
Security for an age of zero trust

A shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea of a “Zero Trust” security model [1], one in which the lines of trusted or untrusted users were becoming increasingly hard to credibly define. While the perspective of Forrester was related to thoughtfully inspecting the firehose of data flow from networks for signs of compromise, another view can be taken on this topic: how can we add trust back into the equation of users and network security?

For more information, please contact [email protected] or 1 (855) 386-2884 © 2013 Duo Security, Inc.

Two-factor authentication: Security for an age of zero trust

www.duosecurity.com


Redefining the perimeter of information security

At its core, information security is about control. The underlying goal of any security technology is to remove potential power from an attacker and shift it back into the hands of the good guys. The increasing decentralization of data and technology, caused by using cloud computing and mobile technologies, creates an increasing challenge for organizations to regain control.

The days of single-vendor computing are gone. With a plethora of powerful and agile technology companies innovating daily, trying to model an information security program around one platform is nearly impossible. Without being able to maintain control, however, the trade-offs between risk and reward can be hard to reconcile.

In light of this, the goal for an information security team or network administrator should be to answer the question, “How can I leverage the agile nature of modern computing without losing control?"

The Deperimeterization of Computing

The rate at which users are going mobile and in-house applications are headed to the cloud has created an uncomfortable set of circumstances for a walled-garden information security program. With a lack of well-defined walls, how does an organization implement controls in a way that makes sense to its existing model of security?

The traditional wrapper of a firewall, IDS, and network VLANs isn’t readily available for a majority of cloud-related solutions, especially ones operating within the Software-as-a-Service (SaaS) model. There is a direct lack of control the farther you move up a typical cloud application stack. For many organizations, the ability to deploy a firewall or network ACL is a rarity in this evolving landscape.


The reality of deperimeterization

Consider a business which has moved their Customer Resource Management (CRM) platform to a cloud service provider. Previously, in order for an attacker to gain access to private customer data, the attacker likely had to go through the following steps:

‣ Identify the company’s external network space
‣ Determine potential external network or web application vulnerabilities to attack
‣ Attempt an attack, fail, and try again until one allows access into the network
‣ Completely bypass the Intrusion Detection System (IDS)
‣ Locate the internal network host which provides CRM management
‣ Pivot from one VLAN to another where CRM access is available
‣ Steal the credentials of an employee who has access to the data
‣ Leverage the stolen credentials, steal data, and transmit it out of the network, undetected

In a cloud model for the same software, an attacker’s steps are streamlined to:

‣ Find out which SaaS CRM the organization uses
‣ Phish or brute-force accounts for users (found on social media) at the company
‣ Log in to the SaaS CRM with the credentials, click “Export Data”, and close the browser

The adage that “an increase in convenience is often to the detriment of security” applies to this and many other scenarios concerning deperimeterization and security. By removing traditional security controls from the equation, high-value data is now more easily accessed by an attacker.

Increased risks and increased exposures

Not only are enterprises removing their traditional data security perimeters by increasing their use of cloud service models, but so are their end-users. With the advent of Bring Your Own Device (BYOD), consumer-facing SaaS offerings like DropBox, and a seemingly endless choice of social networks, end-users contribute to the blurred lines between personal and business data and separation of privilege.

While an organization’s users may adhere to reasonable best practices for that organization’s data, users may not be aware of security missteps they’re making in their use of new technologies. From issues such as reusing corporate passwords on random Internet sites, to leaving data within third-party file sharing services, users are increasing the potential exposure of data and their own credentials.

Authentication is the unifying factor — and attackers know it

While traditional network security models may be crumbling, the presence of some form of authentication control is still universally applied. Whether an end-user connects to a corporate VPN, a SaaS CRM, or a social network, authentication still provides the separation between immediate compromise and a fighting chance for data security.

Attackers have been emboldened by the ease with which data can be stolen. No longer are they required to jump over a dozen hurdles to steal a corporation’s data. In many cases, simply logging in as a user with stolen credentials will provide an organization’s intellectual property in minutes. Because of this, attackers are focused more than ever on cracking password hashes, phishing credentials, brute-forcing logins, and all of the other common attacks against password-based authentication models.

