Despite all our network security efforts, attackers continue to compromise our private data and systems at an alarming rate. What’s worse, they do this using the same chain of steps. They find some way to get access to the internal network, they find a way to navigate around the network, they elevate their privileges and, voilà! They can toy with your data and systems to the level of their expertise and rapaciousness.
The thing is, if we can break any one of these steps, we can most often keep the attackers from reaching their goals. And one of the most useful and available tools out there to help organizations disrupt the chain is multi-factor authentication (MFA). MFA can be very effective in preventing initial access to the network. It can also be very effective in preventing elevation of privileges and, therefore, can help prevent attackers from navigating around the network. Because of this, we at MicroSolved plead with all of our customers and readers to employ MFA to the fullest possible extent.
Certainly, users should be required to employ MFA when accessing the network remotely. This is necessary to prevent attackers who have accessed users’ credentials from getting that initial foothold on the network. I personally advocate using MFA for any network or AD access.
The Center for Internet Security (CIS) V8 Security Controls also require employing MFA for all externally-exposed enterprise or third-party applications wherever supported. They also state that enforcing MFA for this purpose can be accomplished safely through the use of a directory service or SSO provider.
CIS V8 controls also require the use of MFA for administrative access. This needs to be accompanied by a requirement that all network administration be accomplished using dedicated administrator accounts. Administrators should use separate access accounts for all other network activities. These controls help tremendously in preventing attackers from elevating their privileges by simply gaining access to a normal user account.
In these dangerous times, all organizations should at least employ MFA as described above. When combined with encryption of sensitive data across your network and backups, these controls pose a formidable obstacle for attackers to overcome.