
How a Single Security Measure Could Have Protected Millions of People from a Cyber Nightmare

Published on June 27, 2024

Could a simple security measure have prevented the Change Healthcare breach? Learn how Multi-Factor Authentication (MFA) can protect your business from cyber threats.

Can One Simple Step Prevent a Major Cyber Disaster?


It’s a nightmare scenario for any business – a ransomware attack leaking private data belonging to millions. This was the reality for Change Healthcare, whose breach exposed millions of Americans' health information on the dark web.

What if there was a simple, effective measure that could have prevented this catastrophe? How would you feel if you failed to use it? Multi-Factor Authentication (MFA) is that critical tool, often overlooked - but oh, so important!

This blog post will guide you through MFA: What is it? Why is it essential? Where should you implement it immediately? This is the first in a series that will cover key components of a strong cybersecurity strategy, using lessons from the Change Healthcare breach. Future posts will discuss network segmentation, penetration testing during mergers and acquisitions, and budgeting for cyber insurance. This series will help you enhance your cybersecurity.

Let’s get to the main event – MFA (also known as 2FA) and discover how it can protect your business in a big way.

The Importance of Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring multiple forms of verification before granting access to an account. Here’s how it works:

  1. First, you enter your password or PIN (something you know).
  2. Next, you provide a second factor, such as a code sent to your smartphone, a security token, or an app-generated code (something you have).
  3. Sometimes, a third factor like a fingerprint or facial recognition is used (something you are).

These multiple steps ensure that even if one factor is compromised, unauthorized access is still prevented.

Basic Elements of MFA


The Risk You Take Without MFA

The Change Healthcare ransomware attack is a masterclass in the risks of relying solely on passwords. It is estimated that a third of Americans had their health information leaked to the dark web as a result of this attack. Could it have been avoided? The U.S. Committee on Energy and Commerce concluded: “The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems.”

Implementing MFA could have significantly reduced the chances of unauthorized access. Had MFA been in place, the attackers would have needed an additional verification step, such as a code from a mobile app or biometric data, making unauthorized access significantly more difficult. According to a Microsoft report, “more than 99.9% of compromised accounts don’t have MFA, leaving them vulnerable to password spray, phishing, and password reuse.”

Understanding How MFA Works


The value of MFA (also known as 2FA) can be illustrated using another common scam known as the Grandparent Scam. In this situation, a person receives a call from a “grandchild” claiming he is in dire need of money, either due to a run-in with the law, an accident, or a robbery. The scammer may trick the grandparent into revealing the name of a grandchild, making the call more convincing. But imagine if the real grandchild and grandparent had already agreed upon a codeword that would positively identify them in such a situation. The scammer would have no way of possessing that information. That codeword is effectively a form of MFA, stopping the scam in its tracks.

Similarly, picture a scammer who has cracked a password to an Amazon account. He’s excited to get into that account and harvest payment information, maybe even order himself something nice. But… this user has enabled MFA on the account and the scammer is faced with a screen asking him to enter the six-digit TOTP (Time-Based One-Time Password) code that is only available from the authenticator app on the account owner’s mobile phone. He is blocked from getting any further and the account remains safe. 


Implementing MFA in Your Organization

  1. Develop Policies: Specify which systems and applications require MFA and outline acceptable authentication methods.
  2. Enforce MFA: Ensure compliance by integrating it into login procedures for all critical systems.
  3. Employee Training: Educate employees about the importance of MFA, providing training on how to use it effectively.
  4. IT Partner Assistance: An IT partner can offer expertise, ensure seamless integration, and provide ongoing support to address any issues.


What are the Most Vital Systems and Applications Requiring MFA?

Your IT partner would doubtless recommend enabling MFA on all accounts and applications where it is available. This is definitely the best practice and the standard to aim for. However, certain systems and applications are the most critical and the most exposed. Here are some examples where you should enforce MFA immediately:

  • Email Accounts: Protect against phishing and unauthorized access.
  • Remote Access Systems: Secure VPNs and remote desktop access.
  • Financial Systems: Safeguard financial transactions and sensitive financial data.
  • Cloud Services: Ensure secure access to cloud-based applications and data storage.
  • Customer Relationship Management (CRM) Systems: Protect customer data and interactions.
  • Human Resources Systems: Secure employee records and personal information.
  • Administrative Accounts: Protect high-privilege accounts.
  • Computer Logins: Prevent unauthorized use and protect local data.

