Dark Web Monitoring Explained

 

The Dark Web is a scary place.  Even the name sounds very ominous.  Most people know that it is bad when business or personal information shows up on the Dark Web.  But at the end of the day, those same people do not really know what the Dark Web is and what is going on in the shadowy recesses of the anonymous Internet.  That is OK and to be expected.  The Dark Web is shady and cryptic and difficult to understand by design.

But Burk IT understands the threats associated with the Dark Web and the potential sale and distribution of valuable personal and business-related information.  Because the threat is real and awareness is key, Burk IT includes Dark Web monitoring in all of our core Managed Services agreements.  As part of that monitoring service, our customers will from time to time receive emails alerting them to compromises of content associated with their business user accounts.  This article will hopefully shed a little light on that process and how to react to and best leverage that information for the safety of the business and its individual computer users.

What is the Dark Web?

icebergBefore you can understand what is really taking place with Dark Web monitoring, you need first know what the Dark Web is and is not.  The best analogy I have seen to describe the Dark Web is to think about an iceberg*.  The top part of the iceberg, the part that you see bobbing up and down above the water, that is the public Internet or the World Wide Web.  This is the open part of the Internet where you can search for cat videos or find great lasagna recipes or read the box scores for your favorite baseball team.

Just beneath the surface of the water and expanding downward and outward is where the true mass and size of the iceberg lives.  This is the Deep Web.  These web servers are where the work of the Internet gets done.  This is where your online purchases get processed and your banking portal data gets generated.  This is where your social media history lives, and your private chats get hosted.  This is the home of the “cloud” and the backbone of e-commerce.

In an obscure, hard to find corner of the iceberg near the ocean floor lies the Dark Web.  This part of the Internet is not advertised, and it cannot be reached by traditional web browsers like Microsoft Edge or Google Chrome.  Access to the Dark Web requires the use of a Tor Browser which is designed to anonymize the PC and user exploring the far reaches of the Dark Web.  Dark Web websites end in the extension “.onion”, referring to the many layers of obfuscation in place to provide safely anonymous browsing.

Despite its ominous name, not every user on the Dark Web is a cybercriminal peddling his or her wares on the virtual black market.  Because of the anonymity it provides, the Dark Web is used by many legitimate groups including political dissidents, journalists, whistleblowers and even normal Internet consumers simply desiring to avoid the constant gathering of metadata traditional web browsing affords.  Yet, the Dark Web also brings together evil doers trading in child pornography, illegal drugs, violence and identity theft information.  Because of this illegal trafficking, Dark Web monitoring is an important component of any modern cybersecurity program.

What is Dark Web Monitoring?

Given the secretive and anonymous nature of the Dark Web, the logical question arises – what exactly is being monitored on the Dark Web?  This is a very important question to pose because many of the TV, web and print ads touting Dark Web monitoring would lead you to believe that these companies can definitively protect your identity and purge every bit and byte of your personal information from all these criminal forums.  That is not exactly the truth.

Dark Web monitoring was born from federal government contracts with private firms designed to understand what information was being posted and traded on the Dark Web for national security and law enforcement purposes.  These private firms quickly realized the commercial value of the tools and techniques they had developed, so business and personal Dark Web monitoring offerings were quickly designed and marketed to general public.

Dark Web monitoring services basically scour Dark Web news boards, commerce sites, and other forums looking for PII (personally identifiable information) that has been posted for sale or trade.  This research is performed using custom bots, software artificial intelligence and human assets to ensure the information is as timely and actionable as possible.  These services then correlate the PII detected with the corporate domains and user accounts being monitored and report on the findings that match.

The information reported by a Dark Web monitoring service varies from vendor to vendor but generally includes the following:

Username / Email address associated with the compromised account – This ID is typically associated with the domain name for the business or organization being monitored by the service.

Date the compromise was found – This is the date the service’s algorithms and human resources discovered the compromised information in the Dark Web.

Date reported / posted / added – This is the date the discovered information is validated and provided to the monitoring customer, usually via a traditional web portal or secure email.

Password / Password Hint / Password Hash – This is typically the entire cleartext password of the account in question, or a portion of that password as a verification tool for the end user.  A password hash is a masked version of a user password usually compromised from an online website or backend website resource.  These hashes are easily decrypted by cybercriminals and are, therefore, very damaging when discovered in the wild of the Dark Web.

PII information – Many monitoring services will also report whether additional personal information was present associated with the compromised credentials including full name, address, phone number, and social security number.

Source or origin of the compromise – This information is often speculative, but most Dark Web monitoring services will provide insight into the source or nature of the breach that led to the presence of these credentials and other PII on the Dark Web.

All of this information is value and warrants a response, but it is also very important to consider the information that the Dark Web monitoring service CANNOT provide and the actions the service CANNOT take on behalf of the compromised entity:

Date / Time of the original compromise – Monitoring services most often cannot pinpoint the exact date or time of a data compromise.  Even if the compromise is attributed to a known breach of a business, service, or website, specifics about the timing surrounding those breaches are not typically public knowledge.  If the compromise was the result of an attack against an end user such as phishing or a malware attack, knowledge of the timing of those types of attacks is nearly impossible.  It is also important to note that most of the information posted on the Dark Web was stolen weeks if not months earlier.

Date the compromised information was first posted to the Dark Web – Monitoring services have become extremely efficient at finding and correlating data from the Dark Web, but they are still far from the ability to monitor the whole of the Dark Web in real-time.  There can be a significant delay of days or weeks between the time information is posted to a site or forum on the Dark Web and its discovery by a monitoring service.

Removal of compromised information from the Dark Web – It is one thing to discover information associated with an individual on the Dark Web.  It is a wholly different problem to try to purge information from these forums and sites.  Generally speaking, once this proverbial genie is out of the bottle, there is no putting it back.  Remember, these are Dark Web MONITORING services.  They can let you know something bad has happened, but they cannot necessarily reverse the damage already done.

What should you do when you receive a Dark Web alert?

Many people will read the previous paragraph and decide that there is no real value in Dark Web monitoring if you cannot remove personal information once it is posted.  I would disagree on the following grounds – 1) It is better to know than to not know what personal information is in the wild, and 2) With knowledge comes power and the ability to better mitigate the situation quickly.  So, what should you do if you or your organization receives an alert that PII is on the Dark Web?

  • Rotate the passwords associated with the affected user account – The biggest fear for most business IT administrators is that when a website is compromised, the user’s password associated with that website may be the same password that person uses on the business network. Internet users have become creatures of habit when it comes to passwords and tend to reuse passwords across multiple sites and systems.  This behavior makes the job of the cybercriminal that much easier when he or she decides to see what all can be stolen using those compromised credentials.  Also, consider three other options when you are changing those passwords:
    • Switch from short, complex passwords to longer, easier to remember passphrases consisting of several words or a memorable sentence. Passphrases are significantly harder to crack for cybercriminals and require changing less often.
    • Consider using a good Password Manager (1Password / KeePass / LastPass). It is a good practice to use unique passwords or passphrases for every website and system you access.  A password manager is a safe way to keep up with all those different credentials.
    • Implement multi-factor authentication for websites and systems whenever possible. Multi-factor authentication in the form of authenticator apps or SMS texts adds a strong barrier to protect against identity compromise.  Even if a cybercriminal gets his or her hands on your username and password, that person still cannot authenticate as you without your phone or token.  Most major websites and services support multi-factor authentication now including Facebook, Twitter, Amazon and Google.
  • Request new credit cards and other account numbers when necessary – In some situations, Dark Web monitoring services can alert you to card or account fraud before the affected bank or store knows something has gone wrong. React quickly by alerting the bank or store and requesting new account info.
  • Consider freezing your credit – The best way to prevent identity theft and stop the bad guys from opening lines of credit in your name is to take away that option. Freezing your credit line by contacting each credit bureau (Equifax, Experian, and TransUnion) is an easy, low cost process that can provide peace of mind despite the scary nature of the Dark Web.
  • Educate! Educate!  Educate! – The best thing anyone can do to fight cybercrime is to learn about the enemies at the gate, learn how to keep out and fight back against those enemies, and then share that information with others.  Train yourself.  Get training for those around you.  Share what you have learned.

Hopefully this article has helped to demystify the Dark Web and add some clarity to the process surrounding Dark Web monitoring.  The tools that protect us from cybercrime keep getting stronger and more effective.  We too need to continue to get stronger in our knowledge of the threats we face and the actions we need to take to protect ourselves.  Keep fighting!

