to the first CIT Tech for Business podcast. Today we're sitting down with Nate and Todd and we're going to talk about multi-factor authentication, our first acronym. We're kicking off strong, MFA leading in. You guys, first off, let us know a little bit about you, and what is MFA?

Thanks, Kelsey. I am Todd. I am CIT's Chief Operations Officer. I am also our Chief Information Security Officer. I'll let Nate introduce himself and he can kick off the MFA overview as well.

Yeah, and my name's Nate. I'm our Director of Cyber Security here at CIT. I just help oversee the operational components of our department. So multi-factor authentication, also known as two-factor authentication, is really, at core, basically another form of authentication. There's multiple variants to this, but essentially it's a mix of something that you have, something you know and something that you are, and as long as you have two of the three of those to log into a system, that's what multi-factor or two-factor authentication is.

So what does that look like? For something that you know, it's likely going to be something like a password or a PIN code. Then for something that you are, that's going to be something like biometrics. So for example, in order to log into some computers you need to scan your fingerprint, or you see things on some of those crime shows, right, they're doing the iris scanning to get into the secure facilities. That's something that you are. Then there's something that you have, and this is where this is most common in business, due to privacy concerns with the biometrics and everything. Something you have is going to look like either your cell phone, in order to do a push notification to it, or it could be a USB that you have to plug in. So I have in front of me a hardware token where, in order to log in, after I put in my password, I plug this into my computer, I touch it and it just activates and sends off another code. So that's another form. And then they even have ones, I have another little hardware token in front of me which looks like a little credit card. This is something where it has a little battery in it, I click on it, it generates a six-digit code and then from there I enter in that code as well. So I've put in both my password and a code from something that is in my possession. So that's what multi-factor is in general. Where is it used is a whole different discussion and I'll let Todd take that over.

Well, I wanted to back up just a hair before we went too far, where we use it. It's been around for decades. It's not a new technology. People have been using it for banking, where you get a text message or something along those lines. That's typically referred to as 2FA. But the reason why I interrupted Nate is I just kind of wanted to back up and say, why do we use it, right? And the biggest reason that typically comes up, and everybody that's here can kind of expand on it, but what ends up happening is that people typically have issues with passwords. Passwords are painful, they're difficult to remember, so people tend to make them easy to remember, and that's your phone number, your childhood best friend, whatever it is, your pet. And what makes matters worse is that people then use that password everywhere. If you're looking at social media or LinkedIn, your work, your work email and accounts, etc., more often than not most people tend to reuse it over and over and over again. Inherently what ends up happening is if something ever happens, and it could be anything (if you're in the Twin Cities there was a Star Tribune hack, there was also a hack that happened on the meters in downtown Minneapolis where they were able to take account names and passwords and post that onto what's referred to as the dark web), and once that's been out there, if you've ever had that information harvested from you, it's now all in the wild. So how do you protect it? That's where multi-factor comes in. So I just want to make sure we covered that piece real briefly so we've got that whole picture of what it is, where it came from, why we're worried about it. The answer is passwords are bad, people hate them, and we could get into that a little bit later on, you know, what can we do about it, can we rely more on biometrics at some point in the future, but it's a little bit off topic of where we're at at the moment.

Where most people will try to implement a multi-factor authentication tool set is on anything that's quote unquote internet facing. More often than not, one of the larger threats that we're seeing in our business, and this has been true for years (we've been kind of banging the drum on multi-factor for about five years at least, and that's how long I've been at CIT, so you can kind of see a correlation there), but email is probably the biggest. So Microsoft has done a really nice job of pushing everybody to the cloud, Google's doing the same, they're huge providers. Once people move their email to the cloud, some of the inherent security that was in having email inside an organization started to be exposed to the internet, and typically most people were signing in with an email address, which is more often than not first name last name, first letter last name or vice versa, and then at the company. So that part's super easy to figure out, and then you just start going down the list, right? It's "Winter2022!" and so on, and I'm in. So in order to protect that, that's where multi-factor is coming along.

Quick stat that comes to mind. So this is all the way back in 2019, but Microsoft did push out an article (I'm sure that the numbers have only increased since then, just given the nature that people continue to move to the cloud), but back in 2019 Microsoft put out an article that said their cloud services have attempted logins over 300 million times a day that were fraudulent. And so the article is saying if you implement multi-factor authentication on the accounts it reduces the risk of account compromise by 99.9%.

