Worst Best Practices: Two Factor Authentication #GartnerSecurity
These are notes from the last session at the 2009 Gartner Security Summit, a tongue-in-cheek look at the worst "best practices" in IT.
The real problem here isn't with two factor authentication as such, it is with bad implementations. Inconsistent definitions of "two factor" let implementers call whatever they want two factor authentication. Not every factor is equally strong, and two weak factors can add up to less assurance than one strong factor used by itself. The level of assurance and accountability of each factor should be considered, not just the count.
In reality even a password by itself can be two factor: something you have (a company laptop) or somewhere you are (the office network) in addition to something you know. The caveat is that the laptop or the network only count as factors if the system actually verifies them (a machine certificate, a source address check); a context that is merely assumed adds nothing.
We've all logged into our bank and been asked for something we know (our password) and then something else we know (personal details, the answers to "secret questions"). That is two instances of the same factor, and the second one is often discoverable. When used like this, "two factor" authentication is security theater.
So: use more than just a password when you claim two factor authentication. Or the reverse, require a PIN when using a token for authentication. Otherwise authentication is granted by mere possession of the device, which is one factor, and a stealable one.
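To make the "token plus PIN" point concrete, here is an added example (not code from the post or the presenter) of a login check that requires both a one-time code from a token and a PIN, and rejects either one alone. The code uses the TOTP algorithm from RFC 6238 (published after this post), which is HOTP from RFC 4226 with HMAC-SHA1 and a 30-second step; the shared secret is the RFC 6238 test-vector secret and the PIN, function names and time values are constructed for the demo.

```python
"""Added example, not from the post: a login check that needs BOTH a
one-time code from a token (something you have) and a PIN (something you
know), so possession of the device alone never authenticates.

The token code is TOTP per RFC 6238 (HOTP per RFC 4226 with HMAC-SHA1 and a
30 s step). The secret and PIN below are constructed demo values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def totp_matches(secret: bytes, code: str, now: int, skew: int = 1,
                 step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- `skew` neighbours for clock drift.
    Every candidate is compared so timing does not reveal which one hit."""
    counter = now // step
    ok = False
    for n in range(-skew, skew + 1):
        if counter + n < 0:
            continue  # no steps before the epoch
        candidate = hotp(secret, counter + n, digits).encode()
        ok |= hmac.compare_digest(candidate, code.encode())
    return ok


def verify_login(stored_pin: str, token_secret: bytes,
                 presented_pin: Optional[str], presented_code: Optional[str],
                 now: Optional[int] = None, digits: int = 6) -> bool:
    """Two distinct factors or nothing. A correct token code with no PIN is
    'mere possession of the device' and is rejected; so is the PIN alone."""
    if not presented_pin or not presented_code:
        return False
    now = int(time.time()) if now is None else now
    pin_ok = hmac.compare_digest(stored_pin.encode(), presented_pin.encode())
    code_ok = totp_matches(token_secret, presented_code, now, digits=digits)
    return pin_ok and code_ok  # both evaluated; no early exit on PIN failure


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret; demo only
    PIN = "4711"                      # constructed
    t = 59                            # RFC 6238 test time (8-digit code 94287082)
    code = totp(SECRET, t)
    print("pin + code :", verify_login(PIN, SECRET, PIN, code, now=t))   # True
    print("code only  :", verify_login(PIN, SECRET, None, code, now=t))  # False
    print("pin only   :", verify_login(PIN, SECRET, PIN, None, now=t))   # False
```

Two things a production verifier adds that this demo leaves out: it remembers the last accepted counter per token so a code captured inside the skew window cannot be replayed, and it rate-limits PIN guesses, since a four-digit PIN on its own is only as strong as the lockout policy around it.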
Archive for July 2009
Worst Best Practices: Two Factor Authentication #GartnerSecurity
Worst Best Practices: Regarding Default Deny Rules #GartnerSecurity
The Gartner Information Security conference is over so I have a chance now to catch up on some blogging. I’m planning to spread my posts out over a few days.
The last session was a tongue-in-cheek (or sometimes just truthful) look at the worst "best practices": dumb ideas that have been accepted as gospel, ideas that were once fine but whose time has passed, and technologies that aren't as useful as they are billed.
First on the list of questionable security best practices is Default Deny. Default deny is ingrained in security culture, and the discussion leader said that is exactly the problem: what was meant as a technical rule for firewall policy became a cultural mantra. It was a repeated refrain during the conference that "Infosec is known as Dr No". We need to be aligned with the business first and foremost.
A "default deny" Infosec is one that is innovation-phobic. When Infosec says "no", the business will circumvent, and now you're in a doubly worse situation: the activity is taking place, and it's completely unmanaged. As an aside, my goal is to allow users to do it, but make it secure. In the case of IM, you get IM security and block IM that circumvents it. You provide a VPN and block GoToMyPC.
The presenter argued that default enable supports innovation. You block known bad and you monitor the rest. And here's the worst part of the argument in my opinion: you use a honeypot to look at what the bad guy is trying to do to your open port, and you learn. (This is a horrible argument because you are potentially destroying your company's security for your personal edification. Also, honeypots can still exist in other network locations; default allow on the firewall is not necessary for that.)
Ultimately, this presenter's goal wasn't Jericho (the Jericho Forum's de-perimeterization). The goal of removing default deny is expunging Dr No rather than removing the last rule on everyone's firewall.
The discussion was interesting as well:
1. If you think you're doing "default deny", you are wrong. The universal firewall traversal exploit (80/TCP) and the secure universal firewall traversal exploit (443/TCP) let plenty through. Beyond that, users work to circumvent default deny by other methods, accidental and intentional.
2. This talk of needing to align ourselves with the business is wrong. We're a part of the business.
3. If we don't assume badness and default deny, we will be drilled by innovating bad guys who are always a step ahead.
4. Control is an illusion of your personal experience.
5. How many companies have failed due to an Infosec breach? (I think this was an argument for default allow.)
6. Sometimes you have to let them fail. I hear infosec people say this, but what about due care? You can't just wash your hands and wait for them to shipwreck. Make sure you have a get-out-of-jail-free card.
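The "default enable versus default deny" argument above, and discussion point 1 about 80/TCP and 443/TCP, both come down to what a rule can actually see. The following is an added example (not from the post or the presenter): a small first-match policy evaluator that runs the same constructed flows through a "block known bad, allow the rest" policy, a port-based default deny, and an application-aware control of the "provide a VPN, block GoToMyPC" kind. Zones, ports, application labels and flows are all constructed for the demo; the `app` field stands in for what a proxy or DPI engine would classify, which a plain port rule never sees.

```python
"""Added example, not from the post: a first-match policy evaluator used to
compare "default enable" (block known bad, allow the rest) with a port-based
"default deny", and both with an application-aware control. Zones, ports,
application labels and flows are constructed for the demo; the `app` field
stands in for what a proxy or DPI engine would classify, which a plain port
rule cannot see.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    dst_zone: str   # constructed zone name, e.g. "internet"
    app: str        # what the traffic really is; invisible to port rules


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None = wildcard
    dst_port: Optional[int] = None
    dst_zone: Optional[str] = None
    app: Optional[str] = None       # only an app-aware control can match on this

    def matches(self, f: Flow) -> bool:
        return all(want is None or want == got for want, got in (
            (self.proto, f.proto), (self.dst_port, f.dst_port),
            (self.dst_zone, f.dst_zone), (self.app, f.app)))


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]   # ordered; first match wins
    default: str              # action when no rule matches

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


# "Default enable": only the known-bad ports are blocked.
DEFAULT_ALLOW = Policy("default allow", (
    Rule("deny", "tcp", 23),
    Rule("deny", "tcp", 445),
), default="allow")

# Port-based default deny: just what the business asked for.
DEFAULT_DENY = Policy("default deny", (
    Rule("allow", "tcp", 80, "internet"),
    Rule("allow", "tcp", 443, "internet"),
    Rule("allow", "udp", 1194, "internet"),   # the corporate VPN (constructed)
), default="deny")

# The post's approach: provide the sanctioned service, block what circumvents it.
APP_AWARE = Policy("app aware", (
    Rule("deny", app="remote-access-saas"),   # first, so it beats the 443 allow
    Rule("allow", "tcp", 80, "internet"),
    Rule("allow", "tcp", 443, "internet"),
    Rule("allow", "udp", 1194, "internet"),
), default="deny")

# Constructed flows, including a remote-access tool riding the 443 hole.
FLOWS = {
    "https": Flow("tcp", 443, "internet", "https"),
    "telnet": Flow("tcp", 23, "internet", "telnet"),
    "vnc": Flow("tcp", 5900, "internet", "vnc"),
    "corp_vpn": Flow("udp", 1194, "internet", "openvpn"),
    "remote_access_over_443": Flow("tcp", 443, "internet", "remote-access-saas"),
}


def verdict_matrix(policies=(DEFAULT_ALLOW, DEFAULT_DENY, APP_AWARE),
                   flows=FLOWS) -> dict:
    """{policy name: {flow name: action}} for every combination."""
    return {p.name: {n: p.decide(f) for n, f in flows.items()} for p in policies}


if __name__ == "__main__":
    for name, row in verdict_matrix().items():
        print(f"{name:14}", "  ".join(f"{k}={v}" for k, v in row.items()))
```

The matrix makes the two halves of the argument visible at once: the default-allow policy passes the unknown VNC session that nobody asked for, while the port-based default deny stops it; but both wave the remote-access tunnel through on 443/TCP, exactly the hole discussion point 1 describes. Only the control that can name the application blocks the circumvention while still allowing ordinary HTTPS and the sanctioned VPN.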
My thoughts:
I hate the concept that if I can't prove something is insecure then it must be secure. You run into that all the time with patching or with any new service. To these people it is not enough to have a concept of how a service would be exploited; you have to demonstrate the exploit. It will be a challenge going into the future as services become more dynamic, technology more consumer-oriented, and access to data is needed anywhere.

