dual factor BIA

Have you any view, in a theoretical scenario, if 2-factor authentication for all users was outside a company's budget, how you would go about risk assessing which accounts should be mandatory for 2-factor, and which accounts could be made exempt? Have you any guidance on which accounts in a typical network you'd make mandatory if the budget doesn't allow for all, and which you'd make exempt?

Do you have a view on the benefits of having, say, 20% of your remote users using 2-factor for Citrix/VPN etc. and 80% not, i.e. is there much point in pursuing this for the high-risk 20% and not the 80%, or is it still worthwhile for as many accounts as you can afford?

I'd rather avoid a debate on "well you should do it for all"... and focus on your view on how to prioritise mandatory accounts that should use 2-factor, and lower-risk accounts that could be made exempt.

btan (Exec Consultant) commented:
I see there would be two scenarios, namely the operational and functional aspects.

For operational, we are looking at critical administrators or superusers who have full privilege or, if not, are able to gain access to critical servers either remotely or locally. They form a risk entry for abuse cases or changes to service-backed availability. They require the 2FA. Can be smartcard issued or even RSA SecurID type.

For functional, they are users, but in this discussion I will say they are the remote users. They are typically always on the move, bringing in sales, or have to remain intractable like the viper through email or messaging. As we know, once out of the org premises, it is out of the wall and needs to come through some vanities alley, or what we call the MAC checkpoint. Using 2FA for identity is useful compared to purely username/password, which can be breached.

Overall, the risk profile dictates the necessary measures from the risk assessment point of view.

pma111 (Author) commented:
So admins - mandatory, users - desirable?
I would definitely say admins are a necessity, users are desirable.

However ---
I would also add that executives/officers etc. & HR personnel of the company should be mandatory also.

The reason is that these 3 groups have access to highly sensitive information, and are definitely a "tasty" target for hackers. The other thing is that, in my observation, 80% of those groups tend to take data security for themselves very loosely - picking weak passwords, demanding full admin rights on their systems and/or the domain, etc.
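The question asks how to decide, under a license budget, which accounts get mandatory 2FA and which can be exempt; the two answers above rank admins first, then executives/officers and HR, then remote users. The following is an added worked example, not code from this thread or from any product it mentions: a small risk-scoring allocator that ranks accounts by those attributes, fills the mandatory tier first, spends any remaining licenses on the next-riskiest accounts, and reports who is left exempt. The weights, the mandatory threshold and the sample accounts are all assumptions chosen to mirror the ordering the answers give, not figures from the page.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    is_admin: bool        # full privilege or access to critical servers
    remote_access: bool   # logs in over Citrix/VPN from outside the premises
    sensitive_data: bool  # executives, officers, HR: high-value data


# Assumed weights reflecting the thread's ordering: admins, then exec/HR, then remote users.
WEIGHTS = {"is_admin": 5, "sensitive_data": 4, "remote_access": 3}
# Assumed: any account scoring at or above this is mandatory regardless of budget.
MANDATORY_THRESHOLD = 4


def risk_score(acct: Account) -> int:
    """Additive score over the risk attributes that apply to the account."""
    return sum(w for attr, w in WEIGHTS.items() if getattr(acct, attr))


def assign_2fa(accounts, licenses):
    """Rank accounts by risk and split them into three tiers:
    mandatory (must have 2FA; the budget has to cover these), optional
    (covered only because licenses were left over) and exempt."""
    ranked = sorted(accounts, key=lambda a: (-risk_score(a), a.name))
    mandatory = [a.name for a in ranked if risk_score(a) >= MANDATORY_THRESHOLD]
    if len(mandatory) > licenses:
        # The budget cannot cover the mandatory tier; surface that instead of silently exempting admins.
        raise ValueError(f"{len(mandatory)} mandatory accounts but only {licenses} licenses")
    covered = [a.name for a in ranked[:licenses]]
    optional = [n for n in covered if n not in mandatory]
    exempt = [a.name for a in ranked[licenses:]]
    return {"mandatory": mandatory, "optional": optional, "exempt": exempt}


# Constructed sample population (assumed, not from the page).
SAMPLE = [
    Account("alice", is_admin=True, remote_access=True, sensitive_data=False),   # remote domain admin
    Account("bob", is_admin=False, remote_access=True, sensitive_data=False),    # travelling sales
    Account("carol", is_admin=False, remote_access=False, sensitive_data=True),  # HR, office only
    Account("dave", is_admin=False, remote_access=False, sensitive_data=False),  # office-only staff
    Account("erin", is_admin=False, remote_access=True, sensitive_data=True),    # executive on VPN
]

if __name__ == "__main__":
    for tier, names in assign_2fa(SAMPLE, licenses=4).items():
        print(f"{tier:>9}: {names}")
```

With four licenses the three mandatory accounts (alice, erin, carol) are covered, the fourth license goes to bob as the next-riskiest remote user, and dave is exempt; with only two licenses the function refuses, which is the signal that the budget, not the exemption list, is the thing to revisit.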


btan (Exec Consultant) commented:
Users, being the weakest link as always, are still eventually the reason for technology to balance org security and employee productivity. 2FA can be double-edged since it cannot be a one-size-fits-all, and we should not be striving for that either. This article talks more about it and hopefully sheds light that it is not a walk in the park. Key is to get mgmt consensus on this... just recall the RSA incident caused by a spear-phishing email; can 2FA stop that? Doubt so.

pma111 (Author) commented:
>>2fa can be double edged since it cannot be an one size fit all and we should not striving for that either.

Can you just elaborate on this? I.e. what do you mean when you say it's not a one-size-fits-all: are you getting at it's suitable for some companies and not others, or it's suitable for some staff accessing remote facilities and not others?
btan (Exec Consultant) commented:
2FA can be OTP (time based, counter based, secure MAC based) and can be smartcard or crypto-chip based. No matter what factor it is, I am not looking at which 2FA is more secure, but even then, it cannot really stop a keylogger, since eventually the user still needs to key in on the laptop to complete the login transaction or authorise the transaction. But it depends on how it is implemented and on choosing the right form of 2FA.

Possibly one scenario is the case of using a mobile phone with a crypto chip and keying in the OTP appearing on the phone, out of band, and signing the response in the reply to avoid non-repudiation and tampering of the transaction. Heard that there is Mobile Zeus or Zitmo (malware) on phones to snoop, but signing the response will detect tampering.

Overall, there is no silver bullet, which users may perceive 2FA to be. There are cases where a smartcard inserted in an infected user machine can allow an attacker to even do some smart proxying when the smartcard is always inserted in the machine. That defeats whatever 2FA the user is equipped with. I don't have the details of smartcard proxying, but Mandiant has shared this before in their investigation of APT.

We just have to provide layers of defense or deterrence to make it harder, but we also need to note that complexity is an enemy of security.
pma111 (Author) commented:
Even with key loggers though, wouldn't they need to be waiting "real time" attacking the system, i.e. the user enters the username/password/passcode - unless the keylogger uses that at that time, the passcode will run out, would it not? Or can you log in simultaneously using the same 3?
btan (Exec Consultant) commented:
Yes, that is why there is the stealthy type that waits for that particular banking URL; else they would be having huge chunks of logs for exfiltration.
I can only speak to the RSA passcodes..

They are on a timer based on what you purchased, typically 15, 30, 45 or 60 seconds. The token code sequence is pre-determined and is based on time plus the seed value.

The token code is combined with the user PIN to create a passcode. The passcodes are single use - they expire after the first connection, so they cannot be reused in multiple scenarios. Even if you have 3 of them at the same time, the first passcode use invalidates it for the others. In that sense, the 2FA is extremely secure.

The most important part, though, is the seed of the token. With hardware tokens it is built in; with software it is provided as a secure XML file. But anyone with the seed can impersonate your token, which is why the security of the seed file is *critical*.
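btan's post lists time-based and counter-based HMAC OTPs, pma111 asks whether a logged passcode can be replayed before it expires, and Coralon describes the answer for RSA tokens: the code is derived from time plus a seed, combined with a PIN, and the server invalidates a passcode on first use. The block below is an added example written for this thread, not code from the page or from RSA: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions as a stand-in for the proprietary SecurID algorithm, and a server-side verifier that tolerates one step of clock skew but records accepted time-steps so the same passcode is rejected the second time. The seed, PIN and timestamps are constructed values (the seed and the expected codes are the RFC test vectors).

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 counter-based OTP: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current time-step number.
    Anyone holding the seed computes the same code, which is why the seed is the real secret."""
    return hotp(seed, now // step, digits)


class PasscodeVerifier:
    """Server side of a PIN + token-code login (assumed design, not RSA's).
    A passcode is the user's PIN followed by the current token code."""

    def __init__(self, seed: bytes, pin: str, step: int = 30, skew: int = 1):
        self.seed = seed
        self.pin = pin
        self.step = step
        self.skew = skew          # how many steps of clock drift to accept either side
        self.used: set[int] = set()  # time-steps whose code has already been accepted

    def verify(self, passcode: str, now: int) -> bool:
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        current = now // self.step
        for step_no in range(current - self.skew, current + self.skew + 1):
            if step_no in self.used:
                continue  # single use: a replayed passcode is rejected even inside its window
            if hmac.compare_digest(hotp(self.seed, step_no), code):
                self.used.add(step_no)
                return True
        return False


# Constructed values: the RFC 4226/6238 test seed; a real deployment keeps the seed offline.
DEMO_SEED = b"12345678901234567890"
DEMO_PIN = "1234"

if __name__ == "__main__":
    verifier = PasscodeVerifier(DEMO_SEED, DEMO_PIN)
    now = int(time.time())
    passcode = DEMO_PIN + totp(DEMO_SEED, now)
    print("first use accepted :", verifier.verify(passcode, now))
    print("replay accepted    :", verifier.verify(passcode, now + 5))
```

The replay check is what turns "the passcode expires in 30 seconds" into "the passcode expires on first use": a keylogger that captures PIN and code still has to submit them before the legitimate session does, and the `used` set makes a second submission fail regardless of the timer. The flip side Coralon raises is visible in `totp`: it is a pure function of seed and time, so a leaked seed file lets anyone produce valid codes, and protecting that file matters more than the token hardware.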

btan (Exec Consultant) commented:
Agree with Coralon. With man-in-the-browser type attacks, esp. for e-banking exploitation by the well-known Zeus or Carp or SilentBanker, 2FA is needed to sign the transaction to maintain integrity. Even then, not foolproof, as mentioned earlier. It makes it difficult but not impenetrable.