In today’s world, simply opening any tech blog or turning on the news brings a constant stream of reports of breached websites, hacked accounts, stolen identities and compromised passwords.
The reality, regardless of the expectation, is that there is no magic wand, or pair of them, that can guarantee 100% security in a computer environment. A computer environment can be fully patched at the desktop, server and infrastructure levels and still be completely at risk of a compromise. The best that we can do is reduce the footprint of our environments that we expose to the public world and make sure that security basics are followed and, even more importantly, taught to the employees.
Over the course of my career, regardless of the sector or whether I was on the administration side or the security side, the most common risk factor identified and often the cause of an incident was an uneducated or non-caring employee.
We can implement firewalls, intrusion detection, intrusion prevention, a Security Information and Event Management system (SIEM) or any flavor of technology to prevent security lapses, but there is nothing we can do if an employee decides to click on a malware-infested website and/or email, or decides that their system password is going to be catlover123.
The reality is, in my opinion based on research and psychology, that if we want to start changing the security culture in corporations around the world and reduce/limit the number of breaches we are currently witnessing, we have to begin with employee education.
In the realm of employee education on issues of network security, chapter 1 of the training manual should absolutely be dedicated to secure passwords and how to create them. It should cover what complexity is expected and all the do’s and don’ts of a good secure password. The sad fact is that this will not convince many employees to follow suit. They will do their best to keep their catlover123 password, like it is the lifeblood that flows through their body.
Enter multi-factor authentication stage left.
So, what is multi-factor authentication? Multi-factor authentication (MFA) is a method of confirming a user’s claimed identity in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know), possession (something they and only they have), and inherence (something they and only they are).
Simple enough, right? No, it is not quite as simple and can be very expensive and very complex to implement, but it has also been around for a long time, just not widely adopted. If you have been in the corporate world for some time you have probably worked in an environment where someone logging into a website or their computer had to pull out what we called an “RSA Device” so that they could get a one-time code that they used in combination with their password. Again, this was a secure solution, although not perfect, but it was quite pricey and very complex to implement.
But as technology advances, so do our options!
There is a solution that will give us an additional layer of security that is personal to the employee and is considered multi-factor authentication. The beauty of the solution is in the fact that it is widely adopted across many open source vendors and therefore can be implemented with little to no cost, with the exception of the engineers who need to implement it.
Let me introduce you to two-factor authentication (referred to as 2FA for the rest of this document) and two-step verification. 2FA is defined as a type (subset) of multi-factor authentication. It is a method of confirming a user’s claimed identity by utilizing a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
A good example of two-factor authentication is withdrawing money from an ATM; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out.
Two-step verification is an important piece of this puzzle and it is defined as a method of confirming a user’s claimed identity by utilizing something they know (a password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism. Or the second step might be a 6-digit number generated by an app from a secret that is shared between the user’s device and the authentication system.
Many of us may already have experienced one of these two security mechanisms, or a combination of them, in interactions with our online bank, investment account or even something as simple as Google mail. Microsoft Azure and Office 365 even support 2FA and two-step verification, if you enable it and provide users with instructions on how to deploy the out-of-band mechanism, which in this case would be your mobile phone.
Wow, but what does all this mean?
Paul Simon taught us that there are 50 Ways to Leave Your Lover, but hackers have taught us there are thousands of ways to steal your password.
The advantage of 2FA is that even with a compromised password the hacker would also have to gain access to the verification device. Now the key to the success of this formula is that the password in question cannot and should not be connected to the verification mechanism.
For example, it would defeat the purpose of protecting the login to your email account if your verification step was an email with a PIN code sent to the same email account that you’re trying to protect. This should be a simple concept, but many employees do not understand it: if your password is compromised and your verification method is the email of the account that uses that password, then the hacker has access to both.
Enter mobile authentication to potentially save the day. There are two variants utilizing a mobile phone. Google and Microsoft both have an authenticator application that can be installed on your mobile phone. When you log in, depending on how your systems are set up, it will either ask you to open the app and input the code shown on the screen, or it will ask you to open the app and log in (and yes, biometrics can be used) to authenticate and verify your login attempt on your computer.
Another common method utilizing mobile technology is to send a text via SMS to your phone with a code to input into the login screen. Simple and easy, but generally effective.
In this scenario, if your password is compromised the hacker would have your password but would be unable to utilize it to log in, as they would not have your verification method.
The following website provides lists of sites that offer two-factor authentication and resources to contact other companies to request that they adopt it: https://twofactorauth.org
Now, for full disclosure, as I said earlier nothing is 100%, and neither are two-factor authentication and two-step verification. By relying on your mobile phone as the out-of-band personal source of verification, if your mobile phone was cloned then the hacker could in fact receive the same texts and, in some instances, generate the same codes in the smartphone applications. But the reality is, we have reduced our reliance on passwords by a significant amount and reduced the risk associated with employees who come up with many ways to get past the complexity requirements and still have passwords that are very easily cracked.
I lie awake at night wondering why, in today’s technological environment, every login to every system across the world does not implement two-factor authentication and two-step verification. These are not the days of having to purchase a six-figure application to generate a token as the secondary login mechanism; it can often be a simple piece of software installed in conjunction with your Active Directory environment or LDAP server. And to compound my confusion, many of the cloud environments that we are moving into by default now come with two-factor authentication and/or two-step verification already built into them.
Implementation of this technology would significantly decrease the risk factor for an organization while also helping them comply with PCI DSS and HIPAA regulations at the same time.
While we still need to educate users in the philosophical nature of complex password creation (and yes, that will be another topic coming soon), the best way to protect against the uneducated user, or the user who just doesn’t care, is multi-factor authentication.
Repeat after me: 2FA Today!
Let Longevity Technology manage the technology, so you can focus on your business!!!
About the Author:
Stephen Turner is a 24-year veteran of the Information Technology world who began as a crypto technician in the United States Marine Corps. He has worked all facets of the Information Technology world including administration, security, consulting, project management, Director and as a Chief Information Officer for a nationwide organization, where he was responsible for architecting the security infrastructure during the migration of the organization’s entire data center to the “cloud”. He also served as the Director of Cyber Security – Cybersecurity and Research for the Florida Center for Cyber Security, a Florida organization established by legislation to position Florida as a national leader in cybersecurity through education and workforce development; innovative, interdisciplinary research; and community engagement.
He is currently a partner and President of the MSSP Services for Longevity Technology, a Tampa, FL based company that is uniquely designed to provide managed technology services, but also true managed security services for the small to mid-size business community.
Stephen has trained as a Certified Ethical Hacker, Certified Information Systems Security Professional and as a Red Hat Certified Architect with a focus on Linux security and is a Microsoft Certified Systems Engineer.