Who do you think you are?
SecurEnvoy, 26/11/2012, Archive
How do you protect your systems from fake users when private data is so easy to come by? SecurEnvoy explores what can happen when user authentication is based on passwords and personal information.
This summer, two seemingly unrelated events occurred that should have caused IT managers everywhere to pause and think. The first was the IT failure at RBS and the chaos caused by a relatively minor software glitch: a high profile event affecting millions. The second was a much lower profile event, with direct consequences for one individual: the epic hack suffered by journalist Matt Honan, who lost his entire digital life.
Why are they related? Because any company that depends on and has faith in password protection is open to the same sort of ‘daisy-chain’ hacking suffered by Honan, but with consequences that make RBS’s problem look like chicken feed.
The full story of Honan’s hack can be read here. But the short version is that over the course of a few hours he discovered that hackers had thoroughly and systematically infiltrated his accounts with leading service providers, wiped the data stored on all his various devices, and created a brand new, foul-mouthed but fake online presence.
The worst week of your life
Imagine that recreated on an enterprise scale, and you have a vision of every IT manager’s worst nightmare. It’s a story that might go something like this:
Day 1: The corporate Twitter account goes rogue.
Without anyone knowing why, or who is writing them, the business’s Twitter feed has started to spew libellous, racist comments into cyber-space, which spread with wildfire speed. Not only is it a huge reputational management problem, it rapidly affects the share price. By the time you have worked out that there has been a security breach, it’s too late because…
Day 2: The CEO has turned into a cyber-stalker.
Before you even get in the building, the CEO is on the phone, demanding to know why his email address is sending out highly suggestive, and very illegal, emails to junior staff members – without him going anywhere near his email account. Pacifying the chief executive – and the chief executive’s legal team – while trying to find the source of the problem is the day’s only priority.
Day 3: Customers enter the Bermuda triangle
As the day progresses and the number of calls from the accounts and billing departments increases, it becomes clear that important parts of the CRM database are going dark. Customer information is going missing or being rewritten. Billing systems are corrupted, with terrible consequences for future revenues.
Day 4: RIP R&D
The head of R&D is pacing outside your office because key data has mysteriously disappeared. The database has clearly been hacked: but has the information been wiped, or is it in the hands of corporate rivals?
Day 5: Server Armageddon
The lights are off and no one is home. Disk-based onsite back-up is wiped, and tumbleweed is blowing through the corporate system. Reconstruction will take weeks. But there’s no chance you will keep your job long enough to do it.
The hacker’s path of least resistance
If the above scenario sounds extreme it is only because we have imagined it taking place over an entire week. In reality, that’s a morning’s work for a determined hacker. When disparate systems are networked and servers connected, a carefully targeted hack on one system can open up an entire digital universe in a matter of minutes.
For the above scenario it is more than feasible that, in a carefully planned attack, a hacker would take the time to gain access to the HR database via a Trojan, then use personal information and some social engineering to obtain a fraudulent password reset. With that password he gains access to the system and, bit by bit, extracts, deletes and wipes data to cause maximum financial and reputational damage.
In this case, a one-off security breach of one system has led to the wholesale collapse of the network because of reliance on static passwords that are based on known information, which is stored in one environment.
But what really makes this problem stand out is that the private information required to establish user identity and to create and, crucially, reset passwords is often no longer that private. Why go for social engineering when you have Facebook? As more and more of us create multi-faceted, comprehensive profiles online, the chances of a hacker finding the right piece of data and then applying it to get into a corporate system increase – particularly as most people are not that imaginative when it comes to password creation.
In the same way that corporates had to control their employees’ use of personal mobile devices on the corporate network, they must now address the very real consequences of the personal data that litters the internet.
Who are you and what you have
In the era of Facebook, LinkedIn and Google+, it is no longer enough to use a personal piece of information to identify and authenticate users. In the real world of all too human users who leave fragmented bits of data all over the internet, a single password-based system, based on what you know, is not enough to secure any network.
A second factor – something unique that the user has in their possession – is increasingly important. This can be a specialist key, card or fob with an extra passcode on it; but where all-too-fallible users are concerned, a tokenless approach such as that provided by SecurEnvoy is often the more appropriate solution. Rather than giving users an extra device that is easy to lose, their mobile phones are transformed into the token. To enter the corporate network, they must enter their standard UserID and password, as well as a one-time passcode that is sent to their phone.
Once it has been used, the passcode is obsolete. It cannot be used the next time a user wants to access the system – it provides the same high level of security as physical two-factor authentication (2FA) devices, but through a mobile phone that the user, as we have seen, will always carry with them, so they can authenticate wherever they are. This makes it particularly appropriate for protecting extensive corporate networks. Set up a 2FA solution to protect each main server or system, and it becomes much harder for a criminal to flit from one system to the next on a path of destruction. However, what really sets a system like this apart is that it enables organisations to protect administrator privileges so that the 2FA solution itself cannot be wiped or overridden – for example, SecurEnvoy SecurPassword uses 2FA to authenticate password resets, which is where this hack started.
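The two properties the text relies on – a passcode that dies the moment it is used, and a password reset that demands that passcode rather than personal trivia – are easy to get subtly wrong. The following is an added illustration written for this article; it is not SecurEnvoy’s code and makes no claim about how SecurPassword is implemented. It assumes a five-minute code lifetime and a three-guess limit (both invented policy values), stores only a digest of each pending code, uses a constant-time comparison, and stands in for SMS delivery by returning the code to the caller. The injectable clock exists only so the expiry path can be exercised offline.

```python
"""Single-use, time-limited passcodes gating a password reset (added example, not vendor code)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code lives for five minutes
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses allowed before the code is burned


def _digest(user_id: str, code: str) -> bytes:
    # Only a digest is kept, so a dump of the pending table does not expose live codes.
    return hashlib.sha256(f"{user_id}:{code}".encode()).digest()


class OneTimePasscodeStore:
    """Issues codes that verify exactly once, then become useless."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> {"digest", "expires_at", "attempts_left"}

    def issue(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, uniform over 000000-999999
        self._pending[user_id] = {
            "digest": _digest(user_id, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code   # a real system hands this to the SMS channel, never to the web session

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                    # nothing outstanding, or already consumed
        if self._clock() > entry["expires_at"]:
            del self._pending[user_id]      # stale codes are dropped, not compared
            return False
        if hmac.compare_digest(entry["digest"], _digest(user_id, submitted)):
            del self._pending[user_id]      # consumed: the same code replayed now fails
            return True
        entry["attempts_left"] -= 1
        if entry["attempts_left"] <= 0:
            del self._pending[user_id]      # burned: guessing the 6 digits is cut short
        return False


class PasswordResetService:
    """Reset flow where the one-time code, not 'mother's maiden name', authorises the change."""

    def __init__(self, store: OneTimePasscodeStore):
        self._store = store
        self._passwords = {}   # constructed in-memory user store: user_id -> (salt, pbkdf2)

    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def check_password(self, user_id: str, password: str) -> bool:
        if user_id not in self._passwords:
            return False
        salt, stored = self._passwords[user_id]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def begin_reset(self, user_id: str) -> str:
        return self._store.issue(user_id)

    def complete_reset(self, user_id: str, code: str, new_password: str) -> bool:
        if not self._store.verify(user_id, code):
            return False                    # no valid second factor, no reset
        self.set_password(user_id, new_password)
        return True


class FakeClock:
    """Test clock so expiry can be demonstrated without waiting five minutes."""
    def __init__(self, start: float): self.t = start
    def now(self) -> float: return self.t
    def advance(self, seconds: float) -> None: self.t += seconds


def _other_than(code: str) -> str:
    return "000000" if code != "000000" else "999999"


def demo() -> dict:
    """Walks through wrong code, correct code, replay, expiry and lockout; every value should be True."""
    clock = FakeClock(1_700_000_000.0)
    svc = PasswordResetService(OneTimePasscodeStore(clock=clock.now))
    svc.set_password("alice", "correct horse")
    out = {}
    code = svc.begin_reset("alice")
    out["wrong_code_rejected"] = not svc.complete_reset("alice", _other_than(code), "x")
    out["reset_with_code"] = svc.complete_reset("alice", code, "new-secret")
    out["replay_rejected"] = not svc.complete_reset("alice", code, "attacker-chosen")
    out["new_password_works"] = svc.check_password("alice", "new-secret")
    out["old_password_dead"] = not svc.check_password("alice", "correct horse")
    code2 = svc.begin_reset("alice")
    clock.advance(CODE_TTL_SECONDS + 1)
    out["expired_rejected"] = not svc.complete_reset("alice", code2, "late")
    code3 = svc.begin_reset("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.complete_reset("alice", _other_than(code3), "x")
    out["burned_after_guesses"] = not svc.complete_reset("alice", code3, "x")
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering inside `verify` is the part worth copying: the expiry check runs before the comparison, the entry is deleted on success before anything else happens, and the attempt counter bounds how many of the million possible six-digit codes an attacker can try against one issuance. Skip any one of those and the “obsolete once used” promise the article makes no longer holds.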
There are plenty of keylogger blockers, anti-malware solutions, almost impenetrable firewalls and anti-virus programs available, and there is no question that these should be used in the protection of the corporate network. But it is also important to recognise that the weakest link is, and always will be, users, and that it is becoming harder and harder to mitigate the risks presented by their online behaviour. Every organisation therefore owes it to itself to ensure it has solutions in place that guarantee everyone accessing its network is exactly who they say they are.