Issue 5: Bullet-proofing credential management through multi-factor authentication

by Smart Grid Forums on March 12, 2021

Cyberweekly No.5

According to recent research cited by Microsoft and Google, over 80% of hacking-related data breaches involve stolen or weak passwords. And yet over 99% of automated account-compromise attacks can be blocked simply by enabling multi-factor authentication (MFA).

So, how effective is your organisation’s current credential management policy and practice? Do you have an enterprise-wide password management system in place ensuring that every single one of your users applies a unique, randomly generated password to each of your IT and OT doorways? Is this system backed by multi-factor authentication, so that a stolen or phished one-time code is only usable for a window of 30 to 60 seconds rather than indefinitely? Is your MFA fully adaptive to changing user, system, location and business needs, in light of work-from-home and bring-your-own-device trends?

If the answer to any one of these questions is currently ‘no’, you most definitely have some work to do, but you are certainly not alone! With the SolarWinds compromise of US government systems still fresh, and the weak password ‘solarwinds123’ reportedly found protecting one of the company’s own servers, there is no better time to bullet-proof your credential management and send your would-be hackers into early retirement!

But first, there must be radical acceptance that securing your accounts with a password alone is no longer adequate. Today’s best practice in credential management recommends three core elements to a bullet-proofed strategy: 1) a long, randomly generated password for every account, created and stored by an encrypted password manager so that no password is ever reused; 2) a second factor, either an authenticator app generating time-based one-time passwords (TOTP, typically six digits rotating every 30 seconds) or a FIDO2/U2F hardware key such as a Google Titan or a YubiKey, which answers a cryptographic challenge bound to the site you are logging in to rather than producing a code you type; 3) biometrics that are unique to the user, used to unlock the device or key rather than transmitted to the service.

And do not rely on SMS-based MFA, as we now know that SMS codes are comparatively easy to intercept, both through social engineering of the mobile phone company into activating a SIM swap, and more directly through attacks on the SS7 signalling network that reroute text messages to an attacker. Instead, there is a host of MFA mobile apps and hardware keys that are far harder to bypass, massively boosting your infrastructure security, protecting your data privacy and maintaining your workforce productivity. One caveat a practitioner should keep in mind: a TOTP code from an app can still be relayed by a real-time phishing proxy within its validity window, so for the highest-value accounts a FIDO2/U2F hardware key, which refuses to answer for a look-alike domain, is the stronger choice.

Please enjoy this week’s selection of news, views and resources below, and feel free to share this newsletter with colleagues in other departments, and peers in other organisations.

Kind Regards,

Mandana White
CEO | Smart Grid Forums

News, Views & Resources

BENCHMARK REPORT: Duo Security. Two-factor authentication evaluation guide.
Two-factor authentication is the simplest, most effective way to make sure users really are who they say they are. It protects your applications and data against unauthorised access due to credential theft by verifying your users’ identities before they access your data. But not every two-factor solution is the same. In this guide you will get: a comprehensive set of criteria to customise your evaluation to your organisation’s needs, an overview of the hidden costs of a two‑factor solution and how to determine your return on investment (ROI), what to look for to ensure your solution can protect against the risk of a data breach, a list of resources needed to deploy, provision and integrate your solution, an overview of the different strategic business initiatives, and how your solution fits into them.
To download the report, click here!

MARKET REPORT: Ping Identity. Enable seamless secure access, with adaptive authentication and authorisation
Whether you’re managing employee, partner or customer identities, adaptive control over user authentication and authorisation has become a necessity. Given the risks and costs associated with an attack or breach, it’s more important than ever to move beyond passwords to a more secure and flexible form of authentication. Adaptive authentication and authorisation allow you to evaluate contextual, behavioural and correlated data to make a more informed decision and gain a higher level of assurance about a user’s identity. As attack vectors become more sophisticated, adaptive policies allow you to strengthen your security posture. Adaptive authentication and authorisation controls can reduce your attack surface by automatically requiring a higher level of assurance for users authenticating from certain IP addresses or geolocations.
To download the report, click here!

ETHICAL HACKER E-BOOK: KnowBe4. 12 ways to hack multi-factor authentication.
While MFA reduces, and in some cases significantly reduces, particular computer security risks, most of the attacks that succeed against single-factor authentication can also succeed against MFA solutions. This white paper describes over a dozen different ways to hack MFA solutions and how to defend against those attacks. In order to understand the different methods used to hack MFA, it helps to understand the basic components of authentication and MFA.
To download the e-book, click here!

ON-DEMAND WEBINAR: KnowBe4. 12 ways to defeat multi-factor authentication.
Watch Roger A. Grimes, KnowBe4's Data-Driven Defence Evangelist and a security expert with over 30 years’ experience, in this on-demand webinar in which he explores 12 ways hackers can and do get around your favourite MFA solution. The on-demand webinar includes a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick, and real-life successful examples of every attack type. It ends by telling you how to better defend your MFA solution so that you get maximum benefit and security. You'll learn about the good and bad of MFA and become a better computer security defender in the process, including: 12 ways hackers get around multi-factor authentication, how to defend your multi-factor authentication solution, and the role humans play in a blended-defence strategy.
To watch the webinar, click here!

YOUTUBE VIDEO: ScottiesTech.Info. The truth about two-factor authentication.
It's everywhere these days: 2FA (two-factor authentication). More and more, you must use something more than just a password to secure your online accounts. Some sites, like PayPal, are apparently requiring 2FA for everyone. So, what types of 2FA are there? Do you have to use a smartphone? Is there an alternative to SMS-based 2FA? And most importantly, is it that much safer? Finally, I reveal the other reason why everyone is pushing 2FA so much - and it doesn't have anything to do with your security or privacy!
To watch the video, click here!

CyberAware Webinar Series


Topics: CyberAware