Article by Ben Taylor, Executive Director at Cannabis Information Sharing & Analysis Organization
While the legacy market and a cash-based legal market have forced the cannabis industry to keep physical security at the forefront, the importance of cybersecurity is only just starting to gain the attention it requires.
As October is officially Cybersecurity Awareness Month, we want to take the opportunity to look at one of the best defenses an organization can implement to enhance its security: multi-factor authentication (MFA).
One of the first lines of defense a cannabis company should consider is guarding authentication into its digital environments.
One of the most effective ways to start is by leveraging MFA to reduce account takeovers and unauthorized access.
The Cybersecurity & Infrastructure Security Agency (CISA) has produced alerts specifically on how weak security controls are routinely exploited for initial access, and implementing MFA remains one of the first mitigation steps for preventing data breaches.
In 2020, Microsoft reported that 99.9% of compromised accounts did not use MFA. While using MFA is essential, not all MFA is created equal.
This article will briefly review types of MFA solutions, recent examples of how threat actors are bypassing MFA protocols, and what mitigating steps the cannabis industry should be implementing to fortify their data security.
Multi-Factor Authentication (MFA) is a security layer many organizations use to help secure how staff log in to their systems. It requires the user to provide a combination of two or more factors to verify their identity before gaining system access.
Security is naturally enhanced because even if one factor (like your password) becomes compromised, unauthorized users would have to bypass the second factor before gaining access.
There are a variety of MFA strategies, and deciding which one makes most sense for your organization may depend on the sensitivity of the information that users have access to.
The methods below are presented from most to least secure.
Physical Key: Users insert the physical key into, or tap it against, the device or computer to access information. Often, companies offer physical keys only to their highest-value users, though recently a growing number have started issuing them to all users to make their MFA more phishing-resistant.
It is not recommended that keys be shared amongst employees. The FIDO Alliance developed FIDO Authentication standards based on public key cryptography for authentication that is more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.
FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
Authenticator App: The authenticator app is an application that you download to your phone. The app will typically provide you with two authentication options.
The first is known as a push notification, which is where the authentication app notifies you that someone is trying to access your account, and it prompts you to approve or decline the attempt. This method offers a combination of security and ease of use.
The second option, which is more widely used, is where the app generates a time-sensitive code that you enter on the login screen when prompted.
Biometric Verification: This can be anything from facial recognition technology to fingerprint verification.
It is important to note that biometric verification should still be used in combination with another factor. As a standalone solution it does not constitute MFA and still leaves security gaps.
Municipality-specific laws around the storage of biometric data may limit the usefulness of this factor to systems that are dedicated to a specific employee and do not store their biometric data in a central database, so be sure to check with your legal team on applicable limits if you want to consider biometrics.
SMS: Text and call one-time passwords (OTP) are a common MFA method. After a username and password are entered, a one-time password in the form of a PIN is either texted to the user or read out over a call.
This method has the drawback of time limits and can also be more vulnerable to threat actors than the methods discussed above.
Email: Email authentication works similarly to the SMS OTP method and shares similar risk factors. Email accounts can be compromised, and if a threat actor has access to your email, or to that of the provider, they can defeat MFA. Like SMS, this is a common form of MFA, but not the most secure.
A method that has gained notoriety lately is known as “MFA Fatigue”, and was the tactic used in the recent Uber breach.
This method is possible once the threat actor has obtained the initial access credentials (typically a username and password); the attacker then repeatedly sends the target push requests to authenticate. By continually sending the pushes, the threat actor hopes that authentication will be accepted by accident, or approved simply to stop the pushes altogether.
According to Kevin Beaumont, a renowned cybersecurity expert, the Uber attack went as follows:
Lapsus$, the extortion gang recently identified as the group that breached Microsoft, Okta, and Nvidia, claimed to have also worn down victims with repeated MFA push notifications, including a Microsoft employee.
According to a message captured from the Lapsus$ Telegram channel, “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
In addition to mass MFA bombing, sending only one or two MFA prompts per day to attract less attention can also be effective.
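Both push-fatigue patterns described above, the mass bombing burst and the one-or-two-prompts-a-day variant, leave a signature in the identity provider's push-notification log that a defender can alert on. The following is an added example, not code from the original article or from any vendor; it runs over a constructed sample log in a hypothetical "timestamp user result" format and flags each pattern separately, including the case where an approval lands right after a burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push log (timestamp user result); not taken from any real system.
SAMPLE_LOG = """\
2022-09-15T01:00:05 alice denied
2022-09-15T01:00:40 alice denied
2022-09-15T01:01:20 alice denied
2022-09-15T01:02:00 alice denied
2022-09-15T01:02:45 alice denied
2022-09-15T01:03:30 alice approved
2022-09-15T09:15:00 bob approved
2022-09-12T18:00:00 carol denied
2022-09-13T18:05:00 carol denied
2022-09-14T17:58:00 carol denied
2022-09-15T18:02:00 carol approved
""".splitlines()

def parse_log(lines):
    """Return (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in lines:
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def find_push_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Mass-bombing check: users with >= threshold prompts inside any sliding window.
    Maps each to True if an approval landed in, or within `window` after, the burst."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    flagged = {}
    for user, prompts in by_user.items():
        start = 0
        for end in range(len(prompts)):
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                tail = [r for t, r in prompts[start:] if t - prompts[end][0] <= window]
                flagged[user] = flagged.get(user, False) or "approved" in tail
    return flagged

def find_low_and_slow(events, min_days=3):
    """Low-and-slow check: users who denied a prompt on >= min_days distinct days."""
    days = defaultdict(set)
    for ts, user, result in events:
        if result == "denied":
            days[user].add(ts.date())
    return sorted(u for u, d in days.items() if len(d) >= min_days)
```

A burst that ends in an approval is the highest-priority alert, since the quoted Lapsus$ playbook uses that first approval to enroll an additional device; a new-device enrollment shortly after such a burst is worth a second rule.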
For the cannabis industry to reduce the risk and protect organizations and users from succumbing to MFA bypass, consider the following in your MFA implementation: