There are two types of people in the world: people who have reusable “burner” passwords for things they don’t consider important, and people who lie about it.
In the wake of the news that all GoToMyPC users are being required to change their account passwords due to a “sophisticated attack,” it’s interesting to reflect on whether or not passwords by themselves are a sufficient security measure in the modern computing landscape.
The GoToMyPC attack isn’t surprising
We’ve known for years that the username / password tuple wasn’t enough. That is why multi-factor authentication was invented (more on that in a moment). Even granting that usernames / passwords are sufficient to protect some resources, people are absolutely terrible at using them. It’s another in a long list of cases where “the right way to do it” is unambiguous and well known, yet adhered to with disappointing infrequency.
Password authentication doesn’t share the complete story
This latest attack underscores our unsurprising failures with regard to password security. Our passwords aren’t long or complex enough and we reuse them too often. The attack also reinforces an important point from the Verizon Data Breach Investigations Report which indicates that compromised or stolen credentials were used in 63 per cent of confirmed breaches.
Modern user authentication should be more like good journalism: you can start with “who” but that by itself is an incomplete story. To really be able to make appropriate authorisation decisions, the what, when, where, how, and sometimes why are also relevant. These extra dimensions establish important context which becomes the basis for trusting an entity who is trying to exercise privilege on a resource. As with any sophisticated piece of reporting, the elements will overlap and interrelate. So how do the “5WH” manifest themselves in the real world and how can we translate that to improving authentication?
Context is key in authentication
What. If I am an iOS user, my attempt to access a resource from an Ubuntu system should throw a flag. But even if I am accessing a resource from my usual platforms, it’s important to know the security posture of the underlying device. Have I compromised the OS of my iPad? Have I sideloaded potentially malicious applications? Does my device comply with the policies established by my organisation? Factoring the type of endpoint and its state into authorisation decisions can help protect credentials and resources.
Where. As much as I would like to be able to be in two places at once, physics continues to thwart me. If I attempt to access services simultaneously from Flint, MI and Mountain View, CA, authorisation policies should limit the number of concurrent logons, especially from disparate locations.
When. For some types of employees, restricting logon hours is impractical. For others, it only makes sense. If I only access systems when I am physically on premises, shutting down that access when I have left the building helps prevent misuse of my credentials. It’s been asserted that, after careful examination, Edward Snowden’s login times varied on the days he was exfiltrating his data.
How. If I normally log in via the corporate VPN from my home broadband and I suddenly appear to be coming from a Tor exit node, one might reasonably question the sudden change in my MO. In many ways, this is not altogether separate from “what” and “where”, but how people attempt to access resources may be an indicator of whether or not their intentions are above board.
Why. I am an IT guy who does not work in our IT department. I also don’t work in Finance or Engineering. As such, one would be well within their rights to question why I might try to access resources holding sensitive data for those departments. Privilege management, while not directly related to authentication, is really the other side of the same coin. If it’s trivial for me to exceed my authorisation or the lifecycle of my authorisation is not appropriately managed (i.e. my entitlements and access don’t change in accordance with changes in my roles and responsibilities), then the risk associated with the compromise of my credentials increases over time.
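The five dimensions above, turned into a small context-aware scoring policy. This is an added illustration, not code from the article or from MobileIron; the weights, thresholds, field names and the sample attempts (a routine logon from Flint followed 20 minutes later by one from Mountain View on an unfamiliar platform via a Tor exit) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Attempt:
    platform: str      # what: client OS the device reports
    compliant: bool    # what: device meets organisation policy?
    city: str          # where: geolocated source of the request
    source: str        # how: network path, e.g. "corp_vpn", "tor_exit"
    at: datetime       # when

@dataclass
class Baseline:
    platforms: set     # platforms this user normally logs in from
    sources: set       # network paths this user normally uses
    logon_hours: tuple # (start_hour, end_hour) or None if unrestricted

def score_attempt(base: Baseline, att: Attempt, recent: list) -> tuple:
    """Return (risk_score, reasons); weights and thresholds are illustrative."""
    score, reasons = 0, []
    if att.platform not in base.platforms:                     # what
        score += 2; reasons.append("unfamiliar platform")
    if not att.compliant:                                      # what
        score += 3; reasons.append("device out of policy")
    if base.logon_hours and not (base.logon_hours[0] <= att.at.hour < base.logon_hours[1]):
        score += 2; reasons.append("outside logon hours")      # when
    for prev in recent:                                        # where
        if prev.city != att.city and att.at - prev.at < timedelta(hours=1):
            score += 4; reasons.append(f"concurrent session from {prev.city}")
            break
    if att.source not in base.sources:                         # how
        score += 3; reasons.append(f"unusual source {att.source}")
    return score, reasons

def decide(score: int) -> str:
    """Map the score to an outcome: allow, step_up (require MFA), or deny."""
    return "deny" if score >= 6 else "step_up" if score >= 3 else "allow"

def demo() -> dict:
    """Constructed sample: a routine logon from Flint, then one 20 minutes
    later from Mountain View on an unfamiliar platform via a Tor exit."""
    base = Baseline({"iOS", "macOS"}, {"corp_vpn", "home_broadband"}, (7, 19))
    t0 = datetime(2016, 6, 20, 10, 0)
    flint = Attempt("iOS", True, "Flint, MI", "corp_vpn", t0)
    mtv = Attempt("Ubuntu", True, "Mountain View, CA", "tor_exit", t0 + timedelta(minutes=20))
    out = {}
    for att, recent in ((flint, []), (mtv, [flint])):
        s, why = score_attempt(base, att, recent)
        out[att.city] = (s, decide(s), why)
    return out
```

Calling demo() returns the score, outcome and reasons for each attempt; the "why" dimension is left to privilege management, which the policy engine consults rather than scores.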
Stronger authentication and education are required to protect enterprises
There are a number of solutions already available to address these challenges. The promise of Big Data Analytics as applied to user behaviour will likely take us even further toward authentication methods that are more suitable for modern computing.
We’ve already seen some implicit acknowledgement and decisive steps to improve authentication in critical B2C spaces like financial services. Online brokerages issued two-factor authentication tokens in the late 1990s, and today it’s almost unheard of for a financial services company not to use some sort of “step up” authentication for its websites and mobile apps.
Of course, the best thing we can do is education. It’s a common refrain, but it bears repeating: people are the weakest links, and educating users about good internet safety and security is not only in the interest of organisations, it’s in the interest of their employees too. After all, most cybercrime is like any other crime: it’s based on opportunity and soft targets, so the most effective defence is taking steps to make the effort and cost of a successful attack higher than the benefit, and that begins with teaching people the easy ways to make bad actors’ lives harder.
James Plouffe, lead solutions architect at MobileIron.