Require MFA for Remote Network Access
Description
Require MFA for all remote network access paths (VPN, remote desktop gateway, and similar) so that a stolen or guessed password alone is not enough to reach the internal network.
Implementation Checklist
Tool Recommendations
- Cloud identity and access management with SSO, MFA, conditional access, and identity governance · Microsoft · Per-user subscription (P1/P2)
- Cloud identity platform providing SSO, adaptive MFA, lifecycle management, and API access management · Okta · Per-user subscription
- Multi-factor authentication and zero-trust access platform with device trust and adaptive access policies · Cisco · Per-user subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
VPN Credential Theft Enabling Network Intrusion
Confidentiality: Stolen VPN credentials grant attackers direct network access from the internet because remote access relies on a password alone, with no second authentication factor.
Remote Access Broker Selling Stolen VPN Credentials
Availability: Initial access brokers sell compromised VPN credentials on dark web markets; buyers use them to enter enterprise networks and deploy ransomware when MFA is not enforced on the remote access path.
Vulnerabilities (When Safeguard Absent)
No MFA for Remote Network Access
Remote access connections (VPN, remote desktop gateway) protected only by passwords can be compromised by any attacker who obtains or guesses valid credentials.
Remote Access as Single Point of Failure
Without MFA, the VPN or remote access gateway becomes a single-password-away entry point to the entire internal network from anywhere on the internet.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing MFA enforced on the VPN or remote access gateway | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
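As an added example (not code from this safeguard page or from any of the vendors listed above), the following Python script produces the monthly MFA enrollment and enforcement evidence item and surfaces the password-only entry point described under Vulnerabilities. It reads a constructed directory export and a constructed VPN gateway authentication log; every field name (`remote_access`, `mfa_enrolled`, `mfa_method`, and so on) is an assumption standing in for whatever your identity provider and gateway actually emit.

```python
"""Audit MFA gaps for remote network access.

Added example: this is not code from the CIS safeguard page or from any
vendor product. It assumes a generic JSON-lines VPN/gateway authentication
log and a simple directory export; every field name below is hypothetical.
"""
import json

# Constructed directory export (hypothetical fields): whether each account is
# permitted remote access and whether it has an MFA method enrolled.
DIRECTORY_EXPORT = [
    {"user": "alice", "remote_access": True, "mfa_enrolled": True},
    {"user": "bob", "remote_access": True, "mfa_enrolled": False},
    {"user": "carol", "remote_access": False, "mfa_enrolled": False},
    {"user": "dave", "remote_access": True, "mfa_enrolled": True},
]

# Constructed VPN gateway authentication events, one JSON object per line.
# "mfa_method" is the second factor the gateway recorded; "none" means the
# session was granted on a password alone.
VPN_AUTH_LOG = """
{"ts": "2024-05-01T08:02:11Z", "user": "alice", "src_ip": "203.0.113.10", "result": "success", "mfa_method": "push"}
{"ts": "2024-05-01T08:05:40Z", "user": "bob", "src_ip": "198.51.100.7", "result": "success", "mfa_method": "none"}
{"ts": "2024-05-01T09:17:03Z", "user": "dave", "src_ip": "203.0.113.22", "result": "success", "mfa_method": "none"}
{"ts": "2024-05-01T09:20:55Z", "user": "mallory", "src_ip": "192.0.2.99", "result": "failure", "mfa_method": "none"}
{"ts": "2024-05-01T10:01:30Z", "user": "dave", "src_ip": "203.0.113.22", "result": "success", "mfa_method": "totp"}
"""

# Values of mfa_method that mean no second factor was presented.
NO_MFA = {None, "", "none"}


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unenrolled_remote_users(directory):
    """Accounts allowed to use remote access that have no MFA method enrolled
    (the enrollment gap: MFA cannot be enforced for them yet)."""
    return sorted(
        rec["user"]
        for rec in directory
        if rec["remote_access"] and not rec["mfa_enrolled"]
    )


def password_only_logins(events):
    """Successful remote-access sessions granted without a second factor.
    These are the single-password-away entry points the safeguard removes."""
    return [
        ev for ev in events
        if ev["result"] == "success" and ev.get("mfa_method") in NO_MFA
    ]


def mfa_coverage(events):
    """Fraction of successful remote logins that completed with a second factor."""
    successes = [ev for ev in events if ev["result"] == "success"]
    if not successes:
        return 0.0
    with_mfa = [ev for ev in successes if ev.get("mfa_method") not in NO_MFA]
    return len(with_mfa) / len(successes)


def audit(directory, events):
    """Split password-only logins into two findings a reviewer acts on differently:
    - enrollment_gap: the user has no MFA enrolled, so enrollment must be completed
    - enforcement_gap: the user is enrolled, yet the gateway still admitted a
      password-only session, so the gateway policy or an exception is at fault
    """
    enrolled = {rec["user"] for rec in directory if rec["mfa_enrolled"]}
    findings = {"enrollment_gap": set(), "enforcement_gap": set()}
    for ev in password_only_logins(events):
        bucket = "enforcement_gap" if ev["user"] in enrolled else "enrollment_gap"
        findings[bucket].add(ev["user"])
    return {
        "unenrolled_remote_users": unenrolled_remote_users(directory),
        "enrollment_gap": sorted(findings["enrollment_gap"]),
        "enforcement_gap": sorted(findings["enforcement_gap"]),
        "mfa_coverage": mfa_coverage(events),
    }


if __name__ == "__main__":
    report = audit(DIRECTORY_EXPORT, parse_events(VPN_AUTH_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the report lists bob as an enrollment gap (allowed remote access, nothing enrolled, and already logging in on a password) and dave as an enforcement gap (enrolled, yet one session was admitted with no second factor), which is the finding that matters most: an enrolled user getting through without MFA means the gateway policy, not the user, is what needs fixing. Swap the two constructed inputs for a real directory export and gateway log and the same functions give the monthly enrollment and enforcement evidence.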