 

* Susan Grant of the Consumer Federation of America

Ransomware – Are We Asking the Right Questions?

ransomware-2320793_640

Pete Linforth from Pixabay

A couple of weeks ago, a story broke on our local news outlets involving a ransomware attack against the Smyth County Virginia school system.  Smyth County is located in Southwest Virginia and is comprised of 3 towns (Marion, Chilhowie and Saltville) and approximately 32,000 residents.  The focus of the majority of the news coverage for this cybersecurity event surrounded the fact that the ransomware attack forced the school system to shut down significant portions of their network including student Internet access as a precaution against the spread of the ransomware infection.  Interviews with the school system’s Director of IT revealed that several Windows-based servers were encrypted and inaccessible.  Recovery from backups was underway for those resources as the school system had wisely chosen not to pay the ransom.

Subsequent follow-up coverage of this event has revealed the continued efforts by the school system to recover data and rebuild servers, and the steps the school system has taken to mitigate the impact of a future ransomware attack.  According to the system’s Director of IT, new anti-malware software is being deployed and a previously planned project to move additional systems to a cloud-hosted platform has been moved up on the calendar and expedited.  All of this information has added to the overall ransomware narrative and the difficulties that any organization would face if infected by a ransomware attack.  But as an IT security professional, I find myself incredibly frustrated by this event and the general emphasis of the news story that has been crafted and repeated.  My frustration lies in the simple fact that two very important questions have not been asked and answered – 1) How did the ransomware infiltrate the school system’s network? and 2) What controls were in place to prevent this attack in the first place?

These two questions are at the heart of the “how” and the “why” of this event, and it is from the answers to these two crucial questions that we actually learn something of value from this painful experience.  Everything discussed in the media to this point and everything shared by school system officials has been reactive in nature.  The network was shut down and Internet access was disabled to prevent the spread of the infection after it had taken hold in the Windows environment.  New anti-malware software is being deployed to prevent future attacks.  Data is being moved to the cloud to limit future exposure.  All of this work is important for Smyth County.  But for the rest of us, and more specifically, for other school systems in the region, the conversation needs to be centered on how the infection started, which controls worked, which controls failed, and which controls were simply missing that led to downtime, system failures and the potential loss of critical data.

Many of the reactionary controls mentioned to this point may not be affective against future ransomware attacks based on the changes in attack vectors used by cybercriminals today.  According to the 2019 CrowdStrike Global Threat Report, more than 70% of attacks against healthcare and education targets in past year were malware free.  This means that the initial tactic used by the cybercriminal did not result in a file or file fragment being written to disk on the target platform.  In other words, the bad guys used social engineering, stolen credentials or some other out of band mechanism to gain access to the information they were targeting.  Technical controls like signature-based anti-malware software cannot defend against these types of attacks.  Nor does moving data to a cloud-hosted platform fully mitigate the threat.

Some will ask why should we invest so much energy and money – and in the case of school systems we are talking about tax payer money – into combatting these types of threats.  The biggest publicly disclosed impact of the attack on the Smyth County school system was the loss of Internet access for students and staff over a two- or three-day period.  I have no doubt many parents in Smyth County were pleased to know their students had a break from the Internet for a few hours a day.  But Internet access was the biggest publicly disclosed impact, not the only impact of this type of attack.  Actual data exfiltration has not been confirmed, and data is often the biggest motivator for cybercriminals.

The 2019 Verizon Data Breach Investigations Report revealed that 80% of all breaches targeting the education sector were financially motivated, and of all reported breaches in the education sector, 26% resulted in some form of data disclosure.  Think for a moment about the type of data a school system has under its control.  For students, the school system maintains records including name, address, phone #, email address, social security #, and in many cases, medical records.  For parents, the system has similar information and, in many cases it often has some form of payment-related information.  For school system employees, the records are even more detailed.  All of these data types are incredibly valuable for cybercriminals wanting to forge identities or generate other more targeted attacks.  Consider too the fact that these students are typically under the age of 18 and do not have any form of identity protection in place or at their disposal.

