This month we continue our discussion of Cybersecurity Awareness and layered defenses by taking a deeper look at each of the four topics mentioned last time (MFA, InfoSec Training, InfoSec Policies, and IR/DR). Multi-factor authentication (MFA) was at one time said to be 99.9% effective in stopping cyber-attacks.
As with all things cyber, malicious actors have since devised new ways to compromise MFA. Regardless, MFA remains highly valuable as part of a defense-in-depth strategy. Passwords are often reused across many different accounts, including personal ones, so a single leaked password can unlock several of them; a second factor means that password alone is not enough.
Tips for implementing MFA:
- Like any behavioral change, “Campaign and Train” your end users about MFA and the implementation to come
- Have a plan
- Start with Admin accounts
- Consider “conditional access”
- Measure and monitor
One final item to investigate in this area is compromised passwords. HaveIBeenPwned is a great, free resource for learning whether your accounts or passwords have appeared in known breaches.
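As an added illustration (not from the original article or from HaveIBeenPwned), the following Python shows how a compromised-password check against the HaveIBeenPwned Pwned Passwords range API works without ever sending the password itself: only the first five hex characters of its SHA-1 leave the machine, and the matching is done locally on the returned `SUFFIX:COUNT` lines. The range response body below is a constructed offline stand-in with invented counts and filler entries, so the demo runs without network access.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is queried, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (not used by the offline demo): returns the SUFFIX:COUNT body for a prefix."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in breaches, given the range body for its prefix (0 if absent)."""
    _, suffix = split_for_range_query(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to /range/5BAA6 (the bucket "password" falls in).
# The filler suffixes and all counts are invented for this example.
_, SAMPLE_SUFFIX = split_for_range_query("password")
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler entry
    f"{SAMPLE_SUFFIX}:12345",                 # the entry matching "password"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",  # constructed filler entry
])

if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-nobody-else-uses"):
        print(candidate, "->", breach_count(candidate, SAMPLE_RANGE_BODY))
```

Swapping `SAMPLE_RANGE_BODY` for `fetch_range(prefix)` turns the demo into a live check, with the same privacy property: the server only ever sees the five-character prefix.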