
Heroes of two-factor authentication, or how to "walk in other people's shoes"



This is probably a truism, but people are strange (and IT people doubly so). They take a keen interest in marketing novelties and are eager to adopt them, yet walk indifferently past technologies that could actually protect their companies from real harm.

Take two-factor authentication (2FA) as an example. An attacker can easily peek at or steal an ordinary password (which happens very often) and then log in with the rights of a legitimate user. And the user himself will most likely not learn that the password was stolen until unpleasant (and sometimes very serious) consequences set in.

And this despite the fact that it is no revelation to anyone that two-factor authentication greatly reduces the likelihood of such serious consequences, or rules them out entirely.

Under the cut, we describe how we tried to put ourselves in the place of the people who decide whether to implement 2FA in an organization, and what we learned about how to get them interested.

For those who want a little theory:

How to steal passwords
When it turns out that employees use simple passwords ("Qq1234567"), strict password policies usually follow. For example: the password must be at least 10 characters long and contain at least one lowercase letter, one uppercase letter, one digit and one other character; it must not include common words or number sequences; it must be changed once a month and must not match any of the previous 12 passwords.

But as a result of such policies, passwords became so hard to remember that people started writing them down and leaving them in the most conspicuous places, where anyone can peek at them. For example, like this:


The passwords of more careful colleagues can be peeked at by standing next to them while they type.

The Kali Linux distribution, formally designed for penetration testing, includes software that can intercept and analyze traffic to obtain authentication passwords, and it does this almost automatically. No special qualifications or knowledge are needed: just download and install Kali Linux and run the program.

If an employee works outside the office (business trip, visit to a customer, vacation, home office), attackers create fake access points with the same name as legitimate ones to steal passwords, for example using WiFi-Pumpkin from the same Kali Linux. A person connects to the Sheremetyevo access point "Sheremetievo-WiFi", and all his traffic becomes accessible to the attacker. Another way to steal passwords is to infect access points with malicious code, after which the attacker can analyze the traffic passing through them.

How two-factor authentication works
Authentication is the process of verifying a user's identity. The user can confirm his identity using several factors:

  • Knowledge factor ("I know"). The user knows a unique secret password or PIN. A password can be stolen using special software or hardware, or simply peeked at. It can also be obtained by social engineering, when the victim hands the password to the attacker himself.
  • Possession factor ("I have"). The user has a physical device that must be used in the authentication process. Usually this is a USB token or a smart card (which can double as an electronic pass to the office). To authenticate, the token or smart card must be connected to the computer or mobile device. A software or hardware one-time password (OTP) generator can also be used.
  • Inherence factor ("I am"). Biometrics such as fingerprints, iris pattern, DNA, etc. A factor that seems very reliable but in fact has many drawbacks. High-quality biometric readers are quite expensive, and cheap ones are not reliable enough. Fingerprints have been forged, iris scanners often err, and face recognition can be fooled with a three-dimensional model of a head. In addition, the number of identifiers is very limited (10 fingers, two eyes, one voice). A compromised password can be changed and a lost token replaced, but cutting off a finger because its print has reached an attacker is somehow not quite right (and new ones cannot be grown). We will also not consider the painful procedure of burning fingerprints off with a laser.

Two-factor authentication is the combined use of two such factors.

In most cases the user connects the token or smart card to the computer and enters the PIN that unlocks the token (for some OTP tokens, a code shown on the device's screen must be entered instead).

The PIN can be quite simple, because even an attacker who learns it can do nothing without the token. And if the token is stolen, the owner will notice at once and immediately call or write to the system administrator, who will have to revoke the user's certificates right away, after which logging in with the stolen token is no longer possible.
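The token-plus-PIN flow described above, as an added example that is not code from the original post: a software OTP token per RFC 4226 (HOTP) and RFC 6238 (TOTP), and a server-side verifier that accepts a login only when both the PIN (knowledge factor) and the current code from the token (possession factor) are correct. The seed is the RFC test-vector secret and the PIN is a made-up value, not real credentials; the verifier, its clock-drift window and its replay guard are our own illustration of the idea, not a description of any particular product.

```python
# Added example: software OTP token (RFC 4226 HOTP / RFC 6238 TOTP) combined with a PIN.
# Constructed for illustration; not code from the original post or from any vendor.
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (20 ASCII bytes). Constructed, not a real key.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side: requires the PIN (knowledge) *and* a code from the OTP device (possession).

    The PIN alone is useless without the token and the token alone is useless without the PIN,
    which is why a short PIN is acceptable in this scheme.
    """

    def __init__(self, secret: bytes, pin: str, step: int = 30, window: int = 1):
        self._secret = secret
        self._pin = pin
        self._step = step
        self._window = window  # accept +/- this many time steps of clock drift
        self._last_step = -1   # replay guard: a step that was already used is never accepted again

    def verify(self, pin: str, code: str, unix_time: int) -> bool:
        # Both factors are always evaluated; comparisons are constant-time so timing leaks nothing.
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        now_step = unix_time // self._step
        matched = None
        for delta in range(-self._window, self._window + 1):
            candidate = now_step + delta
            if candidate <= self._last_step:
                continue  # replay of an already consumed step
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                matched = candidate
                break
        if pin_ok and matched is not None:
            self._last_step = matched  # consume the step only on a fully successful login
            return True
        return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1, 8-digit SHA1 TOTP is 94287082
    print(totp(SEED, t), totp(SEED, t, digits=8))
    v = TokenVerifier(SEED, pin="1234")
    print(v.verify("1234", totp(SEED, t), t))           # correct PIN + fresh code
    print(v.verify("1234", totp(SEED, t), t))           # same code again: replay rejected
    print(v.verify("0000", totp(SEED, t + 30), t + 30))  # valid code but wrong PIN: rejected
```

The drift window and replay guard are the two details a practitioner tends to get wrong: without the window, a token whose clock is a few seconds off is unusable; without the guard, a code observed over the shoulder can be replayed within the same 30-second step.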

Microsoft Windows / Windows Server already contains all the software needed to implement token / smart-card based two-factor authentication in an organization, so there is no need to buy additional software; each employee only needs to be issued a token.

Note that confirmation codes received via SMS are not an element of two-factor authentication but of two-step verification, and they provide much weaker protection against hacking. For example, fraudsters have learned to forge SIM cards, which lets them intercept SMS and service messages and, as a result, steal money and information.

And in some cases access to the SIM card is handed over by overly gullible or dishonest employees of the mobile operator. Here is a recent article published on Habr, where the author shows which of the operator's representatives agreed to accommodate the supposed "hacker" and which refused.

Also, do not forget about phishing, when, after some persuasion, people help the fraudsters themselves by telling them the codes sent via SMS. On top of that, SMS codes are usually sent to the server over public networks, i.e. the transmission medium is not trusted. And the execution environment is not trusted either: malware living on the smartphone can immediately forward the received codes to the attacker.

Recently it has been proposed to use push notifications instead of SMS codes. They are claimed to be safer, but this is not the case, since every notification passes through the Push Notification Service before reaching the user's device. The Apple Developer Program, for example, directly prohibits such use (License Agreement, Appendix 1, clause 4) because of the insecurity of such notifications. Details are described in this very sensible article.

So there exists a two-factor authentication technology that can effectively protect users from password theft and, as a result, their employers from information loss and other security problems, at minimal cost (in money and in time).

But for some reason this technology has been adopted only by a relatively small number of the most secure and advanced companies in the field of information security. What are the others waiting for? Do they not fear for the security of their IT infrastructure, or do they not consider the threat serious? Or are they sure that introducing additional security measures will worsen users' working conditions and / or reduce their efficiency?

To understand this, we decided to turn to an old proven method: invent the characters who would be responsible for implementing 2FA, and, while describing their behavioral profiles, try to get into their skin (or, as Americans say, to walk in their shoes). If this method works for designing new products, why shouldn't it be just as effective in analyzing the reasons for (not) using a time-tested technology?

We created four characters: two directors and two heads of IT departments, for two companies, a large one and a medium one. And for each of them we wrote a story. Here is the first one.

Fedor


Company


The FlyTek refinery, part of the large oil holding FlyOil. In total the refinery employs more than 3 thousand people, about a thousand of whom work with computers. These are both auxiliary units (management, accounting, logistics, sales, marketing) and production workers who operate the automated process control systems (APCS, which run the production of petroleum products) through terminals on Microsoft Windows.

Position


Head of the IT department. Manages a team of 10 people.

What he is responsible for


For the operation of the enterprise's IT infrastructure. Roughly speaking, so that no one complains about anything.

  1. Fedor knows that employees' low IT skills can lead to failures on their PCs. He has organized a technical support service that handles such minor issues.
  2. Fedor knows that equipment ages and can fail, making the work of an employee, a department or the whole plant impossible. So he has organized a reserve stock for replacements and written emergency replacement policies: the procedure and who is responsible.
  3. Fedor knows that data can be damaged by hacker attacks, hardware failures, fires, floods, etc. He has organized data backups and written a data recovery policy in case of failure.
  4. Fedor knows that server software fails, which can jeopardize the work of the office or production. So he uses online fault diagnostics and has written policies for restoring server software.
  5. Fedor is afraid of viruses. He knows they can infect employees' computers or the APCS. So he purchased and installed anti-virus software and set up its regular updates.
  6. Fedor is afraid of network hackers, so he uses intrusion detection and prevention tools and other network defenses.

What do these six points have in common? Fedor understands that if something happens within this scope, he is the one who will be asked. Sometimes for the cause (viruses, if they spread over the network unchecked), sometimes for the consequences (no backups when recovery is needed).

What he is not responsible for


  1. For what has an IT origin but falls into the area of responsibility of other managers. For example, if an APCS operator's terminal breaks down, Fedor is responsible. If the APCS operator enters a wrong command, that is the production workers' problem. At their request, Fedor can order the APCS software to be modified so that it recognizes wrong commands and refuses to execute them. But the terms of reference (TK) will be written by the production workers; Fedor will only be an intermediary, responsible for implementation and trouble-free operation. An example closer to our topic: if an employee who legitimately has rights in the enterprise's IT infrastructure tries to use them for destructive actions or wants to use corporate information for personal purposes, Fedor will answer only if the employee was given more rights than he needed at that moment to perform his duties. Otherwise it is a problem for the security service and the employee's immediate supervisor.
  2. For the materialization of risks accepted by management. It is impossible, or too expensive, to defend against everything. If management decides, for example, that the complete loss of the servers to a fire or flood is impossible given the server room's location or protection, then no money will be allocated for backup servers. And if problems arise, the responsibility lies with management.

But! This holds only if Fedor informed management of these risks in advance. Top managers are rarely IT specialists, so they may not even suspect how much can go wrong. So if something happens that the top managers were not warned about, Fedor will be declared guilty. He therefore tries to warn about possible problems, after which responsibility for the decision passes to the top managers.

Professional worldview


Fedor has enough problems and concerns in performing his duties and in defending against threats he considers probable or has encountered himself. He also understands that makers of protection systems are focused on selling their products, so it is in their interest to frighten as much as possible: invent new threats and exaggerate the likelihood and significance of existing ones. So Fedor is usually very skeptical of stories about new threats and how to solve them.

It is easier for Fedor to believe in new threats arising from new developments in technology or from hackers discovering new holes than in long-standing threats that he could in theory have faced but never has.

When Fedor learns of a new threat he believes in, he writes a simple plan for protecting against it, indicating what resources (people, software, hardware) will be needed. The plan is submitted to the top managers. If they agree to allocate the resources, protection against that specific threat is introduced at the refinery. But since the top managers are not IT professionals, approval of the plan often depends on how Fedor presents it: on whether he really wants to introduce protection against this threat, or wants to shift potential responsibility to the top managers in case the threat turns out to be real and the plan to prevent it is not accepted.

Current attitude to 2FA


In all his time, Fedor has never faced serious consequences of password theft. He is ready to admit that some employees could know others' passwords, and has even overheard employees discussing their passwords a couple of times. Fedor is even aware that employees share their passwords, do not lock sessions, and work under someone else's account. But in his opinion this has not led, and will not lead, to any serious leaks, much less hacking or damage. He is ready to admit that a causal relationship exists, but he wants someone to show it to him clearly. He will not consider 2FA until there is a clear precedent, or until he is forced to.

In Fedor's view, the security service is responsible for fighting leaks (the IT department can only provide the necessary technical means). After all, nobody makes IT monitor the storage of paper documents and physical keys to the office, even though IT maintains the video surveillance cameras installed on the security service's orders.

Fedor believes that the company has policies, signed by the employees themselves, that require them to keep their passwords securely. And if something happens, the specific person will be punished for his carelessness. And let the security service oversee compliance with the policy. Here, however, one cannot help noticing that theory often diverges from practice. A particularly important or honored employee is left alone even if he writes his password on his forehead, and a powerless low-level employee does not care, since he has nothing to lose. Only technology can make everyone equal.

The only area where Fedor is genuinely worried is the security of system administrators' passwords. Because if someone harms the IT infrastructure on a sysadmin's behalf, with his extensive rights, a serious investigation will inevitably follow, in which not only the careless sysadmin but also (depending on the severity of the damage) Fedor himself may be named guilty.

So where are the conclusions? There are none yet, because the stories of three more characters lie outside the scope of this article: Fedor's immediate superior, the general director of the refinery, as well as the head of the IT department and the owner of a logistics business. Very soon we will tell you what they think about two-factor authentication.

In the meantime, I would very much like to know what you think about 2FA, both as free-form comments and as answers to a survey. Do you consider this topic relevant? Is the threat real from your point of view? Should enterprises spend money on implementing 2FA?

And by the way, did you recognize yourself in Fedor, or perhaps your boss / colleague resembles him? Or maybe we were wrong, and these characters have completely different interests?

Source: https://habr.com/ru/post/436926/