Skip to main content

The WiKID Blog

The WiKID Blog, musings on two-factor authentication, information security and some other stuff.

Deloitte and the need for 2FA on Admin accounts

Deloitte Touche Tohmatsu Limited has 263,000 employees.  That's an astounding number of people, computers, networks, access points etc, etc.  Very hard to keep attackers out of such a vast network with so many needs and uses.  It would cost a lot of money to provide 2FA for all those users.  It would take a lot of effort to monitor the SIEM events for all those users.

Evading Microsoft ATA > Another reason to use 2FA for Windows Admins

Nikhil "SamratAshok" Mittal has a great series of posts on how to avoid detection by Microsoft's Advanced Threat Analytics (ATA).

Defeating pass-the-hash attacks with two-factor authentication

Implementing two-factor authentication for remote access is a great way to keep attackers out of your network.  Users' credentials are floating all around the internet.  But attackers can still get in your network through malware and other tools.  In the past, we described how two-factor authentication can be used at each stage of an attack to make detection easier and execution much harder:

Two-factor authentication for banking

Clearly, you should not use SMS for banking authentiation.  We have been saying this for over eight years now.   The solution must use encryption that you control.

It always comes to this: why making the right security designs up front matters.

When we started WiKID, we knew we had to be as secure as or more secure than the leading players at the time (RSA, Vasco, mostly, way back then). We decided that using asymmetric keys generated on users' devices was the best way to overcome objections to software-based tokens. After all, R,S & A had developed public key encryption to overcome the weaknesses of shared secret encryption.

Fast-forward and the dominant form of consumer-oriented two-factor authentication is "two-step" authentication using a shared secret-based protocol (even after hackers successfully stole the shared secretsof a major 2FA vendor) or worse, using SMS. Of course, we know the saying that marketing trumps technology. This seemed like a typical case of that. No one much cared about the increased security offered by asymmetric encryption.

But, security is a slightly different beast because: 1. Attackers are always getting better. 2. Regulationsand compliance can force a market to change despite marketing. The #PCI-DSS Council may be in the process of doing that with their most recent guidance on multi-factor authentication, stating that multi-step authentication leaks account information and should not be used. NIST has said that using SMS as an authentication mechanism is deprecated.

In a way, this will be easier for many systems administrators. Most VPNs and remote access services by default support OTP-based 2FA via RADIUS (which also allows authorization in AD/LDAP another recommended practice) and they do not support a multi-step authentication process. There is no way, for example, to do two-step authentication on a Cisco ASA. But, two-factor authentication is easy and can be added to ASA Admin accounts as well, a great idea and soon to be required for PCI's non-console admin access requirements.

Recent Posts

Archive

2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom