Today’s threat landscape for Credit Unions is increasingly complex. Viruses, trojans, phishing, fraud, and social engineering are just a few of the threats that we have to account for daily. In order to conduct business, we must provide employees, vendors and our customers access to our systems and critical data.
How then in the face of these threats do we ensure that the person accessing a system is the person whose identity was presented?
Traditionally, we authenticate someone by requiring them to provide a password. If the password is strong enough and there are no other threats, passwords can be an effective authentication mechanism. However, problems arise because passwords can be compromised through numerous vectors. Some of the ways a password can be compromised are:
- The password can be guessed or found by brute force if it is not complex.
- Credentials can be stolen via a trojan or a phishing attack.
- Social engineering attacks can lead users to give credentials to the attacker.
When authenticating to higher-value or higher-risk systems, we will want additional assurance that the identity presented matches the person using it. One way to provide this is multi-factor authentication (MFA), that is, using more than one mechanism, or factor, to validate the identity. So, what is a factor, you ask? There are three types we refer to when looking at multi-factor authentication.
- Something you know. A password, a PIN, etc.
- Something you have. A smartcard, token, cell phone, etc.
- Something you are. Fingerprint, retina, palm geometry, etc.
When implementing multi-factor or two-factor authentication, we must select methods from two different factors. For example, a password and a smart card would be multi-factor; however, requiring a PIN and a password would still be considered a single factor, because both are something you know. There are numerous authentication methods available, and the selection of methods will be dictated by a number of criteria, but first and foremost by whether they are supported by the systems you are authenticating against. Unfortunately, support for multi-factor authentication varies widely by system and vendor.
When deciding what systems and accounts to use multi-factor authentication with, you should consider the following:
- The risk of the access method. For example, remote access and access over the internet are higher risks than access over the local network.
- The sensitivity and criticality of the data being accessed
- The function of the system
- The permission level of the account being authenticated
- Other compensating controls
- The risk appetite of the credit union
Note: for this discussion we are focusing on the use of multi-factor authentication for internal information systems, not on customer access to online services.
The first place to start with multi-factor authentication is at the edge of your network: require MFA for all remote access connections. The next step is to secure administrative access to servers, network devices, and applications with multi-factor authentication. This helps ensure that your credit union’s critical infrastructure is kept secure. Once remote access and administrative access are secured, the next step is to work towards securing all employee network access with multi-factor authentication.
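The two rules above, that MFA means methods from two different factor categories and that the requirement is rolled out in phases (remote access, then administrative access, then all employee access), as an added example not taken from the article or from any vendor product. The method-to-factor mapping and the `AccessRequest` fields are constructed for illustration and would be replaced by whatever your systems actually support.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of authentication methods to the factor category each
# belongs to; extend it with the methods your own systems support.
METHOD_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW,
    "smartcard": Factor.HAVE, "hardware_token": Factor.HAVE, "phone_otp": Factor.HAVE,
    "fingerprint": Factor.ARE, "retina": Factor.ARE,
}


def is_multi_factor(methods):
    """True only if the methods span at least two distinct factor categories."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:  # refuse to classify a method we cannot place in a category
        raise ValueError(f"unclassified authentication method(s): {unknown}")
    return len({METHOD_FACTOR[m] for m in methods}) >= 2


@dataclass(frozen=True)
class AccessRequest:
    account: str
    remote: bool      # remote access / access over the internet (phase 1)
    privileged: bool  # admin access to servers, network devices, apps (phase 2)
    methods: tuple    # authentication methods actually presented


def mfa_required(req, phase):
    """Phase 1: remote access; phase 2: plus admin access; phase 3: everyone."""
    if req.remote:
        return True
    if phase >= 2 and req.privileged:
        return True
    return phase >= 3


def evaluate(req, phase):
    """Decide an access request against the rollout phase currently in force."""
    if not mfa_required(req, phase):
        return "allow"
    return "allow" if is_multi_factor(req.methods) else "deny: single factor"
```

A PIN plus a password is rejected as single-factor, while a password plus a phone one-time code passes; an unmapped method raises rather than being silently counted.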
The NCUA provides credit unions some guidance on multi-factor authentication. To fulfill the Baseline maturity level when completing the ACET (Automated Cybersecurity Examination Tool), a credit union is expected to use multi-factor authentication to secure remote access to critical systems. Additionally, in its August 2019 letter on “Business Email Compromise Fraud”, the NCUA recommended requiring multi-factor authentication for all corporate email accounts. Industry-standard frameworks such as those from NIST and CIS prescribe multi-factor authentication as one aspect of the layered security businesses should use when securing their networks.
Multi-factor authentication is an important security control and tool but, like any control, should not be relied upon alone. It should be part of the layered security that your credit union uses to secure member data and critical assets. Hopefully, your credit union has started the journey of implementing MFA in your environment. If not, now is definitely the time to start.
Ongoing Operations and our CISO team have experience helping credit unions implement multi-factor authentication solutions. If you have questions or want to discuss possible solutions, please reach out to us today and we will be in touch. You can also fill out the short form below.