The Holiday of Threats: Cybersecurity Over the Thanksgiving Weekend

Cyber threat actors know that as we approach the holidays our lives get considerably busier, which means less focus on business tasks and communications. They use this lull in focus, planning, and policy reviews to their advantage. Thought leaders in the cybersecurity industry warn us of this every year at this time, but some of us just can’t seem to get past the turkey, family time, and the shopping ads showing up in our emails.

Be mindful of phishing emails and smishing texts

Phishing attacks peak during the holidays and soar by 52% in December, typically around Thanksgiving, Black Friday, Christmas, and New Year.

Between deals and sneaking in “one last email” before putting on the Out of Office, there is an increase in the number of emails and texts received over the holiday weekend. Alongside your favorite retailers, threat actors are also increasing the volume of their attempts. One of our favorite pieces of advice from our podcast episode “How to Recognize and Report Phishing” is to slow down and avoid taking any action (opening, clicking, forwarding, etc.) on emails or texts while you’re distracted. (Yes, that includes while you’re enjoying a slice of pie while watching the Vikings game). The U.S. Navy SEALs’ phrase “Slow is smooth, smooth is fast” is a reminder that the best way to move fast in a professional setting is to take your time, slow down, and do the job right.

So, how do you know if it’s a phish or smish? Some of the top ways to easily spot them are:

  • The sender’s email address looks almost right but contains extra characters or misspellings
  • There are misspellings or bad grammar either in the subject line or anywhere in the body
  • They address you with generic terms (“Mr.” or “Ms.” or “Dear Customer”)
  • The message is tailored to instill a sense of urgency
  • The messages promise a refund, coupons, or other freebies
  • The company logo in the email looks low-quality or outdated or isn’t the correct logo


Over half (56%) of Black Friday spam emails received between October 26 and November 6, 2022 were scams. Take a look at a couple of examples of what these may look like.

[Images: an example Amazon phishing email and an example jewelry phishing email]

Be careful of fake sites

Amazon-related phishing sites approach 900 on Amazon Prime Day.

So what is a fake site?

Just remember the old adage about wolves in sheep’s clothing. By looking like something harmless, spoofed websites trick visitors into letting their guard down and disclosing sensitive information. Fake sites are designed to look like the sites they’re mimicking, down to the logo, branding, and content. Login pages and form submissions are popular targets for spoofers since they can yield high-value information. Fake websites are often accompanied by phishing emails. The email contains a link to the site and encourages you to click it, often using urgent or alarmist language like “verify your account credentials immediately!” or “unusual account activity detected!”.

How to spot a fake site:

  • Incorrect URL 
    Sometimes this means the web address is “off,” like it’s missing a letter or uses a number substitution for a letter (think: “amaz0n” or “fac3book”). Other times, scammers make up URLs that sound plausible because they use words we commonly associate with that business. An example is “” which is not associated with Symantec or the Norton Anti-Virus program.
  • Insecure website
    All encrypted websites have two features you should look for: a padlock symbol in the browser window and a URL that starts with “HTTPS”.
  • Typos and misspelled words
    Just like in the phishing and smishing guide above, misspelled words are a red flag.
  • Low-resolution images or fake imagery
    Spoof sites often don’t look quite right. They’re not as sleek or polished as the high-end companies they’re trying to mimic. They use low-resolution images that look fuzzy or pixelated. They may use an incorrect or outdated version of a company logo. Sometimes the whole site just feels off, like it’s been built using a low-end template.

Avoid using work emails when signing up for Black Friday deals

You’re getting ready to snag that limited-time deal and your phone auto-fills your business email address. We’ve been there, but here are 5 reasons why you should avoid using your business email for personal purposes:

  1. It makes profiling easier
    Before sending a phishing email, cybercriminals harvest information online, using specialized tools to learn which address someone uses on social networks, online platforms, and more. Using a business address for nonbusiness purposes makes you easier to profile, thereby making you more vulnerable to spear-phishing in the first stage of an attack on the company.
  2. It facilitates spear-phishing
    Cybercriminals choose the tactics that they think will earn the click. If they learn you’ve used your business email address to register elsewhere, let’s say a retail store online, then they know you’re likely to fall for a phishing email. All they have to do is disguise their message as a legitimate notification from that retailer that you really are registered on.
  3. It provides criminals with a smoke screen
    Typically, all a cybercriminal needs for an attack to succeed is time. That’s why many services send a note to the account holder if you or anyone else tries to log in from an unknown IP address or attempts to change the password. Of course, to get ahead of the hackers, you need to know about those warnings as soon as possible. The last thing you need, then, is a flood of notifications burying them in your mailbox. If you’ve linked your address to outside resources, when hackers (or their bots) begin trying to brute-force your social network and other personal accounts, your inbox will quickly fill with warnings and alerts.
  4. More mass phishing and malware in the inbox
    When it comes to securing customers’ data, not all online resources were born equal. Leaked databases are a popular resource with mass spammers, who simply buy lists of addresses to flood with malicious links or phishing messages. This means that the more resources you tie to your business mail account, the more potential threats you’ll see in your inbox.

Now that you’re using a personal email, make sure it’s paired with a strong password

36% of people engage in bad password habits because they believe their accounts are not valuable enough for hackers. (LastPass). Now pair that with the stat from Verizon Data Breach Investigations Report, that compromised passwords are responsible for 81% of hacking-related breaches. Needless to say, a key part of overall information security is securing your passwords.

What makes a password weak versus strong? According to NIST guidelines, a strong password meets the following criteria:

  • A strict eight-character minimum length
    Conventional wisdom says that a complex password is more secure. But in reality, password length is a much more important factor because a longer password is harder to crack if stolen. We recommend a unique randomly generated password for each site as part of a best practice for password usage.
  • Not changed periodically
    Many companies ask their users to reset their passwords every few months. However, frequent password changes can actually make security worse. It’s challenging enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as ! instead of I).
  • Doesn’t Include a “Password Hint”
    With the constant dissemination of personal information on social media or through social engineering, the answers to these prompts are easy to find.
  • There is a limit to how many times the password can be attempted
    Many attackers will attempt to gain access to an account by logging in over and over again until they figure out the right password (brute-force attack). 
  • Used with Multi-Factor Authentication (MFA)
    The NIST guidelines now require the use of multi-factor authentication for securing any personal information available online. Multi-factor authentication (MFA), also known as two-factor authentication (2FA), requires that users demonstrate at least two of the following in order to log in:
    • “something you know” (like a password)
    • “something you have” (like a phone)
    • “something you are” (like a fingerprint)

Avoid unprotected wifi while traveling

The same feature that makes free Wi-Fi hotspots desirable for you makes them desirable for hackers: they require no authentication to establish a network connection. This creates an amazing opportunity for access to unsecured devices on the same network.

What are the dangers of using public wifi?

  • Malware, Viruses, and Worms
  • Rogue Networks
  • Network Snooping
  • Log-in Credential Vulnerability
  • System Update Alerts
  • Session Hijacking

So how do you stay protected when you need to connect to wifi while away from home?

  • Use a VPN
    Encourage employees to use a virtual private network (VPN) when connecting to a free, public WIFI. A VPN establishes a secure, encrypted tunnel from a device to the internet.
  • Install anti-malware on devices
    Apply anti-malware and Endpoint Detection & Response (EDR) to all employee devices to block unauthorized, malicious access. Further, ensure all employee devices have up-to-date software to leverage any newly released security or bug fixes.
  • Turn off WIFI auto-connect
    Encourage employees to avoid auto-connecting to WIFI and Bluetooth.
  • Check website security
    Train employees to check for HTTPS in the website’s URL before entering any confidential information.
  • Build employee security awareness
    Many employees using public WIFI are likely unaware of the security threat to their business data and devices. So, provide consistent security awareness training to ensure your employees are up to date on the dangers of using public WIFI and well-versed in measures to protect information shared over these networks.
  • Get a password manager
    As discussed earlier, using strong passwords is crucial. Password managers are a digital tool that can encrypt and securely store all passwords, as well as generate unique passwords for different accounts. This can limit the scale of a cyberattack even if a hacker gets access to one password through an infected public WIFI network.

It might be a holiday weekend, but that doesn’t mean you shouldn’t be vigilant.

Have additional questions or want help implementing tools? We’ve got an in-house team and additional tools to look deeper into your systems, but those are best discussed in person. Think of this as a gentle nudge, get in touch with the team at CIT, and let’s review your security plan. Email us or call today.

Want to learn more? Listen to our podcast while traveling

A Brief Guide to Identity Federation Frameworks

One of the challenges in designing and implementing a cybersecurity program is reconciling the somewhat disparate goals of establishing and maintaining secure systems while preserving end user access and efficiency. You can implement the most secure system in the world, but if your end users can’t access your systems or access them efficiently, it’s all for naught. One of the solutions that has been used to bring these goals more in line is the concept of federated identities. A federated identity is an identity, i.e., a user account, that is shared among multiple systems.

You’re likely familiar with this concept just from using everyday websites like Twitter, Reddit, LinkedIn, and Spotify, which all allow you to log in to their websites with your user account from certain other websites (such as Google, Apple, Facebook, and Microsoft). For example, I can log in to my LinkedIn account using my Google account. In this example, my Google account is acting as a federated identity that I’m allowed to “share” with other websites (thus allowing me to log in to these sites with my Google account using what’s referred to as single sign-on or SSO). This is due to a trust relationship that has been established between those websites and Google.

There are several benefits to both organizations and end users when implementing federated identities and SSO. End users don’t need to create and remember passwords for every site they visit, thus making them less likely to use insecure passwords. With the advent and increased popularity of the concept of federated identity, several frameworks have been developed to implement SSO using federated identities. Frameworks provide standard mechanisms that can be used to design these systems, but they do not specifically define how those mechanisms must be implemented. Thus, design and implementation can vary from system to system. Below is a brief synopsis of the most common frameworks in use today.

SAML (Security Assertion Markup Language)

  • SAML is used for authentication and authorization.
    • Authentication is the concept of verifying your identity, often via a username and password, but also via some forms of advanced authentication such as push notifications, text messages, or phone calls. 
    • Authorization occurs after authentication and defines what the verified end user should be allowed to access, i.e., what permissions the end user has. 
  • The most recent version is SAML 2.0, but the previous version, SAML 1.1, is also still being used in various capacities. 
  • SAML is both a framework and a type of token. Think of a token like an access card that you would use to access a building, except in this case the token is entirely digital and is used to access websites or other digital systems. 
    • A SAML token is XML encoded. 
  • It is commonly used with browser-based applications, like websites. It is less commonly used with desktop or native applications and mobile applications, because the XML token is more difficult to use with these kinds of applications given its large size. 
  • The SAML framework supports both IdP (Identity Provider)- and SP (Service Provider)-initiated flows (a flow describes how the traffic is routed). An IdP is a service (such as Google) that stores and manages a user’s federated identity. An SP is a separate service (such as LinkedIn) that has a trust relationship with the IdP and is configured to allow its users to log in with their IdP identities. 
    • SP-initiated flow: A user accesses the login interface of a service (the SP) they wish to utilize. The SP will then redirect the user to the IdP to login (usually either after the user enters their username or after they’ve indicated they wish to sign in via an IdP). At the time of this redirect, the SP sends an authentication request to the IdP. Once the IdP authenticates the user’s identity, it generates a SAML token (also known as a SAML assertion), which contains various required and optional information. This information usually includes the authenticating user’s username, statements about how and when the user authenticated with the IdP, and may include other information about the user, such as their name, email address, phone number, etc. Additionally, the SAML token may include authorization information that will indicate to the SP to which resources the user is allowed access. This SAML token is then sent to and validated by the SP. The SP uses this token to authenticate (and authorize, if such information is included) the user.  
    • IdP-initiated flow: A user signs in to their IdP (such as Microsoft) and initiates a login to a preconfigured (often third-party) application (the SP), usually via an application dashboard. The SP does not initiate the authentication flow via an authentication request, rather the flow is initiated from the IdP. Once the user is authenticated and attempts to access the SP from the IdP, the IdP generates the SAML token, as described above, and sends it to the SP, which uses it to authenticate (and possibly authorize) the user. 
    • While the framework supports both flows, not all IdPs and SPs support both. The SP-initiated flow is the most frequently supported of the two types. 

WS-Fed (WS-Federation)

  • WS-Fed is used for authentication and authorization.
  • It is predominantly used for federation services for Microsoft products, such as Microsoft 365.
  • It has an authentication flow that is similar to SAML. It also supports IdP (aka STS) and SP-initiated flows. 
  • WS-Fed uses a SAML 1.1 token for authentication and authorization.

OAuth (Open Authentication)

  • Used on its own, OAuth is only used for authorization. The current version in use is OAuth 2.0.
  • OAuth supports three different flow types: authorization code flow, implicit flow, and hybrid flow.
    • Authorization code flow is the most common of the three. Implicit flow is no longer recommended for various security reasons, including token leakage. 
  • It can be used with browser-based applications, desktop or native applications, and mobile applications. 
  • The OAuth framework does not prescribe a particular token type, but JSON web tokens (JWTs or “jots”) are frequently used. 
  • OAuth is considered consent-based authorization and it will often involve the user being asked to agree to third-party access to their information and/or to allow the third-party to take some action on the user’s behalf. 
  • Example: You’ve (the resource owner) downloaded an application called Shop (the client), which is a shipment tracking app, to help you keep track of the status of your online purchases. Shop has an integration with Gmail, which allows it to read shipment confirmation emails and pull this content into the app to be tracked. When you first initiate this link to your Gmail account, the app will redirect you to Gmail. During this redirection, the app sends a request to Gmail (sent to the authorization server) asking for specifically defined access (defined using scopes) to your Gmail account. Once you’re logged into Gmail (OAuth does not handle this part, remember it’s only used for authorization), it will prompt you to consent to the access being requested by Shop. Once you approve this access, Gmail will generate an access token, which only allows access to that to which you’ve consented. The access token is sent to Shop to be used to access your emails (it can be used to access what’s known as the resource server). 
    • Prior to OAuth, the standard way to allow this access was to give Shop your Gmail username and password, thus allowing it unfettered access to your Gmail account. This is, of course, not ideal for many reasons. With OAuth, you do not provide credentials directly to Shop and Shop only has the limited access to which you’ve consented. 

OIDC (OpenID Connect)

  • OIDC is used for authentication and authorization.
  • It runs on top of OAuth 2.0 and adds authentication.
  • The OIDC framework prescribes JWTs as the required token type. 
  • Like OAuth, OIDC is a framework that supports three flows: authorization code flow, implicit flow, and hybrid flow. 
  • Just like with OAuth, the client (known as the relying party in OIDC terms) receives an access token from the authorization server to be used to access the resource server. With OIDC, the client also receives an ID token, which includes claims. Claims are key:value pairs that include information asserted about the authenticating user (aka the resource owner). As an example, firstname:Kelsey is a claim that might be included in an ID token.
    • The claims that are to be included in the ID token are defined in the request from the client to the authorization server using scopes.
      • Scopes are used to define what information the client can access about the resource owner, as well as what actions the client can take on the resource owner’s behalf. A request sent by a client using OIDC will always include a scope of openid. OAuth does not define any particular values for scopes; they must be pre-configured between the client and the authorization server. OIDC, on the other hand, does define a few standard scopes, which include standard claims. As an example, the profile scope includes seven standard claims (name, given_name, family_name, middle_name, nickname, picture, and updated_at). 
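As an added example (not code from the original article), the following shows both halves of the OIDC exchange described above: the authorization server builds the ID token’s claims from the granted scopes (using the seven profile claims the text lists plus the standard email scope; OIDC Core defines more), signs it as a JWT, and the relying party performs the issuer, audience, expiry, and nonce checks before trusting any claim. The user record, shared HS256 key, and issuer/client identifiers are constructed samples; real IdPs normally sign with RS256.

```python
"""Added example: OIDC ID token built from scopes, signed as a JWT, and verified
by the relying party. Standard library only; key and identifiers are constructed."""
import base64
import hashlib
import hmac
import json

# Scope -> standard claims. 'profile' uses the seven claims the text names
# (OIDC Core defines more); 'email' is another standard OIDC scope.
SCOPE_CLAIMS = {
    "openid": (),
    "profile": ("name", "given_name", "family_name", "middle_name",
                "nickname", "picture", "updated_at"),
    "email": ("email", "email_verified"),
}

# Constructed sample user record held by the authorization server (the IdP).
SAMPLE_USER = {
    "sub": "user-12345",
    "name": "Kelsey Example",
    "given_name": "Kelsey",
    "family_name": "Example",
    "nickname": "kels",
    "picture": "https://idp.example.test/kelsey.png",
    "updated_at": 1700000000,
    "email": "kelsey@example.test",
    "email_verified": True,
    "phone_number": "+1-555-0100",  # never released: no scope above covers it
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_id_token_claims(user, scopes, issuer, client_id, nonce, now, ttl=300):
    """Authorization-server side: select claims according to the granted scopes."""
    if "openid" not in scopes:
        raise ValueError("not an OIDC request: the 'openid' scope is missing")
    claims = {"iss": issuer, "sub": user["sub"], "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    for scope in scopes:
        for name in SCOPE_CLAIMS.get(scope, ()):   # unknown scopes grant nothing
            if name in user:                        # omit claims the IdP does not hold
                claims[name] = user[name]
    return claims


def sign_jwt(claims, key: bytes) -> str:
    """Compact JWS using HS256 (toy choice; production IdPs normally use RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, key, issuer, client_id, nonce, now):
    """Relying-party side: the checks OIDC requires before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    claims = build_id_token_claims(SAMPLE_USER, ["openid", "profile"],
                                   "https://idp.example.test", "shop-client", "n-1", 1700000500)
    token = sign_jwt(claims, key)
    print(verify_id_token(token, key, "https://idp.example.test", "shop-client", "n-1", 1700000600))
```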

13 Safe Internet Habits Everyone Should Practice

We all enjoy using the internet, but the internet monitors everything we do. Everyone needs to take safety precautions to protect data and information. Over 90% of our daily activities take place online. Think about what would happen if the internet disappeared for a single day. No doubt, businesses, and individuals will suffer significant losses. Security awareness is essential since attackers are becoming more sophisticated every day.

Here are some measures you may take to make sure you have excellent online hygiene.

  1. Don’t take the bait: Always hover over the URL in your email before clicking.
  2. Type the actual web address into the browser: Don’t click on unknown links in your emails.
  3. Don’t use the same password everywhere: Use different passwords for different accounts.
  4. Use a password manager: Store passwords in a password manager.
  5. Configure MFA authentication: Set up MFA and, rather than relying on one-time passcodes, use an MFA app such as Duo, Google Authenticator, or others.
  6. Update devices when an update is available: Always update devices when new patches are released.
  7. Do not enter financial information on websites that are not secured: Look out for the HTTPS and not just the HTTP.
  8. Lock credit or debit card: Lock your cards if you suspect a suspicious transaction, and do not shop online with a debit card.
  9. Protect personal information with the use of a strong password.
  10. Keep the browsers up to date: Older versions don’t usually have updated protection in place.
  11. Keep passwords out of your browser: Always disable autofill.
  12. Change Wi-Fi passwords regularly and do not trust public Wi-Fi: Use a VPN all the time to encrypt traffic both at home and in public places.
  13. Back up personal data.

We live in the information age; the most expensive commodity is no longer crude oil but information; therefore, “the bad guys” would do anything to have access to people’s information for monetary gain and other purposes. Allowing the wrong person to know things about you can cause incredible damage. Before you take any action online, stop, think, observe, and act.

Social Engineering 101

In today’s day and age there are thousands of buzzwords and acronyms in the IT world: “Did you update the MX DNS record so that the SMTP server can relay correctly?”, “Is your next-gen Anti-Virus product EDR, MDR, or XDR?”, “How does your CDN mitigate DDoS attacks?”. Riveting conversation for the everyday person, right?

What if I told you that 98% of attacks were due to simple exploitation of trust or authority and that 70% of data breaches start from that exploitation? In the security world, it is called Social Engineering.  

Social Engineering Methods 

Social Engineering simply put is the act of tricking users into divulging sensitive information through influence and persuasion.

All social engineering attacks fall into one of six categories: 

  1. Reciprocity – “You scratch my back, I’ll scratch yours.” 
  2. Commitment – “We previously agreed to this, now I need you to take action.” 
  3. Social Proof – “Everyone else is doing it.” 
  4. Authority – “Consequences will happen if it’s not done.” 
  5. Liking – “We are friends, I need you to take action.” 
  6. Scarcity – “It’s available for a limited time, you need to act quickly.” 

Social engineering attacks come in many forms…

…but in the end, the goal is to acquire sensitive information. It can be through email (phishing/spear phishing), phone calls (vishing), text messaging (smishing), baiting, scareware, or pretexting.  

  1. Phishing – This is the most common method for social engineering. This is the act of sending an unsolicited email to a user prompting action. You may receive an email from “Your IT Team” prompting you to update your password by clicking this convenient link. You could have won the lottery and all you need to do is enter your information to claim it. Never trust those Nigerian princes wanting to share their wealth with you. 
  2. Spear Phishing – This is a variation of phishing but is more targeted. An attacker will send a very targeted email to a user with details specifically related to the person, company, or role. The goal of this type of attack is to compromise a high-value target.  
  3. Vishing – A variation of phishing but over the phone. An attacker will call a user and request information posing as a trusted person or authority.  
  4. Smishing – Another variation of phishing where an attacker will send crafted text messages prompting access to a “trusted” site. This is common in bank account compromises. 
  5. Baiting – An attacker will provide bait to a user to pique their curiosity or greed. This is often done through malicious USBs or enticing advertisements. The end goal is to compromise a device through non-direct methods. 
  6. Scareware – This involves bombarding a user with prompts of compromise in a browser or email. The attacker will pose as a trusted authority, Microsoft, Apple, or your IT team, requesting you to call a number to resolve the issue. 
  7. Pretexting – An attacker will contact a user posing as a co-worker, person of authority, or trusted entity through crafted lies to gather information or divulge the user’s identity. It is common to gather social security numbers, addresses, phone numbers, vacation schedules, and other company information. 

Prevention Methods 

Your organization will never be able to stop a social engineering attempt, but there are many ways to make sure it is not successful.

  • User Training: This is one of the best ways to stop a social engineer from successfully acquiring information. If a user is trained to recognize an attack, they are less likely to fall for it. 
  • Be suspicious: If an entity is requesting you to do something, ask questions and verify their identity before divulging information. This could be as simple as calling the person back on a known phone number or discussing the item in person. Don’t open attachments in emails if you are not sure who sent them. If the offer is too good to be true, it probably is.  
  • Antivirus/Antimalware: Keeping your antivirus/antimalware up to date and set to automatic updates will make sure if you accidentally open a malicious document, it will act on that file. 
  • Multifactor Authentication: In the event of an attacker getting your username and password it is best practice to have Multifactor on all accounts. Having MFA greatly decreases the likelihood that an attacker will be able to gain access to your account. If you ever get an unexpected call/text/notification report it to your IT team as soon as possible. This is an indication that someone knows your password.  

What GM Auto Dealers Need To Know About The New FTC Safeguards Rule

Updated March 17, 2023

Have you received notice from GM that, as a dealership, you must meet the FTC Safeguards Rule by June 9th, 2023?

The FTC has stated that the Safeguards Rule applies to all businesses that control or process nonpublic personal information about consumers for whom they provide goods or services, or whose data they hold. It also applies to any business that is affiliated with another company that falls under the Safeguards Rule requirements.

What are the Safeguard Rule’s Requirements?

1. Designate a Qualified Individual to implement and supervise your information security program

This person should have significant knowledge of information security. The FTC recommends that you make sure this person has the ability to:

  • Identify possible security risks
  • Evaluate potential solutions
  • Develop policies and procedures to address those risks
  • Ensure that the policies and procedures are followed
  • Add project management and organization
  • Report clearly and concisely to the board of directors 

2. Conduct a risk assessment

The risk assessment is to be performed periodically and must be used to guide the continued updating and enforcement of your information security program. A written record of these risk assessments must be maintained.

3. Design and implement safeguards to control the risks identified, including:

  • Implement and periodically review access controls
  • Know what you have and where you have it
  • Encrypt customer information on your system and when it’s in transit
  • Assess your apps
  • Implement multi-factor authentication for anyone accessing customer information on your system
  • Dispose of customer information securely
  • Anticipate and evaluate changes to your information system or network
  • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
  • Regularly monitor and test the effectiveness of your safeguards

Importantly, customer information is defined very broadly under the Safeguards Rule so the safest practice is to consider any information a customer provides (even simply their name) as covered customer information.

4. Train your staff

Everyone in your dealership needs to understand the importance of protecting customer data. Dealerships must implement policies and procedures to ensure employees are properly enacting and carrying out the information security program, including through security awareness training, utilizing qualified information security personnel to carry out and oversee the information security program, and keeping staff up to date on newly-identified risks or threats so that the information security program can be continuously fine-tuned and updated to address emerging risks. Staff at different levels will need different training based on role.

5. Monitor your service providers

Dealerships must ensure that service providers or third parties that have access to their customer information maintain safeguards commensurate with a dealership’s own information security program, periodically assess their level of access to such information, and evaluate whether the safeguards they maintain are sufficient. Dealerships must take steps to monitor their service providers’ compliance with this rule.

6. Keep your information security program current (this must be updated yearly at a minimum)

Evaluate security programs and adjust them in light of the results of testing and monitoring. It should always be a priority to stay updated on everything that’s going on with your security systems.

7. Create a written incident response plan

A written incident response plan is a document that details how your dealership will respond if there is an unanticipated breach of your information systems or exposure of customer data. The plan should include, but is not limited to:

  • The goals of your plan
  • Guidelines for internal and external communications and information sharing regarding the incident (e.g., what to say to customers, the media, and other stakeholders)
  • Clear delineation of roles and responsibilities for decision-makers in dealing with the incident
  • An internal process for responding to an incident (e.g., determining whether or not it was caused by someone within your organization) and correcting any issue that has arisen
  • An internal process for investigating when it looks like something has happened but no one knows exactly what happened yet
  • Training materials so that everyone can learn what their role is in responding to an incident
  • A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned

8. Require your Qualified Individual to report to your Board of Directors

The designated Qualified Individual must report in writing, at least annually, to the dealership’s board of directors or equivalent governing body on the status of your dealership’s information security program and compliance with the Safeguards Rule as well as material events related to information systems security and the implementation and enforcement of your information security program.

What are the consequences if the Safeguards Rule’s requirements aren’t met by June 9th, 2023?

Failure to abide by requirements can come at a price. Companies that receive this Notice and nevertheless engage in prohibited practices can face:

  • Lengthy oversight periods or disabling access to information systems
  • Civil penalties of up to $46,517 per violation
  • Prison time of up to five years

Source: Notices of Penalty Offenses | Federal Trade Commission

CIT Helps Your Auto Dealership Remain in Compliance with The FTC Safeguards Rule

There isn’t a DIY fix to meet these requirements. Our Cybersecurity and Managed Services teams have worked with Minnesota and Western Wisconsin GM dealerships to make sure they are ready for these requirements, and any future compliance needs. Avoid the consequences coming June 9th and contact our team today.

Technology For Business Podcast Season 1 Episode 1: Multi-Factor Authentication (MFA): The basics and why does my business need it?

Join Todd Sorg (COO and CISO) and Nate Schmitt (Director of Cybersecurity) from CIT as they chat about all things MFA. Whether it’s examples of MFA/2FA or addressing employee concerns when implementing MFA they’ve got advice for your small to medium-sized business.

Want to connect with our speakers? Email or call 651.255.5780.

00:00:01 Kelsey Welcome to the first CIT Tech for Business podcast. Today we’re sitting down with Nate and Todd and we’re going to talk about multi-factor authentication, our first acronym, we’re kicking off strong. MFA, leading in, you guys. First off, tell us a little bit about you and what is MFA?

00:00:18 Todd Thanks, Kelsey, I am Todd. I am CIT’s Chief Operations Officer. I am also our Chief Information Security Officer. I’ll let Nate introduce himself and he can kick off the MFA overview as well. 

00:00:31 Nate Yeah, and my name is Nate. I’m our director of cyber security here at CIT. Just help oversee the operational components of our department.

So multi-factor authentication, also known as two-factor authentication, is really, at its core, basically another form of authentication and there’s multiple variants to this, but essentially it’s a mix of something that you have, something you know and something that you are, and as long as you have two of the three of those to log into a system, that’s what multi-factor or two-factor authentication is. 

00:01:13 Nate 

So what does that look like? Something that you know is likely going to be something like a password or a PIN code. 

Then there’s something that you are. That’s something that’s going to be like biometrics. So for example, in order to log into some computers, you need to touch your fingerprint or you know you see things on you know some of those crime shows where they’re doing the iris scanning to get into the secure facilities. That’s something that you are. 

Then there’s something that you have, and this is where this is most common in business.  Uhm, due to you know, privacy concerns with the biometrics and everything, but something you have is something that’s going to look like either your cell phone and, you know, in order to do like a push notification to it, it’s going to be something that could be a USB that you have to plug in. 

So I have in front of me a hardware token that, in order to log in after I put in my password, I plug into my computer. I touch it and it just activates and sends off another code, so that’s another form. Then they even have ones, I have another little hardware token in front of me which looks like a little credit card. This is something where it has a little battery in it. I click on it, it generates a 6-digit code and then from there I enter in that code as well. 

So I put in both my password and a code from something that is in my possession, so that’s what multi-factor is in general. 

00:02:51 Nate 

Where is it used is a whole different discussion, and I’ll let Todd take that over. 

00:02:58 Todd 

But I wanted to back up just to hear before we went too far where we use it. 

It’s been around for decades. It’s not a new technology.

People have been using it for banking where you get a text message. Or something along those lines, and that’s typically referred to as 2FA, but the reason why? 

The reason why I interrupted Nate is I just kind of wanted to back up and say why do we use it, right? And the biggest reason that typically comes up, and everybody that’s here can kind of expand on it, is that people typically have issues with passwords. 

Passwords are painful, they’re difficult to remember, so people tend to make them easy to remember, and that’s, you know, your phone number, your childhood best friend, whatever it is, your pet, and what makes matters worse is that people then use that password everywhere. And if you’re looking at social media or LinkedIn, your work, your work email and accounts, etc. More often than not, most people tend to reuse it over and over and over. 

00:03:52 Todd 

Again, inherently what ends up happening is if something ever happens, and it could be anything. If you’re in the Twin Cities, there was a Star Tribune hack, there was also a hack that happened on the meters in downtown Minneapolis where they were able to take account names and passwords and post that through what’s referred to as the dark web, and once that’s been out there, if you’ve ever had that information harvested from you, it’s now out in the wild.

So how do you protect it? 

That’s where multi factor comes in. 

So I just wanted to make sure we covered that piece real briefly, so we’ve got that whole picture of what it is, where it came from, why we’re worried about it. 

But the answer is, passwords are bad. People hate them, and we could get into that a little bit later on. You know, what can we do about it?  Can we rely more on biometrics at some point in the future? But it’s a little bit off topic of where we’re at at the moment. 

Uhm, where most people will try to implement a multi-factor authentication tool set is anything that’s quote-unquote “Internet facing.” More often than not, one of the larger threats that we’re seeing in our business, and this has been true for years, we’ve been kind of banging the drum on multi-factor for about five years at least. And that’s how I bet that’s the idea. So you could kind of see a correlation there, but email is probably the biggest, so Microsoft has done a really nice job of pushing everybody in the cloud. Google is doing the same. They’re huge providers. 

Once people move their email to the cloud, some of the inherent security that was in having email inside an organization started to be exposed to the Internet. 

And typically most people were signing in with the email address. Which is more often than not, first name, last name, first letter, last name or vice versa, and then at the company, so that part is super easy to figure out and then you just start going down the list, right? It’s winter, 2022, exclamation point and so on. Then I’m in. 

So in order to protect that that’s where multi factor is coming along. 

00:05:47 Nate 

Yeah, a quick stat that comes to mind. So this was all the way back in 2019, but Microsoft did push out an article, and I’m sure that the numbers have only increased since then, just given the nature that people continue to move to the cloud. But back in 2019 Microsoft put out an article that said their login services for this, or their cloud services, have attempted logins over 300,000,000 times a day that were fraudulent, and so the article is saying if you implement multi-factor authentication on the accounts it reduces the risk of account compromise by 99.9%, right? 

Everyone, there’s a couple different attacks that people are going to take to try and get to your account. Phishing. You know, we’ve talked about phishing here at CIT many, many times, but phishing, for those that don’t have the full understanding on it, is that an attacker will send you a fraudulent email attempting to elicit your username and password, and then they’ll use that to log into your account, so it’s a fraudulent way of capturing your credential. 

That’s one method, one of the other common methods which for example Todd had mentioned is password reuse. 

If you’re compromising one account, you reuse the same password and it’s leaked out on the dark web, you take that and go attempt to log into other services with that, and then the last one is just what they call password spraying, or password stuffing. You just attempt to push as many passwords as possible for a particular user until one is successful, right, and by having the multi-factor, all of those methods are defeated. 

Uhm, there are some considerations to take into play which we can get into a little bit later too, but, for the majority, if you just implement multi-factor, you reduce about 99.9% of all attempts to log into the system fraudulently. 

00:07:54 Todd 

But you kind of mentioned that already about the statistics. Do you have a rough idea of what number of attacks are coming from email, so we can use our own examples of what we’re seeing most of our customers suffer? Does it typically end up being, in the world of cyber security they refer to it as business email compromise. 

Do you have a sense on how many attacks we see coming in through email specifically? 

00:08:22 Nate 

Even if we take a look at CIT systems, if I pull up any given day, there’s hundreds of them, right? It’s just the simple fact of the password. Spraying is real, right? Everyone has our email addresses. It’s entered in someone’s database dump, right? Because for example, if we continue to push on things like the Star Tribune or the Minneapolis parking that was compromised, right? And they had the email addresses. If you have ever used your work account for that, it’s floating out there. It’s on a list. People are just going to attempt it with all the common passwords. There’s some big password lists out there that are known to be highly effective because people tend to just pick bad passwords across the board so, yeah…

…it’s hundreds of times a day for any organization, even if you’re small. 

00:09:18 Todd 

Yeah, yeah, I think that’s great. It’s a great key.

Once upon a time we used to talk about organization sizes and people used to say, hey, I’m way too small to be attacked, and that really isn’t the case anymore. 

Statistically, it’s something along the lines of 56-60% of all attacks happen against small businesses, and the reason is because it’s easy, they don’t always have the wherewithal, the technical ability to understand what they should be doing, and so on and so forth, so the attacks are real and it does impact everybody. 

I’m sure people see it even happening at home. I get stuff from PayPal and Apple and you name it, I get attacked all the time that I need to click on something or reset something all the time. Uhm, staying on statistics. The reason why I asked Nate about the percent of attacks is I think it’s still somewhere in the high 90s of all attacks that are coming in tend to be phishing, and that’s somewhere in the high 90s. 

And as he mentioned, if you can protect services and your identity with 99.9%. I mean that’s significant, right? And the number one tool being MFA. 

There are some statistics we can share this out to, you know, you probably for those that are listening, won’t be able to see this, but we can share it in the channel. And if you’re interested, we can find ways to get you the information as well, but there was the United National Cyber Security chief said that 80 to 90% of all attacks, not just email. All attacks can be circumvented by having multi-factor in. So how we started out? This meeting is what is, but what’s the threat and what are you doing about it? 

Ultimately, that’s why we keep talking about multi-factor authentication. One last statistic, in case you’re wondering, well, sure this has been something we’ve talked about for years. We’ve got it statistically, there was 55% of all organizations have multi-factor enabled only 55% so only half and even in those cases a lot of times people are. Very picky and choosy on how they do it, so they may only do it with their tech team. Or they may only do it with their administrators and so small number of organizations. I shouldn’t say small ’cause half US is a significant number…

…but half (of businesses) still don’t have it, so it’s a major problem and it is still where we see most attacks coming from and can be circumvented by putting multi factor in place. 

00:11:31 Tara

So Todd, maybe I have a question about that – You mentioned that there’s over half of organizations that don’t have that. Why do you think that is? What barriers are they looking at (in order) to be like, I don’t have time to do MFA? Talk a little bit more as to why that’s the case. 

00:11:50 Nate 

I think that, right, your question answered one of them. They don’t see that they have time to implement it, right. Often these are slightly lengthier engagements. You know, it doesn’t need to be complicated, but the more time you put into ensuring that it’s a smooth process, the smoother the adoption is going to be. It’s easy to just go into a system and say everyone has it on. 

That’s where your user friction is going to come into play, and absolutely everyone is going to be upset that day as they are trying to sign into things. 

So user adoption is. One of those items that you need to be pretty cognizant of when you’re implementing it. There’s also some additional strategies that you need to take in order to actually implement it successfully. 

So for example, if the user friction is, “I don’t want to put this code in every single time I’m logging in.”

You can do things to say, well, maybe let’s bypass multi-factor from within the office, right. There is some residual risk there that maybe the organization is willing to accept because, for the most part, if someone does have the password and they are attempting to log in, it will likely come from outside of the office. That doesn’t mean that maybe that user’s computer is compromised and there’s some type of script that calls in from internally, but again, the likelihood is significantly. 

So if your employees are constantly working from the office, you could still bypass multi-factor. 

The larger you put that bypass you know, maybe it’s the the state the the country, right? The bigger the risk becomes, but there are strategies that you can implement without. 

I’d say the other (user friction) one is cost.

There’s a lot of different multi-factor solutions out on the market, so if you’re only looking at doing something like email, all of the major email providers now are implementing it or offering it for free, right? You can implement it in Office 365, G Suite. There’s no additional cost. 

If you’re looking to use some type of third-party service, then you’re going to start seeing those licensing costs, you know, more of a per-user cost there. The other component that I would say is – how far do you want to implement multi-factor across the organization, right? 

You know Todd mentioned that the most common one that’s going to be abused is going to be your email system, so start there. Then you can start looking at other services as well, such as your VPN, critical business applications. Once you start wanting to implement multi-factor on those additional systems, that’s where some of the paid services come into play, because they do extend out to additional services and different protocols. User friction: cost. 

I think the other big (user friction) one that I’ll let Todd maybe expand on a little bit more is executive buy in. 

Yeah, I would say the two things that I would say by far are the biggest thing that I see as resistance is, more often than not, when you go through it you are going to put a little bit of friction in between your employees and them getting work done. 

00:15:21 Todd 

Uhm, the typical pushback that you will get back from that employee is (action description – I’m holding up my phone This is my phone.) The company doesn’t pay for it. I am not putting your business application on my phone. 

The reality is, there are ways to start to build up the adoption, right? So you can be a little forceful with it and you say, OK, great, well we’re just going to give you a token. We’re going to give you a business phone, and bear with me when I walk through some of this because I’m not actually encouraging you to go out and buy 100 phones. But when you start to go, hey employee, I’m going to give you 2. I’m going to give you a phone and they’ve got their own personal one. 

They’re going to think, “I don’t want two phones just to avoid putting in the six-digit code”, and they’ll usually adopt it. Or you give them a token and they’re like, “This is inconvenient. I have to make sure I have it with me when I’m logging in from home. I gotta go grab my keys ’cause it’s on my keychain.” Whatever the case may be, that’s usually where they’re kind of pushing back and then inevitably what ends up happening is you go OK, well, here’s a solution, here’s a solution, here’s a solution (action description – holding up fingers to count all three items).

They’re (the user is) like, “The reality is, it’s so convenient to just have it on my phone that I carry with me everywhere anyway. I’ll just go ahead and do it and the reality is, it’s not really all that complex.”

It’s not a heavyweight thing, it’s not dipping into any of your personal information. It’s just an app and it’s only doing a couple of things. It’s either generating a 6-digit code or longer, or it’s pushing you with content that says, is this you?

When it comes to Executive adoption (the thought is that) it is inconvenient. 

A lot of people don’t want to be bothered. I’ll give a good example. And as I said, multi-factor’s been around for ages. Back many, many years ago in the early 2000s I had joined an organization and the very first thing I did was (our remote connection is really insecure) (say) “Let’s implement multi-factor”, and I implemented it. It probably lasted about a month before the CEO said, “I can’t stand it. Turn it off.” Uhm, now? 

The security threats weren’t nearly what they are today, but I learned a lot during that time too, so one of those strategies, or several of the strategies Nate covered already, is you start small.

It starts (with) going, well, let’s start with a small group that are my power users. Maybe that’s it, and then you get a few other people that go OK. It’s working. It really isn’t that bad and you start to expand it. Or you lessen some of the security requirements, as Nate said, you can make an area trusted, it’s work, work is trusted, I’ve got the adoption in. People are getting used to the fact that when I’m at work I don’t get prompted, when I’m at home I do, OK. It’s not a big deal and then you go OK, we’re going to ratchet it up a little bit. We’re going to add another location. We’re going to add another application. We’re going to whatever, and so you can continue to build on the security and you can get that buy-in just naturally. 

You know, probably many people have heard the term, and I don’t mean this in a derogatory way, it’s a bit of a boiled frog scenario, as you start to do it they realize, you know, it really isn’t that bad. Not that we’re trying to boil our employees, but you know conceptually you just do it a little bit at a time and you’re improving your security as you go. 

00:18:23 Nate 

So one last user friction that I wanted to call out that’s not as common, but it does come up from time to time, is union policies.

So if you want to have an employee start downloading an application on their phone or start carrying around, you know, a phone just for phone calls and stuff, sometimes union policies will say, well, you need to start reimbursing the employees for that. There is a cost associated with that, and so that definitely feeds into some of the other considerations.

That’s sometimes where hardware tokens come into play. You know, it’s maybe a $20 hardware token, right, and that’s a one-time cost. It’s not recurring, so you can still implement multi-factor without having to, you know, start reimbursing for cell phones or paying for the phones outright. 

It’s one that I don’t commonly hear, but on more of the production environments, you know, and I’m not going to get deep into compliance here, but things like CMMC, right? It’s starting to ask for multi-factor. CMMC tends to be a lot of the manufacturing firms where there’s a lot of union employees, so. 

00:19:40 Todd 

Yeah, I’ll expand on the compliance piece too. I mean, there’s a lot coming up. If you’re in any compliance industry, health care, finance, you name it. As Nate mentioned, manufacturing, it’s going to be something that you’re probably already experiencing. As I mentioned, you know you’ve been being prompted for an additional code from your bank for days for weeks, months, years, whatever the case may be, it is coming in. 

This is just me expanding a little bit, in my opinion…

…Compliance is coming and it’s going to be expanding over the next five years, so there are going to be reasons why you’re going to have to adopt something like this. 

So if the threat of cyber attacks isn’t enough, there are going to be other things, and you can already see it’s happening. So This is why I’m saying it. 

If you look over the last year, the Biden administration had come out and said the cyber attacks are getting worse and worse. We’re spending tons of money. We’re constantly under attack. What are we going to do about it? They built out an executive order and they specifically say you’ve got to have MFA, if that’s not enough, the insurance companies are doing it too. 

So if you’re looking at cyber security insurance, almost everybody is asking for it at this point. Uhm, they’re going to be looking forward as well. Uh, as I’m going down this compliance thing, I’ll wrap this up briefly and I’ll pass it back to Nate. But as you’re looking at the compliance thing, I was actually working with one of our customers and they were going through the insurance process and they don’t have any of the compliance from CMMC, healthcare, any of that. But the insurance organization had come in and they did what I would consider pretty much a full IT audit where they were looking at data diagrams. They’re looking at security protocols. I mean, it was everything, so I actually went on site and met with the insurance adjuster just to make sure that we covered all of the information that we needed to cover, and it was significant. It took an hour and obviously MFA is included in that. 

It’s kind of the way life insurance used to be where with life insurance you could just sign on the dotted line (and) off you went. You got a whole bunch of coverage and that’s changed over the years to whereas the underwriting is going (to say) now I need blood work and I need to wait. You and I need health background and family history and yadda yadda. 

It’s just gonna get worse, and where I was going with it… and like I said, I was going to wrap that up quickly and I didn’t, so I’ll stop talking and pass it back to Nate. 

00:22:02 Kelsey 

Yeah, can I interrupt for just a hot second, as we’ve kind of gone down the compliance path and all of these good things. Kind of looking back at if you’re having user friction and you’re having people there, like, “I don’t want to do it. I don’t have this code pushed to my phone. It’s too much work.” Why is it effective at actually preventing these attacks? What is it doing for me?

I’m like yeah I get it, I get the phone, I put it (the code or push notification) in and congratulations. So we’re saying yeah, it’s 99, or over 99% effective? Why? 

00:22:30 Nate 

Yeah, a good question there. Before I jump into that. While Todd was talking, I decided to go look at our system here just to see how many of that password spraying attempt I saw in our system in the last 24 hours. It was just shy of 200 attempts, right? I can see the logs, so again, we’re not a big company by any means. It happens all the time, so. 

Why is it (MFA) so effective, right?

So if I just called out, there’s nearly 200 attempts in the last 24 hours to password spray our environment there. The reason why it (MFA) is so effective is, even if a password is compromised the threat actor is not going to have the other form of multi-factor, or the second form, or the third form of multi-factor. 

In order to get into the system. So, for passwords, I’ve shown this to people before, I say here’s a dummy account in, like, a Gmail or something, right? Here’s the password. I’ll give you 100 bucks if you can get into that, because I have the multi-factor keys here. It just doesn’t happen. I’ve never paid someone out, because they would have to retrieve that file from me or that hardware token from me in order to get into place.

So, where we typically see multi-factor fail is not the technology in itself. 

It’s still the user. 

So there are websites that will try and capture the multi-factor token and pass it through to the legitimate site and then redirect the user, so they’ll still log in, but it’s the user who has fallen for a fraudulent website, still entered in their password and given up the multi-factor code, gave both of them to the attacker. Then the attacker just goes and logs in, and you know there is a timing on these tokens where maybe they’re good for five minutes. Maybe they’re good for 15 minutes. It allows for users to have a grace period to access their phone sitting on the desk, access the email, access the text message, so if you give it up right away, and then you hand it over to someone immediately, they’re going to use it first, right? 

I just worked with another organization where their multi-factor was a phone call, right? 

So this is actually a pretty common attack method at the moment, it’s called MFA bombing.

So what you do is you just bug the user enough until they just say “I can’t take it anymore”, accept the phone call, and that was the phone call that was the MFA prompt and the attacker just logs in, right?  

So in the instance that I was looking at with that other customer, it was attacker tried to log in, was prompted with a 6 digit code. They weren’t able to get that, so then they switched over to the backup which is a phone call. Sent the user a phone call. It failed because the user didn’t accept it. 30 seconds later sent another one. It failed. Sent the next one. The user said “I’m sick of this call” accept, and the attacker logged in, so yeah. 

00:25:47 Todd 

Another one I’ll throw in. We don’t see this as often in the endpoint of this is you still need training when you deploy the tool, but we have seen people that have deployed the push technology so that is when you log in and you get a push to your phone that says was this really you? You know we have had people that have been attacked where someone was like, “yeah, I just logged in” and they’ve allowed the attacker in even though they didn’t personally sign in. So there is kind of a training aspect that goes with it. 

Uhm, one last thing that I kind of wanted to dive into – I know we talked about the threats and the attacks and whatnot, but as we’re wrapping this up I just kind of wanted to re-illustrate some of the real concerns, and ultimately, we talked about compliance. We talked about the threats, we talked about all of that stuff. The reality is the reason behind that is because of the cost, and the cost is built up from a lot of different things. 

From the ransomware, if you get attacked from ransomware, more often than not nowadays they start around $1,000,000 and they start to get talked down to something real. It includes downtime, it includes unproductive employees, etc. Statistically, the last time I looked at it we were somewhere on average, so that’s average across all SMB market, not if you’re a bigger company. You get bigger ransomware, etc. It’s about $500,000, downtime about two weeks, so that’s fairly significant, and if I can deploy something like MFA and protect 90% to 99.9%. It’s something you really gotta start to consider and go, “boy, I can reduce my risk by $500,000 in a given year.” 

That’s probably (worth it for) something that’s little bit of friction, a little bit of build up. We can find a way to move forward. It’s a good way to start looking at it and thinking about it and go where do we go from here? 

00:27:33 Nate 

Yeah, and the one thing that I’d add to that is the cost is going to be dependent on the application or system that the threat actor is obtaining access to, right? So Todd was mentioning ransomware, that could have been multi-factor on a VPN for example, right, someone had a compromised password, attacker gets into the VPN. Most companies don’t have a dedicated demilitarized zone or DMZ for VPN users, they just say once you pass through, you have full access to the network. 

That’s where those ransomware costs are going to come into play. 

It could be something like your email system, right? Someone in there just obtaining data. Maybe it’s a fraudulent wire transfer that they’re trying to set up, whatever that number is it could be 10,000, I’ve dealt with the ones that are $500,000 wire transfers, right? 

It’s just a matter of; What are they accessing? What are the costs? and whatever…

…the ransomware remediation costs are I promise that it’s far more than the cost of implementing multi-factor at the end of the day.

00:28:39 Todd 

Yeah, so kind of as a last thought from me (and Nate can jump in on this too if he’s got any) but the last thing I have is we did talk about, sometimes there’s friction, sometimes there’s a technical hurdle, if you will, because there are ways to go about it, there’s paid solutions etc. Obviously if you need help, reach out to your trusted partners. There’s a lot of help out there, or of course you can go do your Google searches as well. 

So in the end when you need help, reach out. Reach out to those (technology partners) that you trust and you can get some good support from. 

00:29:07 Nate 

Yeah, I guess my final closing thought is:

Everyone is scared of user friction, but in almost every case, it ends up being more of a concern that doesn’t always come to fruition, right, is that the impact is actually fairly minimal if you implement it correctly. So, a lot of those concerns are unfortunately just not fully grounded based on facts, right? Just feelings. 

00:29:41 Kelsey 

Awesome, thank you so much Todd and Nate for sitting down and chatting about MFA and all of the things that we could go into it. I’m sure that you guys would love to chat with anybody for an extended period of time about any of this that we could tangent on a lot of things. But that wraps up our first Tech for Business podcast here today. 

If you guys have more questions that you want to ask feel free to reach out to or give us a call 651.255.5780 or we’re also online at, but that’s our little marketing spiel on there that. 

We’re here to answer your questions anytime about any cyber security needs or technology for business, and we will chat with you guys next week. 
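The MFA bombing sequence Nate describes above (several rejected or unanswered prompts for one user, then an approval a short time later) is the kind of pattern an identity provider’s audit log can surface. The detector below is an added example written for this page, not CIT tooling or a real IdP’s log format; the event names, field layout and sample lines are constructed for illustration.

```python
"""Flag possible MFA fatigue ("MFA bombing") in authentication audit logs.

Added example for this page; the log format is constructed, not a real
identity provider's schema. A deployment would map its IdP's events onto
the REJECTED / APPROVED names below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Prompt outcomes that count as the user *not* accepting an MFA prompt.
REJECTED = {"mfa_prompt_denied", "mfa_prompt_timeout"}
APPROVED = "mfa_prompt_approved"

# Constructed sample lines: "<ISO timestamp> <user> <event> <source_ip>".
# Addresses are from the RFC 5737 documentation ranges.
# alice: three refused/unanswered prompts, then an approval (the pattern).
# bob:   a normal login, approved on the first prompt.
# carol: one denial and no approval at all.
SAMPLE_LOG = """\
2022-06-01T08:00:05 alice mfa_prompt_sent 203.0.113.7
2022-06-01T08:00:25 alice mfa_prompt_denied 203.0.113.7
2022-06-01T08:00:55 alice mfa_prompt_sent 203.0.113.7
2022-06-01T08:01:10 alice mfa_prompt_timeout 203.0.113.7
2022-06-01T08:01:40 alice mfa_prompt_sent 203.0.113.7
2022-06-01T08:01:50 alice mfa_prompt_denied 203.0.113.7
2022-06-01T08:02:20 alice mfa_prompt_sent 203.0.113.7
2022-06-01T08:02:31 alice mfa_prompt_approved 203.0.113.7
2022-06-01T09:15:00 bob mfa_prompt_sent 198.51.100.4
2022-06-01T09:15:06 bob mfa_prompt_approved 198.51.100.4
2022-06-01T10:00:00 carol mfa_prompt_sent 192.0.2.9
2022-06-01T10:00:30 carol mfa_prompt_denied 192.0.2.9
"""


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_fatigue(events, min_rejections=2, window=timedelta(minutes=10)):
    """Return one alert per approval that follows at least `min_rejections`
    rejected or unanswered prompts for the same user inside `window`.

    A single denial followed by an approval is normal (user fat-fingered
    the first prompt); a run of denials capped by an approval is the
    fatigue pattern worth a SOC ticket and a credential reset.
    """
    recent = defaultdict(list)  # user -> timestamps of recent rejections
    alerts = []
    for e in events:
        user = e["user"]
        # Forget rejections that fell out of the sliding window.
        recent[user] = [t for t in recent[user] if e["ts"] - t <= window]
        if e["event"] in REJECTED:
            recent[user].append(e["ts"])
        elif e["event"] == APPROVED:
            n = len(recent[user])
            if n >= min_rejections:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "source_ip": e["ip"],
                    "rejections_before": n,
                })
            # An approval ends the prompt burst either way.
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA fatigue: {alert['user']} approved a prompt at "
              f"{alert['approved_at']} from {alert['source_ip']} after "
              f"{alert['rejections_before']} rejected/unanswered prompts")
```

Pair the alert with the password-spray signal the transcript also mentions (many failed first-factor attempts for the same user from the same address) and the combination is a strong indicator that the approval was coerced rather than legitimate.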

Is Your Company Ready for a Cyberattack?

Can you ever be ready for a cyberattack—yes, you can!

Asking if you are ready for a cyberattack is like asking if you are ready for an accident. When an accident occurs, you can have insurance and the coverage you need to take care of the problem—with a cyberattack, if you have a cybersecurity partner on your side, you can do the same.

If you are not already prepared for a cyberattack, it is imperative you understand the serious and imminent dangers of an attack.

With global cybercrime damages predicted to cost up to $10.5 trillion annually by 2025, having a quality cybersecurity service is no longer an option, it’s a requirement. Hackers are coming at your company from all angles, intent on stealing (or holding hostage) your most valuable assets, and you need to be ready.

It’s no longer a matter of, “you should probably do something about that,” it’s a, “you NEED to make the necessary adjustments as soon as possible,” and here’s why.

Cybercrime costs organizations $2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches. It takes 280 days to find and contain the average cyberattack, while the average attack costs $3.86 million. Companies in the United States have the highest average total cost at $8.64 million per breach, and it is estimated that half of all data breaches globally will occur in the United States by 2023. If you haven’t already, take a minute and look at one of the many cyber threat maps to see how many attacks are detected every second—there are hundreds of thousands every day!

That’s why you need to understand what kinds of threats you are up against and how your defenses will fare.

A cybersecurity partner can help ensure the safety of your company’s most critical assets. The reason to rely on a cybersecurity partner is that teams like ours are full of cybersecurity experts who have the extensive education and experience needed to combat various types of cyberattacks. If you have some kind of cybersecurity product installed on your network of devices, you are going to be able to prevent a good number of attacks, but without an expert who constantly reads reports and anticipates the different attacks, you are at risk. Experts don’t need to turn to an incident response manual every time there appears to be a threat. You need a team to be on constant lookout for things such as zero-day attacks and other unseen threats that may appear.

Attacks can come from your cloud, servers, firewalls, SDS systems, personal devices, and more.

With a threat detection solution—such as Security Information and Event Management (SIEM) continuously monitoring your environment—you’ll not only get preventative software, but real-time notifications on serious threats, not false positives. In addition, if an attack is detected, our team of experts will start working with you to find a solution within minutes of an attack.

Analysis finds that 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.

Although the reality of cybersecurity threats and malicious attacks is challenging, CIT is here to help you realize your cybersecurity capabilities and risks and provide recommendations for improving your overall defense in-depth for the best possible cybersecurity outcomes.

Let’s discuss!

Combatting Business Email Compromise Risks 

An old scam that keeps reinventing itself with new victims. Don’t become one! 

You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts—but first need their prey to send them money to make it all work to plan. It’s an oldie but goodie. Unfortunately, it’s also one that keeps reinventing itself along with another batch of unwitting victims. In fact, it happens so often, BEC scams currently outdo ransomware as the most damaging cyberattack in the world. 

In fact, according to the FBI’s Internet Crime Complaint Center (IC3), in 2020, losses from BEC exceeded $1.8 billion—that’s a fourfold increase since 2016! The number of BEC incidents also rose by 61% between 2016 and 2020. Using tactics that play off real-time world events, such as COVID-19 or the trust of established interpersonal relationships, criminal elements have managed to stay ahead of the good guys with increased sophistication and swiftness. 

  • Healthcare providers bilked by criminals posing as trusted vendors with access to much-needed personal protection equipment 
  • A large social media firm handed over personal payroll information about employees to an individual they thought was their CEO 
  • A non-profit organization was fooled into transferring a large loan to a business partner right into the hands of the threat actor  

To protect yourself and your business from these types of attacks, employee education is essential. For example, if someone in your accounts payable department receives an email from a business partner requesting that you alter established wire transfer information, be sure your staff are trained to recognize the request as a red flag and to confirm the details of the change directly with their established point of contact. It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised ruse.   

From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection in place to help identify malicious behavior, alert on the threat, and inform the correct response and remediation measures. This would include: 

Monitoring for anomalous behavior, both on-premises and in the cloud  

BEC threats rely on looking like normal user activity. With an increase in remote work, companies are relying more on cloud services like Microsoft® Office 365® which puts data into a complex environment that’s often under-protected. Once threat actors can get access to Office 365, getting to the juicy data is just a few clicks away. Traditional perimeter security tools, such as firewalls, aren’t able to monitor suspicious activity in cloud-hosted applications like Office 365, SharePoint, or OneDrive. The same applies to monitoring of your endpoints for suspicious activity. If a threat actor slips past perimeter defense and acquires user credentials, it will be difficult to identify threats that appear as typical activity. 

Having enough IT Security staff 

When something nefarious goes down, you need to know immediately. Too many businesses lack the ability to dedicate staff to 24/7 monitoring of their environment. If an alert goes off at 1 a.m., the time lost until someone sees it and makes sense of it could be the difference between defense of the business or catastrophic damage. Managed threat detection and response can be a force multiplier if you are unable to monitor your environment 24/7. 

While there are many aspects to improving your defense in-depth, the following from the FBI act as good and effective tips to share with employees to help elevate everyone’s awareness of how to avoid business email compromise attacks. 

  • Be skeptical—Last-minute changes in wiring instructions or recipient account information must be verified. 
  • Don’t click it—Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email. 
  • Double check that URL—Ensure the URL in the email is associated with the business it claims to be from.
  • Spelling counts—Be alert to misspelled hyperlinks in the actual domain name.
  • It’s a match—Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s coming from. 
  • Pay attention—Often there are clues with business email compromise, e.g.:
    • An employee who does not normally interact with the CEO receives an urgent request from them 
    • Data shows an employee is in one location at 1 p.m. but halfway around the globe 10 minutes later
    • Activity from an employee who is supposed to be on leave 
  • If you see something, say something—If something looks awry, report it to your managed service provider or IT Security supervisor. And if you have been a victim of BEC, file a detailed complaint with IC3.
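The "Pay attention" clues above and the earlier point about monitoring for anomalous behavior can be turned into detection logic. The following is an added example, not CIT's or the FBI's code: it runs over a few constructed sign-in records (timestamp, user, latitude, longitude, as a SIEM might normalize them) and flags both impossible travel between consecutive sign-ins and activity from a user recorded as on leave. The ON_LEAVE set and the speed threshold are assumptions for the example.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in events for illustration (not real logs):
# (UTC timestamp, user, latitude, longitude).
SAMPLE_SIGNINS = [
    ("2024-03-04T13:00:00Z", "jsmith", 44.98, -93.27),  # Minneapolis
    ("2024-03-04T13:10:00Z", "jsmith", 1.35, 103.82),   # Singapore, 10 min later
    ("2024-03-04T13:05:00Z", "akhan", 44.98, -93.27),   # Minneapolis
    ("2024-03-04T15:30:00Z", "akhan", 41.88, -87.63),   # Chicago, 2.5 h later
    ("2024-03-04T09:00:00Z", "mlee", 44.98, -93.27),    # user recorded as on leave
]
ON_LEAVE = {"mlee"}      # assumed feed from an HR or calendar system
MAX_SPEED_KMH = 1000.0   # faster than any airliner, so not humanly possible
MIN_DISTANCE_KM = 50.0   # ignore geolocation jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalies(events, on_leave=ON_LEAVE, max_speed_kmh=MAX_SPEED_KMH):
    """Flag sign-ins from users on leave, and consecutive sign-ins by one user
    whose implied travel speed exceeds max_speed_kmh.
    Returns a list of (kind, user, detail) tuples."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon) of that user's previous sign-in
    for ts, user, lat, lon in sorted(events, key=lambda e: parse_ts(e[0])):
        if user in on_leave:
            alerts.append(("on_leave", user, ts))
        if user in last_seen:
            pts, plat, plon = last_seen[user]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (parse_ts(ts) - parse_ts(pts)).total_seconds() / 3600
            # Identical timestamps with a large distance are treated as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= MIN_DISTANCE_KM and speed > max_speed_kmh:
                alerts.append(("impossible_travel", user, f"{speed:.0f} km/h"))
        last_seen[user] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_SIGNINS):
        print(alert)
```

In production the same logic would consume the identity provider's sign-in log rather than a hard-coded list, and the impossible-travel threshold should allow for VPN egress points that move a user's apparent location legitimately.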

To learn more about business email compromise threats and defense against them, CIT can provide you with guidance, education, and technology to strengthen your security posture. Give us a call and let’s discuss.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to help measure the cybersecurity maturity level of contractors across the defense industrial base (DIB), which includes over 300,000 companies. The CMMC is the DoD’s response to a significant increase in compromises of sensitive data located on contractors’ information systems.

When did it go into effect?

September 2020.  Many companies have already been required to meet certain requirements outlined by the DoD to meet CMMC requirements.  The expectation is that CMMC will be a requirement of all new DoD requests for proposals beginning in 2026.

What companies are included?

The certification is applicable to contractors who work directly with the DoD, and to subcontractors who contract with primary contractors to provide fulfillment and execution of those contracts. 

As mentioned above, all contracts with the DoD will include CMMC requirements by 2026.  It is worth noting that the DoD has indicated they intend to issue contract opportunities at all levels of the maturity model, meaning that there will be some number of requests issued that will require only a low level of certification.

What are the levels of CMMC?

The levels of CMMC can be directly related to the security maturity of organizations. They are cumulative, meaning that as organizations implement stronger controls, they can achieve a higher level. The level of maturity may be a differentiator for retaining or gaining new contracts with the DoD.

  • CMMC level 1: Performed. Creation requirements; processes are informal.
  • CMMC level 2: Documented, meaning a security program exists, is documented, and is understood throughout the organization.
  • CMMC level 3: Managed. Tools and processes are in place, consistent, and followed by all within the organization.
  • CMMC level 4: Reviewed. Tools and processes are reviewed periodically and updated as opportunities are identified from review.
  • CMMC level 5: Continuous improvement throughout the organization. The organization has implemented all requirements.

What is included in the review?

The CMMC includes the following cybersecurity domains, all of which need to have at least Basic Cybersecurity milestones to be CMMC compliant:

  • Access control 
  • Asset Management
  • Awareness and training 
  • Audit and accountability 
  • Configuration management 
  • Identification and authentication 
  • Incident Response 
  • Maintenance 
  • Media protection 
  • Physical protection 
  • Personnel security 
  • Recovery
  • Risk management
  • Security assessment 
  • Situational awareness
  • System and communications protection 
  • System and information integrity

Still have questions?

CIT is a Registered Provider Organization (RPO). RPOs are the “implementors” and consulting organizations that help companies achieve the various levels of certification.

Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA

If you’ve spoken to anyone in the cybersecurity industry in the past few years, you’ve probably heard at least once “multi-factor authentication (MFA) is one of the best things you can do to protect yourself and your organization.” But what, you may be asking, does that specifically entail? MFA comes in all different shapes and sizes and like anything else in the cybersecurity and technical worlds, there is a fair amount of nuance in the available technologies. There are many things to consider when attempting to determine what type of MFA is best for you and your organization, including security, ease of implementation, ease of use, cost, etc. Let the below information serve as a high-level overview of those considerations for the four most common forms of MFA: SMS OTP, software TOTP, hardware TOTP, and push OTP.

SMS One-Time Password (OTP) 

  • Description: a random, numerical password, usually six digits, sent via SMS message to a designated mobile device. The password can only be used once.
  • Advantages: easy to implement and better than no MFA at all. It can also be free or inexpensive to set up (disregarding the cost of the mobile phone).  
  • Disadvantages: requires the user to own a mobile phone that can receive SMS text messages. One of the least secure forms of MFA (see Vulnerabilities).
  • Vulnerabilities: susceptible to SMS intercept attacks, wherein the text message is “intercepted” by a cyber attacker who receives the text message instead. SMS intercept attacks can be accomplished in a variety of ways, including SIM-swap scams, mobile number port-out scams, and SMS-stealing malware. Several high-profile security breaches have occurred over the past few years that were the result of SMS intercept attacks, including the 2018 data breach at Reddit and the 2019 compromise of Twitter CEO Jack Dorsey’s Twitter account.
  • Other info: SMS OTP was deprecated by the National Institute of Standards and Technology (NIST) in 2016.

Software Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via an authenticator app installed on the associated mobile device. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once. There are a variety of authenticator apps available, including Google Authenticator, Duo Mobile, Authy, etc.
  • Advantages: more secure than SMS OTP and fairly easy to deploy, though not as easy as SMS OTP. It can also be free or inexpensive to set up (disregarding the cost of the smartphone).
  • Disadvantages: requires the user to own a smartphone and install a mobile app. The security of software TOTP is heavily dependent on the authenticator app being used, as well as the parameters specified by the authenticating server. TOTP relies on a shared secret key that is portable, often shared via a QR code, which makes it susceptible to cloning.

Hardware Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via a hardware token, like a key fob or smart card, with a digital display. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once.
  • Advantages: very secure, as most hardware tokens are difficult to compromise remotely. The use of hardware tokens does not require users to own a mobile device or smartphone or install an authenticator app.
  • Disadvantages: can be very expensive (~$15+ per token). Hardware tokens can be difficult to deploy, as they are set up using NFC, which can be temperamental to use. The hardware tokens, which can be quite small, can be easily lost. Additionally, some hardware tokens, such as Yubikeys, require a physical connection to the device attempting the authentication and are thus not compatible with devices that do not have the token’s connection type (i.e., USB-A, USB-C, Lightning, etc.). Hardware tokens with more than one connection type are available, but they tend to be more expensive.

Push One-Time Password (OTP)

  • Description: a push notification is sent to the user’s device via an installed mobile app, giving the user the option to approve or deny the authentication request. The push notification usually includes the context of the authentication request, such as the IP address and corresponding location from which the login request originated.
  • Advantages: very secure, as the authentication communication is out-of-band and encrypted. Unlike TOTP, push OTP links a single device to the user’s identity, so it is not susceptible to cloning. It is easy to deploy and extremely easy to use, requiring only the click of a button to approve the request. It can be free or inexpensive (disregarding the cost of the smartphone).
  • Disadvantages: possible for users to accidentally approve fraudulent requests. It requires the user to own a smartphone and download a mobile app. Push OTP requires that the smartphone have an internet connection and it is a relatively new technology that is still not widely supported.
  • Other info: often used as a replacement for passwords. The push notification does not usually carry the OTP, but upon approval by the user, a unique OTP is generated internally on the device and sent back to the authenticating server to verify it.