Testing MFA Controls: Learning from the CISA Cybersecurity Advisory

You thought you did everything right. You enabled multi-factor authentication (MFA) on all of your accounts and configured it so that all employees and customers are required to use it. You have automated checks set up to make sure MFA is still required. And yet you still experience a data breach. This is exactly what happened to the non-governmental organization (NGO) described in the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA)’s recently released joint Cybersecurity Advisory (CSA).

In May 2021, a Russian state-sponsored actor took advantage of a misconfigured account with default MFA settings. The actor was able to register a new device for MFA and access the NGO’s network by exploiting a critical Windows Print Spooler vulnerability called “PrintNightmare.” This vulnerability allowed the Russian state-sponsored actor to run arbitrary code with system privileges, ultimately permitting them to gain access to important documents within the company’s cloud and email accounts.

This incident proves why internal audits conducted by a third party are so important. The purpose of internal audits is to provide your organization with total assurance that your information security program is actually keeping your company’s sensitive data safe. Sometimes people will hang their hat on automated audit results that provide false assurances. An automated check can say that MFA is enabled, but an experienced professional looks at it more thoroughly than that to make sure the configurations are working as they were intended to.

We’ve seen that many of our clients are vulnerable to this same type of incident. During one of our audits, the auditor realized that the company’s developers were completely bypassing the MFA/VPN requirement. The developers were connecting to the production environment using SSH with no MFA. If the auditor had stopped after only the automated tests, the results would have said that the VPN was in place and MFA was enabled. And while those would be true statements, they don’t accurately reflect the security posture of that company’s development practices. The company would still be at risk despite the results of their audit because automation doesn’t understand the context of what the employees’ processes look like. Only a real-life person can verify these processes are working (or not working) like they are intended to, so that a company can have total confidence in their security practices.

A Cybersecurity Checklist Isn’t Enough

If your organization wants total confidence that its security practices are keeping the company safe, it isn’t enough to put a checkmark by “MFA enabled.” Your organization needs to be performing comprehensive tests over the functionality of its configurations. While we believe a cybersecurity checklist will never be enough to fully provide your organization with the assurance it needs, reviewing or testing the following security best practices is a good place for your organization to start:

  • Test the MFA enrollment process
  • Test whether disabled accounts can be used to bypass MFA requirements
  • Review the VPN configuration to ensure 256-bit encryption through modern protocols like OpenVPN or IKEv2
  • Review the VPN configuration to ensure MFA is enforced
  • Identify the method of administrative access in place to segment remote systems from production (e.g., a jump server (bastion host), AWS Systems Manager) and verify that it is properly segmenting systems and users
  • Review the protocols enabled to administer systems and their source (e.g., SSH or RDP over VPN from the jump server only, with no direct access from the Internet)
  • Review cloud application or production configuration to ensure they may only be administered from approved network devices, once authenticated over VPN
  • Allow remote desktop access only over a VPN with MFA (no direct access from the Internet)
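As an added example (not code from the original article or from KirkpatrickPrice), the following Python script shows how two items of the checklist above, plus the SSH-without-VPN finding described earlier, can be checked against a snapshot of identity-provider account records and sshd log lines. The account fields, the approved VPN/jump-host subnets, the 90-day dormancy threshold and all sample data are constructed assumptions, not any vendor’s schema.

```python
"""Audit helpers for an MFA / remote-access checklist (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import re


@dataclass
class Account:
    user: str
    enabled: bool
    mfa_devices: int               # number of enrolled MFA devices
    last_login: Optional[date]     # None = never logged in
    mfa_policy: str                # "enforce", or "bypass" for a fail-open default


TODAY = date(2022, 3, 15)                 # fixed "now" so the example is reproducible
INACTIVE_AFTER = timedelta(days=90)       # assumed dormancy threshold


def audit_accounts(accounts: List[Account], today: date = TODAY) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for enabled accounts that weaken MFA."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # disabled accounts are checked separately by the IdP
        if a.mfa_policy != "enforce":
            findings.append((a.user, "mfa-fail-open"))
        if a.mfa_devices == 0:
            # with default settings an account with no device can self-register a new one
            findings.append((a.user, "no-mfa-device"))
        if a.last_login is None or today - a.last_login > INACTIVE_AFTER:
            findings.append((a.user, "dormant-enabled"))
    return findings


# Successful sshd logins whose source is outside the approved VPN pool / jump host.
SSHD_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
APPROVED_PREFIXES = ("10.10.1.", "10.10.2.")   # assumed VPN pool and jump-host subnets


def direct_ssh_logins(log_lines: List[str], approved=APPROVED_PREFIXES) -> List[Tuple[str, str, str]]:
    """Return (user, source_ip, auth_method) for logins that bypassed the VPN."""
    hits = []
    for line in log_lines:
        m = SSHD_RE.search(line)
        if m and not m.group("ip").startswith(approved):
            hits.append((m.group("user"), m.group("ip"), m.group("method")))
    return hits


# Constructed sample data: an IdP export and three sshd log lines.
SAMPLE_ACCOUNTS = [
    Account("alice", True, 2, TODAY - timedelta(days=3), "enforce"),
    Account("bob", True, 0, TODAY - timedelta(days=200), "bypass"),
    Account("carol", False, 1, TODAY - timedelta(days=400), "enforce"),
    Account("dev-deploy", True, 0, TODAY - timedelta(days=1), "enforce"),
]
SAMPLE_SSHD_LOG = [
    "Mar 15 08:01:02 prod-web1 sshd[2231]: Accepted publickey for dev-deploy from 203.0.113.45 port 51022 ssh2",
    "Mar 15 08:05:10 prod-web1 sshd[2290]: Accepted publickey for alice from 10.10.1.23 port 51100 ssh2",
    "Mar 15 08:06:00 prod-web1 sshd[2301]: Failed password for root from 198.51.100.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"account {user}: {finding}")
    for user, ip, method in direct_ssh_logins(SAMPLE_SSHD_LOG):
        print(f"direct SSH login by {user} from {ip} ({method}) bypassed the VPN")
```

The dev-deploy account illustrates the audit finding from the text: the IdP shows it enabled with no MFA device, and sshd shows it logging straight into production from an Internet address.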

Only an Audit with an Experienced Security Professional Can Give You the Assurance Your Organization Needs

While all of the above steps are good practices for your organization’s configuration management processes, conducting a third-party audit with a firm like KirkpatrickPrice is the best way to gain the assurance your company needs. Only an internal audit or continuous penetration testing conducted by an experienced security professional can prove that your organization has implemented the best security controls for the protection of your sensitive data and that those controls are functioning correctly. An automated tool can check that those controls are in place, but it can’t evaluate their functionality. Our experts can find exactly how your configurations are working and provide you the guidance needed to strengthen your organization’s security posture. Because at the end of the day, it isn’t enough to just have MFA enabled. You need to be sure that your MFA configurations are keeping bad actors away from your valuable data.

KirkpatrickPrice Can Give You That Assurance

Let KirkpatrickPrice give you the assurance you need through an audit or penetration test. Contact our experts today to see which services are right for you and make sure you’re secure.

Guide to Industry-Accepted Hardening Standards

The goal of systems hardening is to further protect your organization by reducing vulnerabilities in your applications, systems, and information technology infrastructure. By removing unnecessary programs, applications, and access points, you create less opportunity for malicious attacks and operational malfunctions and increase the security of your system. Just as removing unnecessary hazards on a busy interstate increases traffic flow and reduces the risk of accidents, removing unnecessary technology from your system decreases the risk of malicious activity and can increase overall operational productivity.

System Hardening Standards

For all the parts of your ever-changing systems, you want to prevent attacks and vulnerabilities as best you can. Hardening your network, servers, applications, database, and operating systems is a great start to meeting industry-accepted configuration standards. Your hardening standards will vary as your systems and technology will differ, but you can focus on developing standards to implement these five areas of system hardening:

Network Hardening

  • Firewall configuration
  • Regular network auditing
  • Limit users and secure access points
  • Block unnecessary network ports
  • Disallow anonymous access

Server Hardening

  • Administrative access and rights are allocated properly
  • Secure your data center where servers are located
  • Disallow shutdown without login

Application Hardening

  • Application access control
  • Remove default passwords
  • Implement password best practices
  • Configure account lockout policy

Database Hardening

  • Implement admin restrictions on access
  • Encrypt data entering and leaving the database
  • Remove unused accounts

Operating System Hardening

  • Apply necessary updates and patches automatically
  • Remove unnecessary files, libraries, drivers, and functionality
  • Log all activity, errors, and warnings
  • Limit sharing and system permissions
  • Configure file system and registry permissions

The implementation of these hardening techniques is by no means a comprehensive approach to security, but it’s a great start to ensure your organization is headed in the right direction for a more secure information security program. By gathering the right tools and techniques, you can set yourself up for security success.

Industry-Recognized Experts on System Hardening

The information security industry has endless information on industry-accepted system hardening standards through experts such as CIS, NIST, and SANS. You can dive deeper into hardening standards through NIST’s National Checklist Program for IT Products, NIST’s Guide to General Server Security, and security hardening checklist examples from SANS and The University of Texas at Austin. These experts have extensive resources to provide you with industry-accepted standards for all your security needs. At KirkpatrickPrice, our security practices are influenced by and built upon the foundation of these industry-recognized experts. As you establish your own system hardening techniques, you can turn to these experts and the information security specialists at KirkpatrickPrice for security guidance. Contact us today to learn how we can help you further establish your security presence.

More Resources

Compliance is Never Enough: Hardening and System Patching

PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

SOC 2 Academy: Detect and Monitor Changes in Your System Configurations

5 Network Monitoring Tools and Techniques

Network monitoring is an important piece of information security that every organization should be implementing. Using helpful network monitoring tools, you can track performance issues and security problems to mitigate potential issues quickly. But, with such a saturated market, it can be overwhelming to choose a network monitoring tool that best fits your organization. To help you better track and monitor the security of your network continuously, we’ve pulled together five network monitoring tools to consider using.

5 Network Monitoring Tools

These network monitoring tools monitor various aspects of your network and include features such as SNMP, alerts, bandwidth monitoring, uptime/downtime, baseline threshold calculation, network mapping, network health, customizable reports, wireless infrastructure monitoring, and network performance. In no particular order, we found these five tools to address some of the top network security needs.

ManageEngine OpManager

ManageEngine OpManager is a network monitoring tool that continuously monitors devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, VMs, printers, and storage devices. ManageEngine OpManager must be installed on-site, but it comes with pre-configured network monitor device templates for increased ease of use.

Key features include:

  • Real-time network monitoring
  • Physical and virtual server monitoring
  • Multi-level thresholds
  • Customizable dashboards
  • WAN Link monitoring
  • SNMP monitoring
  • Email and SMS alerts
  • Automatic discovery

Paessler PRTG Network Monitor

Paessler PRTG Network Monitor allows organizations to monitor all their systems, devices, traffic, and applications in their IT infrastructure without additional plugins. You can choose between a number of sensors that will monitor areas of your network, such as bandwidth monitoring sensors, hardware parameters sensors, SNMP sensors, VOIP and QoS sensors, and others.

Key features include:

  • Integrated Technologies (SNMP, WMI, SSH, HTTP requests, SQL, and more)
  • Live-status dashboards
  • Email, push, or HTTP request alerts
  • Threshold-based alert system
  • Reports system
  • Scan for devices by IP segment

Solarwinds NPM

While Solarwinds Network Performance Manager has performance in the name, it is still a valuable network security monitoring tool because of the tracking of network elements such as servers, switches, and applications. Solarwinds NPM can jump from SNMP monitoring to packet analysis to give your organization greater control over the segmentation monitoring of your network and increase network security.

Key features include:

  • Critical path visualization
  • Intelligent mapping
  • WiFi monitoring and heat maps
  • Advanced alerting
  • SNMP monitoring
  • Discovers connected devices automatically

Nagios

Nagios is a monitoring and alerting engine designed to run natively on Linux systems. The open-source model of Nagios provides the opportunity for organizations to customize and adapt the system to meet their needs. The tool breaks down statuses into three categories – Current Network Status, Host Status Totals, and Service Status Totals. Through the use of APIs, you can integrate other services for true flexibility.

Key features include:

  • Performance dashboard
  • API integration
  • Availability reports
  • Alerting
  • Extended add-ons
  • Upgrade capabilities for Nagios XI

WhatsUp Gold

WhatsUp Gold is a tool that pulls infrastructure management, application performance management, and network monitoring all into one tool. It’s a user-friendly tool based on features with customizable pricing packages to fit your organization’s exact structure and network security needs.

Key features include:

  • Hybrid cloud monitoring
  • Real-time performance monitoring
  • Automatic report generation
  • Network mapping
  • Easy-to-use monitoring dashboard

Things to Consider When Choosing a Network Monitoring Tool

Scalability – Depending on the size of your organization and corresponding network size, you need to look for a tool that is able to accommodate that scale. Choose a network monitoring tool that grows in capability as your network grows in size.

Security vs. Performance Tracking – Network monitoring tools vary in the type of monitoring they perform. Network performance tracking tools focus on performance issues and data such as network traffic analysis and network delays. If your goal is to decrease security threats by early detection and prevention tactics, you should consider network security tracking tools.

Cost – The good news about the number of network monitoring tools out in the world is that there is an option for every organization. Whether you’re looking for a free tool to start with or ready to invest funds into a quality networking monitoring tool, there are plenty of options for you.

If you want to learn more about the various tools and techniques you can use to properly secure your network, contact KirkpatrickPrice today. As a firm, we do not partner with any of these tools, but we are passionate about consulting on which solution could benefit your network monitoring techniques.

More Resources

What is Network Penetration Testing?

Think Like a Hacker: Common Vulnerabilities Found in Networks

Know Your Options: Levels of Service for External Network Penetration Tests

Anti-Virus Best Practices: 5 Tools to Protect You

Anti-virus versus anti-malware – what’s the difference? These two categories of protective tools are often misunderstood. It stems from confusion between viruses and malware. A virus is code that can damage your computer, system, and data by copying itself. Malware is used as a catch-all term for malicious software such as spyware, ransomware, trojans, adware, worms, and viruses. Malware is ever evolving whereas viruses have been around for a long time and continue to stay generally the same. Wendy Zamora of Malwarebytes Labs expands further on these differences for you to gain better understanding as you follow anti-virus best practices.

Once you grasp these differences, you can turn your focus to the policies and tools you need to implement to protect against malicious attacks. We’ve gathered a list of five tools to get you started on proper anti-virus protection and a few tips on establishing thorough anti-virus policies to be implemented by your employees.

Protecting Through Anti-Virus Tools

In the world of information security, we often see Internet searches looking for help with Windows Defender or anti-virus for Macs, as well as questions about which anti-virus tools are the best to use. While this list isn’t exhaustive, it’s a good starting place if you’re looking to protect your systems with anti-virus software.

  1. Bitdefender – Bitdefender has enterprise security solutions for all business sizes that help you manage your security from endpoint, to network, to cloud, all of which can include anti-virus and anti-malware software.
  2. Kaspersky – Kaspersky has solutions to predict, prevent, detect, and respond to cyber threats through a number of adaptive security services.
  3. AVG Business – AVG Business offers security tools geared to small business security needs with software that automatically updates to keep your security up to date always. KirkpatrickPrice uses AVG Business to protect our own devices from viruses and various threats.
  4. McAfee – McAfee offers security solutions designed around your business outcomes – transformation, risk management, or automation and efficacy. All of these solutions come with protection against viruses and malware.
  5. Norton – Norton Small Business provides a single solution security service to protect all your devices according to your specific security needs, including malware protection and anti-virus software implementation.

Keep your data secure with anti-virus software that will detect threats, remove all malware, and protect against new threats. Once you’ve implemented anti-virus tools, you can turn your focus to developing detailed policies regarding anti-virus software.

Establishing Anti-Virus Policies

Don’t drop the ball by just adding anti-virus programs to company laptops and expecting that to protect you from all threats. Create policies that expand your protective efforts to ensure your software is patched, anti-virus tools are working effectively, and anti-virus mechanisms are maintained. The PCI framework includes a number of requirements regarding anti-virus and anti-malware software that can be referenced to develop your own policies. Let’s take a look at a few of the PCI requirements that can guide your anti-virus practices:

  • PCI Requirement 5.1.1 requires that your organization’s anti-virus program is capable of detecting all types of malware, removing all known types of malware, and protecting against all known types of malware.
  • PCI Requirement 5.2.1 states, “For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.”
  • PCI Requirement 5.2 exists to, “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7”
  • PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”

These requirements express the need to create policies that will ensure your anti-virus software is kept up to date, effective, and purposeful as part of your information security program. Establish procedures that your organization can implement to further secure your systems and protect against malicious malware and unwanted viruses.

Educating Your Employees on Anti-Virus Best Practices

Once you’ve implemented an anti-virus tool, created policies to maintain that software, and established procedures to follow, you need to educate your employees on anti-virus best practices. Anti-virus training should be included in your annual organization-wide security awareness training. User education should be a top focus to ensure the work you’ve put into mitigating these threats is implemented on all devices. Any small gap can lead to big problems, but your employees can be the first line of defense against these threats. If you’re interested in learning more about security awareness training and how regular education can improve your security posture, contact KirkpatrickPrice today.

More Resources

10 Ways to Conduct Patch Management

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies

Best Practices for Vulnerability Scanning

Vulnerability management should be a priority in any organization’s information security program so that there’s an established approach for identifying and rating issues affecting in-scope systems in a given environment. Vulnerability scans are a main component of vulnerability management, allowing you to evaluate your systems, software, and infrastructure for unpatched holes and gaps in need of remediation. Let’s talk through some best practices for vulnerability scanning to help you protect your assets.

How Often Should You Perform Vulnerability Scanning?

The frequency of vulnerability scanning depends on a few factors: organizational changes, compliance standards, and security program goals. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you’re aware of any security gaps. And, of course, to comply with various regulations, annual, quarterly, or monthly vulnerability scanning may be required as part of your information security program.

Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.

Framework Requirements for Vulnerability Scanning

On your compliance journey, you’ll realize many compliance standards include requirements for regular vulnerability scanning. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree. You can expect to see requirements for vulnerability scanning from these industry compliance and regulatory standards:

  • ISO 27001: Requires quarterly external and internal vulnerability scans
  • HIPAA: Requires a thorough risk assessment and vulnerability process, which can be identified with vulnerability scanning
  • PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
  • FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
  • NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (800-171, 800-53, etc.)

How to Perform Vulnerability Scanning

Vulnerability scans are often confused with penetration tests; however, they serve different purposes in your information security program. Vulnerability scanning is an automated process designed to highlight issues on a wide range of systems at regular intervals. With vulnerability scans, you can discover issues such as missing patches and vulnerable software packages. Penetration testing, however, is performed in both manual and automated forms with a more targeted goal in mind. Understanding the difference and value of these two tools is important so that you can conduct vulnerability scanning with the right expectations.

Vulnerability scanning is conducted with a variety of tools, such as the tools found in OWASP’s list, that can scan systems for various security vulnerabilities. When you hire someone to conduct your vulnerability scans, you’re hiring someone to use a tool on your system. Sometimes, other auditing firms will charge high fees for “manual vulnerability management,” when in reality, they’re using an automated tool to scan your environment. Don’t be fooled into overpriced services that complete the same scan as any helpful vulnerability scanning tool does.

At KirkpatrickPrice, we pride ourselves on honesty and integrity. When you look to us to perform vulnerability scanning services, you’ll know our processes and tools upfront. You can expect a thorough scan of your networks, systems, and equipment to detect and classify any vulnerabilities. Interested in learning more about our vulnerability scanning services? Contact us today.

More Vulnerability Management Resources

Auditor Insights: Vulnerability Assessments vs Penetration Testing

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Appropriate Scanning Vendor

10 Ways to Conduct Patch Management