etc.) you also need to use some form of MFA.

The reason behind this is simple. The two biggest ways that bad actors access your environment is through system vulnerabilities (not patching and fixing issues), or through compromised credentials. Phishing attacks and other malware love to get users to reveal usernames and passwords. At Compass IT Compliance, we offer tests and training to help avoid that exact scenario because it is so common. And once you have access, you can do a LOT with it in most environments, especially because many users still use the same password on multiple systems. If you get one set of credentials, more than likely it opens more than one door. MFA forces people to take an additional authentication step, usually by entering a one-time code to prove the person entering the password is who they claim to be. While this in no way eliminates the chance of compromise, it makes it much more difficult.

Which leads me to the recommendation of this post. I’m sorry it took so long to get here, but I wanted to set the stage. If you’re still with me, thanks! With all the compromises we see in the news and even personally, I would recommend that you consider using MFA inside your organization as well as outside, for ANY access to your network. I’ve seen many companies require it for only IT staff, only remote users, only people who work on Thursdays, whatever. Not only does that leave open security holes, but it makes it harder to keep track of who has what for authentication, and how to properly manage it. Enabling MFA for all users means that managing the access is identical for everyone, making it easier on IT and security because there aren’t different sets of rules to adhere to. From a security perspective, nobody gets on your network without having that second factor of authentication. It doesn’t matter if you’re working from home, working at the office, or sitting on a beach. These solutions are relatively inexpensive now, and easy to implement. Many organizations use soft tokens through employee’s phones, but higher security options (hardware token keys like YubiKey for example) are available.

Watching the news and looking at the looming threat of cyberattacks can be quite frightening. There are many tools and steps to prevent these attacks and mitigate risks. One of the easiest steps is to protect the access to your organization. Close the door, lock the door, get a dog. Like most good things, it may cause some pain in the beginning, but I guarantee it will pay off in the long run!