Familiarity breeds carelessness

Peter Stephenson, technology editor, SC Magazine

The notion of authentication is one that is so familiar to most of us that it hardly bears discussing. Or does it? I became aware of a breach a while back where a privileged user had authentication only by password for external access to the network and the network resources she administered. Her home machine was compromised in a client-side attack and her ID and password harvested and cracked. After that it was “game over.” The attacker used her creds to penetrate the network and wander about it at will. Because it appeared to be a legitimate login, there were no alarms, and because she was an administrator, nothing the attacker did in her name raised any eyebrows.

There is a serious lesson here. Just because this incident occurred in the not so distant past does not mean that we now know enough not to fall into the same traps today. We haven't learned, it seems. I'm sure every one of you is sitting there asking what right I have to expose your recent breach. The fact is that the breach just described is a hybrid of several over the past couple of years, and that is more troubling than if it had been a single attack. So, if it sounds like yours, relax. It's not.

That said, the story points out the importance of strong authentication. I have a large button in my office that is a red circle with a line through it and the word “passwords” in the circle: “No Passwords.” That is a bit radical, perhaps, but the inconvenient truth our cautionary tale points out is that passwords of just about any flavor are breakable: they can be guessed, cracked offline or, as in this case, simply harvested from a compromised endpoint and replayed. So why would we ever rely on password-only authentication for external access to the internals of an enterprise at the administrator level?

The key to strong defense-in-depth is to do each layer the best it can be done. Leave no fruit hanging low, especially authentication fruit. Make it impossible for an administrator to reuse admin passwords on other systems or to store them where they can be stolen. The practical answer to that is single-use passcodes, preferably generated by a dynamic token: a code that has already been used is worthless to whoever harvested it, and the password alone no longer gets anyone in. Two-factor authentication should be required for any privileged user entering the network through a VPN from outside. Note what it does not do: in our story the attacker's session looked like a legitimate administrator at work, and a second factor does not change that, so privileged activity still has to be watched after the login succeeds.
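The following is an added illustration of the single-use, dynamic-token passcode the column recommends; it is not code from the article or from any of the products reviewed. It implements a time-based one-time password (TOTP, RFC 6238) in plain Python and adds the check that makes a code truly single-use: once a code for a given time step has been accepted, that step and every earlier one are refused, so a code harvested from a compromised home machine is rejected when the attacker replays it. The seed is the RFC 6238 reference seed (an ASCII string used only so the output can be checked against the RFC's test vectors; a real token gets a random secret), and the class and function names are my own.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890"). Used here only so the
# codes can be checked against the RFC's published test vectors; a deployed
# token is provisioned with a random per-device secret, never a fixed string.
RFC6238_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # time step the RFC test vectors use
DIGITS = 8          # RFC 6238 test vectors are 8 digits; many tokens use 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then reduce to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check for one dynamic token, enforcing single use.

    `drift` is how many steps either side of 'now' are tolerated for clock
    skew. `last_counter` remembers the newest step already accepted: codes
    for that step or any earlier step are refused, which is what turns a
    time-based code into a single-use one.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        now = int(at_time) // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older): replayed code is useless
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def replay_scenario():
    """Replays the column's story with a dynamic token in place of the password.

    The legitimate login at time t succeeds; the harvested code replayed a few
    seconds later fails because that step has been consumed; an hour later it
    fails because the step is long outside the drift window.
    """
    verifier = TotpVerifier(RFC6238_SEED)
    t = 1111111109                              # an RFC 6238 test-vector time
    harvested = totp(RFC6238_SEED, t)           # what a keylogger would capture
    first = verifier.verify(harvested, t)       # administrator's real login
    replay = verifier.verify(harvested, t + 5)  # attacker replays the same code
    later = verifier.verify(harvested, t + 3600)
    return first, replay, later


if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC6238_SEED, 59))   # RFC 6238 vector: 94287082
    print("legit, replay, later:", replay_scenario())
```

The single-use check is the part that matters for the breach described above: with a static password the harvested credential worked indefinitely, while here the code is spent the moment the real user logs in. The caveat is that a token does nothing about an attacker who rides the administrator's live session, or who relays a fresh code through a phishing proxy within its 30-second window, which is why the privileged session itself still needs watching.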

That's what this month's reviews are all about: various authentication tools. We ran several good ones through the labs and these are the results. There are a lot of ways to do authentication. Some are a bit pricey, although even there prices are coming down as authentication tools become commoditized, but the real answer is to deploy a mix of appropriate tools, matching factors such as strength and ease of use to the task and the user.

I was talking to a colleague about these reviews and he asked me what one could say about a topic as simple as authentication. My response to that is, “If it's so simple, why do so many do it wrong?” The products this month may help you deal with that problem.
