In today’s world, we’re seeing more and more prevalence of vendors insisting that users implement a multi-factor authentication solution for their applications and systems. A lot of business leaders, especially those who are less technical, have difficulty understanding why they need these solutions.
There are many use cases for MFA and real-world scenarios that any business could find themselves in. To help make sense of it all from a business standpoint, I’ve written this article to explain what MFA really is, what types of attacks MFA addresses, and what types of scenarios MFA could be used in to better protect an organization.
What is Multi-factor Authentication?
When logging into company-based devices and applications, users typically have to authenticate in some fashion that they are who they say they are. Most commonly, this is done with a username and password. Through massive amounts of research, it has been proven that passwords are an incredibly weak layer of security.
Users often reuse passwords for multiple accounts; they use things they can remember (anniversary dates, dog’s name, the dreaded “Password12345”, etc.) and sometimes write them down to have a place to find them. It’s the most common factor of authentication, but one of the easiest to crack. Having a second or third factor of authentication significantly increases protection.
Microsoft and Google, some of the most-attacked platforms in the world, who each host billions of user accounts across their various services, have both gone on record to say that multi-factor will stop 99.9% of account attacks.
MFA is broken down into three major categories.
- Something you know (password)
- Something you have (smart card, cell phone)
- Something you are (fingerprint, facial recognition)
Having an MFA solution implemented means that two of the items above are used to fully confirm that the user or administrator is in fact who they say they are.
Now one might ask, why does it really matter, and what does this really protect from? The key attack vector that we’re trying to address with Multi-Factor Authentication is Identity-Based Attacks and I’ll go into that a bit below.
What is an Identity Based Attack?
An identity-based attack is when an attacker obtains a user’s credentials to perform malicious actions. The actions could go very far depending on the user’s level of access. The attacker could steal intellectual property, delete major pieces of systems, hold systems hostage, carry out actions as the user, etc. Using credential theft, the attacker can also move laterally to gain access to critical data away from their initial entry point and perform their attack.
Now that we’re through some definitions, it still may be difficult for many to put this into real-world scenarios that they or their users are in. I’ve built out several real-world examples that we have personally encountered at PEI with clients. For all examples, usernames have been modified for confidentiality (and because I’m enjoying coming up with these other names. What’s your favorite combo? Let me know in the comments below).
Example #1: Email Phishing Attack and Wire Transfer
Mufasa is the VP of Finance for a manufacturing company, authorizing a great deal of purchases, sales, and transfers for their partners and clients. Mufasa gets an email stating that he has a pending message from his own company’s Office 365 name, stating there is a message that was pending delivery and he needs to approve it.
He clicks the link to approve it (below is an example of one of those types of emails I received today, albeit not a greatly crafted one).
Once clicked, it sends Mufasa to an Office 365 login page (or what looks to be one). He puts in his credentials, and the link simply reroutes him to outlook.office.com where he doesn’t see anything waiting for him and assumes this was just an error.
This attacker (let’s call him Scar) now has Mufasa’s username and password to do with it as he pleases.
Scar logs into Mufasa’s Outlook account and begins investigating the type of mail he gets, the design of the Purchase Orders and Invoices, the number structure, and their common partners and clients.
Scar begins crafting his attack.
Scar logs in as Mufasa, sends a completely phony invoice to Mufasa’s purchasing manager, and sends this same invoice to expedite payment to their vendor. This invoice is using a new routing number that Scar has put in there.
Before the company even knows there’s been a breach, payment has been made and can never be retrieved.
In our client’s case, they lost $200K immediately.
Had the company had multifactor authentication in place, the second Scar tried to use Mufasa’s credentials, the real Mufasa would have seen an authentication prompt on his phone (or whatever the 2nd form of authentication was), and he would have known someone was trying to use his credentials.
Mufasa could then block the attempt, reset his account credentials, and go on with business as usual.
Example #2: Wireless Hijacking and MFA
Mr. Krabs is a small business owner who travels a lot to build his business and meet with prospective clients. Mr. Krabs is waiting for his flight at a small airport in Mississippi and wants to catch up on email.
He doesn’t have great cell service and sees a network called “Biloxi Public Free Wifi 5G.” He joins the network and logs into his Office 365 account to finish his correspondence before his flight.
Little did he know, the Biloxi airport didn’t build the 5G network and he just joined a network that an attacker (let’s call him Plankton) created. Plankton is using wireless hijacking to broadcast his laptop as a wireless access point.
The attacker monitored Mr. Krabs’ activity and then stolen his credentials.
Plankton then uses Mr. Krabs’ credentials to login to his Office 365 environment and send a piece of malware to his customers in a PDF that closely mimics typical PDFs sent by Mr. Krabs.
Plankton now has infected several of Mr. Krabs’ contacts with his malware, which the clients have tracked back to Mr. Krabs as the source, severely damaging Mr. Krabs’s relationships with his clients and losing his business.
Similar to the first example, if Plankton had tried to use Mr. Krabs’s credentials and MFA was in place, he would have been stopped at the gate with no harm caused.
Example #3: Disgruntled Employee Could Have Been Stopped with MFA
Brutus is a call center employee for an engineering company, and he constantly needs the IT team to help with his workstation. One day, their systems administrator, let’s call him Caesar, needs to help Brutus install some software on his workstation since Brutus doesn’t have local admin rights.
While in front of him at his keyboard, Brutus sees and writes down Caesar’s password, intending to use it only so he doesn’t have to go through the process of asking next time he needs to download something.
A month later, Brutus gets passed up for a promotion he felt he deserved and is fed up with the company.
Brutus uses Caesar’s credentials to login to their SharePoint environment, where the engineering department keeps its intellectual property.
Brutus decides to quit his job, but first downloads all of the files onto a zip drive and takes the credentials with him.
This IP makes its way over to a competitor’s company, rapidly advancing their product development and hurting the market strength of Caesar’s company.
After the fact, there is an internal audit, which points to Caesar’s account being the account that downloaded the files, leading to Caesar’s wrongful termination after the backstabbing Brutus is long gone.
With MFA turned on, Brutus would never have been able to use Caesar’s credentials to access any data, keeping the company’s IP safe.
Where to go from here? How to Get Started with Multi-Factor Authentication.
Hopefully some of these examples showed the benefits of how MFA can thwart attack attempts for your company. One of the biggest objections I hear for implementing MFA is not wanting to inconvenience the user–whether that’s the frequency of MFA prompts or any hinderance to working seamlessly from anywhere.
Multi-factor authentication is very easy for end-users to use, but even so, there are ways to implement MFA that limit the frequency of prompts and focus on actually risky sign-in attempts.
If you’re not sure where to start, watch this Ten Minute Tech Talk as as a first step. PEI and Microsoft have teamed up to answer the most frequent questions and concerns we get about multi-factor authentication and demo how Office 365 MFA would work for your users.
As a Microsoft Gold partner, our preferred platform is Azure Active Directory for MFA. We have the ability to set very granular conditions for MFA using Conditional Access or enable Security defaults, which is a set of basic identity security mechanisms recommended by Microsoft.
Azure AD Premium can also integrate 3rd party applications into Azure AD for single sign-on, creating a truly single identity source.
Hopefully this blog was beneficial, and if you’re interested in deploying MFA to your organization, we’d love to provide assistance. Feel free to reach out to firstname.lastname@example.org and ask for Martin, and I’d be happy to speak with you about how MFA fits into your security strategy!
Martin Feehan, Director of Client Relations