dual factor BIA

Posted on 2012-03-29
Last Modified: 2012-04-12
Have you any view, in a theoretical scenario, if 2-factor authentication for all users was outside a company's budget, on how you would go about risk assessing which accounts should be mandatory for 2-factor, and which accounts could be made exempt? Have you any guidance, in a typical network, on which you'd make mandatory if budget doesn't allow for all, and which you'd make exempt?

Do you have a view on the benefits of having say 20% of your remote users using 2-factor for citrix/VPN etc, and 80% not, i.e. is there much point in pursuing this for the high risk 20%, and not 80%, or is it still worthwhile for as many accounts as you can afford.

I'd rather avoid a debate on "well you should do it for all"... and focus on your view on how to prioritise mandatory accounts that should use 2-factor, and lower risk accounts that could be made exempt.
Question by:pma111

Accepted Solution by btan (earned 250 total points), ID: 37785274

I see there would be two scenarios, namely the operational and the functional aspects.

For operational, we are looking at critical administrators or superusers who have full privilege, or if not, are able to gain access to critical servers either remotely or locally. They form a risk entry for abuse cases or changes to service-backed availability. They require 2FA. It can be smartcard issued or even RSA SecurID type.

For functional, they are users, but in this discussion I will say they are the remote users. They are typically always on the move to bring in sales, or have to remain contactable, like the VIPs, through email or messaging. As we know, once out of the org premises, it is outside the wall and needs to come through some sanitised alley, or what we call a MAC checkpoint. The identity use of 2FA is useful compared to purely username/password, which can be breached.

Overall, the risk profile dictates the necessary measures from a risk assessment point of view.

Author Comment by pma111, ID: 37785925

So admins - mandatory, users - desirable?

Assisted Solution by Coralon (earned 250 total points), ID: 37789398

I would definitely say admins are a necessity, users are desirable.  

However ---
I would also add that executives/officers etc. & HR personnel of the company should be mandatory also.

The reason is that these 3 groups have access to highly sensitive information, and are definitely a "tasty" target for hackers.  The other thing is that in my observation, 80% of those groups tend to take data security for themselves very loosely - picking weak passwords, demanding full admin rights on their systems and/or the domain, etc.

Coralon

Expert Comment by btan, ID: 37789843

Users, being the weakest link as always, are still eventually the reason for technology to balance org security and employee productivity. 2FA can be double-edged since it cannot be a one-size-fits-all, and we should not be striving for that either. This article talks more about it and hopefully shows that it is not a walk in the park. Key is to get mgmt consensus on this... just recall the RSA incident, caused by a spear-phishing email; can 2FA stop that? Doubt so.

http://www.businesscomputingworld.co.uk/why-arent-we-all-using-2fa/

Author Comment by pma111, ID: 37800404

>>2fa can be double edged since it cannot be an one size fit all and we should not striving for that either.

Can you just elaborate on this? I.e. what do you mean when you say it's not a one size fits all: are you getting at it being suitable for some companies and not others, or suitable for some staff accessing remote facilities and not others?

Expert Comment by btan, ID: 37800787

2FA can be OTP (time based, counter based, secure MAC based) and can be smartcard or crypto chip based. No matter what factor it is, I am not looking at which 2FA is more secure, but even then it cannot really stop a keylogger, since eventually the user still needs to key it in on the laptop to complete the login transaction or authorise the transaction. But it depends on how it is implemented and on choosing the right form of 2FA.

Possibly one scenario is the case of using a mobile phone with a crypto chip and keying in the OTP appearing on the phone, out of band, and signing the response in the reply to avoid non-repudiation and tampering of the transaction. Heard that there is Mobile Zeus or Zitmo (malware) on phones to snoop, but signing the response will detect tampering.

Overall, there is no silver bullet, which users may perceive having 2FA to be. There are cases where a smartcard inserted in an infected user machine can allow an attacker to even do some smart proxying when the smartcard is always inserted in the machine. That defeats whatever 2FA the user is equipped with. I don't have the details of smartcard proxying, but Mandiant has shared this before in their investigation of APT.

We just have to provide layers of defense or deterrence to make it harder, but we also need to note that complexity is an enemy of security.

Author Comment by pma111, ID: 37801008

Even with keyloggers though, wouldn't they need to be waiting in "real time" attacking the system? I.e. the user enters the username/password/passcode; unless the keylogger uses that at that time, the passcode will run out, would it not? Or can you log in simultaneously using the same 3?

Expert Comment by btan, ID: 37804087

Yes, that is why there is the stealthy type that waits for that particular banking URL; else they would be having huge chunks of logs for exfiltration.

Expert Comment by Coralon, ID: 37807877

I can only speak to the RSA passcodes.

They are on a timer based on what you purchased: typically 15, 30, 45 or 60 seconds.  The token code sequence is pre-determined and is based on time plus the seed value.

The token code is combined with the user pin to create a passcode.  The passcodes are single use - they expire after the first connection, so they cannot be reused in multiple scenarios.  Even if you have 3 of them at the same time, the first passcode use invalidates it for the others.  In that sense, the 2FA is extremely secure.  

The most important part though is the seed of the token.  With hardware tokens it is built in, with software it is provided as a secure XML file.  But, anyone with the seed can impersonate your token, which is why the security of the seed file is *critical*.

Coralon

Expert Comment by btan, ID: 37809018

Agree with Coralon. With man-in-the-browser type attacks, esp. for e-banking exploitation by the well known Zeus, Carp or SilentBanker, 2FA is needed to sign the transaction to maintain integrity. Even then, it is not foolproof, as mentioned earlier. It makes it difficult but not impenetrable.
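As an added example that is not from the thread (and is a TOTP-style HMAC-SHA1 construction in the RFC 4226/6238 flavour, not RSA's proprietary SecurID algorithm), the Python below shows the properties Coralon describes (seed plus time step gives the token code, PIN + token code is the passcode, each passcode is accepted only once) and btan's point about signing the transaction: the code can be bound to the transaction details, so a man-in-the-browser change to the amount or account no longer verifies. The seed is the RFC test value, and the PIN, timestamps and transaction strings are constructed for the demo.

```python
"""Added example (not from the thread): a TOTP-style token with a PIN,
single-use passcodes, and a code optionally bound to transaction details."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per token code (Coralon: 15-60 s depending on model)
DIGITS = 6
# Constructed seed: the RFC 4226/6238 test value, NOT a real token seed.
# Anyone holding this value can impersonate the token, hence seed secrecy.
DEMO_SEED = b"12345678901234567890"


def token_code(seed: bytes, t: int, txn: bytes = b"") -> str:
    """Code for time t: HMAC-SHA1 over the time step, plus a digest of the
    transaction when one is supplied (the 'signed transaction' idea)."""
    msg = struct.pack(">Q", t // STEP)
    if txn:
        msg += hashlib.sha256(txn).digest()
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Server side: knows the seed and PIN, accepts each passcode only once."""

    def __init__(self, seed: bytes, pin: str, skew: int = 1):
        self.seed, self.pin, self.skew = seed, pin, skew
        self.used = set()  # (time step, code) pairs already consumed

    def verify(self, passcode: str, now: int, txn: bytes = b"") -> bool:
        # Passcode = PIN followed by the token code, as Coralon describes.
        n = len(self.pin)
        if len(passcode) != n + DIGITS:
            return False
        if not hmac.compare_digest(passcode[:n].encode(), self.pin.encode()):
            return False
        code = passcode[n:]
        for k in range(-self.skew, self.skew + 1):   # tolerate clock drift
            t = now + k * STEP
            if hmac.compare_digest(code, token_code(self.seed, t, txn)):
                key = (t // STEP, code)
                if key in self.used:
                    return False          # replay: passcode already spent
                self.used.add(key)
                return True
        return False
```

A keylogged passcode is therefore only useful if it is relayed before the time step ends and before the legitimate login consumes it, which is the "real time" window pma111 asks about.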