Familiarity breeds carelessness
Peter Stephenson, technology editor, SC Magazine
The notion of authentication is one that is so familiar to most of us that it hardly bears discussing. Or does it? I became aware of a breach a while back where a privileged user had authentication only by password for external access to the network and the network resources she administered. Her home machine was compromised in a client-side attack and her ID and password harvested and cracked. After that it was “game over.” The attacker used her creds to penetrate the network and wander about it at will. Because it appeared to be a legitimate login, there were no alarms, and because she was an administrator, nothing the attacker did in her name raised any eyebrows.
There is a serious lesson here. Just because this incident occurred in the not-so-distant past does not mean that we now know enough not to fall into the same traps today. We haven't learned, it seems. I'm sure every one of you is sitting there asking what right have I to expose your recent breach. The fact is that the breach just described is a hybrid of several over the past couple of years, and that is more troubling than if it were a single attack. So, if it sounds like yours, relax. It's not.
That said, the story points out the importance of strong authentication. I have a large button in my office that is a red circle with a line through it and the word “passwords” in the circle: “No Passwords.” That is a bit radical, perhaps, but the perhaps inconvenient truth, as pointed out by our cautionary tale, is that passwords of just about any flavor are breakable. So why would we ever use simple authentication for external access to the internals of an enterprise at the administrator level?
The key to strong defense-in-depth is to do each layer the best it can be done. Leave no fruit hanging low, especially authentication fruit. Make it impossible for an administrator to reuse admin passwords on other systems or to store them where they can be stolen. The only answer to that is single-use passcodes, preferably requiring a dynamic token – two-factor authentication should be required for any privileged user entering the network through a VPN from outside.
That's what this month's reviews are all about: various authentication tools. We ran several good ones through the labs and these are the results. There are a lot of ways to do authentication. Some are a bit pricey – even there the prices are coming down with increasing commoditization of authentication tools – but the real answer is to develop a mix of appropriate tools, and match such factors as strength and ease of use to the task and the user.
I was talking to a colleague about these reviews and he asked me what one could say about a topic as simple as authentication. My response to that is, “If it's so simple, why do so many do it wrong?” The products this month may help you deal with that problem.