1
00:00:00,000 --> 00:00:04,440
To the first CIT Tech for Business podcast today,

2
00:00:04,440 --> 00:00:06,440
we're sitting down with Nate and Todd,

3
00:00:06,440 --> 00:00:09,440
and we're going to talk about multi-factor authentication.

4
00:00:09,440 --> 00:00:12,440
Our first acronym, we're kicking it off strong, MFA.

5
00:00:12,440 --> 00:00:14,520
Leading in you guys, first off,

6
00:00:14,520 --> 00:00:17,920
let us know a little bit about you and what is MFA?

7
00:00:17,920 --> 00:00:20,900
Thanks, Kelsey. I am Todd.

8
00:00:20,900 --> 00:00:23,560
I am CIT's Chief Operations Officer.

9
00:00:23,560 --> 00:00:26,440
I am also our Chief Information Security Officer.

10
00:00:26,440 --> 00:00:28,880
I'll let Nate introduce himself and he can kick off

11
00:00:28,880 --> 00:00:30,920
the MFA overview as well.

12
00:00:30,920 --> 00:00:32,840
Yeah. My name is Nate.

13
00:00:32,840 --> 00:00:35,920
I'm our Director of Cybersecurity here at CIT.

14
00:00:35,920 --> 00:00:40,560
Just help oversee the operational components of our department.

15
00:00:40,560 --> 00:00:43,280
Multi-factor authentication,

16
00:00:43,280 --> 00:00:46,200
also known as two-factor authentication,

17
00:00:46,200 --> 00:00:56,120
is really, at the core, basically another form of authentication.

18
00:00:56,120 --> 00:00:58,200
There's multiple variants to this,

19
00:00:58,200 --> 00:01:01,800
but essentially it's a mix of something that you have,

20
00:01:01,800 --> 00:01:05,040
something you know, and something that you are.

21
00:01:05,040 --> 00:01:10,000
As long as you have two of the three of those to log into a system,

22
00:01:10,000 --> 00:01:13,360
that's what multi-factor or two-factor authentication is.

23
00:01:13,360 --> 00:01:17,240
What does that look like? For something that you know,

24
00:01:17,240 --> 00:01:22,960
it's likely going to be like a password or something like a PIN code,

25
00:01:22,960 --> 00:01:25,040
then there's something that you are,

26
00:01:25,040 --> 00:01:27,680
that's something that's going to be like biometrics.

27
00:01:27,680 --> 00:01:31,800
For example, in order to log into some computers,

28
00:01:31,800 --> 00:01:37,800
you need to touch your fingerprint or you see things on some of those crime shows

29
00:01:37,800 --> 00:01:41,200
where they're doing the iris scanning to get into the secure facilities.

30
00:01:41,200 --> 00:01:43,160
That's something that you are.

31
00:01:43,160 --> 00:01:44,760
Then there's something that you have,

32
00:01:44,760 --> 00:01:52,600
and this is where this is most common in business due to privacy concerns with the biometrics and everything.

33
00:01:52,600 --> 00:01:57,160
But something you have is something that's going to look like

34
00:01:57,160 --> 00:02:03,120
either your cell phone, in order to do a push notification to it,

35
00:02:03,120 --> 00:02:08,520
or it's going to be something that could be a USB that you have to plug in.

36
00:02:08,520 --> 00:02:16,920
I have in front of me a hardware token where, in order to log in after I put in my password,

37
00:02:16,920 --> 00:02:18,560
I plug this into my computer,

38
00:02:18,560 --> 00:02:23,680
I touch it and it just activates and sends off another code.

39
00:02:23,680 --> 00:02:25,480
That's another form.

40
00:02:25,480 --> 00:02:31,400
Then they even have ones, I have another little hardware token in front of me,

41
00:02:31,400 --> 00:02:33,080
which looks like a little credit card.

42
00:02:33,080 --> 00:02:35,680
This is something where it has a little battery in it.

43
00:02:35,680 --> 00:02:38,360
I click on it, it generates a six-digit code.

44
00:02:38,360 --> 00:02:41,080
Then from there, I enter in that code as well.

45
00:02:41,080 --> 00:02:47,080
So I've put in both my password and a code from something that is in my possession.

46
00:02:47,080 --> 00:02:51,160
So that's what multi-factor is in general.

47
00:02:51,160 --> 00:02:58,600
Where is it used is a whole different discussion and I'll let Todd take that over.

48
00:02:58,600 --> 00:03:02,960
I want to back up just here before we went too far into where we use it.

49
00:03:02,960 --> 00:03:05,240
It's been around for decades.

50
00:03:05,240 --> 00:03:06,960
It's not a new technology.

51
00:03:06,960 --> 00:03:10,000
People have been using it for banking where you

52
00:03:10,000 --> 00:03:12,200
get a text message or something along those lines.

53
00:03:12,200 --> 00:03:14,360
That's typically referred to as 2FA.

54
00:03:14,360 --> 00:03:19,280
But the reason why I interrupted Nate is I just wanted to back up and say,

55
00:03:19,280 --> 00:03:23,080
why do we use it? The biggest reason that typically comes up and

56
00:03:23,080 --> 00:03:25,440
everybody here can expand on it.

57
00:03:25,440 --> 00:03:29,640
But what ends up happening is that people typically have issues with passwords.

58
00:03:29,640 --> 00:03:31,920
Passwords are painful, they're difficult to remember,

59
00:03:31,920 --> 00:03:34,400
so people tend to make them easy to remember.

60
00:03:34,400 --> 00:03:38,400
That's your phone number, your childhood

61
00:03:38,400 --> 00:03:40,400
best friend, whatever it is, your pet.

62
00:03:40,400 --> 00:03:44,040
What makes matters worse is that people then use that password everywhere.

63
00:03:44,040 --> 00:03:46,240
If you're looking at social media or LinkedIn,

64
00:03:46,240 --> 00:03:50,240
your work email and accounts, etc., more often than not,

65
00:03:50,240 --> 00:03:53,520
most people tend to reuse it over and over again.

66
00:03:53,520 --> 00:03:58,040
Inherently, what ends up happening is if something ever happens and it could be

67
00:03:58,040 --> 00:03:59,960
anything from if you're in the Twin Cities,

68
00:03:59,960 --> 00:04:01,640
there was a Star Tribune hack.

69
00:04:01,640 --> 00:04:07,640
There was also a hack that happened on the meters in downtown Minneapolis where they

70
00:04:07,640 --> 00:04:11,440
were able to take account names and passwords and post that

71
00:04:11,440 --> 00:04:13,760
onto what's referred to as the dark web.

72
00:04:13,760 --> 00:04:18,800
Once that's been out there, if you've ever had that information harvested from you,

73
00:04:18,800 --> 00:04:20,080
it's now out in the wild.

74
00:04:20,080 --> 00:04:21,320
So how do you protect it?

75
00:04:21,320 --> 00:04:23,520
That's where multi-factor comes in.

76
00:04:23,520 --> 00:04:26,200
So just want to make sure we covered that piece real briefly so

77
00:04:26,200 --> 00:04:30,120
we've got that whole picture of what it is, where it came from, why we're worried about it.

78
00:04:30,120 --> 00:04:33,560
The answer is passwords are bad, people hate them.

79
00:04:33,560 --> 00:04:35,960
We could get into that a little bit later on.

80
00:04:35,960 --> 00:04:36,920
What can we do about it?

81
00:04:36,920 --> 00:04:39,440
Can we rely more on biometrics at some point in the future?

82
00:04:39,440 --> 00:04:44,160
But it's a little bit off topic of where we're at at the moment.

83
00:04:44,160 --> 00:04:50,480
Where most people will try to implement a multi-factor authentication tool set is on

84
00:04:50,480 --> 00:04:53,200
anything that's quote unquote internet facing.

85
00:04:53,200 --> 00:04:56,800
More often than not, one of the larger threats that we're seeing in our business,

86
00:04:56,800 --> 00:05:01,000
and this has been true for years, we've been kind of banging the drum on multi-factor for

87
00:05:01,000 --> 00:05:03,000
about five years at least.

88
00:05:03,000 --> 00:05:06,480
And that's how I've been at CIT, so you can kind of see a correlation there.

89
00:05:06,480 --> 00:05:10,240
But email is probably the biggest.

90
00:05:10,240 --> 00:05:14,120
So Microsoft has done a really nice job of pushing everybody to the cloud.

91
00:05:14,120 --> 00:05:16,840
Google's doing the same, they're huge providers.

92
00:05:16,840 --> 00:05:21,360
Once people move their email to the cloud, some of the inherent security that was in

93
00:05:21,360 --> 00:05:25,520
having email inside an organization started to be exposed to the internet.

94
00:05:25,520 --> 00:05:28,800
And typically most people were signing in with an email address,

95
00:05:28,800 --> 00:05:33,360
which is more often than not, first name, last name, first letter, last name, or vice versa.

96
00:05:33,360 --> 00:05:38,080
And then at the company, so that part's super easy to figure out, and then you just start

97
00:05:38,080 --> 00:05:39,520
going down the list, right?

98
00:05:39,520 --> 00:05:44,160
It's winter 2022 exclamation point and so on, and I'm in.

99
00:05:44,160 --> 00:05:47,440
So in order to protect that, that's where multi-factor is coming along.

100
00:05:47,440 --> 00:05:51,280
Yeah, quick, quick stat that comes to mind.

101
00:05:51,280 --> 00:05:56,800
So this is all the way back in 2019, but Microsoft did push out an article.

102
00:05:56,800 --> 00:06:01,560
I'm sure that the numbers have only increased since then, just given the nature that people

103
00:06:01,560 --> 00:06:03,640
continue to move to the cloud.

104
00:06:03,640 --> 00:06:11,840
But back in 2019, Microsoft put out an article that said their login services for their, sorry,

105
00:06:11,840 --> 00:06:20,480
their cloud services have attempted logins over 300 million times a day that were fraudulent.

106
00:06:20,480 --> 00:06:26,640
And so the article is saying, if you implement multi-factor authentication on the accounts,

107
00:06:26,640 --> 00:06:32,080
it reduces the risk of account compromise by 99.9%.

108
00:06:32,080 --> 00:06:33,080
Right?

109
00:06:33,080 --> 00:06:38,640
There's a couple of different attacks that people are going to take to try

110
00:06:38,640 --> 00:06:40,760
and get to your account.

111
00:06:40,760 --> 00:06:46,920
Phishing, you know, we've talked about phishing here at CIT many, many times, but phishing,

112
00:06:46,920 --> 00:06:52,280
for those that don't have the full understanding of that, is when an attacker will send you a fraudulent

113
00:06:52,280 --> 00:06:57,420
email attempting to elicit your username and password, and then they'll use that to

114
00:06:57,420 --> 00:06:59,360
log into your account.

115
00:06:59,360 --> 00:07:03,880
So it's a fraudulent way of capturing your credentials.

116
00:07:03,880 --> 00:07:05,360
That's one method.

117
00:07:05,360 --> 00:07:10,880
One of the other common methods, which for example, Todd had mentioned is password reuse.

118
00:07:10,880 --> 00:07:14,840
If there's a compromise on one account, you reuse the same password and it's leaked out

119
00:07:14,840 --> 00:07:16,360
on the dark web.

120
00:07:16,360 --> 00:07:20,780
You take that and go attempt to log into other services with that.

121
00:07:20,780 --> 00:07:24,240
And then the last one is just what they call password spraying.

122
00:07:24,240 --> 00:07:29,440
So you just, or password stuffing, you just attempt to push as many passwords as possible

123
00:07:29,440 --> 00:07:32,280
for a particular user until one is successful.

124
00:07:32,280 --> 00:07:33,280
Right?

125
00:07:33,280 --> 00:07:40,400
And by having the multi-factor, all of those methods are defeated.

126
00:07:40,400 --> 00:07:43,840
There are some considerations to take into play, which we can get into a little bit later

127
00:07:43,840 --> 00:07:44,840
too.

128
00:07:44,840 --> 00:07:51,080
But for the majority, if you just implement multi-factor, you reduce about 99.9% of all

129
00:07:51,080 --> 00:07:53,520
attempts to log into the system fraudulently.

130
00:07:53,520 --> 00:07:57,400
So you kind of mentioned that already about the statistics.

131
00:07:57,400 --> 00:08:02,600
Do you have a rough idea of what number of attacks are coming from email?

132
00:08:02,600 --> 00:08:07,440
So we can use our own examples of what we're seeing most of our customers suffer from.

133
00:08:07,440 --> 00:08:10,920
Does it typically end up being what, in the world of cybersecurity,

134
00:08:10,920 --> 00:08:13,480
they refer to as business email compromise?

135
00:08:13,480 --> 00:08:18,640
Do you have a sense in how many attacks we see coming in through email specifically?

136
00:08:18,640 --> 00:08:23,120
Thousands.

137
00:08:23,120 --> 00:08:27,680
Even if we take a look at CIT systems, if I pull up any given day, there's hundreds

138
00:08:27,680 --> 00:08:28,680
of them.

139
00:08:28,680 --> 00:08:29,760
Right?

140
00:08:29,760 --> 00:08:33,560
It's just the simple fact of the password spraying is real.

141
00:08:33,560 --> 00:08:34,560
Right?

142
00:08:34,560 --> 00:08:36,080
Everyone has our email addresses.

143
00:08:36,080 --> 00:08:44,520
It's either in someone's database dump, right, because, for example, if we continue to push

144
00:08:44,520 --> 00:08:51,640
on things like the Star Tribune or the Minneapolis parking that was compromised, right, and they

145
00:08:51,640 --> 00:08:56,560
had the email addresses, if you have ever used your work account for that, it's floating

146
00:08:56,560 --> 00:08:57,560
out there.

147
00:08:57,560 --> 00:08:58,560
It's on a list.

148
00:08:58,560 --> 00:09:01,760
People are just going to attempt it with all the common passwords.

149
00:09:01,760 --> 00:09:06,920
There's some big password lists out there that are known to be highly effective because

150
00:09:06,920 --> 00:09:11,880
people tend to just pick bad passwords across the board.

151
00:09:11,880 --> 00:09:18,120
Yeah, it's hundreds of times a day for any organization, even if you're small.

152
00:09:18,120 --> 00:09:19,120
Yeah.

153
00:09:19,120 --> 00:09:20,120
I think that's great.

154
00:09:20,120 --> 00:09:21,120
It's a great key.

155
00:09:21,120 --> 00:09:25,280
Once upon a time, we used to talk about organization size, and people used to say,

156
00:09:25,280 --> 00:09:27,920
hey, I'm way too small to be attacked.

157
00:09:27,920 --> 00:09:29,160
That really isn't the case anymore.

158
00:09:29,160 --> 00:09:34,120
Statistically, it's something along the lines of 56, 60% of all attacks happen against small

159
00:09:34,120 --> 00:09:36,320
businesses, and the reason is because it's easy.

160
00:09:36,320 --> 00:09:41,760
They don't always have the wherewithal, the technical ability to understand what they should

161
00:09:41,760 --> 00:09:43,880
be doing, and so on and so forth.

162
00:09:43,880 --> 00:09:47,240
The attacks are real, and it does impact everybody.

163
00:09:47,240 --> 00:09:49,920
I'm sure people see it even happening at home.

164
00:09:49,920 --> 00:09:53,160
I get stuff from PayPal and Apple, and you name it.

165
00:09:53,160 --> 00:09:56,400
I get attacked all the time that I need to click on something or reset something all

166
00:09:56,400 --> 00:09:57,400
the time.

167
00:09:57,400 --> 00:10:03,240
Staying on statistics, the reason why I asked Nate about the percent of attacks is, I think

168
00:10:03,240 --> 00:10:07,400
it's still somewhere in the high 90s of all attacks that are coming in tend to be phishing,

169
00:10:07,400 --> 00:10:09,920
and that's somewhere in the high 90s.

170
00:10:09,920 --> 00:10:17,720
As he mentioned, if you can protect services and your identity with 99.9%, that's significant,

171
00:10:17,720 --> 00:10:21,280
and the number one tool being MFA, there are some statistics.

172
00:10:21,280 --> 00:10:24,560
We can share this out too.

173
00:10:24,560 --> 00:10:27,760
For those that are listening, we'll be able to see this, but we can share it in the channel,

174
00:10:27,760 --> 00:10:30,800
and if you're interested, we can find ways to get you the information as well.

175
00:10:30,800 --> 00:10:36,040
But the United National Cybersecurity Chief said that 80 to 90% of all attacks,

176
00:10:36,040 --> 00:10:41,360
not just email, all attacks can be circumvented by having multi-factor in.

177
00:10:41,360 --> 00:10:44,040
How we started out this meeting is, what is it?

178
00:10:44,040 --> 00:10:46,480
What's the threat, and what are you doing about it?

179
00:10:46,480 --> 00:10:50,520
Ultimately, that's why we keep talking about multi-factor authentication.

180
00:10:50,520 --> 00:10:53,640
One last statistic in case you're wondering, well, sure, this has been something you've

181
00:10:53,640 --> 00:10:55,920
talked about for years.

182
00:10:55,920 --> 00:10:57,360
We've got it.

183
00:10:57,360 --> 00:11:05,920
Statistically, 55% of all organizations have multi-factor enabled, only 55%, so only

184
00:11:05,920 --> 00:11:07,440
half.

185
00:11:07,440 --> 00:11:12,160
Even in those cases, a lot of times people are very picky and choosy on how they do it,

186
00:11:12,160 --> 00:11:17,160
so they may only do it with their tech team, or they may only do it with their administrators.

187
00:11:17,160 --> 00:11:21,680
Small number of organizations, I shouldn't say small, because half is a significant number,

188
00:11:21,680 --> 00:11:23,520
but half still don't have it.

189
00:11:23,520 --> 00:11:28,240
It's a major problem, and it is still where we see most attacks coming from and can be

190
00:11:28,240 --> 00:11:30,880
circumvented by putting multi-factor in place.

191
00:11:30,880 --> 00:11:34,440
So, Todd and Nate, I have a question about that.

192
00:11:34,440 --> 00:11:38,720
You mentioned that there's over half organizations that don't have that.

193
00:11:38,720 --> 00:11:40,200
Why do you think that is?

194
00:11:40,200 --> 00:11:45,160
What barriers are they looking at to be like, I don't have time to do MFA.

195
00:11:45,160 --> 00:11:50,280
Talk a little bit more as to why that's the case.

196
00:11:50,280 --> 00:11:51,960
I think that, right?

197
00:11:51,960 --> 00:11:55,280
Your question answered one of them: they don't see that they have time to implement

198
00:11:55,280 --> 00:11:56,280
it.

199
00:11:56,280 --> 00:11:57,280
Right?

200
00:11:57,280 --> 00:12:02,000
Often, these are slightly lengthier engagements.

201
00:12:02,000 --> 00:12:06,920
It doesn't need to be complicated, but the more time you put into ensuring that it's

202
00:12:06,920 --> 00:12:11,600
a smooth process, the smoother the adoption is going to be.

203
00:12:11,600 --> 00:12:15,200
It's easy to just go into a system and say, everyone has it on.

204
00:12:15,200 --> 00:12:20,480
That's where your user friction is going to come into play, and absolutely everyone is

205
00:12:20,480 --> 00:12:26,360
going to be upset that day as they are trying to sign into things.

206
00:12:26,360 --> 00:12:32,960
User adoption is one of those items that you need to be pretty cognizant of when you're

207
00:12:32,960 --> 00:12:34,460
implementing it.

208
00:12:34,460 --> 00:12:37,600
There's also some additional strategies that you need to take in order to actually implement

209
00:12:37,600 --> 00:12:39,440
it successfully.

210
00:12:39,440 --> 00:12:44,120
For example, if the user friction is, I don't want to put this code in every single time

211
00:12:44,120 --> 00:12:45,960
I'm logging in.

212
00:12:45,960 --> 00:12:53,440
You can do things to say, well, maybe let's bypass multi-factor from within the office.

213
00:12:53,440 --> 00:13:01,680
There is some residual risk there that maybe the organization is willing to accept because

214
00:13:01,680 --> 00:13:06,040
for the most part, if someone does have the password and they are attempting to log in,

215
00:13:06,040 --> 00:13:08,960
it will likely come from outside of the office.

216
00:13:08,960 --> 00:13:13,040
That doesn't mean that maybe that user's computer is compromised and there's some type of script

217
00:13:13,040 --> 00:13:15,880
that calls in from internally.

218
00:13:15,880 --> 00:13:20,760
But again, the likelihood is significantly reduced.

219
00:13:20,760 --> 00:13:25,640
If your employees are constantly working from the office, you could still bypass multi-factor.

220
00:13:25,640 --> 00:13:34,000
The larger you put that bypass, maybe it's the state, the country, the bigger the risk

221
00:13:34,000 --> 00:13:36,680
becomes.

222
00:13:36,680 --> 00:13:39,120
But there are strategies that you can implement with that.

223
00:13:39,120 --> 00:13:43,320
I'd say the other one is cost.

224
00:13:43,320 --> 00:13:47,480
There's a lot of different multi-factor solutions out on the market.

225
00:13:47,480 --> 00:13:53,040
If you're only looking at doing something like email, all of the major email providers

226
00:13:53,040 --> 00:13:56,960
now are offering it for free.

227
00:13:56,960 --> 00:14:00,920
You can implement it in Office 365, G Suite.

228
00:14:00,920 --> 00:14:03,760
There's no additional cost.

229
00:14:03,760 --> 00:14:08,640
If you're looking to use some type of third-party service, then you're going to start seeing

230
00:14:08,640 --> 00:14:18,960
those licensing costs for more of a per user cost there.

231
00:14:18,960 --> 00:14:25,560
The other component that I would say is how far do you want to implement multi-factor across

232
00:14:25,560 --> 00:14:27,680
the organization?

233
00:14:27,680 --> 00:14:31,600
Todd mentioned that the most common one that's going to be abused is going to be your email

234
00:14:31,600 --> 00:14:34,080
system.

235
00:14:34,080 --> 00:14:35,480
Start there.

236
00:14:35,480 --> 00:14:40,760
Then you can start looking at other services as well, such as your VPN, critical business

237
00:14:40,760 --> 00:14:42,320
applications.

238
00:14:42,320 --> 00:14:47,600
Once you start wanting to implement multi-factor on those additional systems, that's where

239
00:14:47,600 --> 00:14:53,680
some of the paid services come into play because they do extend out to additional services

240
00:14:53,680 --> 00:14:57,520
and different protocols.

241
00:14:57,520 --> 00:14:59,920
User friction costs.

242
00:14:59,920 --> 00:15:08,360
Maybe the other big one that I'll let Todd expand on a little bit more is executive buy-in.

243
00:15:08,360 --> 00:15:12,720
I would say the two things that I would say by far are the biggest thing that I see as

244
00:15:12,720 --> 00:15:17,240
resistance is more often than not, when you go through it, you are going to put a little

245
00:15:17,240 --> 00:15:22,600
bit of friction in between your employees and them getting work done.

246
00:15:22,600 --> 00:15:27,080
The typical pushback that you will get back from that employee is, I'm holding up my

247
00:15:27,080 --> 00:15:28,080
phone.

248
00:15:28,080 --> 00:15:29,920
The company doesn't pay for it.

249
00:15:29,920 --> 00:15:33,880
I'm not putting your business application on my phone.

250
00:15:33,880 --> 00:15:40,000
The reality is, there are ways to start to build the adoption.

251
00:15:40,000 --> 00:15:43,320
You can be a little forceful with it and you say, okay, great, well, we're just going

252
00:15:43,320 --> 00:15:44,880
to give you a token.

253
00:15:44,880 --> 00:15:47,760
We're going to give you a business phone.

254
00:15:47,760 --> 00:15:51,440
Bear with me when I walk through some of this because I'm not actually encouraging you to

255
00:15:51,440 --> 00:15:53,680
go out and buy 100 phones.

256
00:15:53,680 --> 00:15:58,040
When you start to go, hey, employee, I'm going to give you a phone and they've got the

257
00:15:58,040 --> 00:15:59,040
phone.

258
00:15:59,040 --> 00:16:03,120
They're going to be like, I don't want two phones just to avoid putting in the six digit

259
00:16:03,120 --> 00:16:04,960
code and they'll usually adopt it.

260
00:16:04,960 --> 00:16:07,120
Or you give them a token and they're like, this is inconvenient.

261
00:16:07,120 --> 00:16:09,280
I have to make sure I have it with me.

262
00:16:09,280 --> 00:16:12,800
When I'm logging in from home, I got to go grab my keys because it's on my key chain,

263
00:16:12,800 --> 00:16:14,680
whatever the case may be.

264
00:16:14,680 --> 00:16:17,080
That's usually where they're kind of pushing back.

265
00:16:17,080 --> 00:16:20,200
Then inevitably what ends up happening is you go, okay, well, here's a solution.

266
00:16:20,200 --> 00:16:21,200
Here's a solution.

267
00:16:21,200 --> 00:16:22,200
Here's a solution.

268
00:16:22,200 --> 00:16:25,720
They're like, the reality is it's so convenient to just have it on my phone that I carry with

269
00:16:25,720 --> 00:16:27,120
me everywhere anyway.

270
00:16:27,120 --> 00:16:29,360
I'll just go ahead and do it.

271
00:16:29,360 --> 00:16:32,720
The reality is it's not really all that complex.

272
00:16:32,720 --> 00:16:34,120
It's not a heavyweight thing.

273
00:16:34,120 --> 00:16:36,640
It's not dipping into any of your personal information.

274
00:16:36,640 --> 00:16:39,240
It's just an app and it's only doing a couple of things.

275
00:16:39,240 --> 00:16:43,720
It's either generating a six digit code or longer or it's pushing you with content that

276
00:16:43,720 --> 00:16:45,640
says, is this you?

277
00:16:45,640 --> 00:16:49,160
Nate's correct when it comes to executive adoption.

278
00:16:49,160 --> 00:16:50,160
It is inconvenient.

279
00:16:50,160 --> 00:16:53,000
A lot of people don't want to be bothered by it.

280
00:16:53,000 --> 00:16:58,240
I'll give a good example and as I said, multi-factor has been around for ages.

281
00:16:58,240 --> 00:17:02,560
Back many, many years ago, early 2000s, I had joined an organization and the very first

282
00:17:02,560 --> 00:17:06,640
thing I did was our remote connections is really insecure.

283
00:17:06,640 --> 00:17:11,760
Let's implement multi-factor and I implemented it and it probably lasted about a month before

284
00:17:11,760 --> 00:17:15,640
the CEO said, I can't stand it, turn it off.

285
00:17:15,640 --> 00:17:20,000
The security threats weren't nearly what they are today, but I learned a lot during that

286
00:17:20,000 --> 00:17:22,600
time too.

287
00:17:22,600 --> 00:17:27,040
One of the strategies or several of the strategies Nate covered already is you start small, you

288
00:17:27,040 --> 00:17:30,880
start going, well, let's start with a small group that are my power users.

289
00:17:30,880 --> 00:17:34,360
Maybe it's IT and then you get a few other people that go, okay, it's working.

290
00:17:34,360 --> 00:17:39,760
It really isn't that bad and you start to expand it or you lessen some of the security

291
00:17:39,760 --> 00:17:40,760
requirements.

292
00:17:40,760 --> 00:17:43,000
As Nate said, you can make an area trusted.

293
00:17:43,000 --> 00:17:44,000
It's work.

294
00:17:44,000 --> 00:17:45,000
Work is trusted.

295
00:17:45,000 --> 00:17:46,720
I've got the adoption in.

296
00:17:46,720 --> 00:17:49,480
People are getting used to the fact that when I'm at work, I don't get prompted when I'm

297
00:17:49,480 --> 00:17:50,480
at home.

298
00:17:50,480 --> 00:17:51,480
I do.

299
00:17:51,480 --> 00:17:52,480
Okay.

300
00:17:52,480 --> 00:17:54,480
We're going to ratchet it up a little bit.

301
00:17:54,480 --> 00:17:55,480
We're going to add another location.

302
00:17:55,480 --> 00:17:57,120
We're going to add another application.

303
00:17:57,120 --> 00:17:58,440
We're going to whatever.

304
00:17:58,440 --> 00:18:05,520
You can continue to build on the security and you can get that buy-in just naturally.

305
00:18:05,520 --> 00:18:09,400
Probably many people have heard the term and I don't mean this in a derogatory way.

306
00:18:09,400 --> 00:18:13,720
It's a bit of the boiled frog scenario: as you start to do it, they realize it really

307
00:18:13,720 --> 00:18:15,280
isn't that bad.

308
00:18:15,280 --> 00:18:19,520
Not that we're trying to boil our employees, but conceptually, you just do it a little

309
00:18:19,520 --> 00:18:24,560
bit at a time and you're improving your security as you go.

310
00:18:24,560 --> 00:18:27,640
One last user friction that I wanted to call out.

311
00:18:27,640 --> 00:18:35,360
It's not as common, but it does come up from time to time, and that is union policies.

312
00:18:35,360 --> 00:18:42,040
If you want to have an employee start downloading an application on their phone or start carrying

313
00:18:42,040 --> 00:18:48,400
around a phone just for phone calls and stuff, sometimes union policies will say, well, you

314
00:18:48,400 --> 00:18:51,280
need to start reimbursing the employees for that.

315
00:18:51,280 --> 00:18:52,960
There is a cost associated with that.

316
00:18:52,960 --> 00:18:59,080
So that definitely feeds into some of the other considerations that sometimes where

317
00:18:59,080 --> 00:19:02,160
hardware tokens come into play.

318
00:19:02,160 --> 00:19:06,640
It's maybe a $20 hardware token.

319
00:19:06,640 --> 00:19:07,640
That's one time cost.

320
00:19:07,640 --> 00:19:09,160
It's not reoccurring.

321
00:19:09,160 --> 00:19:16,320
You can still implement multi-factor without having to start reimbursing for cell phones

322
00:19:16,320 --> 00:19:18,920
or paying for the phones outright.

