
Why Is MFA So Important to Online Security


Connor Swalm

Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin, and today I am joined by Nick Wolf, the director of partner acquisitions at Evo Security.

Nick, how are you today?

Nick Wolf

I'm doing great. Thanks for having me on, Connor.

Connor Swalm

Oh, anytime.

Thanks for joining and thanks for helping. Well, and also me understand just some things about security that we are completely unaware of, or at least I'm unaware of at most times. So, quick question.

Today we're going to talk about MFA. If you could describe MFA for those that are listening. For those who don't know, what is that?

Nick Wolf

Yeah, so the dumbed-down version of MFA, also known as multi-factor authentication, is really verifying that a user is who they say they are. So is Mary from marketing really logging into her computer as Mary from marketing? Or did the bad guys on the Internet steal her username and password, and are they trying to act like Mary from marketing or Bob, the CFO, to gain access to data?

Connor Swalm

Got it. And so I've heard two factor authentication a lot.

What's the difference between MFA and 2FA?

Nick Wolf

Yeah, so 2FA and MFA are really used synonymously with multi-factor authentication. Typically it's other authentication methods other than just, like, an SMS code, which is more popular with 2FA. So we see things like push notifications being able to be approved with MFA, as well as things like hardware tokens, FIDO keys, YubiKeys, things of that nature.

Connor Swalm

Really. Anything, you know, in addition to a username and a password. What's typically the most recommended? I guess it's recommended because it's the most secure. So what's the most secure form of MFA?

Nick Wolf

Yeah, it comes down to user preference, but we see a lot of our users here at Evo adopting the geolocation push. It's much harder to compromise an application of an MFA vendor than it is a cell phone number. So that's why you're going to be seeing, in the future, a lot of vendors and a lot of cybersecurity insurance requirements that are really going to have you shy away from using MFA codes as an MFA method due to things like SIM hijacking, MFA spoofing, and things of that nature. So geolocation push is definitely the popular choice. Hey Mary from marketing, are you trying to log in through Tampa, Florida or New York City right now?

Connor Swalm

If so, accept. That makes a lot of sense. I get those notifications now with my Google account, but I don't think anything else. So I guess it's on by default for some tools that you use. Yep. And actually you bring up a good point of the SIM hijacking.

We just saw that happen in Microsoft. One of the largest companies in the world.

So it's like typically, well, larger companies typically have a more secure maturity posture, but they also have a wider, much larger attack surface. However, even companies like Microsoft are vulnerable to things like SIM hijacking and those. Absolutely.

Nick Wolf

And that's actually one of the reasons why we recommend MSPs and their customers not necessarily to use Microsoft Authenticator as their MFA tool. We would highly recommend using a different third-party tool, whether it's Evo or one of the other MFA vendors that are out there, really, for your MFA source. Not that there's anything necessarily wrong with Microsoft Authenticator, but it's very risky to have all your eggs in one basket in case Microsoft gets breached. Because if Microsoft gets breached again now, in theory, your users could be compromised because Microsoft is hosting the username, the password and the MFA code. That's why you always want to break off that MFA code and have it stored with a third-party vendor.

Connor Swalm

And I guess if you did store that with Microsoft, you're trusting that they stored all of those in such a way that they couldn't be accessible in one location. But maybe that's not the case. Yeah, so, if MFA... A couple of things I'm thinking about: MFA sounds incredibly easy to implement. Like, it's a text notification, it's a push notification, it's an app on your phone.

It's a little key. I used to have a little key, actually, for World of Warcraft. I played World of Warcraft and I had that for my account because it kept getting stolen. So if it's in practice, or at least we can state it to be something that's simple.

Why do people find it hard to adopt MFA? And let's start with the MSP, and then we'll talk about their client.

Nick Wolf

Yeah, so I think it comes down to user easiness. Some MSPs and some of their users are old fashioned, right? They want to log in with their username and their basic password of 12345.

And they don't want to have to update and rotate that password every 30 days, every two weeks, and have an uppercase, lowercase, exclamation point, number sign added to that password. They want things that are simple. But ultimately, when you have simple passwords and no MFA, you're prone to getting a breach. One of the great statistics I like to bring up is from Microsoft: that just by having MFA enabled, that will stop 99.9% of identity and account breaches. So just by having MFA enabled.

