Application: When Single-Factor and Multifactor Authentication Controls Fail
Imagine you are a rookie cop on your first solo patrol. While walking your beat, you stop a man for suspicious behavior and ask him for his ID. While examining his ID, you ask a few probing questions. His answers seem consistent and his ID seems genuine. However, something still seems amiss and you ask for an additional form of ID. Fortunately, he has his passport with him. Everything appears to be in order. But as one last precaution, you “run” his name for warrants. He comes back “clean.” You hand him back his ID and passport, wish him a good day, and continue on your patrol. A few days later during a briefing, your sergeant is passing out pictures of suspects. The second one is the man you stopped a few days ago—he is wanted for identity theft.
Authenticating users is difficult. Regardless of how sophisticated your authentication controls are, they still can fail under the right circumstances. For example, a hacker might crack a bunch of weak passwords (single-factor) or a pickpocket might steal a wallet containing a bank card that has its PIN written on it (two-factor).
To prepare for this Assignment, read the Unit 2 Notes, located in this week’s Learning Resources, and find two cases within the last two years where single-factor and multifactor authentication controls have failed.
For this Assignment, write a 1- to 2-page paper that analyzes why these authentication controls failed and recommends mitigating controls.
Unit 2 Notes
Discussion notes: In small organizations, IT changes often can be made quickly and carefully without any formal planning. However, for more mature organizations, the situation is much more complex because of the sheer number of IT assets across departments. Therefore, IT departments must proceed cautiously and systematically before making any major changes. To properly effect change, large organizations typically employ change management. This methodology requires a well-documented process that clearly defines the roles, responsibilities, and procedures related to any changes. Before any changes can be effected, they must be reviewed, approved, scheduled, and ultimately communicated to impacted users. Furthermore, roll-back capabilities must be determined ahead of time to avoid service disruptions.

Configuration controls (also called configuration management) are concerned with how devices’ baseline settings (or configurations) are set up and managed. Because these settings are tuned to corporate security policy requirements, any changes to existing systems or any introduction of new systems can generate risks. Therefore, configuration controls often are put in place to ensure that systems comply with stated policies and standards. Any changes to the configuration controls also must go through the change management process.

Assignment 2 notes: In cases where physical security controls cannot be bypassed, attackers still may be able to steal data by convincing employees (or computer systems) that they are legitimate users. Authentication is the process of validating someone’s identity. The most common form of authentication is the username-password mechanism, which assumes that the username and password are difficult to guess (and crack). Yet, the conformity with which users are provisioned often translates into highly predictable usernames (e.g., first six letters of the last name followed by first initial).
If the username is known or can be guessed easily, the strength of the authentication system now depends on the strength of a user’s password. A 2012 report (Cowley, 2012) found that one of the most commonly used passwords on business systems is Password1 (three character classes: uppercase, lowercase, and numeric).
Obviously the use of single-factor authentication (to which username-password belongs) is too weak for cases where sensitive data must be protected. Besides the government, classified, and military sectors, more businesses and even some banks are adopting two-factor (or more) authentication. The ubiquity of mobile devices has led many to adopt soft-token authentication mechanisms where a token is generated and sent to your mobile device as a text message. You then log in with three pieces of information: username, password, and token. Yet, even two-factor authentication is proving vulnerable to attacks, especially when the endpoints cannot be trusted.
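The Password1 finding above illustrates why a character-class rule alone is a weak control: Password1 satisfies a typical "three classes, eight characters" policy yet is one of the most common passwords in use. The following Python example, added here and not part of the Unit 2 Notes, shows how a defender can audit a password store against both checks at once. The common-password list and the sample accounts are constructed for illustration; a real deployment would load a breached- or common-password corpus from a file rather than hard-coding a handful of entries.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed, illustrative list of commonly used passwords. In practice this
# would be loaded from a locally hosted breached-password corpus.
COMMON_PASSWORDS: Set[str] = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
}

# The four character classes a typical complexity policy counts.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


class PasswordAssessment(NamedTuple):
    classes_present: int
    meets_complexity_rule: bool
    in_common_list: bool
    acceptable: bool


def count_character_classes(password: str) -> int:
    """Number of distinct character classes present (0-4)."""
    return sum(1 for pattern in CHARACTER_CLASSES.values() if pattern.search(password))


def lookup_forms(password: str) -> Set[str]:
    """Forms of the password to check against the common list.

    Lower-casing catches "PASSWORD1"; stripping trailing digits and symbols
    catches the "Password1", "Password123", "Welcome2012!" family, whose base
    word is what actually appears in common-password lists.
    """
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!@#$%^&*.?_-")
    return {lowered, stripped}


def assess_password(password: str, min_length: int = 8, min_classes: int = 3) -> PasswordAssessment:
    """Apply the complexity rule and the common-password check together.

    A password is acceptable only if it passes both; Password1 passes the
    first and fails the second, which is the point the notes make.
    """
    classes = count_character_classes(password)
    meets_complexity = len(password) >= min_length and classes >= min_classes
    common = any(form in COMMON_PASSWORDS for form in lookup_forms(password))
    return PasswordAssessment(classes, meets_complexity, common, meets_complexity and not common)


def audit_passwords(accounts: Dict[str, str]) -> List[str]:
    """Return the usernames whose passwords fail either check, sorted."""
    return sorted(user for user, pw in accounts.items() if not assess_password(pw).acceptable)


if __name__ == "__main__":
    # Constructed sample accounts, following the predictable username scheme
    # described in the notes (first six letters of last name + first initial).
    sample_accounts = {
        "johnsoa": "Password1",        # passes complexity, on the common list
        "garciam": "Welcome2012!",     # passes complexity, base word is common
        "smithj": "Tr0ub4dor&3",       # passes both checks
        "nguyenl": "sunshine",         # fails complexity (one class)
    }
    for user, pw in sample_accounts.items():
        print(user, assess_password(pw))
    print("flagged:", audit_passwords(sample_accounts))
```

Run as a script, the block prints one assessment per account and then the flagged usernames; the `assess_password` result carries both the complexity verdict and the common-list verdict separately so an auditor can see which control a given password defeated.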
Reference: Cowley, S. (2012). If you're using 'Password1,' change it. Now. CNN Money. Retrieved from http://money.cnn.com/2012/03/01/technology/password_security/index.htm
Unit 2 Case Study
Pixelated Pony Corporation (PPC) has achieved tremendous growth over the past decade. The company, a leading provider of online education, now serves over a million students worldwide. What started as a side business by the company’s founders quickly grew to achieve a leading position in the online education market. However, PPC’s rapid growth also has been marred by a series of missteps in which key servers were down several times during the past year, and for nearly 10,000 students, their personal information and grades accidentally were posted to a public-facing server for six months.
At the request of PPC’s Board of Directors, an investigation was launched that revealed the cause to be poor IT management. The investigation recommended that PPC implement new policies and procedures to help prevent and mitigate future incidents. The controls recommended included implementing a change management process for the entire organization and a configuration control process for all IT services.
The investigation pointed out that at several times during the past year, PPC IT failed to provide the required level of availability for key company servers. In one instance, the company’s new surfing policy was activated before management had a chance to fully test its impact and to notify faculty and staff. The chaos resulting from hundreds of users complaining about Internet access issues cost the company several days of disruption and many frustrated faculty members whose courses “broke overnight.” In another case, an administrator pushed an OS update onto some key servers. However, this particular update resulted in degraded server performance and ultimately had to be rolled back after days of complaints from employees and customers alike.
Student Data Exposed:
As a result of a data breach involving the grades and personal information of nearly 10,000 students, PPC had to spend nearly half a million dollars in post-data-breach investigation and notification costs. While it is unknown whether the data was accessed for malicious purposes, PPC did offer each student a complimentary subscription to an identity protection service. The root cause analysis determined that the breach resulted from the configuration of a backup server that allowed unrestricted access to anyone. Because this server also was indexed by major search engines, it was relatively easy to find.