323
00:19:18,920 --> 00:19:25,440
It's one that I don't commonly hear, but on more of the production environments, I'm

324
00:19:25,440 --> 00:19:31,160
not going to get deep into compliance here, but things like CMMC, it's starting to ask

325
00:19:31,160 --> 00:19:32,160
for multi-factor.

326
00:19:32,160 --> 00:19:39,160
CMMC tends to be a lot of the manufacturing firms where there's a lot of union employees.

327
00:19:39,160 --> 00:19:43,440
I'll expand on the compliance piece too.

328
00:19:43,440 --> 00:19:46,240
There's a lot coming.

329
00:19:46,240 --> 00:19:51,240
If you're in any compliance industry, healthcare finance, you name it as Nate mentioned, manufacturing,

330
00:19:51,240 --> 00:19:53,600
it's going to be something that you're probably already experiencing.

331
00:19:53,600 --> 00:19:57,760
As I mentioned, you've been being prompted for an additional code from your bank for

332
00:19:57,760 --> 00:20:01,040
days, for weeks, months, years, whatever the case may be.

333
00:20:01,040 --> 00:20:02,400
It is coming.

334
00:20:02,400 --> 00:20:05,240
This is just me expanding a little bit.

335
00:20:05,240 --> 00:20:10,680
My opinion, compliance is coming and it's going to be expanding over the next five years.

336
00:20:10,680 --> 00:20:15,200
There are going to be reasons why you're going to have to adopt something like this.

337
00:20:15,200 --> 00:20:19,920
If the threat of cyber attacks isn't enough, there are going to be other things.

338
00:20:19,920 --> 00:20:21,400
You can already see it's happening.

339
00:20:21,400 --> 00:20:23,080
This is why I'm saying it.

340
00:20:23,080 --> 00:20:28,440
If you look over the last year, the Biden administration had come out and said the cyber

341
00:20:28,440 --> 00:20:30,440
attacks are getting worse and worse.

342
00:20:30,440 --> 00:20:31,760
We're spending tons of money.

343
00:20:31,760 --> 00:20:33,320
We're constantly under attack.

344
00:20:33,320 --> 00:20:35,000
What are we going to do about it?

345
00:20:35,000 --> 00:20:40,800
They built out an executive order and they specifically say, yeah, got to have MFA.

346
00:20:40,800 --> 00:20:44,760
If that's not enough, the insurance companies are doing it too.

347
00:20:44,760 --> 00:20:49,160
If you're looking at cybersecurity insurance and almost everybody's asking for it at this

348
00:20:49,160 --> 00:20:54,240
point, they're going to be looking for it as well.

349
00:20:54,240 --> 00:20:58,680
As I'm going down this compliance thing, I'll wrap this up briefly and I'll pass it back

350
00:20:58,680 --> 00:20:59,680
to Nate.

351
00:20:59,680 --> 00:21:03,360
As you're looking at the compliance thing, I was actually working with one of our customers

352
00:21:03,360 --> 00:21:08,600
and they were going through the insurance process and they don't have any of the compliance

353
00:21:08,600 --> 00:21:11,880
from CMMC, healthcare, any of that.

354
00:21:11,880 --> 00:21:17,160
The insurance organization had come in and they did what I would consider pretty much

355
00:21:17,160 --> 00:21:22,040
a full IT audit where they were looking at data diagrams.

356
00:21:22,040 --> 00:21:23,640
They're looking at security protocols.

357
00:21:23,640 --> 00:21:24,640
I mean, it was everything.

358
00:21:24,640 --> 00:21:30,240
I actually went on site and met with the insurance adjuster just to make sure that we covered

359
00:21:30,240 --> 00:21:32,520
all the information that we needed to cover.

360
00:21:32,520 --> 00:21:33,520
It was significant.

361
00:21:33,520 --> 00:21:37,320
It took an hour and obviously MFA is included in that.

362
00:21:37,320 --> 00:21:41,280
It's the way life insurance used to be, where with life insurance you could just sign on the

363
00:21:41,280 --> 00:21:45,480
dotted line, off you went, you got a whole bunch of coverage, and that's changed over the years

364
00:21:45,480 --> 00:21:46,480
too.

365
00:21:46,480 --> 00:21:50,400
The underwriting is going, now I need blood work and I need to weigh you and I need health

366
00:21:50,400 --> 00:21:54,120
background and family history and yada yada.

367
00:21:54,120 --> 00:21:56,760
It's just going to get worse is where I was going with it.

368
00:21:56,760 --> 00:21:58,920
Like I said, I was going to wrap that up quickly and I didn't.

369
00:21:58,920 --> 00:22:01,840
I'll stop talking and pass it back to Nate.

370
00:22:01,840 --> 00:22:08,560
I can interrupt for just a hot second as we've gone down the compliance path and all of these

371
00:22:08,560 --> 00:22:09,560
good things.

372
00:22:09,560 --> 00:22:12,640
I'm kind of looking at, right, if you're having user friction and you're having people that

373
00:22:12,640 --> 00:22:13,760
are like, I don't want to do it.

374
00:22:13,760 --> 00:22:15,440
I don't want to have this code pushed to my phone.

375
00:22:15,440 --> 00:22:16,960
It's too much work.

376
00:22:16,960 --> 00:22:19,840
Why is it effective at actually preventing these attacks?

377
00:22:19,840 --> 00:22:21,720
What is it doing for me?

378
00:22:21,720 --> 00:22:22,720
I'm like, yeah, I get it.

379
00:22:22,720 --> 00:22:23,720
I get the phone.

380
00:22:23,720 --> 00:22:24,720
I put it in and congratulations.

381
00:22:24,720 --> 00:22:28,280
So we're saying, yeah, it's 99 or over 99% effective.

382
00:22:28,280 --> 00:22:29,280
Why?

383
00:22:29,280 --> 00:22:30,280
Yeah.

384
00:22:30,280 --> 00:22:32,280
Good question there.

385
00:22:32,280 --> 00:22:39,400
Before I jump into that, while Todd was talking, I decided to go look at our, I don't know,

386
00:22:39,400 --> 00:22:45,440
system here just to see how many of those password spraying attempts I saw in our system.

