Multi-factor authentication protection – locking down networks with better security procedures
Much of the information we use for our business and personal lives is stored and accessed online. The increasing use of cloud technology and the growing trend to create remote working environments for employees means that our information is constantly at risk of falling into the hands of cyber criminals.
Author(s): Lucy Clark and David Hald
The threats are constantly mutating and evolving: no sooner have organisations built a defence against one technique than cyber criminals have found the next way to fool it. One of the most vulnerable areas for organisations is the authentication of users. With 63% of confirmed data breaches involving weak, default or stolen passwords (3), there is a growing need for solutions like multi-factor authentication to be used at the point of access.
Two thirds (65%) of large businesses in the UK detected a cyber-attack or breach in the past year, according to the Government’s Cyber Security Breaches Survey 2016 (1). A quarter of the firms that experienced a breach did so at least once a month. The report states that most of the attacks involved viruses, spyware or malware.
Cyber-attacks do not come without a cost. Research from the Ponemon Institute (2) found that the average annualised cost for large organisations is £4.1 million a year, up from £3.6 million the previous year. The cybercrimes that cost most dearly are denial of service attacks, malicious insiders and web-based attacks; together these account for 49% of organisations’ annual cybercrime costs. But of course it isn’t just the monetary impact. When a data breach goes public, the reputational damage to the organisation can be significant.
One of the most vulnerable areas for organisations is the authentication of users. 63% of confirmed data breaches involved weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report (3). Passwords can easily be stolen by hackers, who can then access company systems and applications. This means that solutions like multi-factor authentication are key to thwarting hackers and securing access to networks and applications.
Understanding the enemy – what are the cyber threats facing organisations today?
To put the nature of the threat facing IT teams into context, it is useful to take a look at the types of threats emerging. Most cyber criminals are possessed of a dogged determination and have time on their hands – they fixate on finding a way in and will do whatever it takes to find a weak entry point, often focused on authentication.
These are typical examples of the types of cyber threats facing organisations today:
Phishing: as its name suggests, this method is quite literally fishing for sensitive information, such as usernames, passwords and credit card details, by posing as a legitimate contact, usually through email. Bank customers regularly receive bogus emails purporting to come from their bank, encouraging them to log on to their internet banking site and enter their details, which the attackers then use to access their accounts. When the same lure is tailored to a specific person or organisation, for example a named bank employee, it is called “spear phishing”, and bank employees are regularly targeted this way. These emails have evolved over time from poorly translated spam into well written, professionally formatted messages in the brand’s own tone of voice, which is what makes them so successful.
Hacking: this is the act of using a variety of tactics to infiltrate an organisation’s systems and applications, which the hackers can then control or use to do damage. Often it is for mischievous purposes – for example, when students see hacking into their school’s computer system as a challenge. But more and more we are seeing hacking become a key part of the strategy of organised crime gangs to steal money. It is also used by terrorist outfits and even by governmental organisations. The US Government’s Office of Personnel Management suffered one of the biggest data breaches of all time last year when hackers – purportedly bankrolled by the Chinese Government – stole identity credentials from two employees at the organisation and proceeded to steal the fingerprints and other sensitive data of 5.6 million federal employees. This was an example of hacking as espionage on a grand scale (4).
Malware: an umbrella term for a whole host of intrusive software – worms, Trojan horses, ransomware, spyware and so on – delivered as active content, executable code, scripts and other software. It is often successful because it is the stealth weapon in the hacker’s armoury: something that can go undetected for a long time while it sets about stealing customer information. Early in 2015 Interpol, Kaspersky and other law enforcement agencies uncovered a cyber heist on a grand scale that had targeted over 100 banks (5). The attacks started with a good old-fashioned phishing campaign: bank employees were sent interesting-looking emails carrying malware. Once installed, the malware recorded keystrokes and took screenshots of the banks’ computers, giving the hackers time to study internal procedures, gain remote access and eventually take control of the banks’ systems. They were then able to transfer money into false bank accounts and direct ATMs to dispense cash at chosen times and locations. The heist was uncovered when an ATM in Kiev started dispensing cash at random intervals throughout the day. In total, the cyber criminals hived off up to $1 billion in stolen funds, by the investigators’ estimate (5).
Ransomware: a form of malware that infects computer systems and then blocks access to them until the victims pay a ransom to the hackers. In 2014, ransomware called TorrentLocker (6) hit Australian and UK users. Masquerading as a Royal Mail package-tracking email, the scam tricked users into downloading software that encrypted their hard drives and then demanded a Bitcoin ransom of $500 if paid within 24 hours, or $1,000 thereafter, to unlock them. Crypto-ransomware attacks – the kind that encrypt the victim’s files – grew by more than 4,000% in 2014, and ransomware has become a much-dreaded threat because of its effectiveness (Symantec Internet Security Threat Report 2015) (7).
One of the major problems is that these threats are not cut and dried – they don’t just fit the profiles above. Threats are constantly mutating and evolving to circumvent the technology being developed to stop them. No sooner do organisations develop the best security defence against a specific threat than cyber criminals are developing the next technique to fool it.
The blurring of corporate boundaries
One of the main problems for organisations trying to combat cybercrime, particularly where the authentication of users is concerned, is that building traditional defences around corporate boundaries is not as straightforward as it once was. The increasing use of cloud services and the growing trend towards remote working have blurred the perimeter of the organisation’s technology infrastructure.
So why is this blurring of corporate lines more risky for organisations?
Data security: any breach in a cloud or remote working environment could compromise not only the security of an organisation’s systems, but also the safety of customer data. This is particularly risky in sectors such as healthcare, financial services (FS) and public sector, which deal with highly sensitive customer data.
User authentication: as mentioned, one of the most vulnerable areas of the remote working environment is the log-in, where employees are authenticated for access to systems. With 63% of confirmed data breaches involving weak, default or stolen passwords (3), inadequate user authentication can come back to bite IT teams.
Proliferation of devices: as the mobile environment evolves, so do the methods by which employees want to access company systems. It might be a smartphone, a tablet, a laptop or even a smart watch. As wearable devices become more commonplace, workers will of course want to use them to access webmail and other applications. Having to enable remote access to cloud applications and company systems from such a variety of devices adds to the complexity of the environment.
The consequences of a cyber-attack: as with any cyber-attack, one that happens in the cloud or in a remote working environment can cause significant problems for the organisation. The reputational fallout can be huge and can make headlines all over the world. One consequence is a drop in share price as spooked investors offload their shareholding: TalkTalk’s share price fell by 20 per cent in the weeks following the cyber-attack disclosed in October 2015 that exposed the data of nearly 157,000 customers (8). Worse, an attack can drive customers to another provider, so it can cost the organisation market share. It takes time to repair the reputational and financial loss a cyber-attack causes, so anything the IT team can do to prevent an attack in the first place is worthwhile.
The vulnerability of authentication: in 2014, JP Morgan suffered a massive data breach in which 83 million customer records were compromised, the largest theft of customer data from a US financial institution (9). Hackers were found to have gained access through the computer of an employee working from home. In a sophisticated campaign that targeted a dozen financial firms, the hackers went after customers’ checking and savings account information. Three men have since been indicted on fraud counts in what authorities dubbed “securities fraud on steroids”, but not before hundreds of millions of dollars had been siphoned off. The incident sent three important messages to financial services providers: (1) the increasing power of malware attacks; (2) the vulnerability of workers, particularly in a remote working environment, to phishing and spear-phishing attacks when multi-factor authentication is not in place; (3) how easily hackers can roam around banking networks once they have gained access.
User authentication – why the log in is such a vulnerable area
For hackers, the ideal scenario is to enter an organisation’s systems as unobtrusively and quietly as possible. From that anonymous position they can exploit company systems and steal and manipulate data for many months at a time. In the Office of Personnel Management breach (4), where hackers attributed to China quietly harvested highly sensitive information about federal employees, and in the JP Morgan breach, where 83 million customer records were stolen (9), the attackers operated under the guise of regular employees and went undetected for many months.
This is why the log in and authentication is such a sensitive area. For hackers, it is a hot target. If you steal someone’s user name and password, it is akin to getting the keys to a bank vault.
A major problem is that many organisations still rely on user names and passwords alone when granting access to systems and applications. But if an organisation is only password secured, its security defences are only as good as its weakest password. Take the Ashley Madison breach last year (10), where the password hashes of the website’s users (a site that promotes extra-marital affairs) were leaked and 11.2 million of them were subsequently cracked.
The cracking was done not by the attackers but by a password-research collective, CynoSure Prime, which went on to publish the top 100 recovered passwords. “123456” took the top spot, followed by “12345” and “password” – hardly the kind of secret that gives your average hacker sleepless nights (11).
People use passwords that are easy to remember, and they reuse the same password over and over, for personal and work use. This gives organisations a massive security headache. When an employee hands out a business card with their email address, they are effectively giving away their user name. A hacker with time on his hands might then start with a “dictionary attack”: automatically trying lists of common words, previously leaked passwords and simple variations of them against that account. These often succeed because people tend to use short, commonly chosen passwords.
Brute force attacks are another commonly used tactic. A 25-GPU cluster unveiled in 2012 can make as many as 350 billion guesses a second against Windows NTLM password hashes (12) – enough to try every eight-character password of the kind typically found in an enterprise in under six hours.
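To make the two attacks above concrete, here is an added Python example (not code from the original article or its authors). It estimates how long exhaustive guessing takes at the 350 billion guesses per second quoted above, and runs a small dictionary attack with cracker-style mangling rules against a constructed table of unsalted MD5 hashes. The user table, the wordlist and the “slow hash” guess rate used for comparison are assumptions made for the example.

```python
import hashlib
from typing import Dict, Iterable, List

# Rate quoted in the article for the 25-GPU cluster (12).
GPU_CLUSTER_RATE = 350_000_000_000          # guesses per second
# Assumed rate for a deliberately slow password hash (e.g. bcrypt); illustrative only.
SLOW_HASH_RATE = 100_000


def exhaustive_search_hours(charset_size: int, length: int, rate: float) -> float:
    """Worst-case hours to try every password of exactly `length` characters
    drawn from a `charset_size`-symbol alphabet at `rate` guesses per second."""
    return (charset_size ** length) / rate / 3600


def mangle(word: str) -> Iterable[str]:
    """Cheap rule set a real cracker applies to each dictionary word:
    the word itself, capitalised, and with a short common suffix."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2016", "!"):
            yield base + suffix


def dictionary_attack(targets: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Recover plaintexts for unsalted MD5 hashes in `targets` ({user: hex digest}).
    Returns {user: password} for every hash that matched a mangled dictionary word.
    Because the hashes are unsalted, one candidate hash is checked against every user."""
    wanted = {digest: user for user, digest in targets.items()}
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode()).hexdigest()
            user = wanted.get(digest)
            if user is not None and user not in found:
                found[user] = candidate
                if len(found) == len(targets):
                    return found
    return found


# Constructed sample data: a tiny "leaked" table of unsalted MD5 hashes and a
# tiny wordlist, standing in for a breach dump and a real multi-million-line list.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"123456").hexdigest(),
    "bob":   hashlib.md5(b"Password1").hexdigest(),
    "carol": hashlib.md5(b"correct-horse-battery-staple-9f3k").hexdigest(),
}
SAMPLE_WORDLIST = ["123456", "12345", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    print("cracked:", dictionary_attack(SAMPLE_USERS, SAMPLE_WORDLIST))
    print("8-char printable ASCII on the GPU cluster: %.1f hours"
          % exhaustive_search_hours(95, 8, GPU_CLUSTER_RATE))
    print("same keyspace against a slow hash: %.0f years"
          % (exhaustive_search_hours(95, 8, SLOW_HASH_RATE) / (24 * 365)))
```

The 95-symbol, eight-character keyspace works out at roughly 5.3 hours at the cluster’s rate, which is the “under six hours” figure above; the same keyspace against a hash that only permits 100,000 guesses a second would take over two thousand years, and carol’s long passphrase never appears in the wordlist at all.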
Symantec’s 2014 Internet Security Threat Report (13) found that five out of six large enterprises had been targeted by spear-phishing attacks, a 40 per cent rise on the year before. It is not just big companies: 31 per cent of such attacks were directed at SMEs. So if your organisation has not been hacked yet, it might just be a matter of time.
Helping to secure log ins, particularly for remote workers and workers using cloud applications, can be the first step in trying to make company boundaries impenetrable.
Traditional authentication strategies
Many organisations are aware of the risks of securing with user name and password alone, which has led to the proliferation of other types of authentication:
Certificates: a client certificate, with its private key, installed on a PC is another popular way for financial institutions to secure the log-in. But certificates bring significant problems, including difficult provisioning and a complicated management process. Device support is patchy – they often cannot be installed on the mobiles employees want to use, making it difficult to read email from a smartphone. Certificates are also costly to implement and manage.
Two-factor authentication (2FA): wise to the threats that began appearing in the 90s – key logging and passwords that were guessed, cracked, bought or borrowed – two-factor authentication was developed. Classic 2FA uses hardware tokens or cards that display one-time passcodes. The problem with token-based technologies – which are very widely used in the FS industry, for example – is that the codes are not random: each token derives them from a secret seed that the vendor and the authentication server also hold, so a seed file obtained through unauthorised access or theft lets an attacker compute every code that token will ever display. If the seed file is compromised, not only are organisations exposed to attack, but millions of hardware tokens have to be replaced. In addition to this weakness, hardware token solutions are a hassle for IT teams, who spend a considerable amount of time distributing tokens, maintaining additional user databases, and helping users who forget their tokens or cannot log in because a token has drifted out of sync. Token codes can also be phished: a code captured and relayed within the seconds before it expires is accepted, so these tokens do not stand up to modern real-time attacks.
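The seed-file problem above follows directly from how such tokens compute their codes. The following Python is an added example (not from the original article or its authors) implementing the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) that time-based tokens use, and showing that anyone holding a copy of the seed produces exactly the codes the token will display. The “seed file” is constructed for the example and uses the RFC 6238 reference test key, not a real token secret.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time // step."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.
    Constant-time comparison keeps the check from leaking matching digits."""
    return any(
        hmac.compare_digest(totp(seed, at + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


# Constructed "seed file": what the authentication server (and the vendor)
# keep per token. The value is the RFC 6238 reference test key, not a real seed.
SEED_FILE = {"token-0001": b"12345678901234567890"}


def codes_from_stolen_seed(seed: bytes, start: int, steps: int = 3) -> list:
    """What an attacker holding a copied seed can precompute: the exact codes
    the token will display over the next `steps` time steps, with no token at all."""
    return [totp(seed, start + i * 30) for i in range(steps)]


if __name__ == "__main__":
    seed = SEED_FILE["token-0001"]
    now = 59                                   # RFC 6238 test time
    shown_on_token = totp(seed, now)
    print("token displays:", shown_on_token)
    print("server accepts:", verify_totp(seed, shown_on_token, now))
    print("attacker's precomputed codes:", codes_from_stolen_seed(seed, now))
```

Nothing in the token’s output depends on anything other than the seed and the clock, which is why a compromised seed file is equivalent to a compromised token and why every affected token must be re-seeded or replaced.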
Biometrics: a number of organisations have started to use biometrics to protect log-ins. The problem is that this technology is often flawed and very expensive to implement. For a start, IT teams would need to ensure that all employees had hardware that could scan retinas or validate fingerprints. Biometric data can also be compromised, and there have been breaches: fingerprint readers have been bypassed using scanned and printed fingerprints and 3D models of a victim’s thumb (14), and face detection and recognition implementations have been bypassed using 2D pictures of the victim’s face (15). Other techniques like keystroke recognition can be vulnerable to real-time keystroke generators fed with data collected through social engineering. And unlike a password, a compromised biometric cannot be changed.
An alternative solution - multi-factor authentication
Multi-factor authentication (MFA) is a critical element in the armoury of IT and security executives. Advanced (adaptive) MFA solutions use contextual data around the log-in to determine whether the user should be granted access, i.e. they add contextual signals on top of the password and one-time code to validate a user’s identity. These could include the user’s connection, their geographic location, the roles and rights they have as a member of a group (for example, some employees will be authorised to use accounts systems while others will not), a valid point of entry and the time of day. If cyber gangs based in locations across the world are trying to access company systems in the middle of the night, IT teams can block access at that time of day.
Using this combination of contextual signals, the system decides whether to let the log-in proceed. Only once the username and password are validated does the solution generate the one-time passcode. Generating the code when the session is established, instead of relying on a pre-set ‘bank’ of codes or a seed, means the server knows which computer the login request is coming from. The solution can therefore create a code and bind it to that session, so that the code, received on the mobile phone, is accepted only from the computer that initiated the login. This boosts security: if the code is intercepted for any reason, it cannot be used from any other device. That is in sharp contrast to seed-based hardware tokens, where a valid code is accepted from any device or session and anyone in possession of it can complete a legitimate login. A challenge- and session-bound code therefore defeats replay of an intercepted code; the caveat practitioners should note is that it does not by itself stop a real-time phishing proxy, because there the attacker’s own computer is the one that initiated the session the code is bound to.
Token-based authentication, by its very nature, cannot match this level of security.
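As an added example (not code from the original article, its authors or the product described), the following Python sketches the server side of the session-bound scheme described above: a random code is minted only after the password check, stored against the login session that triggered it, and accepted once, from that session only, within a time limit. The scenario functions show what the binding defeats (replay from another session, reuse, stale codes) and the caveat it does not cover. Session identifiers and timings are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    session_id: str     # the login session this code was minted for
    code: str           # sent out of band (e.g. to the user's phone), never to the browser
    expires_at: float
    used: bool = False


class SessionBoundOTP:
    """Server side of the 'generate at login, bind to the session' scheme.
    Codes are random, minted only after the password check has passed, and
    accepted only from the session that triggered them, once, within a TTL."""

    def __init__(self, ttl_seconds: int = 120, digits: int = 6):
        self.ttl = ttl_seconds
        self.digits = digits
        self._pending: Dict[str, Challenge] = {}

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        # One outstanding challenge per session; issuing again replaces it.
        self._pending[session_id] = Challenge(session_id, code, now + self.ttl)
        return code

    def verify(self, session_id: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        ch = self._pending.get(session_id)
        if ch is None or ch.used or now > ch.expires_at:
            return False
        if not hmac.compare_digest(ch.code, code):
            return False
        ch.used = True          # single use, even while still inside the TTL
        return True


def scenario_replay_blocked() -> bool:
    """An intercepted code is useless from another session and after first use."""
    srv = SessionBoundOTP()
    code = srv.issue("sess-victim", now=1000)
    intercepted_fails = not srv.verify("sess-attacker", code, now=1001)
    legit_ok = srv.verify("sess-victim", code, now=1002)
    reuse_fails = not srv.verify("sess-victim", code, now=1003)
    return intercepted_fails and legit_ok and reuse_fails


def scenario_expired() -> bool:
    """A code that is not used within the TTL is rejected."""
    srv = SessionBoundOTP(ttl_seconds=60)
    code = srv.issue("sess-1", now=0)
    return not srv.verify("sess-1", code, now=61)


def scenario_realtime_phish_not_covered() -> bool:
    """Caveat: if the attacker starts the session and relays the victim's
    password, the code is minted for the attacker's session. A victim who
    types it into the phishing page hands over a code that is valid there."""
    srv = SessionBoundOTP()
    code = srv.issue("sess-attacker", now=0)        # victim's phone receives this code
    return srv.verify("sess-attacker", code, now=5)  # attacker submits what the victim typed


if __name__ == "__main__":
    print("replay from another session blocked:", scenario_replay_blocked())
    print("stale code rejected:", scenario_expired())
    print("real-time phishing still succeeds:", scenario_realtime_phish_not_covered())
```

The design choices worth copying are the ones that make a code worthless outside its session: random rather than seed-derived codes, a short TTL, single use, and a constant-time comparison so a wrong guess reveals nothing.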
Mobile phones are a key part of MFA because users do not have to be issued with tokens, which are expensive and require more management. The mobile is a ubiquitous part of most people’s lives, and employees will almost always have theirs with them, so they can use it as part of their log-in whether they are in the office, working at home or travelling.
So why is MFA better than other alternative ways to authenticate organisational systems?
It is real time and session specific: if a solution is not real time, its passcodes are derived from a seed file that sits somewhere on disk, where it can be stolen or copied, and anyone holding the seed can compute the codes in advance. A real-time solution generates the passcode on demand at log-in, so there is no stored seed or bank of codes to steal. And even if a hacker intercepts the one-time passcode, he cannot use it, since it is bound to the individual login session that requested it.
Geo-fencing: modern authentication solutions use “geo-fencing” to restrict access to systems and applications from certain countries. For example, if there is a high incidence of hacking from China – as media reports (16) allege – access from there can be blocked. But if a team of executives is travelling to China on business, those employees’ log-ins can be enabled for that location for the duration of the trip.
Use of mobiles makes it easy to use and deploy: when passcodes are delivered to employees’ mobile phones, IT teams do not have to deal with the administrative and management burden of supplying and supporting devices. As employees join or leave the company, adding or deleting them as authorised users is easy. This ease of administration is good news for the IT department, as it does not impede their productivity. Authentication solutions that use existing infrastructure such as Active Directory or general LDAP directories, without schema extensions or additional databases, are to be preferred for a smooth deployment. An added security benefit of going token-free is that people might never mention or even notice a lost hardware token, but they act immediately when their phone is lost or stolen: users typically call their carrier straight away to terminate the service, which closes the window for the organisation. Two caveats are worth noting: cancelling the SIM does not revoke the device in the authentication system, so the IT team should also have a quick way to disable or re-enrol a user’s phone; and codes sent by SMS are only as safe as the carrier’s number-porting controls, so SIM-swap fraud is a risk to weigh against the convenience.
User friendliness: generally, the response to MFA solutions is that they are very user friendly. If a solution is not user friendly, users will not want to engage with it, and this can undermine an organisation’s attempt to improve its authentication. The importance of user convenience should not be underestimated. Make sure the solution has a good user experience: it should be easy and straightforward to use, not overly complicated, should not make the authentication procedure noticeably longer than users are used to, and should offer an intuitive login process. Reliability is also key, since employees are increasingly mobile and need to log in from many different locations.
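The contextual checks described in this section (group rights, authorised entry points, geo-fencing with a temporary travel exception, and time-of-day restrictions) are easiest to reason about as an explicit policy evaluated before any one-time code is sent. The Python below is an added example, not code from the original article, its authors or any product it names; the policy, users and the GeoIP country codes it consumes are all constructed for illustration, and a real deployment would take the country from a GeoIP lookup on the source address.

```python
from dataclasses import dataclass
from datetime import datetime, time as dtime
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class LoginContext:
    user: str
    groups: FrozenSet[str]
    country: str        # ISO code from a GeoIP lookup on the source IP (assumed done upstream)
    entry_point: str    # gateway the request came through, e.g. "citrix", "vpn", "ssh"
    when: datetime      # server-side local time of the request


@dataclass
class Policy:
    blocked_countries: Set[str]
    # user -> (country, valid_from, valid_until): a temporary, per-user hole in the geo-fence
    travel_exceptions: Dict[str, Tuple[str, datetime, datetime]]
    # group -> gateways that group is entitled to use
    entry_points_by_group: Dict[str, Set[str]]
    work_hours: Tuple[dtime, dtime]   # outside this window only members of "oncall" get in


def evaluate(policy: Policy, ctx: LoginContext) -> Tuple[bool, str]:
    """Contextual pre-check run after the password is verified and before any
    one-time code is sent. A False result means no code is generated at all,
    so a remote attacker holding a stolen password gets nothing to phish."""
    permitted: Set[str] = set()
    for group in ctx.groups:
        permitted |= policy.entry_points_by_group.get(group, set())
    if ctx.entry_point not in permitted:
        return False, f"{ctx.entry_point} is not an authorised entry point for {ctx.user}"

    if ctx.country in policy.blocked_countries:
        exc = policy.travel_exceptions.get(ctx.user)
        if not (exc and exc[0] == ctx.country and exc[1] <= ctx.when <= exc[2]):
            return False, f"geo-fence: {ctx.country} is blocked and no travel exception applies"

    start, end = policy.work_hours
    if not (start <= ctx.when.time() <= end) and "oncall" not in ctx.groups:
        return False, "outside working hours and user is not on call"

    return True, "context accepted; proceed to one-time code"


# Constructed sample policy standing in for what an administrator would configure.
SAMPLE_POLICY = Policy(
    blocked_countries={"CN"},
    travel_exceptions={"jane.exec": ("CN", datetime(2016, 5, 2), datetime(2016, 5, 9, 23, 59))},
    entry_points_by_group={
        "staff": {"citrix", "webmail"},
        "admins": {"ssh", "vpn", "citrix"},
        "oncall": {"vpn"},
    },
    work_hours=(dtime(7, 0), dtime(20, 0)),
)


def check(user: str, groups, country: str, entry_point: str, when_iso: str,
          policy: Policy = SAMPLE_POLICY) -> Tuple[bool, str]:
    """Convenience wrapper: build the context from plain values and evaluate it."""
    ctx = LoginContext(user, frozenset(groups), country, entry_point,
                       datetime.fromisoformat(when_iso))
    return evaluate(policy, ctx)


if __name__ == "__main__":
    for args in [
        ("alice", {"staff"}, "DK", "citrix", "2016-05-03T10:00"),        # normal office hours
        ("alice", {"staff"}, "CN", "citrix", "2016-05-03T10:00"),        # blocked country
        ("jane.exec", {"staff"}, "CN", "citrix", "2016-05-04T10:00"),    # on an approved trip
        ("jane.exec", {"staff"}, "CN", "citrix", "2016-05-12T10:00"),    # trip window has closed
        ("alice", {"staff"}, "DK", "citrix", "2016-05-03T03:00"),        # middle of the night
        ("bob", {"admins", "oncall"}, "DK", "vpn", "2016-05-03T03:00"),  # on-call admin
        ("alice", {"staff"}, "DK", "ssh", "2016-05-03T10:00"),           # gateway not in role
    ]:
        allowed, reason = check(*args)
        print("ALLOW" if allowed else "DENY ", args[0], args[3], args[2], "-", reason)
```

Evaluating the cheapest and most decisive checks first (role, then geography, then time) and returning a reason with every denial keeps the policy auditable; the travel exception is bounded by date so that the hole in the geo-fence closes itself when the trip ends.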
MFA in practice - DTU (Technical University of Denmark)
DTU is recognised internationally as a leading university in the areas of technology and the natural sciences and is known for its business-oriented approach, its focus on sustainability and its appealing study environment. Today, DTU is ranked as one of the foremost technical universities in Europe. It continues to set new records in publishing, in the partnerships it develops with industry and in assignments undertaken by DTU’s public sector consultancy. DTU’s IT service function serves a wide range of departments, university entities and affiliated companies who benefit from their modern IT setup and infrastructure.
The challenge: to provide 1,400 employees with secure access to a wide range of systems and applications, and to protect patient data processed by Computerome, DTU’s supercomputer.
The solution: an adaptive Multi Factor Authentication solution; in this instance, CensorNet Multi Factor Authentication was used.
Systems protected:
- Citrix NetScaler
- Cisco ASA VPN
- SSH Gateway
- Computerome (supercomputer)
Leaving hardware tokens behind
At DTU, employee remote access from across Europe is enabled through a number of login systems including Citrix, Cisco and SSH. Originally, users of these systems had to carry hardware tokens for authentication when logging in. The token-based setup was becoming increasingly time consuming to manage and was causing frustration for both users and the IT team running it: with more than 1,000 token users at DTU, the IT team constantly had to replace tokens that had been damaged or lost.
Making life easier for IT
Multi Factor Authentication (MFA) was identified as the ideal answer to support DTU’s security requirements. The system uses contextual data around the log-in to determine whether the user should be granted access. Once the user is given the green light, a one time, session specific passcode is sent in real time to the user’s mobile phone, which the user then keys in to access the DTU systems and applications they are authorised to use.
For DTU, the advantages have been clear. The IT team has found that token-free authentication is much easier to manage, and they have saved significant costs by retiring the tokens and migrating to the MFA solution. The tight integration with Microsoft Active Directory makes it much easier for the DTU IT team to add or delete users as they need to.
Securing access to “Computerome”
Since the initial implementation, the use of the MFA solution has also been expanded to cover user authentication of around 400 scientists accessing DTU’s super computer named Computerome.
Computerome is currently listed as number 236 of the top 500 most powerful super computers in the world and is used to process large amounts of data for scientific research in medicine and biology. Given the fact that Computerome stores and processes patient data, it was vital for DTU to add multi-factor authentication protection in order to meet regulatory requirements around storing health care data. The Computerome users are stored in an OpenLDAP directory.
IT security will always be a battle for organisations. As long as there are systems and applications and security in place to protect them, there will be hackers out there who are focused on gaining entry. As quickly as the technology is developing to deal with cyber threats, threats themselves are evolving and mutating, fixated on finding a way in, a weak entry point.
But authentication is the one area organisations can really do something about. The fact that it is such a key target for hackers means the right strategies have to be put in place. Not having robust authentication in place is a bit like leaving your back door open. The faster organisations are able to lock down their authentication, the quicker an avenue for hackers is closed. MFA is a way to help IT teams do this.
(1) Government’s Cyber Security Breaches Survey 2016: https://www.gov.uk/government/publications/cyber-security-breaches-survey-2016
(2) Ponemon Institute and IBM’s Cost of Data Breach Study: http://www-03.ibm.com/security/data-breach/
(3) Verizon’s 2016 Data Breach Investigations Report, as summarised by IT Governance: http://www.itgovernance.co.uk/blog/63-of-data-breaches-involve-weak-default-or-stolen-passwords/
(4) Office of Personnel Management 2015 data breach: https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach and https://www.opm.gov/CYBERSECURITY
(5) Interpol, security company Kaspersky and other law enforcement agencies uncovered a massive security breach in 2015: http://www.independent.co.uk/life-style/gadgets-and-tech/news/the-1-billion-bank-heist-cyber-gang-steals-from-100-institutions-in-unprecedented-robbery-10048003.html
(6) TorrentLocker malware, background: http://www.welivesecurity.com/2014/12/16/torrentlocker-racketeering-ransomware-disassembled-by-eset-experts/ and http://www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/
(7) Symantec Internet Security Threat Report 2015: https://www.symantec.com/security-center/threat-report
(8) TalkTalk’s share price plunged by 20% in the weeks following its data breach: http://www.cityam.com/228714/talktalk-share-price-plunges-twice-as-deep-as-sony-carphone-warehouse-barclays-and-ebay-after-cyber-attacks
(9) JP Morgan data breach: https://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach and http://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKBN0K105R20141223
(10) Ashley Madison breach, cyber lessons learned from the Ashley Madison attack: http://www.forbes.com/sites/ericbasu/2015/10/26/cybersecurity-lessons-learned-from-the-ashley-madison-hack/#6c1e2d66ed99
(11) Weakness of passwords in the Ashley Madison hack: http://www.zdnet.com/article/these-are-the-worst-passwords-from-the-ashley-madison-hack/
(12) 25-GPU cluster cracks every standard Windows password in less than 6 hours: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
(13) Symantec’s 2014 Internet Security Threat Report: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
(14) 3D printing of thumbprints to unlock phones: http://www.theverge.com/2016/7/21/12247370/police-fingerprint-3d-printing-unlock-phone-murder
(15) Most biometric methods have been bypassed: https://securitycafe.ro/2015/02/02/concerns-regarding-biometric-authentication/
(16) Obama administration covered up Chinese hacking of government computers: http://www.ibtimes.com/obama-administration-covered-chinese-hacking-government-computers-republicans-claim-2391354