Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you with us here today as we round out our discussion of the dirty 13, the top 13 most common audit issues we see. No asterisk when auditing CPA firms, but like we say, I think practically every episode that we've done on the dirty 13, it's not just CPA and financial firms.
These are really the top issues we see when performing any type of information security audit. So it has been quite a few weeks in the making, but now we are rounding out with the last of the dirty 13, and this one's kind of wild, but it's just a complete lack of multifactor authentication. So we will get into that, all the different ways that you can make your organization more secure with multifactor.
And if I'm honest, I think a lot of podcasts, a lot of articles, there's tons of stuff out there on multifactor. And I think we'll talk about what we're seeing in audits and really some actual best practices, things you probably haven't heard in other areas and things that could really save your bacon when things go sideways because multifactor can go sideways to make things really bad. Before we get into that, please click that subscribe if you like what you're hearing, if you like what you listen to, subscribe, follow, whether it's on Apple Podcasts, Spotify, or on YouTube, we'd love to have you and please leave us some comments.
Let us know some things that you would like to see and have us talk about on the show. So with that said, as I clear this eyelash out of my eye, with that said, let's get into the last of the dirty 13. Lack of MFA.
Now, I don't know how much I can really talk about the actual issue because the issue is just that, well, a lot of firms, a lot of companies still are not enforcing multifactor or they only have it on a couple of accounts or it's only on certain systems and not all systems. I think that pretty much covers the entire issue that with multifactor, you have to have it fully enabled on practically every single one of your accounts on every single one of your systems. And I say practically because there are some accounts that you may not want to have it on, which we'll actually get into talking about like a break glass account.
But as far as MFA goes, you have to have it enabled, you have to have it set up. And here's the really big thing with that. MFA, it has been preached about now for so long and with so many different information security standards, with so many regulations, with so many privacy laws now, it's becoming an absolute requirement.
And if you don't have multifactor and you have a data breach, it can actually lead to your insurance company most likely not covering that claim. It could get your insurance claims denied because you're supposed to have multifactor authentication. And if you read the fine print in your insurance contracts, and you should, one of the things it typically says in there is that you're setting up multifactor on all of your systems.
So don't let that snag you. Another big thing is with it being, again, such a low hanging fruit and a requirement of so many different regulations, if you don't have it set up, it could also lead to a potential regulatory fine or possible criminal penalties, depending on really how egregious it is. So I can't overstate how important multifactor is to set up.
And I don't know if this is the best place to go into a real deep explanation of what multifactor is. I guess we'll have a companion article, we'll talk about it in some other areas. But high level overview, it's something, oh man, I'm going to do it right off the top of my head here and probably flub it up.
It's something you know; something you are, biometrics; something you have, like a passkey or perhaps even a YubiKey; somewhere you are, geolocation. I feel like I'm missing one. In any case, multifactor has to be at least two of those.
So you can't have two something-you-knows, like a password and a PIN, that's not multifactor. Both of those things are something you know, so that doesn't qualify. But if, say, you had a password and an OTP, a one-time password, which typically gives you the six digits from an authenticator app, well, that's something that you have.
So something you know, your password, something you have, your authenticator app, there you have multifactor. I realize that it would be an incredibly short episode if we just cut it short there, but beyond saying that the audit findings that people don't have MFA and they need to have it, there's not a whole lot more to say on the MFA subject. So rather than harp on that, what I want to do is dive into some good best practices for your MFA.
These are things that, as you're setting it up, you want to make sure you consider, you want to make sure you set it up the right way, because as great as multifactor authentication is, it can also lead to a lot of headache, it can lead to a lot of aggravation, it can even get you locked out of your accounts. So you want to be very careful with how you set it up, so that you're securing things, not making it more difficult for yourself, for your clients, for your business. So getting into these best practices, the first one we have here is creating a break glass account.
And we've talked about this as we've talked about other systems: having that account that, when everything goes sideways, you can get into, you can reset systems, you can reset passwords, you can reset people's multifactor authentication. It's really the "everything else is broken, this is the only way we can get in" account. You want to make sure to have a break glass account.
And it depends on how your system is set up, how your environment is set up, whether or not you want to have multifactor on that account. There is not an always-yes or always-no answer here. It really depends on your situation and how you can set it up to make sure that, again, you're not getting yourself locked out, but you're securing your systems appropriately.
Some things to consider with your break glass account: make sure that you limit the scope of that account. Either it can only, say, access or manage certain accounts, so it would only be able to do one or two accounts and those could get you into others. It would definitely be a thing of, it is only used for these emergency purposes.
It is never used for administrative activities, it's definitely not used for daily activities. It is put on the shelf, it's put behind that glass pane and you only access it, you only break that glass when you absolutely have to. Another really good practice is using very, very strong passwords for your break glass account as long as you can.
And another good way to do those passwords, if you can, is break it up in half and give one half to one person, one half to another person. And that way, again, if things go sideways, those two can come together, kind of the two keys and lets you into the account. With any break glass account, you also want to monitor its use.
When that account logs in, if at all possible, warning bells should go off, logs should light up, you should get alerts. Practically everybody that monitors your systems should know that that account has just logged in and they should be reaching out to confirm that it was supposed to. Better yet, you should have already let them know that you're using the account so they know what to expect.
Finally, two finales. Restrict access to it, that goes into limiting the scope, and periodically test it. Don't assume that that break glass account is always going to work.
I would suggest at least annually testing it to make sure that it works, it can get you in, and that when you go to use it, all the alerts, all the notifications, everybody's responding appropriately. Because that account should never be used except in the "holy crap" moments. So if it is being logged into, you want to make sure that's not a malicious actor.
Okay. The next one. And I see this a lot, which is kind of a good thing because it means that people are using password managers. When people are using password managers, a lot of them now even allow you to set up your one-time passwords right within that password manager, which is kind of neat. Because then when you go to log in, it shows your password, it shows your OTP, and you're right in.
It makes things a little bit less complicated, makes it easier to get in, which there is utility in that. However, if somebody gains access to your password manager, well now they have all of your multi-factor authentication. They have all of those OTPs, which means that the one password or the one system that they breach now gives them access to everything.
If you have your password manager with all of your passwords, but you have your authenticators or one-time passwords at another location, then even if somebody breaches your password manager, which would suck, it wouldn't be catastrophic, because your one-time passwords, your multi-factor, would be in another location. It would separate those, so it wouldn't be the complete keys to the kingdom. So as much as you can, do not store or use your password manager as your authenticator, as your multi-factor.
This also goes to don't store your multi-factor backup codes, your restore codes, in your password manager. Even if your multi-factor is at some other location, if all the restore codes, all the recovery codes are in the password manager, well now I can just reset all of the multi-factor as I'm gaining access to the account. So it still gives that one data breach gives access to everything.
Make sure to keep those separate. If you can, utilizing a YubiKey or other hardware authenticator is a great solution. The thing I like about the YubiKeys, the little pass keys, is that one, it's a completely separate device.
It's something that I have. I can even configure that for different systems to where it's got to be plugged in, I've got to touch it to unlock the system. It's a great multi-factor.
What's also great about those, though, is that depending on how you set up your multi-factor, typically by scanning in a QR code, you can actually create backups. So in a vault, we actually have a backup of some of our YubiKeys, so that if one of them breaks or one of them gets lost, we can get into the accounts, we can reset all of that multi-factor. It also gives the flexibility, if you have multiple administrators of an account, that they don't necessarily have to share a phone; they can each have their own separate passkey coded the same way so that they can access the account. That's another neat way to leverage some of the break-glass accounts.
You can do some cool things with it, but the short of it, stated at length, is that YubiKeys give a very good something-you-have multi-factor solution and are one of the very few solutions that let you actually create a backup of your multi-factor. Some other points here, I think the final two points are: if you can, avoid text, avoid SMS. It is relatively easy to clone somebody's cell phone, and God forbid that happens, now somebody can get your one-time passwords, they can get that multi-factor sent to the device that they just cloned, and they're completely sidestepping your multi-factor methods.
This also relates to if you can, avoid using email as your multi-factor. A lot of systems default to this, a lot of systems don't allow you to do anything else other than use the email, but if you can, avoid it. And that just goes back to a lot of the same issue with putting your OTPs, your multi-factor, in your password manager, or the recovery keys in the password manager.
If your email gets compromised, now I've got the capability to not only log into an account, but most likely I can reset the password by emailing the password reset link, and now I'm getting the multi-factor for that same account that I just compromised. It creates a situation where it is almost adding complexity, adding aggravation to every time you log in, without really providing as much of the security benefit. So, if you can, avoid using email as your multi-factor.
Now, that was a quick down and dirty of some best practices with multi-factor. There are a lot of others, there are a lot of ways that you can structure it, and as with everything information security, as with everything risk management, it all really comes down to your business needs, your business structure, and what works best for your organization and for your users. And it's always about managing security, capability, being secure, being productive.
But keep these in mind when setting everything up, and it will help you, one, make everything more secure, and two, make it easier on your users. Thank you very much for listening to today's Cash in the Cyber Sheets. Can't wait to have you back next week.
Please check out all of the links for the other podcast episodes of The Dirty Thirteen, and we also have, if it's not already up, it will be soon, the e-book on The Dirty Thirteen that goes through everything that we've talked about in all of these podcast episodes and puts it into one nice little spot, easy to reference. So, thank you again for listening. Until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
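The episode's advice that a break-glass login should "light up the logs" and that its uses should be announced ahead of time is easy to turn into a concrete detection. The script below is an added example written for this page, not code from the show or from Input Output. It assumes a generic JSON sign-in event shape (`ts`, `user`, `result`, `ip`, `mfa`) that you would map onto your own identity provider's fields, an assumed break-glass account name, and an assumed list of announced maintenance windows with change-ticket IDs; the sample events are constructed, not real logs. Every sign-in attempt by the break-glass account produces an alert; a failed attempt or a success outside an announced window is rated critical, and an announced success still pages so the responder can confirm it with the ticket owner.

```python
"""Alert on every use of a break-glass account, and escalate unannounced use.

Added example for the "monitor your break-glass account" advice. The event
format, account name, and change windows are assumptions, not a real IdP schema.
"""
import json
from datetime import datetime, timezone

# Assumed break-glass account name(s). Use your tenant's real identity here.
BREAK_GLASS_ACCOUNTS = {"breakglass-admin@example.com"}

# Assumed announced-use windows: (start, end, change ticket). Any break-glass
# sign-in outside these windows is treated as unannounced.
ANNOUNCED_WINDOWS = [
    (
        datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc),
        datetime(2024, 5, 2, 10, 30, tzinfo=timezone.utc),
        "CHG-1042",
    ),
]

# Constructed sample sign-in events (not real logs). One JSON object per line,
# mirroring the minimum fields most IdP sign-in logs expose.
SAMPLE_EVENTS = [
    '{"ts": "2024-05-02T09:12:04Z", "user": "alice@example.com", '
    '"result": "success", "ip": "203.0.113.10", "mfa": true}',
    '{"ts": "2024-05-02T09:40:31Z", "user": "breakglass-admin@example.com", '
    '"result": "success", "ip": "198.51.100.7", "mfa": false}',
    '{"ts": "2024-05-02T23:02:55Z", "user": "breakglass-admin@example.com", '
    '"result": "failure", "ip": "192.0.2.44", "mfa": false}',
    '{"ts": "2024-05-03T01:15:00Z", "user": "bob@example.com", '
    '"result": "success", "ip": "203.0.113.11", "mfa": true}',
]


def parse_event(line):
    """Parse one JSON sign-in line and convert its timestamp to an aware datetime."""
    event = json.loads(line)
    # fromisoformat() accepts a trailing 'Z' only on Python 3.11+, so normalise it.
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def announced_ticket(ts):
    """Return the change ticket whose window covers ts, or None if unannounced."""
    for start, end, ticket in ANNOUNCED_WINDOWS:
        if start <= ts <= end:
            return ticket
    return None


def classify(event):
    """Severity for a break-glass sign-in: any failure or unannounced success is critical."""
    ticket = announced_ticket(event["ts"])
    if event["result"] != "success":
        # Someone is guessing the break-glass credentials. The account is never
        # used day to day, so even one failure deserves a page.
        return "critical", ticket, "failed sign-in attempt on break-glass account"
    if ticket is None:
        return "critical", None, "successful break-glass sign-in outside any announced window"
    # Announced and successful: still page, and confirm with the ticket owner.
    return "high", ticket, "announced break-glass sign-in; confirm with ticket owner"


def detect(lines):
    """Run the rule over raw log lines and return one alert per break-glass event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event["user"] not in BREAK_GLASS_ACCOUNTS:
            continue
        severity, ticket, reason = classify(event)
        alerts.append({
            "severity": severity,
            "user": event["user"],
            "ts": event["ts"].isoformat(),
            "ip": event["ip"],
            "mfa": event["mfa"],
            "ticket": ticket,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['user']} "
              f"from {alert['ip']} ticket={alert['ticket']}: {alert['reason']}")
```

Running this over the constructed events yields two alerts: a high-severity one for the 09:40 sign-in covered by CHG-1042, and a critical one for the 23:02 failed attempt with no window. The annual test the episode recommends maps directly onto this rule: book a window, use the account, and confirm that the "high" alert fires and that someone actually responds to it.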