CIS Safeguard 6.3: Require MFA for Externally-Exposed Applications

In February 2024 a municipal government suffered a major ransomware attack after threat actors exploited a vulnerability in an externally exposed internet-facing server. The attackers gained access to the system and conducted covert reconnaissance before deploying ransomware that encrypted critical infrastructure.

A post-incident review identified the lack of Multi-Factor Authentication (MFA) as a “root cause” of the breach. To protect the confidentiality, integrity and availability of an organization’s information, the Center for Internet Security (CIS) includes Safeguard 6.3 in its Critical Security Controls to ensure MFA is required for externally-exposed applications.

This safeguard falls under Control 6 of the CIS Controls framework: Access Control Management.

“Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.”

When an organization exposes applications or systems to the public internet, it creates potential entry points for threat actors. These externally accessible assets are often the first targets during reconnaissance and exploitation phases of a cyberattack.

MFA significantly reduces the risk of unauthorized access—even if credentials are stolen—by requiring a second factor such as a mobile app, hardware token, or biometric verification. In Hamilton’s case, full MFA deployment could have prevented the initial breach, saving millions in recovery costs and reputational damage.

  • Unauthorized Access: Attackers can exploit login portals on public-facing systems that lack MFA, using stolen or brute-forced credentials to gain entry.
  • Credential Stuffing Attacks: Without MFA, reused or leaked passwords can be used to compromise multiple accounts across externally exposed services.
  • Privilege Escalation: Once inside, attackers can move laterally and escalate privileges if MFA is not enforced at key access points.
  • Ransomware Deployment: Gaining access through unprotected login interfaces allows attackers to deploy ransomware and encrypt critical systems.
  • Exposure of Sensitive Data: Compromised accounts without MFA can be used to access and leak sensitive internal or customer data.
  • Security Misconfiguration: Inconsistent or incomplete MFA deployment across departments can leave critical systems exposed to exploitation.
  • Malicious Insider Activity: Disgruntled employees or contractors may bypass weak authentication controls to sabotage systems or leak data.
  • Authentication Service Failure: If MFA is not properly integrated or has single points of failure, outages can force fallback to insecure login methods.
  • Web-Based Exploits: Attackers may target login pages with phishing or injection attacks, and without MFA, a single compromised credential can lead to full access.
  • Identify Externally-Exposed Applications and Assess MFA Coverage
    Catalog all systems accessible from the public internet, including VPN portals, webmail, cloud dashboards, and remote access tools. Review which externally exposed applications currently enforce MFA and identify gaps in coverage across departments or services.
  • Deploy MFA Across All Public-Facing Systems
    Implement MFA using secure methods such as authenticator apps, hardware tokens, or biometric verification. Avoid SMS-based MFA where possible due to known vulnerabilities.
  • Integrate with Identity and Access Management (IAM)
    Ensure MFA enforcement is centralized and consistent across all user roles and applications, with logging and alerting for failed authentication attempts.
  • Test and Monitor MFA Effectiveness
    Regularly audit MFA configurations, simulate login attempts, and monitor for bypass attempts or misconfigurations.
  • Educate Users and Enforce Policy
    Train staff on MFA usage and enforce policies requiring MFA for all remote or external access. Address resistance to adoption through awareness and support.
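The assessment, monitoring and alerting steps above can be scripted against the asset inventory and the identity provider's authentication log. The following is an added example, not CIS material or a vendor tool; the inventory records, the JSON-lines log format, the field names (`app`, `external`, `mfa`, `method`, `result`, `mfa_step`) and the failure threshold are all constructed assumptions.

```python
import json
from collections import Counter

# Constructed inventory (not a real environment): one record per application.
INVENTORY = [
    {"app": "vpn-portal", "external": True, "mfa": True, "method": "totp"},
    {"app": "webmail", "external": True, "mfa": True, "method": "sms"},
    {"app": "cloud-console", "external": True, "mfa": False, "method": None},
    {"app": "hr-intranet", "external": False, "mfa": False, "method": None},
]

# Constructed authentication events (JSON lines) as a central IdP might emit them.
AUTH_LOG = """\
{"app": "vpn-portal", "user": "alice", "result": "success", "mfa_step": "totp"}
{"app": "webmail", "user": "bob", "result": "success", "mfa_step": null}
{"app": "cloud-console", "user": "carol", "result": "failure", "mfa_step": null}
{"app": "cloud-console", "user": "carol", "result": "failure", "mfa_step": null}
{"app": "cloud-console", "user": "carol", "result": "failure", "mfa_step": null}
{"app": "hr-intranet", "user": "dave", "result": "success", "mfa_step": null}
"""

WEAK_METHODS = {"sms"}  # the safeguard guidance says to avoid SMS-based MFA


def coverage_gaps(inventory):
    """External apps with no MFA at all, and external apps relying on a weak method."""
    external = [a for a in inventory if a["external"]]
    return {
        "missing": sorted(a["app"] for a in external if not a["mfa"]),
        "weak": sorted(a["app"] for a in external
                       if a["mfa"] and a["method"] in WEAK_METHODS),
    }


def parse_log(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def bypass_events(inventory, log_text):
    """Successful logins to an MFA-enforced external app that recorded no MFA step,
    i.e. a bypass or a misconfiguration the monitoring step should surface."""
    enforced = {a["app"] for a in inventory if a["external"] and a["mfa"]}
    return [(e["app"], e["user"]) for e in parse_log(log_text)
            if e["app"] in enforced and e["result"] == "success" and not e["mfa_step"]]


def failed_attempts(log_text, threshold=3):
    """(app, user) pairs whose failed attempts reach the alerting threshold."""
    counts = Counter((e["app"], e["user"]) for e in parse_log(log_text)
                     if e["result"] == "failure")
    return sorted(k for k, n in counts.items() if n >= threshold)
```

On the constructed data this reports cloud-console as lacking MFA, webmail as relying on a weak method, bob's webmail login as having skipped the MFA step, and carol's repeated failures against cloud-console as crossing the alerting threshold.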

1.1 Establish and Maintain Detailed Enterprise Asset Inventory
A complete inventory of externally accessible systems ensures that MFA is enforced consistently across all public-facing applications.

2.1 Establish and Maintain a Software Inventory
Understanding what software powers externally exposed systems helps identify which platforms support MFA and where additional configuration is needed.

4.1 Establish and Maintain a Secure Configuration Process
Ensures that MFA settings are properly configured and not bypassed due to default or insecure authentication setups.

5.2 Use Unique Passwords
Reduces the risk of credential stuffing attacks on externally exposed systems, especially when MFA is not yet deployed.

6.1 Establish an Access Granting Process
Supports MFA by ensuring that only authorized users are granted access to externally exposed applications, with MFA as a requirement.

6.5 Require MFA for Remote Network Access
Complements 6.3 by extending MFA enforcement to VPNs and other remote access methods that interface with public networks.

8.1 Utilize Security Awareness and Skills Training
Educates users on the importance of MFA, how to use it properly, and how to recognize phishing attempts that target login credentials.

Links to relevant CIS documentation, tools, or guides:
