Wednesday 25 June 2014

Two Factor Authentication Revisted

Passwords are not secure

I talk about two factor authentication (or 2FA, as the kids and marketing people are calling it) a lot and with good reason, passwords are not secure!

Sites like this give you an insight into how secure your password is:
https://howsecureismypassword.net

It also rightly states that sites can steal your password, and if they have it, it doesn't matter how strong it is they know it.  It doesn't matter if my password takes seconds or years to crack, if the bad guys have it, they don't need to crack it.

What are the factors for authentication?

Authentication can be made up of multiple factors, and by using more than one of them (hence the term, two factor authentication) you are adding security and making it difficult for the bad guys to log in as you.  The following are the factors:

  • Something you know
  • Something you are given
  • Something you are
  • Somewhere you are

Something you know
This will include usernames, passwords, PINs, patterns, etc.  This is information you could give to someone else and they could login as you.

Something you are given
If you have a bank account with one of the major banks, you will probably have a physical token or software token, which generates a seemingly random string of number.  This is creating an OTP (or One Time Password) which has a limited lifespan before becoming invalid.  This means that it can only be used in that moment in time.  The OTP can also be delivered via SMS or telephone call.

Something you are
This is where we move into the realms of biometrics, where fingerprints, iris scans, voice scans, etc are used to authenticate you.

Somewhere you are
There are solutions that work in conjunction with GPS devices to locate you in the world, so that you are only able to login if you are in a specific area.

Two Factor Authentication as we know it

For two factor authentication, we traditionally work with the first two; Something you know and Something you are given.  This is where to access the solution, you would need to provide a username, a password and an OTP.  This is something I have been advocating for over eight years, as if I have your password I can login as you.  With two factor authentication running, I would also need access to the device or software that is generating the OTP.

Many high profile hacks have been done using administrative passwords, but if these were coupled with a OTP, it would have made it a lot more difficult to achieve.

Why use two factor authentication?

We understand the importance of it when it comes to money, so it's a given we should be using it for banking.  In fact, many online gaming sites can issue tokens to secure your gambling or your online gaming persona.

I use social media, where I use Facebook for family and friends, I have two Twitter accounts (one for work and one for play) and I use LinkedIn for work.  All of these outlets say something about me, so if they were compromised, there would be a reputation issue I would need to tackle.  Like most people have web based email and although there is nothing too precious there, I wouldn't necessarily want it opened up to all!

Who can offer two factor authentication?

Google: With the Google ecosystem, you have one password for a number of applications, so Google offer two factor authentication, whereby they will send a code to you via SMS.  This is used in tandem with your username and password.  It will mean that you will need your mobile with you to access the applications, but it saves having to carry additional tokens. http://www.google.com/landing/2step/

LinkedIn: My professional profile is on this site, so the last thing I'd want is for it to be tampered with, so fortunately LinkedIn also offer the SMSing of a code to your mobile phone before you can login as you. http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification

Facebook: Although this is less critical, I won't want people being able to manipulate my profile.  I know Facebook have some good measures in place around logging in from countries you don't traditionally login from, but you can add two factor authentication for browsers that you haven't login from before. https://www.facebook.com/note.php?note_id=10150172618258920

These are just some examples of commonly used sites, but remember passwords are not secure.  If we know this as a fact, why aren't more sites offering two factor authentication?

If you are looking to protect remote access solutions, internal applications, operating systems or even public cloud application, all of these can be protected with third party solutions provided by MTI.

Thursday 12 June 2014

CISSP and CPE Credits...

I know a few colleagues and friends have passed or looking at doing their CISSP (Certified Information Systems Security Professional) from the ISC2 (International Information Systems Security Certification Consortium).  There are two common questions when people find out I'm a CISSP and they are; what books or course did you use? and how easy is it to maintain your CPE (Continuing Professional Education) credits?

I read a few books during my studies, but the ones I would recommend are Eric Conrad's books.  I used the CISSP Study Guide (Second Edition) for my main reading, which I supplemented with the Sybex CISSP Study Guide, when I needed to read about a topic is a different way.  I found Eric Conrad writes is a technically minded way, which I mean it's written for someone with a technical background.  We often don't need the stories and the "fluff" used to pack out study guides making then 1,500 to 1,600 pages!  The Eric Conrad book is just over 500 pages which great when you still have a full time job to do as well.

I used the Exam Cram CISSP Practice Questions to test and validate my newly learnt knowledge.  I also used the questions available from Eric Conrad's companion site.  On the run up to the exam, I used Eric Conrad's Eleventh Hour CISSP: Study Guide.  I hold Eric Conrad in high regard even though I've never met him, without his study guides, I'm not sure I would have passed the exam.

When you have passed the exam, you have to be in good standing and maintain CPEs by continuing your education.  If you work in IT Security, you should been keeping up to date regardless of the CISSP!  I have managed to complete 3 years of required CPE credits in less than six months!

I work in the "channel" which means I have interaction with my vendors regarding security solutions, and have to attend a number of conferences, webcasts, training session, webinars and meetings.  I also read various industry magazines to keep up to date regarding the threat landscape.  Many of these activities count towards your CPE credits.  I read somewhere that you only need to spend an hour a week over the three years to maintain your CPE credits.

There are regular webcasts and InfoSecurity Professional magazine from ISC2, which count towards your CPEs.  Here are other resources that will count towards your CPEs:

Infosecurity Magazine
Infosecurity Europe
SC Magazine UK

Register on these sites and you will receive notifications of webcasts that will keep you up to date as well as count towards your CPEs.

Good luck if you are studying for your exam and happy reading if you are maintaining your CPEs!


Monday 9 June 2014

The importance of introspective security

Hundreds of years ago, security amounted to the biggest wall that could be built.  This was seen with castle walls, but as these were penetrated, additional security measures were added, such as moats and draw bridges.  As these were compromised, towers with lookouts were built, then then armed guards, then the defensive measures became offensive measures with heavy weaponry used as part of the defence mechanism.  These measures were in place to protect a central keep, where typically the crown jewels were kept.

(Warwick Castle - Photo by A.Tang) 

Fast forward many hundreds of years, and IT security took the same attitude.  Firewalls were deployed to protect the organisation, but as these measures failed or were penetrated, additional layers of security were added, in the form of anti-virus and anti-spam, when the threat was delivered within internet traffic, web content filtering was employed, then application white-listing/filtering.  When more intelligent and proactive approach was required, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) were used.  Despite all of these functionalities, there are still reports about breaches where the company loses its Crown jewels, their data.

How can all this security be breached? Much like the castle, the defences look outwards not inwards. Once inside, there is rarely the same level of security in place monitoring the outbound. With Edward Snowden, he must have undergone security checks prior to beginning his contract the NSA. Although once inside it is believed that very basic and "noisy" exfiltration techniques were used to remove data. Even the NSA shows that the security is predominantly external facing, but once inside there are much lower levels of security.

The breaches from an external source typically (although there are surveys to suggest, all breaches) used privileged credentials to access the data. Not only are the threats going through the perimeter security using trusted user credentials, once in they have access to the network as the credentials will have privileged rights, the data can leave as most security solutions look at inbound, not outbound traffic.

Organisations need to look at what data is important to them, who can use it and how they are going to use it.  The security should be applied intelligently to control the elements of concern, rather than tar all data in the same fashion.  The protection needs to be centrally managed, but decentralised in its approach to protection.  Data can reside on servers, corporate computers, removable drives, in email systems, private cloud solutions, public cloud solutions, mobile devices, tablets and these environments will be both trusted and untrusted.

The safeguards need to go beyond the firewall and our mind sets need to move on from a firewall rule mentality.  We need to give much greater consideration to our data and the rights we issue to users. The protection should not only work from outside-in, but also from inside-out.

Technologies are starting to use behavioural analysis, as this will analyse computers, users, data, time, access and many other factors to then decide if your network is under threat or not. This requires an even greater mindset change as we no longer look at rules to prevent hoping all bases are covered, but to analyse a number of actions before deciding on the appropriate course of action. 

I've heard many times, it's a case of when, not if your network gets breached. If this is true and the layers are going to fail, then the requirements are to slow down the intruder and prevent the exfiltration of your data, while understanding what has occurred.

Don't think of security in terms of a castle's protection, think of it as complex maze.

Tuesday 3 June 2014

"Gameover Zeus" Botnet Disruption...

It has just come to light in the news that a major malware threat has been temporarily neutralised, by a collaboration of public and private organisations globally.  The recent information suggests that over 15,000 computers in the UK are infected.

How does this affect you and your computer?

The malicious software (malware) can be installed onto the computer by either a phishing email or after being downloaded from the internet is some fashion. A Command and Control (C&C) server can communicate with the infected computer and send commands to it, taking control.  All these computers talking back to the server will create a Botnet (Robot Network), which again means the your computer will be controlled as part of a bigger network.

What was the threat of this current malware called "Gameover Zeus"? 

The Gameover Zeus malware would scan the computer for financial information, such as banking details, credit card information, etc.  This information is collected and stored on your computer as a file.  When the Command and Control Server communicates to the infected computer, it would send the financial information to a server on the internet.

I'm safe if I don't have financial information on my computer, right?

Well no, there is a twist that if financial information was no found on the computer, it would install and infect the computer with another piece of malware called Cryptolocker.

 This malware will encrypt the computer and prevent the user from accessing the data on the computer.  This effectively holds the user to ransom, as it will be difficult even for a highly skilled technical person to decrypt the computer, so the only option left is to pay the fee, typically £200-300.

This is effectively like having some unsolicited person come to your house when the owner is out, changing the locks and adding additional security, then making the owner pay before they can gain access to their own house.

If the user is fortunate, then the computer will be decrypted.  If the user is unlucky, the ransom is paid, but they are still stuck with an encrypted computer.

What have these organisations done to disrupt this malware?

These organisations have worked together and taken control of the Command and Control Servers.  With the bad guys unable to access the Command and Control Servers, the financial information can't be harvested and the deployment of the Cryptolocker malware prevented.

The link between the infected computers and the Command and Control Server has been severed.

So I'm safe from the Gameover Zeus malware?

Again no.  The infected computers won't be able to be controlled from the servers that the organisations have seized, but this is only a temporary hitch to the bad guys, as they will be able to deploy new Command and Control Servers.  As soon as these new Command and Control servers are online, they will be able to communicate with the infected computers and carry on where the old servers left off.

Is my computer infected?

Update the anti-virus software and run full scan to check.

What if I don't have anti-virus software installed?

Really??!  If there isn't anti-virus software installed, have a look here for some free scanning solutions.

What else can/should I do?

The usual advice applies:

  • Keep the operating system on the computer up to date
  • Keep the security software on the computer up to date
  • Do not open emails from unknown sources and/or people
  • Don't click on links (in emails or or on the internet) if there is any uncertainty
  • Back up important files such as photos and documents, either into cloud storage or removable media
  • Try not to save passwords in the browser
More and more threats seem to make the news, but it's not a bad thing. Treat these news artcles as a reminder that security awareness needs to be maintained.  And in the words of Hill Street Blues (if you're old enough to remember) "Let's be careful out there"