Multi-factor & Risk-based Authentication , Security Operations

CISA Urges Americans to Apply MFA, 'Think Before They Click'

Director Jen Easterly: Password Managers, Automatic Software Updates Key to Defense
CISA Urges Americans to Apply MFA, 'Think Before They Click'
Jen Easterly, director, U.S. Cybersecurity and Infrastructure Security Agency

America's top cybersecurity official urged citizens Tuesday to boost their defenses by choosing strong passwords, opting for multifactor authentication, reporting phishing and enabling automatic software updates.

See Also: How to Prevent Attacks that Bypass MFA

Cybersecurity and Infrastructure Security Agency Director Jen Easterly said consumers and business leaders alike should begin their security journey by choosing passwords that are complex and unique to each sensitive account and using a password manager to generate and store them. From there, Easterly said, multifactor authentication is vital since more than a password is necessary to keep accounts safe.

When it comes to recognizing phishing, Easterly urged users to "think before they click," especially in regard to unsolicited texts, calls and emails as well as attachments from unknown sources. Finally, Easterly said, users should make software updates automatic to ensure they're continuously protected from malicious threats in the ecosystem.

"As we've added more devices and more platforms and more endpoints to the internet, we've increased vulnerabilities," Easterly said Tuesday at an event launching CISA's first-ever public service awareness campaign. "We've expanded that attack surface for cybercriminals to steal our data and to lock it up."

Easterly's remarks were followed by comments from industry leaders as well as a fireside chat with leaders from nonprofits involved in cyber defense. CISA's public service announcement will begin airing days before the start of the 20th annual Cybersecurity Awareness Month on Sunday (see: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA).

"CISA - along with our government and industry partners - are doing everything we can to prevent and disrupt the cybercriminal ecosystem," Easterly said. "But it's critical that every one of us take responsibility for keeping ourselves safe online, and that's why we are here today."

How Google Approaches Secure Authentication

Google Vice President of Security Engineering Heather Adkins believes there will be a future with no passwords. If people no longer have to use a text-based string to authenticate themselves to the most important systems in their lives, Adkins said, the systems in question can no longer be taken over or hijacked by an attacker who could ruin their lives.

"That is a little bit in the future; I'm also a realist," Adkins said Tuesday during the launch event for the CISA public service announcement. "But as an industry, we take these small steps every day."

Adkins has used a password manager for 15 years, and she praised the tool for creating complex passwords that she doesn't have to remember and storing them in a secure place where they can be retrieved at a moment's notice. Google recently turned on multifactor authentication by default for all Gmail users, and Adkins said it's had a "substantial and meaningful impact" on preventing account hijacking.

"We brought secure multifactor authentication to the masses with security keys - which are hardware tokens - and passkeys, which are a software version that's easier to use," Adkins said. "Since adopting these solutions for ourselves as a company, we have eliminated password phishing as a problem at our company."

In a similar vein, Adkins said, the Google Chrome web browser automatically updates so that users don't have to even think about patching. And she said there hasn't been a single known ransomware attack on a Chrome OS device across business, commercial or education users since they were designed with security in mind. Automatically identifying phishing and keeping software up to date is important (see: Google's Christiaan Brand on Bringing Passkeys to the Masses).

"I believe in, 'Think before you click,' but I also believe in, 'Don't make the user think about it if they don't have to,'" Adkins said. "This is an important component of 'secure by default' - automatically removing the threat from people's inboxes. We as engineers can take on the burden for security and free the users up to enjoy the technology how they need to."

Microsoft Pivots to Multifactor Authentication by Default

In a "huge shift" for Microsoft, the software and cloud computing behemoth now applies multifactor authentication by default for both new and existing instances of Microsoft 365, according to Federal Security CTO Steve Faehl. Going forward, Faehl said, any organization that doesn't configure a security policy of its own is going to get multifactor authentication (see: Microsoft Brings Passkeys, Bad Code Protection to Windows 11).

"We were very concerned that people would be locked out of their tenants," Adkins said Tuesday during the launch event. "We were very concerned people wouldn't know what to do. But we were able to roll that out in a way that didn't disrupt anyone, and it's something that makes everyone safer."

Faehl said the industry has a role to play in both helping the U.S. government impose pain and cost on cyber adversaries in a meaningful way as well as providing users with a better experience than before with technologies such as passwordless.

"We don't want to barrage the general public with a ton of cyber risk fearmongering," Faehl said. "We want to let them know, 'This is what it takes to be safe in this environment. This is how you can be secure moving forward, and you can do so with confidence.'"

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.