Tech for Business: Multi-Factor Authentication (MFA) - The basics and why does my business need it


Kelsey: ...to the first CIT Tech for Business podcast. Today we're sitting down with Nate and Todd and we're going to talk about multi-factor authentication, our first acronym. We're kicking off strong: MFA. Leading in, you guys, first off let us know a little bit about you, and what is MFA?

Todd: Thanks, Kelsey. I am Todd, I am CIT's chief operations officer, I am also our chief information security officer. I'll let Nate introduce himself and he can kick off the MFA overview as well.

Nate: Yeah, and my name's Nate, I'm our director of cyber security here at CIT; I just help oversee the operational components of our department. So multi-factor authentication, also known as two-factor authentication, is really, at its core, basically another form of authentication, and there's multiple variants to this, but essentially it's a mix of something that you have, something you know and something that you are, and as long as you have two of the three of those to log into a system, that's what multi-factor or two-factor authentication is. So what does that look like? Something that you know is likely going to be like a password or something like a PIN code. Then something that you are, that's going to be like biometrics, so for example in order to log into some computers you need to put your fingerprint, or you see things on some of those crime shows, right, they're doing the iris scanning to get into the secure facilities; that's something that you are. Then there's something that you have, and this is where it's most common in business, due to privacy concerns with the biometrics and everything. But something you have is going to look like either your cell phone, in order to do a push notification to it; it could be a USB that you have to plug in. So I have in front of me a hardware token that, in order to log in after I put in my password, I plug this into my computer, I touch it, and it just activates and sends off another code. So that's another form, and then they even have ones, I have another little hardware token in front of me which looks like a little credit card, this is something where it has a little battery in it, I click on it, it generates a six digit code, and then from there I enter in that code as well. So I've put in both my password and a code from something that is in my possession. So that's what multi-factor is in general. Where is it used is a whole different discussion and I'll let Todd take that over.

Todd: Well, I wanted to back up just here before we went too far, where we use it. It's been around for decades, it's not a new technology. People have been using it for banking where you get a text message or something along those lines; that's typically referred to as 2FA. But the reason why I interrupted Nate is I just kind of wanted to back up and say, why do we use it, right? And the biggest reason that typically comes up, and everybody that's here can kind of expand on it, but what ends up happening is that people typically have issues with passwords. Passwords are painful, they're difficult to remember, so people tend to make them easy to remember, and that's your phone number, your childhood best friend, whatever it is, your pet. And what makes matters worse is that people then use that password everywhere, and if you're looking at social media or LinkedIn, your work email and accounts, etc., more often than not most people tend to reuse it over and over and over again. Inherently what ends up happening is, if something ever happens, and it could be anything; if you're in the Twin Cities there was a Star Tribune hack, there was also a hack that happened on the meters in downtown Minneapolis where they were able to take account names and passwords and post that onto what's referred to as the dark web, and once that's been out there, if you've ever had that information harvested from you, it's now all in the wild. So how do you protect it? That's where multi-factor comes in. So I just want to make sure we covered that piece real briefly so we've got that whole picture of what it is, where it came from, why we're worried about it. The answer is passwords are bad, people hate them, and we could get into that a little bit later on, what can we do about it, can we rely more on biometrics at some point in the future, but it's a little bit off topic of where we're at at the moment. Where most people will try to implement a multi-factor authentication tool set is on anything that's quote unquote internet facing. More often than not, one of the larger threats that we're seeing in our business, and this has been true for years, we've been kind of banging the drum on multi-factor for about five years at least, and that's how long I've been at CIT, so you can kind of see a correlation there, but email is probably the biggest. So Microsoft has done a really nice job of pushing everybody to the cloud, Google's doing the same, they're huge providers. Once people move their email to the cloud, some of the inherent security that was in having email inside an organization started to be exposed to the internet, and typically most people were signing in with an email address, which is more often than not first name last name, first letter last name, or vice versa, and then at the company. So that part's super easy to figure out, and then you just start going down the list, right, it's "Winter2022!" and so on, and I'm in. So in order to protect that, that's where multi-factor is coming along.

Nate: Quick stat that comes to mind. So this is all the way back in 2019, but Microsoft did push out an article, and I'm sure that the numbers have only increased since then, just given the nature that people continue to move to the cloud, but back in 2019 Microsoft put out an article that said their login services for their, sorry, their cloud services have attempted logins over 300 million times a day that were fraudulent. And so the article is saying if you implement multi-factor authentication on the accounts it reduces the risk of account compromise by 99.9 percent. Right, there's a couple different attacks that people are going to take to try and get to your account. Phishing: we've talked about phishing here at CIT many, many times, but phishing, for those that don't have the full understanding on that, is an attacker will send you a fraudulent email, attempt to elicit your username and password, and then they'll use that to then log into your account. So it's a fraudulent way of capturing your credentials. That's one method. One of the other common methods, which for example Todd had mentioned, is password reuse: if you're compromising one account, you reuse the same password and it's leaked out on the dark web, you take that and go attempt to log into other services with that. And then the last one is just what they call password spraying, or password stuffing; you just attempt to push as many passwords as possible for a particular user until one is successful. Right, and by having the multi-factor, all of those methods are defeated. There are some considerations to take into play, which we can get into a little bit later too, but for the majority, if you just implement multi-factor you reduce about 99.9 percent of all attempts to log into the system fraudulently.

Todd: So you kind of mentioned that already about the statistics. Do you have a rough idea of what number of attacks are coming from email? So we can use our own examples of what we're seeing most of our customers suffer from. Does it typically end up being, in the world of cyber security they refer to it as business email compromise, do you have a sense of how many attacks we see coming in through email specifically?

Nate: Thousands. Even if we take a look at CIT systems, if I pull up any given day there's hundreds of them, right. It's just the simple fact that the password spraying is real, right. Everyone has our email addresses, it's either in someone's database dump, right, because for example if we continue to push on things like the Star Tribune or the Minneapolis parking that was compromised, right, and they had the email addresses, if you've ever used your work account for that it's floating out there, it's on a list. People are just going to attempt it with all the common passwords. There's some big password lists out there that are known to be highly effective because people tend to just pick bad passwords across the board. So yeah, it's hundreds of times a day for any organization, even if you're small.

Todd: Yeah, I think that's great, it's a great key. Once upon a time we used to talk about organization sizes and people used to say "hey, I'm way too small to be attacked," and that really isn't the case anymore. Statistically it's something along the lines of 56 to 60 percent of all attacks happen against small businesses, and the reason's because it's easy: they don't always have the wherewithal, the technical ability to understand what they should be doing, and so on and so forth. So the attacks are real and it does impact everybody. I'm sure people see it even happening at home; I get stuff from PayPal and Apple and you name it, I get attacked all the time that I need to click on something to reset something, all the time. Staying on statistics, the reason why I asked Nate about the percent of attacks, I think it's still somewhere in the high 90s of all attacks that are coming in tend to be phishing, that's somewhere in the high 90s, and as he mentioned, if you can protect services and your identity with 99.9 percent, I mean that's significant, right, and the number one tool being MFA. There are some statistics we can share this out too; for those that are listening, you probably won't be able to see this, but we can share it in the channel and if you're interested we can find ways to get you the information as well. But there was the United National cyber security chief said that 80 to 90 percent of all attacks, not just email, all attacks can be circumvented by having multi-factor in. So how we started out this meeting is what is it, what's the threat and what are you doing about it; ultimately that's why we keep talking about multi-factor authentication. One last statistic, in case you're wondering, "well sure, this has been something you've talked about for years": we've got it statistically, there was 55 percent of all organizations have multi-factor enabled. Only 55, so only half, and even in those cases a lot of times people are very picky and choosy on how they do it, so they may only do it with their tech team, but they may only do it with their administrators. And so a small number of organizations, I shouldn't say small because half is a significant number, but half still don't have it. So it's a major problem and it is still where we see most attacks coming from, and can be circumvented by putting multi-factor in place.

Kelsey: I have a question about that. You mentioned that there's over half of organizations that don't have that. Why do you think that is? Like, what barriers are they looking at to be like "I don't have time to do MFA"? Talk a little bit more as to why that's the case.

