This Message Will Self Destruct.. ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On October 26, 2023

In "Mission: Impossible," one of the most iconic scenes involves Ethan Hunt (played by Tom Cruise) infiltrating a highly secure CIA facility at Langley to steal the NOC list, a comprehensive list of all covert agents. To access this room, Hunt has to bypass multiple security measures:

  1. Temperature Regulation: The room is temperature-controlled. A sudden rise could trigger the alarm. Ethan and his team have to ensure that his body heat doesn't increase the room's temperature.
  2. Sound Sensors: The room is equipped with sensitive acoustic sensors. Any noise louder than a whisper can set off the alarm. Hence, Ethan has to move very quietly.
  3. Pressure-sensitive Floor: The floor is loaded with pressure sensors. Ethan can't touch the floor, which is why he's suspended from the ceiling with ropes and harnesses.
  4. Retina Scanner: The computer holding the NOC list is secured with a retina scan. Ethan has to dangle right above the desk and use a gadget to capture the eye scan of a rightfully authorized person (in this case, the man who enters the room before the heist begins) and then replicate it to gain access.

This scene vividly encapsulates the principle of multi-layered security. Each layer (temperature, sound, pressure, and retina scan) is akin to a factor in multi-factor authentication (MFA) in real-world IT security. Even if an intruder bypasses one, there are additional layers of security in place to stop them.

At its core, MFA is a security control that requires users to present more than one independent type of evidence of identity before gaining access to an account. This usually combines something they know (like a password), something they have (like a smartphone or a hardware token), and something they are (like a fingerprint or facial recognition).

If you’re not a Mission Impossible fan, imagine your house has multiple locks on the door, a security camera, and a fingerprint scanner. Even if a burglar picks one lock, they'd still need to bypass the other security measures. Similarly, MFA acts as multiple security barriers, making unauthorized access exponentially more challenging.

In the age of digital transformation and the era of remote work, companies rely heavily on applications that are externally accessible. While this opens up opportunities for better collaboration and flexibility, it also introduces a series of security challenges. The onus then falls on Chief Information Officers (CIOs) not just to innovate, but also to protect. One of the key security recommendations, as highlighted by the Center for Internet Security (CIS) in Safeguard 6.3, is the implementation of MFA for externally-exposed applications.

Pros of Adopting MFA for Externally-Exposed Applications:

  1. Enhanced Security Posture: In an environment where cyberthreats are continually evolving, MFA acts as a formidable barrier, ensuring that compromised credentials alone can't provide access.
  2. Building Stakeholder Confidence: By adopting recommended security measures like MFA, organizations signal to their stakeholders, including customers, employees, and partners, that their data is taken seriously and protected diligently.
  3. Regulatory Alignment: MFA is increasingly becoming a requirement in various industry regulations. Implementing it ensures that the organization remains compliant, avoiding potential fines or penalties.
  4. Versatile Authentication Options: Today's MFA solutions offer a range of verification methods, from SMS-based codes to biometrics. This ensures flexibility in deployment based on the organization's needs.
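The "something you know plus something you have" combination described above, and the point that a compromised password alone must not grant access, are easier to reason about with working code in front of you. The block below is an added example written for this post, not code from the original article or from CIS: it pairs a salted PBKDF2 password hash with a TOTP authenticator code (RFC 6238 over RFC 4226 HOTP), tolerates one time step of clock drift, and refuses to accept a code from a time step that has already been consumed. The user record, the shared secret, the timestamps, the skew window and the replay rule are all constructed assumptions for the example, not values or policy the post prescribes.

```python
"""Added example, not from the original post: a minimal two-factor login check
that combines something the user knows (a password stored as a salted PBKDF2
hash) with something the user has (a TOTP code from an authenticator app,
RFC 6238 / RFC 4226). The user record, the shared secret and the timestamps
are constructed for the example; the clock-skew window and the replay rule
are policy assumptions, not anything the post prescribes."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

TIME_STEP = 30          # seconds per TOTP step (the value authenticator apps use)
DIGITS = 6              # length of the one-time code
SKEW_STEPS = 1          # accept one step either side to absorb clock drift (assumption)
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it."""
    return base64.b32decode(encoded.strip().upper())


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                last_step: int = -1) -> Optional[int]:
    """Return the time step the submitted code matched, or None.

    A step at or before last_step has already been consumed, so a code that was
    observed once cannot be submitted a second time within its validity window.
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    matched = None
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        candidate = step + delta
        if hmac.compare_digest(hotp(secret, candidate), code):
            matched = candidate
    if matched is None or matched <= last_step:
        return None
    return matched


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed sample user record; a real system would persist this."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret, "last_step": -1}


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated so response time does not reveal which
    one failed; access is granted only when both succeed."""
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    matched = verify_totp(user["totp_secret"], code, at, user["last_step"])
    if not pw_ok or matched is None:
        return False
    user["last_step"] = matched   # consume the step so the same code cannot be reused
    return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890") in base32
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    user = make_user("correct horse battery staple", secret)
    code = totp(secret)
    print("password only:     ", login(user, "correct horse battery staple", "000000"))
    print("password + code:   ", login(user, "correct horse battery staple", code))
    print("same code replayed:", login(user, "correct horse battery staple", code))
```

Two design choices matter here. Both checks run every time and use `hmac.compare_digest`, so an attacker holding a stolen password learns nothing from timing about whether the second factor was close. The `last_step` bookkeeping is what turns a "one-time" code into one that is actually single-use; without it, a code is valid for the whole 30-second step plus the skew window. An authenticator-app or hardware-token factor like this is also a stronger "something you have" than an SMS code, which travels over a channel the organization does not control.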

Here’s a link to the Account and Credential Management Policy Template for CIS Controls 5 and 6 provided free of charge from the fine folks at the Center for Internet Security:

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 6 – Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for users, administrators, and service accounts for enterprise assets and software.

Implementation Group 1

CIS Safeguard 6.3 - Require MFA for Externally-Exposed Applications

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.