Thursday, 26 January 2012

Is Two-Factor Authentication a commodity?

The complexity with passwords

We all know we need secure passwords, or at least that we need to keep them secret.  The problem is that we keep being asked to increase password complexity: longer passwords, a mix of upper case and lower case characters, special characters and numbers.  Making passwords more complex must increase security… or does it simply lead to users writing the passwords down, or recycling the same password across a number of environments?

“Something you know, Something you are given, Something you are”

Obviously one of the downsides with passwords is that they can be passed from person to person, at which point you lose accountability for the actions of whoever has logged in.  This is where the requirement for multi-factor authentication arose: there would be a number of independent elements to confirm the validity of the person and the action.

Multi-factor authentication is said to be made up of at least two of the following three elements: “Something you know”, such as passwords and PINs; “Something you are given” (more usually phrased “something you have”), such as a token that produces one-time passwords; and “Something you are”, such as iris and fingerprint scans.

Some people will suggest that using multiples of the same type of authentication, such as several passwords and PINs, makes it multi-factor.  I disagree, and would call that “strong authentication”; I have also heard it referred to as “1.5-factor authentication”.  The point of a second factor is that compromising one factor (a phished or shared password) does not compromise the other.

Two-Factor Authentication requires a specialist?

In the past there was a high level of complexity associated with two-factor authentication, and it was only tackled by specialists within the field: complicated multi-server implementations to build resiliency, more databases to administer and a variety of tokens to manage, all before anything was actually deployed or secured!

Hacked… June 2011!

Undoubtedly, most people reading this will be aware of the compromise reported in June 2011, where one of the world’s largest token vendors (reportedly) had 40 million tokens compromised.  Suddenly all that hard work seems to have been for nothing.  What did all the complexity bring, other than complexity for complexity’s sake?

Commoditised market?

There are a number of vendors offering two-factor authentication, and most organisations now see it as a must-have rather than a nice-to-have.  The barriers to entry were not only complexity, but security, administration time and, in the current economic climate, cost.

Cloud or On-premise?
A cloud service will reduce hardware cost, running cost, power and cooling, with all the other benefits associated with moving to a hosted solution.  There is always a concern about physical security, so ensure the provider meets the right criteria and standards.  There will be concerns around uptime, so ensure there is a good SLA in place.  With data security, ensure data is encrypted in transit and never sent across the internet in clear text, and ask how the token seeds are stored at the provider, since they are the secret everything else depends on.

If these concerns are insurmountable, then look at an on-premise solution, but ensure the solution is highly available if the access it protects is business critical.  Ensure that the administrators looking after the solution can manage it correctly, or have the relevant support contracts in place to provide this.

It would be useful to have a choice of platforms, whether it is cloud or on-premise.

Ease of use?
In most IT environments we have to manage multiple systems, so we all want an easy to use system.

An intuitive, simple to use management console, with good help features, as well as platform parity between the cloud and on-premise solution, would be the way forward.

Token options?
Some providers will only offer hardware tokens, some will offer software tokens, some will offer tokens to run on mobile devices, some will offer SMS and/or email tokens, some will offer OATH-standard (HOTP/TOTP) tokens, and some will offer grid tokens.

What does your user base need?  What mix of tokens is required?  Will there be a company policy to define the type of tokens that will be offered?  What sort of mobile phones need to run tokens?

The preference would be to have all the token types available, but have them at an attractive price point.

Event or Time-based?
To simplify the way a one-time password is generated: with time-based (TOTP), the token takes the current time, divided into fixed steps, and feeds it through a keyed one-way function (an HMAC) with the seed to produce the one-time password.  With event-based (HOTP), a counter that increments each time a password is requested is fed through the same function with the seed.  Neither actually encrypts anything; the seed is a secret key, and the password is a truncated hash that cannot be reversed to recover it.

There are arguments for both solutions: a time-based token can drift out of sync with the server, while an event-based password is valid until it is used, so an unused code that is shoulder-surfed or intercepted stays live.  More of a concern is the seed that is pre-populated onto the token: if that were compromised, someone holding it can generate your one-time passwords indefinitely!

Ideally, you want the ability to choose either time-based or event-based authentication, and the ability to generate your own seeds, so that not even the two-factor authentication vendor knows them.
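To make the time-based versus event-based distinction concrete, the following Python is an added example (not code from the original post, and not Cryptocard's or any vendor's implementation) of both OATH algorithms as published in RFC 4226 (HOTP) and RFC 6238 (TOTP), the server-side checks that go with them, and generating your own seed so that no vendor ever holds a copy.  The only secret it uses is the reference secret printed in those RFCs, so the known-answer values can be compared; everything else about the token and server is assumed.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def generate_seed(length: int = 20) -> str:
    """Generate your own token seed (160 bits, the RFC 4226 recommended
    minimum) from the OS CSPRNG so no vendor ever holds a copy. Base32 is
    the usual provisioning encoding for software tokens."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 event-based OTP. The seed is an HMAC key, not an encryption
    key: HMAC over the 8-byte big-endian counter, dynamic truncation to a
    31-bit value, then reduce modulo 10**digits and zero-pad."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 time-based OTP: HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch (T0 = 0)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check for an event-based token. Returns the counter that
    matched (the caller stores it as the new last_counter) or None.
    Counters at or below last_counter are never accepted, so a used code
    cannot be replayed; the look-ahead window lets a token that was pressed
    a few times without logging in resync instead of locking the user out."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_step: int = -1,
                step: int = 30, skew: int = 1, digits: int = 6):
    """Server-side check for a time-based token. Accepts the current step and
    +/- `skew` neighbouring steps to tolerate clock drift, but never a step at
    or below last_step, so the same code cannot be replayed inside the
    window. Returns the matching step or None."""
    current = unix_time // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


# Reference secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890");
# used here only so the outputs can be checked against the known-answer tables.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                    # 755224 per RFC 4226
    print("TOTP at T=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("Fresh base32 seed:", generate_seed())
```

The two verify functions are where the practical differences live: the event-based server has to keep a per-token counter and a look-ahead window, the time-based server has to keep a reasonably accurate clock and remember the last accepted step, and both only ever compare with a constant-time comparison.  A 6-digit code also tells you why lockout after a handful of failures is not optional: without it, a million guesses exhaust the code space.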

Authentication Methods?
Most solutions support RADIUS; some will support Windows logon; some will support integration with OWA, SharePoint, IIS and Apache; some will support Citrix; and occasionally SAML is supported.
You don’t want to be limited in what you can authenticate to; you want a solution that supports standards such as SAML, as this will be used more and more as cloud application usage increases.

Longevity?
With so many new start-ups and small organisations now around, and the largest two-factor authentication vendor having been compromised, it is difficult to know whom to trust!

We want a vendor with a good security history, but with the foresight to innovate, develop and implement solutions for the future.

Cryptocard
Offering a cost-effective solution, with a large variety of tokens, the ability to choose either a cloud-based or on-premise platform, an easy to use interface, the ability to have either time-based or event-based tokens, the ability to populate the tokens with your own seed, and support for a large number of applications and standards, from a company that has been around for over 21 years, makes Cryptocard the solution that should be considered first.

Wednesday, 25 January 2012

Clickjacking and UAG

I got an email from a customer and friend regarding penetration test results on a Microsoft UAG environment.  The report highlighted that Clickjacking is a way of tricking a web user into revealing confidential information or allowing their computer to be controlled while clicking on seemingly harmless web pages.  Clickjacking can be embedded code or a script that executes without the web user’s knowledge.

I took this opportunity to learn a bit more about this and found a couple of interesting websites.  It seems that other UAG users have encountered this during penetration testing before, and there is a fix:  http://forums.forefrontsecurity.org/default.aspx?g=posts&m=2788

The following code needs to be added into the UAG login.asp script:

<script type="text/javascript">
if(top != self) top.location.replace(location);
</script>

Adding the code is fine, but I had to find a way of testing the Clickjacking.  I found this site, which allowed me to test the vulnerability:  https://www.codemagi.com/blog/post/196

By creating an HTML page with the following code, and replacing the iframe src URL (shown in red on the original page) with the URL that you want to test, it will show whether the website can be framed and is therefore vulnerable to Clickjacking:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>You’ve been clickjacked!</p>
<iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080" style="width:100%;height:90%"></iframe>
</body>
</html>

With a little experimentation, I found the best place within the UAG login.asp to put the additional line of code was here:

var capsLockNote = "<%=GetString(111, "Note: The Caps Lock key is on. Passwords are case-sensitive.")%>";
</script>

<script type="text/javascript">
  if(top != self) top.location.replace(location);
</script>

<script language="JavaScript" src="/InternalSite/scripts/capsLock.js"></script>

I have to stress that it may be different on your UAG deployment, so remember to test it works, rather than assume!
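One caveat worth adding: the fix above is JavaScript inside the page, and the test page is built to defeat exactly that.  An iframe with sandbox="allow-scripts allow-forms" (and no allow-top-navigation) stops the framed page from redirecting the top window, so in any browser that honours sandbox the frame-buster is silently neutralised, and an attacker's page can use the same attribute.  The robust defence is a response header, X-Frame-Options: DENY or SAMEORIGIN (and, in later browsers, Content-Security-Policy frame-ancestors), sent on login.asp and every other UAG page, which is what a penetration tester will look for.  The following Python is an added example, not code from the original post or from the linked forum thread, that classifies a response by those headers so the check can be scripted across a portal.  The sample header sets are constructed, and the UAG hostname in the comment is an assumption.

```python
import http.client
from urllib.parse import urlsplit


def framing_policy(headers) -> str:
    """Classify a page's response headers by what they tell a browser about
    framing. `headers` is a dict or an iterable of (name, value) pairs; names
    are matched case-insensitively. A CSP frame-ancestors directive takes
    precedence over X-Frame-Options when both are present, as the CSP
    specification requires."""
    lower = {name.lower(): value for name, value in dict(headers).items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if sources == ["none"]:
                return "denied: CSP frame-ancestors 'none'"
            return "restricted: CSP frame-ancestors " + " ".join(tokens[1:])

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied: X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return "restricted: X-Frame-Options SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete syntax: current browsers ignore it, so the page is still framable.
        return "framable: obsolete X-Frame-Options " + xfo + " is ignored by modern browsers"
    return "framable: no X-Frame-Options or frame-ancestors header"


def is_clickjackable(headers) -> bool:
    """True when nothing in the headers stops a third-party page framing it.
    A JavaScript frame-buster in the body is invisible to this check, which
    is deliberate: a sandboxed iframe switches it off anyway."""
    return framing_policy(headers).startswith("framable")


def fetch_headers(url: str, timeout: int = 10):
    """Live check: issue a GET (HEAD is sometimes answered differently) and
    return the response headers as (name, value) pairs. Network access only
    happens when this is called explicitly."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses; not captured from any real UAG deployment.
UNPROTECTED = {"Content-Type": "text/html", "Server": "Microsoft-IIS/7.5"}
XFO_DENY = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
CSP_NONE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, sample in (("unprotected", UNPROTECTED), ("xfo", XFO_DENY), ("csp", CSP_NONE)):
        print(label, "->", framing_policy(sample))
    # Live run against an assumed hostname:
    # print(framing_policy(fetch_headers("https://uag.example.com/InternalSite/login.asp")))
```

Run it against the login page before and after the change: if the result still starts with "framable", the page is relying on the script alone.  Adding the header on UAG is an IIS configuration change rather than a login.asp edit, and as with the script it should be tested on your own deployment rather than assumed.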


Tuesday, 24 January 2012

Why use VDI, when I can use Terminal Services?

Working with the Neocoretech NDV VDI solution, I see many advantages in using it over VMWare View or Citrix XenDesktop, due to the way it utilises RAM and negates the need for SAN solutions by using “read only” desktops.  A common question when discussing virtual desktop solutions is: why use VDI when I can use Terminal Services?

These points were addressed by Christophe Rettien, CTO of Neocoretech.

Architecture
  • Neocoretech NDV is a 1:1 connection between 1 Thin Client and 1 Hosted PC (in this case a Virtual PC)
  • Terminal Services is a 1:n connection between n Thin Clients and 1 Hosted Server (could be a physical or virtual Server)
Protocol
  • Neocoretech NDV is not tied to RDP and can use any available protocol including rich multimedia support, bi-directional sound and USB redirection. Available protocols are RDP, UXP, NX, RDP TCX...
  • Terminal Services IS RDP so no protocol choice here. If Terminal Services does not provide sufficient performance, nothing can solve that!
Supported OSs
  • Neocoretech NDV supports any x86 OS, which allows a user to run a Microsoft Windows XP, Windows 7 or Linux, with 32-bit or 64-bit distributions.
  • Terminal Services is only supported by Microsoft servers, so the end user can run a remote session on a Windows 2003 or 2008 Server. Some tweaks exist to create a Windows 7 look and feel from a Windows 2008 session.
Supported Software
  • Neocoretech NDV runs a single computer for each user, which means any application available on the OS used will be available to the user.
  • Terminal Services runs multiple shared instances of a unique program within the same server (2003 or 2008) and only applications allowed to be shared are available to the end user.
Summary

Neocoretech NDV provides:
  • Operating system choice
  • All applications are supported
  • Different applications installed according to user profile
  • All protocols supported
  • High availability options
NDV consequences:
  • Requires powerful servers
Terminal Services provides:
  • High density - good ratio server sizing/number of users
Terminal Services consequences:
  • CAL licensing cost per session and per application
  • Poor multimedia performance
  • Complex GPO settings, if different desktops are to be presented based on user profiles (all applications need to be installed)
Conclusion

As with all solutions, it is more important to understand the requirement, rather than push a technology.  We need to understand when one solution would fit better than the other.

Terminal Services works well in environments with budget constraints or that require a “vanilla” suite of applications.  VDI solutions such as Neocoretech NDV offer greater flexibility, operating system choice and per-user application sets, support a greater range of client devices and protocols, and can be easily managed.

Wednesday, 2 November 2011

Embracing the “Bring Your Own Device” (BYOD) culture?


Quite a few people I speak to tell me that BYOD is the next “big thing”, and that we need to embrace it as it will be a way of life for all IT environments.  The argument is that it will reduce capital expenditure (CAPEX) and make for happier employees by giving them choice, allowing them to use a variety of devices, such as laptops and tablets, as well as a variety of operating systems, including Windows, Apple and Android.  Much as I understand these statements, I don’t necessarily agree with them.

Network Infrastructure
The common assumption is that the majority of your machines are desktops, but with a BYOD policy the majority of devices will be laptops and tablets.  Wireless is one of the major technologies that has been driven from domestic into commercial environments, so users will expect wireless at work for their new BYOD.

Anyone who has felt the pain of a badly configured or deployed wireless solution will know the struggle: getting a large number of devices onto the same wireless network, bandwidth and throughput issues, and coverage in a large or distributed building.

Security must be considered, ensuring the wireless network has the appropriate level of encryption and access control: per-user authentication (WPA2-Enterprise with 802.1X) rather than a single pre-shared key that every device shares and that cannot be revoked for one leaver without re-keying everyone.

This can be solved with solutions such as Xirrus, which uses innovative ways to solve the capacity, coverage and throughput issues, while coupling this with coverage guarantee.

Endpoint Security
I’ve read a number of comments from the big AV companies, suggesting that AV alone will not secure your system from malware.  It should be a layered approach, with a number of solutions working in conjunction to tackle all the possible threat vectors.

As a minimum, anti-virus software should be on the device, but how do you ensure this on a BYOD?  There are several AV solutions that can be managed centrally, but a number of employees will not agree to this as it is “their device” and they don’t want the company controlling it.  The company policy may stipulate that anti-virus software must be installed, updated and running, but how do you check?

Network access
Having implemented a wireless network, the next consideration is to ensure that only trusted devices can access it.  A Network Access Control (NAC) solution will be required so that devices can be checked and then either quarantined or allowed access.

These checks may be the type of device, the software installed, the software running, or the MAC address, then allowing the appropriate access, be it full access to the network, or only internet access to allow the device to update the anti-virus software.

IT Support
What happens to the IT Support function within your organisation with a BYOD policy?  Do they now have to support a vast array of devices?  Do you get rid of them and move the onus of the support function to the user and their chosen solution provider?  Who will ensure that the applications used by the organisation will function on the BYODs?

The cost savings from the BYOD policy may be lost several times over if the IT Support team now has to support devices they are not familiar with.  Getting rid of the team will not help either, as they are the people who have ensured that the company applications work on the devices.

Compliancy
We have read in the news about organisations losing personal data and running the risk of a fine of up to £500,000 from the Information Commissioner’s Office (ICO).  The onus is on the organisation to prove either that the data was not on the device, that the data was wiped, or that the device was encrypted.

As the company is responsible for the data, the “it’s my device” attitude will not work with ensuring information security.  The viable options will be to ensure the data is not stored on the device, effectively making the device a “dumb terminal” or to ensure the device is encrypted.

Device Compatibility
What devices will your users choose?  It shouldn’t matter as long as it enables them to do their job.  So the device will probably be a Windows laptop, an Apple laptop, a Linux laptop, a Windows tablet, an Apple tablet or an Android tablet.

The issue you will have is whether the operating system or form factor selected by your users is compatible with the applications run by your organisation.  Although there is much talk about cloud solutions and web-based applications, there will still be a number of applications that only work on Windows devices.

The only way to make some of these Windows applications work is to use either a Terminal Server/Citrix or a VDI solution.  With these, the application runs on the server and the device only has a view of either the application or a full operating system.  Bear in mind that these solutions require client software to be installed, so ensure the solution you use is supported by the devices your users are using.

Conclusion
The initial thoughts about reducing CAPEX quickly evaporate once considerations around the network and security are taken into account.  I don’t believe that BYOD is a pipedream, but there must be a level of understanding and planning before embarking on a BYOD policy.

Thursday, 20 October 2011

Children and Internet Safety... do they mix?

As an IT Security professional and a father, I'm often asked by parents how to filter the internet for their children.  I would suggest there are three elements that need to be looked at: IT security, education and computer location.

My children use a Windows 7 computer, but in order to secure the system, I run Avira Internet Security 2012, which is a lightweight, low footprint but highly effective anti-virus software.  It offers anti-malware, a software firewall and a basic level of web filtering.  I ensure all these components are enabled, updated and running.  I have created limited access Windows user accounts for the children, where no administrative rights are available.

Everyone assumes that controlling the computer or access to the internet is the answer, but your children need to understand why the controls are in place.  We have told the children that if they encounter anything they did not expect, they should make us aware of it.  We have also spoken to them about password security, to ensure that the passwords they use are not shared with anyone beyond the family.

Some people are surprised by the final piece of advice, but I suggest putting the computer, or using the laptop, in a high-traffic area of the house.  Some recent research has shown that paedophiles are less likely to engage in a webcam chat if it is in a family area of the house compared to a bedroom.  We have situated the desktop computer in the kitchen, where the children are rarely using the computer unsupervised.

Some think this attitude may be a little paranoid, but the key component is education and for your children to understand why.

Thanks to Jason Jones for pointing out this Ofsted report, which makes for some interesting further reading.

“To The Cloud…”


For the last year or so, it seems marketing people have moved away from terms such as “... as a Service”, and replaced the words with Cloud.

We are seeing hosted applications, hosted infrastructure, hosted servers, hosted platforms, managed services, VPNs, MPLS networks, distributed networks, hosted virtual servers, remote VDI solutions, all termed with the phrase Cloud.

I understand the drivers that are used to move services out of your own server room, by lowering infrastructure costs, moving capital expenditure to operational expenditure, upgrading or downsizing by modifying your service plan, removing running costs (such as air conditioning, trained server administrators, etc.), having your systems monitored and changing applications on the fly.

I have a few issues with Cloud offerings, which include:

Authentication
  • How do users connect to the solution? 
  • Are they using a username and password?  

There are many issues around authentication, such as weak or insecure passwords, using common words, using easy to guess words (such as favourite bands, football teams, children’s names, car, etc.) and that’s before the fact the password can be told to someone else. 

People often talk about multi-factor authentication, but to summarise it, the factors are “something you know”, such as passwords and PINs, “something you’re given” (more usually “something you have”), such as a one-time password from a token, and “something you are”, where biometric devices read fingerprints or scan irises.

A combination of two of these is known as two-factor authentication; a password coupled with a token-generated one-time password offers much improved security, because a stolen password alone is no longer enough to log in.

Encryption
  • How is your data protected?
  • Who has access to your data?

With the Information Commissioner’s Office issuing fines of up to £500,000 for the loss of personal data, it is more critical than ever data is encrypted. 

I would expect the data to be encrypted with at least 256-bit AES, although another consideration is who has access to your data.  It may be encrypted, but if the key is held by the service provider then the provider, and anyone who compromises the provider, has the ability to decrypt your data.  Ask who holds the keys, not just which algorithm is used.

Backup and Archive
  • Is the data backed up?
  • Is the data archived?

Your data should be backed up regularly, giving a point in time that the data can be restored to.  The issue with backup is that it captures current data only, and rolling back an entire backup to recover one item can be more destructive and time consuming than working around the missing, lost or corrupted data.

If your data were archived, you would have the ability to manage and retrieve all versions of the data.  Archiving is driven by compliance and traceability, rather than disaster recovery.

Access to the service
  • Where can you access the data from?

It would be great to be able to access your service from anywhere in the world, wouldn’t it?  The concern is that although this is great for remote users, should everyone be able to have access?  Data security may dictate that the service or data should not be accessed from non-trusted IP addresses, by specific users, or during specific times.  If this level of control is required, ensure your provider is able to deliver it.

Disaster Recovery
  • Are there multiple servers hosting your service?
  • Are there multiple datacentres hosting your service?

One of the draws of a Cloud offering is having your applications and services available from anywhere, so it is sold as the perfect disaster recovery solution.

The issue arises when the provider has a server failure.  Will they be able to move your service to a new server in a timely fashion?  Whether the services run on virtual or physical servers, ensuring your service uptime is vital.

Another concern is whether the provider has only one datacentre or one WAN connection.  If the service is to be delivered well, I would expect multiple datacentres with multiple links in an active/active configuration, along with an active/active or active/passive server configuration.

Conclusion
My concern with Cloud solutions is the number of providers who are “jumping on the bandwagon”, offering cloud services as quickly as possible.  The issue is that some providers offer very favourable pricing, but the infrastructure may not be in place until there is some uptake.  This can only be a bad thing for the early adopter, especially if the service is not making money and the provider stops it or goes bankrupt.

My advice is to proceed with caution, check the provider thoroughly and try not to be price driven.