Skip to main content

DBIR once again makes the case for two-factor authentication

(0 comments)

The 2014 Verizon DBIR once again points to the need for two-factor authentication, just like last year.  Hackers continue to use lost, stolen or weak credentials in attacks - three-quarters of all attacks. Imagine implementing a control that impacted 3/4ths of all attacks?  Would that be beneficial.  You bet.

But the data provides even more guidance.  The vast majority of attacks are from the outside:

external_attackers

Therefore,  locking down remote access with two-factor authentication is a must.  The DBIR's recommendations such as use anti-virus, disable Java in the browser,  patching etc. point to implementing NAC as well.   We recommend using RADIUS and configuring it so users can be easily disabled.  Configure the NPS RADIUS plugin to perform authorization based on the AD username in AD and  then proxy the authentication to your two-factor auth server.  Note that the users login with their AD username and OTP, not their AD passwords.

Attackers may still get in perhaps through vulnerable software.  The next step is to harden their targets, which are increasingly your servers where the critical data is stored:

Secure your servers - hackers are targeting them.

Time to start segmenting your servers and locking them down as if your admins are coming in remotely.  If you are under PCI, you're doing this already for your in scope servers.   It might be time to expand that policy. If you use pam-radius on Linux or either an SSL-VPN  or RDP gateway on Windows (or many other possible mechanisms), you can use the same RADIUS setup for network segmentation that you do for remote access.  Don't over-complicate things.

The DBIR continues to improve with age.  Kudos to the team at Verizon!

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom