On July 12, DIA hosted the latest CWP meetup, which featured the announcement that Multi-Factor Authentication (MFA) is coming to CWP soon, as well as a demonstration of MFA. Katrina Banks, Security Assurance Manager at the Government Chief Digital Office (GCDO), and Danielle Vandendungen, Senior Advisor at CERT NZ, joined us to speak about the long-awaited arrival of Multi-Factor Authentication to CWP, and how it will improve the security of your CMS. Garion Herman, a Senior Developer at SilverStripe, showed us how MFA works within the CMS, and what methods of authentication you can use.
Bringing MFA to CWP
MFA is a security measure that requires a user to present more than one method of authentication when logging in to a system. This generally means a password and a code that’s generated at the time of logging in. Through phishing or credential harvesting, attackers can get access, including administrative privileges, to an organisation’s CWP website. These risks are greatly reduced with the introduction of MFA.
Working closely with SilverStripe for over a year, Katrina Banks spoke about how DIA was assisting SilverStripe with their security certification, especially when it came to how to implement MFA. CERT NZ came on board as a pilot user, as MFA is one of the top four security controls they recommend as part of Cyber Smart Week, NZ’s cyber security awareness week. When agencies begin to implement and use MFA across their digital spaces, they are assured that it has been certified by the lead agency, and that the authorisation method has gone through the right channels to ensure that their websites are secure.
As a member of the team that helps to coordinate and respond to cyber security incidents, Danielle Vandendungen spoke about how CERT NZ is supporting New Zealanders and businesses to improve their security practices. People tend to reuse their passwords across different web services. These passwords are at risk of being loaded into databases of passwords that can then be sold. Attackers can run scripts against these databases and try the passwords on different websites to gain access to your information. Government websites are an attractive target for cyber security incidents, whether for hacktivism or to obtain data. Making sure your website is protected needs a secure solution that is more than just creating more elaborate passwords. One of the best ways to protect your website is to turn on MFA.
MFA is a free service that asks for another factor when you’re logging in, such as a code from an app on your phone, to authenticate you to the system. This greatly increases the security of your website, as attackers now need something else as well as your password to get in. It’s easy to use and allows you to select a method that suits your organisation. For CWP, your agency will have the opportunity to use an app, such as Google Authenticator, or a security token, such as U2F, as your separate method of authentication when you are logging into your CMS. SMS will not be available for MFA with CWP, as text messages are much easier to intercept, which makes SMS less secure than using an app or token.
It will be available as a module to add from September, and can be easily added by asking your developer or putting in a request with SilverStripe!
Did you attend our last CWP Meetup? We would love to hear your thoughts! Get in touch with Kayleigh Shepherd from DIA if you would like to provide feedback, suggest topics, or even speak at our next meetup. You can reach Kayleigh at firstname.lastname@example.org.