BreachExchange mailing list archives

How to ensure strong passwords and better authentication


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Oct 2015 13:41:59 -0600

http://www.computerweekly.com/feature/How-to-ensure-strong-passwords-and-better-authentication

Authentication is the process that attempts to establish the identity of a
user and is followed by an authorisation process that grants whatever
privileges may be appropriate to that identity. Common examples of
authentication include logging on to a workstation in a corporate network
(using a username and password), withdrawing cash from a bank cash
dispenser (a bank card and PIN), and internet shopping (an email address
and password).

When a user attempts to access a resource, the authorisation process checks
that the user has been granted permission to use that resource. Permissions
are usually defined by the system administrator in the form of an access
control list for each resource.

The most common means of authentication remains the password.
Unfortunately, most users do not know how to construct a secure password,
nor do they understand the risks involved. Also, people often use the same
password in several different situations – for logging on to Windows, for
running the payroll system and for accessing an authenticated website. This
makes the attacker’s task considerably easier, because once they have one
password for a specific user, they have them all.

Anyone who steals the identity of a user becomes that user and has access
to their most sensitive systems and data. If just one user’s identity is
compromised, corporate systems are vulnerable. This is the threat posed by
corporate identity theft.

Identity theft takes many forms – exploiting weak passwords, keystroke
capture, phishing, Trojan software, social engineering, password sharing,
and so on. Not every attacker is sitting at home with their computer,
trying to break into the corporate website. Sometimes all they have to do
is call up and ask!

Organisations often make very dangerous assumptions about the security of
data on their networks. It is rare for a business to audit password quality
or access permissions on a regular basis – yet trivial passwords and poor
protection of sensitive information remain the most common problem we find
when conducting a security review.

Password guessing

Users, even technical experts and senior staff, often use easy-to-guess
words, such as ‘password’, ‘holiday’, or even their own name. The use of
trivial passwords to secure service accounts – highly privileged accounts
used by backup programs, network control software and anti-virus tools – is
so common that gaining control of an entire network frequently takes no
more than a few minutes during a penetration test.

Impersonation

Social engineering by impersonation is a popular attack method. For
example, an attacker will call the helpdesk pretending to be an employee,
claim to have forgotten their password and ask the helpdesk to reset it or
give it to them. The helpdesk will frequently do this without verifying the
identity of the caller. Our testing shows that this is also a common
scenario – successful at most organisations in all business sectors.

Industrial espionage and organised crime are a real threat, but most
surveys show that the more significant risk is within the organisation. An
employee can often see far more corporate information on the head office
network than anyone realises. If hacking is defined as “attempting to gain
unauthorised access to sensitive information”, then most organisations will
have several hackers on their staff.

Disgruntled employees (and ex-employees) present a very serious threat to
business through access to critical data and personal information. Suppose
an employee, with just a little internet research, discovers how to read
everyone’s emails or even send emails as if they were the CEO.

The solutions

Implement strong authentication for all remote users and for all privileged
users and accounts. There are many two-factor alternatives to the
traditional password, including hardware tokens, smart cards, smart USB keys
and mobile phone SMS codes; of these, SMS is the weakest, since the code
travels over the telephone network and can be intercepted or redirected.

Strengthen your helpdesk password reset process. Permit password resets
only with call-back and PIN authentication or some other form of
cross-verification. Implement incident reporting and response procedures
for all helpdesk staff, together with clear escalation procedures for
everyone in the incident chain. Helpdesk staff should be encouraged to
withhold support when a call does not feel right. In other words, “just say
no”.

Train all employees – everyone has a role in protecting the organisation
and their own jobs. If someone tries to threaten them or confuse them, it
should raise a red flag. Train new employees as they start. Give extra
security training to security guards, helpdesk staff, receptionists and
telephone operators, all of whom have a vital role to play in blocking
identity theft. Make sure you keep the training up to date and relevant.

Address the issue of easy-to-guess passwords. This is the single biggest
hole in most organisations' defence. If your organisation is using a
Windows network, you can use passphrases rather than passwords. A
passphrase of 15 characters or more is easier to remember than a complex
eight-character password and far harder to guess; on Windows, 15 or more
characters also means the weak LM hash of the password cannot be stored.
Compare "I would love to own a big red Ferrari" (29 letters in nine words,
beyond the reach of exhaustive search so long as it is not a well-known
quotation) with "nUaY6zOs" (eight random characters, roughly 48 bits, hard
to memorise yet exhaustively searchable in hours against an unsalted fast
hash such as NTLM on a single modern GPU).
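The points above on password quality and reuse, as an added example that is not part of the ComputerWeekly article: a small Python audit that scores the article's two sample passwords, estimates worst-case cracking time at an assumed guessing rate, and flags the trivial, reused and account-name-derived credentials that a review of recovered passwords typically turns up. The guessing rate, the 20,000-word vocabulary, the short common-password list and the sample account records are all constructed assumptions for illustration.

```python
"""Password-quality audit: entropy estimates, worst-case crack time at an
assumed guessing rate, policy findings, and reuse detection across systems.
Added example; all figures and sample data are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed, deliberately short; a real audit uses a breach-derived wordlist.
COMMON_PASSWORDS = {
    "password", "password1", "holiday", "welcome", "letmein",
    "123456", "qwerty", "admin", "backup", "changeme",
}

# Assumed offline guessing rate for an unsalted fast hash such as NTLM on a
# single commodity GPU. Illustrative order of magnitude, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Assumed vocabulary size from which passphrase words are drawn.
ASSUMED_VOCABULARY = 20_000


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def random_password_bits(password: str) -> float:
    """Entropy if every character were drawn uniformly from that alphabet.
    Accurate for a generated password such as nUaY6zOs; a gross
    overestimate for anything a person chose."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(passphrase: str, vocabulary: int = ASSUMED_VOCABULARY) -> float:
    """Entropy if each word were drawn independently from the vocabulary.
    An upper bound: a grammatical sentence, and above all a famous quotation,
    is far more guessable than independently chosen words."""
    return len(passphrase.split()) * math.log2(vocabulary)


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return 2.0 ** bits / rate


def audit_password(username: str, password: str, min_length: int = 15) -> list[str]:
    """Policy findings for one credential; an empty list means it passed."""
    findings = []
    lowered, user = password.lower(), username.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if len(lowered) >= 4 and (lowered in user or user in lowered):
        findings.append("derived from the account name")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    # One word plus a short numeric or '!' suffix, e.g. Holiday2015 or Password1.
    if re.fullmatch(r"[A-Za-z]+[0-9!]{0,4}", password):
        findings.append("single word with a short suffix")
    return findings


def find_reuse(records) -> dict:
    """records: iterable of (user, system, password). Returns, per user, the
    groups of systems that share one password (only groups larger than one).
    In a real audit the comparison is made on like-for-like hashes."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, system, password in records:
        by_user[user][password].append(system)
    return {
        user: sorted(sorted(s) for s in groups.values() if len(s) > 1)
        for user, groups in by_user.items()
        if any(len(s) > 1 for s in groups.values())
    }


# Constructed sample: one user reusing a password on the three systems the
# article names, a service account with a trivial password, one good user.
SAMPLE_RECORDS = [
    ("jsmith", "windows", "Holiday2015"),
    ("jsmith", "payroll", "Holiday2015"),
    ("jsmith", "webshop", "Holiday2015"),
    ("backup_svc", "windows", "backup"),
    ("akhan", "windows", "I would love to own a big red Ferrari"),
    ("akhan", "payroll", "nUaY6zOs"),
]

if __name__ == "__main__":
    for user, system, pw in SAMPLE_RECORDS:
        print(f"{user}@{system}: {audit_password(user, pw) or 'OK'}")
    for user, groups in find_reuse(SAMPLE_RECORDS).items():
        print(f"{user} reuses one password across {groups}")
    bits = random_password_bits("nUaY6zOs")
    print(f"nUaY6zOs: {bits:.1f} bits, exhausted in {seconds_to_exhaust(bits)/60:.0f} min")
    print(f"passphrase: at most {passphrase_bits(SAMPLE_RECORDS[4][2]):.0f} bits")
```

The two entropy functions deliberately bracket the problem: the character model is exact for a generated password and the word model is only an upper bound for a sentence, which is why the policy check, not the entropy figure, is what the audit acts on.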

Finally, have a security assessment test performed and heed the
recommendations. Test the company's ability to protect its environment, to
detect the attack and to react and repel the attack. Have the first test
performed when the company is expecting it, then do a blind test the second
time around.

________________________________

Checklist for securing authentication

Desktop security

Shred important documents that you no longer need
Make sure everyone has a lockable drawer or cabinet
Implement a clear desk policy for sensitive information

IT security

Encourage the use of passphrases rather than passwords
Deploy two-factor authentication for privileged users and for remote access
Require screen savers with password controls and short timeouts
Use network-based password management software to manage multiple sets of
credentials
Encrypt sensitive information
Physically destroy unused hard disks, CDs and other media

Helpdesk

Permit password resets only with call-back and PIN or cherished information
authentication
Ensure there are clear incident reporting and response procedures
Implement clear escalation procedures
Helpdesk staff should be encouraged to withhold support when a call does
not feel right

Training

Train all employees as an ongoing process
Train new employees as they start
Give extra security training to security guards, helpdesk staff,
receptionists, telephone operators
Keep the training up to date and relevant

Testing

Have regular security assessments performed and heed the recommendations
Test the company's ability to protect its environment, to detect the attack
and to react and repel the attack (red team testing)
Have the first test performed when the company is expecting it, then
conduct regular blind tests
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
