Welcome to ThatThirdPartyGuy.com – my website highlighting my journey in third-party cyber-security.

The Importance of MFA in Your Supplier’s Cyber Security Program


May 1, 2024

Two articles recently caught my eye and I thought I’d share how they relate to your partnerships with third parties. The first is information on the recent Change HealthCare breach. That occurred earlier this year and resulted in the exposure of PHI, PII, and potentially other information belonging to a large portion of US citizens, the full extent of which may only be discovered later. The other that caught my attention is a report on password strength and how long it is estimated to take 12 RTX 4090 graphics cards to brute-force your password based on character set, complexity, and length. That report by Hive Systems is updated each year and provides a look at how password complexity and length can be used to help prevent a brute-force attack. You can read more about both of those at the links below.
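As an added illustration of the arithmetic behind that kind of report (this is my own example, not code from the post or from Hive Systems), the block below computes exhaustive-search keyspace and worst-case crack time by character class and length. The guess rate is an assumed placeholder, because the real figure depends on the hash algorithm protecting the password and on the hardware.

```python
# Character classes and their sizes, as used in typical password-strength tables.
CHARSETS = {
    "digits only": 10,
    "lowercase": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 95,  # printable ASCII
}

# Assumed aggregate guess rate (guesses per second). Constructed placeholder,
# not a figure from the Hive Systems report: a fast unsalted hash on GPUs is
# orders of magnitude faster to attack than a slow, salted one like bcrypt.
ASSUMED_GUESSES_PER_SECOND = 12 * 1e9  # hypothetical: 12 GPUs at 1e9 guesses/s each

SECONDS_PER_YEAR = 365 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration the way strength tables do (coarse, largest unit)."""
    if seconds < 1:
        return "instantly"
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "instantly"  # unreachable, keeps the function total


def min_length_for(charset_size: int, target_years: float,
                   rate: float = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Smallest length whose worst-case crack time meets a target, e.g. for a
    vendor password policy requirement. Loops instead of using logs to avoid
    floating-point rounding at the boundary."""
    length = 1
    while worst_case_seconds(charset_size, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def crack_time_table(lengths=range(8, 17), rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Map each character class to {length: human-readable worst-case time}."""
    return {name: {n: human_duration(worst_case_seconds(size, n, rate)) for n in lengths}
            for name, size in CHARSETS.items()}
```

Each added character multiplies the search space by the charset size, which is why the table's rows jump from hours to centuries over just a few columns.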

The Highlights

Passwords. They’re still in use and they still serve a purpose. In some circles that statement is the beginning of a fight. But let’s be honest: most of that fight traces back to the confusion created a few years back when NIST published their 800-63B password guidance. Many companies and professionals then said passwords were dead and began celebrating the end of the password. That was premature. Passwords are still used today for a wide range of application authentication and are part of a healthy authentication system. NIST has since clarified their guidance to help people better understand it, by the way.

Multi-Factor Authentication. Change HealthCare indicated that the attackers stole valid credentials using information-stealing malware. There’s no telling from public information where that occurred, but one researcher noted that this was seen just two days before the attack began. Hindsight is always better, but they should have enforced MFA on their public-facing access. The attackers gained access to the system using the stolen credentials and then spent days inside the network before launching the encryption. To be fair, the attackers are pros and are good at evasive techniques. But MFA would have at least prevented this particular avenue of attack from being successful, and better intrusion detection or monitoring would have helped identify the malicious behavior. Zero Trust Networking may have a role in their after-action strategy, but that’s not likely to be public information.

The Takeaways

Passwords are a legitimate part of any authentication strategy and are more widely used than bio-authentication or other methods. I’ll talk about the dangers of bio-authentication methods at a later date. But for now, recognize that your vendor partners are using passwords. They are, and they will. What you should look for is that they are using strong passwords paired with MFA where appropriate, and that they have adequate processes and tools in place to detect malicious behavior on their network. That will help make them a harder target and hopefully keep them from a large, embarrassing, and costly outage that could impact you and your ability to succeed in your business.

https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa

https://digg.com/tech/link/how-long-hack-crack-password-hive-systems-2024

https://pages.nist.gov/800-63-3/sp800-63b.html