Nate: I think that, right, your question answered one of them: they don't see that they have time to implement it, right. These are often slightly lengthier engagements; it doesn't need to be complicated, but the more time you put into ensuring that it's a smooth process, the smoother the adoption is going to be. It's easy to just go into a system and say everyone has it on; that's where your user friction is going to come into play, and absolutely everyone is going to be upset that day as they are trying to sign into things. So user adoption is one of those items that you need to be pretty cognizant of when you're implementing it. There's also some additional strategies that you need to take in order to actually implement it successfully. So for example, if the user friction is "I don't want to put this code in every single time I'm logging in," you can do things to say, well, maybe let's bypass multi-factor from within the office, right. There is some residual risk there that maybe the organization is willing to accept, because for the most part, if someone does have the password and they are attempting to log in, it will likely come from outside of the office. That doesn't mean that maybe that user's computer is compromised and there's some type of script that calls in from internally, but again the likelihood is significantly reduced. So if your employees are constantly working from the office, you could still bypass multi-factor. The larger you put that bypass, you know, maybe it's the state, the country, right, the bigger the risk becomes, but there are strategies that you can implement with that. I'd say the other one is cost. So there's a lot of different multi-factor solutions out on the market, so if you're only looking at doing something like email, all of the major email providers now are implementing it or offering it for free, right; you can implement it in Office 365, G Suite, there's no additional cost. If you're looking to use some type of third-party service then you're going to start seeing those licensing costs, more of a per-user cost there. And then the other component that I would say is how far do you want to implement multi-factor across the organization, right. Todd mentioned that the most common one that's going to be abused is going to be your email system, so start there, then you can start looking at other services as well, such as your VPN, critical business applications. Once you start wanting to implement multi-factor on those additional systems, that's where some of the paid services come into play, because they do extend out to additional services and different protocols. So user friction, cost, and maybe, I think the other big one that I'll let Todd maybe expand on a little bit more, is executive buy-in.

Todd: Yeah, I would say the two things that I would say by far are the biggest thing that I see as resistance is, more often than not, when you go through it you are going to put a little bit of friction in between your employees and them getting work done. The typical pushback that you will get back from that employee is, I'm holding up my phone, "this is my phone, the company doesn't pay for it, I'm not putting your business application on my phone." The reality is there are ways to start to build the adoption, right. So you can be a little forceful with it and you say "okay great, well we're just going to give you a token, we're going to give you a business phone," and bear with me when I walk through some of this because I'm not actually encouraging you to go out and buy a hundred phones, but when you start to go "hey employee, I'm gonna give you two, I'm gonna give you a phone," and they've got their own, they're gonna be like "I don't want two phones just to avoid putting in the six digit code," and they'll usually adopt it. Or you give them a token and they're like "this is inconvenient, I have to make sure I have it with me when I'm logging in from home, I got to go grab my keys because it's on my keychain," whatever the case may be. That's usually where they're kind of pushing back, and then inevitably what ends up happening is you go "okay, well here's a solution, here's a solution, here's a solution," and they're like, the reality is it's so convenient to just have it on my phone that I carry with me everywhere anyway, I'll just go ahead and do it. And the reality is it's not really all that complex, it's not a heavyweight thing, it's not dipping into any of your personal information, it's just an app and it's only doing a couple of things: it's either generating a six digit code or longer, or it's pushing you with content that says "is this you?" Nate's correct when it comes to executive adoption: it is inconvenient, a lot of people don't want to be bothered by it. I'll give a good example, and as I said, multi-factor's been around for ages. Back many, many years ago, early 2000s, I had joined an organization and the very first thing I did was, our remote connections are really insecure, let's implement multi-factor, and I implemented it, and it probably lasted about a month before the CEO said "I can't stand it, turn it off." Now the security threats weren't nearly what they are today, but I learned a lot during that time too. So one of the strategies, or several of the strategies Nate covered already, is you start small. You start going, well, let's start with a small group that are my power users, maybe it's IT, and then you get a few other people that go "okay, it's working, it really isn't that bad," and you start to expand it. Or you lessen some of the security requirements; as Nate said, you can make an area trusted. Work is trusted, I've got the adoption in, people are getting used to the fact that when I'm at work I don't get prompted, when I'm at home I do, okay, it's not a big deal, and then you go okay, we're gonna ratchet it up a little bit, we're gonna add another location, we're gonna add another application, we're gonna whatever, and so you can continue to build on the security and you can get that buy-in just naturally. Probably many people have heard the term, and I don't mean this in a derogatory way, it's a bit about the boiled frog scenario: as you start to do it they realize, you know, it really isn't that bad. Not that we're trying to boil our employees, but conceptually, you just do it a little bit at a time and you're improving your security as you go.

