Heroes of two-factor authentication, part two

Recently, in the first part of the article , we said that we were surprised how few companies consider the lack of two-factor authentication to be a serious threat to information security.

To understand the reasons, we have compiled four descriptions of decision makers - two directors and two IT managers, one each for large and medium-sized companies. With the help of these psychological portraits we will try to understand the reason for the frivolous attitude to the company's information security.

Last time we reviewed the director of the IT department of the Refinery "FlyTek" , and today it is time to get acquainted with its head (and the other two characters).

Konstantin

Company

The Refinery FlyTek, part of the large oil holding FlyOil. In total, the refinery employs more than 3 thousand people, but about a thousand are connected with computer technology. These are both auxiliary units (managers, accounting, logistics, sales service, marketing) and production workers who work with the process control system through terminals on Microsoft Windows.

Position

CEO.

What is responsible

1. For the smooth operation of the refinery as a whole.
2. For the effective coordination of departments - financial, commercial, industrial, transport, Security Council and IT.
   Roughly speaking, oil should be supplied to the refinery every day by rail and oil pipeline, oil should be processed into gasoline, kerosene, fuel oil, etc., all this should be stored, sold and transported with the help of own and own railway and automobile transport, the territory should be protected , employees must receive a salary, computers must work and maintain employees and production. The head of department is responsible for each function separately, Konstantin is responsible for everything at once.
3. For proposals to the board of directors and managers of the holding for the strategic development of the plant.

What does not answer

1. For the daily work of the above units is the responsibility of their leaders. If there is an accident in the production, the tanks have not steamed, money has not arrived from the customer, an attempt has been made to break the network - department heads must deal with all this, because they have the necessary skills, information and tools to solve these problems.
2. For the work of the entire holding.

Professional worldview

From the outside, it seems that the refinery is far from being the largest possible enterprise, and the production, although quite dangerous, is still not a nuclear power plant. But if you look from above, you will see that the refinery is actually a city, with its offices, factories inside factories, pipelines, canteens, firefighters, guards and thousands of employees.

And if this city is poorly managed, poorly coordinated services, then the consequences can be any, up to a halt in production, and even such an accident that does not seem like it. This will jeopardize the provision of fuel to the whole region.

Therefore, Konstantin has a lot of routine and nervous work every day to maintain the efficiency of the enterprise. For this job, he needs so much special knowledge and skills that there is no time and energy left to sort out specific areas, such as the finer points of financial accounting or the implementation of SOC. The maximum of his knowledge and experience is in the field of production, sales and transportation. And this is normal - how many IT people know, at least in general terms, the cracking technology or the basic principles of oil refining?

Of the threats in IT, Konstantin knows viruses and cryptographers (he is not so well versed to know that cryptographers actually have the same viruses, but with a certain symptomatology).

He believes that the responsibility to prevent all threats lies with Fedor, since he has the appropriate education and experience. Deeply delve into the problem he has no desire, no possibility. All attempts to tell him about the problems in IT cause him rejection. Anyone who tells him about the IT threats, he will forward to Fedor.

If the "pugalka" has sunk into the soul of Konstantin, then he asks Fedor to report to him on the likelihood of risk and its potential impact on the refinery, but Fedor’s assessment of objectivity, of course, never checks.

Current relationship to 2FA

1. Konstantin knows that authentication is performed on a PC, Fedor is involved in all PCs, which means that the entire assessment of the need to implement 2FA must come from Fedor.
2. Konstantin does not understand that 2FA is one of those problems that formally fall into adjacent areas of responsibility, but in fact, each of the parties believes that other services should be responsible for stealing passwords.
3. Konstantin does not understand the connection between the incomprehensible for him 2FA and the threats understandable for him (in which he believes) - infection with viruses and extortionists.

Now we have started to emerge a hypothesis about the reason for the absence of two-factor authentication at the “FlyTek” refinery. Perhaps the fact is that Konstantin and Fedor consider 2F to be each other’s concern and do not realize that in the event of a password theft or data dumping this will become a common problem. As a result, Konstantin believes that since Fedor does not signal problems in IT, it means there are none. But Fyodor thinks that the security of passwords is rather an administrative task, and since Konstantin does not focus on it, this problem is not serious.
To confirm or refute this hypothesis, let's look at two more characters.

Since we dealt with two-factor authentication in large corporations, the time has come to find out how things are in the middle. To do this, we came up with the transport company "Tradeks" and described its CEO (and at the same time the owner) and the head of the IT department. With him, perhaps we will begin.

