{"id":4983,"date":"2024-08-21T18:27:44","date_gmt":"2024-08-21T23:27:44","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/the-silver-bullet-of-mfa-was-never-enough"},"modified":"2024-08-21T18:27:44","modified_gmt":"2024-08-21T23:27:44","slug":"the-silver-bullet-of-mfa-was-never-enough","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/21\/the-silver-bullet-of-mfa-was-never-enough\/","title":{"rendered":"The Silver Bullet of MFA Was Never Enough"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt515bf4f10ed2e109\/65a05e369de123040ae83a33\/2FA_Techa_Tungateja_Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">COMMENTARY<\/span><\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The unfolding story of recent attacks on high-profile organizations is shaping up to be the cybersecurity equivalent of action movies. As a child, I stared in rapt attention at the screen as the hero fought valiantly to overcome the malice of the antagonist in the story. 
There would be trials and tribulations, and the protagonist would invariably find a way to overcome the adversity, much to the joy of the audience.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Often that victory would come in the guise of an almost magical solution. In some cases, these proverbial silver bullets would make their appearance to bring an end to the vampires or werewolves. We were led to believe that silver bullets would solve our difficult situations. Unfortunately, that was never our reality.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The temptation to believe that silver bullets can solve our most difficult situations lives on in the world of modern cybersecurity. How many times have we heard declarations that \u201c[insert name] technology is dead!\u201d and that some other solution is swooping in to solve all of the ills across the security landscape?<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Multi-factor authentication (MFA) has been cast in the role of a silver bullet this summer \u2014 but unfortunately, there is no magical cure-all in cybersecurity.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"What MFA Can\u2019t Do\">What MFA Can\u2019t Do<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The focus on MFA makes sense. 
The attacks on cloud-based data platforms that have dominated the news have been primarily credential-based, with hyperscaler Snowflake determining that compromised customer accounts didn\u2019t have MFA in place. MFA is a solid tool for reducing risks to an organization, and Snowflake\u2019s decision to launch features making MFA mandatory was wise.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">But MFA isn\u2019t enough, and it never was. Even with MFA, there is the potential for social engineering. I have personally received text messages purporting to come from the CEO of a company I was working for, claiming they had lost their phone and asking me to text an MFA token back to them so they could log in. While this example may seem laughable to those of us with a security background, it has been shown to work.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">MFA doesn\u2019t prevent attackers from setting up malicious Wi-Fi hotspots or using Domain Name System (DNS) spoofing to redirect users to a fake login page\u2014two techniques for capturing MFA codes and session tokens. Used the coffee shop Wi-Fi lately?&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The third example I\u2019ll point to is SIM swapping, in which the attacker takes control of the user\u2019s phone number to intercept MFA codes sent via SMS. MFA is not always MFA: If your authentication code is sent to the same compromised device you\u2019re using to access an app, there\u2019s nothing \u201cmultiple\u201d about it. 
SMS codes are a poor substitute for good security.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Beyond MFA\">Beyond MFA<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In light of the scores of data breaches in the news of late, we need to do even better. How do security teams improve their situation and reduce the risks to their organization? The Ron Popeil method of \u201cset it and forget it\u201d does little to improve matters from a security perspective.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">There are many steps that can be taken to protect an organization. Passkeys, for example, will allow users to log in to their accounts without needing to remember or enter passwords.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A second step is checking the security posture of the devices that are connecting to your organization\u2019s resources. Is that laptop connecting from a foreign country, for example, supposed to be doing so? Do you have anyone there who works for your organization? Are the laptop\u2019s software and operating system patched to current versions?<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Finally, passwords are the control that we often overlook in the enterprise. How are they managed? Are the passwords being used unique in their composition? 
Even with MFA in place, we\u2019re still stuck with passwords as part of the mix. They\u2019re not going anywhere soon. If your employees use weak, easy-to-remember passwords because they lack the right tools, your organization can be at risk.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"There is No Silver Bullet\">There is No Silver Bullet<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">We all want to be the hero of our own stories. But the magical triumphs that capped my favorite childhood movies simply do not translate to the world of modern cybersecurity.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">MFA is an important solution. It can certainly help. 
But it is by no means the silver bullet that will save the day.&nbsp;<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/the-silver-bullet-of-mfa-was-never-enough\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COMMENTARY The unfolding story of recent attacks on high-profile organizations<\/p>\n","protected":false},"author":12,"featured_media":4984,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4983","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=2560%2C1920&ssl=1",2560,1920,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=300%2C225&ssl=1",300,225,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=640%2C480&ssl=1",640,480,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=640%2C480&ssl=1",640,480,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=1536%2C1152&ssl=1",1536,1152,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=2048%2C1536&ssl=1",2048,1536,true],"chromenews-feature
d":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=1024%2C768&ssl=1",1024,768,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/the-silver-bullet-of-mfa-was-never-enough-scaled.jpg?fit=2560%2C1920&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4983"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4983\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4984"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/c
ategories?post=4983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}