Nate: So one last user friction that I wanted to call out, it's not as common but it does come up from time to time, is union policies. So if you want to have an employee start downloading an application on their phone or start carrying around a phone just for phone calls and stuff, sometimes union policies will say, well, you need to start reimbursing the employees for that. There is a cost associated with that, and so that definitely feeds into some of the other considerations. That's sometimes where hardware tokens come into play; it's maybe a $20 hardware token, right, and that's a one-time cost, it's not recurring, so you can still implement multi-factor without having to start reimbursing for cell phones or paying for the phones. All right, it's one that I don't commonly hear, but on more of the production environments, and I'm not going to get deep into compliance here, but things like CMMC, right, it's starting to ask for multi-factor. CMMC tends to be a lot of the manufacturing firms where there's a lot of union employees.

Todd: So yeah, I'll expand on the compliance piece too. I mean, there's a lot coming. If you're in any compliance industry, healthcare, finance, you name it, as Nate mentioned manufacturing, it's going to be something that you're probably already experiencing. As I mentioned, you've been being prompted for an additional code from your bank for days, for weeks, months, years, whatever the case may be. It is coming; this is just me expanding a little bit, in my opinion compliance is coming and it's going to be expanding over the next five years, so there are going to be reasons why you're going to have to adopt something like this. So if the threat of cyber attacks isn't enough, there are going to be other things, and you can already see it's happening. So this is why I'm saying it: if you look over the last year, the Biden administration had come out and said the cyber attacks are getting worse and worse, we're spending tons of money, we're constantly under attack, what are we going to do about it? They built out an executive order and they specifically say you gotta have MFA. If that's not enough, the insurance companies are doing it too. So if you're looking at cyber security insurance, and almost everybody's asking for it at this point, they're going to be looking for it as well. As I'm going down this compliance thing, I'll wrap this up real briefly and I'll pass it back to Nate, but as you're looking at the compliance thing, I was actually working with one of our customers and they were going through the insurance process, and they don't have any of the compliance from CMMC, healthcare, any of that, but the insurance organization had come in and they did what I would consider pretty much a full IT audit, where they were looking at data diagrams, they're looking at security protocols, I mean everything. So I actually went on site and met with the insurance adjuster just to make sure that we covered all the information that we needed to cover, and it was significant, it took an hour, and obviously MFA is included in that. It's kind of the way life insurance used to be, where with life insurance you could just sign on the dotted line, off you went, you got a whole bunch of coverage, and that's changed over the years too, right; the underwriting is going "now I need blood work and I need to weigh you and I need health background and family history and yada yada." It's just gonna get worse, is where I was going with it, and like I said I was going to wrap that up quickly and I didn't, so I'll stop talking and pass it back to Nate.

Kelsey: Yeah, I could interrupt for just a hot second. As we've kind of gone down the compliance path and all of these good things, kind of looking at, right, if you're having user friction and you're having people that are like "I don't want to do it, I don't have this code pushed to my phone, it's too much work, why is it effective at actually preventing these attacks, what is it doing for me?" I'm like, yeah, I get it, I get the phone, I put it in, and congratulations. So we're saying, yeah, it's 99 or over 99 percent effective. Why?

Nate: Yeah, good question there. Before I jump into that, while Todd was talking I decided to go look at our system here just to see how many of those password spraying attempts I saw in our system in the last 24 hours. It was just shy of 200 attempts, right, I can see the logs. So again, we're not a big company by any means; it happens all the time. So why is it so effective, right? So if I just called out there's nearly 200 attempts in the last 24 hours to password spray our environment there, the reason why it's so effective is even if a password is compromised, the threat actor is not going to have the other form of multi-factor, the second form or the third form of multi-factor, in order to get into the system. So, password: I've showed this to people before, is I say here's a dummy account in like a Gmail or something, right, here's the password, I'll give you 100 bucks if you can get into that, because I have the multi-factor keys here. It just doesn't happen; I've never paid someone out, because they would have to retrieve that file from me or that hardware token from me in order to get into place. So where we typically see multi-factor fail is not the technology in itself, it's still the user. So there are websites that will try and capture the multi-factor token and pass it through to the legitimate site and then redirect the user, so they'll still log in, but it's the user who has fallen for a fraudulent website, still entered in their password and given up the multi-factor code, gave both of them to the attacker; then the attacker just goes, logs in. And there is a timing on these tokens, where maybe they're good for five minutes, maybe they're good for 15 minutes; it allows for users to have a grace period to access their phone sitting on the desk, access the email, access the text message. So if you give it up right away and then you hand it over to someone, immediately they're going to use it first, right. I just worked with another organization where their multi-factor was a phone call, all right. So this is actually a pretty common attack method at the moment, it's called MFA bombing. So what you do is you just bug the user enough until they just say "I can't take it anymore," accept the phone call, and that was the phone call, that was the MFA prompt, and the attacker just logs in, right. So in the instance that I was looking at with that other customer, it was: attacker tried to log in, was prompted with a six digit code, they weren't able to get that, so then they switched over to the backstop, which was a phone call, sent the user a phone call, it failed because the user didn't accept it, 30 seconds later sent another one, it failed, sent the next one, the user said "I'm sick of this call," accept, and the attacker logged in.

