Something you know, something you have or something you are.

We are going to take a break from the insider threat for a couple of weeks – I am working on an insider threat “playbook” for a client that will also include some online video training and I need to concentrate on that. But that does not mean these articles are going to stop.

I was thinking about “passwordlessness”* as today’s topic, and then the US Government’s Cybersecurity and Infrastructure Security Agency (CISA) released an advice document about multi-factor authentication and phishing. Two of my favourite subjects! (CISA, 2022)

Before we start – MFA

Multi-factor authentication (MFA) confirms your identity using two or more of: something you know (a password or PIN), something you have (a phone, token or security key), something you are (a fingerprint or face) and, in some cases, somewhere you are (your location or network). A threat actor who steals or guesses your password still lacks the other factor, which makes it harder to get into your accounts and systems and, more importantly, at your information.

For a more detailed description of MFA I have provided a link below to the CISA MFA Overview document.

Always use MFA when it is available – no excuses.** MFA, 2FA or DFA, call it what you will, it has its issues and can be broken, but it is still one of the best single steps you can take to strengthen your cyber security – so use it.

MFA Vulnerabilities

The CISA document briefly covers the ways MFA can be defeated:

Phishing attacks, where a convincing message deceives the user into visiting a spoof login page. There they enter their username and password and then the one-time passcode (OTP) from their authenticator app or text message. The threat actor’s system forwards all of it to the real login page in real time. Because the attack is automated, the credentials and the OTP are used within seconds, well before the code expires, and the account is compromised.

“Accept” fatigue (CISA calls it push bombing), where the threat actor already has the username and password from an earlier compromise and scripts repeated login attempts, so the MFA system keeps sending approval requests to the legitimate user’s phone. A careless or very busy user may eventually hit “Accept” without thinking, and the threat actor is in. This is a particular problem for accounts used by multiple people, for example administrator accounts with shared responsibility, because no one person knows whether a given prompt is expected. (You should have a system in place to deal with multiple user accounts – we do.)

Exploitation of the mobile phone network (the SS7 signalling protocols) or of SIM cards (SIM swapping). The first is technically difficult; the second can be ridiculously easy if the threat actor simply pretends to be you to your phone provider and has your number moved to a SIM they control. Both only affect codes delivered by text message or voice call; app-based authenticators never touch the phone network and are not vulnerable to these attacks.

FIDO Authentication

This is the current, easily implemented “gold standard” of MFA, and one that all users can access. A FIDO credential is tied to the website it was registered for, so a spoof login page cannot obtain a response that works on the real site. I have written about FIDO and passwordlessness* in an earlier article (see Further Reading below).

So everyone should be moving towards this – we are. But getting everyone onto MFA can be a challenge. We have had to deal with MFA rollouts many times, and every time there is a new challenge: the client and their team make excuses as to why they should be the exception to the rule.

The MFA Challenge

If you are trying to implement MFA across your organisation here is some advice to make it easier to roll out. You need a spreadsheet and two lists.

  1. Assess and list your most sensitive/important information, and who has access to it.
  2. Assess who your most vulnerable personnel are (those whose role, access or public exposure makes them the likeliest targets).
  3. Order the first list by sensitivity/importance and the second by vulnerability.
  4. Now you have a place to start and an argument as to why MFA has to be done and used.

Training

When people understand the benefits of any cyber security (or business) process they will accept it better, so run some training. Or sign up to our online training – where we have modules discussing multi-factor authentication.

Next time…

We are going to look more closely at the “accept fatigue” cyber attack and what your team can do to mitigate the threat.


Clive Catton MSc (Cyber Security)

* “passwordlessness” – I freely admit to having made this word up.

** Read this linked snippet from a blog I wrote about BYOD, an excuse often given for not using MFA when it is being enforced across an organisation, and how we developed a secure workaround: Are you using Bring Your Own Device – BYOD – to save money?

Further Reading

Multi-Factor Authentication Fact Sheet (cisa.gov)

FIDO – the new word in identity authentication UPDATED 11 May 2022 – Smart Thinking Solutions

References

CISA. (2022). Implementing phishing-resistant MFA. Cybersecurity and Infrastructure Security Agency. Retrieved November 2, 2022, from https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf