As organizations rely more and more on remote workers, one of their primary focuses has to be security. The days of secure air-gapped networks are long gone, and a large number of employees are now expected to be able to work from anywhere. This means that the number of vulnerabilities that must be addressed has increased. While there is no one magic solution, there are things that can be done to make remote workers more secure.
MFA is short for multi-factor authentication, and it is an extra layer of security that is used to confirm a user's identity. By requiring more than just a password, MFA makes it harder for hackers to break into online accounts. It's simply a combination of two or more authentication methods, like something you know (such as a password) and something you have (such as your phone). One of the most popular ways to implement MFA is using a software-based authenticator.
While MFA is not a new technology, it is one that is increasingly being used to protect workstations across enterprises. It has been a popular tool for many years to secure organizations against unauthorized access to mobile devices, particularly in organizations that allow employees to bring their own devices (BYOD) to work.
So, is MFA enough to protect remote workers? It can be—if used in conjunction with other measures. With the rise of BYOD and remote working, MFA is one of the easiest things you can implement to protect your organization. The problem is that most people also log in from personal devices and unsecured networks, increasing the chance of someone being able to bypass MFA.
Possible Attacks with Multi-factor Authentication
MFA can be an effective strategy to reduce the risk of attacks. However, there are several types of attacks that MFA does not protect against. For example, attackers can use phishing to trick a user, or exploit a vulnerable application, into giving up the second factor. Even though MFA additionally requires the user to validate their identity in another way (e.g., by typing a PIN code), these attacks rely on convincing the user to click a malicious link or download a malicious file, so they remain effective.
Some of the threats MFA cannot protect against include:
- Social engineering: Social engineering is the act of manipulating people into performing actions or divulging confidential information, and it is responsible for the majority of data breaches. In a typical credential-theft (session hijack) scenario, attackers use phishing emails to lure users to a fake login page. Users enter their information into the fake website, and the attacker can later use what was captured.
- SIM swapping: "SIM swapping" (also called "SIM switching") refers to a criminal tactic in which a fraudster contacts a mobile service provider, claims that the victim's SIM card has been lost, stolen, damaged, or blocked, and asks to move the phone number to a new device. The fraudster requests that a new SIM card be issued and, if successful, the victim's phone number is transferred to a SIM the fraudster controls. The fraudster then receives calls and SMS codes sent to that number and can use them to access the victim's bank, credit card, and other personal accounts.
- Security questions: If a hacker can't steal your password, they might try to find the answers to your recovery questions instead. A hacker can easily find out your mother's maiden name, the street you grew up on, or your favorite color. It's all information that's easy to find on the Internet or in public records.
Additional Security Measures to Use In Conjunction With MFA
Remote workers are often reminded of the importance of protecting personal information and data. Although organizations cannot put their companies' databases on lockdown, their employees can take precautions that limit the chances of unauthorized access to computers, tablets, and mobile phones. For example, if devices are stolen, employees can ensure that personal and company information is protected. Here are several ways employees can protect their details while working from home:
- Educate employees on MFA's security limits: Make sure your employees understand the ways in which an attacker can get past MFA. For example, attackers might use techniques that are a product of remote work, such as Zoom bombing, where an uninvited attendee joins a meeting and gathers personal details to use later in another attack. Additionally, vishing, which is phishing through phone calls rather than emails, has become more common with the increase in remote work. The phone call will appear to come from a trusted source, but its aim is to steal your information.
- Consider using biometric or behavior-based MFA: Using a combination of standard authentication methods is a great first step, but you should also consider biometric or behavior-based multi-factor authentication. It goes beyond the standard methods and can add a further layer of protection to your organization's security.
- Implement a Voice over Internet Protocol (VoIP) phone for MFA: The company needs a means of verifying that remote employees are actually who they say they are. The recommended way to do this is multi-factor authentication (MFA), and a Voice over Internet Protocol (VoIP) phone can be an effective channel for delivering the MFA step.
- Use a password manager: One of the best ways to get your employees on the same page is to require them to use a password manager. A password manager lets users store all their passwords in a single, secure application that can be accessed from anywhere. It generates a unique password for each site the user accesses and manages the user's logins to those sites, so the user never loses access to an account. The generated passwords are much harder to guess and, as a result, reduce the risk of attacks.
Have a Team on Call
While strong authentication measures are an important security control to have in place, they are not effective if they are not enforced. Security awareness training programs can help get people on the same page and build a cybersecurity mindset within your organization. A security solutions provider can support businesses entering emerging markets, helping them to navigate the numerous security challenges effectively.
About the Author
Anas Chbib is one of the most respected leaders in the security industry, known for his unmatched business ethics, inspirational entrepreneurial spirit, and fierce desire to offer organizations worldwide highly-secured environments in order to ensure business continuity and better service. Anas is currently the Founder and CEO of AGT, a highly respected, international cybersecurity firm.