Cybersecurity Awareness Month is bringing cybersecurity to the forefront of discussions here at ClearanceJobs. Cybersecurity affects everyone, from individuals to small firms to multinational corporations. Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency Bob Lord joined us to discuss how businesses and individuals can use multi-factor authentication, or MFA, to improve their cyber posture.
“You’ve always had passwords, but over the past couple of decades, we’ve really started to see their limits,” explained Lord.
MFA is designed to stop most of these types of attacks by requiring users to provide another set of information besides just their login and password. MFA could be app-based, where users download an authenticator app on a mobile device and link it to their account. The app then generates a six-digit code when the user tries to log into that account. Other MFAs are SMS-based, where the user gets a text message or push notification on their phone asking them to confirm their identity when they try to log in.
While some MFA is better than none, certain methods of MFA are less secure. “Push notification MFAs have come under a lot of scrutiny lately because of push bombing,” cautioned Lord. “It’s where the attacker has gotten your name or password. Then they just keep trying to log in, and you keep getting all these notifications on your phone,” said Lord. “Whether because of an accident or just out of frustration, people eventually hit accept.” Lord said the most powerful MFA is through a new technology called Fast IDentity Online (FIDO), which is associated with a physical token that makes it much more difficult to steal.
Most apps and websites don’t require MFA use, but it is usually available. Once the user rejects the use of MFA at signup, they may never be asked again if they’d like to begin using it. This is something Lord hopes to change.
“When we talk about secure by design, we talk about secure by default. There’s no visual difference between your Instagram account if you have MFA and if you don’t,” Lord explained. “Compare that to a car. If you don’t have your seatbelt buckled, the dinging seatbelt sound just keeps going off and getting louder and louder until you buckle up.”
While cars weren’t initially built with safety features like collapsible steering columns and seatbelts, these features are now designed into every vehicle. Lord hopes that similar safety features, like MFAs, will soon be the default for all websites and apps.
Part of CISA’s mission for October is to help people see themselves in cyber, and Lord has an interesting perspective on how that mission can be accomplished.
“‘See Yourself in Cyber’ can be interpreted a few different ways. We want individuals to see themselves being more cyber secure. We also want people in organizations of any size to be cyber champions, to start leading the way, to start nudging the organization to be more secure,” he continued. “Of course, if you’re interested, CISA has job openings, and there’s a lot of really exciting stuff happening across CISA.”
CISA’s website has toolkits that individuals and businesses can use to become more secure, and they help larger organizations prioritize vulnerabilities so they can focus their efforts where they matter most.
SPONSORED CONTENT: This article is written by or on behalf of our Sponsor.