Todd: So yeah, another one I'll throw in, we don't see this as often, and the end point of this is you still need training when you deploy the tool, but we have seen people that have deployed the push technology, so that is, I log in and you get a push to your phone that says "was this really you?" We have had people that have been attacked where someone was like "yeah, I just logged in," and they've allowed the attacker in even though they didn't personally sign in. So there is kind of a training aspect that goes with it. One last thing that I kind of wanted to dive into: I know we talked about the threats and the attacks and whatnot, but as we're wrapping this up I just kind of wanted to re-illustrate some of the real concerns, and ultimately, we talked about compliance, we talked about the threats, we talked about all of that stuff; the reality is the reason behind that is because of the cost, and the cost is built up from a lot of different things. It's from the ransomware; if you get attacked from ransomware, ransomwares more often than not, nowadays they start around a million dollars and they start to get talked down to something real. It includes downtime, it includes unproductive employees, etc. Looking statistically, the last time I looked at it we were somewhere on average, so that's average across all SMB market, not you're a bigger company you get bigger ransomwares etc., it's about $500,000, downtime about two weeks. So that's fairly significant, and if I can deploy something like MFA and protect 90 to 99.9 percent, it's something you really got to start to consider and go "boy, I can reduce my risk by $500,000 in a given year; that's probably something, for a little bit of friction, a little bit of build-up, we can find a way to move forward." It's a good way to start looking at it and thinking about it and go, where do we go from here?

Nate: Yeah, and the one thing that I'd add to that is the cost is going to be dependent on the application or system that the threat actor is obtaining access to, right. So Todd was mentioning ransomware; that could have been multi-factor on a VPN, for example, right. Someone had a compromised password, attacker gets into the VPN; most companies don't have a dedicated demilitarized or DMZ zone for VPN users, they just say once you pass through you have full access to the network. That's where those ransomware costs are going to come into play. It could be something like your email system, right, someone's in there just obtaining data, maybe it's a fraudulent wire transfer that they're trying to set up. Whatever that number is, it could be $10,000, it could be, I've dealt with the ones that are $500,000 wire transfers, right. It's just a matter of what are they accessing, what are the costs, and whatever the remediation costs are, I promise it's less, very sorry, I promise that it's far more than the cost of implementing multi-factor at the end of the day.

Todd: So yeah, so kind of as a last thought from me, and he can jump in on this too if he's got any, but the last thing I have is: we did talk about sometimes there's friction, sometimes there's a technical hurdle, if you will, because there are ways to go about it, there's paid solutions, etc. Obviously if you need help, reach out to your trusted partners; there's a lot of help out there. Of course you can go do your Google searches as well, so in the end, when you need help, reach out to those that you trust and you can get some good support from.

Nate: Yep, I guess my final closing thought is everyone's scared of user friction, but in almost every case it ends up being more of a concern that doesn't always come to fruition, right. The impact is actually fairly minimal if you implement it correctly, so a lot of those concerns are unfortunately just not fully grounded based on facts, right, just feelings.

Kelsey: Awesome, thank you so much Todd and Nate for sitting down and chatting about MFA and all of the things. We could go into it, I'm sure that you guys would love to chat with anybody for an extended period of time about any of this, that we could tangent on a lot of things, but that wraps up our first Tech for Business podcast here today. If you guys have more questions that you want to ask Todd and Nate, feel free to reach out to info@cit-net.com or give us a call at 651-255-5780, or else we're also online, www.cit-net.com. But that's our little marketing spiel on there: they're here to answer your questions anytime about any cyber security needs or technology for business, and we will chat with you guys next week.

2022-05-03
