Stung by two data breaches, the White House last month ordered a so-called “30-day Cybersecurity Sprint” to tighten IT protection across all federal departments.
High on the list: “Dramatically accelerate implementation of multi-factor authentication, especially for privileged users.”
There are any number of ways attackers can get into IT systems. But arguably they are after two things: Credentials, to more easily move around the network, and valuable data.
Unfortunately, too many organizations are making it too easy for attackers to get usernames and passwords for data access, particularly by going through partners or contractors.
Last week, for example, the head of the Office of Personnel Management told Congress the breach at her department leveraged a compromised credential from a contractor that led to the loss of millions of OPM personnel files.
Need more proof? According to an industry analyst, lack of two-factor authentication on an internal server led to the 2014 breach at JP Morgan & Chase Co. that compromised information from 76 million households and 7 million small businesses.
It’s clearly time for organizations to stop relying on user names and passwords alone on networks that in any way have access to sensitive data. And according to an industry analyst, there’s no better time than now to shift to two-factor (2FA) or multifactor authentication — not only something users know (a one-time password or code) but also something they have (a smart card) or something they are (fingerprint or retina scanner).
Costs are dropping for using technologies such as fingerprint scanners, smart cards, codes sent by SMS to smart phones and USB fobs that generate random numbers, says Jon Oltsik of the Enterprise Strategy Group.”What we’re seeing is a commodification of two-factor authentication,” he said in an interview.
There are still infosec pros that are reluctant to shift to 2FA, he said, because organizations have been burned in the past by staff losing a device or card. Plus there’s the time expense of setting up added processes on the back end with an authentication server.
But pushed by boards of directors and headlines of breaches which invariably include a loss of credentials as a key element, CISOs are increasingly getting funding for 2FA and MFA projects.
Still, Oltsik added, “if there is a tipping point, we’re just at the on-ramp.”
What’s helping are new approaches that make 2FA more inviting:
— an increasing number of smart phones are adding fingerprint readers, which not only make those devices more secure they can also be used as credentials for other systems;
—the FIDO (Fast IDentity Online) Alliance, a coalition of vendors including Microsoft, Google, Intel, Lenovo, RSA and Qualcomm, developing open specifications for stronger authentication, said so far this year 31 partners have products that have passed its certification. It’s still early days for FIDO, Oltsik said, but he’s optimistic;
–Windows 10, to be released July 29, includes a number of capabilities to make implementing 2FA easier for enterprises.
“The dirty little secret of cybersecurity is while patch and configuration management is very important, when you look at how the bad guys are getting in it’s by compromising an existing user’s identity,” says Jeff Carpenter, senior manager for identity and access products at RSA.
He advises CISOs not to look too narrowly on authentication: There’s a temptation to reduce everything down to passwords or multi-factor authentication devices or tokens, and that’s the wrong focus.
“In most organizations there are two groups that need to address this problem,” he says: The infrastructure group, which usually looks after authentication, and the identity group, which provisions those who come on the network. “Those two group[s have to get married,” says Carpenter, along with the governance group (which look for orphan accounts).
On the other hand, Jeremy Spilman, CTO at Taplink, a cloud service that says it improves the protection of existing password databases, warns that 2FA/MFA “gives users a false sense of security … in many ways it can be a net loss.”
One possible weak spot is the so-called “two-factor bypass,” where an attacker asks call support to resend a password to a hacked email account or a different smartphone number.
“In my opinion two-factor protects against a very narrow use case. You have to very carefully evaluate the pros and cons of implementing it. … It sound so simple — I’ll just send you a text message with five digits. But when you dig into all the ways it can fail, it’s actually a tremendous amount of complexity you add to your system.”
Certainly 2FA/MFA has to be used to secure access to servers and for those with privileged accounts. Providers offering access to sensitive services — everything from email to bank accounts — will increasingly have to think about adding it.
On the other hand, not every login needs it. For example, Mark Keating, CIO at the Peel District School Board (immediately west of Toronto) decided it isn’t necessary for the 150,000 students who have Wi-Fi Internet access. That’s because the board fully segregates the Internet from its internal network with a virtual LAN.
“When you walk in (to a school) we know who you are and drop you into the appropriate VLAN,” he said. There is no guest access. To access instructional resources students have to use school-owned wired PCs that are fully locked down.
However, Keating is looking at adding 2FA for a small number of staff who sometimes log in remotely to sensitive resources.
At a recent conference in Toronto, Dell Inc. CSO John McClurg summed up the argument nicely: “It’s very hard to find an example of a corporation or an entity having been compromised if they have robust two-factor authentiation deployed. It isn’t going to happen.”
Two-factor authentication means the CISO can do away with insecure usernames and passwords, Oltsik points out. “This is one of those few technologies that has a business benefit, a user benefit and a security benefit.”