
What’s the worst that can happen?
Most organizations have realized that multi-factor authentication (MFA) provides a potent level of security that, when coupled with strong password policies and other security controls, significantly reduces the risk of exposed assets being exploited.
Unfortunately, many organizations still hesitate to deploy MFA for all users and all possible systems within the organization.
They worry that it:
- May be an imposition on users
- May be costly to implement
- May interrupt the normal flow of business
Others also feel that enabling MFA just to protect remote access is all that is necessary. While these may be valid concerns, there is an even greater risk that most organizations haven’t considered.
The Process
Sadly, it is no longer uncommon to hear of yet another company that was compromised and had its data exposed. This happens through various techniques—vulnerability exploitation, social engineering, password capture, and other methods.
Organizations protect themselves by implementing various controls – patch management, user training, password management, MFA, and network-level monitoring. Each of these controls plays a critical role in identifying, stopping, and limiting an attack.
Attackers exploit loopholes or gaps in coverage to gain unauthorized access to a network. This is made easier if MFA is not enforced and often allows the attack to go unnoticed.
The Hidden Risks
Once the attacker has gained access to an environment and administrative credentials, they can do some real damage. The attacker will have free rein within the network to do anything local administrators can do. This includes making new accounts, establishing persistence, copying/exporting data, and deleting critical data like backups and audit logs.
This ALSO lets an attacker enable and enforce MFA for all the users of a system or service. They can force the MFA registration to a device they own, preventing legitimate users from accessing the environment to undo the damage.
The very tool that can keep an attacker out can now be used to keep YOU out. This makes recovery significantly more difficult and increases the damage done by the attacker.
The Damage
Imagine coming to work and hearing the news that your company has been hit with ransomware. You initiate your Incident Response plan and start assessing the damage. You try to log in to your firewall only to find it’s asking for an MFA token that you don’t have. You then go to your SIEM and it’s also asking for an MFA token. Same with your Anti-Virus portal, Data Backup solution, and Cloud Services.
Not only are you unable to access local computers, but you’ve also lost access to the systems you would use to identify the activity and the nature and scope of the security event. This adds additional, costly, and time-consuming steps to the recovery process.
Conclusion
Enabling MFA for ALL systems, services, and accounts significantly reduces your risk of a successful compromise. This is even more critical for accounts with administrative access.
Consider:
- Internal systems
- Email platforms
- SaaS applications
- Cloud accounts
- Social Media accounts
If accounts are shared, then using a password manager that stores the time-based one-time password (TOTP) secret can help preserve access to these accounts and prevent an attacker from locking you out.
Next Steps
If you don’t have a password manager or aren’t sure if MFA is enabled for EVERYTHING possible in your environment, please reach out to us and let us help protect your access and assets.
Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.