Security vendors and professionals have been proclaiming that the perimeter is dead for years. The concept of an “inside” and “outside” of the network, where the primary goal was to implement a perimeter defense to keep the two separate, was eroded by mobile devices, cloud computing, virtual machines, containers, and SaaS (software-as-a-service) applications. However, the situation we have now, with entire companies working from home in response to the COVID-19 pandemic, puts the lack of a perimeter in a completely new perspective. Organizations must now address the challenge of streamlining remote productivity without sacrificing security.
One solution for improving security is to strengthen the identity verification process using two-factor (2FA) or multifactor authentication (MFA). In Part 1 of this series, we addressed what MFA is, how it can be an effective defense against credential harvesting and phishing attacks, and how attackers are already developing new techniques to bypass basic MFA. In Part 2, we went into more detail on some of the MFA attacks that we are seeing and provided some recommendations on how to minimize those risks.
Embracing the New Standard
When employees are logging in at the office, they tend to use standardized, company-issued devices that are connected to a designated range of IP addresses that the company manages. That alone does not make them impervious to attack, but it makes it much easier to verify identity. The challenge of verifying that a user is who they claim to be and preventing credential harvesting attacks is significantly more complex when you’re dealing with a workforce that is running from diverse geographic locations and a range of devices.
Most companies intend to return to the office at some point, but right now it’s anyone’s guess when that might be. Many states and businesses have extended stay-at-home orders for months—some through the end of 2020. There are also a handful of very large companies that have announced that they are adopting work-from-home on a permanent basis. Whether companies continue working from home for another month or embrace this model long term, this is the new normal and IT security teams need to have tools and processes in place to maintain security.
In Part 2, we provided a number of recommendations to help you minimize your exposure to risk from services using weak, legacy MFA implementations. Since then, conversations with our customers about best practices learned from their deployments, and about how to effectively implement SSO and MFA, have given us more guidance to offer to help you stay secure.
Approval Process for MFA
Before you introduce or scale up availability of MFA for your remote workers, make sure you have a process in place to approve and register users. Some organizations have allowed users to register themselves without including a time restriction and threat actors have managed to jump ahead of the legitimate user and register for MFA on the user’s behalf using publicly available credentials to infiltrate and establish persistence. Don’t make the process unnecessarily complex or cumbersome—because then users are unlikely to use it at all—but make sure you have a way to ensure the user registering for MFA is verified.
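The following is an added illustration of the approval step described above, not code from Set Solutions or from any MFA product: an administrator (or help desk, after verifying identity) issues a short-lived, single-use enrollment grant bound to one user, and an enrollment attempt with no open grant, a grant for a different user, an already-used grant, or an expired grant is rejected and logged for alerting. The class, method and field names are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class EnrollmentGrant:
    user: str
    expires_at: float   # unix time after which the grant is no longer valid
    used: bool = False  # grants are single-use


class MfaEnrollment:
    """Admin-approved, time-boxed MFA enrollment (illustrative model, not a product API)."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                           # injectable for testing
        self.grants: dict[str, EnrollmentGrant] = {} # keyed by sha256(token)
        self.enrolled: dict[str, str] = {}           # user -> enrolled device id
        self.audit: list[str] = []                   # lines a SIEM rule could alert on

    def approve(self, user: str) -> str:
        # Issued only after the requester's identity has been verified out of band;
        # the token is delivered to the user on a channel the attacker does not hold.
        token = secrets.token_urlsafe(24)
        self.grants[self._fingerprint(token)] = EnrollmentGrant(user, self.clock() + self.ttl)
        return token

    def enroll(self, user: str, token: str, device_id: str) -> bool:
        grant = self.grants.get(self._fingerprint(token))
        if grant is None or grant.used or grant.user != user or self.clock() > grant.expires_at:
            # No open, matching, unexpired grant: the self-registration race the text
            # describes is closed here, and the attempt is recorded for investigation.
            self.audit.append(f"REJECTED enroll user={user} device={device_id}")
            return False
        grant.used = True
        self.enrolled[user] = device_id
        self.audit.append(f"ENROLLED user={user} device={device_id}")
        return True

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked grant table cannot be replayed as tokens
        return hashlib.sha256(token.encode()).hexdigest()
```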
Limit Remote Access
You can limit your attack surface and exposure to risk of MFA attacks by limiting who you grant remote access to in the first place. With the COVID-19 quarantine and users working from home en masse, the number of users with a legitimate need for secure remote access has grown exponentially, but that doesn’t necessarily mean that every single user needs MFA access. Consider the role of the individual user and the applications and services they need access to in order to do their jobs to determine whether MFA access is necessary.
Implement FIDO / U2F Strategically
Implementing FIDO / U2F across the company would be ideal, but the COVID-19 quarantine took most companies by surprise. If your organization is not prepared to support FIDO / U2F on such a massive scale, consider applying it strategically to specific personnel who are more likely or higher-value targets for attack. Start with executive leadership and individuals with access to very sensitive or highly confidential resources to ensure they have the best protection possible. You can continue to roll out FIDO / U2F across the company over time, but start with the individuals who pose the greatest risk.
Enabling Secure Access for a Remote Workforce
Set Solutions is teaming up with Okta for an informative Lunch & Learn session on the challenge of protecting the “front door” in a work-from-home world. We will cover a range of information on multifactor authentication, and how to secure apps with a highly available, on-demand authentication system while also staying focused on the experience of the end user.
Contact your Account Manager to join us or fill out the form online.