Educause Security Discussion mailing list archives
Re: 2-Factor Authentication / FERPA
From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Fri, 3 Mar 2017 17:26:52 -0500
I guess I should have added a little more of an introduction to my comments. First of all, great feedback! I'm usually having these discussions with myself (we are a small group) and so it is helpful to have the input. As I mentioned, implementation of the recommendations is no simple accomplishment (I've done most of them) and of course will not be feasible for all institutions. But, they are a baseline and management should be made aware of them. For example, it does no good to implement 2FA for accessing sensitive data if your Domain Admin gets his/her credentials popped from being phished or in a drive-by. If I own your AD it doesn't matter how many authentication factors you have. You are always better off spending the time and effort taking care of the basics first. This applies to not only security but networking, system administration, desktop administration etc. No matter how much time you spend explaining the need, you will not be making friends with the general population implementing 2FA. Not to say that should be the overriding factor in your decision, but something that should be taken into consideration. Ever been threatened by a C-level Exec because he/she can't get their 2FA VPN to work? I'm also not a fan of taking a one off approach to implementing a control because someone up above thinks it is a good idea or based on the latest incident in the news. I consider it my job as a Security Professional to give my expert opinion clearly stating why a different approach might be a better idea. In other words, education. If the recommendations are not taken, then no biggie (unless I am asked to do something unethical) but I have at least been diligent. I gathered from Mike's post that he was like me, an implementer and not the decision maker and that security is not his only job. So it seemed like a good idea to put 2FA into context. There is also the CYA aspect (see above). 
Nick Garigliano
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Mar 3, 2017 at 3:22 PM, Shettler, David <dshettle () holycross edu> wrote:

> Seconded. 2FA is fundamental in a post-Podesta world, far easier to implement than half the items listed, and not mutually exclusive with any of them. That being said, not all 2FA are created equal. Enabling it for G Suite or Office 365 is one thing, but doing a Duo deployment for ERP systems can be trickier. One tip I can offer is to buy some hardware tokens. You won't need many (for us, maybe 5% tops opt for them), but some percentage of the environment will argue against using a smartphone or telephone number. We didn't advertise tokens as an option, except to placate those who refused to use their phones. Having it as an unadvertised tertiary option has facilitated our deployment dramatically. Current events are also helpful: "Don't be John Podesta".
>
> Best,
> David
>
> On Fri, Mar 3, 2017 at 2:08 PM, Ben Marsden <bmarsden () smith edu> wrote:
>
>> Hi Nick,
>>
>> I have *no* problem with your list of important security controls. I do have a problem with your assertion that MFA "should only be considered if..." all the elements in your list are already in place. I would contend that the increasing frequency of password-only-protected user account compromise is a real and very tangible threat to both financial and informational resources across the board to the institution (and the individual too), and so mitigating that risk is at a strategic level as important as other priority security controls. Further, I'll suggest that implementing and supporting many of the items on your list require a variety and commitment of Resources (big, inclusive "R") that may or may not be as readily available to you as they deserve. If there is institutional will to implement 2FA/MFA, don't try and rechannel that will and those resources to bolster other initiatives. Take it and run with it.
>>
>> Just IMHO,
>> --Ben
>>
>> On Fri, Mar 3, 2017 at 1:14 PM, Nicholas Garigliano <ngarigl8 () naz edu> wrote:
>>
>>> Hi Mike,
>>>
>>> I'm not really addressing your question directly, just adding my 2 cents worth if you are interested.
>>>
>>> If I am stating the obvious I apologize. While 2FA can be an integral part of an overall security program, there are significant costs (capital, administrative and political). Been there, done that. Outside of remote access (VPN), where it should be a requirement, my feeling is that for internal access it should only be considered if the following are already in place:
>>>
>>> - Have a verifiable patch management process in place which includes categorizing and applying patches on a regular schedule. This would include applying critical patches outside of the schedule.
>>> - Run regular authenticated vulnerability assessments to discover, inventory and assess systems on your network. This is also used to verify patching.
>>> - All sysadmins/domain admins/network admins/DBAs etc. have dedicated accounts that are used for administrative functions only and do not have access to the internet. In addition, they use dedicated workstations that do not have access to the internet. This is especially critical if you are using AD.
>>> - Developers should not have direct access to sensitive data, i.e. SQL access to a database.
>>> - Have a centralized logging system in place from which you can generate alerts (SIEM-like functionality).
>>> - Segment the network to put those systems containing sensitive information behind an enforcement point and control access to these systems from only dedicated workstations/servers using only the protocols/ports that are needed.
>>> - Systems which store sensitive data should be dedicated to this purpose and not used for other purposes as well.
>>> - Do not use shared service accounts to access data and monitor the use of these accounts. Have a password management process in place which creates an audit trail for password use.
>>> - Do not use sensitive production data in non-production systems, if possible.
>>> - Have visibility into the traffic on your network (taps, aggregation switches, span ports etc.). Use a tool such as Bro to monitor this traffic.
>>> - Perform threat modeling/pen testing on the apps consuming the data. Yes, these are terms that can mean different things to different people. The app should undergo some basic assessment at the least.
>>>
>>> This list is by no means comprehensive and I'm aware that doing all of the above is no minor accomplishment. For many institutions all or part might be unrealistic for all sorts of reasons. But, from my experience it makes more sense to direct limited resources into these areas before implementing something like 2FA.
>>>
>>> Nick Garigliano, CISSP, GCIH
>>> Network Security Engineer
>>> Enterprise & Network Solutions
>>> Nazareth College
>>> 585 389-2109
>>>
>>> On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu> wrote:
>>>
>>>> Greetings,
>>>>
>>>> A number of regional campuses are in discussions on requiring 2-factor for access to High Risk data and one of the elements would be non-directory (private) FERPA records. The consensus concern with such a rollout would be usability on such a large scale and backlash from Faculty. Has anyone implemented and required 2-factor authentication for faculty accessing non-directory records? And if so, any tips?
>>>>
>>>> Thank you.
>>>>
>>>> Mike Dodor
>>>> Network Administrator/Information Security
>>>> Learning and Information Technology
>>>> University of Wisconsin – Stout
>>>> 327 Millennium Hall
>>>> Menomonie, WI 54751
>>>> Phone: 715-232-2671
>>>> dodorm () uwstout edu
>>
>> --
>> Ben Marsden : Information Security Director, CISSP
>> ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
>
> --
> DAVID SHETTLER
> Information Security Officer
> Information Technology Services
> dshettle () holycross edu
> phone: (508) 793-3073
> One College Street Box ITS
> Worcester, Mass. 01610
> www.holycross.edu
> Follow us on Twitter: @hcinfosec