Blog

Get the inside scoop with LoginTC and learn about relevant security news and insights.

MFA Assessments Unpacked Part 2: Preparing Your MFA Assessment

March 21, 2023Victoria Savage

mfa assessments prepare

MFA Assessments Part 2

In Part 1 of our series MFA Assessments Unpacked, we discussed what an MFA assessment is, and why you should do one.

Today we’re going to break down the first two critical steps in conducting an assessment of your organization’s MFA implementation. These steps are part of the preparatory stage of an MFA assessment. Following these steps will allow you to catalog all the assets in your inventory, and determine who has access to them.

While these steps don’t relate specifically to MFA, they’re needed in order to ensure no part of your network is overlooked.

Let’s dive in!

MFA Assessment Step 1: Identify your digital assets

The first thing you should do before delving into your company’s MFA usage is to take stock of what your digital assets are in the first place.

mfa assessment step 1 identify assets

Here are some different areas you’ll want to consider:

Remote Access Services

Remote access encompasses many different digital assets. You should know whether users on your network are able to remotely access VPNs and firewalls, company devices, email servers, web services, and more.

Make a list of all the remotely accessible assets you have in your network.

Privileged Access

Privileged users, such as IT administrator accounts that can perform upgrades, install programs, change server settings, and other high-level functions in your network, should be closely examined in your assessment.

Administrator accounts are often the first targets cyber criminals will attack because they will grant them the most significant amount of access in one shot.

Whether you use Privileged Access Management (PAM) software to manage these administrator accounts or other means of credential management, you should feel confident about how many of those accounts exist and who has access to them.

Back-ups

Do you know where your company stores its backup data? Ensuring that back-ups are segmented outside of your regular network, and protected strongly, is critical to ensuring business continuity. Even if hackers gain access to your network, you can use your segmented backup data to get up and running without needing to pay a ransom.

Local Devices

It’s a common misconception that if you aren’t logging in remotely, you don’t need to worry, but cybercriminals can also gain access to your local machines and wreak havoc. Make sure you have an inventory of all of your company’s devices and who has access to them.

MFA Assessment Step 2: Determine which users have access

Once you’ve cataloged all the relevant digital assets you want to protect, the next step is to assess which users can access those things.

mfa assessments step 2 determine access

A simple way to do this may be to group your users into categories, such as privileged users, regular users, and contractors, consultants, or other third party users.

If you use Active Directory or a similar method of organizing your users, you may have your own groupings within your organization. This should help you easily identify who has access to what software, devices, or applications, and what their permissions are.

Once you have your groups, determine which is accessing the assets you identified in the previous step. You may find that a group of users has access to a part of your network that perhaps they don’t need, or don’t use all that often. Reducing the possible attack surface of your digital assets is a great first step to reducing your possible risk.

If you need any help with preparing your MFA assessment, reach out to us or book a consultation call.

Up next: Conducting your MFA Assessment

Tune in next time to learn about the next two steps in our MFA Assessments process: Verifying MFA usage and finding authentication types. These steps will form the meat of your MFA assessment and help you determine the two most critical things about your MFA implementation: how comprehensive it is, and how strong it is.

Start your free trial today. No credit card required.

Sign up and Go