A few years ago, there was a very public cyber insurance denial case. As I understand it, the business contracted with Travelers for cyber insurance. They filled out their questionnaire and stated that they had multi-factor authentication (MFA) everywhere. The policy was issued. The business had a cyber breach. They submitted a claim. The post-mortem analysis apparently found that the business had their MFA configured to "fail open." This means that if the MFA client on a server or workstation could not "phone home" to reach the authentication service and validate the user's code, it would simply turn MFA "off" rather than deny users access to their computers.
Amazingly, early default implementations of Cisco DUO MFA were configured to do this!
The attackers quickly realized the weakness. They started creating conditions where the MFA client on the server or endpoint under attack could not reach the cloud-based authentication server, in hopes it would simply shut itself off. If the attacker had already obtained the passwords, they easily took over the device.
I was involved in a breach in the region last Christmas weekend. Because the Huntress and SentinelOne SOCs responded so quickly to the attack, I was literally remoted inside the network with the attackers all around me. It was a crazy time.
In that brief encounter, I saw that the attacker purposefully launched an attack to selectively disrupt that district's internet access and intentionally test all the servers to see if any of them were configured to "fail open."
Do you know what happens if you deny internet access to your servers or workstations that are configured with MFA? Do you know what happens when you try to go into Safe Mode on an MFA-protected server or workstation?
If you don't, you must figure that out and remedy any "fail open" situation.
Here are a couple of closing thoughts:
- Never misrepresent your actual security status on any of those cyber insurance questionnaires. If you don't have something but believe you will soon, the only defensible answer is "you don't have it." You can write a side note, but in so many cases, we find that "we will have it soon" ends up as wishful thinking.
- Ensure you know your MFA won't just turn itself off if your system is denied internet.
- In the case of Cisco DUO MFA, we can easily force all endpoints to fail closed via a simple Group Policy regardless of how and when the client was installed.
- Over and over again, VPN and MFA misconfigurations are the number one source of entry into the network. You need a continual process to check and re-check the configurations of these items to prevent human mistakes that open you to an easy attack.
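As an added illustration of the second and third points above (not the author's code, and not Duo's own tooling), the following PowerShell audits a set of Windows hosts for the fail-open setting and enforces fail-closed through a Group Policy registry value. It assumes Duo Authentication for Windows Logon keeps the setting as the DWORD value `FailOpen` (1 = fail open, 0 = fail closed) under `HKLM\SOFTWARE\Duo Security\DuoCredProv`; confirm the key, value name and installer default against current Duo documentation for your client version. The GPO name, host names and OU distinguished name are placeholders.

```powershell
# Added example (not the author's or Duo's own code). Assumption: Duo for Windows
# Logon stores its fail-open behaviour as DWORD FailOpen (1 = open, 0 = closed)
# under HKLM:\SOFTWARE\Duo Security\DuoCredProv. Verify against Duo's docs.

$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoFailOpenStatus {
    # Audit one or more hosts and report whether Duo would switch MFA off
    # when it cannot reach the Duo cloud service. Requires PowerShell remoting.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $DuoKey -ScriptBlock {
        param($Key)
        $r = [ordered]@{ Computer = $env:COMPUTERNAME; DuoInstalled = $false
                         FailOpen = $null; Verdict = 'DUO NOT FOUND' }
        if (Test-Path $Key) {
            $r.DuoInstalled = $true
            $value = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).FailOpen
            if ($null -eq $value) {
                # Value absent: behaviour falls back to the installer default (assumed fail open).
                $r.Verdict = 'FAIL OPEN (default, value not set) - remediate'
            } elseif ([int]$value -eq 1) {
                $r.FailOpen = $true;  $r.Verdict = 'FAIL OPEN - remediate'
            } else {
                $r.FailOpen = $false; $r.Verdict = 'fail closed'
            }
        }
        [pscustomobject]$r
    } | Select-Object Computer, DuoInstalled, FailOpen, Verdict
}

function Set-DuoFailClosedPolicy {
    # Enforce fail-closed domain-wide via a GPO registry policy. Needs the
    # GroupPolicy RSAT module and rights to create and link GPOs.
    param([string]$GpoName = 'Duo MFA - Fail Closed',   # placeholder name
          [Parameter(Mandatory)][string]$TargetOU)      # placeholder OU DN

    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Duo Security\DuoCredProv' `
        -ValueName 'FailOpen' -Type DWord -Value 0 | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Usage: audit first, then enforce on the OU holding the affected machines.
Get-DuoFailOpenStatus -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
# Set-DuoFailClosedPolicy -TargetOU 'OU=Servers,DC=example,DC=local'
```

Re-run the audit after `gpupdate` on the targets; a host still reporting fail open either has not applied the policy or has a local override that needs investigating.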
If you need help sorting out my list, give us a call. We are happy to help.
-Scott Quimby, CISSP