Two’s (or More) Company: How to Use Two-Factor Authentication the Right Way

These days, you need a password to access every aspect of your digital life, and we all know how problematic that can be. You can either come up with a unique (albeit difficult-to-remember) password for every website, or use easy passwords, or even duplicates, that leave your accounts insecure. Fortunately, many prominent websites today – Dropbox, Google, Apple, Facebook and PayPal – all support a security approach known as two-factor or multi-factor authentication. And it’s easy to see why. This process enhances security by adding another step (or more) to the user verification process, making even risky passwords much stronger. That’s because in addition to the factor that a user knows (a password), every login attempt requires the user to supply a factor he or she owns, such as a one-time access code or PIN sent to their mobile device via SMS text or email, and/or one that reflects who they are, like a fingerprint. Through this relatively simple extension of the traditional authentication scheme, a lost or stolen password becomes plainly useless to a hacker. No successful login is possible without the additional factor or factors. If your security demands are higher than average, it’s also important to generate the second authentication code, or OTP, only when the user has already started the session and the first factor has been exchanged successfully. It might be simpler to implement and roll out tokens with pre-fabricated codes, but this kind of implementation is inherently easier to compromise, even though it is still almost impossible to break. As a rule, token solutions require a seed that contains the base data for generating the...

Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password

Since 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are? You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now. As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords. Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips. At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall. The problem with each of these solutions is that they’re really just temporary...

Why Two-Factor Authentication is Too Important to Ignore

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it... In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time. On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach. Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts. Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that...

The Target Breach: How Network Security Best Practices Could Have Prevented It

Who would have thought that an HVAC system could lead to the data of millions of people being compromised? Target surely didn’t. Recently, it has come to light that the Target breach hackers likely gained access to the areas of its network where customer information was stored by remotely infiltrating the company’s HVAC system contractor. Let’s break down how this particular Advanced Persistent Threat (APT) was able to access Target’s customer information: It all started with an email attack, according to information security expert Brian Krebs. The malware-laced email was likely sent out to a broad range of targets gleaned from Target’s public-facing vendor documentation. It was then downloaded by a contractor at Fazio Mechanical, a heating, air conditioning and refrigeration firm hired by Target to maintain its HVAC system. The malware downloaded was likely Citadel, a password-stealing bot derived from the ZeuS banking trojan. The malware went undetected by Fazio Mechanical’s malware prevention software, the free version of Malwarebytes Anti-Malware. Because the company was not using an enterprise-grade or real-time solution, the malware was able to compromise the employee’s password, thus gaining access to Fazio Mechanical’s entire network. If Target had the right access control and central management mechanisms in place, this is where the malware would have been stopped. From there, the hackers connected to Target’s network and accessed the parts of its network that Fazio Mechanical had access to: its external billing system, called Ariba, and several project management-related portals. According to an unnamed source who was formerly employed by Target on its security team, “the Ariba system has a back end that Target...

The Role of People-Centric Security Systems and Defense in Depth

Is it possible that IT administrators are actually doing too much to secure their corporate networks? Given the rate at which the enterprise security landscape changes, it almost seems like a rhetorical question at first. However, there’s growing concern that all of the remote access policies and procedures in place are doing more harm than good. In fact, at the recent Gartner Security and Risk Management Summit, Research Vice President Tom Scholtz went so far as to say that we have “lost the race in our attempt to throw controls at everything.” Could he be right? A recent ZDNet article makes a strong argument to back Scholtz’s claim. At its simplest, the problem with current controls is that they very rarely speak to individual users in a way that resonates with them. If employees working remotely don’t understand why certain protocols are in place, they probably won’t feel inclined to follow them. But what if companies did a better job explaining the dangers of not adhering to remote access policies? Would that provide the necessary incentive for remote employees? Scholtz certainly thinks so. According to the article, the key is to have companies adopt a people-centric security (PCS) system. In order for this system to be successful, the entire organization must be security-focused, and the best way to accomplish this is through employee education and awareness. It’s a concept that Scholtz compares to the “shared spaces” idea made famous by Hans Monderman, a renowned Dutch road traffic engineer and innovator. Despite how dangerous the idea of vehicles and pedestrians sharing roadways with minimal signage may sound, it actually causes...

Countering Advanced Persistent Threats with Comprehensive Network Security

The technological savvy and tenacity of cyber criminals has never been greater, and IT administrators trying to prepare for impending attacks are often left backpedaling. With all of the different ways a corporate network may be attacked, IT administrators must strive to implement a comprehensive remote access security framework within their enterprises. Especially now that mobile devices running a wide variety of operating systems are being used to access the network, companies need to make sure they have all of their bases (or, in this case, endpoints) covered. While traditional attacks, such as viruses, spyware or bot infections, are far from extinct, advanced persistent threats (APTs) have recently been garnering a lot of attention. APTs give IT teams headaches because they are extremely stealthy in nature and are almost always aimed at a very specific target. Traditional attacks are generally created to quickly harm the machine and network they’re infiltrating, leaving before they can be detected by the network’s intrusion detection system (IDS). APTs, on the other hand, are designed to remain in the network undetected for extended periods of time, all the while stealing sensitive company data. The wide range of methods and vulnerabilities that these attacks use to gain access is what makes them so tricky to discover. Unfortunately, once an attack has commenced, it usually requires an IT administrator to notice anomalies in outbound data before anyone realizes there is a problem at all. Sophisticated APTs can be very difficult to spot, especially without the right framework in place. One recent example of an APT struck the New York Times. It appears that the cyberespionage...