I realize that the tone of this article can and may be seen as an indictment against the IT team in Smyth County, but that is far from the case.  From all accounts, that team of IT professionals identified the threat and responded quickly to limit its spread.  There were clearly requests and plans in place to strengthen the network that are now being green lit and expedited.  I believe they did everything in their power to defend their infrastructure as best they could.  Like many things in IT, success comes down to human resources and budget, neither of which tends to stretch very effectively.  My goal is not to shine a light on any failures in Smyth County, Virginia, but to instead shed some light on the larger problem all of us face in terms of a lack of understanding and preparedness when it comes to these types of cybersecurity threats.

So far in this post, I have provided a ton of critical feedback surrounding how this breach was covered in the news and how the school system did or did not respond, so allow me to stop and provide some applicable recommendations on how to help mitigate if not prevent these types of attacks moving forward:

  • Deploy an Advanced Malware Protection Platform to replace traditional signature-based anti-virus software – Gone are the days when we can wait for and trust a downloaded signature file from an anti-virus vendor to defend us against malicious activity on our PC’s and servers. Threats are evolving too quickly for signature files to keep up and many threats do not involve detectable code.  Organizations need a platform in place that can intelligently monitor, detect and remediate threats based on computer and application behavior, anomalous end user inputs, and unexpected or inappropriate network traffic.  Many sound platforms exist, and many include 3rd party monitoring components that can increase response times to threats and reduce the potential impact of false positive detections.
  • Implement modern UTM (unified threat management) controls and DNS-based content filtering on all ingress/egress points for the network – We can no longer rely on basic stateful packet inspection and port-based firewall rules to successfully filter our Internet traffic. Modern UTM can filter and inspect at the application level, and DNS-based content filtering can successfully identify and restrict access to those command and control servers so many ransomware platforms rely on for effectiveness.  Some statistics give DNS-based content filtering a success rate against ransomware infections as high as 93%.
  • Upgrade and patch your servers and PC’s – This sounds like an obvious statement, but far too many school systems still rely on donated hand-me-down hardware from businesses and higher education resources to survive. Those computers are often running outdated operating systems and have no mechanism in place for properly patching and security updates.  It only takes a small toe hold on the network for the bad guys to land and expand and wreak havoc.
  • Train your employees and students, all of them, frequently – Social engineering (phishing, vishing, in-person) is the biggest threat to most organizations. All the technical controls in the world cannot prevent an end user with authorized access from doing harm to a network.  We have to educate everyone to the threat landscape.  We have to teach individuals how to respond to social engineering and other observed unusual activity.  People need to know who to inform and to do so quickly.  And this education should span beyond the four walls of the organization to the home and personal IT security best practices.  The threats are real whether we are at work sitting at our desks or at home sitting on our couches.
  • Develop more than a backup solution. Build a disaster recovery plan and test it – During the initial interviews with school system officials in Smyth County, those officials indicated that server restoration processes were underway using backup data.  In one follow-up print article nearly two weeks later, those same officials indicated that those restoration processes were still ongoing.  Depending on the criticality of the system and data affected by an attack, most organizations cannot wait weeks for systems to come back online.  It is incredibly important to consider and define a valid Recovery Time Objective for the organization.  How long can you survive without access to your information and systems?  Based on the answer to that question, deploy redundant servers and backup solutions that can have you back online and functioning before it becomes too late for the effective survival of your organization.

Over the last couple of weeks, I have been reading The Only Plane in the Sky – An Oral History of 9/11 by Garrett M. Graff.  This book is a heart wrenching compilation of 1st person accounts from those people who lived through the hours and days surrounding that life altering day in our nation’s history.  Through these personal stories and quotes, I am reminded that we as a nation responded to those attacks using emergency procedures and protocols that were largely born from the Cold War.  Some of that training and some of those plans and procedures were effective and saved lives and restored some order to a chaotic situation.  Other components of those plans and procedures were completely inapplicable to the situation, leaving many government officials and first responders groping in the dark for answers and developing strategies on the fly to cope with the disaster at hand.  We need to learn from that horrific day.

