Lack of Multifactor Authentication on VPN
Priority Level: One
Category: Cybersecurity / Compliance
Description: The bank does not enforce multifactor authentication (MFA) on its VPN, even though the VPN provides external access to bank resources. Although the VPN user pool is small, this omission represents a high risk of unauthorized access through credential compromise.
Impact:
- Elevated risk of unauthorized remote access, leading to data breaches, system compromise, or insider threats.
- Non-compliance with FFIEC guidelines on authentication for remote access, potentially resulting in regulatory penalties and audit failures.
- Potential financial and reputational damage from exploited vulnerabilities in external access points.
FFIEC Reference:
- FFIEC Guidance on Authentication and Access (August 2021):
  - "Multi-factor authentication (MFA) or controls of equivalent strength... Remote access software, which allows remote access to a user's computer or..." (p. various)
- FFIEC IT Examination Handbook, Information Security (September 2016):
  - "Unnecessary remote access, obtains approvals for and performs audits of remote access... Multi-factor authentication: The process of using two or more..." (p. various)
Recommendations:
- Immediately implement MFA on the VPN using a solution such as Duo, and ensure that all users are enrolled.
- Conduct a security audit of VPN access logs and restrict the user pool to essential personnel only.
- Train users on MFA best practices and monitor for compliance.
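As an added example (not part of this finding or the bank's own tooling), the following Python audits VPN authentication logs in the way the second recommendation describes: it reports successful logins that completed without an MFA step and users who authenticated but are not on the essential-personnel list. The log line format, field names, sample log lines and allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (not from any real system).
# Assumed format: "<timestamp> vpn auth user=<name> src=<ip> result=<success|fail> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-03-01T08:02:11Z vpn auth user=jsmith src=203.0.113.10 result=success mfa=yes
2024-03-01T08:05:43Z vpn auth user=mlee src=198.51.100.7 result=success mfa=no
2024-03-01T09:17:02Z vpn auth user=contractor9 src=192.0.2.55 result=success mfa=no
2024-03-01T09:20:30Z vpn auth user=jsmith src=203.0.113.10 result=fail mfa=yes
2024-03-01T11:41:19Z vpn auth user=mlee src=198.51.100.7 result=success mfa=yes
"""

# Hypothetical allowlist of personnel approved for VPN access.
ESSENTIAL_PERSONNEL = {"jsmith", "mlee"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>yes|no)$"
)

def parse_log(text):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def audit_vpn_access(text, allowlist):
    """Return successful logins without MFA (per user) and users outside the allowlist."""
    no_mfa = defaultdict(list)   # user -> timestamps of successful logins with mfa=no
    unapproved = set()           # users who authenticated but are not approved
    for ev in parse_log(text):
        if ev["result"] != "success":
            continue             # failed attempts are not access; only successes matter here
        if ev["mfa"] == "no":
            no_mfa[ev["user"]].append(ev["ts"])
        if ev["user"] not in allowlist:
            unapproved.add(ev["user"])
    return {"no_mfa": dict(no_mfa), "unapproved": sorted(unapproved)}

if __name__ == "__main__":
    findings = audit_vpn_access(SAMPLE_LOG, ESSENTIAL_PERSONNEL)
    for user, times in findings["no_mfa"].items():
        print(f"{user}: {len(times)} successful login(s) without MFA, first at {times[0]}")
    for user in findings["unapproved"]:
        print(f"{user}: authenticated but is not on the essential-personnel list")
```

Once MFA is enforced on the VPN, the `no_mfa` result should stay empty on every run; any non-empty result is a policy gap to investigate.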
Prioritization Rationale:
- Priority One: These findings address critical cybersecurity and data protection risks with high potential for breaches, data loss, and regulatory penalties. They represent immediate vulnerabilities in cloud and remote access.