Main Types of Multi-Factor Authentication (MFA)

Implementing Multi-Factor Authentication (MFA) is crucial for enhancing security by requiring additional verification steps beyond just a password. Here are the main types of MFA, ranked from best (strongest) to good in terms of security:

  1. Hardware Tokens:
    • Description: Physical devices like YubiKeys that generate or store one-time codes. Users must insert the device into their computer or tap it on their mobile device.
    • Pros: Extremely secure, phishing-resistant.
    • Cons: Costly, risk of losing the device.
    • Security Rating: BEST
  2. Biometric Authentication:
    • Description: Utilizes unique biological characteristics such as fingerprints, facial recognition, or iris scans for authentication.
    • Pros: High security, convenient, difficult to fake.
    • Cons: Requires specialized hardware, privacy concerns.
    • Security Rating: BEST
  3. Authenticator Apps:
    • Description: Apps like Google Authenticator or Microsoft Authenticator generate time-based one-time passwords (TOTP) that users must enter to authenticate.
    • Pros: More secure than SMS, works offline, easy to use.
    • Cons: Requires a mobile device, installation and setup of an app.
    • Security Rating: BEST
  4. Push Notifications:
    • Description: Users receive a notification on their mobile device screen and must approve the login attempt.
    • Pros: User-friendly, quick, and more secure than SMS or email.
    • Cons: Requires a smartphone with internet connection. User may approve a login attempt mistakenly.
    • Security Rating: BETTER
  5. SMS Text-Based:
    • Description: Users receive a one-time code via SMS to their registered mobile number, which they must enter to complete the login process.
    • Pros: Easy to implement and use, no additional apps required.
    • Cons: Vulnerable to SIM swapping attacks and interception.
    • Security Rating: GOOD
  6. Email-Based:
    • Description: Users receive a one-time code or link via email to authenticate.
    • Pros: Easy to implement, no additional apps required.
    • Cons: Email accounts can be compromised. Slower than other authentication methods.
    • Security Rating: GOOD
  7. Knowledge-Based Authentication:
    • Description: Users must answer personal security questions or provide specific information known only to them.
    • Pros: Easy to implement, no additional hardware or software needed.
    • Cons: Less secure, can be guessed or found through social engineering.
    • Security Rating: GOOD

Choosing the Right MFA Method

Selecting the appropriate MFA method depends on various factors such as the level of security required, user convenience, and available resources. For highly sensitive applications, combining multiple MFA methods can provide enhanced security. For instance, using biometric authentication along with a hardware token ensures robust protection against unauthorized access.

For most users, our recommendation would be an Authenticator App. Such an app is an excellent choice since most people already have a smartphone, keep it with them all the time, and know how to install something from the AppStore. This method of authentication is more secure than an email or SMS text, it’s easy to use, and doesn’t require purchasing any additional hardware.

You Should Enable and Enforce MFA Now!

There you have it – our first lesson from the Change Healthcare breach. Implementing Multi-Factor Authentication (MFA) is a simple yet powerful step that significantly reduces the risk of unauthorized access to your systems and protects sensitive data.

MFA is really a no-brainer for any business, regardless of size or industry. This measure ensures that even if one layer of security is compromised, additional layers are in place to prevent unauthorized access. Neglecting such an essential security practice can have devastating consequences.

Three Things You Need to Do Right Away:


We Are Ready to Help!

At allCare IT, we specialize in providing comprehensive cybersecurity services, including the implementation of MFA, Cyber Awareness Training, and other advanced security measures. Our managed cybersecurity services are designed to protect your business from cyber threats, ensuring the safety and integrity of your data.

Don’t wait for a security breach to take action. Contact allCare IT today to schedule a consultation and learn how we can help you secure your business with cutting-edge cybersecurity solutions.