387
00:22:45,440 --> 00:22:48,760
In the last 24 hours, it was just shy of 200 attempts.

388
00:22:48,760 --> 00:22:50,480
I can see the logs.

389
00:22:50,480 --> 00:22:53,160
So again, we're not a big company by any means.

390
00:22:53,160 --> 00:22:56,560
It happens all the time.

391
00:22:56,560 --> 00:22:58,160
Why is it so effective?

392
00:22:58,160 --> 00:23:05,880
As I just called out, there's nearly 200 attempts in the last 24 hours to password spray our

393
00:23:05,880 --> 00:23:08,040
environment there.

394
00:23:08,040 --> 00:23:13,760
The reason why it's so effective is even if a password is compromised, the threat actor

395
00:23:13,760 --> 00:23:20,560
is not going to have the other form of multi-factor or the other form, the second form or the

396
00:23:20,560 --> 00:23:24,440
third form of multi-factor in order to get into the system.

397
00:23:24,440 --> 00:23:31,280
So password, I've shown this to people before, is I say, here's a dummy account in like a

398
00:23:31,280 --> 00:23:33,360
Gmail or something, right?

399
00:23:33,360 --> 00:23:34,360
Here's the password.

400
00:23:34,360 --> 00:23:38,440
I'll give you a hundred bucks if you can get into that because I have the multi-factor

401
00:23:38,440 --> 00:23:41,160
keys here.

402
00:23:41,160 --> 00:23:42,160
It just doesn't happen.

403
00:23:42,160 --> 00:23:48,280
I've never paid someone out because they would have to retrieve that file from me or

404
00:23:48,280 --> 00:23:51,640
that hardware token from me in order to get into place.

405
00:23:51,640 --> 00:24:00,960
So where we typically see multi-factor fail is not the technology in itself.

406
00:24:00,960 --> 00:24:02,480
It's still the user.

407
00:24:02,480 --> 00:24:09,240
So there are websites that will try and capture the multi-factor token and pass it through

408
00:24:09,240 --> 00:24:11,680
to the legitimate site and then redirect the user.

409
00:24:11,680 --> 00:24:19,160
So they'll still log in, but it's the user who has fallen for a fraudulent website, still

410
00:24:19,160 --> 00:24:24,720
entered in their password and given up the multi-factor code, gave both of them to

411
00:24:24,720 --> 00:24:29,240
the attacker, then the attacker just goes logs in.

412
00:24:29,240 --> 00:24:34,080
And there is a timing on these tokens where maybe they're good for five minutes, maybe

413
00:24:34,080 --> 00:24:35,680
they're good for 15 minutes.

414
00:24:35,680 --> 00:24:41,320
It allows for users to have a grace period to access their phone sitting on the desk,

415
00:24:41,320 --> 00:24:44,080
access the email, access the text message.

416
00:24:44,080 --> 00:24:47,720
So if you give it up right away and then you hand it over to someone immediately, they're

417
00:24:47,720 --> 00:24:50,320
going to use it first, right?

418
00:24:50,320 --> 00:24:56,280
I just worked with another organization where their multi-factor was a phone call, right?

419
00:24:56,280 --> 00:25:00,240
So this was actually a pretty common attack method at the moment.

420
00:25:00,240 --> 00:25:03,600
It's called MFA bombing.

421
00:25:03,600 --> 00:25:09,080
So what you do is you just bug the user enough until they just say, I can't take it anymore,

422
00:25:09,080 --> 00:25:10,720
accept the phone call.

423
00:25:10,720 --> 00:25:15,720
And that was the phone call that was the MFA prompt and the attacker just logs in, right?

424
00:25:15,720 --> 00:25:23,640
So in the instance that I was looking at with that other customer, it was: the attacker tried to

425
00:25:23,640 --> 00:25:27,440
log in, was prompted with a six-digit code.

426
00:25:27,440 --> 00:25:28,760
They weren't able to get that.

427
00:25:28,760 --> 00:25:34,440
So then they switched over to the backstop, which was a phone call, sent the user a phone

428
00:25:34,440 --> 00:25:35,440
call.

429
00:25:35,440 --> 00:25:37,360
It failed because the user didn't accept it.

430
00:25:37,360 --> 00:25:39,720
30 seconds later, sent another one.

431
00:25:39,720 --> 00:25:40,720
It failed.

432
00:25:40,720 --> 00:25:41,720
Sent the next one.

433
00:25:41,720 --> 00:25:43,920
The user said, I'm sick of this call.

434
00:25:43,920 --> 00:25:44,920
Accept.

435
00:25:44,920 --> 00:25:46,480
And the attacker logged in.

436
00:25:46,480 --> 00:25:48,720
So another one I'll throw in.

437
00:25:48,720 --> 00:25:50,360
We don't see this as often.

438
00:25:50,360 --> 00:25:53,960
And the end point of this is you still need training when you deploy the tool.

439
00:25:53,960 --> 00:25:57,680
But we have seen people that have deployed the push technology.

440
00:25:57,680 --> 00:26:02,640
So that is, I log in and you get a push to your phone that says, was this really you?

441
00:26:02,640 --> 00:26:06,040
We have had people that have been attacked where someone was like, yeah, I just logged

442
00:26:06,040 --> 00:26:10,360
in and they've allowed the attacker in, even though they didn't personally sign in.

443
00:26:10,360 --> 00:26:13,920
So there is kind of a training aspect that goes with it.

444
00:26:13,920 --> 00:26:15,880
One last thing that I kind of wanted to dive into.

445
00:26:15,880 --> 00:26:18,560
I know we talked about the threats and the attacks and whatnot.

446
00:26:18,560 --> 00:26:22,760
But as we're wrapping this up, I just kind of wanted to kind of re-illustrate some of

447
00:26:22,760 --> 00:26:24,280
the real concerns.

448
00:26:24,280 --> 00:26:26,760
And ultimately, we talked about compliance.

449
00:26:26,760 --> 00:26:28,120
We talked about the threats.

450
00:26:28,120 --> 00:26:29,880
We talked about all of that stuff.