I am wholly convinced that the next great threat to our country is not another series of plane hijackings or a terrorist with a bomb or even a nuclear weapon controlled by a hostile nation state.  The next great threat we face is a cyber-attack against our infrastructure.  It may come from a terrorist cell, a politically motivated activist group, a hostile nation or even a highly motivated disgruntled individual, but it will come, and it will wreak havoc on our way of life.  I am far from convinced that we are properly prepared.   Such an attack can be mitigated, but it will take each and every one of us.  It will take IT professionals willing to work hard, deploy the right controls, and avoid the short cuts that make our computer networks vulnerable.  It will take organizational leadership willing to invest the right amount of time and energy and funding to support those IT professionals.  And it will take the rest of us, willing to train, build good personal security habits, and learn the signs of a cyber-attack and how to respond appropriately.  The time for reactive responses is over.  We need to become proactive.  We need to prepare.  And we need to continue the conversation loudly and publicly.

WannaCrypt / WannaCry: What you need to know

By now, most of the world is aware of the major cyberattack in the form of ransomware that hit and rapidly spread Friday known as “WannaCrypt” or “WannaCry”.  Though initially concentrated in Russia and Eastern Europe, the ransomware infection quickly spread around the world, including significant infections in Great Britain’s medical and hospital communities.  This attack was and is particularly nasty and potent because it has incorporated a worm that lands on the initially infected host and then spreads to all other servers and PC’s on the network by leveraging a known Microsoft vulnerability.  The initial infection mechanism appears to be in the form of email phishing, but after that point, the spread of the worm is automated and ruthlessly effective.  Infected systems experience the encryption of critical data and receive a ransom notice demanding $300 in bitcoin for access to decryption keys.  Encrypted files on infected systems use the extension “.wncry”.

Microsoft addressed the exploit leveraged by the worm (EternalBlue) on all supported platforms in a patch released in March 2017 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – though unsupported legacy platforms (Windows XP, Windows Server 2003, Windows 8, etc.) remained susceptible to infection.  Due to the rapid spread of the WannaCrypt worm around the world on Friday, Microsoft developed and released a special legacy patch for unsupported platforms as well – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ .

Major security firms have worked diligently to develop and deploy signature updates to anti-malware and IPS solutions to limit the spread of this strain of ransomware.  The ransomware appears to attempt to communicate via an SMB flaw over specific UDP and TCP ports – UDP ports 137 / 138 and TCP ports 139 / 445.  Fortinet released an IPS signature in March to address these types of SMB vulnerabilities and has since updated the IPS signature to enhance detection.  Over the weekend, Fortinet also released a specific AV signature capable of detecting and stopping the attack.  See the following link for more details – https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware .

What should you do to protect your organization from “WannaCrypt”?  Make sure you have done the following:

  • Verify that all Microsoft platforms have been patched with the March 2017 release – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Identify and manually patch any unsupported, legacy Microsoft systems (Windows Server 2003, Windows XP, etc.) with the Friday release – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Verify all IPS and Anti-Malware/Anti-Virus signatures are up to date on all systems including servers, desktops, firewalls and other security appliances.
  • Isolate any vulnerable systems and specifically isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
  • Educate your end users. Explain the nature of the threat.  Make them aware that they should be cautious when dealing with unexpected or unknown email messages.

The following are additional links to good information and guidance concerning this ransomware outbreak:

https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

https://www.infosecurity-magazine.com/news/wannacry-ransomware-orgs-patch/

The Shadow Brokers, Microsoft, and the NSA – What you need to know

Over the Easter Holiday weekend, the Shadow Brokers, a hacking group that came to light over the summer of 2016, released a list of exploits and zero-day attacks targeting Microsoft Windows operating systems and applications among other technologies.  These exploits and zero-day vulnerabilities are purported to be part of a leaked list of NSA tools used for covert surveillance.  This is the fifth release of information by the Shadow Brokers since August 2016.  Speculation as to the motives behind this group of hackers ranges from the possibility of an internal NSA whistle blower to potential Russian hacking and propaganda.  Regardless of the motivation, these exploits and vulnerabilities pose a significant threat to many organizations and should be addressed immediately.

On Friday, April 14, 2017, Microsoft’s Security Response Center (MSRC) published a response to the list of exploits detailed in the Shadow Brokers release (MSRC Response can be found here).  Fortunately, most of the exploits listed have been addressed and patched by Microsoft prior to April 2017.  Three remaining exploits are not actionable on currently supported Microsoft platforms (Windows 7 / Exchange 2010 and forward), but are threats to unsupported, legacy Microsoft operating systems and applications.  Microsoft is actively encouraging all users to upgrade to a supporting platform or offering as soon as possible.

