How Multi-Factor Authentication Can Bring Out the Best in Your Cyber Insurance Plan
Applying MFA helps you get the most out of your cyber insurance policy
By Greg Otto (At-Bay) and Yiftach Keshet (Silverfort)
It’s a simple premise: criminals want their jobs to be as easy as possible, so they go after any and every entry point they can access.
In our digital world, those entry points are credentials: the usernames and passwords that grant access to the systems that power our organizations. Credentials are highly desirable to cyber criminals, which makes them a constant target.
Cyber insurers have taken note of how important credentials are to an organization’s overall cyber security strategy. Most insurers now consider the protection of credentials — largely through multi-factor authentication (MFA) — a standard practice before granting coverage to an organization.
Although implementing MFA may seem simple, it is not a solution that can be rolled out with a few clicks. Security teams need to know the different types of MFA and how each fits into their own IT stack. They also need to understand how MFA interacts with their cyber insurance policy, since the policy may impose requirements that must be met for a claim to be paid.
In this blog, we explain the different types of MFA available, the nuances that can arise when determining how it fits into your organization, and how it can be a complement to your organization’s overall security strategy.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
Typically, MFA involves at least two of the following:
- Something you know (such as a password or a PIN)
- Something you have (like a physical card, a security token, or a mobile device)
- Something you are (biometric data, including fingerprints, voice recognition, or facial recognition)
By requiring factors from independent categories, MFA makes it much harder for an unauthorized user to gain access: a stolen password alone is no longer enough, and the attacker must also defeat a second factor that cannot be obtained from the same breach. That extra layer of identity verification is what reduces an organization's exposure to credential-based attacks.
There are several solutions that can be used as part of an MFA setup:
- Hardware Tokens: Physical devices used as a second factor. They either display a one-time password or plug in via USB or NFC (security keys) and answer a cryptographic challenge that is bound to the site's origin, which is what makes them resistant to phishing.
- Software Tokens: The same idea implemented in software. An authenticator app on a mobile device or computer holds a shared secret and generates time-based one-time passwords (TOTP), which are used together with a password or PIN for authentication.
- Smart Cards: A combination of hardware and software, smart cards are credit-card-sized plastic cards embedded with a computer chip. They securely store authentication data and can be used for physical or digital access control as an authentication factor.
- Biometrics: This type of authentication relies on unique biological characteristics of the user, such as fingerprints, retina or iris scans, facial recognition, or voice recognition.
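To make the "something you have" factor concrete, here is an added example (not code from the original post) of what a software or hardware OTP token actually computes and how the server side should check it: HOTP per RFC 4226, TOTP per RFC 6238, the otpauth:// URI an authenticator app imports, and a verifier that tolerates clock drift but refuses to accept a code twice. The shared secret is the RFC test-vector seed so the output can be checked against the RFC appendices; the account and issuer labels are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not code from the original post. The secret is the
# RFC 4226 / RFC 6238 test-vector seed, chosen so the codes can be checked
# against the RFCs; a real enrolment generates 20+ random bytes per user.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that authenticator apps import from a QR code.
    Account and issuer labels here are assumed values for illustration."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side of one enrolled token.

    Accepts the current time step plus `window` steps either side so a
    slightly drifted phone still works, compares in constant time, and
    refuses any step at or before the last accepted one so an intercepted
    code cannot be replayed while it is still within its validity window.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_step = -1  # highest time step already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        if not candidate.isdigit() or len(candidate) != self.digits:
            return False  # reject malformed input before any comparison
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= self.last_step:
                continue  # already used, or older than a used code: replay guard
            if hmac.compare_digest(hotp(self.secret, step, self.digits), candidate):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 appendix B vectors (SHA1, 8 digits) for the seed above.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1111111111, "14050471")]:
        print(t, totp(RFC_SEED, t, digits=8), "expected", expected)
    print(provisioning_uri(RFC_SEED, "alice@example.com", "ExampleCorp"))
```

The point a practitioner should take from the verifier: the secret never leaves the token, the server stores a copy per user (so that store needs the same protection as a password database), and the drift window must be paired with a replay guard, otherwise a code shoulder-surfed or phished a few seconds ago is still good.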
How Does MFA Work With an Insurance Policy?
An organization’s choice of MFA type depends on the level of security required, user convenience, the resources available, and system compatibility. When it comes to insurance policies, the industry type and level of coverage also play a role in determining what’s best for your organization.
While businesses can get some types of insurance without implementing MFA, any policy that covers a possible ransomware attack is highly likely to require MFA. Furthermore, organizations that fit into the following industry verticals are very likely to be required to implement MFA before a policy is agreed upon:
- Educational Services
- Financial Services
- Healthcare & Social Assistance
Additionally, levels of coverage will be contingent upon what services have been enrolled in MFA. These may include:
- Cloud Services
- Remote Access/VPNs
- Administrative Accounts
- Customer Portals
- Payment Systems
What Type of Attacks Can MFA Stop?
1. Credential Stuffing: An attack where automated tools are used to systematically input stolen usernames and passwords from one website or service into another, exploiting the tendency of individuals to reuse credentials across multiple accounts. An example is an incident in 2019 where thousands of Dunkin Donuts accounts were targeted using credential stuffing.
2. Phishing: An attempt by malicious actors to deceive someone into disclosing credentials by posing as a trustworthy entity through email, text message, or another communication channel. The infamous Target breach in late 2013 started after a third-party HVAC vendor was compromised via a phishing email, and the vendor's credentials were then used to reach Target's network.
3. Identity Theft: The act of stealing someone's personal information, including credentials, with the intent to impersonate or defraud the victim. Identity theft scams pair well with SIM swapping, where attackers take control of a target's mobile phone number by tricking or bribing the mobile carrier's employees into reassigning the number to an attacker-controlled SIM card. Once they hold the number, any one-time code delivered by SMS goes to them, which is why SMS is the weakest second factor.
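Credential stuffing has a recognizable shape in authentication logs: one source address, many distinct usernames, a failure rate near 100 percent, and occasionally a hit. The following added example (not code from the original post) runs that detection over a constructed key=value auth log and reports, per flagged source, the usernames that succeeded, which are the accounts whose password is now known to the attacker and which MFA is protecting. The log format, addresses (RFC 5737 documentation ranges) and usernames are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. 203.0.113.5 walks a stolen
# credential list (many distinct usernames, almost all failing, one hit);
# 198.51.100.7 is one user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=fail
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=fail
2024-03-01T10:00:02Z src=198.51.100.7 user=grace result=fail
2024-03-01T10:00:03Z src=203.0.113.5 user=carol result=fail
2024-03-01T10:00:04Z src=203.0.113.5 user=dave result=fail
2024-03-01T10:00:05Z src=198.51.100.7 user=grace result=success
2024-03-01T10:00:05Z src=203.0.113.5 user=erin result=fail
2024-03-01T10:00:06Z src=203.0.113.5 user=frank result=fail
2024-03-01T10:00:07Z src=203.0.113.5 user=frank result=success
"""


def parse_line(line: str):
    """Split one 'TIMESTAMP key=value ...' line into (time, src, user, result)."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["src"], kv["user"], kv["result"]


def detect_credential_stuffing(log_text: str, window=timedelta(minutes=5),
                               min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag source addresses that, within any `window`, attempt at least
    `min_users` distinct usernames with a failure ratio of `min_fail_ratio`
    or higher. Returns per-source stats for the latest qualifying window
    with the most distinct usernames, including usernames that succeeded
    (the accounts to lock and reset)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                stats = {"distinct_users": len(users), "attempts": len(win),
                         "failures": fails,
                         "hits": sorted({u for _, u, r in win if r == "success"})}
                if src not in flagged or stats["distinct_users"] >= flagged[src]["distinct_users"]:
                    flagged[src] = stats
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The thresholds are starting points, not truth: a shared NAT address at a large customer legitimately produces many usernames, so in production the distinct-user count is better normalized against that address's history. What matters for the MFA argument is the "hits" field: without MFA, frank's account is already lost at 10:00:07; with MFA enforced, the attacker has a password and nothing else, and the detection tells you which accounts need a forced reset.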
Best Practices for Setting Up MFA Inside Your Organization
Every organization will have a unique MFA implementation based on its specific needs, existing infrastructure, and security requirements. While some IT teams at growing organizations may consider MFA an impediment to employees doing their jobs, MFA has been shown to meaningfully reduce cyber security incidents at companies of all sizes without becoming a nuisance.
A well-known example of MFA's capability comes from Google. In 2016 the company published a study of its internal security-key deployment (Lang et al., "Security Keys: Practical Cryptographic Second Factors for the Modern Web") showing that security keys were well received by the company's 50,000 employees while also protecting internal assets.
Here are some key findings from that study:
- Authentication time was cut by two-thirds
- Authentication failures were reduced to zero
- Keys neutralized password reuse, phishing, and man-in-the-middle attacks, since the key signs a challenge tied to the genuine site's origin and a password alone is no longer sufficient
Additionally, Microsoft found that MFA can block over 99.9% of account compromise attacks.
When considering any form of MFA, organizations should look into:
- Identifying systems to protect: Assess the services, systems, and accounts that require MFA. Start by prioritizing critical systems and sensitive data that are at higher risk of being targeted.
- Creating policies and procedures: Apply device management practices so that only trusted devices can reach critical systems. Enforce policies that align with your insurance policy, including keeping devices current with security patches and firmware.
- Integrating with current systems: Apply MFA not only to remote access but also to internal access to critical systems and privileged accounts: VPNs, cloud services, email, administrative consoles, and other services used by employees, contractors, and third parties. Plan recovery in advance (backup codes or a second registered authenticator) for lost devices and authentication problems, and make sure the recovery path is no weaker than the primary factor, since attackers go after whichever path is easiest.
What Are Some Limitations of MFA You Should be Aware of?
While MFA can be a solid part of an organization's security plan once it is implemented, the implementation can be challenging when an organization relies on on-premises infrastructure. For example, on-premises Active Directory has no native MFA for Kerberos or NTLM authentication, so traditional MFA products can be difficult to integrate with older on-premises software. It is possible to add a third-party authentication layer, but there are upfront costs and configuration work involved.
While MFA adds an extra layer of security, it is essential to understand its weaknesses in order to properly safeguard your information. Prefer app-based MFA (such as Google Authenticator or Microsoft Authenticator) over SMS codes, which can be intercepted through SIM swapping, and prefer phishing-resistant factors (FIDO2 security keys) over app codes where possible, because a one-time code typed into a convincing fake login page can be relayed to the real site in real time. Also avoid logging in to sensitive accounts on shared, public, or untrusted devices, and make sure every account recovery option (email address, mobile number, etc.) is itself secured.
Additionally, an MFA strategy has to consider how to guard service accounts. These are automated, specialized accounts used by applications, systems, or services to interact with other resources or perform specific tasks within an IT environment. While directories like Active Directory provide a good way to keep track of accounts operated by people, organizations often refrain from monitoring service accounts or rotating their credentials, and because they authenticate non-interactively they usually cannot be enrolled in MFA at all. Attackers are aware of these tendencies, which leads them to target service accounts, particularly for lateral movement.
This problem is often exacerbated by changes in employment. If an IT administrator sets up service accounts and then leaves the organization, knowledge of how these sensitive, highly privileged accounts operate is effectively lost. If the IT staff has no way of monitoring the behavior of those accounts, there is a high probability that malicious activity tied to them will go unnoticed.
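Because service accounts usually cannot hold a second factor, the compensating control is behavioral: learn where and how each one normally authenticates and alert on departures. The following added example (not code from the original post) builds that baseline from a period believed to be clean and then flags service-account logons that are interactive, come from a host never seen before, or use a logon type never seen on a known host. The log lines are a constructed, flattened view of the fields a SIEM would export from Windows Event ID 4624, not the actual event schema; the account inventory, host names and timestamps are assumptions for the example.

```python
# Added example, not code from the original post. Constructed sample data:
# a flattened view of logon events as a SIEM might export them. Logon types
# follow Windows: 2 interactive, 3 network, 5 service, 10 remote interactive
# (RDP), 11 cached interactive.
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}   # assumed inventory
INTERACTIVE_TYPES = {"2", "10", "11"}          # a service account should never do these

BASELINE_LOG = """\
2024-02-26T02:00:00Z account=svc_backup logon_type=5 host=BACKUP01
2024-02-26T08:00:00Z account=svc_sql logon_type=5 host=SQL01
2024-02-26T08:05:00Z account=svc_sql logon_type=3 host=APP01
2024-02-27T02:00:00Z account=svc_backup logon_type=5 host=BACKUP01
2024-02-27T08:00:00Z account=svc_sql logon_type=5 host=SQL01
2024-02-27T09:12:00Z account=jsmith logon_type=2 host=WS-FIN-07
"""

# The day under review: the backup account is used over RDP from a finance
# workstation and then reaches a file server it has never touched.
REVIEW_LOG = """\
2024-03-01T02:00:00Z account=svc_backup logon_type=5 host=BACKUP01
2024-03-01T08:00:00Z account=svc_sql logon_type=3 host=APP01
2024-03-01T13:41:00Z account=svc_backup logon_type=10 host=WS-FIN-07
2024-03-01T13:44:00Z account=svc_backup logon_type=3 host=FILESRV02
"""


def parse(log_text: str):
    """Yield one dict per 'TIMESTAMP key=value ...' line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            ev = dict(field.split("=", 1) for field in rest.split())
            ev["time"] = ts
            yield ev


def build_baseline(log_text: str) -> dict:
    """Record, per service account, the hosts and logon types seen during
    a period believed to be clean."""
    profile = {acct: {"hosts": set(), "logon_types": set()} for acct in SERVICE_ACCOUNTS}
    for ev in parse(log_text):
        if ev["account"] in profile:
            profile[ev["account"]]["hosts"].add(ev["host"])
            profile[ev["account"]]["logon_types"].add(ev["logon_type"])
    return profile


def find_anomalies(log_text: str, profile: dict) -> list:
    """Return (time, account, reasons) for every service-account logon that
    is interactive, comes from a host absent from the baseline, or uses a
    logon type absent from the baseline on a known host."""
    alerts = []
    for ev in parse(log_text):
        acct = ev["account"]
        if acct not in profile:
            continue  # human accounts are out of scope for this rule
        reasons = []
        if ev["logon_type"] in INTERACTIVE_TYPES:
            reasons.append(f"interactive logon (type {ev['logon_type']}) by service account")
        if ev["host"] not in profile[acct]["hosts"]:
            reasons.append(f"never-before-seen host {ev['host']}")
        elif ev["logon_type"] not in profile[acct]["logon_types"]:
            reasons.append(f"new logon type {ev['logon_type']} on known host")
        if reasons:
            alerts.append((ev["time"], acct, reasons))
    return alerts


if __name__ == "__main__":
    for when, acct, reasons in find_anomalies(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(when, acct, "; ".join(reasons))
```

Two design notes. The baseline is only as clean as the period it was built from, so it should be reviewed by someone who knows what each account is for, which is exactly the knowledge the paragraph above says walks out the door with the departing administrator. And the interactive-logon rule does not depend on the baseline at all: a service account logging on at a console or over RDP is wrong regardless of history, and is a cheap, high-signal rule to deploy first.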
A Multi-Factored Security Strategy
For a security strategy to work, it must be multi-faceted and holistic. Both MFA and cyber insurance belong in that strategy, as both aim to reduce the risk and impact of cyber threats. They complement each other, one through risk reduction and the other through due diligence and a financial backstop, and together they strengthen an organization's broader security strategy.
MFA can be a vital part of an organization's front-line defense, stopping credential-based attacks before they succeed. Additionally, an InsurSec approach, which pairs cyber insurance with active security services from the insurer, can provide proactive warnings about an organization's security posture and a safety net in the event of a breach. Used together as part of a comprehensive security strategy, these measures help organizations diminish the chances of a devastating cyber attack.