We are steaming through October’s cybersecurity awareness month. We have talked about how ignoring the everyday scams, malware and data grabs is detrimental to individuals as well as your organization’s risk posture. In fact, passwords are still the number one attack vector. Don’t think for a moment that the password problem has gone away.
In 2017, a Verizon report stated that 95% of web application attacks take advantage of weak or stolen user credentials.
Cracking weak passwords is normally a first port of call for a digital attacker. As most people are still unclear about how to create and remember complex passwords, it makes sense that an attacker take a few moments to run some dictionary attacks against a login system to see what pops up.
Just consider the most commonly used 12 passwords on this 2017 list:
So companies without a strong password policy within the office are likely to see their users use this type of easy-to-crack password. It is inevitable that individual workers will seek to simplify their day-to-day work. Without proper instruction on how to create a hard to crack password, your business cannot rely on this intrinsic barrier to unauthorized entry.
Even after Hurricane Florence, there were reports of a password spraying technique used, where attackers tried to take advantage of the disruption to attack thousands of inboxes with a single password to see if they could gain access to any of them. All they needed was to break into one to consider the attack a success.
Identity theft is an easy, low-risk, high-reward type of crime and a threat to all businesses. It is the fastest-growing type of crime and is now more profitable than drug-related crimes.
However, in the last few years, an additional authorization method has become much more available across personal and business services. That is multi-factor authentication, also known as two-factor authentication.
There are some clear advantages to adopting multi-factor authentication.
It works. Solely relying on a user to create a unique and complex password is considered by some to be an unrealistic expectation, especially when sensitive data is at stake. The idea behind multi-factor is to provide an additional barrier to entry, one that relies on different data points to authorize an identity. For example, using multi-factor authentication, the user’s attempt to access a locked account will require a passcode and fingerprint or code that was sent to another account or device. It requires that the attacker has access to both authentication methods in order to be granted access. As most attacks are opportunistic, like the password spraying example we glanced at earlier, having multi-factor authentication would stop most of these attacks, even if the password has been compromised.
Takes onus away from user. By introducing multi-factor authentication to access your services, administrators remove some of the dependence on the user’s behavior. This approach can be managed by IT. This is where you set how the multi-factor authentication will work. Combine this with password best practice training, and you have significantly strengthened your cyber defenses.
It supplements other security. Think about it: no matter what firewalls and anti-malware and fixed vulnerabilities you have. If an attacker gets hold of active, powerful user credentials, s/he effectively sidesteps your arsenal and walks in via the open door. multi-factor authentication makes this sidestepping much more difficult. See point 1.
Multi-factor authentication is not just for businesses and governments. Individuals ought to lock down every single web and application service with multi-factor authentication where it is available. This is especially important for key services, like email and social accounts. Most banks have already led the way in this regard, forcing users to adopt multi-factor authentication, where other services where they are not financially penalized for losing their data, make this security an option rather than a mandatory feature. The reasoning, it adds friction to on-boarding new users.
If you want assistance in helping you strengthen your cybersecurity posture, get in touch. We are here to help.