In celebration of Cybersecurity Awareness Month, NIST will be publishing a dedicated blog series throughout October; we will be sharing blogs each week that will match up to four key behaviors identified by the National Cybersecurity Alliance (NCA). Today’s interview-style blog features two NIST experts —Bill Newhouse and Ryan Galluzzo—discussing different reasons to enable multi-factor authentication (a mechanism to verify an individual’s identity by requiring them to provide more information than just a username and password).
Here are the questions they both were asked, along with their responses:
This week’s Cybersecurity Awareness Month theme is enabling multi-factor authentication. How does your work/specialty area at NIST relate to this behavior?
Bill: Since 2015, I have been a cybersecurity engineer at NIST’s National Cybersecurity Center of Excellence (NCCoE)—where I have brought together experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure. The projects I have worked on include a focus on digital authentication as part of the cybersecurity reference design created. Two of my projects, Derived Personal Identity Verification (PIV) Credentials and Multifactor Authentication for E-Commerce, demonstrate uses of multi-factor authentication (MFA).
Ryan: NIST’s identity program focuses on foundational and applied research, standards development, measurement, and implementation guidance to support responsible innovation in identity technology. This includes exploring new, more effective, and more accessible ways to provide MFA to individuals. We achieve this through the development of guidance such as our Digital Identity Guidelines (NIST Special Publication 800-63) and research into emerging technologies such as Mobile Driver’s Licenses and decentralized identity. We also conduct technology integration projects with partners at the NCCoE – such as the Multi-Factor Authentication for E-Commerce project.
What is the easiest way to stay safe online?
Bill: Be intentional—Unless you turn off your computers, tablets, fitness trackers, and mobile phones, you are online. So, if you are always online, increase your online safety by using devices and applications that are supported by automatic security updates. From this foundation, staying safe online also means being as intentional as possible. One way I am intentional is that I enable multi-factor authentication (sometimes called 2-step verification) for all online accounts that hold sensitive or precious-to-me data. If I don’t want to lose control of my account, I visit the security section of my customer profile and turn on MFA, which allows me to leverage “authentication apps” that provide randomly generated one-time codes or push notifications, a hardware authentication device that supports public-key cryptography, or my mobile device’s built-in biometrics.
If I seek to enable MFA to support online access and the provider does not offer it, I will not continue to be a customer.
Being intentional also means that I try to control the sites I visit. I likely spend more time than most looking at the web addresses when on my browser as I surf the web. If I get an email indicating something about an online account that offers me a link to take an action on that account, I don’t immediately click the link. I don’t want to become a victim of a phishing attack, so I tend to access my online account’s customer portal without having clicked on a link. I like being in control by taking that extra step to open a new browser tab and type in the URL for my customer or user access to that online service.
Ryan: Adding multi-factor authentication to all your sensitive accounts. Many service providers have made this easier than consumers may realize. The proliferation of smart mobile devices has given individuals many more options than had previously been available. From “authentication apps” that provide randomly generated one-time codes or push notifications, to native biometrics on our devices, there are more options for securing our digital selves than ever. The increasing ubiquity of federation has also helped, allowing users to sign in with common providers, where MFA is sometimes incorporated by default. Many of us are probably using MFA every day – particularly with our mobile devices – and simply don’t even realize it.
You may not need MFA for everything – but if your personal information, financial information, or health care data is involved, you should make sure to check your provider’s account settings to see if you can turn it on. I would also consider moving away from using text-based MFA for these services in favor of an authenticator app. These typically offer several different methods to authenticate with different websites and can typically be set up quickly and easily by scanning a QR code. If you are feeling particularly paranoid – or nerdy – hardware tokens and authenticators that use cryptographic authentication (like FIDO tokens) can further increase your digital security by improving resistance to phishing attempts.
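The "randomly generated one-time codes" and QR-code enrollment that both answers describe are, in most authenticator apps, time-based one-time passwords (TOTP, RFC 6238 over HMAC per RFC 4226). The following is an added example, not code from the NIST blog or from any NIST project, showing the whole loop using only the Python standard library: the provider generates a shared secret and encodes it in an otpauth:// URI for the QR code, the app derives a six-digit code from the secret and the current 30-second time step, and the provider verifies a submitted code with a small drift window and a constant-time comparison. The issuer and account names are made-up sample values. The `verify` function also makes Ryan's later caution concrete: a code handed to an untrusted site is still accepted by the real provider for the remainder of the window, which is why TOTP is phishable where FIDO authenticators are not.

```python
"""Added example (not part of the NIST blog): how an authenticator app's
one-time codes work (TOTP, RFC 6238), from the QR-code enrollment secret
to server-side verification. Standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # time step used by most authenticator apps
DIGITS = 6          # code length shown to the user


def new_secret(num_bytes: int = 20) -> str:
    """Random shared secret, Base32-encoded as it appears in the QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def enrollment_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// URI a provider encodes into the enrollment QR code
    (the de facto format authenticator apps parse; issuer/account are
    whatever sample values the caller supplies)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at_time: float) -> str:
    """What the app displays: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, at_time: float, window: int = 1) -> bool:
    """Provider-side check. Accepts the current step and `window` steps either
    side to tolerate clock drift, comparing in constant time so response timing
    does not leak which digits matched. Note the consequence: any code obtained
    within that window, including one typed into a lookalike site, still passes."""
    step = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, step + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    import time
    secret = new_secret()
    print("Scan this into your app:", enrollment_uri(secret, "ExampleBank", "alice@example.com"))
    now = time.time()
    code = totp(secret, now)
    print("App shows:", code, "-> provider accepts:", verify(secret, code, now))
```

The RFC 6238 test vectors (shared secret "12345678901234567890", Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) give 287082 at Unix time 59 and 081804 at 1111111109, which is a quick way to confirm an implementation agrees with real authenticator apps. Two practical notes for the provider side: the secret must be stored with the same care as a password hash's pepper, and a code should be accepted only once per step so a captured value cannot be replayed.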
What are three things you can do to minimize cybersecurity risks to a person or businesses?
Bill:
Turn on MFA for all user accounts. Make it mandatory to use MFA for employee access to the business’ devices, networks, and services on which your employees conduct their work.
Employees who need remote access to your business’ network and security resources should use a virtual private network (VPN) connection. If an employee is not directly connected to your network, they are relying on networks that your business does not control. Using VPN technology for remote access shields your business’ data and process from prying eyes.
Train your employees to use MFA. The more you learn about the risks you face when you don’t enable MFA for any access to an online system or service, the more likely your employees will embrace the use of MFA.
Ryan:
Turn MFA on for all your sensitive accounts. Check your account settings or security settings to see if it is an option. It is probably more available and easier to use than you think. If you are a business, consider default MFA for all your enterprise users. Avoid weaker forms of MFA that are more easily compromised or phished such as text-based OTP. For users with elevated privileges, consider cryptographic authenticators such as hardware tokens or FIDO authenticators.
Use a VPN when connecting to any unsecure or public networks. This is particularly true when you are conducting sensitive transactions – such as banking – but is a good default security setting, regardless. Businesses should mandate the use of VPN access for all company assets and consider mobile device management solutions to enforce security baselines for company or personal phones used to conduct business.
Educate yourself…and if you are a business, educate your employees. Humans are always the weakest link in the security chain. The more you learn about the risks you face, the more likely you are to identify when you are being deceived or targeted. For organizations – have an established, interactive security education program that teaches your employees what to look for in common attacks – such as phishing, social engineering, and business email compromise.
What does #BeCyberSmart mean to you?
Bill: From a very practical point of view, #BeCyberSmart means I can search Twitter to find posts that touch on different aspects of staying safe online using the hashtag #BeCyberSmart. Good advice should not be hard to find. DHS created the #BeCyberSmart campaign to help you find good advice for staying safe online.
Ryan: Vigilance. Just like safety in the real world, security in the digital world revolves around being aware of the threats you face and keeping an eye out for those things that “just don’t look right.” Even if you are using MFA there are still risks – particularly when using text and one-time codes. Just as you would never input your password on a website that looked sketchy, don’t provide MFA codes to sites you don’t trust or may not look legitimate.
What is your favorite thing about working at NIST?
Bill: My work at our applied cybersecurity center, the NCCoE, involves interacting with lots of collaborators from other government agencies, in the private and academic sectors, as well as other nations as we work to identify the cybersecurity challenges that become our projects (to build our reference designs and to communicate what we’ve done together). This work focuses on helping organizations mitigate cybersecurity risk. It is a privilege to work at NIST for 6/25’s of the #NISTCyber50th anniversary years—and to know NIST and its open, transparent, and consensus-based processes have supported my entire federal career that has occurred over 74% of #NISTCyber50th.
Ryan: I am relatively new to NIST, but what I can say is that the mission of improving our national cybersecurity and the collaborative atmosphere were the two driving factors for joining the organization. NIST’s mission depends on engagement, collaboration, and transparency with a broad range of stakeholders – from the individual member of the public to Chief Information Security Officers for major agencies – we get to engage with all of them and learn what matters to each of them. It’s a fascinating and enjoyable atmosphere to work in.
Also, the wildlife at the Gaithersburg campus. There are deer everywhere!