Password security fail? Add multifactor authentication, behavior analytics
Few people can remember a time when user names and passwords weren't required for access to applications or systems. Ever since they were introduced, however, passwords have been an attack vector, and they continue to be a headache. There are, however, things you can do to better protect them.
One of the first attacks was to download the password file from Unix systems and run password cracking programs against it. Invariably, user passwords were cracked. Another attack vector, “sniffing” passwords in transit over the network, has become less common with the use of IPsec and TLS/SSL encryption.
But account takeover is still relatively easy to accomplish. Hackers can deploy hardware- and software-based keyloggers to obtain authentication information as you type it into the keyboard. Users also often use the same or similar passwords on multiple accounts. And malicious actors can use social engineering to trick users into providing their passwords. A classic example: The attacker pretends to be from the IT help desk and offers to assist with a fictitious problem if the user will just give him the user name and password.
“63% of confirmed data breaches involved leveraging weak/default/stolen passwords.” — Verizon 2016 Data Breach Investigations Report
There are two approaches you can use to deal with the fact that using passwords alone is problematic: require multi-factor authentication and deploy user behavior analytics to detect user authentication compromises before things get out of hand.
Multi-factor authentication
One option for mitigating the risk of user account takeover is to implement two-factor or multi-factor authentication. Examples of this include a passcode sent to a mobile device via text message; a soft token, which is an application on the mobile device that generates passcodes that can be used just once; or a key fob that provides a passcode that can be used only once.
While these do provide an additional layer of security, they aren't a panacea because users are still susceptible to social engineering, especially less sophisticated users. In fact, a CISO at a large hospital (that will remain nameless) mentioned in a recent conversation that within hours of implementing multi-factor authentication, successful social engineering attacks were being perpetrated. The attackers had less than a minute to use the code, which they repeatedly did—successfully.
User behavior analytics
What can be done? User behavior analytics can be used to detect accounts that have been compromised. It can detect suspicious activity such as access from nonstandard geolocations—for example, an account that's usually accessed from New Jersey is suddenly accessed from Brazil or China—or an account that is accessed outside of normal hours.
However, if an account is already compromised, how can abnormal activity be detected? Detection can be based on what other users in the department are doing. For example, if a user in a business role is accessing finance or human resources sites, but no one else in that business department is accessing those sites, it raises a red flag.
Particularly high-risk roles are administrators in areas such as applications and operating system infrastructure (i.e., firewall, Active Directory, etc.). Group activity can be set up as a baseline and activity outside the baseline flagged.
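As an added illustration of the geolocation, off-hours and peer-group checks described above (example code written for this article, not a product's detection engine), the following Python learns a baseline from a clean period of constructed access events and scores new events against it. The users, departments, countries and resources are invented sample data, and the 07:00-19:59 "normal hours" window is an assumed policy.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: (user, department, country, resource, timestamp)
BASELINE_EVENTS = [
    ("alice", "sales", "US", "crm", "2016-06-01T09:12:00"),
    ("alice", "sales", "US", "email", "2016-06-02T10:30:00"),
    ("bob", "sales", "US", "crm", "2016-06-01T11:05:00"),
    ("bob", "sales", "US", "email", "2016-06-02T14:00:00"),
    ("carol", "sales", "US", "crm", "2016-06-02T15:45:00"),
]
NEW_EVENTS = [
    ("bob", "sales", "US", "crm", "2016-06-03T09:00:00"),          # normal
    ("alice", "sales", "BR", "hr-portal", "2016-06-03T02:17:00"),  # suspicious
    ("dave", "sales", "US", "crm", "2016-06-03T09:30:00"),         # user never seen before
]
NORMAL_HOURS = range(7, 20)  # 07:00-19:59; an assumed policy, tune per organisation

def build_baselines(events):
    """Learn, from a clean period, where each user logs in from and which
    resources each department's members use (the peer-group baseline)."""
    user_countries = defaultdict(set)
    dept_resource_users = defaultdict(lambda: defaultdict(set))
    for user, dept, country, resource, _ in events:
        user_countries[user].add(country)
        dept_resource_users[dept][resource].add(user)
    return user_countries, dept_resource_users

def score_event(event, user_countries, dept_resource_users):
    """Return the list of baseline deviations for one event (empty = nothing odd)."""
    user, dept, country, resource, ts = event
    reasons = []
    if user not in user_countries:
        return ["no baseline for user"]  # cold start: route to review rather than auto-flag
    if country not in user_countries[user]:
        reasons.append(f"new geolocation {country}")
    if datetime.fromisoformat(ts).hour not in NORMAL_HOURS:
        reasons.append("outside normal hours")
    peers = dept_resource_users[dept][resource] - {user}  # who else in the department uses it
    if not peers:
        reasons.append(f"no peer in {dept} uses {resource}")
    return reasons

def detect(baseline_events, new_events):
    """Score every new event against the baseline; return only the flagged ones."""
    baselines = build_baselines(baseline_events)
    return {(e[0], e[4]): r for e in new_events if (r := score_event(e, *baselines))}
```

Calling `detect(BASELINE_EVENTS, NEW_EVENTS)` leaves bob's daytime CRM access unflagged and reports alice's event for all three reasons at once, which is the kind of converging signal that should be triaged ahead of a single off-hours login.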
Before implementing user behavior analytics, however, you need to understand that it may violate the privacy laws of certain countries. Germany, for one, considers monitoring of user activities to be a violation of privacy—have fun hunting for compromised accounts!
Passwords are a problem
In summary, static passwords are extremely easy to compromise. Even complex passwords don't provide the level of security required. Instead, use multi-factor authentication for highly sensitive access, and preferably for all access. Add a process, such as user behavior analytics, to be able to detect compromised accounts and help mitigate risk.
How is your organization taking on the troubled password? Any experience with multi-factor authentication or user behavior analytics? Share your experiences.