Penetration Testing and Two Factor Authentication
Recently I had the opportunity to present to a very technically savvy crowd at Security B-Sides Detroit 2013 regarding the process behind hiring a well qualified penetration tester. In the world of security assessments, penetration testing often stands out as "the service I need to have done" when businesses are desiring (or more likely, required) to seek out a third-party evaluation of their security posture. However, there can be a large gap between the reality of penetration testing versus what a company actually needs to have done. The purpose of the talk was to engage the audience to think about not only what type of security assessment should be done, but also how to determine that the work being done is being handled with the appropriate amount of skill, focus, and ethical treatment.
Passwords and login credentials in the crosshairsAuthentication is often the first target for attack, which you know if you've ever worked to breach an enterprise network (legally or otherwise). Whether it's a phishing email that yields a login and password, a successful brute-force against a network service, or a cracked password hash, credentials are the foothold most attackers need to wreak havoc. Users are the softest target for most organizations in terms of compromise-potential, so their credentials become the fastest way to breach network security.
Two factor authentication - an effective barrier if deployed correctlyAs someone who's performed penetration testing and other security assessment services, I can safely state that two factor authentication generally results in a big brick-wall in front of an otherwise successful attack against infrastructure. Notably, architecture which broadly applies two factor authentication makes it hard for even the most skillful attacker to abuse their newly acquired password.
Unfortunately many companies only deploy two factor authentication on one or two systems they identify as 'high risk'. A determined attacker will look for ways around strong authentication. They will look for a weaker system that will allow a pivot-point to breach their target server. Consider an attacker who is able to login to a web application that has no two factor and is then able to leverage a vulnerability in that application to access other systems internally. You could make the assumption that by hardening the SSH (or other remote login) server with two factor authentication, no breach would occur using credentials. But the attacker could breach your system by attacking a web application that does not have strong-authentication and through that application achieve their original goal. An oversight like that in two factor deployment can lead to a very angry call from your CSO late at night.
Like any other security control, how and when you apply two factor authentication matters more than any single feature or vendor claim. Whether you're trying to appease your security assessor or a compliance requirement, remember that this new technology will be most effective if utilized wherever possible, instead of just in areas you classify as 'high risk'. A well-executed threat modeling exercise will help ensure successful deployment of any security technology, but you also need to consider edge cases beyond classic perceived threats.
Easy integration makes for effective deploymentAt Duo, we're focused on allowing people to easily and readily integrate our two factor platform into their own software offerings. Through providing our Web SDK, language-specific libraries, and REST API, Duo is committed to allow your team the flexibility to broadly deploy strong authentication to your enterprise. Of course, we provide numerous integrations for great technologies including WordPress, RDP and SSH.
Frustrate your attackers -- hired or otherwise. To implement an effective security plan, you need to think like a penetration tester. Spend time putting yourself in the mindset of a creative attacker. Think about how a breach could occur and what avenues you could take to get around existing security controls. By thinking like an attacker and building security controls around your thoughts, you stand a much better chance at staying safe.
What are your experiences with compromised servers? Have a story to tell about stolen credentials leading to a breach? Let us know in the comments!