There has been a recent surge in cyber attacks which dodge past multi-factor authentication (MFA) security measures, putting data center systems at risk. The challenge for data centers lies in the need to align with an overall enterprise security strategy that may hold onto legacy MFA protocols and the need to progress past traditional MFA to meet the unique security needs of data centers.
In August, attackers tricked a Cisco employee into accepting an MFA request, and were able to access critical internal systems.
In September, attackers bought the password of an Uber contractor on the dark web, and repeatedly tried logging in the stolen credentials, Uber reported. At first, the login attempts were blocked by MFA, but eventually the contractor accepted the request and the attackers got in. They were able to access a number of company tools, including G-Suite and Slack.
More embarrassingly, in August, attackers were able to compromise Twilio’s widely-used MFA service. They did so by tricking multiple Twilio employees into sharing their credentials and MFA authorizations. More than a hundred Twilio customers were compromised, including Okta and Signal.
What Changes in MFA Network Protection Means for You
In addition to compromising MFA platforms and tricking employees into approving illegitimate access requests, attackers are also using adversary-in-the-middle attacks to bypass MFA authentication, according to a report released by Microsoft’s Threat Intelligence Center this summer. More than 10,000 organizations have been targeted by these attacks over the past year, which work by waiting for a user to successfully log into a system, then hijacking the ongoing session.
“The most successful MFA cyber-attacks are based in social engineering, with all types of phishing being the most commonly used,” said Walt Greene, founder and CEO at consulting firm QDEx Labs. “These attacks, when carried out properly, have a fairly high probability of success to the unsuspecting user.”
It’s clear that MFA alone is no longer enough and data center cybersecurity managers need to start planning ahead for a post-password security paradigm. Until then, additional security measures should be put in place to strengthen access controls and limit lateral motion through data center environments.
Data centers should be aware not only of how they use multi-factor authentication to secure their own operations, but also of how they work with business units or other customers in supporting their MFA efforts.
Progress Beyond Legacy MFA
This past spring, Apple, Google and Microsoft all committed to a common password-less sign-in standard.
The new approach, which is based on the FIDO security standard, promises to be more secure than traditional multi-factor security, such as one-time passwords sent over text messages. It is expected to become widely available sometime next year.
In a statement issued earlier this month, Jen Easterly, director of the Cybersecurity & Infrastructure Security Agency, urged every organization to put FIDO on their MFA implementation roadmap.
“FIDO is the gold standard,” she said. “Go for the gold.”
In particular, she urged system administrators to begin using MFA, noting that fewer than 50% currently use it.
“System administrators are particularly high-value targets, and they need to properly protect those accounts,” she said.
She also urged cloud services providers to embrace 100% FIDO authentication. “After the rash of MFA bypass compromises this year, it’s clear that being a ‘trustworthy’ cloud provider means ‘we won’t lose your data, even when our staff fall for a credential phishing ruse.’”
Add Controls to Secure Legacy MFA
Even before they move to a password-less, FIDO-based authentication platform, data centers need to step up their security controls.
Plus, even when new password-less technologies do become mainstream, some of these additional controls, like user behavior analytics, will continue to be useful.
For most security teams, these compensating controls will be the standard approach, said Gartner vice president and analyst Ant Allan.
For example, a check to confirm that the login is coming from the same geographical location as the user’s phone will reduce phishing risks, he said.
“And choking the number of failed mobile push authentications can mitigate prompt bombing,” he added. Prompt bombing is an attacker strategy in which the attacker repeatedly attempts to log in, so that the user receives so many MFA requests that they get annoyed and accept one out of sheer frustration.
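The two compensating controls Allan describes, choking failed push authentications and flagging the approval that follows a burst of them, can be expressed as simple detection logic over an MFA push log. The example below is added here and is not from the article or from any vendor; the log format (timestamp, user, push result) and the sample lines are constructed, and the threshold and window are assumptions.

```python
"""Prompt-bombing (MFA fatigue) throttle over constructed push-auth log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window for counting failed pushes
MAX_FAILED_PUSHES = 3            # assumed limit before pushes are choked for that user

# Constructed sample log; hypothetical format: "<ISO timestamp> <user> <result>"
# where result is one of denied / timeout / approved.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z alice denied
2022-09-15T02:01:55Z alice timeout
2022-09-15T02:02:30Z alice denied
2022-09-15T02:03:05Z alice denied
2022-09-15T02:04:40Z alice approved
2022-09-15T09:15:00Z bob denied
2022-09-15T09:40:00Z bob approved
"""


def parse(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def evaluate(log_text):
    """Return (choked, suspicious).

    choked: user -> time at which further pushes should be suppressed
            (and a different factor required), because MAX_FAILED_PUSHES
            denied/timed-out pushes occurred inside WINDOW.
    suspicious: (user, time) approvals that arrived while the user still had
            a burst of failed pushes in the window, i.e. likely fatigue approvals.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failed pushes
    choked, suspicious = {}, []
    for line in log_text.splitlines():
        ts, user, result = parse(line)
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) >= MAX_FAILED_PUSHES and user not in choked:
                choked[user] = ts
        elif result == "approved" and len(recent) >= MAX_FAILED_PUSHES:
            suspicious.append((user, ts))   # approval right after a push burst
    return choked, suspicious
```

Bob's single denial followed by a much later approval falls outside the window and is left alone; only the burst against alice triggers choking and marks her later approval for review.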
There are also AI-based security measures that security teams can use to spot suspicious user behaviors that may indicate account compromise.
“While MFA is a necessary first step, investment in advanced analytics — including machine learning — will provide more flexibility and resilience,” Allan said.
Data centers should also be investing more in identity threat detection and response capabilities, he said. This doesn’t necessarily mean buying new tools, he added. Data center security managers could be doing more with the identity access management and infrastructure security tools they already have.
“The White House memo M-22-09 that demands phishing-resistant MFA is likely a bellwether for other regulatory requirements,” he added. “But it’s unclear if that requires wholly new methods or if compensating controls are enough.”
And existing MFA infrastructure will continue to serve a purpose, said Jason Rader, chief information security officer at consulting firm Insight.
Threat actors will usually start by trying to break into accounts that have the weakest security, he said. “If they’re systematically going through a list of accounts, they’ll try until they find one that doesn’t have an MFA requirement. This is why all accounts should have it enabled.”
Unfortunately, some of the legacy applications that data centers use for operations management might not have any support for MFA at all.
This is particularly true for data centers that have been around for a decade or more, said Rader.
“The bad guys will exploit this and bypass MFA altogether,” he said. “I would say the adversaries will be successful a high percentage of the time if they can locate an account without MFA enabled or if legacy authentication is enabled — because all they have to do is guess the password.”
As enterprises continue to move their data centers to hybrid and cloud models, MFA becomes more critical, as the traditional security systems of on-prem data centers become less relevant.
Fortunately, cloud providers usually make MFA an option for all their users. Unfortunately, many customers don’t take advantage of this. Alex Weinert, Microsoft VP of Identity Security, speaking at a conference last month, said that only 26.64% of Azure AD accounts use MFA. In fact, consumer accounts are 50 times less likely to be compromised than enterprise accounts — because Microsoft has automatic security policies in place for its consumer users, whereas enterprises are expected to manage their own security policies.
Enterprise Data Centers Remain Part of a Broader MFA Security Strategy
A data center manager would also have a role to play if an enterprise MFA tool is hosted within the infrastructure that they manage, said Gartner’s Allan.
“MFA for all workforce use cases would fall under the aegis of the cybersecurity manager or chief information security officer,” he told Data Center Knowledge. “The data center manager – among others – would be responsible for the correct integration of an enterprise MFA tool within the infrastructure they’re responsible for.”
As a result, data center managers running on-prem, hybrid or cloud data centers for enterprises would have a stake in enterprise-wide MFA, which is used by company employees, contractors, partners, and customers.
“The data center manager – again, among others – should have a seat on the security council or committee that governs the organization’s security program, making decisions about policy, technology choices and so on,” said Allan.