BSides Philly 2017 – MFA: It’s 2017 and You’re Still Doing It Wrong

Dec 13, 2017

BSides Philly

Security Risk Advisors is proud to have been a Platinum Sponsor at BSides Philly on Friday, December 8th. In addition to continued involvement in and support for the BSides organization, Security Risk Advisors’ Chris Salerno and Dan Astor also presented on Multi-Factor Authentication best practices – and areas for improvement. The presentation is available to watch on YouTube, and slides are available on Slideshare, below:


Presented at BSides Philadelphia, December 8, 2017

We can all agree that having single-factor remote access gateways (VPN, Citrix, Remote Apps, etc.) exposed on the internet is a poor decision and a large security risk. These portals can allow for a direct connection into the internal corporate environment. Once there, an attacker can begin to identify internal vulnerabilities, move laterally, escalate privileges, persist, and hoover out all the data they want. Fortunately, these portals are increasingly behind a multi-factor solution (phone call, hard/soft token, certificate, etc.). While this does help to reduce the attack surface from a direct brute-force attack (username and password), there are often overlooked options or misconfigurations that can allow an attacker to bypass this solution or directly disrupt business operations. In this talk, we’ll be covering methods that we’ve used to bypass MFA solutions to obtain internal network access from the internet.

Chris Salerno
Managing Director

Chris leads SRA’s 24x7 CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.

Prior to shifting his focus to defense and secops, he led hundreds of penetration tests and security assessments and brings that deep expertise to the blue team.

Chris has been a distinguished speaker at Black Hat Arsenal, RSA, BSides and SecureWorld.

Prior to Security Risk Advisors, Chris was the lead penetration tester for a Big4 security practice.

Dan Astor
Principal Scientist

Dan specializes in network penetration testing, adversary simulation, and red team operations. Dan is a member and lead of SRA’s R&I team, which researches and develops tools, techniques, and public content.

Dan has worked for clients in several industries including banking, entertainment & media, insurance, healthcare, pharmaceutical, manufacturing, and utilities.

Dan regularly contributes to open source tooling and blog posts. He has also obtained his Offensive Security Certified Professional (OSCP) certification.