Sagiss, LLC: January 5, 2023 at 3:43 PM
Multifactor authentication (MFA) is an effective tool for stopping unauthorized access to networks and websites, even if passwords are compromised. As with any other security measure, though, cybercriminals and threat actors are amazingly efficient at finding ways around the defenses.
Just ask the security teams at Uber, Cisco, and Microsoft, who watched as their employee accounts got compromised even with MFA in place. A group called Lapsus$ leaked 37 gigs of source code it stole from Microsoft after an employee fell victim to what’s increasingly being called “MFA fatigue.”
So, what is MFA fatigue, and how can you prevent it? We’ll explain, but first, let’s talk about the strengths and weaknesses inherent in multifactor authentication and why you may not be as secure as you think.
The increasing number of resources being deployed in the cloud, the move to increased use of SaaS platforms and on-demand instances, and the increase in remote and hybrid work environments create a complex infrastructure for most companies.
MFA is an essential cybersecurity tool, requiring users to validate the access request. With MFA, users enter their password and receive an authorization request through a separate channel. Usually that results in an email or push notification containing a randomly generated PIN or code for one-time use. Until the second authorization is acknowledged or the user types the PIN into the platform, the user cannot proceed with access to the site or application.
The key benefit of MFA is that hackers would not be able to access your systems even if they obtained usernames and passwords — unless they also had access to a user’s email or a physical device. Since more than 80% of cyber breaches are the result of weak or stolen passwords, MFA provides an effective additional layer of security over the traditional approach of username/password alone.
Effective, yes, but MFA isn’t a foolproof solution for protecting your systems and data. For example, in the infamous SolarWinds hack, attackers stole the private keys for single sign-on (SSO). These keys allowed them to bypass MFA altogether. More than 400 Fortune 500 companies used Orion, SolarWinds’ network management system (NMS) software, which put all of them potentially at risk.
Some companies still rely on multiple access passwords rather than PINs or push notifications. For example, they prompt users to prove their identity by providing answers to a series of “security questions.” This method has proven less effective as social engineering has become prevalent as a way of learning a person’s likely answers to questions such as pet names, first jobs, mother’s maiden name, and so on.
MFA can also be susceptible to:
Cybercriminals' newest attack, inducing or magnifying MFA fatigue, is almost low-tech by comparison, but it can be just as devastating to organizations if successful.
MFA fatigue may sound like a user simply getting weary of dealing with the extra steps required by MFA to access a site, an application, or data. However, the term means something entirely different. MFA fatigue is a form of social engineering used by hackers to prey on victims. MFA spamming and MFA fatigue attacks bombard users with requests to validate access attempts. Through email or push notifications, attackers overwhelm users with repeated prompts to authenticate access.
The goal of MFA fatigue attacks is not to get the user to disable MFA entirely, but rather to get the user to approve the notification (by entering their credentials) to make the incessant notifications stop. Once that happens, the attacker can use the stolen or compromised passwords to gain access.
Employees are common targets of this technique, as it is difficult for large corporations to keep track of activity across all accounts.
In some cases, attackers will follow up the repeated requests for authentication with emails pretending to be from IT support, asking users to take action.
Like everything in cybersecurity, securing your organization against MFA attacks requires a layered security approach.
Companies should review how they are deploying MFA. Security experts recommend disabling push notifications that simply ask to click to authenticate. Instead, requiring random numbers sent to a phone or a separate authentication app is more effective and makes it more difficult for attackers.
Limiting the number of authentication requests is another option. On some systems, you can limit the number of requests sent so that when employees see more than that number, they know something malicious is likely happening.
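One way to watch for the pattern described above in authentication logs, as an added example that is not part of the original article. The log format, the outcome names, and the threshold of three prompts in ten minutes are assumptions, and the sample log is constructed:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log: "<timestamp> <user> <outcome>". Not real data.
SAMPLE_LOG = """\
2023-01-05T02:10:00 alice push_denied
2023-01-05T02:10:50 alice push_denied
2023-01-05T02:11:30 alice push_timeout
2023-01-05T02:12:10 alice push_denied
2023-01-05T02:13:40 alice push_approved
2023-01-05T09:00:00 bob push_approved
2023-01-05T13:05:00 bob push_approved
2023-01-05T03:00:00 carol push_denied
2023-01-05T03:00:45 carol push_denied
2023-01-05T03:01:30 carol push_timeout
2023-01-05T03:02:15 carol push_denied
2023-01-05T08:00:00 dave push_approved
2023-01-05T11:00:00 dave push_timeout
2023-01-05T14:00:00 dave push_approved
2023-01-05T17:00:00 dave push_approved
"""

def parse(log):
    """Yield (timestamp, user, outcome) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, user, outcome = line.split()
        yield datetime.fromisoformat(ts), user, outcome

def detect_push_fatigue(log, max_prompts=3, window=timedelta(minutes=10)):
    """Return {user: finding} for users who received more than `max_prompts`
    push prompts inside a sliding `window`."""
    recent = defaultdict(deque)  # user -> prompt timestamps still in window
    findings = {}
    for ts, user, outcome in sorted(parse(log)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            # An approval in the middle of a burst is the outcome the
            # attacker is waiting for, so it outranks a plain burst.
            if outcome == "push_approved":
                findings[user] = "approved_after_burst"
            else:
                findings.setdefault(user, "burst")
    return findings

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

A "burst" finding is a reason to contact the user and reset the password; "approved_after_burst" means the session that followed the approval should be treated as compromised until proven otherwise.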
Identity and access management (IAM) solutions also help organizations centralize and automate the management of user accounts and privileges. An IAM solution, available through Microsoft 365, provides a central platform that lets you automate account updates/adjustments, helping you keep track of employee accounts.
IAM also helps restrict lateral movement within the network by ensuring users only have access to the systems they need to do their jobs. IAM can also prevent users from escalating privileges, a common tactic of hackers who have gained access to your system. The Cybersecurity & Infrastructure Security Agency (CISA) has plenty of examples of attackers using employee accounts or exploiting software flaws to gain access and escalate privileges.
Organizations also need to provide consistent end-user education to make users aware of the latest tactics that threat actors are using. In regard to MFA fatigue, this includes educating them to be on the lookout for:
An overwhelming number of data breaches are the result of human error. The World Economic Forum (WEF) study on global risks reports that 95% of all cybersecurity issues result from human errors. Hackers can compromise even the most secure environment without proper user training and reinforcement.
The goal of multifactor authentication is to make it much harder for attackers to steal credentials and use them to gain access. The best MFA solutions enforce a zero-trust approach when it comes to logins.
Strong MFA is an essential component of zero trust, adding a layer of security to data access. However, MFA is also only one layer in a comprehensive security approach. A holistic approach to zero trust across all networks, applications, and endpoints is crucial to optimizing protection.
Zero trust network access (ZTNA) requires all users and devices — inside a network’s perimeter or outside — to authenticate to gain access to networks and individual applications. Zero trust assumes a breach has occurred and takes proactive measures to limit exposure.
At a strategic level, ZTNA can establish, monitor, and maintain secure perimeters and endpoints within the network by forcing reauthentication at each endpoint or application.
The adoption of MFA can dramatically reduce the number of malicious logins. By adding another security layer, it can mitigate damage from stolen credentials. However, attackers continue to find new ways to exploit security flaws and act on human nature.
It takes a solid, comprehensive security strategy, robust identity access management, network segmentation, and end-user education to prevent attackers from launching successful MFA fatigue attacks.
Sagiss can help. We are a Managed Service Provider specializing in cloud management, security, and IT. Based in Irving, Texas, we serve clients across North Texas. Contact the security specialists at Sagiss today to find out more.