Restricting, Authenticating, Tracking User Access? Time Is Not On Our Side!
The 2015 worst password list was published recently(1). The list is only one confirmation that leaving password controls to the end user is not secure. Verizon’s 2015 Data Breach Investigations Report(2) revealed that most breaches resulted from harvested credentials. And recently, a former executive for the Cardinals pleaded guilty to accessing the Astros’ player database and email system(3). He gained access by learning the account and password from an employee who turned in their laptop. This type of breach has become much too commonplace.

If you haven’t already, it’s time to take action and migrate to multifactor authentication. There is a sound ROI for the investment, and VIMRO is extremely committed to helping our clients migrate to multifactor authentication in 2016!
Why Passwords Don’t Work
There is no shortage of case studies that make a strong case, with confirmed ROI, for moving to multifactor controls. Here are a few examples:
• In addition to the Verizon 2015 Data Breach Investigations Report we referenced above, Wired published an article about the breaches of 2015(4). Most of the year’s largest hacks involved weak authentication. Multifactor controls would drastically reduce or eliminate this threat. (see reference #6)
• When the VIMRO Cyber Security Team conducts penetration tests, we almost always gain access to our clients’ systems via captured credentials. There are so many attack vectors to obtain passwords! Multifactor controls would considerably reduce or eradicate the following vulnerabilities:
  o Through social engineering, in which a workforce member sends us their passwords, tells us their passwords, or enters their passwords into a simulated cybercriminal fake web site; or
  o By intercepting them when conducting man-in-the-middle attacks (in which an attacker secretly relays, often altering, the communication between two parties who believe they are directly communicating with each other); or
  o By gaining access to the password database/file when breaching a weakly configured or patched system, and then cracking the records with a password-cracking application, such as L0phtCrack, Ophcrack, RainbowCrack, Cain and Abel, John the Ripper, etc.
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Passwords Don’t Work: Multifactor Controls Are the Answer
Learn how to demonstrate ROI
There is a sound ROI for the investment of Multifactor Controls
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Authored by VIMRO’s Cybersecurity Leaders
With the right methodology, ROI is easy to demonstrate.
The VIMRO security team’s work involves traveling. We overhear a lot of phone conversations when we’re in the airport. On many occasions we overhear support calls. Most support calls we hear involve a traveler forgetting their password, which is understandable given the stresses and distractions of travel. We often can gather where the individual works, their account name, and, yes, even their password, which they typically repeat after a support person gives it to them over the phone. Here are a few default passwords that we have recently heard in our travels:
• Winter2015! (It would be a reasonable guess that the next one is going to be Spring2016! or some derivative.)
• “name of company”!@#abc
• “person’s name”1234

If we were criminals, or even if we were ethically conducting a social engineering experiment by sitting in the airport and listening to calls, we’re pretty confident that we would be able to gain unauthorized access to the individuals’ respective organizations. Once again, the solution calls for multifactor controls.
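The password shapes above are easy to reject at the point where a help desk or self-service portal sets a new password. The following policy check is an added example, not VIMRO’s code: it flags season-plus-year passwords and company or personal names padded with a short run of digits or symbols. The organisation name, user names and sample passwords are constructed placeholders.

```python
"""Policy check that rejects the predictable password patterns described above.

Added example, not VIMRO's code. The organisation name, user names and
sample passwords are constructed placeholders.
"""
import re
from typing import Iterable, Optional

# Season + year, optionally separated by or followed by a few symbols:
# "Winter2015!", "Spring2016!", "summer-16", "Fall2015".
SEASON_YEAR = re.compile(
    r"(winter|spring|summer|fall|autumn)[^a-z]{0,2}(19|20)?\d{2}[^a-z]{0,4}"
)

# Once a known word (company or person name) is removed, at least this many
# characters of real content must remain for the password to pass.
MIN_REMAINDER = 8

# A remainder that is only digits/symbols plus at most three letters is
# padding, e.g. "!@#abc" or "1234", not content.
PADDING = re.compile(r"[^a-z]*[a-z]{0,3}")


def _remove_word(pw: str, word: str) -> Optional[str]:
    """Return pw with `word` cut out, or None if the word is absent."""
    word = word.lower().strip()
    if len(word) < 3 or word not in pw:  # ignore trivially short names
        return None
    return pw.replace(word, "", 1)


def predictable_pattern(password: str,
                        org_names: Iterable[str],
                        user_names: Iterable[str]) -> Optional[str]:
    """Return the name of the first matched banned pattern, or None if clean.

    Checks are case-insensitive. `user_names` should be the names of the
    account holder (first, last, username), not a global list.
    """
    pw = password.lower()
    if SEASON_YEAR.fullmatch(pw):
        return "season-year"
    for label, words in (("org-name", org_names), ("user-name", user_names)):
        for word in words:
            rest = _remove_word(pw, word)
            if rest is None:
                continue
            if PADDING.fullmatch(rest) or len(rest) < MIN_REMAINDER:
                return label
    return None


def check_batch(passwords: Iterable[str],
                org_names: Iterable[str],
                user_names: Iterable[str]) -> dict:
    """Map each candidate password to its verdict (pattern name or None)."""
    org_names, user_names = tuple(org_names), tuple(user_names)
    return {p: predictable_pattern(p, org_names, user_names) for p in passwords}


if __name__ == "__main__":
    # Constructed sample: the shapes the paper reports hearing in airports.
    samples = ["Winter2015!", "Spring2016!", "Acme!@#abc", "Alice1234",
               "tangent-copper-owl-river"]
    for pw, verdict in check_batch(samples, ["Acme"], ["Alice", "Smith"]).items():
        print(f"{pw:<26} {verdict or 'ok'}")
```

Such a filter only removes the most predictable choices; it complements, rather than replaces, the multifactor control the paper recommends.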
ROI for Multifactor Authentication Controls is Easy to Demonstrate
All clients need to demonstrate an ROI when they present their solution to a problem. Using passwords only is a major problem. The likelihood of a breach due to weak authentication is high, based on the following risk/threat examples:
• phishing (attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication)
• man-in-the-middle
• gaining access to the password file database

The impact of a breach can be high in terms of hard costs:
• remediation/corrective action
• breach notification letters and credit monitoring for each record compromised
• lost sales/consumer confidence
Compare, contrast, evaluate the products that meet YOUR needs.
In most cases, when VIMRO conducts an ROI assessment for multifactor controls, we can demonstrate to our client that the control is less expensive than the hard costs associated with a single breach. And this doesn’t even include implied costs: it’s much harder to demonstrate a breach’s effect on a company’s reputation. Indeed, in talking with most C-level executives, we learn that their company’s reputation among its customers and shareholders is one of their top concerns, and that any crack in that reputation is, in fact, associated with a high cost.
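The comparison described above, worked through as an added example that is not VIMRO’s methodology or figures: the breach-cost categories are the paper’s, every number is a constructed assumption, and the breakeven breach rate goes one step beyond the text by showing how likely a credential-driven breach must be for the control to pay for itself.

```python
"""Breach-cost vs. multifactor-control ROI model.

Added example, not VIMRO's own methodology or numbers. All figures are
constructed assumptions for illustration; replace them with your own
inventory data and vendor quotes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachCost:
    """Hard costs of one breach, in the categories the paper lists."""
    records: int                    # sensitive-data records exposed
    notification_per_record: float  # notification letter + credit monitoring per record
    remediation: float              # remediation / corrective action
    lost_sales: float               # lost sales / consumer confidence

    def single_loss(self) -> float:
        """Single loss expectancy (SLE): hard cost of one breach."""
        return (self.records * self.notification_per_record
                + self.remediation + self.lost_sales)


@dataclass(frozen=True)
class MfaControl:
    """Cost and effectiveness of the multifactor control being proposed."""
    users: int
    cost_per_user_year: float  # licence / token cost per user per year
    implementation: float      # one-time project cost (pilot, rollout, documentation)
    residual_factor: float     # share of credential-driven breach likelihood left after MFA

    def annual_cost(self, year: int) -> float:
        """Recurring cost each year, plus the one-time cost in year 1."""
        return self.cost_per_user_year * self.users + (self.implementation if year == 1 else 0.0)

    def total_cost(self, years: int) -> float:
        return sum(self.annual_cost(y) for y in range(1, years + 1))


def annual_loss_expectancy(sle: float, annual_rate: float) -> float:
    """ALE = SLE x ARO (annualised rate of occurrence)."""
    return sle * annual_rate


def mfa_roi(breach: BreachCost, control: MfaControl,
            breach_rate: float, years: int = 3) -> dict:
    """Compare cumulative expected loss with and without MFA over `years`.

    breach_rate: expected credential-driven breaches per year with passwords only.
    ROI = (loss avoided - control cost) / control cost.
    """
    sle = breach.single_loss()
    ale_without = annual_loss_expectancy(sle, breach_rate)
    ale_with = annual_loss_expectancy(sle, breach_rate * control.residual_factor)
    control_cost = control.total_cost(years)
    loss_avoided = (ale_without - ale_with) * years
    return {
        "sle": sle,
        "ale_without_mfa": ale_without,
        "ale_with_mfa": ale_with,
        "control_cost": control_cost,
        "loss_avoided": loss_avoided,
        "net_benefit": loss_avoided - control_cost,
        "roi": (loss_avoided - control_cost) / control_cost,
    }


def breakeven_breach_rate(breach: BreachCost, control: MfaControl, years: int = 3) -> float:
    """Annual breach likelihood at which MFA exactly pays for itself.

    Solves (ALE_without - ALE_with) * years == control_cost for the rate.
    """
    reduction_per_breach = breach.single_loss() * (1.0 - control.residual_factor) * years
    return control.total_cost(years) / reduction_per_breach


if __name__ == "__main__":
    # Constructed figures: a 500-user organisation holding 50,000 customer records.
    breach = BreachCost(records=50_000, notification_per_record=10.0,
                        remediation=150_000.0, lost_sales=200_000.0)
    control = MfaControl(users=500, cost_per_user_year=40.0,
                         implementation=60_000.0, residual_factor=0.1)
    for key, value in mfa_roi(breach, control, breach_rate=0.25).items():
        print(f"{key:>16}: {value:,.2f}")
    print(f"breakeven breach rate: {breakeven_breach_rate(breach, control):.3f} per year")
```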
Conduct an IT Component and Sensitive Data Inventory
Demonstrating an ROI for multifactor controls is the easiest part of the project. In the next phase of a multifactor implementation project, identify how the solution will be used. This involves in-depth knowledge of your environment. Most clients utilize the CIS Critical Security Controls(5) to acquire and manage this information. Specifically:
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software

The inventory should include where sensitive data resides and how authentication is currently handled. Dataflow diagrams also help provide a detailed understanding of all of the components involved in sensitive data transmission, processing, and storage. This enables efficient and effective implementation of the multifactor solution.

Once the inventory is conducted, create a list of criteria that the multifactor solution must meet. We have provided a list of common requirements among VIMRO clients in Attachment 1.
Evaluate Products that Meet Your Needs
There are many good multifactor authentication products on the market. VIMRO is vendor-agnostic, so we help our clients research three or four or more products that work best for their needs, but we do not promote one product over another.
Vet the strategy by conducting a pilot project.
One of our methods for identifying the best candidates for our clients’ evaluation is suggesting solutions that worked well for similar organizations. We add those vendors to the evaluation list in Attachment 1. We also identify good solution candidates by staying current with industry reporting on these products. Some good resources for this are:
• Search Security: http://searchsecurity.techtarget.com/feature/The-fundamentals-of-MFA-Comparing-the-top-multifactor-authentication-products
• Forrester: https://www.forrester.com/How+To+Get+Away+With+Murder+Authentication+Technologies+That+Will+Help+You+Kill+Passwords/fulltext/-/E-res126341
• Gartner: https://www.gartner.com/doc/2930517/magic-quadrant-user-authentication
• SANS: https://www.sans.org/reading-room/whitepapers/authentication
• SC Magazine: http://www.scmagazine.com/two-factor-authentication-smart-cards-tokens/products/83/0/
Conduct a Pilot Project
VIMRO recommends that you conduct a pilot project using the one or two highest-scoring solutions on your evaluation sheet. Together we will select one or two users from each of your organization’s business units. VIMRO recommends mixed-skill pilot groups consisting of power users, intermediate users, and users needing more support than most. This provides you with adequate feedback to conclude whether the solution will work for your organization.
Documentation
Thorough documentation is critical to a successful implementation and lifecycle of the multifactor solution. Dedicate resources to documenting everything. This includes:
• Design documents
• As-built documents
• Support documents
• User instructions
• Pilot project lessons learned
...must conduct continuous exercises that test the effectiveness of training.
Awareness Training is Still Important
Multifactor controls are critical, but it is still important to have a layered defense. This is especially true when it comes to protecting your users. Multifactor controls can be compromised if a user shares their verification code with an attacker through social engineering(6). It is important to conduct cyber security awareness training with workforce members and to conduct continued exercises that test the effectiveness of your training program. See VIMRO’s “Strengthening the Weakest Link”(7) paper for more information.
Conclusion
Antimalware, IDS/IPS, and firewalls have become important tools to protect businesses over the years. Breach data and research prove that ever-increasing threats now require the use of multifactor controls to protect our businesses, employees, and customers.

We encourage you to contact VIMRO to discuss how we can help make multifactor controls part of your business practices.
References
(1) 2015 Worst Password List: http://www.theguardian.com/technology/2016/jan/20/123456-worst-passwords-revealed
(2) Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2015/
(3) Ex-Cardinal Executive Pleads Guilty to Accessing Astros’ Database: http://espn.go.com/mlb/story/_/id/14531169/christopher-correa-former-st-louis-cardinals-executive-pleads-guilty-hacking-houston-astros-database
(4) Wired List of 2015 Largest Hacks: http://www.wired.com/2015/12/the-years-11-biggest-hacks-from-ashley-madison-to-opm/
(5) CIS Critical Security Controls: https://www.sans.org/critical-security-controls
(6) Two-Factor Authentication Social Engineering Vulnerability: http://www.homelandsecuritynewswire.com/dr20160204-vulnerability-found-in-in-twofactor-authentication
(7) VIMRO Strengthening the Weakest Link Paper: https://www.vimro.com/wp-content/uploads/2015/12/Strengthening-the-Weakest-Link-151210_2225opt.pdf
Attachment 1 – Multifactor Authentication Evaluation Requirements