How to ensure strong passwords and better authentication
Authentication is the process that attempts to establish the identity of a user and is followed by an authorisation process that grants whatever privileges may be appropriate to that identity. Common examples of authentication include logging on to a workstation in a corporate network (using a username and password), withdrawing cash from a bank cash dispenser (a bank card and PIN), and internet shopping (an email address and password).
When a user attempts to access a resource, the authorisation process checks that the user has been granted permission to use that resource. Permissions are usually defined by the system administrator in the form of an access control list for each resource.
The most common means of authentication remains the password. Unfortunately, most users do not know how to construct a secure password, nor do they understand the risks involved. Also, people often use the same password in several different situations – for logging on to Windows, for running the payroll system and for accessing an authenticated website. This makes the attacker’s task considerably easier, because once they have one password for a specific user, they have them all.
Anyone who steals a user’s identity becomes that user as far as the systems are concerned, and inherits access to every system and data set that user can reach. If just one user’s identity is compromised, corporate systems are exposed. This is the threat posed by corporate identity theft.
Identity theft takes many forms – exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing, and so on. Not every attacker is sitting at home with their computer, trying to break into the corporate website. Sometimes all they have to do is call up and ask!
Organisations often make very dangerous assumptions about the security of data on their networks. It is rare for a business to audit password quality or access permissions on a regular basis – yet trivial passwords and poor protection of sensitive information remain the most common problems we find when conducting a security review.
Password guessing
Users, even technical experts and senior staff, often use easy-to-guess words, such as ‘password’, ‘holiday’, or even their own name. The use of trivial passwords to secure service accounts – highly privileged accounts used by backup programs, network control software and anti-virus tools – is so common that gaining control of an entire network frequently takes no more than a few minutes during a penetration test. Service accounts are particularly attractive because their passwords are rarely changed and are often exempt from account lockout, so they can be guessed at leisure.
Impersonation
Social engineering by impersonation is a popular attack method. For example, an attacker will call the helpdesk pretending to be an employee, claim to have forgotten their password and ask the helpdesk to reset it or give it to them. The helpdesk will frequently do this without verifying the identity of the caller. Our testing shows that this is also a common scenario – successful at most organisations in all business sectors.
Industrial espionage and organised crime are a real threat, but most surveys show that the more significant risk is within the organisation. An employee can often see far more corporate information on the head office network than anyone realises. If hacking is defined as “attempting to gain unauthorised access to sensitive information”, then most organisations will have several hackers on their staff.
Disgruntled employees (and ex-employees) present a very serious threat to business through access to critical data and personal information. An employee who, with just a little internet research, works out how to read everyone’s emails or even send emails as if they were the CEO can do enormous damage.
The solutions
Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including tokens, smart cards, smart USB keys and even mobile phone SMS texts. SMS codes are the weakest of these, because they can be intercepted or redirected by someone who takes over the phone number (for example through a SIM swap), so treat them as a stopgap rather than the target.
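As an added illustration of the token-based second factor listed above (example code written for this page, not code from the original article): a time-based one-time password in the RFC 6238 form that most hardware and phone tokens implement, together with a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice. The secret is the RFC 4226/6238 test-vector key, used here purely as a constructed example; a real deployment generates a random secret per user and stores it as carefully as a password hash.

```python
"""Time-based one-time password (TOTP, RFC 6238) token and verifier.

Added example, not from the article. Defaults match common tokens: 30-second
step, HMAC-SHA1, six digits. SECRET is the RFC 4226/6238 test-vector key,
a constructed value; real secrets are random and unique per user.
"""
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per code
DIGITS = 6
WINDOW = 1       # accept one step either side of "now" for clock drift

SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP):
    """Code the token shows at Unix time `at`: HOTP over the time-step counter."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server side. Tolerates WINDOW steps of drift and rejects any code whose
    counter is not newer than the last accepted one, so a captured code cannot
    be replayed within its validity window."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1                    # highest counter already used

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue                          # used already, or older: replay
            expected = hotp(self.secret, c).encode("ascii")
            if hmac.compare_digest(expected, str(code).encode("utf-8")):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, 59)                       # RFC 6238 vector: "287082"
    print("token shows", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:", verifier.verify(code, now=59))
```

The replay check is the part most home-grown implementations miss: without `last_counter`, a code phished from the user remains valid for the whole drift window, which is exactly the attack window a helpdesk impersonator or phishing page needs.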
Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all helpdesk staff, together with clear escalation procedures for everyone in the incident chain. Helpdesk staff should be encouraged to withhold support when a call does not feel right. In other words, “just say no”.
Train all employees – everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, helpdesk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.
Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations’ defences. If your organisation runs a Windows network, you can require passphrases rather than passwords: Windows 2000 and later accept passwords of up to 127 characters, and a password of 15 characters or more cannot be stored as a legacy LM hash, the weakest hash form and one that is trivially cracked whenever it is present.
A passphrase of 15 characters or more is easier to remember than a complex eight-character password, yet far more resistant to guessing. Compare “I would love to own a big red Ferrari” (37 characters) with “nUaY6zOs” (eight characters, impossible to memorise, yet breakable by exhaustive search: there are only 62^8, roughly 2 x 10^14, eight-character mixed-case alphanumeric passwords, and an unsalted Windows hash can be tried at hundreds of billions of guesses per second on a single modern GPU, so the entire space falls in well under an hour). The passphrase keeps its advantage only if it is not a well-known quotation, song lyric or slogan, because password crackers also run lists of common phrases; an original sentence of your own is the point.
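The password-guessing and passphrase points above (and the observation earlier that few businesses audit password quality) are easiest to see in an offline audit. The following is an added example written for this page, not code from the original article: it runs a small dictionary-plus-rules attack over a constructed credential dump, reports which accounts fall to cheap guesses, which of those are privileged service accounts, which Windows passwords are short enough to be stored as an LM hash, and which accounts share a password. The account names, the company name “acme”, the wordlist and the hash choice are all assumptions; unsalted SHA-256 stands in for the unsalted NT hash a Windows domain stores, and the guess rate used for the brute-force estimate is an assumed figure.

```python
"""Offline password-quality audit over a constructed credential dump.

Added example, not from the article. Assumptions: the dump is a list of
(account, system, privileged, hash) rows; the hash is unsalted SHA-256, used
here as a stand-in for the unsalted NT hash a Windows domain stores; the
wordlist and rules are a tiny inline sample of what a real cracker applies.
"""
import hashlib
from collections import defaultdict

COMPANY = "acme"        # assumed company name, a favourite password seed
LM_MAX_LEN = 14         # longest password Windows can store as a legacy LM hash


def hash_pw(password):
    """Stand-in for the unsalted hash in the dump. Because there is no salt,
    equal passwords give equal hashes, which is what makes reuse visible."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample dump: (account, system, privileged, hash). In a real
# audit only the hashes are known; the plaintexts here exist to build it.
DUMP = [
    ("jsmith",     "windows", False, hash_pw("Holiday1")),
    ("jsmith",     "payroll", False, hash_pw("Holiday1")),   # reused
    ("svc_backup", "windows", True,  hash_pw("backup")),     # trivial service account
    ("svc_av",     "windows", True,  hash_pw("Acme2023!")),  # "complex" but guessable
    ("ceo",        "windows", False, hash_pw("I would love to own a big red Ferrari")),
    ("rjones",     "webshop", False, hash_pw("nUaY6zOs")),   # random; needs brute force
]

BASE_WORDS = ["password", "holiday", "welcome", "letmein", "backup", "summer", COMPANY]
SUFFIXES = ["", "1", "123", "!", "2023", "2023!"]


def candidates(account):
    """Cheap guesses: dictionary words and the account name, each with a few
    case and suffix rules. Real rule sets produce millions of variants."""
    seen = set()
    for word in BASE_WORDS + [account, account.replace("svc_", "")]:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                guess = form + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def brute_force_seconds(charset_size, length, guesses_per_second):
    """Time to exhaust every password of a given length and alphabet. The
    rate is an assumption: unsalted NT hashes are tried at roughly 1e11 per
    second on a single modern GPU."""
    return charset_size ** length / guesses_per_second


def audit(dump):
    """Run the dictionary attack, then report guessable, privileged,
    LM-storable and reused credentials as a dict."""
    privileged = {(a, s): p for a, s, p, _ in dump}
    cracked = {}                         # (account, system) -> recovered password
    for account, system, _, digest in dump:
        for guess in candidates(account):
            if hash_pw(guess) == digest:
                cracked[(account, system)] = guess
                break
    by_hash = defaultdict(list)          # identical hash => identical password
    for account, system, _, digest in dump:
        by_hash[digest].append((account, system))
    return {
        "cracked": cracked,
        "privileged_cracked": sorted(k for k in cracked if privileged[k]),
        "lm_storable": sorted(k for k, pw in cracked.items()
                              if k[1] == "windows" and len(pw) <= LM_MAX_LEN),
        "reused": [sorted(v) for v in by_hash.values() if len(v) > 1],
    }


if __name__ == "__main__":
    report = audit(DUMP)
    for key, rows in report.items():
        print(f"{key}: {rows}")
    print("random 8-char mixed alphanumeric at 1e11 guesses/s:",
          round(brute_force_seconds(62, 8, 1e11)), "seconds to exhaust")
```

Two things the run makes concrete: “Acme2023!” satisfies every classic complexity rule and still falls to the cheapest rule set, while the passphrase and the random string survive the dictionary pass; the random eight-character string then loses to exhaustive search (about 36 minutes at the assumed rate), which the 37-character passphrase does not. Reuse is detected without knowing the plaintext at all, because an unsalted hash is the same wherever the same password is used.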
Finally, have a security assessment test performed and heed the recommendations. Test the company's ability to protect its environment, to detect the attack and to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.
Checklist for securing authentication
Desktop security
Shred important documents that you no longer need
Make sure everyone has a lockable drawer or cabinet
Implement a clear desk policy for sensitive information
IT security
Encourage the use of passphrases rather than passwords
Deploy two-factor authentication for privileged users and for remote access
Require screen savers with password controls and short timeouts
Use network-based password management software to manage multiple sets of credentials
Encrypt sensitive information
Physically destroy unused hard disks, CDs and other media
Helpdesk
Permit password resets only with call-back and PIN or pre-registered personal (cherished) information authentication
Ensure there are clear incident reporting and response procedures
Implement clear escalation procedures
Helpdesk staff should be encouraged to withhold support when a call does not feel right
Training
Train all employees as an ongoing process
Train new employees as they start
Give extra security training to security guards, helpdesk staff, receptionists, telephone operators
Keep the training up to date and relevant
Testing
Have regular security assessments performed and heed the recommendations
Test the company's ability to protect its environment, to detect the attack and to react and repel the attack (red team testing)
Have the first test performed when the company is expecting it, then conduct regular blind tests