Endpoint // Authentication
Guest Blog // Selected Security Content Provided By Sophos
What's This?
08:10 AM
Maxim Weinstein
Maxim Weinstein
Security Insights

3 Places to Enable 2-Factor Authentication Now

Two-factor authentication is a ubiquitous, mature technology. Whether or not you use it for your network, here are three external services for which you should immediately enable it.

Two-factor authentication (2FA) -- using something like a security token, an authenticator app, or a code sent via SMS to your phone to supplement a password -- is hardly new. Indeed, you may already use 2FA to provide remote access to your company’s webmail, VPN, or administrative tools. Yet, despite broad availability of 2FA and an increasing awareness of the limitations of passwords, many organizations still fail to implement 2FA for securing high-value external services, such as their social media accounts, domain name registrations, and cloud/web hosting services.

There have been numerous examples in the past year of organizations’ Twitter, Facebook, and other social media accounts being hacked through stolen credentials and used for shady purposes. Given how strongly social media can represent a brand, it’s no surprise that the effects of these hijacks have ranged from embarrassment to fanning political flames to sending the stock market plummeting briefly. (The effects for the IT security people who failed to protect their accounts likely ranged from sleepless nights to termination from their jobs.)

A compromised user account was also responsible for the hijacking of domain names belonging to The New York Times and Twitter last year. A stolen domain name gives the attacker control of a business’s web traffic (i.e., its customers and prospects), its incoming email, and more. In the case of last year’s attack by the Syrian Electronic Army (SEA), the NYT was effectively offline for a time, and both Twitter and the NYT can be thankful that the SEA didn’t use the opportunity to spread malware or otherwise harm their customers.

In perhaps the most extreme case of a compromise gone awry, a company called Code Spaces was recently put out of business after losing control of its Amazon Web Services account. Once the attackers had access to the AWS account, they were able to delete all the company’s servers and data. While this may be an edge case, it’s not hard to imagine a company’s website getting deleted or a critical cloud server getting rooted due to a poorly selected or protected password.

Fortunately, all of the major social media services and many business-focused domain name registrars and hosting providers offer two-factor authentication. One objection I’ve heard from IT professionals is that they need to share access to an account, and 2FA systems are designed by nature to require a single person to have the authentication token or device. Of course, sharing accounts is a bad idea in the first place, and using it as an excuse to avoid 2FA just makes it worse. There are services that allow a company to set up multiple 2FA-protected user accounts that can all control one or more authorized social media accounts. And it’s not uncommon for registrars and hosting providers to offer multiple user logins, each protected by 2FA and each with a different level of access to the account.

If your organization’s social media, domain, or hosting account isn’t secured with 2FA today, add it to your to-do list now. And if your vendor doesn’t offer the security features you need, it’s time to find a new vendor.

Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/9/2014 | 2:33:31 AM
2 is not always stronger than 1 in the real world
2 is larger than 1 on paper but in the real world two weak boys may well be far weaker than one toughened guy.  A truly reliable 2-factor solution requires the use of the most reliable password.

Being a strong password helps a lot against the attack of getting the stolen hashed passwords back to the original passwords.  The problem is that few of us can firmly remember many such strong passwords.

At the root of the password problem is the cognitive phenomena called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.  The textual memory is only a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio