Recent high-profile attacks show that the bad guys don’t hack into organizations; they simply log in. This is especially true of supply chain attacks, where credential compromise remains the predominant vector that bad actors use to gain access to target networks, which are often interconnected.
Figure: Typical supply chain attack using compromised credentials
So how can organizations protect themselves against supply chain attacks specifically and compromised credentials in general? The underlying rule should be to expand modern and multi-factor authentication to all users and applications in your organization, whether those apps reside on-prem or in the cloud.
There is a tendency to enforce MFA for so-called privileged users only. However, experience shows that bad actors will home in on an organization’s weakest link. That weak link could be a regular user whose stolen credentials can be used to access another enterprise application. It is therefore important to expand MFA coverage to all users and apps.
Not all Authentication Methods are Created Equal
Most organizations today rely on authenticator apps and Push OTP for MFA. However, there are many situations where users cannot rely on Push OTP. These include:
- Users in ‘mobile free’ environments such as medical labs, hospital wards, factory floors, engineering environments
- Users who don’t have corporate issued devices
- Users who don’t agree to install corporate software on their personal devices
- Situations where cellular connectivity is limited
To address these types of situations, it is important to be able to offer a range of authentication methods, including certificate-based PKI authentication (smart cards), FIDO devices, or pattern-based authentication.
There are also complexities relating to hybrid IT environments, which may affect the type of authentication solution that an organization can use. Recent breaches show that malicious actors are targeting on-prem solutions like RDP servers as well as cloud services. It is therefore important to ensure that your authentication solution can easily support legacy apps (via RADIUS, for example) and OT environments, as well as cloud apps that use modern authentication protocols such as SAML.
Below are some pointers for protecting different solutions with MFA:
RDP Server Protection
- As a rule, do not publish unprotected remote desktops on the internet. If publishing one is an absolute necessity, make sure the RDP access point is protected with multi-factor authentication (MFA) to ensure that only validated users can reach the remote desktop.
- Use RDP gateways. Remote desktops should be protected behind reverse proxy gateways to obfuscate the standard RDP port 3389. RDP gateways are accessed over HTTPS connections (port 443) protected through the TLS encryption protocol.
- Apply MFA to access the RDP gateway. Even the strongest passwords can be compromised.
- Apply MFA to the network logon. Once inside the remote desktop, implement another layer of security by applying MFA to the network logon point.
- Ensure that access to VPNs is always protected by multi-factor authentication (MFA). MFA should be enabled for ALL users.
Protecting Cloud Services
In the current threat environment, all apps and users, especially cloud services, are valid targets. For example, enforcing MFA for Office 365 but not for Workday or other cloud services will leave holes in an organization’s security footprint. Therefore, CISOs should deploy modern authentication combined with policy-based access controls and MFA for all cloud services. This will ensure that users are not overburdened by superfluous authentication requests while still maintaining good levels of access security.
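The coverage gap described above (MFA on one cloud service but not another, or for privileged users only) can be measured against an inventory of sign-in paths. The following Python is an added example, not part of the original article; the policy labels, app and user names, and the inventory itself are constructed for illustration.

```python
"""Audit MFA coverage over an inventory of sign-in paths (all data is constructed)."""
from dataclasses import dataclass

# Hypothetical labels for the MFA policy scope configured on an app
ALL, PRIVILEGED_ONLY, NONE = "all", "privileged_only", "none"

@dataclass(frozen=True)
class App:
    name: str
    mfa_scope: str   # ALL, PRIVILEGED_ONLY or NONE

@dataclass(frozen=True)
class User:
    name: str
    privileged: bool
    apps: tuple      # names of the apps this user can sign in to

def password_only_paths(users, apps):
    """Return sorted (user, app) pairs where a stolen password alone is enough."""
    by_name = {a.name: a for a in apps}
    gaps = []
    for u in users:
        for app_name in u.apps:
            app = by_name.get(app_name)
            # An app missing from the inventory counts as unprotected, not as safe.
            scope = app.mfa_scope if app else NONE
            if scope == NONE or (scope == PRIVILEGED_ONLY and not u.privileged):
                gaps.append((u.name, app_name))
    return sorted(gaps)

def coverage(users, apps):
    """Fraction of user-to-app sign-in paths that require MFA."""
    total = sum(len(u.apps) for u in users)
    return 1.0 if total == 0 else 1 - len(password_only_paths(users, apps)) / total

# Constructed inventory: MFA on Office 365 and VPN, none on Workday,
# privileged-only on the RDP gateway, and one app nobody inventoried.
APPS = [App("Office 365", ALL), App("Workday", NONE),
        App("RDP gateway", PRIVILEGED_ONLY), App("VPN", ALL)]
USERS = [
    User("it-admin", True, ("Office 365", "RDP gateway", "VPN")),
    User("lab-tech", False, ("Office 365", "Workday", "RDP gateway")),
    User("contractor", False, ("VPN", "Legacy ERP")),
]

if __name__ == "__main__":
    for user, app in password_only_paths(USERS, APPS):
        print(f"password-only path: {user} -> {app}")
    print(f"MFA coverage of sign-in paths: {coverage(USERS, APPS):.0%}")
```

Every pair it reports is a path where stolen credentials are sufficient on their own; the privileged account shows none, while the regular users carry all of them.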
Key Takeaways
As noted above, there is a tendency in many organizations to apply MFA to privileged users or IT admins, but not necessarily to other users. In the current threat environment, cyber-criminals will find the weakest link into your network. So the best way to prevent bad actors from simply logging in with stolen credentials is to make sure that all apps and users are protected with modern and multi-factor authentication.