Passwords Don't Work - Multifactor Controls Do (03-01-2016)
Restricting, Authenticating, Tracking User Access? Time Is Not On Our Side!
Page 1 of 6
The 2015 worst password list was published recently(1). The list is only one
confirmation that leaving password controls to the end user is not secure. Verizon’s
2015 Data Breach Investigations Report(2) revealed that most breaches resulted from
harvested credentials. And recently, a former executive for the Cardinals pleaded
guilty to accessing the Astros’ player database and email system(3). He gained access
by learning the account and password from an employee who turned in their laptop.
This type of breach has become much too commonplace.
If you haven’t already, it’s time to take action and migrate to multifactor
authentication. There is a sound ROI for the investment, and VIMRO is extremely
committed to helping our clients migrate to multifactor authentication in 2016!
Why Passwords Don’t Work
There is no shortage of case studies presenting a strong case and confirmed ROI
for moving to multifactor controls. Here are a few examples:
• In addition to the Verizon 2015 Data Breach Investigations Report we referenced
above, Wired published an article about the breaches of 2015(4). Most of the year’s
largest hacks involved weak authentication. Multifactor controls would drastically
reduce or eliminate this threat. (see reference #6)
• When the VIMRO Cyber Security Team conducts penetration tests, we almost
always gain access to our clients’ systems via captured credentials. There are so
many attack vectors to obtain passwords! Multifactor controls would considerably
reduce or eradicate the following vulnerabilities:
o Through social engineering, in which a workforce member sends us their
passwords, tells us their passwords, or enters their passwords into a simulated
cybercriminal fake web site; or
o By intercepting them when conducting man-in-the-middle attacks (in which an
attacker secretly relays, often altering, the communication between two parties
who believe they are directly communicating with each other); or
o By gaining access to the password database/file when breaching a weakly
configured or patched system, and then cracking the records with a
password-cracking application, such as L0phtCrack, Ophcrack, RainbowCrack,
Cain and Abel, John the Ripper, etc.
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Passwords Don’t Work: Multifactor Controls Are the Answer
Learn how to demonstrate ROI
There is a sound ROI for the investment of Multifactor Controls
2. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Authored by VIMRO’s Cybersecurity Leaders
Page 2 of 6
With the right methodology, ROI is easy to demonstrate.
The VIMRO security team’s work involves traveling. We overhear a lot of phone
conversations when we’re in the airport. On many occasions we overhear support
calls. Most support calls we hear involve a traveler forgetting their password, which
is understandable given the stresses and distractions of travel. We often can gather
where the individual works, their account name, and, yes, even their password,
which they typically repeat after a support person gives it to them over the phone.
Here are a few default passwords that we have recently heard in our travels:
• Winter2015! (It would be a reasonable guess that the next one is going to be
Spring2016! or some derivative.)
• “name of company”!@#abc
• “person’s name”1234
If we were criminals, or even if we were ethically conducting a social engineering
experiment by sitting in the airport and listening to calls, we’re pretty confident that
we would be able to gain unauthorized access to the individuals’ respective
organizations. Once again, the solution calls for multifactor controls.
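As an added illustration (not part of VIMRO’s paper), here is a set-time password check that rejects the three default-password shapes overheard above, so that such values never become an account’s only factor; the company name, user names, reference year and sample passwords are all constructed for the example.

```python
import re
from datetime import date
from typing import Optional, Sequence

# Added example, not from the paper: reject the predictable "default" password
# shapes the paper heard repeated over support calls.
SEASONS = ("winter", "spring", "summer", "fall", "autumn")


def year_window(current_year: Optional[int] = None, span: int = 2) -> set:
    """Years a guesser tries first: current year +/- span, as 4- and 2-digit strings."""
    y = current_year or date.today().year
    years = range(y - span, y + span + 1)
    return {str(v) for v in years} | {str(v)[-2:] for v in years}


def predictable_password(pw: str, company: str, user_names: Sequence[str],
                         current_year: Optional[int] = None) -> Optional[str]:
    """Return the name of the weak pattern matched, or None if no pattern matched.

    Patterns (case-insensitive, trailing punctuation ignored):
      1. <Season><Year>                e.g. Winter2015!, Spring16
      2. <company name><short suffix>  e.g. Acme!@#abc
      3. <person's name><digits>       e.g. jsmith1234
    """
    core = pw.strip().lower()
    stripped = re.sub(r"[^a-z0-9]+$", "", core)   # drop trailing "!", "!@#", ...
    m = re.fullmatch(r"([a-z]+)(\d{4}|\d{2})", stripped)
    if m and m.group(1) in SEASONS and m.group(2) in year_window(current_year):
        return "season-year"
    comp = re.sub(r"[^a-z0-9]", "", company.lower())
    if comp and core.startswith(comp) and len(core) - len(comp) <= 6:
        return "company-name-suffix"
    for name in user_names:
        n = re.sub(r"[^a-z0-9]", "", name.lower())
        if n and re.fullmatch(re.escape(n) + r"\d{1,6}", stripped):
            return "person-name-digits"
    return None


if __name__ == "__main__":
    # Constructed sample inputs: company "Acme", user "jsmith", reference year 2016.
    for pw in ("Winter2015!", "Acme!@#abc", "jsmith1234", "correct horse battery staple"):
        print(pw, "->", predictable_password(pw, "Acme", ("jsmith", "jane"), 2016))
```

The check complements, rather than replaces, the multifactor control: it only stops the weakest passwords from being chosen in the first place.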
ROI for Multifactor Authentication Controls is Easy to Demonstrate
All clients need to demonstrate an ROI when they present their solution to a
problem. Using passwords only is a major problem. The likelihood of a breach due to
weak authentication is high, based on the following risks/threat examples:
• phishing (attempt to acquire sensitive information by masquerading as a
trustworthy entity in an electronic communication)
• man-in-the-middle
• gaining access to the password file database
The impact of a breach can be high in terms of hard costs:
• remediation/corrective action
• breach notification letters and credit monitoring for each record compromised
• lost sales/consumer confidence
Page 3 of 6
Compare, Contrast, Evaluate the Products that Meet YOUR Needs.
In most cases, when VIMRO conducts an ROI assessment for multifactor controls,
we can demonstrate to our client that the control is less expensive than the hard
costs associated with a single breach. And this doesn’t even include intangible costs:
it’s much harder to demonstrate a breach’s effect on a company’s reputation.
Indeed, in talking with most C-level executives, we learn that their company’s
reputation among its customers and shareholders is one of their top concerns, and
that any crack in that reputation is, in fact, associated with a high cost.
Conduct an IT Component and Sensitive Data Inventory
Demonstrating an ROI for multifactor controls is the easiest part of the project. In
the next phase of a multifactor implementation project, identify how the solution
will be used. This involves in-depth knowledge of your environment. Most clients
utilize the CIS Critical Security Controls(5) to acquire and manage this information.
Specifically:
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
The inventory should include where sensitive data resides and how authentication is
currently handled. Dataflow diagrams also help provide a detailed understanding of
all of the components involved in sensitive data transmission, processing, and
storage. This enables efficient and effective implementation of the multifactor
solution.
Once the inventory is conducted, create a list of criteria that the multifactor
solution must meet. We have provided a list of common requirements among VIMRO
clients in Attachment 1.
Evaluate Products that Meet Your Needs
There are many good multifactor authentication products on the market. VIMRO is
vendor-agnostic, so we help our clients research three or four or more products that
work best for their needs, but we do not promote one product over another.
Page 4 of 6
Vet the strategy by conducting a pilot project.
One of our methods for identifying the best candidates for our clients’ evaluation is
suggesting solutions that worked well for similar organizations. We add those
vendors to the evaluation list in Attachment 1. We also identify good solution
candidates by staying current with industry reporting on these products. Some good
resources for this are:
• Search Security: http://searchsecurity.techtarget.com/feature/The-fundamentals-of-MFA-Comparing-the-top-multifactor-authentication-products
• Forrester: https://www.forrester.com/How+To+Get+Away+With+Murder+Authentication+Technologies+That+Will+Help+You+Kill+Passwords/fulltext/-/E-res126341
• Gartner: https://www.gartner.com/doc/2930517/magic-quadrant-user-authentication
• SANS: https://www.sans.org/reading-room/whitepapers/authentication
• SC Magazine: http://www.scmagazine.com/two-factor-authentication-smart-cards-tokens/products/83/0/
Conduct a Pilot Project
VIMRO recommends that you conduct a pilot project using the one or two
highest-scoring solutions on your evaluation sheet. Together we will select one or
two users from each of your organization’s business units. VIMRO recommends
mixed-skill pilot groups consisting of power users, intermediate users, and users
needing more support than most. This provides you with adequate feedback to
conclude whether the solution will work for your organization.
Documentation
Thorough documentation is critical to a successful implementation and lifecycle of
the multifactor solution. Dedicate resources to documenting everything. This
includes:
• Design documents
• As-built documents
• Support documents
• User instructions
• Pilot project lessons learned
Page 5 of 6
...must conduct continuous exercises that test the effectiveness of training.
Awareness Training is Still Important
Multifactor controls are critical, but it is still important to have a layered defense.
This is especially true when it comes to protecting your user. Multifactor controls
can be compromised if a user shares their verification code with an attacker
through social engineering(6). It is important to conduct cyber security awareness
training with workforce members and to conduct continued exercises that test the
effectiveness of your training program. See VIMRO’s “Strengthening the Weakest
Link”(7) paper for more information.
Conclusion
Antimalware, IDS/IPS, and firewalls have become important tools to protect
businesses over the years. Breach data and research prove that ever-increasing
threats now require the use of multifactor controls to protect our businesses,
employees, and customers.
We encourage you to contact VIMRO to discuss how we can help make multifactor
controls part of your business practices.
References
(1) 2015 Worst Password List: http://www.theguardian.com/technology/2016/jan/20/123456-worst-passwords-revealed
(2) Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2015/
(3) Ex-Cardinal Executive Pleads Guilty to Accessing Astros’ Database: http://espn.go.com/mlb/story/_/id/14531169/christopher-correa-former-st-louis-cardinals-executive-pleads-guilty-hacking-houston-astros-database
(4) Wired List of 2015 Largest Hacks: http://www.wired.com/2015/12/the-years-11-biggest-hacks-from-ashley-madison-to-opm/
(5) CIS Critical Security Controls: https://www.sans.org/critical-security-controls
(6) Two-Factor Authentication Social Engineering Vulnerability: http://www.homelandsecuritynewswire.com/dr20160204-vulnerability-found-in-in-twofactor-authentication
(7) VIMRO Strengthening the Weakest Link Paper: https://www.vimro.com/wp-content/uploads/2015/12/Strengthening-the-Weakest-Link-151210_2225opt.pdf
Attachment 1 – Multifactor Authentication Evaluation Requirements
Page 6 of 6