There’s a new trend in cybercrime: why go to the trouble of hacking systems when you can exploit compromised login/password credentials to just log right in?
Passwords Aren’t “Safe”
Research from Verizon and others indicates that over 80% of data breaches resulting from cyber attack were perpetrated using compromised credentials. Weak passwords are painfully easy to crack and vast repositories of stolen credentials are available on the dark web. If those approaches don’t work, credential stuffing attacks are increasingly easy, effective and prevalent, thanks to prebuilt kits and relentless credential harvesting attacks.
Identity and authentication is the new front line of IT security
These days, no password is “safe.” Identity and authentication is the new front line of IT security, and defending that line with passwords alone is like taking on a tank with a pitchfork. Hackers will breach your perimeter with relative ease, then move laterally around your network prospecting for privileged accounts and credentials that lead to critical systems and data.
Recognizing their exposed posture, 80% of US businesses expect a critical breach in 2019. In response, regulations like PCI DSS, NY DFS, NAIC, NIST, and the EU’s PSD2 framework and GDPR, are requiring stronger controls, including multi-factor authentication (MFA) based on robust techniques like public key cryptography.
For example, NY DFS mandates that MFA must be used when accessing internal networks from an external network, unless equivalent or even stronger controls are in place. Similarly, NIST Special Publications (SP) 800-171 requires robust MFA for government contractors, who face fines and loss of contracts for non-compliance.
Organizations Need to Act
With policies rapidly becoming stricter on MFA and also raising awareness about best practices, now is clearly the time for organizations to add MFA and other strong authentication solutions to their access controls—and more and more are doing so.
Popular 2FA and MFA options currently include:
- A hardware token, fob, smart card or chip
- 2FA smartphone apps
- One-time passwords (OTPs) delivered via a mobile authenticator app, voice call, text or email
- A fingerprint, facial recognition or other biometric identification factor
- PINs, security questions and other knowledge-based methods
- FIDO security keys
- “Adaptive” MFA (including “cloud MFA”) that combines strong passwords with multiple additional factors like tokens, biometrics, IP address and geofencing/geolocation, along with device health and risk analysis algorithms.
The growing range of new and established MFA technology is helping to simplify both implementation and adoption. But no single approach works for every use case, and the technical issues and options can be daunting. Integrating MFA into the overall security strategy can be a further challenge.
If you’re thinking about MFA and would benefit from expert guidance to help you identify risks and requirements, frame key questions for vendors and otherwise support your due diligence, contact Pivot Point Security.