451
00:26:29,880 --> 00:26:33,400
The reality is the reason behind that is because of the cost.

452
00:26:33,400 --> 00:26:36,040
And the cost is built up from a lot of different things.

453
00:26:36,040 --> 00:26:37,520
It's from the ransomware.

454
00:26:37,520 --> 00:26:40,400
If you get attacked by ransomware, ransomware is more often than not.

455
00:26:40,400 --> 00:26:44,120
They start nowadays, they start around a million dollars and they start to get talked down

456
00:26:44,120 --> 00:26:45,120
to something real.

457
00:26:45,120 --> 00:26:50,840
It includes downtime, it includes unprotected employees, et cetera.

458
00:26:50,840 --> 00:26:54,400
Looking statistically, the last time I looked at it, we were somewhere on average.

459
00:26:54,400 --> 00:26:59,320
So that's average across all SMB market, not you're a bigger company, you get bigger ransomware,

460
00:26:59,320 --> 00:27:00,320
et cetera.

461
00:27:00,320 --> 00:27:01,920
It's about $500,000.

462
00:27:01,920 --> 00:27:04,360
Downtime, about two weeks.

463
00:27:04,360 --> 00:27:06,880
So that's fairly significant.

464
00:27:06,880 --> 00:27:14,360
And if I can deploy something like MFA and protect 90% to 99.9%, it's something you really

465
00:27:14,360 --> 00:27:22,320
got to start to consider and go, boy, I can reduce my risk by $500,000 in a given year.

466
00:27:22,320 --> 00:27:26,400
That's probably something for a little bit of friction, a little bit of build up.

467
00:27:26,400 --> 00:27:27,960
We can find a way to move forward.

468
00:27:27,960 --> 00:27:31,120
It's a good way to start looking at it and thinking about it and go, where do we go from

469
00:27:31,120 --> 00:27:32,120
here?

470
00:27:32,120 --> 00:27:33,120
Yeah.

471
00:27:33,120 --> 00:27:39,800
And the one thing that I'd add to that is the cost is going to be dependent on the application

472
00:27:39,800 --> 00:27:43,920
or system that the threat actor is obtaining access to.

473
00:27:43,920 --> 00:27:49,840
So Todd was mentioning ransomware, that could have been multi-factor on a VPN, for example.

474
00:27:49,840 --> 00:27:54,240
Someone had a compromised password, attacker gets into the VPN.

475
00:27:54,240 --> 00:28:00,040
Most companies don't have a dedicated demilitarized zone, or DMZ, for VPN users.

476
00:28:00,040 --> 00:28:04,080
They just say, once you pass through, you have full access to the network.

477
00:28:04,080 --> 00:28:06,800
That's where those ransomware costs are going to come into play.

478
00:28:06,800 --> 00:28:13,120
It could be something like your email system, someone's in there just obtaining data.

479
00:28:13,120 --> 00:28:15,640
It's a fraudulent wire transfer that they're trying to set up.

480
00:28:15,640 --> 00:28:17,240
Whatever that number is, it could be 10,000.

481
00:28:17,240 --> 00:28:22,920
It could be, I've dealt with the ones that are $500,000 wire transfers.

482
00:28:22,920 --> 00:28:30,960
It's just a matter of what are they accessing, what are the costs, and whatever the remediation

483
00:28:30,960 --> 00:28:36,800
costs are, I promise it's less, sorry, I promise that it's far more than the cost of implementing

484
00:28:36,800 --> 00:28:39,200
multi-factor at the end of the day.

485
00:28:39,200 --> 00:28:44,200
Yeah, so kind of as a last thought from me, and he can jump in on this too if he's

486
00:28:44,200 --> 00:28:48,400
got any, but the last thing I have is we did talk about sometimes there's friction, sometimes

487
00:28:48,400 --> 00:28:53,120
there's a technical hurdle, if you will, because there are ways to go about it.

488
00:28:53,120 --> 00:28:55,000
There's paid solutions, et cetera.

489
00:28:55,000 --> 00:28:57,200
Obviously if you need help, reach out to your trusted partners.

490
00:28:57,200 --> 00:28:58,600
There's a lot of help out there.

491
00:28:58,600 --> 00:29:01,720
Of course, you can go do your Google searches as well.

492
00:29:01,720 --> 00:29:05,040
In the end, when you need help, reach out to those that you trust and you can get some

493
00:29:05,040 --> 00:29:06,640
good support from.

494
00:29:06,640 --> 00:29:14,960
Yeah, I guess my final closing thought is everyone's scared of user friction, but in

495
00:29:14,960 --> 00:29:24,240
almost every case, it ends up being more of a concern that doesn't always come to fruition.

496
00:29:24,240 --> 00:29:29,240
The impact is actually fairly minimal if you implement it correctly.

497
00:29:29,240 --> 00:29:38,320
So a lot of those concerns are unfortunately just not fully grounded based on facts, just

498
00:29:38,320 --> 00:29:39,320
feelings.

499
00:29:39,320 --> 00:29:40,320
Awesome.

500
00:29:40,320 --> 00:29:46,200
Thank you so much, Todd and Nate for sitting down and chatting about MFA and all of the

501
00:29:46,200 --> 00:29:48,160
things that we could go into.

502
00:29:48,160 --> 00:29:51,840
I'm sure that you guys would love to chat with anybody for an extended period of time

503
00:29:51,840 --> 00:29:55,160
about any of this that we could tangent on a lot of things.

504
00:29:55,160 --> 00:29:59,720
That wraps up our first Tech for Business podcast here today.

505
00:29:59,720 --> 00:30:05,960
If you guys have more questions that you want to ask Todd and Nate, feel free to reach out

506
00:30:05,960 --> 00:30:13,120
to info@cit-net.com or give us a call at 651-255-5780, or else we're also online at www.cit-net.com,

507
00:30:13,120 --> 00:30:16,920
but that's our little marketing spiel on there that they're here to answer your questions

508
00:30:16,920 --> 00:30:20,960
at any time about any cybersecurity needs or technology for business and we will chat

509
00:30:20,960 --> 00:30:27,960
with you guys next week.

