A door without a lock does not provide a layer of security to an opportunistic thief. 如果门是锁着的,你至少有一层安全保障. 现在, 想象一下,门上还有一个卡片或指纹识别器,必须与钥匙一起使用才能打开门. 这样,你就有了多层安全保障. 而一个熟练的小偷或攻击者仍然可以想象进入, 这需要更多的时间, 他们可能会转移到更容易的目标.
While attacks on organizations have become more complex over the years, basic attacks—such as 网络钓鱼邮件这些几乎任何人都可以做的事情,仍然是获取组织最敏感和关键信息的相当有效的方法.
多因素身份验证已经发展成为使组织免受远程攻击的最有效的控制方法,并且在正确实现的情况下, can prevent most threat actors from easily gaining an initial foothold into your organization, 即使凭证被泄露.
多因素身份验证 is the process of identifying users by validating two or more “factors,或该用户独有的特征.
Three different characteristics are often used as factors in the authentication process:
Common implementations of two-factor authentication include the “你知道的” factor (i.e. 密码)和“你拥有的东西”(i.e. 一次性密码发送到您的智能手机或通过令牌提供).
While authentication is the process by which a computer validates the identity of a user (i.e. 用户名及密码), 多因素身份验证增加了一层额外的保护和安全性,以防止最常见的泄露类型之一——泄露凭证. Without the added layer of security through multi-factor authentication, 因为密码仍然很容易被猜出,所以要真正验证访问系统的用户就是他们所说的那个人就更加困难了, 裂纹, 或者偷.
本期《明升app》, Derek Rush joins Bill Dean to discuss multifactor authentication (MFA). 许多组织已经转向MFA来维护数据安全. The goal is to go beyond pass词s 和 make it more difficult for cyber criminals to attack. 然而, MFA并不是应对所有安全威胁的灵丹妙药, 尽管最好有个合适的地方, 这不是万无一失的. 在这一集里, 明升体育app下载专家将讨论MFA实施的问题, 以及我们建议客户采取的不同做法.
多因素身份验证, when connecting to services on the internet, is similar. It’s a simple matter for user credentials to become compromised through pass词 和 phishing attacks. 而员工则需要接受 安全意识培训, phishing threats are becoming more sophisticated 和 users may not 充分了解风险 a network is exposed to if a hacker takes advantage of compromised credentials.
而不是创造一个强有力的传球短语 (不及格)词),当提示时,他们只做最少的工作. Threat actors know this 和 will take advantage of it when they can. 和, 如果您的网络连接到Internet, 你没有使用多重身份验证登录, 那些威胁分子可以直接从前门进来.
The need for multi-factor authentication extends beyond your immediate network, too. If your organization uses the assistance of any third-party services, 他们还应该使用多因素身份验证.
原因如下:
你可以强制执行 密码复杂度规则, but you can’t force people to use different pass词s for all the third-party services used by your company. 现在, imagine a threat actor has obtained a user’s pass词 by guessing it or successfully phishing the user. They attempt to use the compromised credential to log in to your corporate network—where you have MFA installed. 第一个因素是成功, 但是当谈到第二个因素时, 恶意用户无法成功登录.
他们可能会拿着受损的凭证,在组织常用的第三方服务上进行尝试,直到它在某个地方起作用. So, while the threat actor might not directly gain access to your network, 如果您没有在这些第三方服务上安装MFA,他们仍然可以访问敏感数据或业务流程.
另一个需要MFA的场景是在包含高度敏感数据的网络分段区域内, 例如持卡人数据环境(CDE). Even if multi-factor authentication is required to log in to your network, 您仍然需要添加一个额外的MFA层来登录cde -即使它没有直接连接到互联网.
这一额外的安全层不仅有助于遵从性, but it’s also important for protection of the most sensitive data held by your organization. Because, while multi-factor authentication is effective if executed correctly, it’s not infallible.
考虑一下这个例子:
You implement MFA for your network, teach employees to use it properly, 和 move on. You’ve got MFA installed 和 active for all corporate services (email, 远程访问, (包括第三方服务),将用户重定向到需要MFA的单点登录(SSO)身份验证门户. 你可以走了,对吧?
不完全是.
在一个未公开的地点,一个威胁行为者试图访问你的一个新员工的账户,这个新员工可能在新员工安全意识培训期间没有密切关注. 这名员工一直在手机上收到来自他们开始在公司工作时安装的MFA应用程序的提醒.
员工 knows they’re not trying to log in, but they brush it off as a technical malfunction. 员工最终会厌倦自己的手机铃声, 所以用户确认从MFA应用程序的登录请求.
和, just like that, a threat actor has entered your network, even though you’ve got MFA installed.
信息安全没有保证. 而你可以尽可能地为自己做好准备, user error should always play a factor in your decision making 和 infrastructure. Are abundant successful logins but failed MFA attempts being alerted on within security monitoring processes?
The needs of networks can vary based on the size 和 type of organization. 决定如何最好地保护你的资产和教育你的员工可能会带来意想不到的独特挑战. So, if you’re looking for some guidance on how to best secure your network or implement MFA, 让我们知道我们很乐意今天就帮你开始工作.
跨组织的面向internet的资产实现多因素身份验证是防止对敏感数据进行未经授权访问的最有效方法之一. 多因素身份验证, 当实现正确时, 可以用来保护经常被忽视的身份验证点吗, 例如电子邮件和商业应用程序. 没有这层额外的保护, 攻击者可以利用暴露的电子邮件帐户或破坏保护较差的应用程序来访问其他用户信息——甚至更糟, use the compromise as a “foothold” to escalate privileges 和 gain superuser access to the entire environment.
当威胁参与者试图对启用了多因素身份验证的帐户进行身份验证时,可以看到多因素身份验证的一个经常被忽视的好处, 和 the targeted employee receives the second authentication factor. 员工, 如果训练得当, 是否应该意识到这种危害,并将其报告给他或她的安全或it部门,以便解决和进一步预防.
多因素身份验证可以用于任何场景(内部或外部),在这些场景中需要额外的保护和安全层,以防止凭据受损. 多因素身份验证最重要的应用之一是远程访问和管理网络环境. 因为访问远程环境不需要攻击者在场就能获得对计算资源的访问, it creates a layer of anonymity that an attacker can use to their advantage. 无论何时谈到远程访问, 我们还想考虑像多因素身份验证这样的辅助控制,以确保访问远程资源的人确实是他们所说的那个人. 多因素身份验证在远程环境中提供这种保证,强烈建议用于任何远程访问, 对于云服务的远程管理尤其如此.
随着对组织的网络攻击的增加, 密码强度不能作为组织防止威胁参与者获得未经授权访问的唯一保护层. 虽然不是防弹的, multi-factor authentication is a proven way to lessen the likelihood of a data 违反 via a compromised pass词.
坏人总是在寻找阻力最小的道路, 和 one of the easiest ways to gain unauthorized access is by stealing credentials from approved users. 这就是网络钓鱼攻击背后的思想, but it also represents a driving force in targeting user credentials in instances such as the 2016 Yahoo! 违反, in which the account information 和 encrypted pass词s of at least 500 million accounts were stolen.
用户重复使用密码/口令总是一个问题, 当然,员工在创建第三方网站账户时使用自己的工作凭证也并不罕见. 因此, 如果第三方数据泄露导致数亿用户名和密码组合被广泛公开披露, those could be used to successfully gain 远程访问 to your environment by an unauthorized user.
这种未经授权的访问可能表现为通过VPN远程登录或访问在线Web门户(特别是电子邮件)。. 远程访问需要第二个身份验证因素, 比如发送到用户手机上的短信, 有助于降低泄露的密码或密码短语授予未经授权的用户对组织环境和/或资源的外部访问权的可能性. Many organizations already use two-factor authentication for VPN access, 但在线门户网站和电子邮件往往被忽视. 从这些门户获得的信息对于恶意行为者在执行侦察时非常有用, 因此,在考虑是否对外部门户和电子邮件访问使用双因素时,请考虑对环境的这种风险.
System administrators certainly are not immune to pass词/pass短语 re-use issues. Due to their constant work with highly sensitive resources 和 information within the organization, system admins should be required to use two-factor authentication for both local 和 远程访问. 他们在你的组织中拥有很大的权力, 和, 借用一个老漫画书的比喻, with great power comes great responsibility – 和 the need for two-factor authentication.
Our team at is ready to assist with a wide range of network defense services.
希望了解更多关于LBMC专家如何通过多因素身份验证帮助您的组织防止攻击的信息? 明升体育app下载 今天!