As a Microsoft user or admin, what should you do to address these threats in your environment?  The following are several important steps to consider:

  • Make sure that all your systems are properly patched with the most current Microsoft critical and security related updates. Use Microsoft’s WSUS (Windows Server Update Services) or other third party tools in your patching process to ensure you have a reporting mechanism in place so that no systems are missed.
  • Have a process in place to monitor the existence of legacy, unsupported operating systems and applications and have a plan to upgrade these systems to supported platforms before they become a risk. If you have Windows XP, Windows Vista, Windows 2003 Server, or Exchange 2003 in your environment, you are at risk.
  • Strengthen your perimeter defenses by using mature firewalls and content filtering solutions to limit the amount of malicious traffic entering your network. Consider DNS-based content filtering and advanced malware protection as layers to protect against intrusions, viruses and malware that can leverage these released exploits and harm your network/computer environments.
  • Do not ignore third party applications in your patching process. Patching Windows updates alone is not enough.  There are many other exploits and zero-day vulnerabilities in the wild for third party applications that can threaten your network.  There are strong 3rd party tools that can address other applications like Adobe Flash, Adobe Acrobat Reader, Java and web browsers along with your Microsoft operating systems and applications to ensure all your systems are fully patched and monitored.
  • Train your users and share threat information as it becomes available. Do not shy away from making users aware of the threats they face.  Decent, focused training and timely awareness emails can make a difference.  An aware user will hesitate before clicking on a suspicious link or opening an email from an unknown source, and that hesitation can and will keep malicious content off your network.

MFA in the USA

defenseindepthCastleWhat prevents a democratic republic like the United States of America from devolving into a dictatorship?  What stops the President from seizing control of the country?  What limits the power of Congress and stems the possibility of corrupt and unjust laws?  The answer to these questions is a simple one and known by every child in every social studies class across America – a system of checks and balances.  All the power and all the responsibility is not invested in any single branch of government.  Responsibility is divided and power is shared.  This simple, yet ingenious approach to government has preserved the sanctity and security of our nation for more than 240 years.  This concept of checks and balances has also proven its value in other segments of life and business including the principles of IT security.

Checks and balances permeate almost every aspect of a sound IT security program.  The practice of this concept is known by many different names – separation of duties, layered perimeter defenses, 3rd part auditing, and most recently multi-factor authentication.  The latter (Multi-factor authentication or MFA) has become particularly relevant in the last several months and has spurred many debates over the how’s and why’s of identity and access management.  As such, there is tremendous value in exploring its significance as a check in the computer authentication process and understanding what it does and does not do to protect a user’s identity and system access.

At its core, MFA is built on the principle of “something you know” and “something you have”.  The “something you know” is fairly straight-forward.  You know your username and your password.  The “something you have” can be a little trickier.  Sometimes it is a physical token you use, such as a key card or a USB drive you insert into your computer.  Other times it is a piece of software generating a code on your smartphone or a text message you receive from an authenticating system.  The end goal of this authentication process is to separate the two items.  The “something you have” is separate from the “something you know”.  It is out-of-band and not easily intercepted by someone or something attempting to compromise the authentication process.  In a modern world filled with cyber criminals lurking around every corner armed with phishing attacks and social engineering tricks and treats, protecting user identities has become a full time job and the most trusted tool in the trade has become multi-factor authentication.

The title of “most trusted tool” for MFA is frankly quite accurate and far from a literary exaggeration.  What was once an optional security feature left to IT security aficionados and the truly paranoid, MFA has, over the last year, become a standard authentication mechanism for numerous businesses, online retailers and service providers.  This tremendous growth in use has been fueled by the fear of identity theft and financial loss associated with email phishing schemes and online hacking.  Multi-factor authentication has provided some much needed peace of mind as a second layer of protection for users fearing compromise because it prevents access to systems and websites even if a user’s password has been successfully stolen or intercepted by a cybercriminal.  Just because “something you know” has been stolen, the “something you have” still protects your account.

