Multi-factor authentication, when connecting to services on the internet, is similar. It's a simple matter for user credentials to become compromised through password and phishing attacks. While employees should receive security awareness training, phishing threats are becoming more sophisticated, and users may not fully understand the risk a network is exposed to if a hacker takes advantage of compromised credentials.
Rather than creating a strong passphrase (not a password) when prompted, they do only the bare minimum. Threat actors know this and will take advantage of it when they can. And if your network is connected to the internet and you're not using multi-factor authentication for logins, those threat actors can walk right in through the front door.
The need for multi-factor authentication extends beyond your immediate network, too. If your organization uses the assistance of any third-party services, they should also be using multi-factor authentication.
Here's why:
You can enforce password complexity rules, but you can't force people to use different passwords for all the third-party services used by your company. Now, imagine a threat actor has obtained a user's password by guessing it or by successfully phishing the user. They attempt to use the compromised credential to log in to your corporate network, where you have MFA installed. The first factor succeeds, but when it comes to the second factor, the malicious user cannot complete the login.
They may then take the compromised credential and try it against the third-party services your organization commonly uses until it works somewhere. So, while the threat actor might not directly gain access to your network, if you don't have MFA installed on those third-party services, they can still access sensitive data or business processes.
Another scenario that requires MFA is a segmented area of the network that holds highly sensitive data, such as a cardholder data environment (CDE). Even if multi-factor authentication is required to log in to your network, you still need to add an extra MFA layer for logging in to the CDE, even though it isn't directly connected to the internet.
This extra layer of security not only helps with compliance, it's also important for protecting the most sensitive data held by your organization. Because, while multi-factor authentication is effective if executed correctly, it's not infallible.
Consider this example:
You implement MFA for your network, teach employees to use it properly, and move on. You've got MFA installed and active for all corporate services (email, remote access, including third-party services), redirecting users to a single sign-on (SSO) authentication portal that requires MFA. You're good to go, right?
Not quite.
From an undisclosed location, a threat actor attempts to access the account of one of your new employees, who may not have paid close attention during new-hire security awareness training. This employee keeps receiving prompts on their phone from the MFA app they installed when they started working at the company.
The employee knows they're not trying to log in, but they brush it off as a technical malfunction. Eventually the employee gets tired of their phone going off, so they approve the login request from the MFA app.
And, just like that, a threat actor has entered your network, even though you've got MFA installed.
There are no guarantees in information security. While you can prepare yourself as much as possible, user error should always factor into your decision making and infrastructure. Are abundant successful logins followed by failed MFA attempts being alerted on within your security monitoring processes?
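As an added example (not code from the original post), here is one way to turn that monitoring question into detection logic: it replays constructed authentication log lines in an assumed format and flags a user whose password keeps succeeding while MFA pushes are denied or time out, and flags again when an approval follows that burst, which is exactly the fatigue scenario above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format:
# <ISO timestamp> user=<name> stage=<password|mfa> result=<ok|denied|timeout>
SAMPLE_LOG = """\
2024-03-01T08:00:05Z user=alice stage=password result=ok
2024-03-01T08:00:06Z user=alice stage=mfa result=ok
2024-03-01T21:10:01Z user=newhire stage=password result=ok
2024-03-01T21:10:02Z user=newhire stage=mfa result=denied
2024-03-01T21:10:40Z user=newhire stage=password result=ok
2024-03-01T21:10:41Z user=newhire stage=mfa result=timeout
2024-03-01T21:11:20Z user=newhire stage=password result=ok
2024-03-01T21:11:21Z user=newhire stage=mfa result=denied
2024-03-01T21:12:50Z user=newhire stage=password result=ok
2024-03-01T21:12:55Z user=newhire stage=mfa result=ok
"""

def parse_line(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["stage"], kv["result"]

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return (user, timestamp, kind) alerts: 'push_fatigue' fires once when a user with a
    good password has `threshold` MFA pushes denied or timed out inside `window`;
    'approval_after_fatigue' fires when an approval follows such a burst."""
    first_factor_ok = defaultdict(bool)  # user -> did the latest password attempt succeed?
    failures = defaultdict(list)         # user -> timestamps of recent failed MFA pushes
    fired, alerts = set(), []
    for line in log_text.splitlines():
        ts, user, stage, result = parse_line(line)
        if stage == "password":
            first_factor_ok[user] = result == "ok"
            continue
        if not first_factor_ok[user]:
            continue  # an MFA outcome without a successful first factor is not this pattern
        recent = [t for t in failures[user] if ts - t <= window]
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) >= threshold and user not in fired:
                alerts.append((user, ts, "push_fatigue"))
                fired.add(user)
        elif result == "ok" and len(recent) >= threshold:
            alerts.append((user, ts, "approval_after_fatigue"))
        failures[user] = recent
    return alerts

if __name__ == "__main__":
    for user, ts, kind in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

Tune `window` and `threshold` to your own push-notification volume; the second alert kind is the one worth paging on, since it marks the moment the attacker gets through.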
The needs of networks can vary based on the size and type of organization. Deciding how best to protect your assets and educate your employees can present unexpected and unique challenges. So, if you're looking for some guidance on how to best secure your network or implement MFA, let us know and we'd be happy to help you get started today.