Right, it's everyone. There's a couple different attacks that people are going to take to try and get to your account. Phishing, you know, we've talked about phishing here at CIT many, many times, but phishing, for those that don't have the full understanding on that, is an attacker will send you a fraudulent email to attempt to elicit your username and password, and then they'll use that to then log into your account. So it's a fraudulent way of capturing your credentials. That's one method. One of the other common methods, which for example Todd had mentioned, is password reuse. If you're compromising one account, you reuse the same password and it's leaked out on the dark web, you take that and go attempt to log into other services with that. And then the last one is just what they call password spraying, or password stuffing: you just attempt to push as many passwords as possible for a particular user until one is successful, right? And by having the multi-factor, all of those methods are defeated. There are some considerations to take into play, which we can get into a little bit later too, but for the majority, if you just implement multi-factor you reduce about 99.9 percent of all attempts to log into the system fraudulently.

So you kind of mentioned that already about the statistics. Do you have a rough idea of what number of attacks are coming from email? So we can use our own examples of what we're seeing most of our customers suffer from. Does it typically end up being, in the world of cyber security they refer to it as business email compromise, do you have a sense in how many attacks we see coming in through email specifically?

Thousands. Even if we take a look at CIT systems, if I pull up any given day there's hundreds of them, right? It's just the simple fact of the password spraying is real, right? Everyone has our email addresses. It's either in someone's database dump, right, because for example, if we continue to push on things like the Star Tribune or the Minneapolis parking that was compromised, right, and they had the email addresses, if you've ever used your work account for that, it's floating out there, it's on a list, people are just going to attempt it with all the common passwords. There's some big password lists out there that are known to be highly effective because people tend to just pick bad passwords across the board. So yeah, it's hundreds of times a day for any organization, even if you're small.

Yeah, I think that's great. It's a great key. Once upon a time we used to talk about organization sizes and people used to say, hey, I'm way too small to be attacked, and that really isn't the case anymore. Statistically it's something along the lines of 56 to 60 percent of all attacks happen against small businesses, and the reason's because it's easy. They don't always have the wherewithal, the technical ability to understand what they should be doing, and so on and so forth. So the attacks are real and it does impact everybody. I'm sure people see it even happening at home. I get stuff from PayPal and Apple and you name it, I get attacked all the time, that I need to click on something to reset something, all the time. Staying on statistics, the reason why I asked Nate about the percent of attacks, I think it's still somewhere in the high 90s of all attacks that are coming in tend to be phishing, and that's somewhere in the high 90s, and as he mentioned, if you can protect services and your identity with 99.9, I mean that's significant, right? And the number one tool being MFA. There are some statistics we can share this out too. You know, for those that are listening, you probably won't be able to see this, but we can share it in the channel, and if you're interested we can find ways to get you the information as well. But there was the United National cyber security chief said that 80 to 90 percent of all attacks, not just email, all attacks, can be circumvented by having multi-factor in. So how we started out this meeting is what is it, what's the threat and what are you doing about it. Ultimately that's why we keep talking about multi-factor authentication. One last statistic, in case you're wondering, well sure, this has been something you've talked about for years, we've got it. Statistically there was 55 percent of all organizations have multi-factor enabled, only 55, so only half, and even in those cases a lot of times people are very picky and choosy on how they do it, so they may only do it with their tech team, or they may only do it with their administrators. And so a small number of organizations, I shouldn't say small because half is a significant number, but half still don't have it. So it's a major problem and it is still where we see most attacks coming from, and can be circumvented by putting multi-factor in place.

I have a question about that. You mentioned that there's over half organizations that don't have that. Why do you think that is? Like what barriers are they looking at to be like, I don't have time to do MFA? Talk a little bit more as to why that's the case.

