Passwords: Ending an era…

As I think back to “the old days” in the authentication world, we’ve come a long way; or have we?  In the early 90’s I ran a BBS (who knows what that is?).  I required users to connect with a username and password of their choice.  That sounds like what we do today.  While login names and passwords have become increasingly complex, the process has not changed: tell me who you are and I will let you in!  That sounds like a great strategy; actually, it’s not.  Millions, if not billions, of login credentials are stolen annually, and the majority of data breaches involve stolen credentials.  The NY Times reported in August 2014 “Russian Hackers Amass Over a Billion Internet Passwords”, and InformationWeek DarkReading reported in April 2014 “Stolen Passwords Used In Most Data Breaches”.  In the technology world we live in today, a username and password by itself is not enough.  I repeat: a username and password by itself is not enough.  Have you been hacked, or do you know someone who has?  We all do.  A few simple steps can drastically reduce the chances, both for businesses and personally.

  1. Use multi-factor authentication

    1. What is multi-factor authentication?  Wikipedia says: Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).  Note that the pieces of evidence must come from different categories: a password plus a security question is still only one factor (two things you know), not two.

    2. Many sites already offer multi-factor authentication.  Turn this feature on.  If you are a business owner, require it for access to your business resources.

      1. Banks – usually required

      2. Facebook – optional

      3. Google – optional

      4. Amazon – optional

    3. Relax password complexity and lengthen the time between password changes once a second factor is in place.

      1. After adding an additional factor to the authentication process, the password requirements can be made less complex, with fewer characters required.

      2. Lengthen the interval between password changes (that is, change passwords less often).  If the policy is currently 90 days, 180 days may now be acceptable after adding an additional factor to the authentication process.

  2. Close access to resources not secured by multi-factor authentication

    1. Shut down access from outside your network to resources inside your network that are not secured with multi-factor authentication.

    2. Provide access to those resources only through an entry point inside the boundaries of your network (a virtual desktop, a published application, etc.) that the user reaches after passing multi-factor authentication.

That’s great Sean, but how do I accomplish the recommendations you have made?  To start with, log in to each of the sites you use and see whether it offers multi-factor authentication.  Usually this will be something like “send me an email or text message with a code before allowing access”.  Codes sent by email or text are the weakest form of second factor, since those channels can themselves be taken over, but they are still far better than a password alone; where a site offers an authenticator app or a hardware token, prefer that.  If you are a business, look at products like Duo, AuthAnvil, Azure, and others to add this functionality to your infrastructure.  The main idea is to determine what needs to be secured; then you can determine the best multi-factor product to secure it.
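To show what the “something you have” factor actually checks, here is an added example (not code from the original post or from any of the products named above) of how an authenticator-app code is generated and verified on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP).  The verifier accepts one time step of clock skew on either side and refuses to accept a counter that has already been used, which is the replay check a practitioner wants.  The secret used in the demo is the published RFC test secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(now: float, step: int = 30) -> int:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return int(now) // step


def verify_totp(secret: bytes, code: str, now: Optional[float] = None, step: int = 30,
                window: int = 1, last_counter: int = -1, digits: int = 6) -> Optional[int]:
    """Verify a user-supplied TOTP code.

    Returns the counter that matched (the caller should store it as the new
    last_counter) or None if the code is rejected.  `window` is the number of
    time steps of clock skew tolerated on each side; any counter at or below
    `last_counter` is refused so a captured code cannot be replayed.
    """
    if now is None:
        now = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    current = totp_counter(now, step)
    for skew in range(-window, window + 1):
        counter = current + skew
        if counter <= last_counter:          # replay protection
            continue
        # compare_digest keeps the comparison constant-time
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown in a QR code / setup page (spaces and missing padding tolerated)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 4226 / RFC 6238 test secret ("12345678901234567890"), not a real key.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 test vector (SHA1, 8 digits) is 94287082; 6 digits is 287082.
    code = hotp(RFC_TEST_SECRET, totp_counter(59))
    print("code at t=59:", code)
    print("accepted counter:", verify_totp(RFC_TEST_SECRET, code, now=59))
    print("replayed:", verify_totp(RFC_TEST_SECRET, code, now=59, last_counter=1))
```

In a real deployment the secret is generated per user with a cryptographic random source, stored encrypted at rest, and the accepted counter is persisted so the same code is never honoured twice.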

In conclusion, while all of these technologies have existed for many years, they are now viable enough that businesses of all sizes should adopt them.  Deployment of multi-factor products has been simplified, and with smartphones serving as the second factor, end-user acceptance and adoption are very high.

CryptoWall and its Wreaking Havoc Impacts!

Emerging next-generation threats are everywhere in this digital age.  In the late 90’s we were protecting our systems against unwanted access, and that’s still the case today.  It’s a never-ending battle: security professionals battling “the bad guys”, and “the bad guys” always seem to be three steps ahead.  As complexity continues to rise at all levels of technology, so does the knowledge needed to understand these systems.  The landscape changes every few minutes, so security professionals can never fully catch up.

Enter the world of ransomware.  Ransomware makes your data unusable, and if you want to use it again: PAY ME!  With good backups this is an inconvenience and a disruption.  Without good backups, welcome to a nightmare.  “Good” here means backups the infected machine cannot reach and overwrite: CryptoWall also encrypts files on mapped network drives and deletes local Volume Shadow Copies, so a backup share mounted on every desktop is not a backup.  There are numerous horror stories, and likely some “Out of Business” signs, as a result of ransomware incidents like CryptoWall infections.  If you have not been impacted by an infection like this, you most likely know someone who has.

What is CryptoWall?

CryptoWall is a Trojan (ransomware) that encrypts files and demands a ransom to decrypt the files it has encrypted.  It was introduced in April of last year and continues to be updated; CryptoWall 3.0 is the latest version at the time of this article.  It targets all versions of Windows.  CryptoWall generally arrives via email with an attachment or a link.  The attachments are usually ZIP files containing what looks like a PDF but is actually an executable, typically using a double extension such as .pdf.exe (Windows hides the final extension by default, so the user sees a “.pdf”) and a PDF document icon.  These files are commonly presented as invoices, bills, complaints, POs, or some other type of business-related communication.

How do I become infected with CryptoWall?

The typical ways to become infected are through an email message or through an infected website.  The email message contains a link or an attachment and relies on the user clicking the link or opening the attachment.  A malicious website exploits outdated browser plug-ins (Adobe Flash, Java, etc.) to infect the system without the user doing anything beyond visiting the page, which is why keeping those plug-ins patched, or removing them entirely, matters as much as user training.
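As an added example, not code from the original post, here is a small Python check that applies the attachment description above: it opens a ZIP attachment and flags any entry with an executable extension, a document extension hiding an executable one (the .pdf.exe trick), or a Windows PE header (the “MZ” magic bytes) under a non-executable name, and it reports encrypted entries it cannot look inside.  The sample archive and the file names in it are constructed here for the demo and are not a real CryptoWall attachment.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly on double-click (the dropper formats seen in these lures).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                         ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi"}
# Document types the lure pretends to be.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable, regardless of file name


def extensions_of(name: str) -> List[str]:
    """All extensions of the base name, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip(data: bytes) -> Dict[str, List[str]]:
    """Return {entry name: [reasons]} for every suspicious entry in the archive."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons: List[str] = []
            exts = extensions_of(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % last)
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension hiding executable behind %s" % exts[-2])
            if info.flag_bits & 0x1:
                # bit 0 of the general-purpose flags means the entry is encrypted
                reasons.append("encrypted entry, content cannot be inspected")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == PE_MAGIC and last not in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE header (MZ) under non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def zip_from_entries(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used here to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mimicking the lure shape described above; not a real attachment.
SAMPLE_LURE = {
    "Invoice_4471.pdf.exe": b"MZ" + b"\x00" * 62,   # double extension; Explorer shows "Invoice_4471.pdf"
    "Invoice_4471.pdf": b"MZ" + b"\x00" * 62,       # executable content behind a plain .pdf name
    "invoice.js": b"var a = 1;",                    # script dropper
    "README.txt": b"Please see the attached invoice.",  # benign text
}


def build_sample_zip() -> bytes:
    return zip_from_entries(SAMPLE_LURE)


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

A mail gateway would run a check like this on every ZIP before delivery and quarantine anything with findings; an encrypted entry should be treated as a finding in its own right, since the password is usually supplied in the lure email precisely to defeat scanning.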

How can I protect against CryptoWall?

There are a number of preventive measures that can be employed.  There is no way to guarantee you will never be infected, short of disconnecting from the internet permanently, but you can reduce the risk by:

  1. Training end users.

  2. Implementing safe internet surfing practices.

  3. Leveraging your gateway firewall security appliance (SonicWALL, FortiNET, etc.).

  4. Keeping antivirus updated on all devices.

  5. Deploying a malware scanner and keeping it updated on all devices.

  6. Using DNS filtering services (OpenDNS, Dyn, etc.).

  7. Deploying Software Restriction Policies on all end-user desktops, including Terminal Servers and Citrix Servers.  The commonly recommended rules block execution from the user-writable locations where the dropper writes itself (%AppData%, %LocalAppData% and %Temp%), so the attachment can be opened but the executable it drops cannot run.

What are the impacts of these methods of protection?

As mitigations are deployed to reduce risk, there is almost always an impact on end users: reduced performance, additional steps to complete a task, or the inability to perform a task.  When deploying a mitigation, communicate with end users so they are aware of the potential impacts and know what steps to take when they are affected.

Examples of Impacts and Remediation

Implementing Stricter Anti-Virus Protection
Problem: User(s) are not able to launch a program, or a program is slow.
Solution: Add an exclusion to the antivirus program to allow the program and/or skip scanning it.  Exclude the specific signed executable, not a whole user-writable folder, or the exclusion becomes the hole the malware runs through.

Deploying Stricter Firewall Security Rules (Content Filtering, Application Controls, Gateway AntiVirus, etc.)
Problem: User(s) are not able to access a business website or public cloud application.
Solution: Add a whitelist entry or exception to the firewall.

Deploying Software Restriction Policy Group Policy
Problem: User is not able to launch an application and is alerted “Your system administrator has blocked this program. For more information, contact your system administrator.”
Solution: If this is a valid application, the systems administrator adds a rule for the program (by path or publisher) to allow it to run.

Implementing DNS Threat Protection and Controls
Problem: User is not able to access a business website or cloud-based application and sees “Site has been blocked” or “Page cannot be displayed in browser”.
Solution: Add the site to the whitelist on the DNS controls software, site, or system.

Additional Information on CryptoWall