Think that 2-Factor Authentication (2-FA) is keeping you safe? Think again!

As I’ve been talking with IT teams over the past few weeks, I continue to hear numerous people telling me that 2-factor authentication is keeping them and their users safe.

Hearing leaders in IT say this concerns me. 2-FA is a good solution, but by itself it is not going to keep anyone secure. I want to redirect the conversation toward getting the people on your teams to think about what we can do to make sure 2-FA is effective.

Why am I so concerned about 2-FA?

Remember, way back last year before the pandemic hit us without warning, that MSP based in the Denver area whose dental practice clients all got infected with ransomware (Sodinokibi, to be exact)?

The way hackers got onto that network was through misconfigured 2-FA.

It turns out that a technician at Complete Technology Solutions (CTS)—the Englewood, Colorado-based MSP that was hacked last December—had turned off 2-FA. The attack went through software that did not have 2-FA turned on.

I fear this could happen to you…

I fear a story like CTS could happen to your team, too. And I have the data to prove it.

A large number of MSPs I’ve audited have had technicians store passwords in less-than-secure places on their network—passwords leading to all sorts of data treasure troves: passwords to RMMs, CRMs, accounting software, O365 and other software.

What most respond with when I hand over a list of cracked passwords is 2FA: ‘There’s no way we’re in jeopardy, because 2FA is set up!’

2-Factor Authentication is definitely a great addition, and I agree that it should be used wherever possible to help protect users and businesses, but it is not in and of itself your security. Even more, it is not guaranteed.

Not guaranteed?

When you say, ‘I have 2-FA, I’m secure!’, you are assuming that your 2-FA is (1) turned on and (2) configured properly to protect all of your accounts on a platform.

When I talk to leaders, they test their own accounts (never their technicians’). When I ask about shared accounts or shared logins, I never really get an answer about 2-FA.

In a large proportion (nearly 60%) of cases where MSPs have been hacked, 2-FA is partially to blame, and it’s not from 2-FA inherently failing: it’s from someone either turning it off or not setting it up correctly. That’s why, in my opinion, there is no guarantee when you use 2-FA.

Could you imagine waking up in the middle of the night to one of your engineers alerting you that all of your servers are offline? And then, a half hour later, emergency calls from some of your best clients wanting to know how long their systems will be down (not even knowing yet that their networks were infected)?

How much would you bet on your 2-FA working? Would you guarantee it working enough to wager your clients and your business continuity?

Is everything really working the way you expect?

The problem with a lot of IT systems—and I use 2-FA here simply because it is one people lean on quite a bit and expect to work, even when their other controls, like password hygiene, are admittedly not keeping their data or network very secure—is that we trust too much.

We expect things to work, just as our clients do. The big problem is that technology NEVER works this way (I’m sure you’ve experienced something in the last month or two that blew up and that you didn’t want to have to fix). Problems with technology pop up all the time; what makes 2-FA any different?

Right now there are nearly a half dozen popular ways for hackers to bypass 2-FA—even when you have it working properly. What makes you so sure it’s your saving grace?

They are breaking into O365 accounts—bypassing 2-FA—through legacy protocols, Exchange protocols and Directory Federation Services.

They are bypassing SMS authenticators through brute-force attacks, just as they would your passwords (if they already know your passwords, all they need is one brute-force attack!).
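
To show why an SMS code is only as strong as the verifier behind it, here is an added illustration (not code from the original post or from any vendor named in it): a naive verifier that lets wrong guesses pile up indefinitely, beside a hardened one that expires the code and burns it after a handful of failures. The class and function names, the 5-attempt cap and the 300-second lifetime are all assumptions chosen for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6  # a typical SMS code: only 10**6 possible values


def new_code():
    """Random zero-padded numeric code, as an SMS authenticator would send."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class NaiveSmsVerifier:
    """Weak pattern: the code never expires and wrong guesses are unlimited,
    so a guesser is never more than 10**6 attempts away from a match."""
    def __init__(self, code=None):
        self.code = code or new_code()

    def verify(self, guess):
        return hmac.compare_digest(self.code, guess)


class HardenedSmsVerifier:
    """Mitigations: the code expires, it is single-use, and a small number of
    wrong guesses burns it, so a guesser gets max_attempts tries, not 10**6."""
    def __init__(self, code=None, ttl_seconds=300, max_attempts=5, clock=time.time):
        self.code = code or new_code()
        self.clock = clock            # injectable so expiry can be tested offline
        self.issued_at = clock()
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.failed = 0

    def verify(self, guess):
        if self.failed >= self.max_attempts or self.clock() - self.issued_at > self.ttl:
            return False              # burned or expired: a new code must be issued
        if hmac.compare_digest(self.code, guess):
            self.failed = self.max_attempts   # single use: burn on success as well
            return True
        self.failed += 1
        return False


def guess_budget_success_probability(guess_budget, digits=OTP_DIGITS):
    """Chance that a blind guesser with guess_budget tries hits one fixed code."""
    return min(1.0, guess_budget / 10 ** digits)


def still_accepts_after_wrong_guesses(verifier, wrong_guesses):
    """Test harness: submit wrong_guesses bad codes, then the real one."""
    real = verifier.code
    for i in range(wrong_guesses):   # constructed wrong codes, never equal to real
        verifier.verify(f"{(int(real) + 1 + i) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}")
    return verifier.verify(real)
```

The difference to audit for in a real deployment is the second verifier's behaviour: after the attempt cap, even the correct code is refused until a fresh one is issued.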

They are using PowerShell scripts or the console to break past Duo’s authenticator. Duo has even admitted that in some cases its authenticator does not work (depending on device and configuration settings).

They are using man-in-the-browser attacks against your web-based applications.

The list goes on from here, and as research grows in the 2-FA/MFA domain within cybersecurity, be assured that hackers are watching.

If Complete Technology Solutions could be hacked through 2-FA vulnerabilities, what sets you apart?