I think that, right, your question answered one of them. They don't see that they have time to implement it, right? Often these are slightly lengthier engagements. It doesn't need to be complicated, but the more time you put into ensuring that it's a smooth process, the smoother the adoption is going to be. It's easy to just go into a system and say everyone has it on. That's where your user friction is going to come into play, and absolutely everyone is going to be upset that day as they are trying to sign into things. So user adoption is one of those items that you need to be pretty cognizant of when you're implementing it. There's also some additional strategies that you need to take in order to actually implement it successfully. So for example, if the user friction is "I don't want to put this code in every single time I'm logging in", you can do things to say, well, maybe let's bypass multi-factor from within the office, right? There is some residual risk there that maybe the organization is willing to accept, because for the most part, if someone does have the password and they are attempting to log in, it will likely come from outside of the office. That doesn't mean that maybe that user's computer is compromised and there's some type of script that calls in from internally, but again the likelihood is significantly reduced. So if your employees are constantly working from the office you could still bypass multi-factor. The larger you put that bypass, you know, maybe it's the state, the country, right, the bigger the risk becomes, but there are strategies that you can implement with that.

I'd say the other one is cost. So there's a lot of different multi-factor solutions out on the market. So if you're only looking at doing something like email, all of the major email providers now are implementing it or offering it for free, right? You can implement it in Office 365, G Suite, there's no additional cost. If you're looking to use some type of third-party service then you're going to start seeing those licensing costs for, you know, more of a per-user cost there. And then the other component that I would say is how far do you want to implement multi-factor across the organization, right? Todd mentioned that the most common one that's going to be abused is going to be your email system, so start there. Then you can start looking at other services as well, such as your VPN, critical business applications. Once you start wanting to implement multi-factor on those additional systems, that's where some of the paid services come into play, because they do extend out to additional services and different protocols. So user friction, cost, and maybe I think the other big one that I'll let Todd maybe expand on a little bit more is executive buy-in.

Yeah, I would say the two things that by far are the biggest thing that I see as resistance is, more often than not, when you go through it you are going to put a little bit of friction in between your employees and them getting work done. The typical pushback that you will get back from that employee is, I'm holding up my phone, this is my phone, the company doesn't pay for it, I'm not putting your business application on my phone. The reality is there are ways to start to build the adoption, right? So you can be a little forceful with it and you say, okay, great, well we're just going to give you a token, we're going to give you a business phone. And bear with me when I walk through some of this because I'm not actually encouraging you to go out and buy a hundred phones, but when you start to go, hey employee, I'm gonna give you two, I'm gonna give you a phone, and they've got their own personal one, they're gonna be like, I don't want two phones just to avoid putting in the six-digit code, and they'll usually adopt it. Or you give them a token and they're like, this is inconvenient, I have to make sure I have it with me when I'm logging in from home, I've got to go grab my keys because it's on my keychain, whatever the case may be. That's usually where they're kind of pushing back, and then inevitably what ends up happening is you go, okay, well here's a solution, here's a solution, here's a solution, and they're like, the reality is it's so convenient to just have it on my phone that I carry with me everywhere anyway, I'll just go ahead and do it. And the reality is it's not really all that complex. It's not a heavyweight thing, it's not dipping into any of your personal information, it's just an app and it's only doing a couple of things. It's either generating a six-digit code or longer, or it's pushing you with content that says, is this you? Nate's correct when it comes to executive adoption. It is inconvenient, a lot of people don't want to be bothered by it.

I'll give a good example, and as I said, multi-factor's been around for ages. Back many, many years ago, early 2000s, I had joined an organization and the very first thing I did was, our remote connections are really insecure, let's implement multi-factor. And I implemented it, and it probably lasted about a month before the CEO said, I can't stand it, turn it off. Now the security threats weren't nearly what they are today, but I learned a lot during that time too. So one of the strategies, or several of the strategies, Nate covered already: you start small. You start going, well, let's start with a small group that are my power users, maybe it's IT, and then you get a few other people that go, okay, it's working, it really isn't that bad, and you start to expand it. Or you lessen some of the security requirements. As Nate said, you can make an area trusted. Work is trusted, I've got the adoption in, people are getting used to the fact that when I'm at work I don't get prompted, when I'm at home I do, okay, it's not a big deal. And then you go, okay, we're gonna ratchet it up a little bit, we're gonna add another location, we're gonna add another application, we're gonna add whatever. And so you can continue to build on the security and you can get that buy-in just naturally. You know, probably many people have heard the term, and I don't mean this in a derogatory way, it's a bit about the boiled frog scenario. As you start to do it, they realize, you know, it really isn't that bad. Not that we're trying to boil our employees, but conceptually you just do it a little bit at a time and you're improving your security as you go.

So one last user friction that I wanted to call out, it's not as common but it does come up from time to time, is union policies. So if you want to have an employee start downloading an application on their phone or start carrying around a phone just for phone calls and stuff, sometimes union policies will say, well, you need to start reimbursing the employees for that. There is a cost associated with that, and so that definitely feeds into some of the other considerations. That's sometimes where hardware tokens come into play. You know, it's maybe a $20 hardware token, right, or that's a one-time cost, it's not recurring, so you can still implement multi-factor without having to start reimbursing for cell phones or paying for the phones. All right, it's one that I don't commonly hear, but on more of the production environments, and I'm not going to get deep into compliance here, but things like CMMC, right, it's starting to ask for multi-factor. CMMC tends to be a lot of the manufacturing firms where there's a lot of union employees.

So yeah, I'll expand on the compliance piece too. I mean, there's a lot coming. If you're in any compliance industry, healthcare, finance, you name it, as Nate mentioned, manufacturing, it's going to be something that you're probably already experiencing. As I mentioned, you know, you've been being prompted for an additional code from your bank for days, for weeks, months, years, whatever the case may be. It is coming. This is just me expanding a little bit, in my opinion, compliance is coming and it's going to be expanding over the next five years, so there are going to be reasons why you're going to have to adopt something like this. So if the threat of cyber attacks isn't enough, there are going to be other things, and you can already see it's happening. So this is why I'm saying it: if you look over the last year, the Biden administration had come out and said the cyber attacks are getting worse and worse, we're spending tons of money, we're constantly under attack, what are we going to do about it? They built out an executive order and they specifically say you gotta have MFA. If that's not enough, the insurance companies are doing it too. So if you're looking at cyber security insurance, and almost everybody's asking for it at this point, they're going to be looking for it as well. As I'm going down this compliance thing, I'll wrap this up real briefly and I'll pass it back to Nate, but as you're looking at the compliance thing, I was actually working with one of our customers and they were going through the insurance process, and they don't have any of the compliance from CMMC, healthcare, any of that, but the insurance organization had come in and they did what I would consider pretty much a full IT audit, where they were looking at data diagrams, they're looking at security protocols, I mean, everything. So I actually went on site and met with the insurance adjuster just to make sure that we covered all the information that we needed to cover, and it was significant, it took an hour, and obviously MFA is included in that. It's kind of the way life insurance used to be, where with life insurance you could just sign on the dotted line, off you went, you got a whole bunch of coverage, and that's changed over the years too, right? The underwriting is going, now I need blood work and I need to weigh you and I need health background and family history and yada yada. It's just gonna get worse is where I was going with it. And like I said, I was going to wrap that up quickly and I didn't, so I'll stop talking and pass it back to Nate.

Yeah, if I could interrupt for just a hot second, as we've kind of gone down the compliance path and all of these good things, kind of looking at, right, if you're having user friction and you're having people that are like, I don't want to do it, I don't have this code pushed to my phone, it's too much work, why is it effective at actually preventing these attacks? What is it doing for me? I'm like, yeah, I get it, I get the phone, I put it in and congratulations. So we're saying, yeah, it's 99 or over 99 effective. Why?

Yeah, good question there. Before I jump into that, while Todd was talking I decided to go look at our system here just to see how many of those password spraying attempts I saw in our system in the last 24 hours. It was just shy of 200 attempts, right? I can see the logs. So again, we're not a big company by any means, it happens all the time. So why is it so effective, right? So if I just called out there's nearly 200 attempts in the last 24 hours to password spray our environment there, the reason why it's so effective is even if a password is compromised, the threat actor is not going to have the other form of multi-factor, the second form or the third form of multi-factor, in order to get into the system. So I've showed this to people before, I say here's a dummy account, like a Gmail or something, right, here's the password, I'll give you 100 bucks if you can get into that, because I have the multi-factor keys here. It just doesn't happen. I've never paid someone out, because they would have to retrieve that file from me or that hardware token from me in order to get into place.

