By Anoniem: How do you measure that something is 80% prevented?
It is a guess. As Microsoft itself, in slightly different words, also says.
Microsoft and other big tech never told you that once you move your organisation into the cloud, your expensive corporate network firewall is of no more use to you and every employee has become a SPOF. In order not to chase you, in the short term, into even higher costs (instead of an incredible amount of hassle with Yubikeys in FIDO2 mode), Microsoft suggests that your users can use SMS, TOTP or Number Matching, so that not every SPOF falls for phishing (how many SPOFs do you have, by the way? With 100 of them, 100-n will not fall for evil-proxy phishing, that's a win!).
But if that 80% and the percentages below are correct, things are going downhill pretty fast (personally I think it is going much faster still). From
https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/:
Announcing mandatory multi-factor authentication for Azure sign-in
Published Aug 15, 2024
[...]
As recent research [1] by Microsoft shows that multifactor authentication (MFA) can block more than 99.2% of account compromise attacks, making it one of the most effective security measures available, today’s announcement brings us all one step closer toward a more secure future.
From [1] =
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW166lD, a PDF last modified 2023-05-02 (I have changed the order of the authors):
How effective is multifactor authentication at deterring cyberattacks?
Alex Weinert, Sergio Romero, Gabriele Bertoli: Microsoft Identity Security; Lucas Augusto Meyer, Juan Lavista Ferres: AI for Good Lab; Tom Burt: Customer Security & Trust
[...]
Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials.
[...]
Methodology and Data
Our goal is to determine the effectiveness of MFA in preventing account compromise in the population of commercial accounts. It is generally not possible for an authentication provider to obtain the exact number of account compromises in a population without resorting to sampling and manual reviews. When users detect an account compromise, they may simply change their passwords and not notify their administrators. Even when the administrators are notified, they may choose not to notify the authentication provider. Therefore, methods that rely on the authentication provider using reported account compromises will result in an undercount of the actual rate. On the other hand, it is cost-prohibitive for an authentication provider that has billions of accounts to manually review all suspected compromises. Therefore, we have to rely on sampling methods.
To achieve our goal, we obtained a list of active Microsoft Azure Active Directory users that had their account reviewed due to suspicious activity between April 22, 2022, and September 22, 2022. Some accounts had MFA configured, and some did not. If the account had suspicious activity and had MFA configured, a challenge was automatically issued. A sample of the sessions was retroactively reviewed by a specialized team that examines account logs and determines whether a compromise occurred or not. If a compromise was detected, the account was sanitized, and the user notified. To estimate the proportion of compromised accounts in the whole population, we use the benchmark multiplier method [14], commonly used in epidemiological research in situations where individuals tend to underreport the actual frequency of an event. The benchmark multiplier method requires two datasets: one, the benchmark, has a complete and accurate count of the event being studied for a subgroup of the population. The other dataset is a representative sample from the population, used to estimate the proportion of the population represented by the benchmark. The reciprocal of that proportion is called the multiplier.
[...]
Alex Weinert (Director of Identity Security at Microsoft) wrote in 2019 in
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124:
MFA had failed.
Furthermore, 2FA/MFA is of no use to you if you (must or want to) do risky things on a website where you do not even have an account yet, or where you do have an account but have not yet enabled MFA support.
For those interested who understand English: in
https://infosec.exchange/@ErikvanStraten/113124204291514950 I describe a number of problems with, and solutions for, 2FA/MFA, and in
https://infosec.exchange/@ErikvanStraten/112974991373414022 I repeat some of what I wrote above, but supplement it with other problems.
Or see
https://youtube.com/watch?v=wVyu7NB7W6Y (with, among others, Karsten Nohl) about SS7 attacks (more info in
https://infosec.exchange/@ErikvanStraten/113182066906044258).
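The benchmark multiplier estimate that the quoted paper describes (a complete count for one subgroup, a representative sample to find what share of all events that subgroup represents, and the reciprocal of that share as the multiplier) is worked through below with constructed numbers. This is an added illustration by the editor, not the poster's text, not Microsoft's data and not the paper's code; the group sizes, benchmark counts and sample composition are invented to show how a "reduces the risk by X%" figure is derived from such an estimate.

```python
"""Benchmark-multiplier estimate of account-compromise rates.

Added illustration of the estimation method described in the quoted paper.
All figures are constructed; they are not Microsoft's numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Benchmark:
    """Complete, accurate count of compromises in one subgroup of the
    population (in the paper: accounts examined and confirmed by a review team)."""
    confirmed_compromises: int


@dataclass(frozen=True)
class Sample:
    """Representative sample of compromise events drawn from the whole
    population, recording how many of them fall inside the benchmark subgroup."""
    size: int
    in_benchmark: int


def benchmark_share(sample: Sample) -> float:
    """Proportion of all compromises that the benchmark subgroup represents."""
    if sample.size <= 0 or sample.in_benchmark <= 0:
        raise ValueError("sample must contain at least one benchmark member")
    if sample.in_benchmark > sample.size:
        raise ValueError("in_benchmark cannot exceed the sample size")
    return sample.in_benchmark / sample.size


def multiplier(sample: Sample) -> float:
    """The multiplier is the reciprocal of the benchmark share."""
    return 1.0 / benchmark_share(sample)


def estimated_compromises(benchmark: Benchmark, sample: Sample) -> float:
    """Scale the complete subgroup count up to the whole population."""
    return benchmark.confirmed_compromises * multiplier(sample)


def compromise_rate(estimated: float, accounts: int) -> float:
    """Estimated compromises per account in a group."""
    if accounts <= 0:
        raise ValueError("accounts must be positive")
    return estimated / accounts


def relative_risk_reduction(rate_protected: float, rate_unprotected: float) -> float:
    """1 - (protected rate / unprotected rate): the 'reduces the risk by X%' figure."""
    if rate_unprotected <= 0:
        raise ValueError("unprotected rate must be positive")
    return 1.0 - rate_protected / rate_unprotected


def run_constructed_example() -> dict:
    """Constructed scenario: 1,000,000 accounts without MFA and 1,000,000 with MFA.

    Without MFA the review team confirmed 2,000 compromises, and 200 of a
    500-event representative sample were among them (share 0.4, multiplier 2.5).
    With MFA the team confirmed 40, and 50 of a 100-event sample were among
    them (share 0.5, multiplier 2.0)."""
    accounts = 1_000_000
    no_mfa = estimated_compromises(Benchmark(2_000), Sample(size=500, in_benchmark=200))
    with_mfa = estimated_compromises(Benchmark(40), Sample(size=100, in_benchmark=50))
    rate_no_mfa = compromise_rate(no_mfa, accounts)
    rate_mfa = compromise_rate(with_mfa, accounts)
    return {
        "estimated_no_mfa": no_mfa,            # 5000.0
        "estimated_mfa": with_mfa,             # 80.0
        "rate_no_mfa": rate_no_mfa,            # 0.005
        "rate_mfa": rate_mfa,                  # 0.00008
        "mfa_accounts_secure": 1.0 - rate_mfa, # 0.99992 ("X% remained secure")
        "risk_reduction": relative_risk_reduction(rate_mfa, rate_no_mfa),  # 0.984
    }


if __name__ == "__main__":
    for key, value in run_constructed_example().items():
        print(f"{key}: {value}")
```

The point the example makes is that both headline figures in the quoted abstract (the share of MFA accounts that stayed secure and the relative risk reduction) are derived quantities: they depend on the estimated multiplier, so any bias in how representative the sample is, or in which suspected compromises the review team got to see, carries straight through into the percentage.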