How to ensure strong passwords and better authentication
Five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft
Authentication is the process that attempts to establish the identity of a user and is followed by an authorisation process that grants whatever privileges may be appropriate to that identity. Common examples of authentication include logging on to a workstation in a corporate network (using a username and password), withdrawing cash from a bank cash dispenser (a bank card and PIN), and internet shopping (an email address and password).
When a user attempts to access a resource, the authorisation process checks that the user has been granted permission to use that resource. Permissions are usually defined by the system administrator in the form of an access control list for each resource.
The most common means of authentication remains the password. Unfortunately, most users do not know how to construct a secure password, nor do they understand the risks involved. Also, people often use the same password in several different situations -- for logging on to Windows, for running the payroll system and for accessing an authenticated website. This makes the attacker's task considerably easier, because once they have one password for a specific user, they have them all.
Anyone who steals the identity of a user becomes that user and has access to their most sensitive systems and data. If just one user's identity is compromised, corporate systems are vulnerable. This is the threat posed by corporate identity theft.
Identity theft takes many forms -- exploiting weak passwords, keystroke capture, phishing, Trojan software, social engineering, password sharing, and so on. Not every attacker is sitting at home with their computer, trying to break into the corporate website. Sometimes all they have to do is call up and ask!
Organisations often make very dangerous assumptions about the security of data on their networks. It is rare for a business to audit password quality or access permissions on a regular basis -- yet trivial passwords and poor protection of sensitive information remain the most common problem we find when conducting a security review.
Password guessing
Users, even technical experts and senior staff, often use easy-to-guess words, such as 'password', 'holiday', or even their own name. The use of trivial passwords to secure service accounts -- highly privileged accounts used by backup programs, network control software and anti-virus tools -- is so common that gaining control of an entire network frequently takes no more than a few minutes during a penetration test.
Impersonation
Social engineering by impersonation is a popular attack method. For example, an attacker will call the helpdesk pretending to be an employee, claim to have forgotten their password and ask the helpdesk to reset it or give it to them. The helpdesk will frequently do this without verifying the identity of the caller. Our testing shows that this is also a common scenario -- successful at most organisations in all business sectors.
Industrial espionage and organised crime are a real threat, but most surveys show that the more significant risk is within the organisation. An employee can often see far more corporate information on the head office network than anyone realises. If hacking is defined as "attempting to gain unauthorised access to sensitive information", then most organisations will have several hackers on their staff.
Disgruntled employees (and ex-employees) present a very serious threat to business through access to critical data and personal information. Suppose an employee, with just a little internet research, discovers how to read everyone's emails or even send emails as if they were the CEO.
The solutions
Implement strong authentication for all remote users and for all privileged users and accounts. There are many two-factor alternatives to the traditional password, including tokens, smart cards, smart USB keys and even mobile phone SMS texts.
Strengthen your helpdesk password reset process. Permit password resets only with call-back and PIN authentication or some other form of cross-verification. Implement incident reporting and response procedures for all helpdesk staff, together with clear escalation procedures for everyone in the incident chain. Helpdesk staff should be encouraged to withhold support when a call does not feel right. In other words, "just say no".
Train all employees -- everyone has a role in protecting the organisation and their own jobs. If someone tries to threaten them or confuse them, it should raise a red flag. Train new employees as they start. Give extra security training to security guards, helpdesk staff, receptionists and telephone operators, all of whom have a vital role to play in blocking identity theft. Make sure you keep the training up to date and relevant.
Address the issue of easy-to-guess passwords. This is the single biggest hole in most organisations' defence. If your organisation is using a Windows network, you can use passphrases rather than passwords. A passphrase of 15 characters or more is easier to remember than a complex eight-character password, yet infinitely more secure. Compare "I would love to own a big red Ferrari" (29 characters and almost unbreakable) with "nUaY6zOs" (eight characters and impossible to memorise, yet easily broken by today's password crackers).
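As an added illustration (not part of the original article), the Python sketch below shows the kind of check that could run when a password is set: it flags the trivial words and own-name choices described above, applies the 15-character passphrase threshold, and estimates the exhaustive-search space for the article's two example secrets. The word list, the substitution table, the function names and the account "jsmith" are assumptions made for the example.

```python
import math
import string

# Constructed denylist: the article's two example words plus assumed extras.
# A real audit would load a far larger list.
TRIVIAL_WORDS = {"password", "holiday", "welcome", "letmein", "qwerty"}
LEET = str.maketrans("@4301$5!7", "aaeoissit")  # undo common substitutions
MIN_LENGTH = 15  # passphrase threshold given in the article


def fold(text):
    """Lower-case and reverse common character substitutions."""
    return text.lower().translate(LEET)


def search_space_bits(secret):
    """Exhaustive-search size in bits, from the character classes used.

    Models blind brute force only; a phrase of dictionary words is
    weaker than this figure against a word-based guesser.
    """
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    pool = sum(size for chars, size in classes
               if any(c in chars for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def audit(secret, username, full_name=""):
    """Return the list of policy findings for one candidate secret."""
    findings = []
    if len(secret) < MIN_LENGTH:
        findings.append("shorter than 15 characters")
    # Ignore digits/punctuation bolted onto either end of a single word.
    core = fold(secret.lower().strip(string.digits + string.punctuation))
    if core in TRIVIAL_WORDS:
        findings.append("trivial word")
    identity = [fold(p) for p in [username, *full_name.split()]]
    if any(len(p) >= 3 and p in fold(secret) for p in identity):
        findings.append("contains the user's own name")
    return findings


if __name__ == "__main__":
    # Constructed test account; the first two secrets are the article's examples.
    for s in ("nUaY6zOs", "I would love to own a big red Ferrari", "P@ssw0rd1"):
        print(f"{s!r}: {search_space_bits(s):.1f} bits, "
              f"{audit(s, 'jsmith', 'Jane Smith')}")
```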
Finally, have a security assessment test performed and heed the recommendations. Test the company's ability to protect its environment, to detect the attack and to react and repel the attack. Have the first test performed when the company is expecting it, then do a blind test the second time around.
Checklist for securing authentication
Desktop security
- Shred important documents that you no longer need
- Make sure everyone has a lockable drawer or cabinet
- Implement a clear desk policy for sensitive information
IT security
- Encourage the use of passphrases rather than passwords
- Deploy two-factor authentication for privileged users and for remote access
- Require screen savers with password controls and short timeouts
- Use network-based password management software to manage multiple sets of credentials
- Encrypt sensitive information
- Physically destroy unused hard disks, CDs and other media
Helpdesk
- Permit password resets only with call-back and PIN or cherished information authentication
- Ensure there are clear incident reporting and response procedures
- Implement clear escalation procedures
- Helpdesk staff should be encouraged to withhold support when a call does not feel right
Training
- Train all employees as an ongoing process
- Train new employees as they start
- Give extra security training to security guards, helpdesk staff, receptionists, telephone operators
- Keep the training up to date and relevant
Testing
- Have regular security assessments performed and heed the recommendations
- Test the company's ability to protect its environment, to detect the attack and to react and repel the attack (red team testing)
- Have the first test performed when the company is expecting it, then conduct regular blind tests