You’re always a target, so it pays to review your cybersecurity insurance

MFA is a requirement most insurers insist upon: For example, they mandated that all remote access, including VPN access and all remote monitoring and management (RMM) solutions, such as remote desktop protocol (RDP), be protected by multifactor authentication (MFA), mandating that it should also be enforced on email access and any remote access to critical resources, including third-party and vendor access. They also required that I implement MFA authentication protection on all network administrator accounts and any other user accounts with elevated permissions within your network. They wanted me to enable an endpoint detection and response (EDR) solution on all endpoints so that all detected endpoint activity is monitored 24 hours a day, 7 days a week, and 365 days of the year.

Is MFA and EDR enough? How about password managers and zero trust?: However, I think they missed some things when it comes to remote access and multifactor mandates. For example, one that I think should be a mandate is a password manager program that enforces longer passwords and passphrases. But I wouldn’t stop with merely mandating a password manager program. For anyone who has network administrator rights, there should be an additional biometric or similar process that protects not only the administrator login of the password manager software but all cloud portals that control Azure, Google, or Amazon Web services, key cloud services. Nor did the insurers mention best practices such as zero-trust network access or other processes that network administrators should be using when they remote in to a network or administer a network. While training on phishing attacks was also recommended, broader training regarding the use of remote access and the sensitivity of sending data through the internet was not discussed. I was also surprised to see no mention of the use of artificial intelligence and no questions about any policies I might have regarding the use of such techniques.

Many risks aren’t required to be addressed by insurers: Often these cyber insurance policies recommend that there are enterprise policies and processes in place to ensure that operating system updates are installed in a timely manner following recommendations from industry agencies such as CISA and others, but they don’t address other sources of patching risks in a firm. For example, I found no mention of having processes for controlling patching for appliances, internet of things devices or other hardware that might need software updates or BIOS updates in order to maintain a secure posture. Multifactor authentication isn’t without its own risks and vulnerabilities. Attackers are using techniques such as phishing, vishing, and smishing to trick users into divulging their MFA codes. Phishing uses social engineering to trick victims into paying money, handing over sensitive information, or downloading malware. Smishing (SMS phishing) involves sending malicious text messages and tricking the user into approving an authentication prompt. Through vishing (voice phishing), scammers impersonate professionals such as help desk technicians over the phone to trick them into revealing sensitive data or transferring money. The risks of endpoint compromise should never be overlooked, as attackers can enter a system with malware and steal session cookies or create shadow sessions. In addition, you could accidentally lock someone out if connectivity is impacted or the user loses access to an MFA device, such as a cellphone or a hardware token. Training users on how to properly use MFA, as well as planning ahead for those times when you have problems using MFA, should be part of any firm’s long-term security planning process.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3854674/youre-always-a-target-so-it-pays-to-review-your-cybersecurity-insurance.html
