In February 2024, a major U.S. healthcare technology provider was compromised by a ransomware group that gained access through a remote access portal lacking multi-factor authentication (MFA). The attackers used stolen credentials to enter the network, moved laterally across systems, exfiltrated sensitive data, and deployed ransomware that disrupted healthcare operations nationwide. A post-incident investigation confirmed that the absence of MFA on remote access was the critical vulnerability that enabled the breach.
To mitigate such risks, the Center for Internet Security (CIS) Critical Security Controls include Safeguard 6.4, which mandates MFA for all remote network access.
What Is CIS Safeguard 6.4?
This safeguard falls under Control 6 of the CIS Controls framework: Access Control Management.
“Require MFA for all remote access to the network, including VPN, RDP, and other remote access methods.”
Why This Safeguard Is Critical
Remote access technologies like VPNs, RDP, and cloud-based remote desktops are essential for modern business operations, but they also present high-value targets for attackers. Stolen credentials, phishing, and brute-force attacks are commonly used to compromise remote access points.
MFA adds a critical layer of defense by requiring a second factor, such as a mobile app, hardware token, or biometric verification, before access is granted. Even if credentials are compromised, MFA can prevent unauthorized access.
Organizations in Implementation Group 1 (IG1) may use basic MFA solutions for VPNs, while IG2 and IG3 should implement centralized MFA enforcement across all remote access technologies, including third-party integrations.
Threat Scenarios
- VPN Credential Theft: Attackers use phishing or infostealer malware to harvest VPN credentials and access internal systems.
- Remote Desktop Exploits: RDP services exposed to the internet without MFA are vulnerable to brute-force and exploit-based attacks.
- Third-Party Access Abuse: Contractors or vendors with remote access may lack MFA enforcement, creating weak links in the security chain.
- Session Hijacking: Without MFA, attackers can hijack active sessions or reuse tokens to bypass authentication.
- Phishing and Smishing Attacks: MFA bypass techniques using fake login portals or adversary-in-the-middle proxies are increasingly common.
- Ransomware Deployment: Remote access points are often used to deploy ransomware payloads once initial access is gained.
Implementing CIS Safeguard 6.4
- Identify All Remote Access Methods: Catalog VPNs, RDP, cloud desktops, and third-party remote tools used across the organization.
- Enforce MFA Across All Remote Access Points: Use secure MFA methods such as authenticator apps, hardware tokens, or biometric verification. Avoid SMS-based MFA due to known vulnerabilities.
- Integrate MFA with IAM Systems: Centralize authentication policies and ensure consistent enforcement across user roles and access methods.
- Monitor and Audit Remote Access Logs: Track login attempts, failed authentications, and suspicious access patterns.
- Educate Users and Vendors: Train internal staff and third-party users on MFA usage and enforce contractual requirements for secure access.
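As an added example, not code from CIS or from the original page: a small Python audit over constructed remote-access log lines (the key=value format, field names and user/source values are all assumed) that flags the two patterns the monitoring step above calls for, a successful remote login recorded without a second factor, which is a direct 6.4 enforcement gap, and a success that follows a burst of failed attempts from the same user and source, which is the signature of password guessing against an unprotected portal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value remote-access log format;
# "mfa=none" means the gateway recorded no second factor for that login.
SAMPLE_LOG = """\
2024-02-12T08:01:10Z method=vpn user=alice src=203.0.113.5 result=success mfa=push
2024-02-12T08:02:44Z method=rdp user=bob src=198.51.100.7 result=success mfa=none
2024-02-12T08:03:01Z method=vpn user=carol src=192.0.2.9 result=fail mfa=none
2024-02-12T08:03:09Z method=vpn user=carol src=192.0.2.9 result=fail mfa=none
2024-02-12T08:03:17Z method=vpn user=carol src=192.0.2.9 result=fail mfa=none
2024-02-12T08:03:25Z method=vpn user=carol src=192.0.2.9 result=fail mfa=none
2024-02-12T08:03:33Z method=vpn user=carol src=192.0.2.9 result=fail mfa=none
2024-02-12T08:04:30Z method=vpn user=carol src=192.0.2.9 result=success mfa=none
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) method=(?P<method>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$")

def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def audit(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag no_mfa (successful login with no second factor, a 6.4 gap) and
    success_after_failures (>= fail_threshold failures from the same user and
    source within the window, then a success: a password-guessing pattern)."""
    findings = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] != "success":
            if e["result"] == "fail":
                fails[key].append(e["ts"])
            continue
        if e["mfa"] == "none":
            findings.append(("no_mfa", e["user"], e["method"], e["src"]))
        if len([t for t in fails[key] if e["ts"] - t <= window]) >= fail_threshold:
            findings.append(("success_after_failures", e["user"], e["method"], e["src"]))
        fails[key].clear()  # a success ends the failure streak for this user/source
    return findings
```

Running `audit(parse(SAMPLE_LOG))` reports bob's RDP login and carol's VPN login as no_mfa, and carol's login additionally as success_after_failures; a real deployment would feed the same checks from the VPN gateway, RDP broker or identity provider logs.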
Supporting Safeguards
1.1 Establish and Maintain Detailed Enterprise Asset Inventory: Ensures all remote access systems are identified and included in MFA enforcement.
2.1 Establish and Maintain a Software Inventory: Helps track remote access software and ensure it supports MFA.
4.1 Establish and Maintain a Secure Configuration Process: Ensures remote access tools are configured securely with MFA enabled.
5.2 Use Unique Passwords: Reduces the risk of credential reuse and supports MFA effectiveness.
6.3 Require MFA for Externally-Exposed Applications: Complements 6.4 by enforcing MFA on public-facing login portals.
Resources
Links to relevant CIS documentation, tools, or guides:
- CIS Controls and Safeguards v8.1: https://www.cisecurity.org/controls/v8-1
- NIST Cybersecurity Framework (CSF) 2.0: https://www.nist.gov/cyberframework
- UnitedHealth: Compromised Citrix Credentials Behind Change Healthcare Hack: https://www.crn.com/news/security/2024/unitedhealth-compromised-citrix-credentials-behind-change-healthcare-hack