Multi-Factor Authentication (MFA) is now commonly a minimum requirement for cyber insurance. Stated bluntly: if MFA is not enabled in your computing environment, you are engaging in behavior so risky that insurance carriers will not offer cyber insurance coverage to your business.
If you are not familiar with MFA, you might be wondering:
- What is Multi-Factor Authentication?
- What MFA Controls Need to be Implemented?
- Why Has My Insurance Carrier Elevated MFA from a Recommendation to a Requirement?
- How Do I Implement MFA?
What is Authentication?
In the computing world, “authentication” is the process of verifying the identity of a user. When you log on to your computer, log on to applications or services, connect to a network, or request administrative access, you are typically asked to provide evidence that you are who claim to be. The authentication process then matches the evidence you have provided to a directory that specifies roles and permissions for users.
We are all familiar with using passwords as one form of authentication to gain access to computers, networks, applications, or other computing resources. We’ve been using passwords for decades.
The problem with passwords is that they can be cracked or discovered and distributed. (For detailed examples and illustrations read the blog post “Your Pa$$word doesn’t matter,” by Alex Weinert, Director of Identity Security at Microsoft.)
Without other controls in place, anyone who knows your password(s) can impersonate you and gain access to resources with all your privileges.
Relying on passwords alone to protect your business is risky. In fact, Bloomberg News recently reported that the absence of multi-factor authentication may have been the vulnerability that enabled the ransomware attack that shut down Colonial Pipeline.
“The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password… The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial’s network using just a compromised username and password.”
–Bloomberg Cybersecurity “Hackers Breached Colonial Pipeline Using Compromised Password”
What is Multi-Factor Authentication?
Multi-Factor Authentication adds another layer of protection, in addition to your passwords. It requires that a user provides multiple credentials (factors) to validate his or her identity. The factors used to validate identity typically consist of some combination of three things:
- Something you KNOW
- Something you HAVE
- Something you ARE
A password or an answer to a challenge question (“What is your mother’s maiden name?”) is an example of something that you know.
Something that you have could include a cell phone, a key card, or a USB dongle.
Finally, a fingerprint or other unique biometric identifier is an example of something that you are.
Sally logs on to her computer using a password that she knows and is immediately prompted by her cell phone to approve the log-in attempt.
John uses the fingerprint scanner to log into his computer and is also prompted to enter a time sensitive, 6-digit code provided to him via an application on his cell phone.
These processes are simple. The inconvenience is usually minimal.
What MFA Controls Need to be Implemented in Order to Qualify for Cyber Insurance?
Most carriers now require these MFA controls in place:
- Multi-factor authentication for remote networks
- Multi-factor authentication for administrative access
- Multi-factor authentication for remote access to email
MFA for remote networks reduces the potential for a network security breach caused by a cracked, lost, or stolen password.
MFA for administrative access limits an attacker’s ability to gain broader access to a compromised network.
MFA for email reduces the potential for access and control of corporate email accounts. Keep in mind that with access to a corporate email account an attacker not only has access to sensitive data contained in email; the attacker also likely has the ability to perform self-service resets of passwords that protect other services.
Why Has My Insurance Carrier Elevated MFA from a Recommendation to a Requirement?
Multi-factor authentication is extraordinarily effective. In fact, Microsoft famously reported, “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
If passwords are your only protection, a hacker can crack your password and immediately gain access to all services available to you. With MFA in place, that same hacker will also need access to your cell phone, a USB dongle, a one-time code, specialized knowledge, or your warm fingerprints in order to gain access.
MFA places an incredibly challenging obstacle before an attacker. Faced with this sort of obstacle, an attacker will likely move on to another attack vector or another target altogether.
Multi-factor authentication is an integral part of a zero trust security model. A zero trust security model (sometimes referred to as “perimeterless security”) is one that assumes that threats and bad actors may be present anywhere—not just outside of the network perimeter. Zero trust security aims to prevent a breach of perimeter security AND ALSO prevent a bad actor from enjoying lateral access to resources once inside the network perimeter.
Cyber attacks are on the rise in the COVID era. As Gina Raimondo, US Secretary of Commerce stated yesterday,
“businesses should assume that these attacks are here to stay and, if anything, will intensify. …some very simple steps, like two-factor authentication, having proper backups and backup technology, can be enormously helpful against a wide variety of these attacks. So it is clear that the private sector needs to be more vigilant, by the way, including small and medium sized companies.”
–Gina Raimondo, US Secretary of Commerce, on “This Week with George Stephanopoulos” ABC News.
Presumably, insurance underwriters agree. Small and medium-sized companies need to be vigilant. Insurance carriers now recognize that networks without MFA are exposed to significantly higher levels of risk than those that have MFA protections in place. With cyber attacks on the rise, MFA is now a requirement in order to be eligible for cyber insurance coverage.
How Do I Implement MFA?
Fortunately, there are many products and services available that enable you to protect your workforce with simple yet robust access security. EXP has a wealth of experience in evaluation and implementation of MFA solutions. Here are a few high-level recommendations:
Utilize Conditional Access Policy to Secure Microsoft 365
We have extensive experience implementing layers of security to protect hosted services. Microsoft has made great strides in enhancing security of their hosted services. Conditional Access policies available in Azure Active Directory (Azure AD) integrated products allow administrators to specify conditions (geographic location, trusted device, for example) and access controls (MFA) to prevent unauthorized access to services.
Deploy Access Security Tools to Control Access Security to Servers, Workstations, Remote Desktops
There are many products on the market that can help with implementation and administration of multi-factor authentication. We often recommend Duo MFA which, at a list price of $3/user per month, is a relatively inexpensive tool that will protect your workforce with simple yet robust access security.
EXP Technical’s cybersecurity experts are available to define strategy, implement solutions, write policy, and provide continuous administration of security services.
If you are in the early stages of implementation of multi-factor authentication, we are happy to serve as your guide.
If you are considering cyber insurance and are now faced with a Multi-Factor Authentication Attestation we are well qualified to evaluate the systems currently in place, implement new solutions where necessary, assist with technical attestation, and serve as your advocate to third party auditors, regulators, and underwriters.