The Feds know you’re dragging your feet

A joint advisory and a recent survey call out some serious security hygiene woes

Francis Scialabba


The Five Eyes are watching, and they’re not exactly thrilled by how many basic cybersecurity hygiene measures aren’t being undertaken.

A joint advisory issued by the international intelligence alliance and their partners at the FBI, NSA, and CISA on Friday basically pleads with organizations to adopt measures like multi-factor authentication (MFA)—and suggests that those organizations are perhaps moving a bit too slowly for their tastes.

The advisory lists the top ten initial access vectors “routinely” exploited by malicious parties, with “MFA is not enforced” at the top of the list and specifically noted as critical to preventing takeovers and ransomware infections. The other usual suspects, described in the joint advisory, include incorrectly configured permissions and access control lists, outdated software, use of default passwords and configurations, and insufficient protection of some systems (like remote-access software, cloud services, open ports, and email).

The advisory emphasizes establishing strict access controls, preferably on a zero-trust basis and with limited remote privileges for administrators, as well as the implementation of MFA on (at the very least) “all VPN connections, external-facing services, and privileged accounts.”

Other recent data backs up the emphasis on MFA and credential hardening. From the 2022 Cyber Security Breaches Survey authored by the UK government’s Department for Digital, Culture, Media & Sport:

  • 39% of UK businesses had identified a cyber attack in the preceding year.
  • Of those, 83% reported at least one phishing attempt.
  • Just 37% of businesses and 31% of charities mandated two-factor authentication for all users.

Security experts told IT Brew that the UK survey’s findings broadly mirror the security environment stateside, where many organizations are scrambling to implement MFA but are often hindered by concerns about the costs and the difficulty of introducing the new measures to staff. That lines up with the survey, which found that better-resourced UK organizations, such as medium (64%) and large (79%) businesses and high-income charities (67%), were more likely to already have MFA rules in place.

“The organization absolutely gets that it’s a value to help protect the assets within their environment,” according to Dave Lewis, global advisory chief information security officer at Cisco Secure. “But the end user has to understand why they’re doing this.”

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

“One of the main reasons organizations do not implement MFA is due to employee sentiment,” Elizabeth Bassler, director of public relations at LastPass, wrote via email. She referred to a 2018 poll of 200+ enterprise IT managers conducted by Decision Analyst. That survey found that many organizations lack a clear idea of which users have access to which systems, and that 63% of respondents experienced backlash “from employees resistant to initiating” multi-factor authentication.

Steep costs are another potential hindrance, Bassler wrote, adding that “LastPass’s IDC (International Data Corporation) survey found that 45% of companies acknowledged that more complex identity solutions, such as SSO and MFA, would be nice to have, but they’re unable to implement because of the budget or resource restrictions.”

According to the 2021 Duo Trusted Access Report, average daily authentications using MFA rose 11% that year, while in the UK, that number was 40%.

Lewis said that introducing MFA to the workplace can go more smoothly when users are informed of how it can offer streamlined security, such as reducing the number of separate accounts they need to keep track of.

“It’s about the human element,” Lewis said. “If we are making security being the flaming sword of justice, you know, running around saying the answer to everything is no, you’re not going to achieve anything of success within your organization. People will find ways around things. So if you can give them tools that are going to facilitate them the ability to do their job safely and securely there in a way that makes sense to them, then it’s going to be a lot better for your organization in the long term.”

“Attackers, when they try to breach sites, they’ll try to take password dumps and then replay them against other sites,” Lewis added. “But if these other sites are using multi-factor authentication, the attacker is going to move on to the next site because it’s not worth their time and effort.”—TM
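The password-replay scenario Lewis describes, worked through as an added example (this code is not from the article, from Cisco or from the advisory): a minimal login service holding three constructed accounts, two of which reuse a password that appears in a leaked dump from another site. The one-time-password code follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the user names, passwords, shared secrets and the "dump" itself are all constructed sample data. Replaying the dump shows why an MFA-enforced account stalls at the second factor while an unprotected account with the same reused password is taken over outright.

```python
"""Constructed demo: a leaked password dump replayed against accounts
with and without enforced TOTP-based MFA (RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- One-time-password primitives ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second windows."""
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock skew; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, at_time + d * step, step), code)
        for d in range(-window, window + 1)
    )

# --- Minimal credential store (constructed sample data, not real users) ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, mfa_secret: Optional[bytes]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "mfa_secret": mfa_secret}

ALICE_SECRET = b"alice-shared-secret-0001"   # constructed; real enrolment uses random secrets
CAROL_SECRET = b"carol-shared-secret-0002"   # constructed

def build_store() -> dict:
    return {
        "alice": make_user("Winter2022!", ALICE_SECRET),  # MFA enforced, reuses a leaked password
        "bob":   make_user("letmein", None),              # no MFA, reuses a leaked password
        "carol": make_user("Xq9!vL2#pR", CAROL_SECRET),   # MFA enforced, unique password
    }

def attempt_login(store: dict, username: str, password: str,
                  otp: Optional[str] = None, at_time: int = 0) -> str:
    """Returns one of: ok, bad_password, mfa_required, bad_otp."""
    rec = store.get(username)
    # Same answer for an unknown user and a wrong password, so the login form
    # does not confirm which user names exist.
    if rec is None or not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return "bad_password"
    if rec["mfa_secret"] is not None:
        if otp is None:
            return "mfa_required"      # correct password alone is not enough
        if not verify_totp(rec["mfa_secret"], otp, at_time):
            return "bad_otp"
    return "ok"

# Constructed "dump" from another site; alice and bob reused these passwords here.
LEAKED_DUMP = {"alice": "Winter2022!", "bob": "letmein", "carol": "carol-old-pass"}

def replay_dump(store: dict, dump: dict, at_time: int = 0) -> dict:
    """Outcome per account when the replaying party holds only the leaked password.
    An "ok" here is an account takeover; "mfa_required" is the replay being stopped."""
    return {user: attempt_login(store, user, pw, at_time=at_time) for user, pw in dump.items()}

if __name__ == "__main__":
    store = build_store()
    for user, outcome in replay_dump(store, LEAKED_DUMP, at_time=1_650_000_000).items():
        print(f"{user:6s} -> {outcome}")
```

In the replay, bob's account (no MFA, reused password) returns `ok`, alice's stops at `mfa_required`, and carol's fails on the password alone. The `verify_totp` skew window is the usual trade-off: one step either side tolerates client clock drift, but a code captured two or more minutes earlier is rejected, and the store treats a missing second factor and a wrong one as distinct outcomes so that authentication logs can tell a stopped replay apart from a typo.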
