Critical Control: Deploy Advanced User Account Protection

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!

This week, we'll discuss how to make sure your SMB clients have secure accounts and passwords. We discuss the various types of multi-factor authentication, the dangers of password reuse, and how to use password managers to protect sensitive account information.

In the discussion about Strategy, we mentioned that 95% of all intrusions start with email phishing attacks. There are two general ways that attackers use email-based attacks to break into companies, and the 4th and 5th controls of this guide cover how to protect businesses from each of these "attack vectors." One of the most common ways we see attackers get access to user accounts is a phishing email that leads the victim to a website that looks just like a site they log into, such as their online email system (e.g. Office365, Google, or similar), bank account, or other web-based application. Once the user enters their credentials (username and password) into the bogus site, the attacker redirects them to a fake error page, and the user is left to ponder what happened. Meanwhile, the attacker springs into action, logging into the real account to steal data, add mail-forwarding and deletion rules, and carry out other malicious activity.

This is just one example of how account compromise occurs. The lesson remains the same: account information can be stolen, so it requires additional protection. The most effective way to do this today is by enabling Multi-Factor Authentication (or MFA). MFA requires more than just a username and password. For example, the username/password is paired with a one-time code that is sent to the user as an SMS text message when they try to log in, or with a code that an authenticator app on their smartphone generates from a pre-shared key. That way, even if an account's username and password get compromised, the bad guys can't use them without the MFA token or passcode.
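To show what "a code generated from a pre-shared key" actually means, here is an added example (not from the original article or any vendor product) of the time-based one-time password scheme that most authenticator apps use: the server and the app share a secret at enrollment, and each 30-second window yields a six-digit code from an HMAC of the current time step. The verifier side also shows the two checks a server needs beyond recomputing the code: a small tolerance for clock skew, and rejection of any time step at or before the last one accepted, so a code that was phished or observed cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def new_enrollment_secret() -> str:
    """Generate a fresh 160-bit shared secret, Base32-encoded for the app (QR/manual entry)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the 30s time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the candidate matched, or None.

    Accepts +/- `window` steps for clock skew, compares in constant time, and
    refuses any counter <= last_counter so an already-used code cannot be replayed.
    The caller must persist the returned counter as the new last_counter.
    """
    base = int(at_time) // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference secret, a login at Unix time 59.
    shared = b"12345678901234567890"
    code = totp(shared, 59)
    first = verify_totp(shared, code, 59)          # accepted, returns counter 1
    replay = verify_totp(shared, code, 59, last_counter=first)  # same code again: None
    print(code, first, replay)
```

The sample values in the test below are the published RFC 4226/6238 test vectors for that reference secret, so the arithmetic can be checked against the standard.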

In addition to securing internet-accessible accounts with MFA wherever possible, using a password manager to keep track of multiple username and password combinations is highly recommended. Password managers usually work by having an MFA-enabled master account that users log into in order to gain access to all their other account usernames and passwords. By using a password manager, users can ensure that they are able to have strong and unique passwords for each account they have to manage, and not have to worry about forgetting the username/password combination.

Finally, password complexity should be enforced across all user accounts. Attackers use several different methods to find accounts with weak passwords and gain access to the systems those accounts protect. A good rule of thumb for setting password complexity requirements is to make sure passwords are at least 8 characters in length and include upper- and lower-case letters plus numbers or special characters.

Here are some important rules of thumb when it comes to securing user accounts:

MFA Must Be Enforced Across Cloud-Based and Remote User Accounts

One of the biggest benefits of Cloud computing is that it's accessible from anywhere that has an Internet connection; however, that also means that if an attacker gets access to your credentials, they can log in from anywhere as well! MFA stops this problem because the token or passcode can't be stolen simply by tricking users into giving up usernames and passwords. Today, there are some attacks that use automation to log into a given cloud service in real time after tricking users into entering their MFA token into a fake site; however, those types of attacks generally are rare and don't last very long once the cloud provider identifies them. The Bottom Line: any account that can be accessed from anywhere should be protected with MFA. This includes remote access accounts like VPN accounts that users can use to log into corporate networks remotely.

Use Password Managers to Reduce Account Password Reuse and Fatigue

Another common way that users get their accounts compromised is by reusing the same password across multiple accounts. If a website with their reused password gets hacked, then every account that shares that password is potentially vulnerable. Password managers help by allowing the user to have a different password for each account, letting them know which accounts have shared passwords so they can be changed, and taking the burden of having to remember lots of different passwords off of the user's shoulders. This means that security and account access/ease of use both get better because users are following good security practices and not having to bend over backwards to do so!

DO NOT ALLOW REMOTE DESKTOP PROTOCOL ACCESS FROM THE INTERNET

This is in all caps for a reason! Remote Desktop Protocol (also known as RDP) is a Microsoft remote access tool that allows users to log into their computers, or administrators to log into servers, and get their desktops as if they were sitting at the console. This very powerful tool can be attacked in many different ways, and it MUST be protected from direct Internet access, most commonly by requiring an MFA-enabled VPN connection to the corporate network before RDP can be reached. The FBI has issued warnings about how prevalent RDP-based intrusions have become, and vulnerabilities have been discovered that allow complete authentication bypass, meaning the protocol is inherently insecure and should be protected from any unauthorized access.

In summary, user account security is one of the most important parts of a proactive security strategy. Multi-factor authentication, password managers, complexity, and other risk management controls can all work together to make sure that user accounts stay secure. If you need help with implementing these controls or other cybersecurity risk management techniques, be sure to contact us so that Ingalls Information Security can help!

Join us next week when we discuss Advanced Endpoint Protection, Detection & Response, and why legacy anti-virus is having a hard time keeping up with today's malware. Thanks for reading!

Ingalls Information Security