Posted by:
root
8 years, 2 months ago
The report from Praetorian is excellent. Download it. Some pertinent (to us) bits:
"The top four attack vectors are based on utilizing stolen credentials. This is a serious problem because credential theft will always work as long as the credentials are valid. Credential theft is highly reliable, repeatable, and has a low likelihood of negative impact for an attacker"
In addition to recommending two-factor authentication for remote access, they have a handful of very useful recommendations such as implementing LAPS, encrypting domain passwords in memory, and forcing complex, 15-character domain passwords. I suspect these are recommended in the spirit of title "How to Dramatically Improve Corporate IT Security without Spending Millions".
I would argue that implementing two-factor authentication for domain admins would be inexpensive too. WiKID can replace static passwords in AD for $24 per user per year or less. A large enterprise might have less than a 100 systems administrators. WiKID also works on Linux so you can implement two-factor authentication for admins across OSs - as is now required by PCI-DSS. In addition, it's not just your domain creds that are targeted. The Synful attack showed how Cisco routers can be targeted. So, it's great that you can add some security to your Window environment, but don't forget about your Ciscos and Check Point admin creds.
Credential theft continues to be the leading attack vector for infiltration and escalation. While we are always for doing the best you can with what you have, it is really worth chosing a two-factor authentication solution that can help stop escalation.
If you are going to implement 15-character complex passwords, you might also be interested in our built-in AD password reset capability!
Share on Twitter Share on Facebook
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)