Mainstream news has covered many compromises of internet-facing services over the last five years, including compromises of email systems, retail outlets, internet auction sites and, last year, Apple's iCloud service, which led to a number of private photographs being exposed to the public. The first assumption was that iCloud itself had been hacked or compromised, which Apple denied.
Accounts Compromised
Rather than iCloud in its entirety being compromised, the compromise was of individual accounts. It is assumed that the celebrity accounts were compromised by a brute-force attack, in which many different passwords were tried against each account. With the right software toolset, which could be acquired cheaply, numerous passwords could be tried against each account.
Simple Passwords
Despite education from service providers and IT departments, the most commonly used passwords in a recent 2014 survey were "123456" and "password"! With relatively simple passwords or common words, the password can be compromised in a matter of seconds using a dictionary attack.
Security (?) Questions
There are many ways to recover a password. One is to request a new password, which the service then delivers, or confirms, via an out-of-band method such as the registered email address or an SMS to the registered mobile number. Another is to telephone a call centre and provide details over the telephone to reset the password. The least secure is the ability to answer security questions to which the user knows the answer.
It may seem like a secure way of resetting a password: how many people would know your mother's maiden name, where you were born, what your favourite football team is, and so on? The internet and social media have been great in many respects, but they expose a lot of information about an individual into the wild. Once it's out there, there is no way to control, edit or delete it. Bear this in mind if you have to use this method for any website or application.
It would seem that this current compromise is a new thing, but something very similar happened over ten years ago when Paris Hilton's mobile phone was hacked in 2005. How was this done? The T-Mobile Sidekick device had an internet-facing dashboard. If you forgot your password, you could answer some security questions, including date of birth and your pet's name. All of the security questions could be answered with an internet search engine.
Even before then, hackers were wise to how to gather this sort of personal information. Around 15 years ago, there were email chains on how to generate your porn-star name: you took your first pet's name and combined it with your mother's maiden name. Information such as "Fido Jones" would have been very useful!
Complex Passwords, hard to remember?
As the level of security has to rise, it can only become more difficult to use the services or applications. There is always a balance between usability and complexity. We can encourage people to use a mixture of upper and lower case, special characters and numbers, but this will only mean more password resets, as these complex passwords are forgotten more easily.
Also, common advice is not to use the same password across multiple applications and services. This only increases the user's capacity to forget a password!
Phishing
Even with strong and complex passwords in place, the user can still be the victim of a phishing attack. We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore or delete it. Many people have fallen for one of the simplest tricks, because the email looks so legitimate.
The bad guy sends out emails that look like they come from the service provider. The email tells the user that there is some sort of issue with the account that requires a password reset, change or confirmation. The user enters their password, which the bad guy stores. The user is then presented with either a failure screen or a confirmation that all is OK, and if the bad guy was clever, the password is even synchronised with the service provider, so everything seems right to the user.
Multi Factor Authentication
There are various ways, or factors, of authenticating users. One form this can take is "Something you know", where the information is known to the user, such as a username, password, PIN or pattern.
Another form is "Something you're given", where the information is provided to the user through technology, such as a passcode from a token, a passcode from a device such as a smartphone or computer, or a passcode sent via SMS to a known mobile telephone number. If the known information and the provided information are different types of information, or factors, it becomes clear where the term two-factor authentication comes from.
Other factors include "Something you are", through the use of biometrics such as iris scans, fingerprint readers, voice recognition and other forms tied to the physicality of the user. There are also ways of analysing "Somewhere you are" through the use of geolocation, thereby allowing or denying access according to the user's location.
A combination of these authentication methods, or factors, creates Multi Factor Authentication (MFA).
Proof and compliance
With the factors of authentication described above, it would be harder for a hacker to access the service or website, but it would also be harder for a user to deny an action. Many online banking systems use a combination of passwords, PINs, tokens, SMS and unique codes to ensure transactions are genuine. By using multi factor authentication, the steps within compliance processes can be tied to specific users, and the actions cannot be denied.
Free protection
Service providers such as Apple's iCloud, Gmail, eBay and Facebook give the option to switch on two-step verification: if you try to log in from a new device, a new browser or a different country, you will be prompted to enter a code that is sent to the registered mobile phone number. The security is there and it's free.
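The step-up rule just described (challenge for a code on a new device, a new browser or a different country) and the factor types from the section above, put into working form as an added example; this is illustrative code written for this article, not any provider's implementation, and the credential names, the fixed salt and the account data are constructed assumptions:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

FACTOR_OF = {"password": "know", "pin": "know", "sms_code": "given",  # factor type of each
             "token_code": "given", "fingerprint": "are"}            # credential name

def hash_password(pw: str) -> bytes:  # fixed salt is for the example only; use per-user salts
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 100_000)

@dataclass
class Account:
    password_hash: bytes
    known_devices: set[str]
    known_browsers: set[str]
    home_country: str
    pending_code: str = ""  # one-time code "sent" to the registered phone; "" = none pending

@dataclass
class LoginAttempt:
    device_id: str
    browser: str
    country: str
    presented: dict[str, str]  # credential name -> value supplied by the user

def needs_second_factor(acct: Account, att: LoginAttempt) -> bool:
    # The step-up rule from the article: a new device, a new browser or a different country.
    return (att.device_id not in acct.known_devices
            or att.browser not in acct.known_browsers
            or att.country != acct.home_country)

def issue_code(acct: Account) -> str:  # the code the service would text to the user
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_code

def authenticate(acct: Account, att: LoginAttempt) -> str:  # "allowed" | "challenge" | "denied"
    if not hmac.compare_digest(hash_password(att.presented.get("password", "")), acct.password_hash):
        return "denied"
    if not needs_second_factor(acct, att):
        return "allowed"
    code = att.presented.get("sms_code")
    if code is None:
        return "challenge"  # caller should issue_code() and prompt the user for it
    factors = {FACTOR_OF[n] for n in att.presented if n in FACTOR_OF}
    ok = (bool(acct.pending_code) and hmac.compare_digest(acct.pending_code.encode(), code.encode())
          and len(factors) >= 2)  # two different factor types, not e.g. two passwords
    acct.pending_code = ""  # a code is single use whether or not it matched
    if ok:
        acct.known_devices.add(att.device_id)  # remember the device for next time
    return "allowed" if ok else "denied"
```

A familiar device with the right password passes quietly; an unfamiliar one is answered with "challenge" until a code that was actually issued is presented alongside the password.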
The use of multi factor authentication is accepted as commonplace and is widely used by users for personal services such as email and banking.
Consumerisation
Recent technology adoption within the corporate environment has been driven by domestic technology. The rise of wireless, tablet and mobile computing has been driven by the use of these technologies in the home.
There is often a concern that the user community within an organisation struggles with new technology, but it is often the enforcement of unfamiliar technology that causes users to become disengaged.
The use of multi factor authentication can only strengthen a network or website, and with this technology already used for personal services, corporate use will meet less resistance from the user community, especially where there is familiarity with the technology.
Cloud Support
As more corporate applications move to the Internet, cloud security becomes the concern of every IT Manager, IT Director, CSO, CISO and, in fact, every member of an executive team.
As cloud-based applications such as Salesforce and Microsoft Office 365 become popular, it is essential to remember that these applications are the very lifeblood of an organisation. The need for security and multi factor authentication becomes more apparent when looking to protect these web-based applications. There are protocols such as SAML designed to support cloud applications and allow multi factor authentication to be applied to them.
Impact to the business
A poorly designed solution will hurt user adoption of any technology, but a familiar system will win acceptance and executive sponsors. Security is high on the executive board's agenda, so the impact of a compromise or a disgruntled employee outweighs financial considerations such as return on investment.
Multi factor authentication is not new, but it is an obvious solution to the many security challenges facing organisations, whether the data and applications are located on premises, in data centres, in a public cloud, in a private cloud or in a hybrid approach. Security is no longer the concern of technical sponsors alone, but of the Executive Board.
Familiar security solutions such as Multi Factor Authentication can only increase the security posture of an organisation, protecting its data and its reputation.