As users have become more comfortable with and accustomed to MFA, a new question has arisen that deserves our attention.  Users are now asking, “If my password is now protected by multi-factor authentication, then why do I need to worry about following all of these strong password requirements?”  Those requirements typically include longer, randomized passphrases comprised of case-sensitive letters, numbers and symbols.  The answer to this question is also quite simple.  Multi-factor authentication is not perfect.  As a process, it can be broken, sidestepped, or even experience outages.  In just the last week, PayPal announced that it had corrected a flaw in its two-factor authentication mechanism that allowed for the bypassing of the secondary security layer altogether.  Apple in the last 72 hours announced an emergency security update that addressed among other issues a flaw in its authentication process that would allow for remote access to and jailbreaking of iOS devices.  These are only 2 examples among many others because, at the end of the day, we are dealing with technology written and maintained by humans, and humans make mistakes.

Remember that at its core, MFA is an extra layer of protection for the authentication process.  It is not a replacement for strong passwords, but instead should be viewed as in addition to strong passwords.  It is part of a checks and balances system that has evolved in the world of strong authentication, and in this system, just as we discussed in the introduction of this article, power and responsibility is both divided and shared, but never exclusive.  IT security defenses, like the defenses used throughout the history of humanity, are most effective when they are layered.

This article began with the example of a historically validated and somewhat aloof core principle of democratic society.  Allow me to end it with some of the sage advice I received from my grandmother over and over throughout my formative years.  Don’t put all of your eggs in one basket.  Do not assume that just because one of your layers of defense is strong, the others are suddenly less important.   You need both checks and balances.  The responsibility for secure authentication is both divided among and shared by the multiple factors in use.  Every factor needs to be strong and reliable to ensure the safety of the user involved and the system being accessed.  Given the prolific growth of cybercrime in the world, now is not the time to cut corners and to sacrifice security for expediency.  Now is the time to strengthen your walls, to deepen your moats, and to raise your drawbridges.  The cyber criminals are coming, but you don’t have to let them in.

Lions and Tigers and Passwords and Hoaxes, oh my!

Many of you may have seen a great deal of bluster in the main stream media and general interest IT circles over the last few days concerning the possible breach and release of tens of millions of Google, Yahoo, and Microsoft credentials.  This breach was attributed to a Russian hacker after a huge, low cost dump of credentials flooded the black market.  I have personally seen multiple emails and alerts floating around the Internet from “experts” spreading large quantities of FUD (Fear, Uncertainty and Doubt), claiming that passwords should be rotated immediately, not only for Google, Yahoo, and Microsoft, but also any other systems that might have the same or similar credentials.  Fortunately, professionals in the IT Security community saw through this hoax fairly quickly and never raised the red flag.  The data dump in question proved quickly to be more than 98% dummy data.  Even on the black market, too good to be true usually means it is not what it appears to be.

So what should be the takeaways and lessons learned from this type of event?  We can certainly learn a great deal from these types of false alarms.  Here are a few of my thoughts and suggestions:

  • Don’t overreact – Wait for the IT Security professionals and the vendors in question to weigh in before assuming that all is lost. Google, Yahoo and Microsoft were quick to verify the data was false and confirm that a breach had not occurred.  Though I am never against periodically rotating passwords, sometimes these hoaxes are designed to fuel a mass password change panic which is then exploited by phishing attacks and other credential harvesting techniques by the bad guys.
  • Don’t focus only on passwords – Consider utilizing multi-factor authentication for web mail and social media accounts. Twitter, Linkedin, Google, Yahoo, Microsoft and others all support free, multi-factor authentication mechanisms as a protection against the theft of usernames and passwords.  Multi-factor authentication basically means that in order to sign into a service, either via your PC or your mobile device, you must have something you know (your username and password) and something you have (your smartphone text message or token).  This type of protection can buy you the time you need to investigate alerts while knowing your credentials are safe from misuse.
  • Lessen the impact of lost credentials – Always use separate passwords for different services and accounts. In the event a credential is lost or compromised, you are only exposed for that one service or resource.  I fully realize this strategy creates some overhead in managing lots of usernames and passwords, but fortunately there are many great password management tools on the market today to help remedy this problem.  I am personally a fan of tools like 1Password and LastPass.
  • Have good resources on stand-by to help – IT Security is an ever-evolving, specialized field. Make sure your IT services team has expertise on staff and is ready to help.  Consider finding trusted sources you can follow via an RSS feed or Twitter to know what is really going on in the world of IT security so that you can better differentiate between the hoaxes and the real threats.