There has been a recent surge in cyberattacks that bypass multi-factor authentication (MFA) security measures, putting data center systems at risk. The challenge for data centers is the need to align with an overarching enterprise security strategy that can retain legacy MFA protocols and the need to move beyond traditional MFA to meet the unique security needs of data centers. .
In August, attackers tricked a Cisco employee into accepting an MFA request and were able to access critical internal systems.
In September, attackers bought the password of an Uber contractor on the dark web and attempted multiple times to log in with the stolen credentials, Uber reported. At first, login attempts were blocked by MFA, but eventually the contractor accepted the request and the attackers entered. They were able to access a number of company tools, including G-Suite and Slack.
More embarrassingly, in August the attackers were able compromise Twilio’s widely used MFA service. To do this, they tricked several Twilio employees into sharing their MFA credentials and permissions. Over a hundred Twilio clients were compromised, including Okta and Signal.
What the MFA Network Protection Changes Mean for You
In addition to compromising MFA platforms and tricking employees into approving illegitimate access requests, attackers also use adversary-in-the-middle attacks to bypass MFA authentication, according to a report published by Microsoft’s Threat Intelligence Center this summer. More than 10,000 organizations have been targeted by these attacks over the past year, which work by waiting for a user to successfully log into a system and then hijacking the current session.
“The most successful MFA cyberattacks are based on social engineering, with all types of phishing being the most commonly used,” said Walt Greene, founder and CEO of consulting firm QDEx Labs. “These attacks, when carried out correctly, have a fairly high probability of success for the unsuspecting user.”
Clearly, MFA alone is no longer enough, and data center cybersecurity managers need to start planning ahead for a post-password security paradigm. Until then, additional security measures should be put in place to tighten access controls and limit lateral movement in data center environments.
And data centers should not only know how they use multi-factor authentication to secure data center operations and how they work with business units or other customers to support their MFA efforts.
Progress Beyond Legacy MFA
Last spring, Apple, Google and Microsoft all committed to a common passwordless login standard.
The new approach, based on the FIDO security standard, promises to be more secure than traditional multi-factor security, such as one-time passwords sent via SMS. It should become widely available next year.
In a statement released earlier this monthJen Easterly, director of the Cybersecurity & Infrastructure Security Agency, urged every organization to put FIDO on their MFA implementation roadmap.
“FIDO is the gold standard,” she said. “Aim for gold.”
In particular, she urged system administrators to start using MFA, noting that less than 50% currently use it.
“System administrators are particularly big targets and they need to properly protect these accounts,” she said.
She also urged cloud service providers to adopt 100% FIDO authentication. “After the eruption of MFA bypass compromises this year, it’s clear that being a ‘trustworthy’ cloud provider means ‘we won’t lose your data, even if our staff falls for a phishing ruse’. credentials “.”
Add controls to secure legacy MFA
Even before moving to a FIDO-based passwordless authentication platform, data centers need to tighten their security controls.
Moreover, even as new passwordless technologies become more widespread, some of these additional controls, such as user behavior analysis, will continue to be useful.
For most security teams, these compensating controls will be the standard approach, said Gartner vice president and analyst Ant Allan.
For example, a check to confirm that the login is from the same geographic location as the user’s phone will reduce the risk of phishing, he said.
“And stifling the number of failed mobile push authentications can mitigate rapid bombardment,” he added. Rapid bombardment is an attacker strategy where they keep trying to login, and users get so many MFA requests that they get annoyed and accept the requests out of sheer frustration.
There are also AI-based security measures that security teams can use to spot suspicious user behavior that may indicate account compromise.
“While MFA is a necessary first step, investing in advanced analytics — including machine learning — will provide more flexibility and resilience,” Allan said.
Data centers should also invest more in identity threat detection and response capabilities, he said. That doesn’t necessarily mean buying new tools, he added. Data center security managers could do more with the identity access management and infrastructure security tools they already have.
“The White House memo M-22-09 that requires phishing-resistant MFA is likely an indicator for other regulatory requirements,” he added. “But it’s unclear if this requires entirely new methods or if compensating controls are sufficient.”
And the existing MFA infrastructure will continue to serve a purpose, said Jason Rader, chief information security officer at consulting firm Insight.
Threat actors will usually start by trying to break into accounts with the weakest security, he said. “If they systematically go through a list of accounts, they’ll try until they find one that doesn’t have an MFA requirement. That’s why all accounts should have it enabled.
Unfortunately, some of the legacy applications that data centers use for operations management may not support MFA at all.
This is especially true for data centers that have been around for a decade or more, Rader said.
“The bad guys are going to exploit this and completely bypass the MFA,” he said. “I would say adversaries will be successful a high percentage of the time if they can locate an account without MFA enabled or if they have legacy authentication enabled, because all they have to do is guess the password.”
As enterprises continue to shift their data centers to hybrid and cloud models, MFA becomes more critical as traditional on-premises data center security systems become less relevant.
Fortunately, cloud providers generally make MFA an option for all of their users. Unfortunately, many do not take advantage of it. Alex Weinert, vice president of identity security at Microsoft, at a conference last month, said that only 26.64% of Azure AD accounts use MFA. In fact, personal accounts are 50 times less likely to be compromised than corporate accounts because Microsoft has automatic security policies in place for its home users. Companies are expected to manage their own security policies.
Enterprise data centers are always part of a larger MFA security strategy
A data center manager would also have a role to play if an enterprise MFA tool is housed in the infrastructure they manage, said Allan of Gartner.
“MFA for all workforce use cases would fall under the aegis of the chief cybersecurity officer or chief information security officer,” he told Data Center Knowledge. . “The data center manager – among others – would be responsible for the correct integration of a company MFA tool within the infrastructure for which they are responsible.
Therefore, data center managers running on-premises, hybrid or cloud data centers for enterprises would have an interest in enterprise-wide MFA, which is used by employees, contractors, business partners and customers.
“The data center manager – again, among other things – should have a seat on the security board or committee that governs the organization’s security program, making decisions on policy, technology choices, etc. “, said Allan