Solved

dual factor BIA

Posted on 2012-03-29
10
394 Views
Last Modified: 2012-04-12
Have you any view on a theoretical scenario: if 2-factor authentication for all users was outside a company's budget, how would you go about risk-assessing which accounts should be mandatory for 2-factor, and which accounts could be made exempt? Have you any guidance on which accounts in a typical network you'd make mandatory if budget doesn't allow for all, and which you'd make exempt?

Do you have a view on the benefits of having, say, 20% of your remote users using 2-factor for Citrix/VPN etc. and 80% not, i.e. is there much point in pursuing this for the high-risk 20% and not the 80%, or is it still worthwhile for as many accounts as you can afford?

I'd rather avoid a debate on "well, you should do it for all"... and focus on your view on how to prioritise mandatory accounts that should use 2-factor, and lower-risk accounts that could be made exempt.
0
Question by:pma111
10 Comments
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 37785274
I see there would be two scenarios namely the operational and functional aspect.

For operational, we are looking at critical administrators or superusers who have full privilege, or if not, are able to gain access to critical servers either remotely or locally. They form a risk entry for abuse cases or changes to service-backed availability. They require 2FA; it can be smartcard-issued or even RSA SecurID type.

For functional, they are users, but in this discussion I will say they are the remote users. They are typically always on the move bringing in sales, or have to remain contactable, like the VIP, through email or messaging. As we know, once out of the org premises, it is outside the wall and needs to come through some vanities alley, or what we call the MAC checkpoint. The identity use of 2FA is useful compared to purely username/password, which can be breached.

Overall, the risk profile dictates the necessary measure from a risk assessment point of view.
0
 
LVL 3

Author Comment

by:pma111
ID: 37785925
So admins - mandatory, users - desirable?
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 250 total points
ID: 37789398
I would definitely say admins are a necessity, users are desirable.  

However ---
I would also add that executives/officers etc. & HR personnel of the company should be mandatory also.

The reason being that these 3 groups have access to highly sensitive information, and are definitely a "tasty" target for hackers. The other thing is that in my observation, 80% of those groups tend to take data security for themselves very loosely - picking weak passwords, demanding full admin rights on their systems and/or the domain, etc.

Coralon
0

 
LVL 63

Expert Comment

by:btan
ID: 37789843
Users, being the weakest link as always, are still eventually the reason for technology to balance org security and employee productivity. 2FA can be double-edged since it cannot be a one-size-fits-all, and we should not strive for that either. This article talks more about it and hopefully sheds light that it is not a walk in the park. Key is to get mgmt consensus on this... just recall the RSA incident caused by a spear-phishing email; can 2FA stop that? I doubt so.

 http://www.businesscomputingworld.co.uk/why-arent-we-all-using-2fa/
0
 
LVL 3

Author Comment

by:pma111
ID: 37800404
>> 2FA can be double-edged since it cannot be a one-size-fits-all, and we should not strive for that either.

Can you just elaborate on this? I.e. what do you mean when you say it's not a one-size-fits-all: are you getting at it being suitable for some companies and not others, or suitable for some staff accessing remote facilities and not others?
0
 
LVL 63

Expert Comment

by:btan
ID: 37800787
2FA can be OTP (time-based, counter-based, secure MAC-based) and can be smartcard or crypto-chip based. No matter what factor it is, I am not looking at which 2FA is more secure, but even then it cannot really stop a keylogger, since eventually the user still needs to key in on the laptop to complete the login transaction or authorise the transaction. But it depends on how it is implemented and on choosing the right form of 2FA.

Possibly one scenario is the case of using a mobile phone with a crypto chip and keying in the OTP appearing on the phone, out of band, and signing the response in the reply to avoid non-repudiation and tampering of the transaction. Heard that there is Mobile Zeus or Zitmo (malware) on phones to snoop, but signing the response will detect tampering.

Overall, there is no silver bullet, which users may perceive having 2FA to be. There are cases where a smartcard inserted in an infected user machine can allow the attacker to even do some smart proxying when the smartcard is always inserted in the machine. That defeats whatever 2FA the user is equipped with. I don't have the details of smartcard proxying, but Mandiant has shared this before in their investigation of APT.

We just have to provide layers of defense or deterrence to make it harder, but we also need to note that complexity is an enemy of security.
0
 
LVL 3

Author Comment

by:pma111
ID: 37801008
Even with keyloggers though, wouldn't they need to be waiting "real time" attacking the system? I.e. the user enters the username/password/passcode; unless the keylogger uses that at that time, the passcode will run out, would it not? Or can you log in simultaneously using the same 3?
0
 
LVL 63

Expert Comment

by:btan
ID: 37804087
Yes, that is why there is the stealthy type that waits for that particular banking URL; else they would be having huge chunks of logs for exfiltration.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 37807877
I can only speak to the RSA passcodes..

They are on a timer based on what you purchased, typically 15, 30, 45 or 60 seconds. The token code sequence is pre-determined and is based on time plus the seed value.

The token code is combined with the user PIN to create a passcode. The passcodes are single use - they expire after the first connection, so they cannot be reused in multiple scenarios. Even if you have 3 of them at the same time, the first passcode use invalidates it for the others. In that sense, the 2FA is extremely secure.

The most important part, though, is the seed of the token. With hardware tokens it is built in; with software it is provided as a secure XML file. But anyone with the seed can impersonate your token, which is why the security of the seed file is *critical*.

Coralon
0
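As an added illustration of the single-use passcode behaviour Coralon describes and of pma111's keylogger question above (example code, not from the thread and not RSA's algorithm: it uses an RFC 6238 style HMAC-based time code in place of SecurID's proprietary one, with a constructed seed and PIN): a server-side verifier that forms the passcode as PIN + token code and rejects both a replayed passcode and one whose time window has passed.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real seed must be guarded as strictly as Coralon says.
SEED = b"constructed-demo-seed-not-a-real-token"
PIN = "1234"
STEP = 60  # token code validity window in seconds (the thread mentions 15/30/45/60)


def token_code(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Time-based token code: HMAC(seed, t // step) truncated to `digits` decimals."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class PasscodeVerifier:
    """Server side: passcode = PIN + token code; each token code is accepted once."""

    def __init__(self, seed: bytes, pin: str, step: int = STEP):
        self.seed, self.pin, self.step = seed, pin, step
        self.used = set()  # time counters whose code has already been consumed

    def verify(self, passcode: str, now: int) -> bool:
        if len(passcode) <= len(self.pin) or not hmac.compare_digest(passcode[:len(self.pin)], self.pin):
            return False
        code = passcode[len(self.pin):]
        for drift in (0, -1):  # accept the current and previous window for clock skew
            t = now + drift * self.step
            if hmac.compare_digest(code, token_code(self.seed, t, self.step)):
                counter = t // self.step
                if counter in self.used:
                    return False  # replay: a keylogged passcode is dead after first use
                self.used.add(counter)
                return True
        return False


def replay_demo(now: int = 1_333_000_000) -> tuple:
    """Returns (legitimate login, replay seconds later, same code used after the window)."""
    server = PasscodeVerifier(SEED, PIN)
    passcode = PIN + token_code(SEED, now)  # what the user types and a keylogger would capture
    first = server.verify(passcode, now)
    replay = server.verify(passcode, now + 5)
    stale = server.verify(passcode, now + 3 * STEP)
    return first, replay, stale
```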
 
LVL 63

Expert Comment

by:btan
ID: 37809018
Agree with Coralon. With man-in-the-browser type attacks, esp. for e-banking exploitation by the well-known Zeus, Carp or SilentBanker, 2FA is needed to sign the transaction to maintain integrity. Even then, not foolproof, as mentioned earlier. It makes it difficult but not impenetrable.
0
