
On June 13, 2023, Fortinet announced a critical vulnerability in the SSL-VPN component of FortiOS. In this article, we're going to give you a quick summary of what you need to know, including what Fortinet's SSL-VPN is, what you need to know about the vulnerability, how to know if you're affected, and what steps you may need to take.

About Fortinet SSL-VPN

Fortinet is a company that specializes in the convergence of networking and security. Its product line includes FortiOS, the operating system that runs on FortiGate firewalls and many of its other hardware devices. One FortiOS feature is the Secure Sockets Layer (SSL) Virtual Private Network (VPN), which lets remote users establish an encrypted connection over the public internet into an organization's network. Because it must accept connections from anywhere on the internet, the SSL-VPN listener is one of the most exposed components of the device.

About the Vulnerability

According to Fortinet's statement, the vulnerability is a heap-based buffer overflow in the SSL-VPN component that could allow a remote attacker to execute arbitrary code or commands by sending specifically crafted requests. It is especially dangerous because it is reachable before any user authentication occurs, so multifactor authentication (MFA) on the VPN does not help: the attacker needs no credentials or other information about the organization, only network access to the SSL-VPN listener. Fortinet states that the vulnerability "may have been exploited in a limited number of cases." Fortinet products are widely deployed at the network edge and have been targeted frequently in the past, which makes prompt patching important.

This vulnerability affects many versions of FortiOS and FortiProxy. See the "Affected Products" section of Fortinet's advisory for details.

The vulnerability has been assigned CVE-2023-27997. Refer to the NIST National Vulnerability Database (NVD) for more information.

Fortinet has assigned this vulnerability the designation FG-IR-23-097. Refer to Fortinet's Product Security Incident Response Team (PSIRT) for more information.

Are You Affected?

Your organization may be affected by this vulnerability if you:

  • Have SSL-VPN enabled on any Fortinet device. Check your IT asset inventory to identify Fortinet devices (e.g., FortiGate firewalls, FortiProxy). For each device, determine whether the SSL-VPN feature is enabled and which firmware version it runs: in the GUI, look under VPN > SSL-VPN Settings; on the CLI, "get system status" reports the firmware version and "show vpn ssl settings" shows the SSL-VPN configuration. A device whose SSL-VPN listener is reachable from the internet is the case that matters most.

  • Use a third party who uses Fortinet's SSL-VPN. Check with your critical third-party service providers to determine if they use Fortinet's SSL-VPN. For example, a vendor may enable it on a FortiGate firewall they manage in order to remotely connect to your network. A critical vendor may also use the SSL-VPN to provide remote access to their own employees. A breach of their network could result in a compromise of the sensitive information they store, process, or transmit for you, or a breach of your network if the vendor has that access.

Mitigation Steps

If your organization has Fortinet's SSL-VPN enabled, install the patch applicable to the version of FortiOS or FortiProxy running on your device. The fixed versions are identified in the "Solutions" section of Fortinet's PSIRT advisory. If you cannot install the patch immediately, disable the SSL-VPN feature until the patch is installed. Likewise, if your organization has the SSL-VPN enabled but does not use it, disable it; an unused listener is attack surface with no benefit. Because the flaw is exploitable before authentication and may already have been exploited, patching does not undo a compromise that happened earlier: review SSL-VPN and administrative logs from before the upgrade for unexpected sessions, new administrator accounts, or configuration changes, and treat anything you cannot explain as an incident.

If your third parties have Fortinet's SSL-VPN enabled, request a statement from them about whether the vulnerability has been patched. Add the statement to your incident tracking system and vendor management program.

We encourage you to continue to monitor information provided by Fortinet as information about this vulnerability is still developing.

Need Help?

The CoNetrix Technology and CoNetrix Security teams are available to answer your questions and help with the mitigation process. Contact our team through our website at CoNetrix.com/ContactUs. If you are a current customer, you can email the CoNetrix support inbox.

Before You Read: This article is about a developing situation. While the steps below are accurate as of the date of this publication, we recommend visiting the Progress MOVEit Product Forum for the latest information and up-to-date mitigation steps. 

On May 31, 2023, Progress announced a critical vulnerability in their file transfer software product called MOVEit Transfer. In this article, we're going to give you a quick summary of what you need to know, including what MOVEit Transfer is, what you need to know about the vulnerability, how to know if you're affected, and what steps you may need to take.

About MOVEit Transfer

MOVEit Transfer is a secure managed file transfer (MFT) application by a company called Progress. MOVEit Transfer was originally developed by a company called Ipswitch who was acquired by Progress in 2019.

About the Vulnerability

A SQL injection vulnerability was discovered in the MOVEit Transfer web application which could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), the attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Because the flaw is reachable without credentials over the product's HTTP/HTTPS interface, any internet-facing MOVEit Transfer server should be treated as exposed.

The vulnerability has been assigned CVE-2023-34362. Refer to the NIST National Vulnerability Database (NVD) for more information.

Are You Affected?

Your organization may be affected by this vulnerability if you:

  • Use MOVEit Transfer. Check your IT asset inventory and/or vendor list to determine if your organization has a relationship with this third party. Be sure to look for other names the vendor may go by (e.g., Ipswitch, Progress, etc.).

  • Use a third party who uses MOVEit Transfer. Check with your critical third-party service providers (e.g., Fiserv, Jack Henry, etc.) to determine if they use MOVEit Transfer in any of their products.

Mitigation Steps

If your organization uses MOVEit Transfer, follow the six steps outlined in the "Recommended Remediation" section of the vulnerability notification by Progress. Work the steps in order; the environment stays offline until the cleanup has been verified.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment (ports 80 and 443). While traffic is disabled, the web UI, REST/API clients, and the Outlook add-in will not work; SFTP and FTP/S continue to operate.
  2. Review, delete, and reset. Check for unauthorized files and user accounts using the indicators of compromise (IOCs) Progress has provided, which include folder paths, file names, HTTP request patterns, user accounts, and IP addresses. Remove anything you find, and reset the service account credentials for affected systems and the MOVEit service account.
  3. Apply the patch. Check your version number to determine which patch is the correct one to install.
  4. Verify. Log back in and confirm all IOCs have been removed. If any remain, repeat the process until all IOCs have been removed.
  5. Re-enable HTTP and HTTPS traffic to your MOVEit Transfer environment.
  6. Continuous monitoring. Keep watching for the IOCs after patching; the list exists because exploitation was observed before the fix was available, so evidence of compromise may predate your patch.
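Step 2 and step 6 both come down to the same mechanical task: take the IOC list from the advisory and run it against what your server has recorded. The following Python script is an added example written for this article, not code from Progress; the IOC values, the known-account list, and the IIS log excerpt in it are constructed placeholders, and you would substitute the paths, file names, and IP addresses from Progress's advisory before using it.

```python
import ipaddress

# Constructed stand-ins for the values Progress publishes in its IOC list.
# Replace these with the folder paths, file names, request patterns and
# IP addresses from the advisory before running against real logs.
IOC_URI_STEMS = {"/example-ioc.aspx"}                        # hypothetical web-shell file name
IOC_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical attacker range
KNOWN_ACCOUNTS = {"jsmith", "mmiller", "svc_moveit"}         # accounts your administrators recognize

# Constructed IIS W3C log excerpt in the format the MOVEit Transfer IIS site writes.
# IIS replaces spaces inside a field (e.g. the User-Agent) with '+', so a plain split is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:41 10.0.0.5 POST /example-ioc.aspx - 443 - 192.0.2.44 python-requests/2.28 200
2023-05-28 09:40:03 10.0.0.5 GET /human.aspx - 443 jsmith 203.0.113.12 Mozilla/5.0 200
2023-05-28 11:05:17 10.0.0.5 GET /api/v1/folders - 443 - 198.51.100.9 curl/7.88 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def match_log_iocs(text):
    """Return (timestamp, reason) for every request that hits an IOC path or comes from an IOC range."""
    findings = []
    for req in parse_iis_w3c(text):
        when = f"{req['date']} {req['time']}"
        if req["cs-uri-stem"].lower() in IOC_URI_STEMS:
            findings.append((when, f"request to IOC path {req['cs-uri-stem']} from {req['c-ip']}"))
        src = ipaddress.ip_address(req["c-ip"])
        if any(src in net for net in IOC_SOURCE_NETS):
            findings.append((when, f"request from IOC source {req['c-ip']} to {req['cs-uri-stem']}"))
    return findings


def unexpected_accounts(current_accounts):
    """Accounts present on the server that administrators do not recognize (step 2 of the remediation)."""
    return sorted(set(current_accounts) - KNOWN_ACCOUNTS)


if __name__ == "__main__":
    for when, reason in match_log_iocs(SAMPLE_IIS_LOG):
        print(when, reason)
    # "tmpadmin2" is a constructed example of an account nobody can vouch for.
    print("unexpected accounts:", unexpected_accounts(["jsmith", "mmiller", "svc_moveit", "tmpadmin2"]))
```

Point it at the IIS log directory for the MOVEit Transfer site (the W3C format is parsed from the #Fields header, so the field order in your logs does not matter) and at the exported user list. Anything it reports belongs in your incident record before you proceed to the patch step, and the same run repeated after patching is the "continuous monitoring" of step 6.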

If your third parties use MOVEit Transfer, request a statement from them about whether the vulnerability has been patched. Add the statement to your incident tracking system and vendor management program.

We encourage you to continue to monitor information provided by Progress as information about this vulnerability is still developing.

Update: June 9, 2023

On June 9, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches.

These updated vulnerabilities have been assigned CVE-2023-35036. Refer to the NIST National Vulnerability Database (NVD) for more information.

Update: June 15, 2023 

On June 15, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches. 

These updated vulnerabilities have been assigned CVE-2023-35708. Refer to the NIST National Vulnerability Database (NVD) for more information. 

Update: July 6, 2023 

On July 6, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches. 

These updated vulnerabilities have been assigned CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933. Refer to the NIST National Vulnerability Database (NVD) for more information. 


Need Help?

The CoNetrix Technology and CoNetrix Security teams are available to answer your questions and help with the mitigation process. Contact our team through our website at CoNetrix.com/ContactUs. If you are a current customer, you can email the CoNetrix support inbox.

Since the FFIEC published the Cybersecurity Assessment Tool (CAT) in 2015, it has become a popular way to measure control maturity. It includes a series of statements which must be answered "Yes" to achieve "Baseline" maturity, which is the "minimum expectations required by law and regulations or recommended in supervisory guidance."

One benefit of the CAT is that it can be used to see trends, since it is standardized and so widely adopted. One emerging trend is that while most financial institutions have achieved the baseline requirements, there are still baseline requirements which are not met by a subset of financial institutions.

The baseline statements in this article are the top five which have been answered "No" the most. So, let's identify these pain points, review what regulatory guidance says, and see what it means to be "baseline" in those areas. At the end of the article, we'll include some resources and recommendations for helping you get to baseline.

The information in this article is based on data from the Tandem Cybersecurity "Peer Analysis" feature, an optional and anonymous way for financial institutions to compare CAT results with their peers. Learn more and participate in the peer analysis today at Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.


Trend #1. Data Flow Diagrams

External Dependency Management > Connections > Connections > Baseline Question #4
"Data flow diagrams are in place and document information flow to external parties."

The Guidance

This baseline requirement stems from the FFIEC's Information Security Booklet, Section II.C.9 Network Controls, which says:

"Management should maintain accurate network and data flow diagrams, and store them securely, providing access only to essential personnel. These diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems to facilitate the development of a defense-in-depth security architecture."

If you're not quite sure what this looks like, have no fear. The FFIEC provides an example in the Architecture, Infrastructure, and Operations Booklet, Section III.C.2 Data Flow Diagrams.

What exactly about this guidance and declarative statement makes it so noteworthy? (Or should I say "No"-worthy?) To understand this, I think we need to have a conversation about the difference between the letter of the law and the intent of the law.

  • The letter of the law says you need to have data flow diagrams.
  • The intent of the law asks "why?" Why do you need data flow diagrams? For what purpose? Answering this question often helps get to the bottom of things.

Looking at the surrounding context in both guidance documents, the answer becomes clear.

The Recommendation

You need to have a process in place to identify and track where your data is going.

You cannot secure your data if you don't know where it lives. So, what are you doing to identify and track your data? The answer to this question should shape how you answer this declarative statement.

  • "No" might just be the right answer if you aren't doing anything at all. (It's not a good answer, mind you. But it might be the right one.)
  • "Yes with Compensating Controls" could be a good choice if you do have a process, but you just haven't sketched it out.
  • "Yes" is your answer if you use a flowchart software to help you create official data flow diagrams. (Or if you're just really good at sketching things out on a whiteboard.) Better yet, use the same program you use to create your network diagrams.

The benefit of creating a data flow diagram is that it is visual. It not only shows the connections, but it can make it easier to recognize gaps or missing pieces.

If you aren't quite sure how to start, download our Sample Data Flow Diagram here. (The data flow diagram can be edited in Visio; a web version of Visio is included with most Microsoft 365 commercial subscriptions.)

Where is your data? Now feels like a good time to find out.

Trend #2. Firewall Rules

Cybersecurity Controls > Detective Controls > Threat & Vulnerability Detection > Baseline Question #3
"Firewall rules are audited or verified at least quarterly."

The Guidance

The guidance cited on this declarative statement comes from the FFIEC Information Security Booklet, Section III, which states:

"Security operations activities can include the following: Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules)."

Now, if you're thinking that puzzle piece doesn't quite look like it fits, you'd be right. The declarative statement was actually based on the 2006 version of the Information Security Booklet (which itself was based on the original version of NIST SP 800-41). The original guidance read:

"Firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly."

So, why the change? It wasn't because "at least quarterly" was bad or incorrect. It's just that there was a better way to say it. NIST SP 800-41 Rev. 1 now reads:

"It is best to review the firewall policy at regular intervals so that such reviews do not only happen during policy or security audits (or, worse, only during emergencies). Each review should include a detailed examination of all changes since the last regular review, particularly who made the changes and under what circumstances. It is also useful to occasionally perform overall ruleset audits by people who are not part of the normal policy review team to get an outside view of how the policy matches the organization's goals. Some firewalls have tools that can do automated reviews of policies, looking for such things as redundant rules or missing rules that are widely recommended. If such tools are available for an organization's firewall, they should be used periodically, probably as part of the regular policy review."

In short, as guidance and technology improve, so should we and so should our firewalls.

The Recommendation

Audit or verify your firewall rules on a regular basis.
(Preferably, at least quarterly.)

Set a reminder on your calendar to check on the firewall rules once every three months.

Use the tools, software, and logs available to you to make sure that your firewall is doing what it needs to be doing. Make sure firewall rules are configured correctly, make note of any concerns, and most importantly, make a plan for improvement, when it is needed.

If this seems like a bit of a stretch, contact your third parties to see how they can help.

Once you get into a rhythm where you are reviewing your firewall rules regularly (i.e., quarterly or more often), you can feel confident about answering this statement "Yes."
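What "audit or verify" looks like in practice is the three questions the NIST text above asks: what changed since the last review, are there rules that should never have been written, and are there rules that can never fire. The script below is an added example written for this article (not from NIST, the FFIEC, or any firewall vendor); it works on a simplified five-field rule model, and the two rulesets in it are constructed. Most firewalls can export their policy in a form that maps onto these fields.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port number or "any"


def _net(cidr):
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(broad, narrow):
    """True when every packet matched by `narrow` would also match `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.port in ("any", narrow.port))


def find_overly_permissive(rules):
    """Allow rules with no source or destination restriction ("any/any")."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == "any" and r.dst == "any"]


def find_shadowed(rules):
    """Rules that can never match because an earlier rule already covers all of their traffic.
    Firewalls evaluate in order, so a shadowed deny is the dangerous case: the traffic it was
    meant to block is already accepted higher up."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def diff_rulesets(previous, current):
    """What changed since the last review: (added, removed, modified) rule names."""
    prev = {r.name: r for r in previous}
    curr = {r.name: r for r in current}
    added = sorted(curr.keys() - prev.keys())
    removed = sorted(prev.keys() - curr.keys())
    modified = sorted(n for n in prev.keys() & curr.keys() if prev[n] != curr[n])
    return added, removed, modified


def quarterly_review(previous, current):
    """The three findings a reviewer signs off on each quarter."""
    return {
        "changes": diff_rulesets(previous, current),
        "any_any_allow": find_overly_permissive(current),
        "shadowed": find_shadowed(current),
    }


# Constructed rulesets: last quarter's approved policy and what is on the firewall today.
LAST_QUARTER = [
    Rule("allow-web",      "allow", "any",         "10.0.1.10/32", "tcp", "443"),
    Rule("allow-ssh-mgmt", "allow", "10.0.0.0/8",  "10.0.1.20/32", "tcp", "22"),
    Rule("deny-all",       "deny",  "any",         "any",          "any", "any"),
]
THIS_QUARTER = [
    Rule("allow-web",      "allow", "any",         "10.0.1.10/32", "tcp", "443"),
    Rule("temp-vendor",    "allow", "any",         "any",          "any", "any"),   # added during an outage, never removed
    Rule("allow-ssh-mgmt", "allow", "10.0.0.0/8",  "10.0.1.20/32", "tcp", "22"),
    Rule("allow-db",       "allow", "10.0.1.0/24", "10.0.2.5/32",  "tcp", "1433"),
    Rule("deny-all",       "deny",  "any",         "any",          "any", "any"),
]

if __name__ == "__main__":
    for finding, value in quarterly_review(LAST_QUARTER, THIS_QUARTER).items():
        print(f"{finding}: {value}")
```

Shadowing is checked in rule order, which is how real firewalls evaluate policies: the constructed "temp-vendor" any/any rule that was added during an outage silently swallows every rule beneath it, including the final deny. That is exactly the kind of finding a quarterly review exists to catch, and a diff against last quarter's approved export is what turns "verified" from an attestation into evidence you can show an examiner.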

Trend #3. Normal Network Activity Baseline

Cybersecurity Controls > Detective Controls > Event Detection > Baseline Question #1
"A normal network activity baseline is established."

The Guidance

The FFIEC Glossary defines a network activity baseline as:

"A base for determining typical utilization patterns so that significant deviations can be detected."

The NCUA Automated Cybersecurity Evaluation Toolbox (ACET) explains:

"Financial institutions should perform an analysis of their network traffic and then develop a normal activity baseline. A baseline is a process for studying the network at regular intervals to ensure that the network is working as designed. It is more than a single report detailing the performance or health of the network at a certain point in time."

This is a lot of fancy words to say, if you know what's normal, you can more easily identify what's abnormal and fix it. For example:

If you know your employees:

  • Work from 8:00 AM to 5:00 PM
  • Mistype passwords only once or twice
  • Only upload data to Microsoft SharePoint
  • Only log in from a specific IP address

Then they shouldn't be:

  • Logging in at 2:00 AM
  • Trying to log in a hundred times
  • Sending terabytes of data to Dropbox
  • Logging in from multiple IP addresses


You get the idea. A "normal network activity baseline" makes it easier to identify abnormal activity.
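Here is what the same idea looks like as detection logic. The Python below is an added example written for this article, not from the FFIEC or the NCUA toolbox; the log lines are constructed, and the thresholds (five times the baseline's worst day for failed logins, ten times the largest previous upload) are assumptions you would tune to your own environment. It learns a per-user profile from a week of normal activity, then scores a later day against it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication/upload events (not from a real system), key=value style.
# One week of normal activity used to learn the baseline ...
BASELINE_LOGS = [
    "2023-06-05T08:02:11 user=alice action=login result=success src=203.0.113.5",
    "2023-06-05T08:03:40 user=alice action=upload dest=contoso.sharepoint.com bytes=20000000",
    "2023-06-06T08:15:02 user=alice action=login result=fail src=203.0.113.5",
    "2023-06-06T08:15:20 user=alice action=login result=fail src=203.0.113.5",
    "2023-06-06T08:15:41 user=alice action=login result=success src=203.0.113.5",
    "2023-06-06T13:30:00 user=alice action=upload dest=contoso.sharepoint.com bytes=50000000",
    "2023-06-07T16:45:09 user=alice action=login result=success src=203.0.113.5",
]
# ... and one later day to score against it: a 2 AM login from a new address,
# ten failed attempts, and a very large upload to a service nobody uses.
NEW_LOGS = [
    "2023-06-12T08:05:00 user=alice action=login result=success src=203.0.113.5",
    "2023-06-12T02:10:33 user=alice action=login result=success src=198.51.100.77",
] + [f"2023-06-12T02:1{i}:00 user=alice action=login result=fail src=198.51.100.77" for i in range(10)] + [
    "2023-06-12T02:25:00 user=alice action=upload dest=dropbox.com bytes=2000000000",
    "2023-06-12T09:00:00 user=bob action=login result=success src=203.0.113.9",
]


def parse(line):
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def new_profile():
    return {"hours": set(), "src": set(), "dest": set(), "max_fail_per_day": 0, "max_bytes": 0}


def build_baseline(lines):
    """Per-user profile of what 'normal' looked like during the learning window.
    Only successful logins contribute hours and sources, so an attacker's failed
    attempts cannot teach the baseline a new 'known' address."""
    profiles = defaultdict(new_profile)
    fails = defaultdict(int)                      # (user, date) -> failed logins that day
    for ev in map(parse, lines):
        p = profiles[ev["user"]]
        if ev["action"] == "login":
            if ev["result"] == "success":
                p["hours"].add(ev["ts"].hour)
                p["src"].add(ev["src"])
            else:
                fails[(ev["user"], ev["ts"].date())] += 1
        elif ev["action"] == "upload":
            p["dest"].add(ev["dest"])
            p["max_bytes"] = max(p["max_bytes"], ev["bytes"])
    for (user, _day), n in fails.items():
        profiles[user]["max_fail_per_day"] = max(profiles[user]["max_fail_per_day"], n)
    return dict(profiles)


def find_anomalies(baseline, lines, fail_factor=5, bytes_factor=10):
    """Events that deviate from the user's baseline. Returns (user, reason) tuples."""
    alerts = []
    fails = defaultdict(int)
    for ev in map(parse, lines):
        p = baseline.get(ev["user"])
        if p is None:
            alerts.append((ev["user"], "no baseline for this user"))
            continue
        if ev["action"] == "login" and ev["result"] == "success":
            if ev["src"] not in p["src"]:
                alerts.append((ev["user"], f"login from new source {ev['src']}"))
            if ev["ts"].hour not in p["hours"]:
                alerts.append((ev["user"], f"login at {ev['ts'].hour:02d}:00, outside baseline hours"))
        elif ev["action"] == "login":
            key = (ev["user"], ev["ts"].date())
            fails[key] += 1
            threshold = max(fail_factor * p["max_fail_per_day"], fail_factor)
            if fails[key] == threshold:              # alert once, when the threshold is crossed
                alerts.append((ev["user"], f"{threshold} failed logins today (baseline max {p['max_fail_per_day']}/day)"))
        elif ev["action"] == "upload":
            if ev["dest"] not in p["dest"]:
                alerts.append((ev["user"], f"upload to new destination {ev['dest']}"))
            if ev["bytes"] > bytes_factor * p["max_bytes"]:
                alerts.append((ev["user"], f"upload of {ev['bytes']} bytes exceeds {bytes_factor}x baseline max {p['max_bytes']}"))
    return alerts


def run_example():
    return find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"{user}: {reason}")
```

Two design choices are worth copying into whatever tool you use: the profile is learned only from successful logins, so the attacker's failed attempts from a new address cannot poison the "known source" list, and the failed-login alert fires once when the threshold is crossed rather than once per attempt, which is the difference between an alert someone reads and one they filter out. A SIEM does the same thing at scale with its own learning window, but the rules are the same.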

The Recommendation

Determine what is normal for your network and set some rules to alert you when things are awry.

Monitoring continues to emerge as a prevalent topic in the world of cybersecurity. It isn't enough to have good systems or even to implement them effectively. Network monitoring helps ensure that systems remain relevant in the face of an ever-changing threat environment. By setting suitable key performance indicators (KPIs) which indicate normal (and abnormal) network activity, you can better secure your systems, your data, and your business.

 Learn more about this topic in the FFIEC Architecture, Infrastructure, and Operations Booklet, Section VI.D.2 IT and Operations Key Performance Indicators.

Trend #4. Audit & Security Event Logs

Threat Intelligence and Collaboration > Monitoring & Analyzing > Monitoring & Analyzing > Baseline #1
"Audit log records and other security event logs are reviewed and retained in a secure manner."

The Guidance

The FFIEC Information Security Booklet, Section II.C.22 states:

"Management should have effective log retention policies that address the significance of maintaining logs for incident response and analysis needs. […] Additionally, logging practices should be reviewed periodically by an independent party to ensure appropriate log management. […] Regardless of the method of log management, management should develop processes to collect, aggregate, analyze, and correlate security information."

The FFIEC Architecture, Infrastructure, and Operations Booklet, Section VI.B.7 Log Management dives further into the topic, giving a helpful list of pros and cons of logging.

Pros: Logging can help with

  • Troubleshooting issues.
  • Investigating potential incidents.
  • Knowing baseline activity (see trend #3).
  • Supporting ongoing improvements.

Cons: Logging is a challenge because

  • There is a ton of data.
  • Storage and capacity are limited.
  • Analysis and response require skill.
  • False positives happen.


The Recommendation

Become a logger.

I'm not necessarily suggesting a career change here. (But if you do decide to become a woodsman, here's a helpful resource: What to Do if Your ISO Leaves.) What I am saying is that when you're in the midst of the day-to-day cybersecurity battle, sometimes you can't see the forest for all the trees.

There's some trend-ception going on here. Trends within the trends suggest that we (as an industry) need to do some review work. If there's one thing that we can learn from the baseline statements, it's that financial institutions are (by and large) pretty good at selecting and implementing controls. It's the post-implementation activity that is causing institutions to miss the "baseline" mark in these domains (e.g., logging, monitoring, reviewing, documenting, etc.).

Two viable options for improvement in these areas would involve 1) upskilling and/or 2) investing in a security information and event management (SIEM) system or some kind of log management system. Learn more about your options via CrowdStrike's blog: What is Log Management? The Importance of Logging and Best Practices.

Trend #5. Secure Coding Practices

Cybersecurity Controls > Preventative Controls > Secure Coding > Baseline Question #1
"Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards."

The Guidance

Having an SDLC has been an emerging topic in guidance over the years, and the idea is generally the same across the sources: having an SDLC is a good idea. It introduces stability, reduces confusion, and makes sure systems (and software) are secure both before and after they are launched.

So, what seems to be the problem?

Well, it seems that the question is not about whether having a SDLC is a good idea or not, or even how to have one. In my experience, the question often comes back to a matter of interpretation of the declarative statement. Are these "developers working for the institution?" If the institution does not have any developers on staff, wouldn't "N/A" be a better answer here? Why is there not an "N/A" answer option for this question on the CAT?

I believe these questions are well addressed with this quote from the FFIEC Information Security Booklet:

"At institutions that employ third parties to develop applications, management should ensure that the third parties meet the same controls."

The Recommendation

Make sure third-party developers working for the institution follow a SDLC.

As part of your ongoing vendor management practices, do your due diligence.

  • In general, if you are using a software-as-a-service (SaaS) product, you should determine if the vendor follows a SDLC. Our sister company, Tandem, puts this information in their "Due Diligence FAQ" document and customers can download it any time through the Due Diligence page in the application. 
  • If you are developing your own software (think: website, mobile application, etc.) or engaging in financial technology ("fintech") activities with a third-party developer, you should dig a little deeper. Create a policy that guides your decisions. Make sure contracts and agreements are favorable. Develop a plan to ensure ongoing security.

If you are doing these things, you can be confident in answering "Yes" to this declarative statement.

Ready to be a Trend Breaker? 

If you answered "No" to one or more of the declarative statements highlighted in this article, do not despair. You most certainly aren't alone, and there are people and solutions here to help.

  • CoNetrix Technology specializes in providing computer network support, IT managed services, and network design and implementation. One area in which CoNetrix Technology specializes is called "Network Threat Protection." This is a suite of Managed Security Service (MSS) solutions, including topics addressed in this article, like: 
    • Firewall monitoring and management. 
    • Cybersecurity monitoring and reporting. 
    • Endpoint and email protection. 
       
  • The Tandem suite of cybersecurity governance, risk management, and compliance (GRC) solutions is also ready to help. For example: 
    • Tandem Policies offers recommendations for your cybersecurity policies, including "Third-Party Secure Application Development," "Project Management," "Cloud Computing," and more. 
    • Tandem Vendor Management features a way to streamline and simplify your third-party risk management processes. Track and document due diligence for your vendors, get helpful reminders, and access reporting on your third-party "developers working for the institution."  
    • Tandem Risk Assessment allows you to identify and classify your data types, connect them with information assets, and perform information security risk assessments. 

See how CoNetrix Technology can help you: CoNetrix.com/Technology/Managed-Security-Services 

Want to see how you measure up with your peers? Sign up for the free Tandem Cybersecurity Assessment Tool product today at Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.

Attackers have learned to appeal to the human element of information security. Here is one story of a situation where the human element is exactly why a CFO lost $1.5 million for his organization while on vacation.  

One day, a wire request was sent by email, supposedly from a CFO, to (1) an employee at the bank where the CFO's organization did business and (2) the CFO's secretary. The CFO was on vacation (according to their very public social media posts) and the secretary didn't want to bother them, but there was one issue: the CFO was the only authorized approver for wire transfers at their organization. The secretary wanted to be helpful and asked for the wire to be expedited. The bank complied, since they knew the CFO and could see from social media that the CFO was busy on vacation. As soon as the CFO learned of it, they contacted the bank to say they had not authorized the wire. But it was too late. $1.5 million was gone, and eventually jobs were lost and reputations were hurt. The attackers had spoofed the CFO's email address and waited until the social media posts indicated the CFO was away from the office, knowing that the one person who could contradict the request would be unreachable. Yikks aside, every control in that story was a human one, and every one of them was bypassed with a plausible message and good timing.

According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved the human element, and 36% of breaches involved phishing, up 11 percentage points from the prior year's report.

The Cybersecurity and Infrastructure Security Agency (CISA) is encouraging a "shields up" posture as cyber warfare continues to threaten businesses across the country, including financial institutions and other critical infrastructure organizations. See the CISA critical infrastructure list.

The best shields up position is a security conscious culture among your employees. 

Recognize Your Most Valuable Assets: Your Employees 

It only takes one click on a phishing email to cause an immense amount of damage to an organization. We can layer hardware and software controls to mitigate the risk of a cyber-attack, but those layers are designed around the assumption that someone will eventually click; the human element needs its own defense.

Consider that your employees are your most vulnerable, most volatile, and most valuable asset. Attackers know this, and your employees should too. As your most vulnerable asset, they need consistent and frequent training. As your most volatile, they need to be empowered and encouraged. As your most valuable, they need to be enriched as a knowledge investment. 

Your employees play a key role when it comes to cyber resilience.  

Does your team know that? 

If not, it's time to empower them. 

Build a Defense: Encourage a Security Culture 

You can build your first line of defense against cyber-attacks with consistent and frequent security awareness training. The more your people learn, practice, and understand their role in your defense strategy, the better protected your organization becomes.  

A culture of security awareness is more than just training; it is an attitude that we are all in this together. In other words, your whole team is on guard to defend your organization from outside attacks.  

In order to help frame a mindset of putting our shields up together, you can help foster this culture with your implementation of effective security awareness training techniques. 

Here's how. 

Perspective: Train, don't just Test 

Phishing emails are tricky, which is why they work. Starting with a belief that all people need training and reminders helps keep everyone on an even playing field. Your new recruits, your seasoned IT experts, and your board members should all receive frequent training to keep their skills top of mind. 

Test their skills with the goal of learning where they need more education. For example, you may send a simulated phishing attack and 14% of your targeted group fails the test. By keeping your perspective, you can inform, encourage, and educate as part of your campaign. Without calling anyone out, you can inform your group of the recent campaign, let them know the results, praise those who reported the email as suspicious, and provide a reminder about what clues and tactics gave the email away. 

Proactive: Skills before Drills 

Create a system for reporting suspicious emails and give your team an easy way of using it. Our information security committee at CoNetrix developed a simple system that starts with a dedicated email and a testing machine. When a CoNetrix employee receives an email that looks suspicious, they can send the email as an attachment to the dedicated email address for testing in the dedicated environment.  

For those that do not have a one-click button to report phishing, it's hard to remember how to report a phishing email when you only do it every once in a blue moon. You can create your own phishing report button through Microsoft Outlook's Quick Steps. Because we already use Outlook and our people love efficiency, one of our team members created a tutorial for using Outlook Quick Steps to make it fast and easy to correctly report a phishy email for the good of the team. By setting up Outlook Quick Steps, employees take five minutes up front to address future suspicious emails in five seconds or less. 

Perceptive: Remove Blame and Shame 

According to Verizon's report, "The majority of Social Engineering incidents were discovered externally. […] When employees are falling for the bait, they don't realize they've been hooked. Either that, or they don't have an easy way to raise a red flag and let someone know they might have become a victim. The former is difficult to address, but the latter is simple and should be implemented." 

Most people want to keep their jobs and the security your company provides for them and their families. If an employee inadvertently clicks a phishing link, you want them to feel safe about reporting the accident, without incurring ridicule or harsh retribution. It's better for your incident response process to get information about a potential breach right away rather than incurring a network take-down. 

If an employee clicks on something and then after-the-fact decides it may have been something dangerous, they should feel safe to report the phishing email and report the fact that they clicked. They should not expect humiliation. 

Continue to Reinforce the Basics 

We all need reminders. Consistent, frequent, ongoing education can help your team recognize a phony email, quickly deal with it, and move on. By encouraging and reminding with an attitude that preserves the dignity of your employees, you can build a workforce that wants to protect your organization. 

Thought prompt: What are some things you do to encourage a security culture? 

By: (CSXF)

Whether you work from home full-time, go to the office a couple of days a week, or work full-time in the office, each of us has adjusted our routines to deal with this new lifestyle. With these adjusted routines, it is imperative that we check in on our security routines to ensure the safety of our information and customer information.  Some of the tactics we have relied upon in the past can still be helpful to us today, even if our routines look different.

So, what does it mean to "check-in" on our security routines? Consider these questions:

  • What kind of habits make up a security routine?
  • How can I monitor these habits and controls for myself and my employees as we encounter different types of risk every day?
  • Is there guidance I can turn to for extra tips?

5 Ways to Improve Your Security Routine

Change Passwords Frequently

Many organizations have policies that force passwords to be changed on a set schedule to limit how long a stolen password stays useful. Be aware that current guidance (NIST SP 800-63B) no longer recommends forced periodic rotation for its own sake, because it tends to produce weaker, predictable passwords; it recommends changing a password promptly when there is any evidence it has been compromised, and otherwise using long, unique passwords (a password manager helps) protected by multifactor authentication. Whichever approach your organization takes, change the password on any frequently used account you suspect may have been exposed, and never reuse a password across accounts, so that one compromised service does not unlock the others.

Don't Share Passwords 

If you're an administrator, manager, or officer for your organization, you may hold elevated privileges on certain accounts. No password should ever be shared with anyone else, including coworkers. Shared credentials make unauthorized access, misuse, alteration, and destruction of data more likely, and they make it impossible to attribute an action to an individual when something goes wrong.

Implement Multi-Factor Authentication

This is especially helpful for employees working from home who must access your organization's network over a VPN. Home networks are rarely as well controlled as the office network, so employees should have to prove their identity with a second factor before reaching company resources from outside. Apply MFA to every remote access path (VPN, email, remote desktop gateways, cloud consoles) and to all administrator accounts regardless of location; an attacker holding a stolen password should not be able to get in from anywhere.

Schedule Regular Exercises / Tests

Testing your organization's response to downtime, closures, or inability to access information can be critical for those situations that occur in real life. Are your employees prepared for how to continue critical operations if there's a network outage, or if they cannot report to their normal job site? Documenting these procedures in a business continuity plan is a start, but executing those procedures helps you identify gaps and areas that need improvement.

Schedule Annual Security Awareness Training

Improperly trained employees pose a large security risk to your institution. Even employees with low-level access to secure information should be trained to understand the importance of keeping information secure, and how to easily detect and report problems. Everyone at your institution plays a role in keeping customer and internal information secure, and creating an environment where risks can be taught, discussed, and used for educational purposes is vital. At least once a year, enroll all employees in security awareness training. As part of the security awareness training, conduct simulated phishing tests. If certain employees continuously fail your simulated phishing tests, take that as an indication that additional security awareness training is needed.

What are my next steps?

As you check in on your security routine, remember that you can always refer to published guidance for additional tools and verification. Checking in on your security routine not only benefits your own knowledge and skills, it benefits the overall well-being and security of your information, so your organization can continue to thrive and provide exceptional service.

Multifactor authentication (MFA) is considered a staple in the world of security. For many, the use of MFA may seem straightforward, but as with many things in life, complexities abound. In this article, we will discuss five current challenges associated with MFA and ways to mitigate those risks. 

Before you go any further, read the article What is Multifactor Authentication? It provides an overview of MFA, financial institution regulatory guidance sources, and tips for how to incorporate it into your information security program.

Challenge #1. Misapplication of MFA may negate your cyber insurance. 

It is not a secret that cyber insurance companies are facing an uphill battle. Some sources state that in 2020, cyber insurers had a loss ratio of 500%, which means that for every $1 they earned in premiums, they lost $5 in responding to incidents. 

Due to the rising costs associated with cyber incident response, many insurance companies are beefing up their coverage requirements and now expect MFA to be enabled for the following types of services: 

  • All admin access (both internal and remote) to directory services, network backup environments, network infrastructure, endpoints, and servers. 
  • All remote access to the network, including employees and third parties. 
  • All email systems which can be accessed through a cloud service (e.g., Office 365). 

While this may seem like a reasonable requirement up front, it can also become a reason to deny coverage if your MFA implementation falls short of the policy's wording when a claim is filed.

Facing the Challenge: Review your cyber insurance policies. Determine if they require MFA and if your current MFA implementation would be satisfactory in the event of an incident. 

Challenge #2. Financial institution guidance about MFA is not very descriptive. 

Various financial institution regulatory agencies and industry leaders also now expect multifactor authentication to be implemented, as discussed in the article What is Multifactor Authentication? For example:

  • FFIEC Authentication Guidance (August 2021)
    According to the guidance, MFA is encouraged for "high-risk users," which are defined as users who have "access to critical systems and data; privileged users, including security administrators; remote access to information systems; and key positions such as senior management" (page 5). For additional information, read the full guidance.

  • FFIEC Cybersecurity Assessment Tool
    The following maturity declarative statements from the tool's "Access and Data Management" component reference multifactor authentication:

    • Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
    • Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications.
    • Multifactor authentication (e.g., tokens, digital certificates) techniques are used for employee access to high-risk systems as identified in the risk assessment(s).

    For additional information, download the PDF or sign up for Tandem's free automated version of the tool.

  • CSBS Ransomware Self-Assessment Tool (R-SAT)
    R-SAT Question 10 asks users to confirm that MFA is used for various circumstances, including access to cloud-based services, cloud email services, VPN remote access, and administrative access. For additional information, check out our R-SAT blog.

  • NIST Cybersecurity Framework v1.1
    While not specific to financial institutions, the framework references MFA in subcategory PR.AC-7, which states "users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction." For additional information, download the framework.

While every one of these references calls for MFA, none of them says much about how it should be implemented.

Facing the Challenge: Implementing a control such as MFA needs to focus on the likely entry points (remote access, email, and administrative interfaces) and on the systems where a compromise would cause the most damage. Start considering how MFA could most effectively be implemented to mitigate the risks facing your organization.

Challenge #3. It is unfeasible to implement MFA everywhere. 

Perhaps the greatest challenge with MFA, especially in consideration of increasing requirements, is that it is currently unfeasible to implement everywhere. 

For example: 

  • MFA cannot be enabled on Active Directory (AD) itself or on on-premises SQL Server logins. Their native authentication (Kerberos and NTLM for the domain, SQL or Windows authentication for the database) does not prompt for a second factor, so MFA has to be enforced at the systems and paths used to reach them (jump hosts, RDP gateways, VPNs, admin portals), not by the programs themselves. Certificate-based smart-card logon is the notable exception on the AD side.
  • It is also not currently possible to enable MFA on service accounts. Service accounts run unattended, often with elevated privilege, and are not tied to any particular person, so there is nobody to present a second factor.
  • To complicate matters further, there are multiple ways to authenticate as a Windows domain admin or to elevate privileges once authenticated: running commands under another account (runas), PowerShell remoting, Windows management protocols such as WMI and WinRM, scheduled tasks, or a User Account Control (UAC) elevation prompt. An MFA prompt added only to the interactive logon screen covers none of these paths.

While applying MFA everywhere may sound like a dream come true, technological limitations currently prevent that dream from becoming a reality. 

Facing the Challenge: Determine what you can secure with MFA and apply compensating controls for what you cannot. Based on your organization's long-term technology strategy, it may be beneficial to consider the possibility of moving certain systems to the cloud (e.g., Azure, AWS, etc.). That said, while many cloud solutions support MFA for access, they also present an entirely different set of risks and would not be a wholesale security solution in-and-of themselves. 

Challenge #4. MFA is not infallible. 

While MFA is an appealing control to consider, it is certainly not infallible and should not be implemented lightly. For example: 

  1. Anybody who has administrator access also has the ability to turn MFA off. If you are depending on MFA as a security control for administrators, you need a check that it stays on: review who can change MFA settings, and alert on events in your identity provider's admin audit log that disable or reset MFA for privileged accounts.

  2. MFA is a preventive control. When MFA methods are incorrectly configured or fail to work (a lost token, an unreachable push service), administrators can be locked out of their own systems, which could cause significant damage to the organization. Keep at least one documented break-glass account, protected by other means, stored offline, and monitored for any use.

  3. When controls, like MFA, cannot be implemented universally, it leaves the entire environment vulnerable by proxy. While applying MFA in certain areas or to certain users can limit exposure, the more security gaps you can close, the better. 

Facing the Challenge: Implementation of MFA is not only a technical decision. It is an enterprise-wide strategy. Start the conversation by including relevant personnel in the decision-making process. Assess the impact of MFA on operations and make sure plans are in place to limit negative consequences. 
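A concrete form of the validation that item 1 asks for, as an added example that is not from the original article: a Python check that replays an identity provider's admin audit events and flags MFA being switched off for an account that holds a privileged role at that moment, calling out self-service disables separately and reporting which privileged accounts are still without MFA at the end of the stream. The event schema, field names, role names and sample lines are constructed for this example; real products (Azure AD, Duo and others) expose the same information in their own audit-log formats.

```python
"""Flag MFA being switched off for privileged accounts (added example; constructed log schema)."""
import json
from typing import Dict, List, Set, Tuple

# Roles whose members we treat as privileged; adjust to your directory/IdP (assumed names).
PRIVILEGED_ROLES: Set[str] = {"Global Administrator", "Domain Admins", "Backup Operators"}

# Constructed sample audit stream: newline-delimited JSON with hypothetical field names.
SAMPLE_LOG = """\
{"ts":"2023-06-01T08:00:00Z","event":"role_added","actor":"jsmith","target":"abrown","role":"Global Administrator"}
{"ts":"2023-06-01T08:05:00Z","event":"mfa_disabled","actor":"helpdesk1","target":"tjones"}
{"ts":"2023-06-01T09:12:00Z","event":"mfa_disabled","actor":"abrown","target":"abrown"}
{"ts":"2023-06-01T09:13:00Z","event":"mfa_enabled","actor":"abrown","target":"abrown"}
{"ts":"2023-06-01T10:30:00Z","event":"role_removed","actor":"jsmith","target":"abrown","role":"Global Administrator"}
{"ts":"2023-06-01T10:31:00Z","event":"mfa_disabled","actor":"jsmith","target":"abrown"}
{"ts":"2023-06-01T11:00:00Z","event":"mfa_disabled","actor":"jsmith","target":"jsmith"}
"""


def analyze(log_text: str, initial_admins: Set[str]) -> Tuple[List[Dict[str, str]], Set[str]]:
    """Replay the audit stream in order.

    Returns (alerts, privileged_without_mfa):
      alerts - one entry per mfa_disabled event whose target held a privileged role
               at that moment; an admin disabling their own MFA gets its own reason
      privileged_without_mfa - privileged accounts whose MFA is still off at the end,
               so a missed alert does not leave the gap unnoticed
    """
    roles: Dict[str, Set[str]] = {u: {"(initial)"} for u in initial_admins}
    mfa_off: Set[str] = set()
    alerts: List[Dict[str, str]] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, target = ev["event"], ev["target"]
        if kind == "role_added" and ev["role"] in PRIVILEGED_ROLES:
            roles.setdefault(target, set()).add(ev["role"])
        elif kind == "role_removed":
            roles.get(target, set()).discard(ev["role"])
        elif kind == "mfa_enabled":
            mfa_off.discard(target)
        elif kind == "mfa_disabled":
            mfa_off.add(target)
            if roles.get(target):  # privileged at the time of the event
                reason = ("privileged account disabled its own MFA"
                          if ev["actor"] == target else "MFA disabled for privileged account")
                alerts.append({"ts": ev["ts"], "target": target,
                               "actor": ev["actor"], "reason": reason})

    still_off = {u for u in mfa_off if roles.get(u)}
    return alerts, still_off


if __name__ == "__main__":
    found, exposed = analyze(SAMPLE_LOG, initial_admins={"jsmith"})
    for a in found:
        print(f"ALERT {a['ts']} {a['reason']}: target={a['target']} actor={a['actor']}")
    print("privileged accounts currently without MFA:", sorted(exposed))
```

Run against the sample, the check raises two alerts (abrown turning off MFA while still a Global Administrator, and jsmith turning off their own) and ignores the later disable for abrown, who had lost the role by then; jsmith is reported as the one privileged account still without MFA. The point of keeping role state in the replay is that "who is privileged" changes over time, so a static list of admins would miss the first case.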

Challenge #5. MFA can be expensive to implement. 

While MFA is becoming more widely available, implementing it can still require a significant investment of time and money, as "one MFA to rule them all" does not exist. Every system has its own form of MFA. For example, some systems support:

  • Vendor-specific MFA products and integrations, such as Duo MFA, RSA SecurID, Symantec VIP, or the MFA hooks in VPN clients like Palo Alto GlobalProtect.
  • Solutions built on the Time-Based One-Time Password (TOTP) standard (RFC 6238), such as Google Authenticator, Microsoft Authenticator, Twilio Authy, etc.
  • Native MFA solutions built into the application, such as how the Tandem Mobile App can be used as an MFA option for Tandem access.

Since systems use a variety of MFA options, it is up to each organization to ensure they select the right solution for them and ensure adequate coverage. 

Facing the Challenge: If you do not currently have MFA implemented, begin planning for it now. If you need assistance, there are managed security service providers (MSSPs) with expertise in this area, such as CoNetrix Technology. If you would like assistance with selecting and implementing the right MFA solution, contact us.

Conclusion 

MFA is a highly effective control when it comes to reducing the risk of various threats, but it comes with its own set of challenges and risks. As you consider your current and future MFA plans, take a step back and answer the question: Are you trying to check a box or are you trying to mitigate a risk? 

A layered security program is always going to be the most effective way to face the cyber challenges of our time. While MFA is a helpful component of this program and should be used when feasible, it is not the only control you need. You have to use many controls to create a layered security program. For additional information about how you can secure your systems or to learn more about IT managed services, visit CoNetrix.com/Technology.


 

Many organizations are adopting Microsoft 365 (formerly Office 365), and businesses nationwide are seeing the benefits of improved productivity through its email and collaboration solution. Organizations of all sizes can benefit from a seamless user experience across mobile and on-premises environments.

While Microsoft 365 offers great flexibility, it mostly focuses on infrastructure management rather than data management. Meaning: you are responsible for your data.

Some businesses that have migrated their workloads to Microsoft 365 do not realize that the same reasons they had for backing up and protecting that data on-premises apply just as much in the cloud.

If you are still considering Microsoft 365 for office productivity and collaboration, this article may be for you: Microsoft 365: Is it the right choice for your business?

Without proper backup and recovery, your data is at risk, because Microsoft isn't providing complete protection. It's important to create a backup and recovery strategy to ensure you avoid permanently losing your critical data.

It's important to understand the difference in responsibilities of Microsoft and Microsoft 365 user organizations. Microsoft hosts the infrastructure, but you are responsible for your data.


What is Microsoft's Responsibility?

Cloud Infrastructure Uptime — Microsoft focuses on the infrastructure management rather than data management. By focusing on infrastructure, Microsoft ensures its cloud service is online and operational. Guaranteed uptime is based on your agreement level and outlined in the availability SLA (Service Level Agreement).

Basic Data Replication — Microsoft provides basic data replication with datacenter-to-datacenter geo-redundancy, and limited retention for short-term data recovery. Replication protects against Microsoft losing a datacenter, not against you losing data: a mistaken deletion or a ransomware-encrypted file is replicated just as faithfully as anything else.

Data Processing Compliance — Compliance and controls for data processing are limited to the processor, not the data itself. Microsoft ensures data privacy, regulatory controls, and industry certifications for compliance are in place and maintained for the infrastructure of its cloud service.

Physical Infrastructure Security — Microsoft secures the physical infrastructure and the service itself: app-level security, logical security, and the access control mechanisms offered to users and administrators. Deciding who gets access, and protecting the data those people can reach, is not part of that.


What is the Customer's Responsibility?

Business Data in Microsoft 365 — The customer is the owner of the data that resides in the Microsoft 365 data centers. As the owner, the customer controls the data and who can access it. All responsibility for the data's security, privacy, and retention rests with the customer.

Enterprise-grade Backup and Long-Term Data Retention — Implementing an enterprise-grade backup solution for Microsoft 365 can give businesses confidence to recover from security breaches, compliance exposure, and data loss. With enterprise-grade backup, a copy of the data is stored outside the environment. In the event of an incident, it provides granular and point-in-time recovery options.

Data Owner Compliance — As the data owner, the customer has the ultimate responsibility of data for internal legal and compliance teams. The customer answers to the demands from corporate and industry regulations.

Security Functions to Protect Data — Protection of data is the responsibility of the customer, not Microsoft. Security controls must be implemented to protect the data from internal threats, such as accidental deletion, insider threat, and disgruntled employees, and from external threats, such as malware, ransomware, and rogue applications.


What happens when Microsoft 365 is used without backup?

Microsoft only provides basic and limited retention. If you don't implement a backup strategy outside of Microsoft's native capabilities, you are opening up your business for unnecessary risk. Lack of a Microsoft 365 backup plan is a risky data strategy.

Without proper backup and recovery, your organization can expose itself to the following risks:

  • Data loss from accidental deletions
  • Ransomware attacks and security breaches
  • Insufficient retention time for regulatory compliance policies
  • Lack of data control due to potential SaaS lock-in

Organizations investing in productivity and collaboration tools should also consider their backup and retention needs as a factor in efficiency and productivity. Considering a third-party backup solution is critical for data loss avoidance.


What is the best strategy for Microsoft 365 backup?

Your data is your business. By taking a data-driven approach to your backup strategy, you recognize the critical importance of your data for your business stability.

Make Microsoft 365 Backup a Key Priority

Backup for cloud services (SaaS), such as Microsoft 365, is imperative for security and data control. Full oversight and control of data is a boardroom priority. Without backup, organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control of their data. Backup should be part of the conversation when buying SaaS and not an afterthought.

Consider Enterprise-grade Data Protection

When investing in backup solutions, consider integration between the Microsoft 365 environment and your existing data protection environment. Evaluate automation, security, and integration between systems when comparing enterprise-grade data protection and recovery features. Integrating SaaS into enterprise data protection can help unify data management.


What to look for in a Microsoft 365 backup solution

1) Freedom to use existing on-premises capacity for Microsoft 365 backup, or the ability to leverage another cloud for cloud backup.
2) Basic features provided, such as incremental backups, granular recovery, automation, and policy-based retention capabilities.
3) A solution capable of managing and protecting hybrid deployments and the ability to ease the full adoption of SaaS.
4) Integration between Microsoft 365 and the customer's existing data protection environment.
5) Advanced security features such as access control, SaaS usage metrics, and multifactor authentication for additional security.
6) Ability to scale up or down as business and data demand changes and as SaaS is rolled out more widely within the company.


Investing in productivity tools and the corresponding backup is an exciting adventure. When you are ready for a guide, we are here to help. We can advise on and implement a solution that fits your business needs. Contact us today to schedule a consultation.


 

Microsoft has been emphasizing Office 365 (now Microsoft 365) subscription services since its public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, with new users being added at over 3 million seats per month. With this growth, ongoing marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Microsoft 365.

In this article, we will highlight several pros and cons of Microsoft 365 you should consider to determine if it's right for your business.

Microsoft 365 (formerly Office 365) encompasses several different products and services, but in this article, we will address these services in two primary areas: user applications and back-end services.

Microsoft 365 User Applications

Most Microsoft 365 subscription plans include Office applications like Word and Excel running on Windows, macOS, and portable devices running iOS and Android. Applications are also available through a web browser but most customers are interested in Microsoft 365 applications as a possible replacement for traditional Office licensing.

What are the primary differences between Microsoft 365 and traditional on-premises Office applications?

  • Microsoft 365 is an annual subscription per user or seat. Each user is entitled to run the Microsoft 365 applications on up to 5 devices for the term of the subscription. As long as you continue to pay the annual subscription, you are covered for the Office applications included in your plan.
  • Office applications through Microsoft 365 are designed to be downloaded from the M365 portal. There is no license key; after installation the applications routinely "check in" to the M365 (formerly O365) service to confirm there is an active account. Because of this check-in process, IT administrators must use a specific procedure for mass deployment of M365 applications, and installation on multi-user servers like Remote Desktop Services and Citrix requires a different approach (shared computer activation).
  • Microsoft 365 applications install feature and security updates directly from Microsoft's content delivery network when they are released. Legacy patch management solutions like Windows Server Update Services (WSUS) and third-party patching tools do not manage these updates, which can create a challenge for regulated customers who must report on patch status: scanning tools used by auditors need to recognize the difference between M365 and traditional Office builds. Update control does exist, but through different tooling: the update channel and a pinned target version can be set with Group Policy or the Office Deployment Tool (or managed through Microsoft Configuration Manager), and that is how you hold back a build that breaks an Office-integrated application.
  • Microsoft 365 applications utilize a feature called Click-to-Run. This streaming installer, first used with Office 2010 and the default delivery method since Office 2013, delivers the applications, features, and patches for Microsoft 365 and Office 2019. Our experience is that Click-to-Run can use a significant amount of bandwidth if you are installing Office applications or large updates on multiple systems simultaneously.

Is licensing through Microsoft 365 less expensive than traditional licensing?

For most customers the biggest question is: "Is licensing through Microsoft 365 less expensive than traditional licensing?" The answer is "It depends!" Microsoft 365 licensing could be financially attractive if:

  • Your business always updates to the latest release of Office.
  • You want the flexibility of per user licensing.
  • You want to take advantage of the licensing of up to 5 devices for multiple systems, mobile devices, home use, etc.
  • You need a simplified update process that works anywhere the PC has Internet connectivity.
  • You need to use the browser-based applications for a specific function or employee role.
  • You plan to implement one of the Office 365 back-end services.

Microsoft 365 Back-End Services

Microsoft provides several cloud server applications through Microsoft 365, including Exchange Online (email), Skype for Business (voice and messaging collaboration, since retired in favor of Microsoft Teams), SharePoint (file collaboration), and OneDrive (file storage and sharing). These back-end services can be implemented individually, or as part of a bundle with or without the Office applications depending on the plan. Exchange Online versus on-premises Exchange is the comparison receiving the most attention from our customers.

What should I look for when performing due diligence?

The security and compliance of back-end Microsoft 365 services is not significantly different than any other cloud-based application or service. The areas to research include:

  • External audit attestation – SOC 1/SOC 2 reports under SSAE 18, or similar
  • Data location residency – production and failover scenarios
  • Data privacy policies – including encryption in transit and at rest
  • Contracts and licensing agreements
  • Intellectual property rights
  • Service Level Agreements – service availability, capacity monitoring, response time, and monetary remediation
  • Disaster recovery and data backup
  • Termination of service
  • Technical support – support hours, support ticket process, response time, location of support personnel

A few more things to consider...

As a public cloud service, Microsoft 365 has several challenges that need specific attention:

  • The business plans listed on the primary pricing pages may include applications or services that you don't need. All of the various features can be confusing and it's easy to pick the plan that is close enough without realizing exactly what's included and paying for services you will never use.
  • Most of the back-end M365 services can integrate with an on-premises Active Directory environment to simplify the management of user accounts and passwords. This provides a "single sign-on" experience for the user with one username and password for both local and M365 logins. Microsoft has several options for this integration (password hash synchronization, pass-through authentication, and federation through AD FS, all configured through Azure AD Connect), and each has significant security implications that should be reviewed very carefully: the synchronization server and any federation server become as sensitive as a domain controller, and MFA for cloud logins must be enforced by Azure AD (or by AD FS in the federated case), since on-premises AD does not supply a second factor.
  • Microsoft has published several technical architecture documents on how to have the best experience with Microsoft 365. The recommendations are especially important for larger deployments of 100+ employees, or customers with multiple physical locations. One of the notable recommendations is to have an Internet connection at each location with a next-generation firewall (NGFW) that can optimize Internet traffic for M365 applications. Redundant Internet connections are also strongly recommended to ensure consistent connectivity.
  • The default capabilities for email filtering, encryption, and compliance journaling in Exchange Online may not provide the same level of functionality as other add-on products you may be currently using. Many vendors now provide M365-integrated versions of these solutions, but there will be additional costs that should be included in the total.
  • Microsoft OneDrive is enabled by default on most Microsoft 365 plans. Similar to other public file sharing solutions like Dropbox, Box, and Google Drive, the use of OneDrive should be evaluated very carefully to ensure that customer confidential data is not at risk.
  • Several other vendors provide Microsoft 365 add-on products that provide additional functionality which may be useful for some businesses. Netwrix Auditor for Microsoft 365 can provide logging and reporting for security events in your M365 environment. Veeam Backup for Microsoft 365 can create an independent backup of your data to ensure it will always be available. Cloud Access Security Brokers (CASB) such as Fortinet FortiCASB and Cisco Cloudlock can provide an additional layer of security between your users and cloud services such as M365.

Discover why the default retention policies of Microsoft 365 can leave your business at risk.

It is certainly a challenge to research and evaluate cloud solutions like Microsoft 365. Financial institutions and other regulated businesses with high-security requirements have to take a thorough look at the pros and cons of any cloud solution to determine if it's the best fit for them.

CoNetrix Aspire has been providing private cloud solutions for businesses and financial institutions since 2007. Many of the potential security and compliance issues with the public cloud are more easily addressed in a private cloud environment when the solution can be customized for each business.

The combination of Office application licensing with back-end services like Exchange Online can be a good solution for some businesses. The key is to understand all of the issues related to Microsoft 365 so you can make an informed decision.

Contact CoNetrix Technology at techsales@conetrix.com if you want more information about the differences between Aspire private cloud hosting and Microsoft 365.


 

If you are like most leaders in an organization, you don't have the time or motivation to do any sort of cybersecurity assessment to mitigate risk. It's easy to question security testing and ask, "why bother." After all, doesn't it take a lot of effort to do security testing when it may not turn up any results?

However, much like a regular visit to the doctor's office for our physical health, you should find ways to regularly "check up" on your organization's cybersecurity posture. Much like a check-up with a doctor, finding irregularities or vulnerabilities early allows you to implement mitigating controls before they cause harm.

How do you manage your cyber risk? What vulnerabilities are you facing? How can you know?

In this article, we are going to discuss five "check-ups" you can do now to secure your future.

Internet Exposure and Vulnerability Assessment (IEVA)

Let's start with the external evaluation. It is similar to a doctor asking questions and poking around: not really an invasive procedure, and by no means does it catch everything, but it lets the doctor look for warning signs and make an informed decision about next steps.

The same kind of external evaluation should be performed for your network. We like to call this an "Internet Exposure and Vulnerability Assessment," or IEVA for short. An IEVA identifies how a potential attacker could target your systems from outside your network. It reviews the controls protecting your external presence, including your perimeter devices, exposed servers and applications, and the encryption configuration of the services you publish (for example, the TLS versions and certificates on your public endpoints).

Evaluating the external perimeter of your network allows you to identify vulnerabilities in your first lines of defense. This level of knowledge allows you to focus your resources, both money and time, on the areas with the biggest impact, making your security more efficient and effective.

An IEVA is a great place to start, but remember, this is a high-level observation. For a full assessment of external vulnerabilities, there is always one step further you can go: a full external network penetration test. You can think of this as a referral from your primary care physician to a specialist. A penetration test may run some of the same scans, but it goes on to attempt exploitation of what it finds to show what an attacker could actually reach, so more thorough and more intrusive tests may be performed.

When it comes to assessing the status of your external perimeter, consider the following questions.

  • Have you had an external vulnerability assessment or penetration test performed on your network?
  • How often are these assessments performed? Is that frequency sufficient to ensure your external perimeter remains secure?

A strong external perimeter will dissuade an attacker as well as alert you to persistent attempts, allowing you to be proactive instead of reactive.

Internal Vulnerability Assessments (IVA)

Let's continue with the doctor analogy. When a doctor finishes his high-level assessment, he sends you over to have lab work done. These tests are a bit more invasive and look at things that could be wrong or right internally. With results from the lab, the doctor can make a more precise diagnosis about the status of your health, seeing if previous recommendations were working as intended, or if changes needed to be made.

An "Internal Vulnerability Assessment," or IVA, works in similar ways. An IVA is a credentialed (authenticated) scan run from inside the network, ideally with enough privilege to read patch levels and configuration on every host. That often means a domain account; if it needs domain admin rights, use a dedicated scanning account, restrict where it can log on, and rotate its password after the engagement. This scan identifies vulnerabilities that exist inside your network: outdated software, missing patches, weak or outdated protocols, weaknesses in system hardening procedures, and many other known vulnerabilities.

With this information the Information Security Officer can recommend additional controls that target these specific vulnerabilities, making your information technology infrastructure more secure and your remediation effort more efficient.

When assessing the status of your internal network, consider the following questions.

  • What types of internal assessments have you performed on your network?
    • How frequently do you conduct those assessments?
    • Do these assessments test all your internal controls?
  • Are the controls working as intended?
    • Are they mitigating the known threats as designed?
    • What proof are you relying on to verify the controls are working as intended?
    • If not, what are your short-term and long-term plans for addressing those weaknesses?

Knowing your vulnerabilities and addressing them is an ongoing process. Threat landscapes are constantly changing, as are the vulnerabilities facing your organization. Constant evaluation and upkeep are required to maintain a secure environment.

Security Awareness Training

Another way a doctor might help you physically is to provide some literature on natural ways to improve health. As you may know, people adapt to the culture that surrounds them when it comes to healthy living. If those around you eat healthily and exercise, then you are likely to do so as well. 

Culture sets the tone for nearly everything we do in life and security awareness is no different.

When assessing the status of your organization's security awareness culture, consider the following questions.

  • Is maintaining a high level of information security part of your culture, or is it a compliance box to check?
  • Does your security awareness training focus solely on policies, or does it apply to your employees' personal and professional lives?
  • Do your policies reflect security or convenience?
  • Is information security addressed both formally and informally throughout the year?
  • In your governance structure, who is accountable for the level of training provided (e.g., IT Director, ISO, CEO, etc.)?

For security awareness training to be impactful, it needs to happen frequently, be relevant to its audience, current in its content, and start at the top of the organization.

According to a survey of financial institutions conducted by Tandem, a CoNetrix Security partner, 79% of respondents stated they believe cybersecurity awareness training directly reduces the risk of security incidents. Download the 2020 State of Cybersecurity Report for additional trends and insights.

Simulated Phishing Tests

When you visit the doctor, he asks if you exercise, how frequently, and for what duration. The more you exercise, the better you feel. The better you feel, the more exercise you are willing to do.

Simulated phishing tests are similar to exercise. At first, your employees will think you are out to get them. But the more times they pass the test and recognize the phishing attempt, the more confidence they will have going forward, knowing they have the ability to thwart the bad guys.

An unfortunate, yet simple truth is that the human asset is any organization's weakest point when it comes to information security. This is why phishing (or variants thereof) remains the most frequently carried out cyber-attack. A particularly scary problem with phishing is that every time you put a control in place, attackers find a way around it. For instance, phishing used to be primarily about delivering a malicious file, getting the recipient to install the file, and thereby granting the bad guy access. Today, this is still an employed tactic, but it is just as likely that the attacker is trying to get the recipient to divulge important information.

Phishing tests should be frequent in nature and the results should be used to drive security awareness training. In the areas where you see success, highlight those in your next training. In the areas where you see weakness, follow up with an increased focus on identifying key elements of the phishing attempt.

Send out multiple types of phishing emails, requesting unique recipient interaction (e.g., download a file, ask for credentials or other confidential information, request immediate action, etc.). Maybe try vishing (phone calls) or smishing (SMS messages). Let your employees know that the principles for each type of social engineering are the same, and the outcomes are equally devastating.

While clicking a link or providing information is a failure, what the employee does once they have succumbed to the attack is equally important. How quickly did they notify the appropriate personnel? Was it quick enough to minimize the damage that could have been caused if the phishing email had been real? Is this part of your security awareness training?

When assessing the status of your organization's simulated phishing training, consider the following questions.

  • How often do you send phishing tests to your employees?
  • What are you doing with the results?
  • Are you diversifying the types of phishing tests carried out?
  • What do you deem a "failure"?
  • What type of follow-up training do you provide?

Phishing is so prevalent because it works, and it only takes one person to make that vital mistake. Awareness is the most important control you can put in place when mitigating this threat.

Strategic Planning

When you visit a doctor's office, it is common to discuss your family's medical history. You will look at issues that you could potentially face in the future and determine a strategic plan to help secure your future. The plan will often include recommendations based on your current health, and frequently includes a recommendation to consult with a specialist as a preventative or early detection measure.

Identifying threats allows you to put controls in place to mitigate what you know. Having a strategic plan in place allows you to prevent or respond quickly to the unknown.

Everything we've talked about up to this point can help you identify where you are, but what is your plan to address the identified issues? How do you transition from identification to detection and prevention? How can you develop a sustainable plan? There are some basic elements, essential to any information security program, that all organizations should factor into their strategic plan.

  • A Business Continuity Plan, based on an impact analysis for each business unit to promote resilience and create restoration plans, in the event of a business disruption.
  • An Information Security Risk Assessment to identify the threats your organization faces and the controls in place to mitigate the risk of those threats.
  • An Incident Response Plan to document how your organization is going to handle an information security incident when it happens.
  • Information Security Policies to define the overarching principles your organization will follow when it comes to users, system hardening, and use of organizational or personal assets.

When assessing the status of your organization's strategic plan, consider the following questions.

  • What is the status of the organization's information security program?
  • When is the last time the program was tested?
  • What types of training and/or testing are you performing?
  • Is the information security program part of your organization's strategic plan?
  • If not, does your organization have the expertise or knowledge to change that?

If you are not sure about the status of your organization's information security program, or if necessary expertise does not exist, it may be time to look at a consultant to help put a plan in place for moving forward.

Securing Your Future

Sometimes, we all need a helping hand. When it comes to something as important as your health or the security of your network, an independent evaluation can help offer the tools you need to secure your future. If you work in a regulated industry, I look forward to hearing how your next audit, examination, and/or consultation goes, and the improvements you decide to make as we all mature together.

For your next steps towards securing your future, learn more about how CoNetrix Security can help at https://conetrix.com/security.

At CoNetrix we've helped many customers implement Multi-Factor Authentication (MFA) over the past year. Most of these implementations have been to support employees working from home or migration to cloud-based services such as Microsoft 365.

Overall, I consider MFA to be a positive approach to improving account security and preventing unauthorized access due to phishing or weak passwords. But as MFA becomes more common, are there any "gotchas" that we need to consider?

I recently encountered a situation where a user was getting prompted for an MFA "allow" through a smartphone app when they weren't actively trying to log on. This type of non-interactive login using MFA is potentially dangerous because the user can become desensitized and automatically click "allow" or "approve" without knowing whether it is a valid login attempt. Obviously, this completely defeats the purpose of using MFA in the first place.

How do we prevent this problem?
- Ensure your MFA solution is configured so it is only used for interactive logins and not background processes or services.
- Train users that they should only see an MFA prompt when they are trying to log in, and that they should never approve logins automatically.
- If the above are not practical or effective, then consider configuring MFA to require the user to enter a code instead of approving through a push alert.
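One way to find out whether the first problem exists in your environment is to check authentication logs for push prompts that no interactive login explains. The script below is an added example, not part of the original post or any CoNetrix tool; the log format, event names, and the 60-second pairing window are assumptions, and the sample log lines are constructed.

```python
"""Flag MFA push prompts that were not preceded by an interactive login attempt.

Added example: the log layout (timestamp user event login_type), the event
names and the 60-second pairing window are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: timestamp user event login_type
SAMPLE_LOG = """\
2021-03-02T08:00:01 alice login_attempt interactive
2021-03-02T08:00:03 alice mfa_push_sent -
2021-03-02T08:00:09 alice mfa_approved -
2021-03-02T13:15:00 alice login_attempt non-interactive
2021-03-02T13:15:02 alice mfa_push_sent -
2021-03-02T13:15:05 alice mfa_approved -
2021-03-02T22:40:11 bob mfa_push_sent -
2021-03-02T22:40:14 bob mfa_approved -
2021-03-02T23:05:00 carol mfa_push_sent -
2021-03-02T23:05:30 carol mfa_denied -
"""

PAIR_WINDOW = timedelta(seconds=60)  # a push this soon after an interactive login is expected


def parse(log_text):
    """Turn the whitespace-separated log into (datetime, user, event, login_type) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, event, login_type = line.split()
        events.append((datetime.fromisoformat(ts), user, event, login_type))
    return events


def unsolicited_pushes(log_text):
    """Return one finding per push with no interactive login by that user in the
    preceding PAIR_WINDOW; 'approved' records whether the user accepted it anyway."""
    last_interactive = {}  # user -> time of their most recent interactive login attempt
    pending = {}           # user -> index of their unanswered unsolicited push
    findings = []
    for ts, user, event, login_type in parse(log_text):
        if event == "login_attempt" and login_type == "interactive":
            last_interactive[user] = ts
        elif event == "mfa_push_sent":
            prev = last_interactive.get(user)
            if prev is None or ts - prev > PAIR_WINDOW:
                findings.append({"time": ts.isoformat(), "user": user, "approved": False})
                pending[user] = len(findings) - 1
        elif event == "mfa_approved" and user in pending:
            findings[pending.pop(user)]["approved"] = True  # the desensitized "allow"
        elif event == "mfa_denied":
            pending.pop(user, None)
    return findings
```

Approved findings are the ones to follow up on with the user and the service that triggered the push; a push the user denied still shows that a background process is prompting them.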

Multi-Factor Authentication is a great solution for providing an additional layer of security to protect our businesses. However, like any technology, we need to carefully consider the implementation and how it will affect our employees.