So I know that it might seem like a pain, but it's really necessary. And what you're going to see from a business standpoint is that in the future, and it's even happening now, most users, most employees are used to MFA because of their personal life. Most banks now require it. Right. If you want to transfer a large amount of money: hey, is this really you? Are you supposed to be sending $1,500 for rent to this account number? If so, text us to your MFA code. So I think you're going to see it more and more. Sounds like most people say this is inconvenient, and I don't want to do it.

Yeah, it definitely is. But again, it's for their own good. Who looks forward to security awareness training? But it's something you got to do.

Connor Swalm

Yeah. Especially with cyber insurance and regulation and new compliance frameworks coming out.

And a statement that I keep making is what I see happening is not only for MSPs, but for smaller and smaller businesses, all the way down to, like, two or three person companies.

You're going to have to be buying cyber insurance. You're going to have some form of security posture, if that's the case.

And you're going to need some partner to do that, because if you're running a small business, you have all the expertise to do that, but you don't have the time, the energy, a lot of the times, the money, or the knowledge to know what a good security partner would be and how to choose them properly.

Nick Wolf

And that's why a lot of small businesses really rely on their managed service provider to get that type of expertise.

Connor Swalm

Yeah, absolutely. In one of our previous podcast episodes I mentioned that I used to do a lot of presentations for small business development centers, and most of the, I want to say, the existing knowledge level of people who are running small businesses.

And joining my side, mine was aimed at beginners. It's like, hey, I'm going to give you three things to do, and if you do these three things, you are in an infinitely better spot. And one of them was MFA.

And then inevitably, I'd have people ask, no, that's inconvenient. I'm not doing that. I'm not going to have my phone with me, or the little key, or I don't want to get a text message. I'm okay. And then I would always go through this analogy. Raise your hand here on this call if you run your entire life through your personal email, and then more than half of the room raising their hand in the zoom chat, like, great, okay.

How many of you actually don't even tell me because I really don't want to know how many of you don't have MFA on that, where you have to get a text or you have to click yes on the authenticator? How many of you?

I know it's more than half. Just has to be.

So you're telling me, if somebody can guess your password, which you probably made this account 13 years ago, and your password is something along the lines of your dog's name, the year you were born, and the letter J or something like that, that's not a very secure password. You're telling me your entire life would be upended until you could get that account back, just because you don't want to use MFA? Because just because your password got hacked doesn't mean your MFA got hacked.

And sometimes that is the last line of defense because of the amount of breaches that occur that your passwords get rolled up into. Absolutely.

Nick Wolf

There's a reason why when you go to a bank or an ATM, your card isn't good enough. You need your ATM PIN code as well. So, you know, without having MFA, it's like basically just having your ATM card, swiping it, and here's as much money as you want, versus, again, having that MFA code enabled is your ATM PIN: only you should know it.

Connor Swalm

Yeah, that's another thing I would always say is if anyone calls you and says, I need your password to help you with X, Y, or Z, it's like, get off the phone.

It's your password, it's not theirs. Absolutely. So, a question I have around the implementation of MFA. I don't know if it's changed, but I remember a day when enabling MFA was basically, you had to enable it on each individual tool, and then each individual tool would have its own way to do it.

Whether that was they made you use an app, or whether that was they would send you text messages like my MFA for YouTube or Google, I had to enable separate from my MFA for let's just say, my bank or Facebook. Is there like a unified solution?

Maybe that's what you had mentioned in.

Nick Wolf

MFA manager depends on the MFA vendor that you're working with. Some MFA vendors, they do consolidation and single sign-on. So one of the things that I like to use with my MFA platform is you sign in once, and once you're logged into that MFA session, you could sign into your laptop, your server, your Office 365, your Google apps, your firewall, really everything that's on the network. Whereas several years ago it was more spread out. This application was doing it via text. This application was doing it via this app. This application was doing it via that app. So yeah, I know that a lot of SMBs as well as their MSPs are looking to standardize. So definitely pick an MFA vendor that offers that sort of consolidation.

Connor Swalm

That makes a lot of sense. That also sounds like it kind of cuts through the "this is inconvenient" argument that a lot of people would have. Yep. So when MSPs are trying to roll this out, what advice would you give to them? If their client is coming to them and saying, we're not doing this, other than get rid of that client, how would you suggest that MSP work with that person?

