Prevent Unauthorized Access with Multifactor Authentication
“Every year, cyber criminals become savvier with their phishing attacks and have tried-and-tested methods to deceive and steal from their victims.” [Source : Terranova Security] To illustrate this, Zdnet’s shocking cyber security report states that “Microsoft cloud services are seeing 300 million fraudulent sign-in attempts every day.” That is unbelievable! How can you prevent this from happening to your organization and avoid the risk of data loss/theft and potential interruption of your business continuity?
The Phishing is Easy
So, what is phishing? Malwarebytes notes, “Phishing is an attack in which the threat actor poses as a trusted person or organization to trick potential victims into sharing sensitive information or sending them money.”
Often this starts with an email. “Under the guise of someone trusted, the attacker will ask the recipient to click a link, download an attachment, or to send money. When the victim opens the message, they find a scary message meant to overcome their better judgement by filling them with fear. The message may demand that the victim go to a website and take immediate action or risk some sort of consequence. If users take the bait and click the link, they’re sent to an imitation of a legitimate website. From here, they’re asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.”
Ask yourself:
- Despite all the security training provided by companies today, how many mistakes does it take to cause a breach or loss of control over sensitive information?
- What will happen to your personal and company proprietary data if a bad actor succeeds in obtaining your username and password?
- Guess what simple action you can take to prevent 99.9 percent of attacks on your accounts?
It may be surprising but roughly 20% of people online use identical logins and passwords across many websites and apps. This is particularly risky for accounts with sensitive information. Although, you can encrypt passwords using a password manager or randomly generate your passwords, cyber experts are recommending a second security step that utilizes Multi-Factor Authentication (MFA).
Reeling in the Logins
Email phishing typically aims to capture your username and password. Then it’s off to the races hijacking your social media accounts or ordering products from your favorite online merchants. Worse, most people use a small number of passwords and variations of passwords to access all kinds of information including the applications and remote access to your company’s confidential data!
Besides phishing, there are other cyber-attack methods out there. Maybe a virus slips past defenses at work or on a personal device that we have no control over, and the payload is a simple key logger. Now every keystroke including passwords are being captured for easy theft.
We need more than a simple username and password for access to our most sensitive business applications. And we certainly need more than a username and password for remote access to private networks.
MFA Blocks Access by “Successful” Password Thieves
Multifactor Authentication, or MFA, provides an additional level of security in the case a bad actor steals your login credentials. We’ve been discussing CIS Controls which provide best practice recommendations for companies to follow in thwarting theft of login credentials. CIS Controls 6.3 and 6.4, “Require all externally exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. Require MFA for remote network access.”
Tech Talk in Plain English
What these recommendations mean is that with MFA, a person trying to gain access to specific information must have more than just a username and password. An example of MFA in action is when you try to log into your bank account, the bank sends you a 6-digit code that you must enter before logging you into the account. This method protects you and your account. How? Well, even if a bad actor has your user ID and password, he or she cannot possibly gain access without knowledge of the correct 6-digit code from your bank. The code verifies your identity.
MFA comes in many forms. Here at CCI Managed Services, we use a tool called Authpoint which can be setup to “push” a simple Approve/Deny to the user’s smart phone. This saves transcription time while alerting the user to the attempted access by someone else. This method makes effective use of MFA fast, easy and painless. For further information, refer to this additional article about how we manage MFA and what our customers are saying.
CCI Managed Services can help your business determine where MFA is needed and implement a solution that is simple and effective. It’s just one of dozens of areas we can investigate for your safety when you hire us to inspect your network security and provide a concise report card spelling out the risks you have today and how to solve them.