Assess Your MFA Risk Fast – For Free

Multi-Factor Authentication (MFA) is one of the most powerful ways to strengthen an organization’s security infrastructure, and we are constantly on the lookout for new tools and techniques to help make MFA more accessible to businesses like yours.

A useful MFA tool we recently explored is from the company Neustar. They have produced a free MFA risk assessment tool that uses guidance from open standard publications to help businesses determine their overall MFA risk. We’ve downloaded this tool and will share insights about our experiences, but first, let’s take a look at why MFA has recently become such a hot topic.

MFA – (Now) A Legal Requirement to Do Business

As national cybersecurity regulations evolve to protect our digital resources, New York State has taken the lead by publishing a set of laws to mandate the use of stronger MFA controls. To protect the U.S. financial system, NY now requires financial firms to implement a set of security controls or they will be subject to penalties. These requirements have been set forth in law 23 NYCRR 500.09, which states the following:

· Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part.

· A risk assessment is designed for companies to evaluate their level of cybersecurity risk and possible threats. It’s important for the company to keep the nonpublic information and their information systems secure.

· Using the risk assessment as a baseline, they can acknowledge possible risks and the ways these risks can be mitigated.

· After completing the risk assessment, companies are then required to implement new levels of security, depending on the results of their assessment.

Recognizing the urgency of cybersecurity needs, NY has aggressive timelines for implementation.

*Companies must perform the assessments and implement the required security controls by March 1, 2018.

The Neustar MFA Tool Accelerates the Risk Assessment Process

Originally designed to address New York cybersecurity rules and banking-specific transactions, the Neustar MFA risk assessment tool is extremely beneficial to all business sectors because it has been developed using open standard MFA guidelines and principles from the most respected, independent security research organizations, including: the National Institute of Standards and Technology, the Federal Financial Institutions Examination Council, and the New York State Department of Financial Services.

How Does the Tool Work?

The Neustar MFA risk assessment tool uses a Q&A flowchart to assess the way your business operates. Using the answers provided, it recommends which authentication level (single factor, two factor or multi-factor, based on NIST guidelines) should be implemented for your individual company’s risk level; the higher the risk level, the stronger your authentication must be to comply with the law.

The next element of the tool is the Risk Rating Key. The Risk Rating Key uses a graph to show the residual risk after putting mitigating controls on the inherent risks. The color-coded guide will indicate whether your mitigating controls are strong, adequate or in need of improvement, and these color codes are then used on the following pages to describe your enrollment, transaction, process, and overall rating.

Within the Enrollment, Transaction, Process, and Overall Rating sections, you will be asked to add:

  • Your current authentication practices
  • The business area your current authentication practices occur in
  • Channels where your current authentication practices happen

Then, you will list your potential risks, threats, and vulnerabilities. Next, using a “high, medium, low” scale, you’ll rate:

  • Probability of occurrence
  • Impact severity
  • Your inherent risk rating

You will then need to document possible mitigating admin/policy controls, mitigating technical controls, and compensating controls you are using.

Using the Risk Rating Key on the previous page, you rate the control effectiveness (needs improvement, adequate, strong).

To determine your Inherent Risk Rating for Enrollment, calculate your risk from one to five. (Note: The risk rating key will help you determine what number you should put down.)

The Mitigating Controls Risk Rating for Enrollment is found by assessing the value of the mitigating admin/policy controls (-2, -1, or 0).

To calculate your Residual Risk Rating for Enrollment, you will subtract the Mitigating Controls Risk Rating from the Inherent Risk Rating. The lower the number is, the lower your residual risk. The bottom portion will tell you your average risk for all three categories.

The same calculation process is then repeated for the remaining Transaction and Process categories. The final page at the end of the assessment summarizes your total risk in all areas. You can refer to the Risk Rating Key if you need help determining what the numbers mean.

Now That I Know My Risk, What Do I Do?

Upon assessing your MFA risk, visit the NIST Digital Identity Guidelines for Authentication and Lifecycle Management to learn more about your authentication technology options. The NIST document does a remarkable job of explaining the various available MFA authentication technologies and their assurance level.

If you are at the phase where you need to implement an MFA system fast and want to explore more options, download our free guide, “MFA the PIV Way.” This guide explores how to use the NIST standards to implement the strongest MFA infrastructure in a way that is scalable and compatible.

We hope you found this information useful. If you want to comment or have any suggestions, please send an email to info@cyberarmed.com.


This information is for informational purposes only. CYBER ARMED SECURITY, LLC MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.

How to Use PIV as a Cyber Defense Tool

This article provides a practical plan for implementing PIV technologies to immediately bolster your cyber defenses. We have structured this plan to provide fundamental countermeasures against the latest cyber threats while also recognizing organizations require time to fully adopt PIV throughout their entire ecosystem. Therefore, all components of this plan can be implemented using vendor supported point and click configurations and do not require software code modifications. Advanced topics related to PIV software application fortification will be covered in a subsequent article.

Why the latest attacks are succeeding

The latest attacks originate in the form of: malware delivery, credential theft or compromise of an internet accessible system. These attacks work because of insufficient access control or message integrity validation where the attacker either surreptitiously obtained a credential or tricked a legitimate user into installing malware which permitted access to the system. Furthermore, these attacks go from bad to absolutely devastating because of the nature and volume of the data stolen. For example, an organization can rebuild a compromised network server, but they can never recall the intellectual property stolen or repair the negative psychological impact to their customers.

PIV as a countermeasure

Many security features of PIV are underutilized simply because their benefits have never been clearly articulated or explored. The fact is, the rigorous identity proofing protocols that a person goes through to even receive a PIV credential, combined with the PIV credential authenticity technology features, provide a remarkably useful tool to stop most attacks before they can even get close to your organization. Below are some of the security features of PIV:

  • Enables deny all by default security policies: Many organizations must keep services available to anyone on the internet. For example, they allow a web browser or VPN connection to be accessed by anyone so that they can reach the password entry screen. With PIV, new cryptographic controls can be implemented so that only those with a valid PIV credential can even reach the sign-on page. This is critical because the organization can now block anyone without a PIV credential before they even get to your services.
  • Prevents credential theft: Every relevant attack we have analyzed involves some form of credential theft from an identity repository. Subsequently, these credentials are used by the attacker to masquerade as a legitimate user rendering security systems useless. With PIV, the credentials are only stored in a tamperproof container that is physically possessed by only the approved PIV user which can only be accessed with their biometric or PIN. Therefore, by using PIV, attackers no longer have the luxury of stealing credentials from an identity database.
  • Permits trusted communications: Many attacks occur because a well-intentioned user receives a message from a seemingly trustworthy person and opens an attachment that launches malware. It is critical to understand that this new generation of attacks uses a combination of social media harvesting, consumer behavior pattern analysis and psychological trust features to make the user believe they are helping their organization by opening a message. By using PIV, an organization can allow only attachments that have been signed by a valid PIV credential to enter the organization, thus drastically decreasing the potential of a user accidentally distributing malware.
  • Locks down devices: Many attacks will focus on business partners, home networks or actual theft of a physical device such as a laptop or mobile device. By using PIV technologies, data can be encrypted so that even when a device outside the control of your security team is breached, your data can remain safe.
  • Makes data unusable to attackers: Even if the data is stolen, data is useless unless you possess the PIV card and PIN that encrypted the data.

PIV Protection Plan

Our plan strategically implements PIV at critical locations in order to eliminate many of the popular attack pathways traditionally used to gain access. Our strategy is to mitigate the threats by 1) removing the attack launch points, 2) eliminating common credential theft schemes, 3) removing traditional malware distribution channels, and 4) making the data worthless even if stolen.

Fortify boundary: Block any remote transaction that is not PIV based.

Eliminate passwords: Eliminate the password authentication option so that stolen passwords cannot be used.

Lock data: Make data unusable to those without a PIV credential.

Stop malware distribution: Only permit signed attachments from trusted parties.

PIV protection implementation steps

The goal of this fundamental plan is to enable organizations to start protecting their infrastructures immediately with PIV credentials. Therefore, each of the following steps can be implemented through standard guidance from the vendor and will not require software code changes. For example, Microsoft Active Directory, Apache web server, Cisco VPN and Apple iPhone all support the use of PIV digital certificates via standard configuration.

Need advanced PIV integration help? We have expertise in PIV application integration, single sign on and biometric technologies to help with advanced PIV usage needs. Contact us to find out more.
Block remote access (to non-PIV users)

PIV Configuration Task: On your perimeter devices, force mutual authentication via client certificates and refuse any other traffic.

How this protects your organization: This element serves two purposes: 1) block non-PIV traffic so the attackers cannot even begin their attack protocols, 2) force multi-factor authentication to eliminate credential theft attacks. Now, anyone wanting to access your environment remotely must use their PIV credential. Therefore, attackers can no longer steal or guess passwords to gain remote access to your environment, rendering numerous attacks useless.

Force client certificates for SSL

PIV Configuration Task: Within your web server’s configuration, require SSL and client certificates for all transactions. All other transactions without client certificates will be dropped.

How this protects your organization: This configuration forces anyone accessing your web site to have a trusted client certificate (PIV credential). Otherwise, the web server will completely refuse any further transactions. This countermeasure also eliminates many web based threat vectors because the attacker cannot even perform basic browsing commands without a PIV credential.
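As an added example, not configuration from the original article or from any vendor's documentation: an Apache httpd (mod_ssl) virtual host showing the weak client-certificate setting beside the corrected one for this step. The hostname, file paths and CA bundle name are placeholders.

```apache
# Added example (not from the original article): Apache httpd 2.4 mod_ssl
# virtual host that refuses any transaction without a trusted PIV client certificate.
# Hostname, file paths and the CA bundle name are placeholders.

<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    # Server certificate and key (placeholder paths)
    SSLCertificateFile    /etc/ssl/certs/portal.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.key

    # WEAK: "none" (the default) or "optional" lets anyone reach the sign-on page
    # over a plain TLS connection; do not use either for a PIV-gated service.
    # SSLVerifyClient none
    # SSLVerifyClient optional

    # CORRECTED: the TLS handshake fails unless the client presents a certificate
    # that chains to one of the PIV issuing CAs in this bundle (placeholder path).
    SSLCACertificateFile /etc/ssl/certs/piv-issuing-cas.pem
    SSLVerifyClient      require

    # PIV chains are typically several CAs deep; the default depth of 1 would
    # reject valid cards. Set this to the longest chain your bundle must verify.
    SSLVerifyDepth       4

    # A lost or revoked card must stop working: check the client certificate
    # against the issuer's OCSP responder, since a card reported lost otherwise
    # still passes the chain check.
    SSLOCSPEnable        on

    # Pass the verified certificate fields (e.g. SSL_CLIENT_S_DN) to the application
    # so it can map the card holder to an account without re-doing validation.
    SSLOptions           +StdEnvVars
</VirtualHost>
```

Check the syntax with apachectl configtest before reloading, then confirm from a browser with no certificate loaded that the handshake is refused rather than the sign-on page being served.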

Implement Active Directory Smart Card Logon

PIV Configuration Task: Within your Active Directory, configure smart card logon.

How this protects your organization: One of the highest value targets for an attacker is your active directory. The reason is, this repository contains the credentials for everyone in your organization which attackers can download and decrypt using a plethora of utilities. By using smart card logon with a PIV card, the end user must perform multi-factor authentication to gain access. So, even if an attacker gains access to your network, they must also have a trusted PIV card to authenticate. There are no longer easily decrypted passwords available for them to steal and use for impersonation.

Digitally sign attachments

PIV Configuration Task: Utilize digital signatures for email and attachments.

How this protects your organization: Many of the most effective attacks have originated by an attacker sending a perfectly crafted, trustworthy email with malware embedded in an attachment. One of the most effective techniques is to force the use of PIV digital signatures for emails and attachments. This technique prevents an attacker from distributing malware because if they do not have a PIV card to sign the message, the message cannot be further distributed.

Encrypt devices and laptops

PIV Configuration Task: Implement data encryption for laptops and devices.

How this protects your organization: Devices and laptops often contain core organization data in clear text. Additionally, many of the computing platforms are used remotely from networks that may not be trusted or verified which can enable the device to be attacked. To mitigate this, the PIV credential should be used to encrypt the data on the end user devices.

Encrypt database backups

PIV Configuration Task: Configure your database backups to be encrypted.

How this protects your organization: Many organizations overlook their database archives. We have seen many occasions where the entire DB is simply moved to a different network share or even offsite to a different datacenter with no security on the archive. The attacker then simply downloads this data and can read this without even a password. By using PIV encryption, a valid PIV credential and PIN is required to view the data, thereby making the data useless to an attacker.

Conclusion

PIV technologies can provide extremely effective countermeasures to prevent system compromise and deter attackers before they even begin. However, these features must be adopted and utilized otherwise attackers are only one stolen password, malware infected email or stolen device away from completely devastating an organization and their customers with the next wave of cyber attacks.

How to develop an enterprise encryption policy

An enterprise encryption policy governs the technical standards and operating procedures for the entire organization. Unfortunately, many organizations either do not have an enterprise-wide policy or rely on different business units to implement encryption technologies as point solutions without thought of the corporate-wide impact. The lack of organization-wide encryption standards leads to inconsistent technology implementation, low or negative return on investment or, worst of all, needless exposure to regulatory liability for lack of data protection.

This article provides the fundamentals for designing an enterprise encryption policy to properly align corporate resources so that encryption technology is applied consistently across the organization. With proper planning, implementation and monitoring, the enterprise encryption policy can ensure the organization is properly utilizing encryption as a security control to protect business data and minimize liability.

Encryption concepts and policy impacts

From a business perspective, encryption can be summed up with the following sentence – Encryption locks data, only people with the correct key can unlock it. To get more of an understanding, let’s analyze each sentence element to explain the details and the associated policy impact in the table below:

Encryption locks

Description: A computing process that uses algorithms and ciphers to transform readable data into data that cannot be read or processed.

Policy impact: The strength of encryption can be determined by different cipher and algorithm selection. If an enterprise policy does not dictate the use of the strongest encryption settings, then the encryption can be applied with weak settings thereby rendering the organization’s encryption tactics useless. The enterprise policy must specify that the strongest algorithms and ciphers be used.

Data

Description: The information the organization is protecting.

Policy impact: Like any other security tool, encryption should be applied in a manner that supports the business need. Deciding what data to protect is very important because the organization wants to ensure the most sensitive data is protected while not wasting resources on noncritical data or information published for public consumption. The enterprise policy must use the organization’s data classification policy to ensure the most critical data is protected.

Only people

Description: The users that will be able to decrypt the data.

Policy impact: A critical, and often overlooked, aspect of an enterprise encryption policy is training. The most important element of an encryption system is the user. If they select the wrong option, fail to protect their key, or do not encrypt sensitive data, all of the organization’s efforts on data protection can be wasted. Therefore, it is critical that adequate training and education be provided to the user so they use encryption effectively and in accordance with the organization’s security goals. The enterprise policy must specify training and education for users to ensure effective use of encryption.

With the correct key

Description: This key works with the cipher to descramble the data.

Policy impact: Another core element to encryption is key management. When data is encrypted, it uses a key for both the encryption and decryption process. If that key is not protected or is not strong enough, it can either be stolen or guessed to decrypt the data originally protected. The enterprise policy must specify key size and the key protection technique.

Can unlock it

Description: These are the users that have access to the key to decrypt the data.

Policy impact: It is critical that an access control policy to decrypt encrypted data is defined. Otherwise, data may be encrypted with a shared key that provides little or no access control, which renders encryption useless. The enterprise security policy must specify that the key is managed properly and is only available to authorized personnel. Additionally, the policy should have an escrow element in place to clearly outline the security processes required to access decryption keys for data recovery purposes.

How to structure your enterprise encryption policy

With the basics of encryption covered, the next phase is to understand what an enterprise encryption policy should include. The ultimate goal of an enterprise policy is to ensure encryption technology is being applied consistently and used correctly to ensure critical data is protected and organization risk and liability is minimized. The table below provides guidance for the minimal content consideration for the encryption policies.

Encryption technical standards: This policy area should specify the encryption technical elements the organization must implement. For example, this policy will specify the strength of ciphers, algorithms, key sizes and key management protocols to ensure the organization securely implements encryption in a consistent manner.

What to encrypt: This policy area should specify what data must be encrypted. For example, most organizations should use their data classification policy to determine their most critical data and then ensure this data is being encrypted.

When to encrypt: This policy area should specify when the data should be encrypted. Below are common examples of when encryption should be applied:

- Stored offsite
- Stored on a mobile computing platform
- When being transmitted over a public network
- When accessing a remote access session

Key protection: This policy area should specify the strength of keys to be used as well as the protection mechanism to secure the respective keys. Common policy guidelines are:

- The keys must be protected using multi-factor based access control
- The keys must be generated in accordance with NIST standards

Key escrow: This policy area should define how keys will be stored and retrieved for legal or disaster recovery purposes.

Training: This policy area should specify how users will be trained to use encryption technologies. Components such as user guides, computer based training and in person briefings are commonly used to train users how to effectively use encryption technologies.

Monitoring: This policy area should specify how the organization will ensure the encryption policy will be enforced. Common assessment activities include:

- Database assessments will be performed to verify critical data is being encrypted
- Email gateways will be analyzed to ensure messages are being protected
- Desktop builds will be analyzed to ensure file system encryption has been implemented

Author, Implement and Monitor

Implementing an enterprise encryption policy is a challenge that will require extensive planning, testing and continuous refinement. The following framework can be utilized to enable your organization to rapidly begin to implement a policy to protect your business operations.

AUTHOR THE POLICY

Do not wait to begin this activity. Using the guidance previously discussed, create a baseline enterprise encryption policy that sets the technical standards, operating procedures and monitoring activities required to implement encryption organization-wide. Although the first version of the policy may not be perfect, it still enables the organization to prepare for the usage of encryption.

EDUCATE

With the policy completed, create awareness programs to notify the organizational units that encryption technologies will be implemented throughout the organization. Instruct the organizational units to educate and prepare staff for the upcoming changes so they can properly implement and use encryption techniques.

INVENTORY

In many organizations, engineers and security managers may have already implemented encryption techniques to protect data. Send out a questionnaire to determine if encryption is already being used. The sample matrix below provides different questions for different technology units.

Security Management
- Is there an encryption policy in place?
- Is there a key management plan in place?

Database
- Are we encrypting the sensitive columns in our database?
- Are the backups being stored in the clear or encrypted?

Networking
- Are we using VPN technologies for site to site connections?
- Are internal links being encrypted?

Mobile
- Are mobile devices protected via an enterprise mobility management technology?
- Is containerization being used?

Desktop/server management
- Are we using any of the following: full disk encryption, Encrypting File System, file or folder encryption?

Backup management
- Are our backup archives being encrypted?

Cloud Computing
- Are we using encrypted storage?
- Do we encrypt our data before uploading to the cloud?
Remote access
- Are we enforcing encryption between the client and the server?

Virtual machine management
- Are we encrypting our virtual machines?

Messaging
- Do we encrypt the email messages we send?

USB Keys
- Are we using storage media that is encrypted by default?

RECONCILE

Compile the responses from the questionnaire to determine how and where encryption is being used. Next, if encryption is being used, verify it meets the standards set within the organizational policy. If encryption is not being used for sensitive data, develop a plan to implement the encryption technologies as defined by the enterprise encryption policy.

MONITOR

Once the encryption technologies have been put in place, conduct periodic internal assessments to ensure the encryption standards are being implemented and used in accordance with policy.

Conclusion

When properly implemented, encryption is a remarkably powerful security tool that drastically reduces risk and liability. However, encryption technologies must be implemented consistently across the organization to achieve maximum effectiveness. By setting clear standards and operating procedures through an enterprise encryption policy, organizations can reap all of the benefits of strong data protection and protect themselves against needless financial losses due to data breaches.