The Driver Behind This
Single factor authentication is like locking a screen door. Sure, you’ll keep out the small pests, but the neighbor’s German shepherd is going to get in. When an adversary gets into a network (or gets credentials from any number of data dumps), they’re going to capture credentials via any number of relatively easy methods (passive monitoring is second only to reviewing freely accessible anonymous file share). This allows an adversary the ability to move, largely undetected, throughout the network. If an organization is using single-factor authentication on their VPN or email, it’s not difficult to find weak passwords through password spraying. When done properly, you’ll never see it coming. Once the adversary finds those credentials, they’re now the insider – same permissions, levels of access, read/writes on shares, databases, etc. Because compromised credentials look like, well valid credentials.
Processes, Practices, and Activities That Address This Question
Any privileged user (e.g., root, domain administrator, database admin) should 1) be using a totally separate account and 2) be using Multi-Factor Authentication (MFA) to access that account. We commonly find privileged accounts being used to surf the web, check email or do non-privileged work with. You’re making it easier for the adversary. When a threat actor compromises that account, everything that account has access to, every privilege they have, the adversary will have it, too.
When it comes to VPNs and remote mail systems specially, yes, they can increase productivity – BUT they are a direct path into your organization (more on this later). Require MFA (and training on how it works) for anyone who is coming in via a VPN or accessing a web-based mail portal. This goes for remote workers but includes third parties as well – basically anyone who accesses your systems and data. Keep a current inventory of who has access, learn the behaviors of the remote users. If Alice and Bob work remotely and regularly access during core business hours, you shouldn’t see them logging in at 3am should you?
- “Making excuses on why not to do it – it costs too much or it’s too complex.”
- “Using solutions that only address a handful of systems – think holistically, find the best fit for your organization.”