Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
To the first CIT Tech for Business podcast today,
(00:04):
we're sitting down with Nate and Todd,
and we're going to talk about multi-factor authentication.
Our first acronym, we're kicking it off strong, MFA.
Leading in you guys, first off,
let us know a little bit about you and what is MFA?
Thanks, Kelsey. I am Todd.
I am CIT's Chief Operations Officer.
I am also our Chief Information Security Officer.
(00:26):
I'll let Nate introduce himself and he can kick off
the MFA overview as well.
Yeah. My name is Nate.
I'm our Director of Cybersecurity here at CIT.
Just help oversee the operational components of our department.
Multi-factor authentication,
also known as two-factor authentication,
is, really at the core, basically another form of authentication.
(00:56):
There's multiple variants to this,
but essentially it's a mix of something that you have,
something you know, and something that you are.
As long as you have two of the three of those to log into a system,
that's what multi-factor or two-factor authentication is.
What does that look like? For something that you know,
(01:17):
it's likely going to be something like a password or a PIN code,
then there's something that you are,
that's something that's going to be like biometrics.
For example, in order to log into some computers,
you need to touch your fingerprint or you see things on some of those crime shows
(01:37):
where they're doing the iris scanning to get into the secure facilities.
That's something that you are.
Then there's something that you have,
and this is where this is most common in business due to privacy concerns with the biometrics and everything.
But something you have is something that's going to look like
either your cell phone and in order to do a push notification to it,
(02:03):
it's going to be something that could be a USB that you have to plug in.
I have in front of me a hardware token that in order to log in after I put in my password,
I plug this into my computer,
I touch it and it just activates and sends off another code.
(02:23):
That's another form.
Then they even have ones I have another little hardware token in front of me,
which looks like a little credit card.
This is something where it has a little battery in it.
I click on it, it generates a six-digit code.
Then from there, I enter in that code as well.
So I've put in both my password and a code from something that is in my possession.
(02:47):
So that's what multi-factor is in general.
Where is it used is a whole different discussion and I'll let Todd take that over.
I want to back up just to hear before we went too far where we use it.
It's been around for decades.
It's not a new technology.
People have been using it for banking where you've
(03:10):
get a text message or something along those lines.
That's typically referred to as 2FA.
But the reason why I interrupted Nate is I just wanted to back up and say,
why do we use it? The biggest reason that typically comes up and
everybody here can expand on it.
But what ends up happening is that people typically have issues with passwords.
Passwords are painful, they're difficult to remember,
(03:31):
so people tend to make them easy to remember.
That's your phone number, your childhood,
best friend, whatever it is, your pet.
What makes matters worse is that people then use that password everywhere.
If you're looking at social media or LinkedIn,
your work email and accounts, etc., more often than not,
most people tend to reuse it over and over again.
(03:53):
Inherently, what ends up happening is if something ever happens and it could be
anything from if you're in the Twin Cities,
there was a Star Tribune hack.
There was also a hack that happened on the meters in downtown Minneapolis where they
were able to take account names and passwords and post that
onto what's referred to as the dark web.
(04:13):
Once that's been out there, if you've ever had that information harvested from you,
it's now out in the wild.
So how do you protect it?
That's where multi-factor comes in.
So just want to make sure we covered that piece real briefly so
we've got that whole picture of what it is, where it came from, why we're worried about it.
The answer is passwords are bad, people hate them.
We could get into that a little bit later on.
(04:35):
What can we do about it?
Can we rely more on biometrics at some point in the future?
But it's a little bit off topic of where we're at at the moment.
Where most people will try to implement a multi-factor authentication tool set is on
anything that's quote unquote internet facing.
More often than not, one of the larger threats that we're seeing in our business,
(04:56):
and this has been true for years, we've been kind of banging the drum on multi-factor for
about five years at least.
And that's how I've been at CIT, so you can kind of see a correlation there.
But email is probably the biggest.
So Microsoft has done a really nice job of pushing everybody to the cloud.
Google's doing the same, they're huge providers.
(05:16):
Once people move their email to the cloud, some of the inherent security that was in
having email inside an organization started to be exposed to the internet.
And typically most people were signing in with an email address,
which is more often than not, first name, last name, first letter, last name, or vice versa.
And then at the company, so that part's super easy to figure out, and then you just start
(05:38):
going down the list, right?
It's winter 2022 exclamation point and so on, and I'm in.
So in order to protect that, that's where multi-factor is coming along.
Yeah, quick, quick stat that comes to mind.
So this is all the way back in 2019, but Microsoft did push out an article.
I'm sure that the numbers have only increased since then, just given the nature that people
(06:01):
continue to move to the cloud.
But back in 2019, Microsoft put out an article that said their login services for their, sorry,
their cloud services have attempted logins over 300 million times a day that were fraudulent.
And so the article is saying, if you implement multi-factor authentication on the accounts,
(06:26):
it reduces the risk of account compromise by 99.9%.
Right?
It's everyone, there's a couple different attacks that people are going to take to try
and get to your account.
Phishing, you know, we've talked about phishing here at CIT many, many times, but phishing
(06:46):
for those that don't have the full understanding on that is an attacker will send you a fraudulent
email attempting to elicit your username and password, and then they'll use that to
log into your account.
So it's a fraudulent way of capturing your credentials.
That's one method.
One of the other common methods, which for example, Todd had mentioned is password reuse.
(07:10):
If you're compromised on one account, you reuse the same password and it's leaked out
on the dark web.
You take that and go attempt to log into other services with that.
And then the last one is just what they call password spraying.
So you just, or password stuffing, you just attempt to push as many passwords as possible
for a particular user until one is successful.
(07:32):
Right?
And by having the multi-factor, all of those methods are defeated.
There are some considerations to take into play, which we can get into a little bit later
too.
But for the majority, if you just implement multi-factor, you reduce about 99.9% of all
attempts to log into the system fraudulently.
(07:53):
So you kind of mentioned that already about the statistics.
Do you have a rough idea of what number of attacks are coming from email?
So we can use our own examples of what we're seeing most of our customers suffer from.
Does it typically end up being in the world of cybersecurity?
They refer to it as business email compromise.
Do you have a sense in how many attacks we see coming in through email specifically?
(08:18):
Thousands.
Even if we take a look at CIT systems, if I pull up any given day, there's hundreds
of them.
Right?
It's just the simple fact of the password spraying is real.
Right?
Everyone has our email addresses.
It's either in someone's database dump, right, because, for example, if we continue to push
(08:44):
on things like the Star Tribune or the Minneapolis parking that was compromised, right, and they
had the email addresses, if you have ever used your work account for that, it's floating
out there.
It's on a list.
People are just going to attempt it with all the common passwords.
There's some big password lists out there that are known to be highly effective because
(09:06):
people tend to just pick bad passwords across the board.
Yeah, it's hundreds of times a day for any organization, even if you're small.
Yeah.
I think that's great.
It's a great key.
Once upon a time, we used to talk about organization size, and people used to say,
hey, I'm way too small to be attacked.
(09:27):
That really isn't the case anymore.
Statistically, it's something along the lines of 56, 60% of all attacks happen against small
businesses, and the reason is because it's easy.
They don't always have the wherewithal, the technical ability to understand what they should
be doing, and so on and so forth.
The attacks are real, and it does impact everybody.
I'm sure people see it even happening at home.
(09:49):
I get stuff from PayPal and Apple, and you name it.
I get attacked all the time that I need to click on something or reset something all
the time.
Staying on statistics, the reason why I asked Nate about the percent of attacks is, I think
it's still somewhere in the high 90s of all attacks that are coming in tend to be phishing,
and that's somewhere in the high 90s.
As he mentioned, if you can protect services and your identity with 99.9%, that's significant,
(10:17):
and the number one tool being MFA, there are some statistics.
We can share this out too.
