Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 7: Multifactor Authentication

The Essential 8 Maturity Model is a set of baseline cyber security measures for Australian organisations developed by the Australian Cyber Security Centre (ACSC). This article forms part of our Essential 8 series and goes into detail on Mitigation Strategy 7: Multifactor Authentication. Read on to learn how you can implement Mitigation Strategy 7: Multifactor Authentication at every Essential 8 Maturity Level within your organisation.

What is Multifactor Authentication?

Passwords, love them or hate them. Longer passwords, more complex passwords, passphrases instead of passwords, more passwords, and the promise of going passwordless. Everyone knows security is getting more difficult, and identity management is vital within a zero-trust network architecture. Passwords may not be the answer in the future, but unfortunately, they are still the answer today.

Passwords alone are not enough. Passwords only provide one layer of defence to your identity, something you know. Sadly, passwords are reused frequently, and sometimes personal and organisational passwords are mixed, increasing the risk of passwords being breached and granting access to your identity. If those credentials are for a privileged account, the damage a bad actor can do is extensive.

Multifactor authentication (MFA) adds another layer of authentication to your identity with something you have. For example, cybercriminals may brute force or phish your password, but they do not have your phone, token or security key. So even if your credentials have been compromised, adversaries still need to get past the second factor before they can use them.

However, not all MFA is equal, and you need to pick what works best for your organisation. App-based MFA (push notifications or one-time codes from an authenticator app) is the most popular for convenience and ease of use. FIDO2 hardware security keys such as YubiKeys are stronger because the private key never leaves the device and the credential is bound to the site it was registered with, at the cost of some user-friendliness; note that touching the key proves a person is present, it is not a biometric factor. Windows Hello for Business, where a fingerprint, face or PIN (something you are or know) unlocks a key held in the device's TPM (something you have), trades the portable key for one bound to the device and is a good alternative.

Of course, nothing is perfect; MFA can still be bypassed. Adversary-in-the-middle phishing pages that mirror the real login screen capture the password and the one-time code or push approval and relay them to the real service in real time. Push-notification "MFA fatigue" (prompt bombing), the technique used in the 2022 Uber breach, bombards a user with prompts until they approve one they did not initiate. And session tokens or cookies can be stolen after the MFA step has completed, so the attacker never has to pass it at all.

That’s not to say it isn’t effective. Microsoft has reported that accounts with MFA enabled are more than 99.9% less likely to be compromised, and Google’s research found that on-device prompts stopped 100% of automated bot attacks and 99% of bulk phishing attacks. The ACSC also recognises the importance and effectiveness of MFA, hence Mitigation Strategy 7: Multifactor Authentication.

If you haven’t already, get your MFA sorted! It’s a quick win.

 

Why is Multifactor Authentication important?

To understand why multifactor authentication is essential, we must empathise with our users on how and why they use authentication.

👩‍💼Business users

  • I have too many passwords and can’t remember them all
  • I write down my passwords and store them in other documents or on paper
  • I keep having to update my passwords, so it’s hard to remember them
  • I reuse passwords regularly so I can remember them
  • I don’t want to keep going to IT to reset my password
  • I just want to log in and get on with my work
  • Password security should be managed by IT
  • IT is never easy to reach
  • I sometimes use MFA for other services, but only because it was required

✅Risk managers

  • We need to protect our credentials, especially privileged credentials to lower the risk of compromise
  • If it protects against more than 99.9% of account compromises, we should definitely implement it

👩‍💻IT users

  • Not all existing servers, services or hardware allow for MFA
  • We use strong passwords already
  • We share passwords between admins
  • We store server passwords in Excel spreadsheets

😈Threat actors

  • I want to obtain organisation credentials
  • Ideally, I want to get my hands on privileged credentials but understand I might have to work my way up from other accounts
  • I know passwords are a hassle and are reused so I use many technical and social engineering techniques to crack passwords
  • I want to find the easiest way into organisations

 

Maturity Level 1: Multifactor Authentication

Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.

 

Internet-facing services, including your Microsoft 365 login, remote access gateways (VPN, remote desktop) and webmail, must have MFA switched on. Simple as that.

 

At Maturity Level 1, Essential 8 does not specify which authentication methods are used. The only requirement is that two different factors are used. If you are planning on achieving Maturity Level 2 or Maturity Level 3, choose stronger MFA methods now so you do not have to re-enrol users later.

 

Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.

 

There are many solutions out there that are ‘as a Service’ now, from IaaS, PaaS and SaaS to RaaS (ransomware as a service). So it is likely your organisation is using some of these services, hopefully not RaaS, though.

Most services today let you enable MFA at no extra cost. Wherever a third-party service holds your organisation’s sensitive data, MFA must be switched on.

However, some services see MFA as an enterprise upsell and charge extra for it, and some providers do not offer it at all. If a service has no MFA of its own but supports single sign-on (SAML or OpenID Connect), federate it with your identity provider so that your provider’s MFA policy applies; this also simplifies your IAM. Otherwise, you will have to push the vendor for MFA or look for another provider.

Your sensitive data is important and poses a significant risk. MFA must be implemented.

Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.

This requirement is the same as the above but covers non-sensitive data. 

For non-sensitive data, Essential 8 is more lenient on MFA requirements as the impact of losing data is less.

If your provider does not offer MFA, think twice about using their services, as MFA has become common today.

Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

 

If external users log in to use your organisation’s services, such as online banking, myGov or e-commerce platforms, you should have MFA enabled by default. Enabling it by default is an effective way to raise adoption: most users keep the default, and opting out takes a deliberate step.

 

Maturity Level 2: Multifactor Authentication

Multi-factor authentication is used to authenticate privileged users of systems.

 

As mentioned in Mitigation Strategy 5: Restrict Privileged Accounts, these accounts are very powerful and must be protected. 

What better way to protect authentication of your most important accounts than to add MFA to them. Given MFA's effectiveness, I'm surprised this requirement is not at Maturity Level 1.

Review the systems your privileged users authenticate to, both on-premises and remote (domain controllers, hypervisors, jump hosts, cloud consoles and any PAM tooling), check that they support MFA, and enable it.

Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

 

At Maturity Level 2, Essential 8 is stricter about the authentication factors. MFA must be either something users have and something users know, or something users have that is unlocked by something users know or are. Let’s break this down.

Something users have, and something users know. Think of your password plus a one-time code from an authenticator app, or a push approval, on your phone.

  •  Something users know – a secret only you know, typically your password or a PIN.
  •  Something users have – a physical object in your possession (a phone, hardware token or smart card) together with a way for the service to verify you hold it, such as a one-time code derived from a secret stored on the device or a signature from a key that only that device holds.

Something users have that is unlocked by something users know or are. Think of a FIDO2 security key or smart card that only signs once you enter its PIN, or Windows Hello for Business, where a fingerprint, face or PIN unlocks a key held in the device’s TPM.

  •  Something users have – the key, card or device, as above
  •  Something users know – the PIN or password that unlocks it
  •  Something users are – a biometric (fingerprint, face, iris) checked locally on the device

Biometrics on their own are not accepted as a factor at Maturity Level 2. Biometric matching is probabilistic rather than deterministic, a biometric cannot be revoked or replaced if it is copied, and it can be spoofed. That is why Essential 8 only lets a biometric unlock something you have rather than stand in for it.

Essential 8 understands that remote, on-premises and third-party services do not all have the same MFA features, so the method may differ across services. However, whichever method each service uses must be one of the two combinations above.

Review your MFA across your services and make sure each one uses either something users have and something users know, or something users have that is unlocked by something users know or are.

Successful and unsuccessful multi-factor authentication events are logged.

 

Logging is a common theme in Essential 8. At Maturity Level 2, you need to log every successful and unsuccessful MFA event: who, when, which service, which method, the outcome and the source address. Logs do not need to be centralised until Maturity Level 3, but collecting them centrally now saves work later.

 

Maturity Level 3: Multifactor Authentication

Multi-factor authentication is used to authenticate users accessing important data repositories.

 

Essential 8 requires that access to all important data repositories requires MFA. Your organisation defines what counts as important (file shares, databases, document management systems, code repositories, backups), and you should consider both on-premises and cloud environments when doing so.

Identify all your essential data repositories and enable MFA if you haven't already.

Assessors will be looking at how access is granted to these data repositories, specifically the use of MFA.

Multi-factor authentication is verifier impersonation resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

 

Essential 8 recognises that not all MFA is equal and at Maturity Level 3 requires a stricter implementation of MFA.

At Maturity Level 3, Essential 8 requires MFA to be verifier impersonation resistant. Phishing kits and adversary-in-the-middle proxies can impersonate an MFA login screen and capture the credentials, one-time codes, push approvals and session cookies that pass through it. For example, think about your M365 login screen. It is one of the most common business login screens in the world. Adversaries know this and can fake it to capture your credentials and relay your second factor in real time. SMS codes, authenticator-app codes and push notifications are not impersonation resistant, because the proof is just a number or an approval that anyone in the middle can forward to the real service.

To meet this requirement, you must use FIDO2 security keys, smart cards, or Windows Hello for Business with a Trusted Platform Module (TPM) across all your MFA logins. These resist impersonation because the credential is bound to the service it was registered with: the authenticator signs a challenge together with the origin the browser is actually on, so an assertion produced on a look-alike domain is rejected by the real service and cannot be relayed. If your provider does not support this level of authentication, you will have to find an alternative to reach Maturity Level 3.
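To make "verifier impersonation resistant" concrete, here is an added simulation (example code for this article, not a vendor implementation or a complete WebAuthn library) of the origin binding that FIDO2 security keys and Windows Hello for Business rely on. The authenticator signs over a hash of the relying party ID and over the browser-supplied origin; the real service rejects an assertion produced on a look-alike domain, and a proxy that rewrites those fields breaks the signature. `RP_ID`, the origins, and the use of HMAC in place of the authenticator's ECDSA key pair are this example's simplifications.

```python
import hashlib
import hmac
import json
import os

# Assumed relying party (the real service) and the browser origin it expects.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
# Constructed look-alike domain served by an adversary-in-the-middle proxy.
PHISH_ORIGIN = "https://login-example-com.invalid"


def rp_id_from_origin(origin: str) -> str:
    """The browser derives the effective domain from the page's real origin (simplified)."""
    return origin.split("://", 1)[1].split(":", 1)[0]


class Authenticator:
    """A security key holding one credential registered with RP_ID. `key` stands
    in for the credential's private key (real keys sign with ECDSA; HMAC keeps
    this stdlib-only). The origin is supplied by the browser, never by the page."""

    def __init__(self, key: bytes):
        self.key = key
        self.sign_count = 0

    def get_assertion(self, browser_origin: str, challenge: bytes) -> dict:
        self.sign_count += 1
        rp_id_hash = hashlib.sha256(rp_id_from_origin(browser_origin).encode()).digest()
        auth_data = rp_id_hash + b"\x01" + self.sign_count.to_bytes(4, "big")  # flags: user present
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True,
        ).encode()
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {
            "authenticatorData": auth_data,
            "clientDataJSON": client_data,
            "signature": hmac.new(self.key, to_sign, hashlib.sha256).digest(),
        }


class RelyingParty:
    """Server side of the ceremony: issues one-time challenges and verifies assertions."""

    def __init__(self, credential_key: bytes):
        self.credential_key = credential_key  # the registered public key in real WebAuthn
        self.pending = set()
        self.last_sign_count = 0

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple:
        client = json.loads(assertion["clientDataJSON"])
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        challenge = bytes.fromhex(client.get("challenge", ""))
        if challenge not in self.pending:
            return False, "unknown or replayed challenge"
        self.pending.discard(challenge)
        if client.get("origin") != EXPECTED_ORIGIN:
            return False, "origin mismatch: " + str(client.get("origin"))
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credential_key, to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= self.last_sign_count:
            return False, "sign counter did not increase (cloned credential?)"
        self.last_sign_count = count
        return True, "ok"


def run_scenarios() -> dict:
    """Genuine login, a relayed phish, and a proxy that forges the bound fields."""
    key = os.urandom(32)
    user_key, server = Authenticator(key), RelyingParty(key)

    # 1. Genuine login: the browser is on the real origin.
    legit = server.verify(user_key.get_assertion(EXPECTED_ORIGIN, server.new_challenge()))

    # 2. AitM phish: the proxy fetches a real challenge and relays it, but the
    #    victim's browser is on the look-alike domain, so that is what gets signed.
    phished = server.verify(user_key.get_assertion(PHISH_ORIGIN, server.new_challenge()))

    # 3. The proxy rewrites rpIdHash and origin to the real values before
    #    forwarding; both are covered by the signature, so the forgery fails.
    forged = user_key.get_assertion(PHISH_ORIGIN, server.new_challenge())
    forged["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + forged["authenticatorData"][32:]
    patched = json.loads(forged["clientDataJSON"])
    patched["origin"] = EXPECTED_ORIGIN
    forged["clientDataJSON"] = json.dumps(patched, sort_keys=True).encode()
    tampered = server.verify(forged)
    return {"legit": legit, "phished": phished, "tampered": tampered}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:9s} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Contrast this with a TOTP code or push approval, which carries no information about where it was entered and is therefore accepted no matter who relays it. Production verifiers additionally check the user-presence and user-verification flags, the credential ID, and the token binding or Related Origins configuration where used.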

Successful and unsuccessful multi-factor authentication events are centrally logged.

 

At Maturity Level 2, we needed to log MFA events. At Maturity Level 3, those logs must be centrally logged, typically in a SIEM or central log platform that the originating systems forward to. These logging requirements are common across all Mitigation Strategies at Maturity Level 3.

Event logs are protected from unauthorised modification and deletion.

 

Like the logs for other Essential 8 Mitigation Strategies, MFA event logs must be protected from unauthorised modification and deletion, for example by forwarding them promptly to a central store that the originating system cannot alter, with append-only retention and tightly restricted access.

Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

 

Again, combine MFA logging with the logging from your other Mitigation Strategies and have a SOC analyst monitor it for signs of compromise: bursts of denied or unanswered push prompts followed by an approval (MFA fatigue), privileged accounts signing in without MFA, new MFA methods or devices registered on an account, and authentications from unexpected locations or addresses. Contact us to chat about how CyberOxide's SOC can help you here.
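The following added example (written for this article, not a CyberOxide SOC rule or any vendor's detection content) runs two such checks over constructed MFA events: repeated denied or timed-out push prompts for one user within ten minutes, escalated if an approval follows, and a privileged account completing a sign-in without MFA. The field names, thresholds and the `PRIVILEGED_ACCOUNTS` set are assumptions to be mapped onto your own identity provider's log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (no real tenant). The field names are this example's
# own, not a vendor schema; map your IdP's sign-in log fields onto them.
SAMPLE_LOG = """
{"ts": "2024-03-04T09:00:05Z", "user": "alice", "event": "mfa_prompt", "method": "push", "result": "denied", "ip": "198.51.100.23"}
{"ts": "2024-03-04T09:01:10Z", "user": "alice", "event": "mfa_prompt", "method": "push", "result": "denied", "ip": "198.51.100.23"}
{"ts": "2024-03-04T09:02:30Z", "user": "alice", "event": "mfa_prompt", "method": "push", "result": "timeout", "ip": "198.51.100.23"}
{"ts": "2024-03-04T09:04:00Z", "user": "alice", "event": "mfa_prompt", "method": "push", "result": "approved", "ip": "198.51.100.23"}
{"ts": "2024-03-04T09:10:00Z", "user": "bob", "event": "mfa_prompt", "method": "push", "result": "denied", "ip": "192.0.2.44"}
{"ts": "2024-03-04T09:15:00Z", "user": "dave", "event": "mfa_prompt", "method": "totp", "result": "approved", "ip": "192.0.2.90"}
{"ts": "2024-03-04T09:20:00Z", "user": "adm-carol", "event": "signin", "result": "success", "mfa": false, "ip": "203.0.113.8"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "event": "mfa_prompt", "method": "push", "result": "denied", "ip": "192.0.2.44"}
"""

FATIGUE_WINDOW = timedelta(minutes=10)  # assumed tuning values; adjust to your environment
FATIGUE_THRESHOLD = 3
PRIVILEGED_ACCOUNTS = {"adm-carol"}     # constructed; source this from your admin groups or PAM tool


def parse_events(raw: str) -> list:
    """One JSON object per line, sorted by time so the sliding window is correct."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return alerts for MFA fatigue bursts and privileged sign-ins that skipped MFA."""
    alerts = []
    rejected = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts in the window
    burst_at = {}                  # user -> time a fatigue burst was flagged
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "mfa_prompt":
            window = rejected[user]
            while window and ts - window[0] > FATIGUE_WINDOW:
                window.popleft()
            if e["result"] in ("denied", "timeout"):
                window.append(ts)
                if len(window) >= FATIGUE_THRESHOLD and user not in burst_at:
                    burst_at[user] = ts
                    alerts.append({"rule": "mfa_fatigue_suspected", "severity": "medium",
                                   "user": user, "ts": ts, "prompts": len(window), "ip": e.get("ip")})
            elif e["result"] == "approved":
                # An approval shortly after a burst is the attacker getting through.
                if user in burst_at and ts - burst_at[user] <= FATIGUE_WINDOW:
                    alerts.append({"rule": "mfa_fatigue_success", "severity": "high",
                                   "user": user, "ts": ts, "ip": e.get("ip")})
                burst_at.pop(user, None)
                window.clear()
        elif (e["event"] == "signin" and e.get("result") == "success"
              and not e.get("mfa", False) and user in PRIVILEGED_ACCOUNTS):
            alerts.append({"rule": "privileged_signin_without_mfa", "severity": "high",
                           "user": user, "ts": ts, "ip": e.get("ip")})
    return alerts


def run() -> list:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert['severity']}] {alert['rule']} user={alert['user']} at={alert['ts'].isoformat()} ip={alert['ip']}")
```

The same two rules translate directly into SIEM query language; the point of the sliding window is that three denials spread over a working day are noise, while three inside ten minutes followed by an approval is an incident to triage immediately, starting with the source address on the approved prompt.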

 

Concluding Multifactor Authentication

MFA is vital today. Even your personal accounts are worth securing with it, given Microsoft’s and Google’s findings that it stops well over 99% of account compromise attempts.

While some MFA is less secure than others, Essential 8 acknowledges that having MFA is better than having no MFA.

Essential 8 also understands that adversaries are not all the same, so the required strength of MFA increases with each Maturity Level.

If you haven’t already, start implementing MFA for your on-premises, cloud and third-party systems. Protect your accounts, especially your privileged ones, with MFA today.

 

Where to Next?

Implement Multifactor Authentication in your organisation! Accelerate your Essential 8 program and reach out to a CyberOxide Specialist to help uplift and assess your Essential 8 Maturity Model Mitigation Strategy 7: Multifactor Authentication.

Continue learning about Essential 8 in the final article in the series, on Essential 8 Mitigation Strategy 8: Regular Backups.

 

Continue with our Essential 8 series

8 Essential Mitigation Strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Macros
  4. User Application Hardening
  5. Restrict Admin Privileges
  6. Patch Operating Systems
  7. Multifactor Authentication
  8. Regular Backups

Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find how we can help you.

 
