March 21, 2023
In Part 1 of our series MFA Assessments Unpacked, we discussed what an MFA assessment is, and why you should do one.
Today we’re going to break down the first two critical steps in conducting an assessment of your organization’s MFA implementation. These steps are part of the preparatory stage of an MFA assessment. Following these steps will allow you to catalog all the assets in your inventory, and determine who has access to them.
While these steps don’t relate specifically to MFA, they’re needed in order to ensure no part of your network is overlooked.
Let’s dive in!
The first thing you should do before delving into your company’s MFA usage is to take stock of what your digital assets are in the first place.
Here are some different areas you’ll want to consider:
Remote access encompasses many different digital assets. You should know whether users on your network are able to remotely access VPNs and firewalls, company devices, email servers, web services, and more.
Make a list of all the remotely accessible assets you have in your network.
Privileged users, such as IT administrator accounts that can perform upgrades, install programs, change server settings, and other high-level functions in your network, should be closely examined in your assessment.
Administrator accounts are often the first targets cybercriminals attack, because compromising one grants the greatest amount of access in a single step.
Whether you use Privileged Access Management (PAM) software to manage these administrator accounts or other means of credential management, you should feel confident about how many of those accounts exist and who has access to them.
Do you know where your company stores its backup data? Ensuring that backups are segmented outside of your regular network, and strongly protected, is critical to business continuity. Even if attackers gain access to your network, you can use your segmented backup data to get up and running again without needing to pay a ransom.
It’s a common misconception that if you aren’t logging in remotely, you don’t need to worry, but cybercriminals can also gain access to your local machines and wreak havoc. Make sure you have an inventory of all of your company’s devices and who has access to them.
Once you’ve cataloged all the relevant digital assets you want to protect, the next step is to assess which users can access those things.
A simple way to do this is to group your users into categories, such as privileged users, regular users, and contractors, consultants, or other third-party users.
If you use Active Directory or a similar method of organizing your users, you may have your own groupings within your organization. This should help you easily identify who has access to what software, devices, or applications, and what their permissions are.
Once you have your groups, determine which of them are accessing the assets you identified in the previous step. You may find that a group of users has access to a part of your network that they don't need, or don't use all that often. Reducing the attack surface of your digital assets is a great first step toward reducing your risk.
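As an added example (not LoginTC's code or part of its assessment process), the script below cross-references a constructed asset inventory from step 1 with constructed group memberships from step 2 to produce a who-can-reach-what matrix, and flags the cases the article calls out: backup data reachable by non-privileged users, and third-party access that should be re-confirmed. All asset names, groups, and users are made up.

```python
from collections import defaultdict

# Constructed asset inventory (step 1): asset -> kind and the groups granted access.
ASSETS = {
    "vpn-gateway":     {"kind": "remote-access", "groups": {"Domain Users", "Contractors"}},
    "mail-server":     {"kind": "remote-access", "groups": {"Domain Users"}},
    "backup-vault":    {"kind": "backup",        "groups": {"IT Admins", "Contractors"}},
    "dc01":            {"kind": "server",        "groups": {"IT Admins"}},
    "finance-laptops": {"kind": "device",        "groups": {"Finance"}},
}

# Constructed user directory (step 2): user -> group memberships, as a directory
# service such as Active Directory would report them.
USERS = {
    "alice": {"Domain Users", "IT Admins"},
    "bob":   {"Domain Users", "Finance"},
    "carol": {"Contractors"},
}

def category_of(groups):
    """Map a user's groups onto the article's categories (assumed group names)."""
    if "IT Admins" in groups:
        return "privileged"
    if "Contractors" in groups:
        return "third-party"
    return "regular"

def access_matrix(assets=ASSETS, users=USERS):
    """Return {asset: {user, ...}} for every user whose groups grant access."""
    matrix = defaultdict(set)
    for asset, info in assets.items():
        for user, groups in users.items():
            if groups & info["groups"]:
                matrix[asset].add(user)
    return dict(matrix)

def review_findings(assets=ASSETS, users=USERS):
    """Flag backup assets reachable by non-privileged users, and any
    third-party access, for follow-up during the assessment."""
    findings = []
    for asset, who in access_matrix(assets, users).items():
        kind = assets[asset]["kind"]
        for user in sorted(who):
            cat = category_of(users[user])
            if kind == "backup" and cat != "privileged":
                findings.append((asset, user, f"{cat} user can reach backup data"))
            elif cat == "third-party":
                findings.append((asset, user, "third-party access; confirm it is still needed"))
    return findings

if __name__ == "__main__":
    for asset, who in access_matrix().items():
        print(f"{asset}: {', '.join(sorted(who))}")
    for finding in review_findings():
        print("FINDING:", *finding)
```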
If you need any help with preparing your MFA assessment, reach out to us or book a consultation call.
Tune in next time to learn about the next two steps in our MFA Assessments process: Verifying MFA usage and finding authentication types. These steps will form the meat of your MFA assessment and help you determine the two most critical things about your MFA implementation: how comprehensive it is, and how strong it is.