The failure of passwords

According to Mandiant’s research, 100% of security breaches involve the use of stolen credentials [2]. A decade ago this statistic may have been more shocking, but it makes sense when you consider the prevalence of password reuse and the success rates of attacks against user credentials via phishing and other methods. Because attackers no longer have to breach carefully deployed layers of a network to access data, attackers have shifted their efforts to determining the easiest ways to gain access to an individual’s credentials.

Instead of spending time writing complex exploits for network software, attackers are simply sending your employees a phishing e-mail. All they have to do then is wait for someone to be tricked into giving them the inbound credentials that will allow them to access your organization’s data. That scenario may not make for an exciting story, but the results can be devastating.

The reality of passwords and the end-user

While hard-to-guess passwords have been a security best practice for decades, we continue to see weak passwords used in high volumes [3]. The common use of weak passwords is revealed every time there is a public breach of an online service. In 2007, Microsoft Research found that the average web user had 25 accounts but only utilized 6.5 passwords among them [4], which is understandable, because who can keep 25 passwords in their head?

In Internet time, a lot has happened since 2007. It’s no stretch to assume that today the number of per-user accounts is more like 50 while the number of passwords is probably the same. With so many accounts to maintain, reusing passwords is likely the only way the average end-user can manage to remember them all without deploying a sticky note on their monitor. Even using password management software like LastPass is more complexity than the average user wants to deal with.

If authentication fails, other security controls may not help

Attackers succeed with stolen credentials because the act of impersonating a user is generally undetected by security controls. Users by their very nature interact with systems and data, which makes it exceedingly difficult to detect anomalies in most cases. Unless an attacker really makes their presence known, a system administrator will likely never notice there has been a breach.


When a user logs into a Virtual Private Network (VPN), they are often granted privilege and access similar to what they would have if they were physically in an office. By authenticating to the VPN, an attacker can bypass traditional security controls such as a firewall and IDS, gaining direct access to data and infrastructure. This is just one example of how authentication is not just another layer of security, but rather a keystone to the success or failure of many other mechanisms.

Two-Factor Authentication

Whether cloud or on-premise, mobile or local, the authentication of users remains a consistent part of the information security landscape. If an organization can strengthen their authentication mechanisms, the power shifts away from the attackers and back into an organization’s favor.

When a company utilizes two-factor authentication, attackers are unable to log in with a set of credentials that they were able to compromise. This additional factor strengthens your password perimeter from a chain-link fence into a brick wall for an attacker. Whether those credentials were stolen from a password leak of a popular web site, guessed through a brute-force attack, or lifted during a phishing campaign, the attacker is out of luck.

By using something that you have (such as your mobile phone) in combination with something that you know (like a password), the ability for an attacker to log in as you becomes extremely difficult in a majority of cases. While an attacker in a foreign country may be able to steal your password online, they will not likely be motivated to hop on a plane to steal your mobile phone as well.

As the deperimeterization of computing continues, authentication is the only place that strong security controls can be applied ubiquitously across the enterprise. When walls cease to exist, consistency of vendor disappears, and traditional security models no longer apply, authentication is the best hope for strong security to remain intact.


Two-factor, beyond other security controls, can be applied broadly from web applications to servers. In the never-ending fight for control, two-factor gives a fighting chance against the attackers who have nothing but time to break in and steal your organization’s data.

Duo Security is a pioneer in providing simple, secure, and affordable two-factor authentication solutions for business. Learn more at www.duosecurity.com.

1. “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture”, Forrester Research, November 2010.

2. “Dispelling The Myth: Bar of Security”, Mandiant, https://www.mandiant.com/blog/dispelling-myth-bar-security/

3. “The science of guessing: analyzing an anonymized corpus of 70 million passwords”, University of Cambridge, May 2012.

4. “A Large-Scale Study of Web Password Habits”, Microsoft Research, May 2007.
