CISA demystifies phishing-resistant MFA – Cybersecurity Dive
The “gold standard” safeguard isn’t a one-size-fits-all or all-or-nothing endeavor. For most organizations, a phased approach works best.
Phishing-resistant multifactor authentication isn’t just the strongest form of MFA — it’s “the gold standard for MFA,” according to the Cybersecurity and Infrastructure Security Agency.
The federal agency this week published a fact sheet to clarify its definition of phishing-resistant MFA and provide guidance and prioritization schemes for organizations to implement the safeguards in logical phases. 
Three key recommendations from CISA:
FIDO standards and the WebAuthn protocol are the only widely available phishing-resistant forms of MFA, according to CISA. The protocol and standard, both developed by the FIDO Alliance, can work together to bolster MFA.
The WebAuthn protocol, developed in tandem with FIDO2 standards, is supported in browsers, operating systems and smartphones. It works with the FIDO2 standard to facilitate a phishing-resistant authenticator that can come in the form of physical tokens, such as a USB device, or components embedded in laptops or mobile devices.
FIDO2 authentication can also occur via biometrics or an asymmetric pair of private and public keys.
CISA encourages organizations to identify systems in their infrastructure that don’t support MFA and develop a plan to upgrade or migrate to systems that do.
The agency acknowledges MFA implementations can be challenging and encourages IT leaders to prioritize their organization’s adoption of phishing-resistant MFA in phases.
Start with the resources that are most valuable and most often targeted by threat actors, including email systems, file servers and remote access systems that provide access to corporate data.
Organizations should also prioritize the implementation of phishing-resistant MFA for high-value targets, such as executives or other employees who have additional access or privileges, which are especially valuable to threat actors, according to CISA.
“If a cyberthreat actor can compromise the account of a system administrator, they may be able to access any system and any data in the organization,” the agency said in the guidance. 
Attorneys and human resources staff might also have access to personnel records, and that access should be accounted for in prioritization schemes.
While some products may not support the phishing-resistant MFA safeguards, CISA advises organizations to first focus on services, such as hosted mail platforms, that do support them.
Larger organizations will find it difficult and impractical to train, enroll and support all users at once, so it’s best to roll out phishing-resistant MFA in phases, according to CISA. Businesses will also encounter resistance from some employees who find MFA a nuisance, so it’s important that security leaders explain the risks and how phishing-resistant MFA can bolster defenses.
CISA urges all organizations to implement phishing-resistant MFA and has multiple resources available online to help guide IT teams through the process.