For those that are listening, we'll be able to see this, but we can share it in the channel,
and if you're interested, we can find ways to get you the information as well.
But there was the United National Cybersecurity Chief said that 80 to 90% of all attacks,
not just email, all attacks can be circumvented by having multi-factor in.
(10:41):
How we started out this meeting is, what is it?
What's the threat, and what are you doing about it?
Ultimately, that's why we keep talking about multi-factor authentication.
One last statistic in case you're wondering, well, sure, this has been something you've
talked about for years.
We've got it.
Statistically, there was 55% of all organizations have multi-factor enabled, only 55%, so only
(11:05):
half.
Even in those cases, a lot of times people are very picky and choosy on how they do it,
so they may only do it with their tech team, or they may only do it with their administrators.
Small number of organizations, I shouldn't say small, because half is a significant number,
but half still don't have it.
It's a major problem, and it is still where we see most attacks coming from and can be
(11:28):
circumvented by putting multi-factor in place.
So, Todd and Nate, I have a question about that.
You mentioned that there's over half organizations that don't have that.
Why do you think that is?
What barriers are they looking at to be like, I don't have time to do MFA.
Talk a little bit more as to why that's the case.
(11:50):
I think that, right?
Your question answered one of them: they don't see that they have time to implement
it.
Right?
Often, these are slightly lengthier engagements.
It doesn't need to be complicated, but the more time you put into ensuring that it's
a smooth process, the smoother the adoption is going to be.
(12:11):
It's easy to just go into a system and say, everyone has it on.
That's where your user friction is going to come into play, and absolutely everyone is
going to be upset that day as they are trying to sign into things.
User adoption is one of those items that you need to be pretty cognizant of when you're
(12:32):
implementing it.
There's also some additional strategies that you need to take in order to actually implement
it successfully.
For example, if the user friction is, I don't want to put this code in every single time
I'm logging in.
You can do things to say, well, maybe let's bypass multi-factor from within the office.
(12:53):
There is some residual risk there that maybe the organization is willing to accept because
for the most part, if someone does have the password and they are attempting to log in,
it will likely come from outside of the office.
That doesn't mean that maybe that user's computer is compromised and there's some type of script
that calls in from internally.
(13:15):
But again, the likelihood is significantly reduced.
If your employees are constantly working from the office, you could still bypass multi-factor.
The larger you put that bypass, maybe it's the state, the country, the bigger the risk
becomes.
(13:36):
But there are strategies that you can implement with that.
I'd say the other one is cost.
There's a lot of different multi-factor solutions out on the market.
If you're only looking at doing something like email, all of the major email providers
now are offering it for free.
(13:56):
You can implement it in Office 365, G Suite.
There's no additional cost.
If you're looking to use some type of third-party service, then you're going to start seeing
those licensing costs for more of a per user cost there.
(14:18):
The other component that I would say is how far do you want to implement multi-factor across
the organization?
Todd mentioned that the most common one that's going to be abused is going to be your email
system.
Start there.
Then you can start looking at other services as well, such as your VPN, critical business
(14:40):
applications.
Once you start wanting to implement multi-factor on those additional systems, that's where
some of the paid services come into play because they do extend out to additional services
and different protocols.
User friction costs.
Maybe the other big one that I'll let Todd expand on a little bit more is executive buy-in.
(15:08):
I would say the two things that I would say by far are the biggest thing that I see as
resistance is more often than not, when you go through it, you are going to put a little
bit of friction in between your employees and them getting work done.
The typical pushback that you will get back from that employee is, I'm holding up my
phone.
The company doesn't pay for it.
(15:29):
I'm not putting your business application on my phone.
The reality is, there are ways to start to build the adoption.
You can be a little forceful with it and you say, okay, great, well, we're just going
to give you a token.
We're going to give you a business phone.
Bear with me when I walk through some of this because I'm not actually encouraging you to
(15:51):
go out and buy 100 phones.
When you start to go, hey, employee, I'm going to give you a phone and they've got the
phone.
They're going to be like, I don't want two phones just to avoid putting in the six digit
code and they'll usually adopt it.
Or you give them a token and they're like, this is inconvenient.
I have to make sure I have it with me.
When I'm logging in from home, I got to go grab my keys because it's on my key chain,
(16:12):
whatever the case may be.
That's usually where they're kind of pushing back.
Then inevitably what ends up happening is you go, okay, well, here's a solution.
Here's a solution.
Here's a solution.
They're like, the reality is it's so convenient to just have it on my phone that I carry with
me everywhere anyway.
I'll just go ahead and do it.
The reality is it's not really all that complex.
It's not a heavyweight thing.
(16:34):
It's not dipping into any of your personal information.
It's just an app and it's only doing a couple of things.
It's either generating a six digit code or longer or it's pushing you with content that
says, is this you?
Nate's correct when it comes to executive adoption.
It is inconvenient.
A lot of people don't want to be bothered by it.
I'll give a good example and as I said, multi-factor has been around for ages.
(16:58):
Back many, many years ago, early 2000s, I had joined an organization and the very first
thing I did was our remote connections is really insecure.
Let's implement multi-factor and I implemented it and it probably lasted about a month before
the CEO said, I can't stand it, turn it off.
The security threats weren't nearly what they are today, but I learned a lot during that
(17:20):
time too.
One of the strategies or several of the strategies Nate covered already is you start small, you
start going, well, let's start with a small group that are my power users.
Maybe it's IT and then you get a few other people that go, okay, it's working.
It really isn't that bad and you start to expand it or you lessen some of the security
requirements.
(17:40):
As Nate said, you can make an area trusted.
It's work.
Work is trusted.
I've got the adoption in.
People are getting used to the fact that when I'm at work, I don't get prompted when I'm
at home.
I do.
Okay.
We're going to ratchet it up a little bit.
We're going to add another location.
We're going to add another application.
We're going to whatever.
You can continue to build on the security and you can get that buy-in just naturally.
(18:05):
Probably many people have heard the term and I don't mean this in a derogatory way.
It's a bit of the boiled frog scenario: as you start to do it, they realize it really
isn't that bad.
Not that we're trying to boil our employees, but conceptually, you just do it a little
bit at a time and you're improving your security as you go.
One last user friction that I wanted to call out.
(18:27):
It's not as common, but it does come up from time to time is union policies.
If you want to have an employee start downloading an application on their phone or start carrying
around a phone just for phone calls and stuff, sometimes union policies will say, well, you
(18:48):
need to start reimbursing the employees for that.
There is a cost associated with that.
So that definitely feeds into some of the other considerations that sometimes where
hardware tokens come into play.
It's maybe a $20 hardware token.
That's one time cost.
It's not reoccurring.
(19:09):
You can still implement multi-factor without having to start reimbursing for cell phones
or paying for the phones outright.
It's one that I don't commonly hear, but on more of the production environments, I'm
not going to get deep into compliance here, but things like CMMC, it's starting to ask
(19:31):
for multi-factor.
CMMC tends to be a lot of the manufacturing firms where there's a lot of union employees.
I'll expand on the compliance piece too.
There's a lot coming.
If you're in any compliance industry, healthcare finance, you name it as Nate mentioned, manufacturing,
(19:51):
it's going to be something that you're probably already experiencing.
As I mentioned, you've been being prompted for an additional code from your bank for
days, for weeks, months, years, whatever the case may be.
It is coming.
This is just me expanding a little bit.
My opinion, compliance is coming and it's going to be expanding over the next five years.
There are going to be reasons why you're going to have to adopt something like this.
(20:15):
If the threat of cyber attacks isn't enough, there are going to be other things.
You can already see it's happening.
This is why I'm saying it.
If you look over the last year, the Biden administration had come out and said the cyber
attacks are getting worse and worse.
We're spending tons of money.
We're constantly under attack.
What are we going to do about it?
They built out an executive order and they specifically say, yeah, got to have MFA.
(20:40):
If that's not enough, the insurance companies are doing it too.
If you're looking at cybersecurity insurance and almost everybody's asking for it at this
point, they're going to be looking for it as well.
As I'm going down this compliance thing, I'll wrap this up briefly and I'll pass it back
to Nate.
As you're looking at the compliance thing, I was actually working with one of our customers
(21:03):
and they were going through the insurance process and they don't have any of the compliance
from CMMC, healthcare, any of that.
The insurance organization had come in and they did what I would consider pretty much
a full IT audit where they were looking at data diagrams.
They're looking at security protocols.
(21:23):
I mean, it was everything.
I actually went on site and met with the insurance adjuster just to make sure that we covered
all the information that we needed to cover.
It was significant.
It took an hour and obviously MFA is included in that.
It's the way life insurance used to be where life insurance you could just sign on the
dotted line off you went, you got a whole bunch of coverage and that's changed over the years
(21:45):
too.
The underwriting is going, now I need blood work and I need to weigh you and I need health
background and family history and yada yada.
It's just going to get worse is where I was going with it.
Like I said, I was going to wrap that up quickly and I didn't.
I'll stop talking and pass it back to Nate.
I can interrupt for just a hot second as we've gone down the compliance path and all of these
(22:08):
good things.
I'm kind of looking at right if you're having user friction and you're having people that
are like, I don't want to do it.
I don't want to have this code pushed in my phone.
It's too much work.
Why is it effective at actually preventing these attacks?
What is it doing for me?
I'm like, yeah, I get it.
I get the phone.
I put it in and congratulations.
So we're saying, yeah, it's 99 or over 99% effective.
Why?
(22:29):
Yeah.
Good question there.
Before I jump into that, while Todd was talking, I decided to go look at our, I don't know,
system here just to see how many of that password spraying attempt I saw in our system.
In the last 24 hours, it was just shy of 200 attempts.
I can see the logs.
(22:50):
So again, we're not a big company by any means.
It happens all the time.
Why is it so effective?
If I just called out, there's nearly 200 attempts in the last 24 hours to password spray our
environment there.
The reason why it's so effective is even if a password is compromised, the threat actor
(23:13):
is not going to have the other form of multi-factor or the other form, the second form or the
third form of multi-factor in order to get into the system.
So, password: I've shown this to people before. I say, here's a dummy account in like a
Gmail or something, right?
Here's the password.
(23:34):
I'll give you a hundred bucks if you can get into that because I have the multi-factor
keys here.
It just doesn't happen.
I've never paid someone out because they would have to retrieve that file from me or
that hardware token from me in order to get into place.
So where we typically see multi-factor fail is not the technology in itself.
(24:00):
It's still the user.
So there are websites that will try and capture the multi-factor token and pass it through
to the legitimate site and then redirect the user.
So they'll still log in, but it's the user who has fallen for a fraudulent website, still
entered in their password and given up the multi-factor code, gave it both of them to
(24:24):
the attacker, then the attacker just goes logs in.
And there is a timing on these tokens where maybe they're good for five minutes, maybe
they're good for 15 minutes.
It allows for users to have a grace period to access their phone sitting on the desk,
access the email, access the text message.
So if you give it up right away and then you hand it over to someone immediately, they're
(24:47):
going to use it first, right?
I just worked with another organization where their multi-factor was a phone call, right?
So this was actually a pretty common attack method at the moment.
It's called MFA bombing.
So what you do is you just bug the user enough until they just say, I can't take it anymore,
(25:09):
accept the phone call.
And that was the phone call that was the MFA prompt and the attacker just logs in, right?
So in the instance that I was looking at with that other customer, the attacker tried to
log in, was prompted with a six-digit code.
They weren't able to get that.
So then they switched over to the backstop, which was a phone call, sent the user a phone
(25:34):
call.
It failed because the user didn't accept it.
30 seconds later, sent another one.
It failed.
Sent the next one.
