Endpoint // Authentication
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/7/2014
08:10 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

3 Places to Enable 2-Factor Authentication Now

Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.

Two-factor authentication (2FA) -- using something like a security token, an authenticator app, or a code sent via SMS to your phone to supplement a password -- is hardly new. Indeed, you may already use 2FA to provide remote access to your company’s webmail, VPN, or administrative tools. Yet, despite broad availability of 2FA and an increasing awareness of the limitations of passwords, many organizations still fail to implement 2FA for securing high-value external services, such as their social media accounts, domain name registrations, and cloud/web hosting services.

There have been numerous examples in the past year of organizations’ Twitter, Facebook, and other social media accounts being hacked through stolen credentials and used for shady purposes. Given how strongly social media can represent a brand, it’s no surprise that the effects of these hijacks have ranged from embarrassment to fanning political flames to sending the stock market plummeting briefly. (The effects for the IT security people who failed to protect their accounts likely ranged from sleepless nights to termination from their jobs.)

A compromised user account was also responsible for the hijacking of domain names belonging to The New York Times and Twitter last year. A stolen domain name gives the attacker control of a business’s web traffic (i.e., its customers and prospects), its incoming email, and more. In the case of last year’s attack by the Syrian Electronic Army (SEA), the NYT was effectively offline for a time, and both Twitter and the NYT can be thankful that the SEA didn’t use the opportunity to spread malware or otherwise harm their customers.

In perhaps the most extreme case of a compromise gone awry, a company called Code Spaces was recently put out of business after losing control of its Amazon Web Services account. Once the attackers had access to the AWS account, they were able to delete all the company’s servers and data. While this may be an edge case, it’s not hard to imagine a company’s website getting deleted or a critical cloud server getting rooted due to a poorly selected or protected password.

Fortunately, all of the major social media services and many business-focused domain name registrars and hosting providers offer two-factor authentication. One objection I’ve heard from IT professionals is that they need to share access to an account, and 2FA systems are designed by nature to require a single person to have the authentication token or device. Of course, sharing accounts is a bad idea in the first place, and using it as an excuse to avoid 2FA just makes it worse. There are services that allow a company to set up multiple 2FA-protected user accounts that can all control one or more authorized social media accounts. And it’s not uncommon for registrars and hosting providers to offer multiple user logins, each protected by 2FA and each with a different level of access to the account.

If your organization’s social media, domain, or hosting account isn’t secured with 2FA today, add it to your to-do list now. And if your vendor doesn’t offer the security features you need, it’s time to find a new vendor.

Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HAnatomi
50%
50%
HAnatomi,
User Rank: Apprentice
8/9/2014 | 2:33:31 AM
2 is not always stronger than 1 in the real world
2 is larger than 1 on paper but in the real world two weak boys may well be far weaker than one toughened guy.  A truly reliable 2-factor solution requires the use of the most reliable password.

Being a strong password helps a lot against the attack of getting the stolen hashed passwords back to the original passwords.  The problem is that few of us can firmly remember many such strong passwords.

At the root of the password problem is the cognitive phenomena called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.  The textual memory is only a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-7839
Published: 2014-11-25
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVE-2014-8001
Published: 2014-11-25
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8002
Published: 2014-11-25
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?