<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MFA Archives - Threat Potential</title>
	<atom:link href="https://threatpotential.com/category/mfa/feed/" rel="self" type="application/rss+xml" />
	<link>https://threatpotential.com/category/mfa/</link>
	<description></description>
	<lastBuildDate>Fri, 14 Oct 2022 20:51:18 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9</generator>
	<item>
		<title>MFA and Your Small Business</title>
		<link>https://threatpotential.com/mfa-and-your-small-business/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mfa-and-your-small-business</link>
		
		<dc:creator><![CDATA[threatpotential]]></dc:creator>
		<pubDate>Tue, 19 Jul 2022 17:03:11 +0000</pubDate>
				<category><![CDATA[MFA]]></category>
		<category><![CDATA[password attacks]]></category>
		<guid isPermaLink="false">https://threatpotential.com/?p=3395</guid>

					<description><![CDATA[<p>Chances are you’ve heard the term MFA (Multi-factor Authentication) thrown around and how you should be using it. In our engagements, we often suggest implementing an MFA solution as a possible remediation for critical/high severity findings. Many clients see this as a very daunting and expensive endeavor, but it doesn’t have to be only for...</p>
<p>The post <a href="https://threatpotential.com/mfa-and-your-small-business/">MFA and Your Small Business</a> appeared first on <a href="https://threatpotential.com">Threat Potential</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Chances are you’ve heard the term MFA (Multi-factor Authentication) thrown around and been told you should be using it. In our engagements, we often suggest implementing an MFA solution as a remediation for critical/high severity findings. Many clients see this as a daunting and expensive endeavor, but it doesn’t have to be only for the Fortune 100! Let’s take a look at what MFA is, why it&#8217;s important, and how you can apply it to your small business.</p>



<h3 class="wp-block-heading"><strong>What is MFA?</strong></h3>



<p>MFA is simply proving you are who you say you are with a combination of different methods. The methods fall into three categories, and a combination must draw from more than one of them:</p>



<ul class="wp-block-list"><li><strong>Knowledge</strong> (something you know) – Examples include a password, passphrase, PIN, or the answer to a security question (the weakest of these, since the answers are often discoverable online).</li><li><strong>Possession</strong> (something you have) – For example, hardware security tokens, smart cards, or a cell phone running an authenticator app.</li><li><strong>Inherence</strong> (something you are) – Traditionally these are biometrics such as a fingerprint, facial recognition, voice, iris, or even keystroke dynamics.</li></ul>



<p>Keep in mind, for it to be MFA <strong>you must combine at least two separate</strong> methods from different categories. A password plus a security question is still single-factor: both are things you know. This is a common mistake we see in failed MFA implementations, and it usually results in no increased security.</p>



<h3 class="wp-block-heading"><strong>Why is MFA important?</strong></h3>



<p>Implementing MFA is one of the solutions we recommend most often to organizations we assess. The reason is that we break into a lot of client assets with the same password attacks that malicious attackers use. Most users think “no one would ever target me”, “who would really attempt this password”, or the infamous “I can’t remember all these different passwords, so I’ll make it simple”. It’s easy to slide into this mindset with all the other demanding priorities in our lives, but online reconnaissance is usually trivial when things like LinkedIn, password breach disclosures, and your organization’s online footprint exist.&nbsp; Once an attacker takes previously disclosed breach data, or a few common passwords (Spring2020, &lt;CompanyName&gt;1, Password123), and tries them against every user in your organization (aka password spraying), the threat becomes very real. The fact of the matter is that an attacker only has to be right once, while you have to be right every time. Do you really trust that ALL your employees use sophisticated, hard to guess, unique, and lengthy passwords for every resource they authenticate to? More often than not, we find the answer is no.</p>
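<p>Password spraying has a distinctive shape in authentication logs: one source fails logins for many <em>different</em> usernames in a short window, whereas a user who mistypes their own password fails repeatedly for <em>one</em> username. The following is an added example, not code from the original post, that runs that heuristic over a handful of constructed log lines (the log format, IP addresses, usernames and thresholds are all assumptions made for the example):</p>

```python
"""Password-spray detection over constructed authentication-log lines.

Heuristic: a single source IP that fails logins for many *distinct* usernames
inside a short window is spraying; a user mistyping their own password produces
many failures for *one* username. A SUCCESS from a flagged IP is the spray that
landed and should be treated as a compromised account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): "timestamp result user src_ip".
# 203.0.113.7 sprays five accounts and lands on "frank"; 198.51.100.20 is one
# user fumbling their own password, which must NOT be flagged.
SAMPLE_LOG = """\
2022-07-19T09:00:01 FAIL alice 203.0.113.7
2022-07-19T09:00:02 FAIL bob 203.0.113.7
2022-07-19T09:00:03 FAIL carol 203.0.113.7
2022-07-19T09:00:04 FAIL dave 203.0.113.7
2022-07-19T09:00:05 FAIL erin 203.0.113.7
2022-07-19T09:00:06 SUCCESS frank 203.0.113.7
2022-07-19T09:05:00 FAIL alice 198.51.100.20
2022-07-19T09:05:10 FAIL alice 198.51.100.20
2022-07-19T09:05:20 FAIL alice 198.51.100.20
2022-07-19T09:05:30 SUCCESS alice 198.51.100.20
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src_ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: {"sprayed_users": [...], "compromised": [...]}} for every
    source IP that failed logins for at least `min_users` distinct accounts
    within any `window`-long span. `compromised` lists accounts that later
    authenticated successfully from the same IP."""
    failures = defaultdict(list)   # ip -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        (failures if result == "FAIL" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over this IP's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = {
                    "sprayed_users": sorted(users),
                    "compromised": sorted(u for _, u in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {info}")
```

<p>The thresholds are deliberately low so the sample trips them; in production, tune <code>window</code> and <code>min_users</code> to your tenant's size, and remember that sprays spread across many source IPs (cloud egress, proxies) need the same logic keyed on the password-attempt timing rather than on the IP alone.</p>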



<p>An MFA solution takes the burden off the user: even if a password is guessed, sprayed, or leaked in a breach, the attacker still needs a second factor, which is typically something the user already carries. It drastically increases your business’s security posture by eliminating or reducing exposure to some of the most popular attack methods.</p>



<h3 class="wp-block-heading"><strong>What are the disadvantages of MFA?</strong></h3>



<p>There are no “silver bullets” or all-encompassing solutions that will reduce all your risk to zero, so the following disadvantages should be noted:</p>



<ul class="wp-block-list"><li><strong>Usability</strong> &#8211; As with all things security, there&#8217;s a tightrope walk between usability and protection. A forgetful employee could leave their phone or security token at home, and users may get frustrated at having to authenticate multiple times.</li><li><strong>Not a foolproof solution</strong> &#8211; Yes, MFA can be circumvented in some instances, and this has happened in the wild. These occurrences are rare but are typically the result of a poorly implemented MFA solution or an easily circumvented “fallback” option such as email or SMS.</li><li><strong>Can be costly</strong> – MFA doesn’t have to put you in the red, but depending on your selection it could be a costly solution.</li></ul>



<h3 class="wp-block-heading"><strong>What’s the best MFA solution for my small business?</strong></h3>



<p>Each organization is different in how it operates, what it is trying to protect, how many users it has, and what resources are available to it, so there is no umbrella response pointing at a specific vendor. Instead, you should focus on a few key criteria when finding the right solution for your small business. The first is <strong>usability</strong>: you need to figure out what type of information or tool is suitable for your users. You want each of your employees to have the method readily available to them, such as a cell phone or security token; if your type of business restricts these in certain areas, that may become an issue. The next criterion is future planning, or what we often refer to as <strong>scalability</strong>. You may choose to focus MFA on your VPN or email first and slowly roll it out to additional applications, so make sure that what you choose will integrate easily with all the authentication portals you have in the foreseeable future. Last, and certainly not least important, it comes down to <strong>cost</strong>. Some solutions may cost more than your small business brings in, so you want to ensure that you pick one you can afford. Luckily there are multiple tiers of solutions from a cost perspective. You can choose a costly solution (ex. RSA tokens), a moderately priced one (YubiKey/Duo), or even free solutions (Google Authenticator, Authy, LastPass Authenticator, Microsoft Authenticator).</p>



<h3 class="wp-block-heading"><strong>Conclusion</strong></h3>



<p>Even after weighing the above criteria, it can be difficult to be sure you&#8217;re using the right solution. In our experience the expensive solutions are used by large businesses rather than small ones. Moderately priced options are typically easier to roll out and usually support more devices. Free ones are in many cases restricted to certain device types or portal applications, which can be limiting, but they have proven satisfactory for many business use cases. If you </p>
<p>The post <a href="https://threatpotential.com/mfa-and-your-small-business/">MFA and Your Small Business</a> appeared first on <a href="https://threatpotential.com">Threat Potential</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Top 6 ways to improve your penetration test results</title>
		<link>https://threatpotential.com/top-6-ways-to-improve-your-penetration-test-results/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-6-ways-to-improve-your-penetration-test-results</link>
		
		<dc:creator><![CDATA[threatpotential]]></dc:creator>
		<pubDate>Thu, 07 Jul 2022 15:07:43 +0000</pubDate>
				<category><![CDATA[MFA]]></category>
		<category><![CDATA[password attacks]]></category>
		<category><![CDATA[penetration testing]]></category>
		<guid isPermaLink="false">https://threatpotential.com/?p=3432</guid>

					<description><![CDATA[<p>Maybe you’re thinking of having a penetration test completed or simply have the jitters of not knowing how the test results will turn out. We get this question often and we’re here to help prepare you for success. So take a look at the top 6 ways to improve your penetration test results. Patch Configuration...</p>
<p>The post <a href="https://threatpotential.com/top-6-ways-to-improve-your-penetration-test-results/">Top 6 ways to improve your penetration test results</a> appeared first on <a href="https://threatpotential.com">Threat Potential</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Maybe you’re thinking of having a penetration test completed or simply have the jitters of not knowing how the test results will turn out. We get this question often and we’re here to help prepare you for success. So take a look at the top 6 ways to improve your penetration test results.</p>



<h3 class="wp-block-heading"><strong>Patch</strong></h3>



<p>Configuration management can be difficult, but make sure you know what exists on your network, remove what you don’t need, and confirm that security patches have been applied. Applying security patches is imperative to the overall health of your network and the data held within it. A vulnerability scan will do a couple of things for you: inventory the items in scope and discover common vulnerabilities. Because of the success rate that outdated versions bring, this is usually an attacker’s first stop.</p>



<h3 class="wp-block-heading"><strong>Change default credentials</strong></h3>



<p>As penetration testers, trying default credentials against any system we come across is second nature. Failure to change default credentials is often down to simply setting the system up and forgetting to change them afterwards. This is where you can add some rigor to your processes, such as using hardening checklists. Any time a project, application, or system is introduced into your environment, you should ensure a hardening checklist is incorporated in the plan. Applications and appliances often have more than one default account (a service account, a vendor support account, a management interface on a different port), so make sure not to forget those as well.</p>



<h3 class="wp-block-heading"><strong>Implement a password filter</strong></h3>



<p>Password spraying has become a common way to infiltrate organizations. Having a 10-character minimum with mixed case, numbers, and special characters sounds decent, right? Well, “Password123!”, “Spring2020!”, and “YourCompanyName2020!” satisfy those requirements but do nothing to reduce the likelihood of an attacker guessing them. If you force users to rotate their passwords often, they are more likely to fall into this trap of using seasons, years, or simply incrementing numbers to keep up (NIST SP 800-63B now recommends against forced periodic rotation for exactly this reason). Be sure to use a tool that blocks these types of passwords, and don’t forget to disallow any part of the user’s name or username as well.</p>



<h3 class="wp-block-heading"><strong>Implement MFA</strong></h3>



<p>As with anything, multi-factor authentication is not a “hacker proof” solution. However, it does stop a significant number of attacks and increases your overall security posture. The good news is that MFA has become commonplace in most applications, and the implementations have improved dramatically over the last couple of years. It’s important that you test the backup and fallback options as well, since weak secondary factors such as SMS or email codes can be easily circumvented. Check out <a href="https://threatpotential.com/mfa-and-your-small-business/">MFA and your business</a> to learn more.</p>



<h3 class="wp-block-heading"><strong>Have separate administrative accounts</strong></h3>



<p>I’ve found that least privilege is seldom practiced in the environments we test, and its absence has led to a significant number of domain takeovers, one of the big eye-openers our clients often see. Any administrator in your domain should have separate accounts: one to perform administrative duties and one as their regular user account. The accounts should always have different passwords, and the administrative account should have additional security features applied such as greater password length and complexity, additional monitoring, and no use for day-to-day email or web browsing.</p>



<h3 class="wp-block-heading"><strong>Have unique local administrator accounts</strong></h3>



<p>Once an attacker has landed on a machine, it’s usually trivial to obtain local passwords or perform privilege escalation. If your organization uses the same local administrator credential on all your machines, then moving laterally through your network becomes extremely easy. Doing this manually would be too burdensome for many, but luckily there’s an automated solution, and best of all it’s free! Microsoft released the Local Administrator Password Solution (<a href="https://www.microsoft.com/en-us/download/details.aspx?id=46899">LAPS</a>) to address this issue. It sets a unique, randomly generated password for the local administrator account on every domain-joined machine, rotates it on a schedule, and stores it in Active Directory where only the accounts you authorize can read it. (Microsoft has since built a successor, Windows LAPS, into Windows itself.)</p>



<h3 class="wp-block-heading"><strong>Summary</strong></h3>



<p>The goal of your penetration test is to measure the security of your organization and provide actionable steps towards improvement. Even if you don&#8217;t get a sterling report back, it&#8217;s much more important to know what your risks are. Comment below and let us know how you improve your penetration test results!</p>
<p>The post <a href="https://threatpotential.com/top-6-ways-to-improve-your-penetration-test-results/">Top 6 ways to improve your penetration test results</a> appeared first on <a href="https://threatpotential.com">Threat Potential</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
