Archive for August 1st, 2006

The Multi-Factor authentication’s relationship to SSO

August 1st, 2006 Michael Farnum

I posted a few days ago about the password length vs complexity vs. multi-factor authentication debate.  One of the assertions I made was that it is essential to tie in SSO with multi-factor authentication.  Now, I did not assert in my post that SSO makes multi-factor authentication more secure as Chris Hoff says I did in his post.  However, that was a point I wanted to make, so I am not quite sure why I didn’t do it.  So, without further hesitation, I now officially contend that it does make a system more secure in many ways.  So, let’s look at them:

1. Lowered password complexity when coupled with one or more other factors actually makes for stronger security.  Chris, rightly so, blames many of our security woes on users.  But I believe that the user is less likely, not more likely, to write down a PIN number so he / she can remember it than if they had to remember a strong, complex password (even if they use passphrases).  Yes, I see some users writing their PIN on their RFID card, just like their ATM cards.  But you know, many of those lessons have been learned out there already because ATM security has been beaten into people over the years.  Approach it as being very similar to ATMs, and a light comes on immediately.  Believe me, I have seen the look of comprehension on quite a number of user faces as I explained a card and PIN in this manner.  I actually think this is the least worrisome of the issues.

2. Most SSO vendors allow for scripting of password changes.  This allows the system to change a password automatically, and (if the system supports it) it can replace the password with a complex AND long password that is not crackable in today’s world and that the user has no knowledge of. 

3. Number 2 also lowers the social-engineering vulnerability from the user’s side because I can’t impersonate Joe Admin and ask for your password.

4. With a properly implemented SSO solution, you have a lessened need for password resets, which lowers your vulnerability to social-engineering from the admin side (someone impersonating a user).

5. In looking at the good ol’ CIA triad, availability is one of the points of the triangle.  Many people forget about this point and just secure the crap out of the network while forgetting that the resources need to be available.  Making the authentication process more difficult is not complete security.  An SSO coupled with multi-factor can make the login process easier while also creating a good layer in your DID infrastructure.

Speaking of DID, Chris makes the point that the SSO structure adds another attack surface.  Well, if its worth can be shown as a valid security layer (as I hope I have done to some degree above), then it simply adds another attack surface just like every other layer adds surface or platform for launching attacks.  Your firewall can be used to attack you if it is compromised.  So can your IDS / IPS and other security layers.  Your SSO vendor, just like any other, has to prove that they are making a secure product so it can’t be easily compromised.  They have to protect the keys that are inside the SSO vault.  But when you consider that many of the major security vendors like RSA, Citrix (yes, they are good at security), CA, Novell, etc. are pushing their SSO solution, I think you have many valid choices.

As to mutual authentication, I am totally and completely in agreement that this is where we need to go.  But how many security vendors are pushing this as a mainstream solution today for SMB’s?  I can sense the swing, but I have to make sure my advice is attainable now, not 5 years in the future.  And I think if you want to mitigate the risks of passwords, the SSO coupled with multi-factor authentication is a valid choice TODAY.

Vet

Mouse Story

August 1st, 2006 Michael Farnum

Just got this little story in an email. The original moral was some kind of feel-good, mamby-pamby crap about sticking together in life (blah blah). But it actually has some valid security points. I need some food right now, so I can’t concentrate on forming the morals, but I am sure you will see the implications. It becomes more appropriate when you consider Michael’s post at MCWResearch. Enjoy.


Mouse Story …

A mouse looked through the crack in the wall to see the farmer and his wife open a package. “What food might this contain?” the mouse wondered. He was devastated to discover it was a mousetrap.

Retreating to the farmyard, the mouse proclaimed the warning. “There is a mousetrap in the house! There is a mousetrap in the house!”

The chicken clucked and scratched, raised her head and said, “Mr. Mouse, I can tell this is a grave concern to you but it is of no consequence to me. I cannot be bothered by it.”

The mouse turned to the pig and told him, “There is a mousetrap in the house! There is a mousetrap in the house!”

The pig sympathized, but said, “I am so very sorry, Mr. Mouse, but there is nothing I can do about it but pray. Be assured you are in my prayers.”

The mouse turned to the cow and said, “There is a mousetrap in the house! There is a mousetrap in the house!”

The cow said, “Wow, Mr. Mouse. I’m sorry for you, but it’s no skin off my nose.”

So, the mouse returned to the house, head down and dejected, to face the farmer’s mousetrap – alone.

That very night a sound was heard throughout the house – like the sound of a mousetrap catching its prey. The farmer’s wife rushed to see what was caught. In the darkness, she did not see it was a venomous snake whose tail the trap had caught. The snake bit the farmer’s wife.

The farmer rushed her to the hospital and she returned home with a fever. Everyone knows you treat a fever with fresh chicken soup, so the farmer took his hatchet to the farmyard for the soup’s main ingredient.

But his wife’s sickness continued, so friends and neighbors came to sit with her around the clock. To feed them, the farmer butchered the pig.

The farmer’s wife did not get well; she died. So many people came for her funeral, the farmer had the cow slaughtered to provide enough meat for all of them.

The mouse looked upon it all from his crack in the wall with great sadness.

So, the next time you hear someone is facing a problem and think it doesn’t concern you, remember – when one of us is threatened, we are all at risk.

Categories: Security

Today’s Security Tip: Password Cracking

August 1st, 2006 Michael Farnum

I recently posted about password length vs. complexity vs. two-factor authentication.  But passwords will be around for quite a while, so what are some of the things security professionals can do to keep passwords up to snuff?  One of the ways is obviously to enforce password length and complexity, but politics don’t always let that happen.  So many security shops simply have to set policy and then try to enforce it as best they can.  But how do you do that?  Two words: password cracker.  Once you crack the passwords and determine the ones out of policy, then you go smack the user upside the head with the rolled-up policy, then make ‘em change the password.

Now here is where I get lazy and point you to this site that lists some of the best crackers and hash grabbers out there.  But I will say that two of my favorites for a Windows environment (which is what most security admins are supporting) are LophtCrack and Cain and Abel.  Cain and Abel is free.  LophtCrack was put out by @Stake, but they have since been bought by Symantec and it has been discontinued, so you can’t buy it.  However, the site above has some ways of getting access to it.

A couple of disclaimers: I do not condone piracy (AARRGGHH!!!), and only use your powers for good.  Ok then…

As said above, password cracking is a valuable tool for enforcing policies when politics won’t actually let you set the rules for enforcement.  And besides, it’s fun!  You never know what some of those passwords are going to be.
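Two points in this archive lend themselves to the same small piece of code: point 2 of the SSO post (the vault rotating an account to a long, random password that the user never learns) and the policy enforcement this post describes (finding the accounts that are out of policy so they can be made to change). The following is an added example, not code from the original posts or from any of the products they mention. The policy (minimum length, minimum number of character classes), the account names and the passwords in the sample are all constructed for illustration; the generator draws from the OS CSPRNG via Python’s `secrets` module.

```python
import math
import secrets
import string

# Character classes shared by the generator and the policy audit.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+[]{};:,.<>?"),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))


def classes_present(password):
    """Names of the character classes that appear at least once in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def check_policy(password, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means compliant.
    The policy itself (8 chars, 3 classes by default) is a hypothetical example."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} < {min_length}")
    present = classes_present(password)
    if len(present) < min_classes:
        problems.append(f"only {len(present)} character class(es), need {min_classes}")
    return problems


def generate_vault_password(length=32):
    """Build the kind of password an SSO vault would set on a rotation: long,
    drawn from a CSPRNG, and containing every class so it passes any policy
    the target system enforces. Retries until all classes are present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, min_length=length, min_classes=len(CLASSES)):
            return candidate


def search_space_bits(password):
    """Upper bound on the work a brute-force guess faces: log2 of the size of
    the space spanned by the classes actually used, times the length."""
    size = sum(len(CLASSES[name]) for name in classes_present(password))
    return len(password) * math.log2(size) if size else 0.0


def audit(passwords, **policy):
    """Run the policy check over an account -> password mapping and return only
    the failing accounts with their violations, i.e. the list a cracker run
    would ultimately be used to produce."""
    failures = {}
    for user, pw in passwords.items():
        problems = check_policy(pw, **policy)
        if problems:
            failures[user] = problems
    return failures


# Constructed sample accounts; every value here is made up for the example.
SAMPLE_ACCOUNTS = {
    "jdoe": "Summer06",
    "asmith": "password",
    "rjones": "Tr0ub4dor&3",
    "svc_backup": generate_vault_password(),  # what a scripted rotation would set
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"OUT OF POLICY {user}: {'; '.join(problems)}")
    for user, pw in SAMPLE_ACCOUNTS.items():
        print(f"{user}: ~{search_space_bits(pw):.0f} bits of search space")
```

In the sample, only `asmith` fails the default policy; the rotated service account passes trivially and sits at roughly 200 bits of search space, which is the practical difference between a password a user must remember and one a vault remembers for them.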

By the way, this security tip is part of a series that Michael at mcwresearch.com and I (and possibly some other bloggers) are trying out this week to see if it catches on.  Michael’s latest tip is here.  [Update: Alan Shimel is joining in on this at his blog.]

Vet

Categories: Passwords, Security