So where we typically see multi-factor fail is not the technology in itself, it's still the user. So there are websites that will try and capture the multi-factor token and pass it through to the legitimate site and then redirect the user, so they'll still log in, but it's the user who has fallen for a fraudulent website, still entered in their password and given up the multi-factor code, gave both of them to the attacker. Then the attacker just goes and logs in. And you know, there is a timing on these tokens where maybe they're good for five minutes, maybe they're good for 15 minutes. It allows for users to have a grace period to access their phone sitting on the desk, access the email, access the text message. So if you give it up right away and then you hand it over to someone, immediately they're going to use it first, right? I just worked with another organization where their multi-factor was a phone call, all right? So this is actually a pretty common attack method at the moment, it's called MFA bombing. So what you do is you just bug the user enough until they just say, I can't take it anymore, accept the phone call, and that was the phone call, that was the MFA prompt, and the attacker just logs in, right? So in the instance that I was looking at with that other customer, it was: attacker tried to log in, was prompted with a six-digit code, they weren't able to get that, so then they switched over to the backstop, which was a phone call, sent the user a phone call, it failed because the user didn't accept it, 30 seconds later sent another one, it failed, sent the next one, the user said I'm sick of this call, accept, and the attacker logged in.

So yeah, another one I'll throw in. We don't see this as often, and the end point of this is you still need training when you deploy the tool, but we have seen people that have deployed the push technology, so that is I log in and you get a push to your phone that says, was this really you? We have had people that have been attacked where someone was like, yeah, I just logged in, and they've allowed the attacker in even though they didn't personally sign in. So there is kind of a training aspect that goes with it.

One last thing that I kind of wanted to dive into. I know we talked about the threats and the attacks and whatnot, but as we're wrapping this up I just kind of wanted to re-illustrate some of the real concerns, and ultimately, we talked about compliance, we talked about the threats, we talked about all of that stuff. The reality is the reason behind that is because of the cost, and the cost is built up from a lot of different things. It's from the ransomware. If you get attacked from ransomware, ransomwares more often than not, nowadays they start around a million dollars and they start to get talked down to something real. It includes downtime, it includes unproductive employees, etc. Looking statistically, the last time I looked at it we were somewhere on average, so that's average across all SMB market, not, you're a bigger company you get bigger ransomwares, etcetera, it's about $500,000, downtime about two weeks. So that's fairly significant, and if I can deploy something like MFA and protect 90 to 99.9, it's something you really got to start to consider and go, boy, I can reduce my risk by $500,000 in a given year. That's probably something for a little bit of friction, a little bit of build up, we can find a way to move forward. It's a good way to start looking at it and thinking about it and go, where do we go from here?

Yeah, and the one thing that I'd add to that is the cost is going to be dependent on the application or system that the threat actor is obtaining access to, right? So Todd was mentioning ransomware. That could have been multi-factor on a VPN, for example, right? Someone had a compromised password, attacker gets into the VPN, most companies don't have a dedicated demilitarized or DMZ zone for VPN users, they just say once you pass through you have full access to the network. That's where those ransomware costs are going to come into play. It could be something like your email system, right, someone's in there just obtaining data, maybe it's a fraudulent wire transfer that they're trying to set up. Whatever that number is, it could be $10,000, it could be, I've dealt with the ones that are $500,000 wire transfers, right? It's just a matter of what are they accessing, what are the costs, and whatever the remediation costs are, I promise it's less, very sorry, I promise that it's far more than the cost of implementing multi-factor at the end of the day.

So yeah, so kind of as a last thought from me, and Nate can jump in on this too if he's got any, but the last thing I have is we did talk about sometimes there's friction, sometimes there's a technical hurdle, if you will, because there are ways to go about it, there's paid solutions, etc. Obviously if you need help, reach out to your trusted partners. There's a lot of help out there. Of course you can go do your Google searches as well. So in the end, when you need help, reach out to those that you trust and you can get some good support from.

Yep, I guess my final closing thought is everyone's scared of user friction, but in almost every case it ends up being more of a concern that doesn't always come to fruition, right? The impact is actually fairly minimal if you implement it correctly. So a lot of those concerns are unfortunately just not fully grounded based on facts, right, just feelings.

Awesome. Thank you so much, Todd and Nate, for sitting down and chatting about MFA and all of the things. And we could go into it, I'm sure that you guys would love to chat with anybody for an extended period of time about any of this, that we could tangent on a lot of things. But that wraps up our first Tech for Business podcast here today. If you guys have more questions that you want to ask Todd and Nate, feel free to reach out to info@cit-net.com or give us a call at 651-255-5780, or else we're also online at www.cit-net.com. But that's our little marketing spiel on there, that they're here to answer your questions anytime about any cyber security needs or technology for business, and we will chat with you guys next week.
2022-05-03