Securing the network beyond passwords

Passwords have been a weakness of network security since the first computer networks. Whether by guessing or cracking weak passwords, acquiring them through social engineering, or more recently stealing them with malware deployed by advanced persistent threat (APT) groups, attackers have focused on compromising passwords to gain access to the network.

The traditional approach to defending against password attacks has focused on user awareness training, ever-increasing password complexity requirements, certificate-based authentication, and multi-factor authentication. Defenses that rely on the user are often undermined by apathy, non-compliance, and a lack of enforcement of company policies, which render them ineffective.

Two-factor authentication technologies have suffered from poor adoption because of high costs, resistance from the user community, and in some cases vulnerabilities in the two-factor technology itself that attackers can exploit. Malware used in current APT campaigns targets both password collection and two-factor authentication, which has further reduced their effectiveness.


Further complicating the job of protecting the network is an explosion in mobile devices requiring access anywhere, and a strong focus on international business. The days of having a contained network that only uses company-managed devices on secured networks are largely over. Today's network is global, persistent across devices, and must be available to the user from any device at any location. If the organization does not provide this capability, in most cases the user will work around the organization.

Defending user access to network resources in today's environment requires a defense-in-depth approach: understanding the company's risk tolerance, understanding its user base, and deploying technology solutions that fit both the users and the business.

The first step in developing an effective defense is to understand how the company uses the network and what the expectations for usage are. This requires the network architect to go beyond what is written in the policy documents and observe what users are actually doing. An effective way to identify this is to meet with non-IT business staff and discuss how they use technology. Additionally, walking around business locations can provide great insight into how people are using technology. Many IT departments that have "banned" mobile devices or remote access from home are surprised to find that users bring their own devices in spite of policy.

Understanding how employees use technology to do their jobs is also essential. The requirements for a sales department may be much different than those of a data entry clerk. Manufacturing personnel may already be using unapproved devices through their tendency to solve technical problems and get the job done.

Finally, understanding the culture of the organization will help determine what technology is acceptable. Are users free-roaming creative professionals who stress art over function? Are the users very conservative and professional? Each of these could drive very different solutions. At the end of the day, if users do not accept the technology, they will find ways around it.

Today, technical solutions for protecting the network beyond passwords fall back on two classic concepts in information security: least privilege and Authentication, Authorization and Accounting (AAA). All technical mechanisms must allow only the least amount of access users need to do their jobs, make reasonably sure users are who they say they are, assign them access to a limited set of resources, and account for their activities so that anomalies can be identified.


Least privilege must be applied based on more than the user's identity. Different levels of access should be granted based on the type of device used to reach the network, when the network is accessed, and where it is accessed from. User access profiles should be developed for the most common access scenarios. For example, most organizations will have the following categories (most to least secure):

" User on the internal network on a managed device

" User on the external network on a managed device

" User on the external network on a non-managed device

" User on the internal network on a non-managed device

Each of these categories should be assigned the set of resources it is allowed to access, which may include restrictions to certain servers or services. Unmanaged devices should be directed to services that mediate access (for example, by presenting applications rather than exposing the underlying data) and so limit the volume of data a user can pull from the network.

For example, Citrix XenApp or Microsoft Terminal Services access could be allowed, limiting the amount of information an attacker could retrieve from the network through a compromised account. Access controls should be designed to contain a compromised account to the least amount of access and the least amount of data loss possible. This concept extends to internal network segmentation to protect sensitive internal networks such as process control, financial and manufacturing systems.
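The following is an added illustration of the access-profile idea above, combined with the accounting half of AAA; it is not code from the article or from AOS. It classifies each request into one of the four categories (managed/unmanaged device, internal/external network), applies a deny-by-default allow-list per category plus a time-of-day rule for bulk-data resources, and then scans the decision log for two simple anomalies: repeated denials and a user who switches between the internal and external network within a short window. The resource names, business hours, thresholds and sample requests are all assumed for the example.

```python
"""Least-privilege access profiles with accounting (added example, not AOS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Tier(IntEnum):
    """The four access categories, ordered most to least trusted."""
    INTERNAL_MANAGED = 0
    EXTERNAL_MANAGED = 1
    EXTERNAL_UNMANAGED = 2
    INTERNAL_UNMANAGED = 3


# Assumed resource names and per-category allow-lists; anything not listed is denied.
# Unmanaged devices only reach the presented-application tier.
PROFILES = {
    Tier.INTERNAL_MANAGED: {"file-share", "erp", "mail", "published-apps"},
    Tier.EXTERNAL_MANAGED: {"erp", "mail", "published-apps"},
    Tier.EXTERNAL_UNMANAGED: {"published-apps"},
    Tier.INTERNAL_UNMANAGED: {"published-apps"},
}
# Assumed: bulk-data resources are off limits outside business hours unless the
# request comes from a managed device on the internal network.
SENSITIVE = {"file-share", "erp"}
BUSINESS_HOURS = range(7, 19)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    managed_device: bool
    internal_network: bool
    resource: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    request: AccessRequest
    tier: Tier
    allowed: bool
    reason: str


def request(user, managed, internal, resource, hour, minute=0):
    """Build a request on a fixed (constructed) date; keeps the demo readable."""
    return AccessRequest(user, managed, internal, resource,
                         datetime(2014, 3, 3, hour, minute))


def classify(req):
    """Map device type and network location to one of the four categories."""
    if req.managed_device:
        return Tier.INTERNAL_MANAGED if req.internal_network else Tier.EXTERNAL_MANAGED
    return Tier.INTERNAL_UNMANAGED if req.internal_network else Tier.EXTERNAL_UNMANAGED


def authorize(req):
    """Deny by default: the resource must be in the category's profile and,
    for sensitive resources, the time-of-day rule must also pass."""
    tier = classify(req)
    if req.resource not in PROFILES[tier]:
        return Decision(req, tier, False, f"{req.resource} not in profile {tier.name}")
    if (req.resource in SENSITIVE and tier != Tier.INTERNAL_MANAGED
            and req.when.hour not in BUSINESS_HOURS):
        return Decision(req, tier, False, "sensitive resource outside business hours")
    return Decision(req, tier, True, "allowed by profile")


def find_anomalies(log, max_denials=3, window=timedelta(minutes=10)):
    """Accounting: flag users with >= max_denials denials, or who appear on the
    internal and external network within `window` of each other."""
    by_user = {}
    for d in sorted(log, key=lambda d: d.request.when):
        by_user.setdefault(d.request.user, []).append(d)
    flagged = {}
    for user, decisions in by_user.items():
        denials = sum(1 for d in decisions if not d.allowed)
        if denials >= max_denials:
            flagged.setdefault(user, []).append(f"{denials} denials")
        for prev, cur in zip(decisions, decisions[1:]):
            if (prev.request.internal_network != cur.request.internal_network
                    and cur.request.when - prev.request.when <= window):
                flagged.setdefault(user, []).append("location flip within window")
                break
    return flagged


def run_demo():
    """Constructed sample traffic: alice on a managed laptop, bob on a personal phone."""
    requests = [
        request("alice", True, True, "file-share", 10),        # allowed
        request("alice", True, False, "erp", 22),              # denied: off hours
        request("bob", False, False, "published-apps", 9, 0),  # allowed
        request("bob", False, False, "file-share", 9, 1),      # denied: not in profile
        request("bob", False, True, "file-share", 9, 5),       # denied, and location flip
        request("bob", False, True, "erp", 9, 6),              # denied: third denial
    ]
    log = [authorize(r) for r in requests]
    return log, find_anomalies(log)


if __name__ == "__main__":
    log, flagged = run_demo()
    for d in log:
        print(f"{d.request.user:6} {d.tier.name:19} {d.request.resource:15} "
              f"{'ALLOW' if d.allowed else 'DENY '} {d.reason}")
    print("flagged:", flagged)
```

The ordering of `Tier` follows the article's list, so a personal device plugged into the office LAN lands in the least-trusted category rather than inheriting the trust of the internal network. The anomaly scan is deliberately crude; its point is that the same decision records that enforce least privilege are the accounting feed that makes abuse visible.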

Technologies such as Network Admission Control, SSL VPN with posture assessment, Mobile Device Management (MDM), and virtual desktop/application presentation applications have matured to a point where they provide network designers effective tools to control network access.

The network should be designed to use these technologies to give users least privilege while still enabling them to work effectively. Most network vendors are heavily focused on integrating these technologies into their products.

Least privilege is implemented on the assumption that an account will inevitably be compromised. Even so, steps should be taken to reduce the probability of a compromise occurring and to detect abuse as rapidly as possible.

Classic password policies and user awareness training provide a basic level of protection that most organizations will need to implement. Password policies should be implemented in a way that the user base accepts. Requiring overcomplicated or frequently changing passwords will, in most cases, result in users reusing passwords or writing them down.

Multi-factor authentication is another line of defense that can be implemented to protect authentication. While effective in reducing risk, most organizations limit multi-factor authentication to external access to the network because of the cost of the technology and limited user acceptance of it.

Organizations should focus on deploying multi-factor authentication for systems that provide external access to sensitive applications or to large amounts of data. It should be remembered that no multi-factor authentication method is invincible; it is another tool for reducing risk.

Password authentication is a weakness that we will have to live with for the foreseeable future. But through defense-in-depth security architectures that address authentication as a holistic system of people, processes and technologies, a company's risk can be reduced. Reducing risk to a level that allows the organization to function as efficiently as possible should be the goal of all network and security professionals.

Alexander Open Systems (AOS) is the premier systems integrator in the Midwest.


Stories by Mike Mahurin, CISSP, CISM, CISA, a Design Architect with Alexander Open Systems
