Does Your Backup Plan Have Your Back?

Garrett Poorbaugh
Published
January 31, 2023
Last Updated
January 31, 2023 2:39 PM

The Dry Box Lock

The weather has been very nice in Florida this January, and to celebrate, we sometimes like to go to the lake and enjoy time on the water. We double, triple, quadruple checked that everything looked to be in order and set out. It started as smooth sailing on calm waters, but as the afternoon progressed, we found ourselves with some hefty waves. As one thing led to another, circumstances presented themselves that caused the vessel to roll over. This is no problem, as all functionality was checked and in place, right? After rocking the ski back and forth to flip it back upright, I realized that my phone, wallet, and keys that used to be inside the dry box had disappeared. A sinking feeling fell over me, as I recalled that the one thing I hadn’t checked in a while on the jet ski was the plastic latch for the dry box. While the problem was not immediately apparent on inspection, investigating and finding that it was broken would have taken 30 seconds and mere dollars. From the outside, the lockbox still closed, and it still looked fine, but I failed to identify the internal problem that only reared its face when things went wrong. A simple tug on the box would have alerted me that something was wrong.

Just like the Titanic, assuming nothing will go wrong is dangerous.

Does Your Dry Box Lock Work?

Once I got over the embarrassment of not ensuring the functionality of such a simple and truly critical item, I really began to think about how applicable this is to many people and companies in relation to their cybersecurity. Many of the controls we have in place, such as MFA or passwords, work just fine when the waters are calm and everything is normal. But when rough waters do approach, sometimes we realize there were problems beneath the surface that we did not see, and simply fixing them before trouble was at the doorstep would have saved a world of anguish.

An example of what I am alluding to could be as follows: you have your administrative account set up with MFA, just as you should. It is set up with an authenticator app, and you have a backup email in case you forget the password. Imagine your phone is dropped and becomes inoperable; you have now lost access to the MFA codes needed to get into the administrative account. Simple fix: access via the recovery email, right? You then realize the MFA to log in to your email was also tied to that phone. Now you are in trouble.

While not every situation will play out like this, because of the reliance we must place on our backup systems and how perfectly they need to work when the time comes, it is important to keep track of their functionality. The sections below offer recommendations on how to figuratively tug on the plastic latch holding your backup plans together, or prompt you to install a latch in the first place.

 

Back Up Your MFA Codes

While it is perfectly normal to only store MFA codes on the local device, if this device has the possibility of being lost or broken, it is wise to back up the MFA codes stored on the device. For Microsoft Authenticator, adding an account by email will allow the methods set up on the phone to be saved in the cloud and recovered on another device if needed. One note: ensure that proper and robust verification methods are set up on this account, as it holds great capabilities.

Securely Store Recovery Keys

Applications which hold sensitive information or encrypt data will usually provide a recovery key to allow access to be recovered if all other methods of access fail. Notable applications which use this include Windows BitLocker and Microsoft Authenticator. Storing these keys in a secure location that remains accessible in an emergency could be what allows access into the account.

Set Up 2 Unique MFA Verification Methods

When setting up accounts, it is recommended to set up 2 different ways to perform multifactor authentication. If a Microsoft account is set up to only allow multifactor from an authenticator app, and this becomes lost, the account could be lost. Ensuring a backup method that is not dependent on the same device or service is advisable.
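The lockout scenario described earlier (admin account and recovery email both tied to one phone) and the "not dependent on the same device" advice above can be checked mechanically. The following is an added example, not part of the original post; the account names, device names and inventory format are constructed for illustration, and it generalizes to any number of accounts and recovery chains.

```python
"""Single-point-of-failure check for account recovery paths (added example)."""

# Constructed inventory: each account lists its login/recovery methods, and each
# method names what it depends on: ("device", name) or ("account", name).
FRAGILE = {
    "admin": [("authenticator app", ("device", "phone")),
              ("recovery email", ("account", "email"))],
    "email": [("authenticator app", ("device", "phone"))],
}

# Same setup, but the email account gains a second method on a separate item.
HARDENED = {
    "admin": FRAGILE["admin"],
    "email": FRAGILE["email"] + [("printed recovery codes", ("device", "safe"))],
}

def reachable(inventory, lost):
    """Return the accounts still accessible once the `lost` devices are gone.

    Starts from "nothing is accessible" and adds accounts until no change, so a
    recovery loop (A recovers via B, B via A) never counts as a way in.
    """
    ok = set()
    changed = True
    while changed:
        changed = False
        for account, methods in inventory.items():
            if account in ok:
                continue
            for _label, (kind, name) in methods:
                usable = (kind == "device" and name not in lost) or \
                         (kind == "account" and name in ok)
                if usable:
                    ok.add(account)
                    changed = True
                    break
    return ok

def lockouts(inventory):
    """Map each device to the accounts that become unreachable if it is lost."""
    devices = {name for methods in inventory.values()
               for _label, (kind, name) in methods if kind == "device"}
    return {d: sorted(set(inventory) - reachable(inventory, {d}))
            for d in sorted(devices)}

if __name__ == "__main__":
    print("fragile :", lockouts(FRAGILE))
    print("hardened:", lockouts(HARDENED))
```

Any device that maps to a non-empty list is a single point of failure for those accounts.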

Create a Break Glass Account

If there is the capability to set up multiple accounts, such as in a Microsoft tenant, setting up a break glass account which is not subject to security requirements such as MFA can be vital in recovering access. These accounts should be created with obfuscated usernames and extremely complex passwords which are rotated, and their login attempts should be monitored.

Test Your Recovery Plan

Ensure that any recovery or disaster recovery plans work by testing them multiple times a year. This may be simply ensuring recovery keys can be accessed, that the backup MFA method is still valid, or that your MFA account is still syncing your MFA codes. Logging in using emergency access accounts if applicable is recommended during this time as well.  

Conclusion

It is never in anyone’s plan to get hit by a wave that knocks them off course. It may be easy to say nothing will ever go wrong, but the moment it does and your failsafe fails, it turns into a lesson. Our goal as cybersecurity-conscious professionals should be not to wait for calamity to happen, but to learn how to make our systems more resilient before it is necessary. Following the steps above will help move you closer to feeling confident that when things go wrong, you have done things right to prepare.

Security Connections to Remember

  • Understand that it is a matter of when, not if, you will need your backup plan to work.
  • Combining multiple easy-to-implement best practices can greatly improve your response capability.
  • Putting in the legwork upfront is exponentially easier than recovering from negligence.
