Passwords have been a weakness of network security since the development of computer networks. Through guessing weak passwords, exploiting weak passwords, acquiring passwords through social engineering, or more recently using malicious software like Advanced Persistent Threats (APT), attackers have focused on compromising passwords to gain access to the network.
The traditional approach to defending against password attacks has focused on user awareness training, ever increasing password complexity requirements, certificate based authentication, and multi-factor authentication. Defenses that rely on the user are often subject to apathy, non-compliance from the user, and lack of enforcement of company policies that render them ineffective.
Two-factor authentication technologies have suffered from poor adoption because of high costs, resistance from the user community, and in some cases, vulnerabilities in the two-factor technology that attackers can exploit. Current trends in APT malware have targeted both password collection and two-factor authentication, which have further reduced their effectiveness.
[HELP IS ON THE WAY: 15 free security tools you should try]
Further complicating the job of protecting the network is an explosion in mobile devices requiring access anywhere, and a strong focus on international business. The days of having a contained network that only uses company-managed devices on secured networks are largely over. Today's network is global, persistent across devices, and must be available to the user from any device at any location. If the organization does not provide this capability, in most cases the user will work around the organization.
Defending user access to network resources in today's information requires a defense-in-depth approach that consists of understanding the company's risk tolerance, understanding the company's user base, and deploying technology solutions that align with the users and the business.
The first step in developing an effective defense is to understand how the company uses the network and what the expectations for usage are. This requires the network architect to go beyond what is written in the policy documents and observes what users are actually doing. An effective approach to identify this is to meet with non-IT business staff and discuss how they use technology. Additionally, walking around business locations can provide great insight into how people are using technology. Many IT departments that have "banned" mobile devices or remote access from home are surprised to find that users bring their own devices in spite of policies.
Understanding how employees use technology to do their jobs is also essential. The requirements for a sales department may be much different than those of a data entry clerk. Manufacturing personnel may already be using unapproved devices through their tendency to solve technical problems and get the job done.
Finally, understanding the culture of the organization will help determine what technology is acceptable. Are users free roaming creative professionals that stress art over function? Are the users very conservative and professional? Each of these could drive very different solutions. At the end of the day, if the user does not accept the technology, they will find ways around it.
Today, technical solutions to protect the network beyond passwords fall back to two classic concepts in information security that are "least privilege" and Authentication Authorization & Accounting (AAA). All technical mechanisms must take the approach of allowing the least amount of access that users need to do their job, make reasonably sure the users are who they say they are, make sure they are assigned access to limited resources, and their activities are accounted for and anomalies are identified.
Least privilege must be applied based on more than the user's identification. Different levels of access should be applied based on the type of device being used to access the network, when the network is accessed, and where the network is being accessed from. User access profiles should be developed for the most common access scenarios that users utilize to access the network. For example most organizations will have the following categories (most to least secure):
" User on the internal network on a managed device
" User on the external network on a managed device
" User on the external network on a non-managed device
" User on the internal network on a non-managed device
Each of these categories should be assigned a set of resources that they are allowed to access, which could include restrictions to certain server or services. Unmanaged devices should be directed to services that provide abstract access that limit the volume of activity a user can access.
For example, a Citrix Xen App or Microsoft Terminal Services access could be allowed to limit the amount of information an attacker could retrieve from the network. Access controls should be designed to contain a compromised account to the least amount of access and the least amount of data loss possible. This concept can be extended to internal network segmentation to protect sensitive internal networks such as process control, financial and manufacturing systems.
Technologies such as Network Admission Control, SSL VPN with posture assessment, Mobile Device Management (MDM), and virtual desktop/application presentation applications have matured to a point where they provide network designers effective tools to control network access.
The network should be designed in a way that leverages the technologies to provide users the least privilege while at the same time enabling them to leverage technology. Most network vendors are heavily focused at integrating these technologies into their products.
Implementing least privilege is designed under the assumption an account will be inevitably compromised. Even though a compromised account should be expected, steps should be taken to reduce the probability of a compromise occurring and detecting abuse as rapidly as possible.
Classic password policies and user awareness training provide a basic level of protection that most organizations will need to implement. Password policies should be implemented in a way that is accepted by the user base. Requiring overcomplicated or frequently changing passwords in most cases will result in users repeating passwords or writing them down.
Multi-factor authentication is another line of defense that can be implemented to protect authentication. While effective in reducing risk, most organizations limit multi-factor to external access to the network due to the cost of the technology and limited user acceptance of the technology.
Organizations should focus on deploying multi-factor authentication for systems that provide external access to sensitive applications or massive amounts of data. It should be remembered that no multi-factor authentication method is invincible, but is another tool to reduce risk.
Password authentication is a weakness that we will have to live with for the foreseeable future. But through defense-in-depth security architectures that address authentication as a holistic system of people, processes and technologies, a company's risk can be reduced. Reducing risk to a level that allows the organization to function in the most efficient way possible should be the goal of all network and security professions.
Alexander Open Systems (AOS) the premier systems integrator in the Midwest.
Read more about wide area network in Network World's Wide Area Network section.
This story, "Securing the Network Beyond Passwords" was originally published by Network World.