As part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to multifactor authentication.

Download the complete Cybersecurity Perceptions Versus Reality report, also available in French.

Defenders: Importance versus Implementation

In the survey, respondents were asked about multifactor authentication (MFA), a security measure requiring that a user present at least two factors, such as “something you know” and “something you have”, before being granted access to a system. When asked, on a scale from 1 to 5, how important multifactor authentication is for the security of their organization, 93.3% said important or very important. When asked whether such a measure was implemented in their organization on their external network, 45% replied yes, 41.7% partially, and 13.3% no, as shown in Figure 1.

Figure 1 – Multi-Factor Authentication at the External Perimeter

When asked if multi-factor authentication was implemented on their internal network – a measure that could prevent an attacker who has breached a system from pivoting internally in the organization to more valuable assets – the response distribution was more conservative, as shown in Figure 2. A total of 23.3% of respondents mentioned that they fully implemented multi-factor authentication on the internal network, 40.8% partially and 35.8% said that they did not implement this security measure.
Figure 2 – Multi-Factor Authentication at the Internal Perimeter

Pentesters’ Experience

We then asked our pentesters about their perspective and experience with multifactor authentication. According to them, penetration test results show that multi-factor authentication is very effective at blocking attackers. However, such a measure must be implemented on all externally exposed services, not only the email service, which is the most common place MFA is deployed. Moreover, they stressed that a secret question is not a second factor: a password and a secret question are both based on a user’s knowledge. Each factor must come from a different authentication category: a password is something one knows, and an RSA OTP (One Time Password) number is something one has, for example.

Moreover, GoSecure pentesters were surprised that 23% of the respondents said that they implemented multi-factor authentication on the internal network, as they have rarely encountered such security measures in organizations internally. They added that even if critical services have two-factor authentication, day-to-day activities are usually unprotected, such as RDP access to servers or file share access.

Pro Tips on Multifactor Authentication

As a reference for readers, below are some pro tips related to implementing multifactor authentication on corporate networks.

  • Focus on implementing multifactor authentication on all services.
  • SMS-based multi-factor authentication is better than single-factor authentication.
    Keep in mind that for critical services that could be targeted by highly motivated attackers, SMS-based multi-factor authentication could be bypassed using a technique called SIM Swapping.
  • An affordable multi-factor authentication solution is the use of software tokens. These rely on an application on your phone or a computer that holds a secret seed, instead of relying on a physical token like an RSA key. This is one of the cases where open source solutions exist, but their management and integration are relatively complex. You might consider using a commercial solution if ease of implementation is a concern.
    Be aware that the information sent to the user to enroll the token can sometimes be reused by an attacker if the attacker gets access to it. Thus, it is important to encourage users to destroy the file or email once they have registered their software token.
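To make the software-token tip concrete, here is an added example (not GoSecure’s code) of a standard RFC 6238 TOTP software token in Python: the seed is the only secret, the app derives each code from it and the current time, and the server accepts a small clock-drift window. The enrollment URI and its seed are the RFC test vector, used here as constructed sample values; extracting the seed from the URI shows why the enrollment email or file must be destroyed once the token is registered.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample enrollment payload (the content of a typical QR code /
# enrollment email); the seed is the RFC 6238 test-vector secret in base32.
ENROLLMENT_URI = ("otpauth://totp/Example:alice@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    Constant-time comparison avoids leaking partial matches."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def seed_from_enrollment_uri(uri: str) -> str:
    """The otpauth:// URI carries the seed in clear: anyone holding the
    enrollment artifact holds the whole second factor."""
    return parse_qs(urlparse(uri).query)["secret"][0]


if __name__ == "__main__":
    seed = seed_from_enrollment_uri(ENROLLMENT_URI)
    print("code at T=59:", totp(seed, 59))            # RFC vector: 287082
    print("accepted:", verify_totp(seed, "287082", 59))
```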

Conclusion

These findings are part of the Cybersecurity Perceptions Versus Reality report, which highlights the key results of a two-year study aimed at understanding the disconnect between how defenders perceive the value of their implemented security controls and the most common attack vectors leveraged by penetration testers acting as potential attackers. The report is available in French and the microdata of the survey is available online.
