Cybersecurity Insurance & MFA

Situation

Many companies have found that the evolving threat landscape has made cybersecurity insurance desirable, and some companies even require that their suppliers have an adequate amount of cybersecurity insurance in place before doing business with them. If you are applying for cybersecurity insurance for the first time or are renewing, you will find an increased level of diligence by the insurance company.

One new requirement may be a signed “Multi-Factor Authentication Attestation” form. Here is an example of an attestation form from Travelers: https://www.travelers.com/iw-documents/apps-forms/cyberrisk/cyb-14306.pdf

First, the minimum stated objective for the MFA attestation is to battle ransomware and business email compromise. This is no surprise given the prevalence of ransomware attacks and insurance claims made:

The MFA attestation specifically references ransomware: “The controls described above and listed below are the minimum controls that must be in place in order to be eligible for a Cyber policy. Because of the importance of the controls in preventing ransomware attacks…”

Thwarting Business Email Compromise (BEC) is the objective of adding MFA for Remote Access to Email: “Requiring multi-factor authentication for remote access to email can help reduce the potential for a compromise to corporate email accounts caused by lost or stolen passwords. Without this control an intruder can easily gain access to a user’s corporate email account. Threat actors often use this access to perpetrate various cyber crime schemes against the impacted organization and its clients and customers.”

To summarize, an attestation is required that MFA is in use for:

  1. Email
  2. VPN (for remote access to the corporate network)
  3. Admin access to everything, including laptops and RDP (Remote Desktop Protocol)

in order to get insured.

Complication

The purpose of requiring MFA is to battle ransomware and business email compromise. But there is a problem. Adding traditional MFA* with an SMS code or mobile phone authenticator on top of your password may be enough to get cybersecurity insurance TODAY, but it does not actually stop credential theft which can lead to ransomware and BEC. As enterprises moved to implement MFA, hackers quickly evolved to find new ways of attacking MFA-protected systems.

For example, in “Okta Customer Data Exposed via Phishing Attack on Twilio,” the customer was using OTP as a second factor, but the account was still breached because OTP is not phishing resistant.

https://www.databreachtoday.com/okta-customer-data-exposed-via-phishing-attack-on-twilio-a-19924?rf=2022-09-03__ACQ_DBT__Slot1_ART19924&mkt_tok=MDUxLVpYSS0yMzcAAAGGouW5_Md5fzzJV2QyHB4tdIwvDfUrv02bgnmasxkNLtKHMl-uuQi1-EfL1ryvdU78G0v-9Iar9tDq_RSysgcdv8DBtezmOV3EInKjUYOWgeiqJaU

The attacks on traditional MFA can be surprisingly simple and go something like this:

  • The victim receives an email or text message about a problem with their account. The message contains a convenient link that all they need to do is click on to get to the login page.
  • The user clicks on the link, and a login page that looks exactly like the one they normally see appears on their web browser, but this site belongs to the attacker!
  • They enter their username and password and press enter.
  • Next, they are prompted to enter an OTP or press “Approve” on their mobile authenticator app.
  • At this point, the attacker has everything they need to log in to the real account on the legitimate website and just terminate the victim’s session.
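The attack flow above works because the relying party that checks an OTP sees only a six-digit string; nothing in it says which web page the user typed it into. The following Python is added here as an illustration (it is not WinMagic or MagicEndpoint code) and contrasts a toy RFC 6238 TOTP verifier with a WebAuthn-style assertion in which the browser's origin is signed into the response. RP_ORIGIN, the other origin, the credential key and the use of an HMAC as a stand-in for the authenticator's public-key signature are all constructed assumptions for the demo.

```python
"""Why a relayed OTP verifies but a relayed origin-bound assertion does not.

Toy relying party (RP) written for this article; not WinMagic/MagicEndpoint code.
HMAC stands in for the public-key signature a FIDO2/WebAuthn authenticator would
produce; the origin check is the part that gives phishing resistance.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ORIGIN = "https://login.example.com"  # the legitimate site (constructed)


# ---- Traditional MFA: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) ----
def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def rp_verify_totp(secret: bytes, submitted_code: str, now: float) -> bool:
    # The RP receives only the digits. A code captured on a look-alike page and
    # forwarded within the 30 s window verifies exactly like a genuine one.
    return hmac.compare_digest(totp(secret, now), submitted_code)


# ---- Phishing-resistant MFA: origin-bound assertion (WebAuthn-style) ----
def rp_new_challenge() -> bytes:
    # Fresh random challenge issued by the RP for one login attempt.
    return secrets.token_bytes(32)


def authenticator_sign(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    # The browser, not the user, supplies the origin it is actually on, and the
    # authenticator signs it together with the RP's challenge.
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin}
    ).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    data = assertion["client_data"]
    expected_sig = hmac.new(cred_key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False  # signed data was altered (e.g. origin field rewritten)
    parsed = json.loads(data)
    # Both the challenge and the signed origin must match this RP.
    return parsed["challenge"] == challenge.hex() and parsed["origin"] == RP_ORIGIN


def demo() -> dict:
    """Run both verifications as the RP would see them in the relay scenario."""
    otp_secret = b"12345678901234567890"  # constructed shared secret
    now = time.time()
    # The user generated a valid code and typed it into a page that was not the RP;
    # the RP still cannot tell, so the forwarded code is accepted.
    relayed_otp_ok = rp_verify_totp(otp_secret, totp(otp_secret, now), now)

    cred_key = secrets.token_bytes(32)  # constructed per-credential key
    challenge = rp_new_challenge()
    # The same challenge reaches the user's browser, but that browser is on a
    # different origin, and the signed client data says so.
    relayed = authenticator_sign(cred_key, challenge, "https://other-origin.example")
    relayed_assertion_ok = rp_verify_assertion(cred_key, challenge, relayed)

    genuine = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    genuine_assertion_ok = rp_verify_assertion(cred_key, challenge, genuine)
    return {
        "relayed_otp_accepted": relayed_otp_ok,
        "relayed_assertion_accepted": relayed_assertion_ok,
        "genuine_assertion_accepted": genuine_assertion_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The TOTP verifier accepts the forwarded code because the protocol carries no information about where the user entered it; the assertion verifier rejects the forwarded response because the browser's actual origin is part of the signed data, and rewriting that field breaks the signature. That origin binding, not the second factor by itself, is what "phishing resistant" refers to.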

To recap, adding a traditional MFA factor with a mobile phone authenticator on top of your password may be enough to get cybersecurity insurance TODAY, but it does not actually stop credential theft which can lead to ransomware and BEC. And in the future, will the insurance industry move the goal posts and require the use of phishing-resistant MFA?

I saw something like this happen recently with the US Government. In May 2021, President Biden’s “Executive Order on Improving the Nation’s Cybersecurity” mandated multi-factor authentication. At the time, it appeared that any kind of MFA would be enough to comply with the executive order.

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

In January 2022, the US Office of Management and Budget published additional zero-trust guidance, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf), in response to a growing number of attacks. Now not just any MFA will do; it has to be phishing resistant:

“MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale.

Agencies must require their users to use a phishing-resistant method to access agency hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.”

Traditional MFA may be enough to get cybersecurity insurance TODAY, but it is NOT good enough to resist phishing attacks and the resulting credential theft that can lead to ransomware and BEC, the very attacks the insurance companies are trying to protect against with the MFA requirement in the first place. As the attacks against traditional MFA grow, the insurance industry may be forced to respond with more stringent requirements, as the US government did.

Resolution

MagicEndpoint passwordless MFA is phishing resistant and can be applied to pre-boot login, Windows login, VDI login, RDP login, email, VPN access and many other remote services.

It meets today’s cyber insurance requirements for MFA and future-proofs your organization against possible evolving cyber insurance requirements for phishing-resistant MFA.

For more information, see MagicEndpoint Passwordless Authentication.


*Traditional MFA is mobile-phone based and uses SMS to receive a one-time password (OTP) code, or an app to generate the OTP code or approve a prompt pushed to the phone.
