Article by Ben Taylor, Executive Director at Cannabis Information Sharing & Analysis Organization, and Chris Clai, a Cannabis Information Security Professional
While the legacy market and a cash-based legal market have forced the cannabis industry to keep physical security thinking at the forefront, the importance of cybersecurity is only now starting to gain the attention it requires.
As October is officially Cybersecurity Awareness Month, we want to take the opportunity to look at one of the best defenses an organization can implement to enhance its security: multi-factor authentication (MFA).
One of the first lines of defense a cannabis company should consider is guarding authentication into its digital environments.
One of the most effective ways to start is by leveraging MFA to help reduce account takeovers and unauthorized access.
The Cybersecurity & Infrastructure Security Agency (CISA) has produced alerts specifically on how weak security controls are routinely exploited for initial access, and implementing MFA remains one of the first mitigation steps for preventing data breaches.
In 2020 Microsoft reported that 99.9% of compromised accounts did not use MFA. While utilizing MFA is essential, not all MFA is created equal.
This article will briefly review types of MFA solutions, recent examples of how threat actors are bypassing MFA protocols, and what mitigating steps the cannabis industry should be implementing to fortify their data security.
What’s the deal with MFA?
Multi-Factor Authentication (MFA) is a security layer many organizations utilize to help secure how staff log in to their systems. It requires the user to provide a combination of two or more factors to verify their identity before gaining system access.
Security is naturally enhanced because even if one factor (like your password) becomes compromised, unauthorized users would have to bypass the second factor before gaining access.
What types of MFA exist?
There are a variety of MFA strategies, and deciding which one makes the most sense for your organization may depend on the sensitivity of the information that users have access to.
The methods below are presented from most to least secure.
Physical Key: Users insert the physical key into, or tap it against, the device or computer to access information. Often, companies will offer physical keys to their highest-value users, though recently a growing number have started issuing them to all users to make their MFA more phishing resistant.
It is not recommended that keys be shared amongst employees. The FIDO Alliance developed FIDO Authentication standards based on public key cryptography for authentication that is more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.
FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
Authenticator App: The authenticator app is an application that you download to your phone. The app will typically provide you with two authentication options.
The first is known as a push notification, which is where the authentication app notifies you that someone is trying to access your account, and it prompts you to approve or decline the attempt. This method offers a combination of security and ease of use.
The second option, which is more widely used, is where the app generates a time-sensitive code that you enter on the login screen when prompted.
Biometric Verification: This can be anything from facial recognition technology to fingerprint verification.
It is important to note that biometric verification should still be used in combination with another factor. As a standalone solution it does not constitute MFA and still leaves security gaps.
Municipality specific laws around storage of biometric data may limit the usefulness of this factor to only systems that are dedicated to a specific employee and do not store their data to a central database, so be sure to check with your legal team on applicable limits if you want to consider biometrics.
SMS: Text-message and phone-call one-time passwords (OTPs) are a common method for MFA. After a username and password are entered, a one-time password in the form of a PIN is either texted or read out via a call.
This method has the drawback of time limits and can also be more vulnerable to threat actors than the methods discussed above.
Email: Email authentication works similarly to the SMS OTP method. It also shares some similar risk factors. Email accounts can be hacked, and if a threat actor has access to your email or that of the provider, they can defeat MFA. Like SMS, this is a common form of MFA, but not the most secure.
How are threat actors bypassing MFA?
A method that has gained notoriety lately is known as “MFA Fatigue”, and was the tactic used in the recent Uber breach.
This method is possible once the threat actor has obtained the initial credentials (typically a username and password); they then repeatedly send the target push requests to authenticate. By continually sending the pushes, the threat actor hopes that an authentication will be accepted by accident, or approved simply to stop the pushes altogether.
According to Kevin Beaumont, a renowned cybersecurity expert, the Uber attack went as follows:
- The threat actor spammed an Uber employee with push notifications from the authentication app for several hours before contacting them on WhatsApp and claiming to be from Uber IT.
- The attacker then indicated the victim needed to accept the push notification to get them to stop.
- The employee accepted the “guidance,” and the threat actor enrolled another device (that the attacker controlled) into the Multifactor Authentication (MFA) enrollment portal. At that point, the adversary has full access to whatever privileged information the target user had.
Lapsus$, the extortion gang recently identified as the group that breached Microsoft, Okta, and Nvidia, claimed to have also worn down victims with repeated MFA push notifications, including a Microsoft employee.
According to a message captured from the Lapsus$ Telegram channel, “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
In addition to mass MFA bombing, sending only one or two MFA prompts per day to attract less attention can also be effective.
You can learn about additional techniques to bypass MFA here.
What are mitigation strategies and best practices?
For the cannabis industry to reduce the risk and protect organizations and users from succumbing to MFA bypass, consider the following in your MFA implementation:
- Train it. Include MFA bypass themes, like the ones highlighted in this report, in simulated phishing exercises and awareness education and discussions.
- Configure it. Ensure MFA settings are properly configured to protect against things like “fail open,” re-enrollment, or initial device enrollment scenarios.
- Randomize it. Make sure user session identifiers are unique and randomly generated.
- Fake it. Encourage users to never use real answers in response to recovery questions (and to use a password manager).
- Expire it. Set the session lifetime before MFA is required again to the minimum acceptable timeframe (preferably re-authenticating at each login) so a threat actor cannot maintain persistence with a stolen session token. Avoid having MFA expire unexpectedly on users, which can lead to unintentional approvals of push notifications.
- Force it. If a user reports repeated unauthorized MFA push notifications, immediately force a password reset and clear existing sessions.
- Disable it. Disable inactive accounts uniformly in Active Directory, the MFA provider, etc., so they cannot be leveraged to re-enroll in MFA.
- Monitor it. Monitor network logs continuously for suspicious activity.
- Alert it. Implement appropriate security policies to alert on things like impossible logins.
- Harden it. Implement a FIDO2-compliant security key (e.g., YubiKey) for multi-factor authentication, encourage adoption of authenticator apps, limit the use of SMS or Email based methods, rate-limit push notifications, and consider newer forms of push notifications when available such as those that offer a challenge, asking you to match the code shown on the screen to that on your phone.
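The "Monitor it", "Alert it", "Force it" and "rate-limit push notifications" items above are the ones a security team can turn directly into code. The following is an added example, not code from the original article or from any MFA vendor: it runs a sliding-window detector over a constructed batch of MFA-push audit events and shows a simple per-user push rate limiter. The JSON line format and the event names (push_sent, push_denied, push_timeout, push_approved) are assumptions of this example; map them to whatever your identity provider actually logs. The sample records, users, IPs and thresholds are all constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of MFA-push audit events (one JSON object per line); not real log data.
# "alice" shows the fatigue pattern from the article: a burst of prompts at 1 am, declined or
# ignored, then finally approved. "bob" is a normal login.
SAMPLE_LOG = """
{"ts":"2022-10-03T01:00:05Z","user":"alice","event":"push_sent","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:00:40Z","user":"alice","event":"push_timeout","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:01:10Z","user":"alice","event":"push_sent","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:01:45Z","user":"alice","event":"push_denied","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:02:15Z","user":"alice","event":"push_sent","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:02:50Z","user":"alice","event":"push_timeout","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:03:20Z","user":"alice","event":"push_sent","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:03:55Z","user":"alice","event":"push_denied","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:04:30Z","user":"alice","event":"push_sent","ip":"203.0.113.10"}
{"ts":"2022-10-03T01:04:50Z","user":"alice","event":"push_approved","ip":"203.0.113.10"}
{"ts":"2022-10-03T09:15:00Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2022-10-03T09:15:08Z","user":"bob","event":"push_approved","ip":"198.51.100.7"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_fatigue(events, window_seconds=600, threshold=4):
    """Alert once per burst when >= threshold prompts are denied or time out for one
    user inside the window (medium); escalate to high if an approval then lands
    while that burst is still inside the window, the signature of a successful
    fatigue attack that warrants the article's 'Force it' response."""
    alerts = []
    unanswered = defaultdict(deque)      # user -> timestamps of denied/timed-out prompts
    flagged = set()                      # users already alerted for the current burst
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = unanswered[user]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                  # slide the window forward
        if len(q) < threshold:
            flagged.discard(user)        # burst has decayed; allow a fresh alert later
        if ev["event"] in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"user": user, "severity": "medium", "type": "push_fatigue",
                               "count": len(q), "ts": ts.isoformat()})
        elif ev["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"user": user, "severity": "high", "type": "fatigue_approval",
                           "count": len(q), "ts": ts.isoformat(), "ip": ev["ip"]})
    return alerts


class PushRateLimiter:
    """Allow at most max_pushes prompts per user per window; further login attempts
    get no push (fail closed) until the window slides, so a bomber cannot fire 100."""

    def __init__(self, max_pushes=3, window_seconds=300):
        self.max_pushes = max_pushes
        self.window = window_seconds
        self.sent = defaultdict(deque)

    def allow(self, user, ts):
        q = self.sent[user]
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(ts)
        return True


def replay_with_limiter(events, limiter):
    """Replay push_sent events through the limiter; count what it would have allowed."""
    counts = {"allowed": 0, "suppressed": 0}
    for ev in events:
        if ev["event"] == "push_sent":
            counts["allowed" if limiter.allow(ev["user"], ev["ts"]) else "suppressed"] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_push_fatigue(evs):
        print(alert)
    print(replay_with_limiter(evs, PushRateLimiter()))
```

On the sample, alice trips the medium alert on her fourth unanswered prompt and the high alert when the approval follows, while bob's single approved prompt stays silent; the limiter would have let only three of alice's five prompts reach her phone in that five-minute window. In production the high-severity alert is the trigger for the password reset and session clearing described under "Force it", and the limiter's thresholds should be tuned against your own login baseline so normal retries are not suppressed.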