The user said, I'm sick of this call.
Accept.
And the attacker logged in.
So another one I'll throw in.
We don't see this as often.
And the endpoint of this is you still need training when you deploy the tool.
But we have seen people that have deployed the push technology.
(25:57):
So that is, I log in and you get a push to your phone that says, was this really you?
We have had people that have been attacked where someone was like, yeah, I just logged
in and they've allowed the attacker in, even though they didn't personally sign in.
So there is kind of a training aspect that goes with it.
One last thing that I kind of wanted to dive into.
I know we talked about the threats and the attacks and whatnot.
(26:18):
But as we're wrapping this up, I just kind of wanted to kind of reillustrate some of
the real concerns.
And ultimately, we talked about compliance.
We talked about the threats.
We talked about all of that stuff.
The reality is the reason behind that is because of the cost.
And the cost is built up from a lot of different things.
It's from the ransomware.
If you get attacked from ransomware, ransomware is more often than not.
(26:40):
They start nowadays, they start around a million dollars and they start to get talked down
to something real.
It includes downtime, it includes unprotected employees, et cetera.
Looking statistically, the last time I looked at it, we were somewhere on average.
So that's average across all SMB market, not you're a bigger company, you get bigger ransomware,
et cetera.
It's about $500,000.
(27:01):
Downtime, about two weeks.
So that's fairly significant.
And if I can deploy something like MFA and protect 90% to 99.9%, it's something you really
got to start to consider and go, boy, I can reduce my risk by $500,000 in a given year.
(27:22):
That's probably something for a little bit of friction, a little bit of build up.
We can find a way to move forward.
It's a good way to start looking at it and thinking about it and go, where do we go from
here?
Yeah.
And the one thing that I'd add to that is the cost is going to be dependent on the application
or system that the threat actor is obtaining access to.
(27:43):
So Todd was mentioning ransomware, that could have been multi-factor on a VPN, for example.
Someone had a compromised password, attacker gets into the VPN.
Most companies don't have a dedicated demilitarized or DMZ zone for VPN users.
They just say, once you pass through, you have full access to the network.
(28:04):
That's where those ransomware costs are going to come into play.
It could be something like your email system, someone's in there just obtaining data.
It's a fraudulent wire transfer that they're trying to set up.
Whatever that number is, it could be 10,000.
It could be, I've dealt with the ones that are $500,000 wire transfers.
It's just a matter of what are they accessing, what are the costs, and whatever the remediation
(28:30):
costs are, I promise it's less, sorry, I promise that it's far more than the cost of implementing
multi-factor at the end of the day.
Yeah, so kind of as a last thought from me, and Nate can jump in on this too if he's
got any, but the last thing I have is we did talk about sometimes there's friction, sometimes
there's a technical hurdle, if you will, because there are ways to go about it.
(28:53):
There's paid solutions, et cetera.
Obviously if you need help, reach out to your trusted partners.
There's a lot of help out there.
Of course, you can go do your Google searches as well.
In the end, when you need help, reach out to those that you trust and you can get some
good support from.
Yeah, I guess my final closing thought is everyone's scared of user friction, but in
(29:14):
almost every case, it ends up being more of a concern that doesn't always come to fruition.
The impact is actually fairly minimal if you implement it correctly.
So a lot of those concerns are unfortunately just not fully grounded based on facts, just
(29:38):
feelings.
Awesome.
Thank you so much, Todd and Nate for sitting down and chatting about MFA and all of the
things that we could go into it.
I'm sure that you guys would love to chat with anybody for an extended period of time
about any of this that we could tangent on a lot of things.
That wraps up our first Tech for Business podcast here today.
(29:59):
If you guys have more questions that you want to ask Todd and Nate, feel free to reach out
to info at cit-net.com or give us a call 651-255-5780 or else we're also online at www.cit-net.com
but that's our little marketing spiel on there that they're here to answer your questions
at any time about any cybersecurity needs or technology for business and we will chat
(30:20):
with you guys next week.