Testing MFA Controls: Learning from the CISA Cybersecurity Advisory

by Hannah Grace Holladay / April 3rd, 2022

You thought you did everything right. You enabled multi-factor authentication (MFA) on all of your accounts and configured it so that all employees and customers are required to use it. You have automated checks set up to make sure MFA is still required. And yet you still experience a data breach. This is exactly what happened to the non-governmental organization (NGO) described in the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA)’s recently released joint Cybersecurity Advisory (CSA).

In May 2021, a Russian state-sponsored actor took advantage of a misconfigured account with default MFA settings. The actor was able to register a new device for MFA and access the NGO’s network by exploiting a critical Windows Print Spooler vulnerability called “PrintNightmare.” This vulnerability allowed the Russian state-sponsored actor to run arbitrary code with system privileges, ultimately permitting them to gain access to important documents within the company’s cloud and email accounts.

This incident proves why internal audits conducted by a third-party are so important. The purpose of internal audits is to provide your organization with total assurance that your information security program is actually keeping your company’s sensitive data safe. Sometimes people will hang their hat on automated audit results that provide false assurances. An automated check can say that MFA is enabled, but an experienced professional looks at it more thoroughly than that to make sure the configurations are working as they were intended to.

We’ve seen that many of our clients are vulnerable to this same type of incident. During one of our audits, the auditor realized that the company’s developers were completely bypassing the MFA/VPN requirement. The developers were connecting to the production environment using SSH with no MFA. If the auditor had stopped after only the automated tests, the results would have said that the VPN was in place and MFA was enabled. And while those would be true statements, they don’t accurately reflect the security posture of that company’s development practices. The company would still be at risk despite the results of their audit because automation doesn’t understand the context of what the employees’ processes look like. Only a real-life person can verify these processes are working (or not working) like they are intended to, so that a company can have total confidence in their security practices.

A Cybersecurity Checklist Isn’t Enough

If your organization wants total confidence that its security practices are keeping the company safe, it isn’t enough to put a checkmark by “MFA enabled.” Your organization needs to be performing comprehensive tests over the functionality of its configurations. While we believe a cybersecurity checklist will never be enough to fully provide your organization with the assurance it needs, reviewing or testing the following security best practices are a good place for your organization to start:

  • Test the MFA enrollment process
  • Test whether disabled accounts can be used to bypass MFA requirements
  • Review the VPN configuration to ensure 256-bit encryption through modern protocols like OpenVPN or IKEv2
  • Review the VPN configuration to ensure MFA is enforced
  • Identify the method of administrative access in place to segment remote systems from production (i.e., jump server (bastion host), AWS Systems Manager, etc.) is properly segmenting systems and users
  • Review protocols enabled to administrate systems and their source (i.e., SSH or RDP over VPN from jump server only…no direct access from the Internet)
  • Review cloud application or production configuration to ensure they may only be administrated from approved network devices, once authenticated over VPN
  • Allow remote desktop access only over a VPN with MFA (no direct access from the Internet)

Only an Audit with an Experienced Security Professional Can Give You the Assurance Your Organization Needs

While all of the above steps are good practices for your organization’s configuration management processes, conducting a third-party audit with a firm like KirkpatrickPrice is the best way to gain the assurance your company needs. Only an internal audit or continuous penetration testing conducted by an experienced security professional can prove that your organization has implemented the best security controls for the protection of your sensitive data and that those controls are functioning correctly. An automated tool can check that those controls are in place, but they can’t evaluate their functionality. Our experts can find exactly how your configurations are working and provide you the guidance needed to strengthen your organization’s security posture. Because at the end of the day, it isn’t enough to just have MFA enabled. You need to be sure that your MFA configurations are keeping bad actors away from your valuable data.

KirkpatrickPrice Can Give You That Assurance

Let KirkpatrickPrice give you the assurance you need through an audit or penetration test. Contact our experts today to see which services are right for you and make sure you’re secure.

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.