Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft

Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month. The Windows giant's director of identity security, Alex Weinert, and IT identity and access program manager Lee Walker revealed the figures at the RSA conference last month in San Francisco. "About a half of a …

  1. Flak

    enforce MFA - base level security policy

    Can't agree more strongly.

    At a previous company a user's corporate O365 account was compromised through the re-use of a password from the individual's private 'standard' list of passwords used for many purposes - one of these was hacked.

    I asked the IT manager why MFA was not mandated - particularly as it is a free standard feature. There was no satisfactory response. It was fixed and there hasn't been a breach since.

    1. Franco

      Re: enforce MFA - base level security policy

      We're trying to roll it out here. The other contractors, the IT managers and I are pushing hard for it, but user resistance is high. They're about to receive this article in their inboxes as a pre-emptive response to "why are you doing this?"

    2. Anonymous Coward

      Re: enforce MFA - base level security policy

      For some organizations, one of the issues is to give users the "multi-factor" devices.

      You have to give them either hardware tokens or a compatible smartphone, or trust user devices - and users have to trust you (my policy is no company stuff on my private phone, and the company does not have my mobile number either).

      Hardware tokens and phones have a cost. Tokens may cost less, but people have to carry (all of) them around, and if they forget them they can't work. Phones can be expensive, and a company may not want to give a company phone to all users.

      Sure, they strengthen security but not all companies and users are still ready to pay the price - some are instead trying some "single sign-on" method (often hacks with tools that fill password fields with auto-generated passwords - yet still saved with reversible encryption somewhere).

      1. Robert Helpmann??

        Re: enforce MFA - base level security policy

        Hardware tokens and phone have a cost. Tokens may cost less, but people have to carry (all of) them around, and if they forget it they can't work. ... Sure, they strengthen security but not all companies and users are still ready to pay the price...

        Most companies, when able to do a cost-benefit analysis with realistic information concerning the cost of implementation vs the cost of breaches, opt to pay the lesser of the two. This is typically the cost of implementation.

        1. Anonymous Coward

          Re: enforce MFA - base level security policy

          No, unluckily they look at the immediate recurring costs (tokens, phones and their bills, lost productivity of users locked out, application modifications), versus a risk that could happen in the future and is hard for them to quantify, especially those looking at IT as a nuisance someone asks them to use.

  2. Robert Grant

    Some providers (we use Auth0) also use HaveIBeenPwned and other common password reuse technologies to keep down the number of vulnerable passwords in the first place.
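The check the commenter describes can be done without ever sending the password, or even its full hash, to the third party: the Pwned Passwords API uses k-anonymity, so the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally. The following is an added example written for this page, not code from Auth0, Bitwarden or The Register; the range-response text is constructed (the first suffix is the real SHA-1 tail of "password", the counts are made up), and the network fetcher is included for completeness but not exercised offline.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; only fetch_range() below uses it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix "5BAA6": lines of
# "<35-hex-char SHA-1 suffix>:<count>". A count of 0 is a padding line.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """5-character prefix that leaves the client, 35-character suffix that never does."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(text: str) -> dict[str, int]:
    """Turn a range response into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetcher for real use (not called in the offline demo).
    Add-Padding asks the service to pad responses so length does not leak prefix hits."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_fetcher=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    `range_fetcher` maps a 5-char prefix to the response text, so it can be stubbed offline."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(range_fetcher(prefix)).get(suffix, 0)


def offline_fetcher(prefix: str) -> str:
    """Stub that serves the constructed sample for its prefix and nothing otherwise."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def password_is_acceptable(password: str, range_fetcher=fetch_range) -> bool:
    """Policy hook for a signup or password-change form: reject any password seen in a breach."""
    return breach_count(password, range_fetcher) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7!"):
        print(candidate, "->", breach_count(candidate, offline_fetcher))
```

Design note: the hash prefix is the only thing that leaves the client, so even the check itself does not become a new place where passwords leak; pair the rejection with a generic message that does not echo the breach count back to an attacker probing the form.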

  3. Claptrap314

    How nice.

    We care about security. And if you want the real stuff, you'll pay for premium service. It would be a shame if some of your accounts got compromised, you know?

  4. Claptrap314

    Best security?

    Is through an authenticator app? Hmm... "app". Oh, I know! That's one of those programs people find on the internet and install with root access to their "smart" phones all the time. So... I don't have one of those. Because the only company that sold ones that could be secured exited the retail space.

    Yeah, if you want me using an app for your business, you need to supply me the "smart" phone. And by the way, it WILL be turned off most of the time, as I have an aversion to being recorded constantly.

    1. MatthewSt

      Re: Best security?

      Or you could just use something like Bitwarden in the browser that will generate TOTP codes for you.

  5. MatthewSt

    Legacy Auth

    We've just disabled legacy auth within the past week and had to spend 2 or 3 days updating some of our systems to use better methods. Not complaining at the end result though; a lot of our apps are now using certificates to auth instead of passwords, using application accounts that don't have log on rights!

  6. Anonymous Coward

    Is MS still using its own best practices

    If I remember correctly there appeared to be some, which at best would be called bullshit research, from MS that there is no benefit to using a password longer than 16 characters. Are they enforcing that on Azure?

  7. JCitizen

    Just playing whack-a-mole..

    Microsoft has never vetted the users at Azure, and that is a bad problem. I had a friend who was attacked by bad actors on Azure, when it started out a few years ago; and so vigorously, that the only way to tell MS their problems was to snail mail them, and they acted like nothing happened. Getting on Azure if you have an IP to protect is like playing with dynamite. Proceed at your own risk!!

    Especially if your company is a network security newbie; they will have your phone, system, email, and network thoroughly pwned before you know it.