Nick Wolf

Yeah. So a lot of MSPs are now making MFA really a part of their standard cybersecurity stack. So hey, if you're going to be my customer, you're doing cybersecurity awareness training, you're installing EDR, XDR, antivirus, you're using some sort of email security, email phishing product. You're using MFA, you're using this core stack. And if you're not using this stack, then you're not a customer of mine. So really making MFA mandatory is going to save the MSP in the long run. It's also going to help the end user qualify for things like cybersecurity insurance. And it's really important that when you're turning on MFA, you really need to be turning it on for all users, for everything that's on the network. Just don't turn it on for Bob the CEO logging into his laptop.

Turn it on for everybody, whether it's Bob the CEO or Mike the janitor. And don't just do it for one application. Do it for everything. Do it for the servers, the workstations, the web applications, as well as the firewalls. Otherwise, your cybersecurity insurance claims are likely to get denied. I was reading an article the other day, it was by Travelers Insurance. They actually denied a cybersecurity insurance claim because the end user, they filled out that they were using MFA, which they were; they had MFA enabled on the firewalls. However, the attack happened on the servers, and there was no MFA on the server. So the bad guys, they got the username and the password of the server. They were able to extract all that data, install ransomware, and it was not a good time, and the insurance claim got denied.

So turn on MFA. Turn it on for all users in all places.

Connor Swalm

All users, all places, all the time. Yeah, that brings me to a good friend of mine, a guy by the name of Wes Spencer. We talk about cyber insurance a lot and maybe he brought up the exact same story, but I do remember him talking specifically about a thing called, I believe it was, a carve-out, and it was basically like, if you do any of these things, there's, like, no shot we're going to pay out your policy. Are you all at Evo dealing with any cyber insurance stuff right now?

Do you have any guidance for any of your MSP partners? Anything you'd like to share there?

Nick Wolf

So just by, again, having MFA enabled will definitely help you out with your cybersecurity insurance policy, as well as help you meet CIS controls. So, yeah, we're more than happy to help, but we are not a cybersecurity insurance vendor. We're an IAM vendor. But we're happy to add our expertise wherever we can in those conversations.

Connor Swalm

Awesome. For those of you listening, CIS is the Center for Internet Security.

It is a cybersecurity framework that's, like, self-attested. It's like, basically, it's rules that you can decide to implement and measure up to, and it's best practice according to a lot of people. I've mentioned it a bunch of times on separate episodes of the podcast, for sure.

And for those of you who are listening, we have some previous episodes with Wes Spencer, where we go over this.

There's five main things required by cyber insurance policies today.

One of them is MFA. Then it's like immutable backups, EDR, managed AV, and then awareness training.

Those five things are required by all cyber insurance policies that most people see to this day.

So MFA is one of them. There's a reason these aren't just pulled out of a hat. Well, they might have been initially, but actually it looks like they're...

Nick Wolf

Well, it goes back to the statistic, right? 99.9% of attacks will be blocked just by having MFA turned on, per Microsoft.

Connor Swalm

Yeah, that's absolutely right. A lot of cybersecurity attacks and the resulting breaches are just crimes of opportunity. A statement I made in one of our last podcast episodes is: be the second slowest person when you're running from a bear.

That's it. Somebody else is going to be slower. Congrats. You made it through the filter.

You're fine for now. So for folks that are listening, what's one last piece of advice you'd like to leave them?

Whether that's in having that conversation with their client, in beginning to implement MFA, or places, even resources they can use to learn a little bit more, what would you suggest to folks that are... yeah, definitely.

Nick Wolf

So my last bit of advice is make sure you're setting a complex password, because your password is your first line of defense. Make sure you're having MFA installed as your second line of defense. If someone calls you and is trying to offer you support over the phone, but they need your username, they need your password, they need your MFA code, do not give it to them. Nobody's ever going to ask for it. The only place that you should be inputting your MFA code is, again, on the actual website that you and only you are trying to access.

Connor Swalm

Do not share your credentials at all. Thank you for that piece of advice.

And thank you so much for joining me. Nick, we didn't even get time to talk about privileged access management, or PAM. Would you like to come back on another episode of the podcast and talk about that?

Nick Wolf

Sure. Please have me on.

Connor Swalm

Awesome. Well, Nick, thank you so much for joining me once again. To everyone listening, I'm Connor, host of the Gone Phishing podcast, and you've been listening with us for just a little bit. Thanks for joining.

Bye.

Nick Wolf

Thank you.

Connor Swalm

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out, Phin Security, at phinsec.io. That's p-h-i-n-s-e-c dot I-O. Or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.