Monday 31 August 2015

Cloud services, Multi-factor authentication and the death of the security question

Mainstream news has covered many compromises of internet facing services over the last five years.  This has included compromises of email systems, retail outlets, Internet auction sites and last year Apple's iCloud service, which led to a number of private photographs being exposed to the public.  The first assumption was that iCloud was hacked or compromised, which Apple denied.

Accounts Compromised

Rather than iCloud in its entirety being compromised, the compromise was to individual accounts.  It is assumed that the celebrity accounts were compromised with a brute force attack, allowing multiple tries of various passwords to each account.  This meant with the right software toolset which could be acquired cheaply, meant that numerous passwords could be tried against each account.

Simple Passwords

Despite education from service providers and IT departments, the most commonly used passwords in a recent 2014 survey are "123456" and "password"!  With relatively simple passwords or common words, the password can easily be compromised quickly using a dictionary attack in a matter of seconds.

Security (?) Questions

There are many ways to recover a password.  It may be to request a new password and the service delivers the new password or asked for confirmation via an out of bound method, such as the registered email address or registered mobile number via SMS.  There may be a need to telephone a call centre and provide details over the telephone to reset your password.  The least secure is the ability to answer security questions that the user has the answer. 

It may seem like a secure way of resetting a password, as how many people would know your mother's maiden name, where you were born, what your favourite football team is, etc?  The internet and social media has been great in many respects, but it exposes a lot of information about an individual out into the wild.  Once it's out there, there is no way to control, edit or delete it.  Bear this in mind if you have to use to methodology for any website or application.

It would seem that this current compromise is a new thing, but something very similar happened over ten years ago when Paris Hilton's mobile phone was hacked in 2005.  How was this done?  The T-Mobile Sidekick device had an internet facing dashboard.  If you forgot your password, you could answer some security questions including date of birth and your pet's name.  All the security questions could be answered with an internet search engine.

Even before then, hackers were wise to how to gather this sort of personal information.  Around 15 years ago, there were email chains on how to generate your pornstar name.  You took your first pet's name and combine it with your mother's maiden name.  Information such as "Fido Jones" would have been very useful!

Complex Passwords, hard to remember?

As the levels of security have to rise, so this can only make it more difficult to use the services or applications.  There is always a balance between usability and complexity.  We can encourage people to use a mixture of upper and lower case, special characters and numbers, but will only mean more password resets these complex passwords will be forgotten more easily.

Also common advice is not to use the same password over multiple applications and services.  This only increases the users capacity to forget a password!

Phishing

Even with strong and complex passwords in place, the user can still be a victim of a phishing attack.  We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore it or delete it. Many people have fallen for one of the simplest tricks, as the email looks so legitimate.

The bad guy sends out emails that looks like an email from the service provider.  It tells the user that there is some sort of issue with the account that requires a password reset/change/confirmation.  The user will enter their password which is stored by the bad guy.  The user will be presented with either a failed message screen, a confirmation all is OK and if they were clever, even synchronise the password with the service provider, so all seems right for the user.

Multi Factor Authentication

There are various ways or factors, when authenticating users.  So one form this can take is "Something you know", where the information is known, such as username, password, PINs and patterns.  

Another form this information can take is "Something you're given", where the information is provided to the user through technology, such as a passcode from a token, a passcode from a device such as a smartphone or computer, or a passcode set via SMS to a known mobile telephone number.  If the known information and the provided information are different types of information, or factors, it becomes clear where the term two factor authentication comes from.  

Other factors can include "Something you are" through the use of biometrics, through iris scans, fingerprint readers, voice recondition and other forms tied to the physicality of the user.  There also ways of analysing "Somewhere you are" through the use of geolocation, thereby allowing or denying access by the users location.

A combination of these authentication methods, or factors create Multi Factor Authentication (MFA)

Proof and compliance

With the factors of authentication described above, it would be harder for a hacker to access the service or website, but would also make it hard to deny an action.  Many online banking systems uses a combination of passwords, PINs, tokens, SMS and unique codes to ensure transactions are genuine.  By using multi factor authentication, the processes within compliance processes can be tied to specific users and the actions cannot be denied.

Free protection

Service providers such as Apple's iCloud, GMail, eBay and Facebook give the option to switch on two-step verification, where if you try to login from a new device, a new browser or a different country, the user will be prompted to enter a code that is sent to the registered mobile phone number.  The security is there and it's free.

The use of multi factor authentication is accepted as commonplace and widely used for by users for personal services, such as email and banking.

Consumerisation

Recent technology adoption within a corporate environment has been driven by domestic technology.  The rise of wireless, tablet and mobile computing has been driven from the use of these technologies within the domestic environment.

There is often a concern that the user community with an organisation struggles with new technology, but it's often the enforcement of unfamiliar technology that causes the user to become disengaged.

The use of multi factor authentication can only strengthen a network or website, and with this technology used for personal consumption, the use corporately will offer less resistance from the user community, especially if there is a familiarity with the technology.

Cloud Support

As more corporate applications move to the Internet, cloud security becomes the concern of every IT Manger, IT Director, CSO, CISO, and in fact every member of an executive team.

As cloud based applications such as Salesforce and Microsoft Office 365 become popular, it is essential to remember these applications are the very lifeblood of an organisation.  The need for security and multi factor authentication become more apparent when looking to protect these web based applications. There are protocols such as SAML designed to support cloud applications, and offer multi factor authentication.

Impact to the business

A poorly designed or poorly designed solution will impact the user adoption of any technology, but a familiar system will offer acceptance and executive sponsors.  Security is high on the executive boards agenda, so the impact of a compromise or a disgruntled employee is greater than financial considerations such as return on investment. 

Multi factor authentication is not new, but is an obvious solution the the many security challenges for organisations, whether the data and applications are located on premise, in data centres, in public cloud, in private cloud or a hybrid approach.  Security is no longer the concern of technical sponsors, but of the Executive Board.

Familiar security solutions such as Multi Factor Authentication, can only increase the security posture of an organisation, protecting the data and reputation of an organisation.