Advice from an expert on cyber insurance coverage

By Kevin Brewer

Mike Foster has been preventing "bad guys from logging in" for 25 years.

A cybersecurity specialist, the CEO of the Foster Institute, and the author of The Secure CEO: How to Protect Your Computer Systems, Your Company, and Your Job, Foster has consulted with organizations throughout North America and delivered speeches all over the world on cybersecurity issues.

Foster's goal is "to make the world a safer place to live and work."

One of his consulting roles is preparing business owners, CEOs, and IT professionals for the application and renewal process of cyber insurance coverage. Below is a discussion about some of the most common questions that insurance companies might ask and Foster's advice on how to address them:

Why do insurance companies ask if an organization uses two-factor or multifactor authentication?

Foster said the reason for multifactor authentication is to prevent an attacker from logging in even if they somehow obtain a user's username and password.

Foster: The most basic form of two-factor authentication is the text message. The user enters their username and password, and then they receive a text message containing a code they must enter to complete the login process, which dramatically increases login security. Other options are more secure than text messages, but text messages are common.

One of the reasons that we need multifactor authentication so much is that some users have the habit of reusing the same usernames and passwords at more than one website.

When attackers figure out a username and a password for one site or service, they will try that same username and password on other sites such as LinkedIn, Facebook, and Microsoft 365. When the attacker starts plugging that same username and password into all these other sites to see if it works, that's a term called credential stuffing. Bad guys use this technique to compromise users that have reused passwords.

That's why multifactor authentication is so important. Even when a bad guy has the username and password per user, the bad guy still can't log on because they don't have that second factor. Attackers can bypass multifactor authentication, but this security control makes gaining access more difficult.
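The credential-stuffing pattern and the effect of a second factor described above, as an added example that is not part of the original article: Python that scans sign-in records for one source trying many usernames, then separates accounts whose password was valid but stopped at the second factor from accounts that were fully logged in. The record layout, outcome labels, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real logs): (source_ip, username, outcome).
# Outcome labels are assumed for this example:
#   "bad_password" - wrong password
#   "mfa_blocked"  - password was correct, second factor not completed
#   "success"      - login completed
ATTACKER, OFFICE = "203.0.113.7", "198.51.100.20"
EVENTS = [(ATTACKER, u, "bad_password")
          for u in ("alice", "bob", "dave", "erin", "frank", "grace")]
EVENTS += [(ATTACKER, "carol", "mfa_blocked"), (ATTACKER, "heidi", "success")]
EVENTS += [(OFFICE, "alice", "success"), (OFFICE, "bob", "bad_password"),
           (OFFICE, "bob", "success")]


def find_stuffing_sources(events, min_users=5, max_hit_ratio=0.3):
    """Flag sources that try many distinct usernames and mostly fail.

    For each flagged source, report which accounts had a valid password
    (the password is known to the attacker and must be reset, even if the
    second factor stopped the login) and which accounts were fully logged in.
    """
    per_ip = defaultdict(list)
    for ip, user, outcome in events:
        per_ip[ip].append((user, outcome))

    findings = {}
    for ip, attempts in per_ip.items():
        users = {u for u, _ in attempts}
        hits = [(u, o) for u, o in attempts if o != "bad_password"]
        # A normal office address shows few usernames and a high success rate;
        # a stuffing run shows many usernames and a low one.
        if len(users) < min_users or len(hits) / len(attempts) > max_hit_ratio:
            continue
        findings[ip] = {
            "distinct_users": len(users),
            "password_known": sorted({u for u, _ in hits}),
            "logged_in": sorted({u for u, o in hits if o == "success"}),
        }
    return findings


if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(EVENTS).items():
        print(ip, detail)
```

An account listed under `password_known` but not under `logged_in` is one where the second factor held; its password still needs to be changed because the attacker has confirmed it works.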

Why do insurance companies ask if an organization provides password management tools to users?

Foster: The beauty of a password manager is that users do not suffer the burden of needing to remember passwords. Having to remember a password is a primary reason people reuse them.

When users have different passwords for all their logins, credential stuffing fails.

Why do insurance companies ask if an organization provides password management tools instead of being satisfied with users letting their browsers remember their passwords?

Foster: Most browsers now — such as Edge, Firefox, Chrome, or Safari — ask you: Would you like to remember the password? That's not a password manager. That's the browser remembering the passwords. Using password managers can be more secure than storing passwords in browsers because attackers often have easier access to browsers than to password managers. Attackers are constantly striving to break into browsers. It's what they do.

A password manager is a separate program, and it frequently has what's called a plug-in to integrate with the browser. Still, it can be much more difficult for a hacker to access usernames and passwords in a password manager than in a browser. Even though browser developers do an excellent job striving to keep the browsers secure, insurance companies feel reassured if the users have password managers.

Why do insurance companies ask if an organization uses geo-blocking or geo-filtering?

Foster said geo-filtering or conditional access by country settings can block connections or authentication requests based on geographic location.

Foster: If you have people that are only logging in from specific countries such as the United States, Canada, Mexico, and Europe, then set up all your systems to only accept user logins from those geographical locations. That way, if somebody tries to log in from another country, they won't even get the opportunity. They'll just get bounced, which is going to defeat a whole lot of the attacks.

Now there can be an attacker in a different country, and they can use proxying, which means that the attacker would compromise a computer in the United States, for example, and then try to log in through the computer located in an approved location.

Just because you filter out countries X, Y, and Z doesn't mean someone in that country can't attack you. It just means that that person would have to proxy into a computer in the United States or somewhere else and then try to log in through that proxy.

Why do insurance companies want to know if users are local administrators?

Foster: If you're using Windows and Apple computers out of the box, which is what some smaller companies are starting to do, users have local administrator privileges, which can be terrible from a security perspective because local administrators can install applications and perform many other functions.

If an attacker compromises a user's login account, the attacker will have the same level of access as the user they compromised. That's why users need to be restricted to the least privileges to do their work. Privilege levels are something you can change. Whether logging into Microsoft 365, Windows, or Apple operating systems, you definitely want the users to be standard users.

By default, operating systems provide users with a high level of privileges in case it's a family computer and people want to take their computer home from the store and install software. It is an intentional step to create a second account to be an administrator and reduce the user's day-to-day privileges. This process is described as making the user a standard user or making them not an administrator anymore.

It is essential to have a local administrative account available in case the user or an IT professional needs to install software or perform other administrative duties. But the user authenticates to an account with fewer privileges to make it more difficult for attackers to compromise the machine if the user makes a mistake such as clicking a link in an email message that connects to a server an attacker controls. Converting all users to standard users in an organization can sometimes interfere with software. So, making the change isn't always simple, but it is essential to explore, and often users won't even notice the difference. This topic could be another article.

— To comment on this article or to suggest an idea for another article, contact Kevin Brewer at Kevin.Brewer@aicpa-cima.com.

The Journal of Accountancy is now completely digital. 

 

 

 