Peter

Company

Transport company "Tradeks". It carries out freight transportation in Russia, the CIS, China and Turkey. It has its own and attracted fleet of cars and trucks, as well as its own warehouse complex. Carries out foreign economic activity (foreign trade), participates in electronic trading.

Position

Head of IT department. Manages a team of three people, where one employee has quite good knowledge in setting up network equipment and software, and the other two are novice enikeyschiki.

What is responsible

For everything related to computers. At the same time, neither work policies nor priorities are spelled out. Thus, the restoration of Windows on the director's computer may be more important than repelling a DDoS attack on the company's website.

At the same time, Peter is confident that most of the breakdowns can be solved on the fact of their occurrence, and the authorities will relate to other problems philosophically. I.e:

• data from CRM / 1C destroyed - bad, CRM / 1C one day does not work - tolerant;
• The director's PC does not work - it’s bad; the PC of an ordinary manager didn’t work during the day - tolerated;
• client-bank does not work - bad; email does not work - tolerant.

What does not answer

For the rights and policies of access to data and services. The head of the department said to give the employee access to the desktop by remote access - they configured VPN and RDP. Whether an employee can “merge” the data is already a problem of the general director and the head of the department.
For increased readiness for various types of risks. Tradeksa do not have money to buy spare laptops in case an employee suddenly breaks his own. Now, if you break it, then we will think what to do with it. At the same time, of course, the most likely risks are taken into account - such as a backup communication channel of the office.

Professional worldview

"It works - do not touch." Director Peter will hardly praise for excessive zeal, but if he spoils the operating services during the process of improvement (or at least temporarily renders it inoperative), then Peter will be guilty. Therefore, Peter does not like experiments. Each time, thinking about whether to introduce something new, he assesses whether the lack of these opportunities threatens the company with problems with which he can be blamed. And if the introduction will not lead to problems in which he is accused.

Current relationship to 2FA

Peter heard about it, but I am sure that this is not about their company. Most of the employees are in plain sight, and if someone tries to merge the data with someone else's password, let the SB or the director himself take care of this. Although if Peter believes in the reality of such a threat, then the director will be told it is necessary so as not to be extreme if something happens.

As you can see, Peter is responsible for all the problems in IT, and even more than his colleague Fedor from the first part. Because the average company is not large, there is no dedicated security service (at least competent in IT matters). Peter can not refer to someone else's area of ​​responsibility, or service instructions.

And finally, we present to your attention the head of Peter - Pavel, the director and owner of Tradeks.

Paul

Company

Transport company "Tradeks". It carries out freight transportation in Russia, the CIS, China and Turkey. It has its own and attracted fleet of cars and trucks, as well as its own warehouse complex. Carries out foreign economic activity (foreign trade), participates in electronic trading.

Position

CEO and owner in one person.

What is responsible

For all. He just understands some things and controls them completely, and delegates the rest to the performers. The fact that he does not understand, the director needs no problems and timely response to the changes. That is, Pavel does not know the word "cryptographer", but if all the PCs in the company suddenly turn out to be blocked, then he will deal with the head of the IT department. And if the drivers unexpectedly leave for a binge, then he will sit behind the wheel of the head of the transport department.

What does not answer

As already mentioned, for knowing the details of certain processes.

Professional worldview

This is the company of Paul, so he wants to believe that he fully controls all of its processes. He periodically meets with department heads and they tell him in detail about the current state, potential threats and updates (and this concerns IT far from being the first place - for example, Pavel was very interested in the impact of Plato’s introduction on income).

Pavel likes to attend various industry conferences, this underlines his status and provides an opportunity to learn something really important. If there they say something that interested him, but from the area where he is not an expert, then Pavel passes the information to the head of the relevant department, asks to sort it out and report to him.

Current relationship to 2FA

Paul doesn't know anything about 2FA. At specialized conferences, these issues are not addressed, Peter does not tell him about it. If he had been told competently about the potential risk, he would have asked Peter to figure out and report on how critical and probable he was in their company. And if Peter says that they do not need 2FA, then Paul will demand to ensure that without the introduction of this technology, the safety of Tradex will not suffer. And then it will be easier for Pavel to implement 2FA than to take responsibility.

findings

There should be smart conclusions about the reasons why four smart people, genuinely concerned about the security of their companies, are aware of the effective and well-proven two-factor authentication technology, but do not implement it in their homes. Given that the implementation is difficult and not critical in terms of cost and time costs.

But the conclusions were very simple. We need to talk more about the danger of passwords and the benefits of 2FA, and not only IT managers, but also general directors - and the number of implementations of 2FA will increase significantly.

Do not agree? I will be glad to discuss in comments!