Is Multifactor Authentication Enough?

As more organizations are moving to multifactor authentication (see our reference article “Who are you…who who?”), cyberattackers are finding ways around the authentication method.  As reported in Dark Reading, cyberattackers are using objects called session cookies that are temporary text files that identify you when accessing a web site.  Because browsing is a stateless (every new request is independent of any previous request) environment, session cookies are needed to know who is making the request.  These cookies are deleted when you complete a session, like logging out of a bank website, or closing the browser.  However, if you have a session open and appropriate malware is downloaded, the information stored in the session cookies can be stolen and used to bypass the multifactor authentication process used to protect the targeted system.

The way to prevent this type of attack according to the Dark Reading article is to have software that detects the theft of the cookies.  Andy Thompson, global research evangelist at CyberArk Labs, said in the article that rather than pushing users to adopt password managers and MFA and call that sufficient, companies need to adopt some sort of endpoint control as well.

Talking about authentication, a blog post by SPECOPS, back in May of 2022, pointed out that just having password complexity requirements does not always mean that passwords are safe.  In research done by the organization, 83% of Known Compromised Passwords would satisfy regulatory requirements.  Some examples of compromised passwords listed in the post include:

  • Password1
  • qwertyuiop
  • 22pink22
  • ihatekitens
  • ihateapples

The recommendation on how to prevent password attacks that use a compromised password list is to validate passwords against an application that checks for this issue.  There are many such applications that can be found on the Internet that address this problem.

In May of this year, Cybersecurity authorities from the U.S., the U.K., Canada, the Netherlands, and New Zealand outlined some common practices that threat actors used to gain initial access to victim networks.  The advisory listed a number of “common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.”  Issues flagged by the advisory include the lack of multifactor authentication, lack of software patching, strong password requirements not implemented, and poor endpoint detection and response among others.  Mitigations recommended include access control measures, disabling or changing vendor supplied passwords and usernames, monitoring various system logs, employ a software patching methodology, and employ anti-malware programs.

A recent report by NordLocker, small businesses face the highest risks of suffering from ransomware in the U.S. and account for nearly two-thirds of all attacks nationwide.  The report also says that ransomware attacks worldwide targeted industries that play a “critical role” in domestic and international supply chains.  The report indicates that ransomware attacks “have grown exponentially” in reviewing databases of more that 5200 U.S. and international incidents form 2020 until January 2022.

Looking at all these problems and recommended solutions might give the small business owner the feeling that no matter what you do, it is not enough.  But I think of comparing cybersecurity like securing an automobile.  If they want your car, they are going to get your car.  However, if you take steps like not leaving the keys in the car, locking the doors and maybe having a car alarm, they will think taking your car is too much work and go onto another vehicle that is easier to steal.

Subscribe to our newsletter.

Never miss a new article by joining our mailing list!