Tools Archives • PC PORTAL

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices a PIN, or a using a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 1809 build. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave way for users to authenticate primarily using ‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in past few years is because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha.

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action. People choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements the password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password along with two factor authentication where possible. People should also use different pass phrases for each website or online service we use, because using the same phrase over and over again puts us at risk if attackers compromised any one of those sites. Once they get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Vulnerability assessments usually involve using automated tools such as Nessus or Qualys to carry out a passive scan of an organisation’s systems. The process produces a list of security gaps and ranks them in order of risk. It gives an organisation clear data to guide the process of deciding which issues to prioritise first based on budget, available resources, or likelihood of the threat.

If forewarned is forearmed, then the value of a vulnerability assessment is that it identifies weaknesses in your systems proactively. It’s different to a penetration test which not only finds security gaps but actively exploits them to replicate the damage a malicious attacker could do without the repercussions.

Why check for vulnerabilities?

Lately, we’re seeing organisations carry out vulnerability assessments, or get an independent provider to do it for them, much more frequently. I think there are two reasons for this. One is the increasing adoption of the ISO 27001 information security standard. We advise organisations that want to get certified or stay compliant to check for vulnerabilities at least twice a year and perform a penetration test at least once a year.

The second driver is – surprise, surprise – GDPR. Growing numbers of businesses and public sector agencies are now aware that they need to protect data. Checking for weak points can help them put safeguards in place to avoid breaches. In the event of a breach, an organisation may avoid heavier penalties if it can prove to the regulator that it has been carrying out vulnerability assessments and doing their due diligence. On the other hand, the authorities won’t look too kindly on breach victims that were running old operating systems with no security controls or patching mechanisms in place.

What to fix

I carry out vulnerability assessments every week, and many of the risks I find are very common. Many of them fall into the categories of medium or high risk. For example, many websites still use old versions of SSL or TLS for encrypting data transfers. Some people might assume that a brochure website doesn’t need this level of protection, but I think that’s a mistake. Even a static page may have a function that calls another function that talks to the database or another application. This is a relatively easy issue to fix, and it addresses a potentially large security hole.

Even for a brochure website, it’s worth doing this upgrade since it’s a big gain for relatively little effort. Implementing TLS carries little cost and eliminates a lot of potential weaknesses. Since SSL was deprecated, it’s a matter of changing to TLS 1.1 or 1.2 which in some cases is as simple as checking a box.

To upgrade or not to upgrade

Another common issue that vulnerability assessments will uncover is out of date software like Apache or OpenSSH. (I recently found one site using a five-year-old version of OpenSSH!) As with the risks I referred to above, fixing them is often a matter of clicking the ‘update’ button in the application.

Whether an organisation updates or not will depend on its attitude to risk. Some choose not to do so because they are concerned about affecting their production environment. Or, they might not have time and resources to test the stability of an application on the new version. I would always argue in favour of acting, but at the very least, a vulnerability assessment will highlight areas that you can rank in order of priority.

The length of time it takes to conduct the assessment will vary. It’s not necessarily as simple a calculation as adding up the number of IP addresses to check. I’ve seen three IP addresses take four hours to scan. It also depends what software the organisation uses, and whether it’s patched or unpatched.

Taking action afterwards

Let’s say the testing lasts a day. Writing the report then involves taking the findings from the automated scanning tool and translating that into language that will allow a client to weigh up its business risk. Some companies take the report and fix the issues that it covers. Some use it as a talking point with their software development teams, to make them aware of certain vulnerabilities. Best practice advises that those organisations run an assessment a few months later to check that any fixes they implemented were successful.

However, I’ve also seen the opposite, where I have carried out monthly vulnerability checks and the client chooses not to fix the issues that the report raises. That goes to the heart of security: making decisions based on the level of risk you’re prepared to bear. Good security practice suggests looking for weak points in your security before someone with malicious intentions does it for you.

The post The value in vulnerability assessments: closing gaps to improve security appeared first on BH Consulting.