Help Your Clients ‘Buckle Up’ With MFA And Secure By Default Configurations

This article was written by guest contributor Chris Henderson. Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security.

What do seatbelts and multifactor authentication (MFA) have in common? They’re both measures designed to keep us safe—and routinely ignored by those who find them burdensome or just plain annoying. They do so at their own peril.

The recent Ticketmaster breach is a high-profile reminder that MFA should always be enabled. Ticketmaster was breached when a threat actor used stolen credentials to log in to the company's Snowflake instance. Snowflake is a data lake technology that acts as the aggregation point for data from all the different parts of a business. Until very recently (July 9th, 2024), Snowflake did not require MFA to be enabled on any account, not even administrator accounts.

Lack of a default secure configuration is likely what led to the Ticketmaster breach. MSPs should start demanding secure default configurations from all their vendors.

History Repeating Itself

In 1968, the United States made it mandatory for car manufacturers to install seatbelts for all newly produced cars. The evidence supporting the safety benefits of seatbelts was significant enough to warrant this mandate. Fifty years later, in 2018, new safety technology became available in the form of backup cameras, prompting another mandate for their installation.

While the auto industry was forced to install seatbelts in every car, it couldn’t force drivers to wear them. Eventually, the industry and state and local authorities created some negative incentives to drive seatbelt compliance. Your car now issues persistent warning sounds that grow louder and more annoying until you buckle up. There is a risk of receiving a substantial fine if law enforcement observes you driving without your seatbelt fastened. And graphic public education campaigns highlight the severe risks of death in accidents when not properly secured. Despite all the ways the world encourages individuals to be safe, there are still drivers who opt to drive unbuckled.

A similar problem exists within the software industry. We have an overwhelming amount of evidence that MFA is an extraordinarily effective preventative measure to protect businesses and their user accounts. And most technologies do support enabling multifactor authentication now—many even encourage its use upon signup.

But despite all the proactive steps and evidence, MFA adoption still lags.

Time To Enforce MFA Compliance

The software industry has an advantage, though. It can force compliance.

For MSPs, it’s time to start expecting (demanding) secure default configurations from vendors. Rather than expecting users to read a guide on secure deployment and configuration, vendors need to make those secure configurations default out of the box. MFA, for example, should be enabled by default and forced to be implemented upon first login. When selecting a new vendor, MSPs should start including questions around their default security configurations as part of diligence.

MSPs Can Take Action Now

While the world waits for potential legislation to require secure default configurations or the industry to self-regulate, this breach should serve as a prompt for MSPs to check configurations across critical software. Additionally, MSPs should review the controls in place to prevent and detect password reuse. These controls help mitigate some of the risk of an insecure default being left in place.

Defensive deployment is unfortunately necessary today while onboarding new applications. It is critical that MSPs document a comprehensive security review process for all newly onboarded applications, to be conducted initially and annually thereafter. Ensure that only intended means of authentication remain active and that they are adequately protected.

Password managers can help minimize risk in cases where human error leaves an account without MFA, especially if the vendor has not implemented a secure default posture. When every credential is unique and highly entropic, an attacker cannot gain twice from stealing the same credential. Password managers only work if they are adopted and used, so MSPs should check that these tools are actually being utilized by their clients and haven’t become shelfware.

In school, they always said that computers are only as smart as the people who make them. The same holds true for software: the people who make it and continue to choose to ship it insecure by default are only helping threat actors by making their jobs easier. When vetting products, MSPs should get an understanding of the steps the vendor has taken to ensure a secure default deployment and configuration.

Author:

Chris Henderson

Chris Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security. Huntress.com
