Everything boils down to Identity: A Fireside Chat about Passwords and Multi-Factor Authentication

This is Episode 2 of the Core Security Podcast.

Bobby Kuzma:
I'm Bobby Kuzma and I'm here with my colleagues—Michael Marks, our product manager covering our identity suite. Prior to coming to Core in that role, Michael was the architect running Coca-Cola Enterprises' identity and access management solution. I'm also joined by Jack Blanchert. Jack is a pen tester of various former government roles and a general master of things scary and obtuse. And one of the things that we've been seeing a lot lately in the industry is everything seems to boil down to identities. We're not seeing all of these '0-days' being used to pop environments and migrate through them. It all boils down to getting in, grabbing someone's credentials and then moving on. So, what's the deal with that?

Jack Blanchert:
Bobby, I think that's a really good question. I think it's a much easier way to get into someone's environment. It's a lot easier to use all of the information that we're putting out there on our social networks or to try to compromise someone's credentials and either get a username and password off of a site or off of different ways of getting into the environment and stealing those credentials and doing something. I think that's a lot more difficult than it is to try to find these zero day vulnerabilities or take action and actually exploit something that's in the environment. It's a lot easier to just type in someone's username and password.

Michael Marks:
Yeah, that's true. It's like giving the keys of the kingdom, right? So that person might not have admin access or the type of access that you would need, but it's just a pivot point to another account that you could get to. You're using that vulnerability, the social one, to get into that network. It's another avenue that you would take if you didn't have the actual means of exploiting something on the external.

Bobby Kuzma:
So, one of the things that we see is the advice of don't share passwords and...people are bad at passwords. Let's be honest with ourselves—people are very, very bad at passwords. They're bad at picking complex passwords so they end up with things that are easy to crack. On the attack side, we've got a really huge body of knowledge for figuring out what things people are likely to use as passwords. So how do we exploit that and then how do we protect against that?

Michael Marks:
It's really getting to the people and teaching them the right way. And it's not a one-time thing, it's continuous training of the right way to approach this. You can learn a lot about a person on social media and learning about their daily life or things that they love...as an attacker, you would think, "Okay, what would their password be?" Right? I can use these things to generate a list to brute force or go after or test to see if I can actually guess this. It's easier to go that route. You just have to mimic what their day-to-day in and out is. But on the other side of that, to protect yourself, you don't use something in your daily life. Don't use something that ties you back to your personal life or things that you would use daily. I always tell people, use a phrase, something that you would never say. Something off the realm. Something long. But again, it comes down to training your users and understanding what the threat is.

Bobby Kuzma:
You're advocating an approach that's depending on the users, and you're coming at that from a pen test side. Now, there's other ways that we can help mitigate some of that risk.

Jack Blanchert:
Yeah, but before we go into that, I think there's some cognitive dissonance that's happening when we think about passwords. We typically think that there's someone in there that is using social media to try to get what our password could be, the name of our pet with the birthdate at the end, or something like that. So we're trying to encourage people to come up with more unique passwords, but what we're not realizing is that it's not someone sitting there just typing in a password and trying to guess what it is. They're running these passwords against these very large datasets and these really complex algorithms to try to hack your password in a more automated fashion. It's not someone sitting behind the keyboard and just guessing 20 times until your account gets locked out.

Michael Marks:
Agreed, yeah.

Jack Blanchert:
Yeah, so I definitely would encourage the phrase and the length and—the longer the better—because those complex computer algorithms can only go so far when you're making it exorbitantly long and difficult to crack.

Bobby Kuzma:
But, in that type of scenario you're still having to...the attacker is still having to have a list of the hashed passwords to work against that's been compromised from somewhere else. So, we come up to the password reuse problem and...

Jack Blanchert:
That falls into configuration management, too. Across the board.

Bobby Kuzma:
How do we, as an industry, advance this so that people are not finding it easy to use the same password on their bank and on their Amazon and on their domain admin? I can tell you, I've done a number of pen tests where I popped a domain admin off of the LinkedIn password breach from like, 2012.

Jack Blanchert:
Oh, that hurts my heart. Yeah, I'm a big advocate of multifactor authentication as a solution for that. But the challenge with that is that we've gotten really lazy. We're used to having just the username and password dictionary stored on memory and just spitting it out when we need it. And we need to all agree—from the end user using the service to the IT admins, to even ourselves as vendors—to say we're gonna have to give up a little bit of that convenience factor of not having multifactor authentication. We're gonna have to be comfortable with having our phones and typing in an extra pin and having an extra step to login to these really critical systems. Especially this domain admin. There should be no reason that that person of all people, should be having shared passwords for a social media site they don't control, as well as the keys to the kingdom.

Bobby Kuzma:
So, when we're looking at that multifactor side, there's a bunch of different methodologies that are in common use. In the government space, it's all settled on to a smart card badge that uniquely identifies the individual. And if you don't have the badge or if the badge is expired, good luck getting any work done that day. But in the enterprise space, or even in the small and medium business space, those solutions aren't terribly feasible but there's still ways that we can work with this, that we can implement these multifactor authentication solutions, right?

Jack Blanchert:
Absolutely, yeah. There's some really convenient ways that we're taking the consumer technologies that are available. So everyone that has one of the new iPhones or new Android smartphone has the fingerprint scanner, right? That biometric scan can serve as your second factor as the multifactor authentication component. And we're looking for ways to look at how easy it is for the consumer and adopt that for small, medium, large enterprises as well as the government. So I think, as we get more interesting technologies and more of that biometric authentication offerings, it'll be a lot easier for people to stomach having a multifactor authentication requirements.

Bobby Kuzma:
So, not getting in the way of the user is really the biggest goal toward adoption and accelerating that.

Jack Blanchert:
Exactly. IT always says that they wanna enable the business and usually adding an authentication step doesn't offer that. But if we can make it seamless and make it so that we're not in the way of the user, I think that'll see adoption skyrocket.

Bobby Kuzma:
So, one of the things we have to be careful about when we do pen tests is trying to brute force things a little bit too much because we tend to trip all kinds of alarm bells and accounts get disabled. But sometimes users DOS themselves, particularly when you're introducing shorter password rotation periods and...the horror story is the 20,000 user organization gets 30,000 help desk tickets 92 days after they institute a 90 day password expiration policy. So, being able to reset those passwords gets to be a big deal for that. But then we have to protect that because...I remember a couple of election cycles ago, politicians had their personal emails compromised because everything you needed to answer the knowledge-based authentication questions was available on their Wikipedia page. So, in an age where every stupid Facebook survey is yielding potential information that an attacker can use for compromising a reset mechanism, how do we work that? How do we lock that down and secure it so we can have a degree of confidence in allowing the users to self-service?

Jack Blanchert:
Yeah, the security questions are always fascinating because you have to make them fact-based, otherwise the end user is going to forget. If you make it opinion, what's your favorite movie? Well, 6 months ago when I filled out this question, it was not the same movie as it was last week when I saw my brand new favorite movie, or what have you. So you have to make them fact-based, and then when you make them fact-based, people can go find out what that answer is. So, the security Q and A offers some level of comfort. What I've done in my previous role is saying, if you're on the network, I've trusted that we've been able to authenticate you. You've gotten...we have very tight network security controls where we have some level of comfort that you are on the network and you've already logged in to the Active Directory on the domain, if you've gotten onto your laptop. Therefore, the security Q and A is fine.

Jack Blanchert:
But if you're gonna try to do self-service password reset outside the network, then we're going to throw that multifactor authentication onto you. So that adaptive multifactor authentication, the contextual decision of "when are we going to enforce a stronger authentication mechanism", comes into play to better secure the users to allow them to still have that self-service reset.

Bobby Kuzma:
Okay, so hold on. We've actually got a way that we can use a risk-based approach to decide how anal retentive we're going to be about authenticating the user?

Jack Blanchert:
We can make it configurable. Our password reset solution is configurable beyond belief. Like, you could do whatever you want it to do. The way I would see it is I would always encourage multifactor authentication first, right? Even if you were on premise and on the network, I would still prefer you to have that multifactor authentication. But you can have that flexibility.

Bobby Kuzma:
So that multifactor authentication, are we talking...things like SecurID fobs? Are we talking SMS-based authentication? Are we talking biometric? Where are we going with this?

Jack Blanchert:
We have a lot of flexibility in the offerings. We had NIST strike down the SMS offering, but that's still something that businesses are demanding. They're willing to-

Bobby Kuzma:
Cloning a SIM is still stupidly easy.

Jack Blanchert:
So, we still have a lot of businesses that want that, so we're gonna continue to give folks what they need. We do have the biometric authentication offerings with voice recognition, with the fingerprint scanning. We're currently exploring some of the facial recognition technologies that are coming out. And then we're looking at ways to see, can we not force you to sign up for another multifactor authentication offering? Can we actually tie into something that you've already signed up for within your enterprise? If you're already using a multifactor authentication service provider, why do you have to sign up and download another app or get another text message? Can we just tie into that? So that's something we're exploring.

Bobby Kuzma:
My only concern with relying heavily on biometric for authentication is you can't revoke your own biometrics. You're kinda stuck with them. So, from an attack standpoint, we haven't really seen a sudden rash of people getting their fingerprints removed for highly targeted attacks, but it's ... I've built a fake fingerprint to get past biometrics on a pen test. I'm pretty sure you have, whether you can admit it or not. But those are some of the things where it's gonna have to be different methodologies and we're just increasing assurance rather than relying solely on X. I don't use the fingerprint reader on my phone, 'cause it can be compelled. Biometrics can be compelled.

Michael Marks:
I think when the biometrics was released on the iPhone, I think it in the first day or two, it was already broken. So ...

Bobby Kuzma:
Oh, of course. Even on the really advanced setups for physical security applications, they're still really, really bad at distinguishing between an overlay on a live finger and the actual live finger. So, that discrimination problem of the false reject rate and the false acceptance rate is something that we've got to deal with as an industry. And I think we've kind of plateaued on that in terms of what we're able to do.

Jack Blanchert:
Yeah, it's more boiled down now to risk appetite.

Michael Marks:
Exactly.

Jack Blanchert:
Are you willing to [crosstalk 00:14:13]. Yeah, go ahead.

Michael Marks:
Everything is human made, right? So there's always gonna be some type of fault. So, now we're in the realm of, what can we physically accept within our company or government agency? We can't say, "Oh, we're never gonna get attacked, this is always gonna work for us." There's always gonna be faults or some type of avenue to take to bypass something. But now we've gotta have a risk based approach to everything saying, "Okay, well how much can we accept in our organization for risk?" And that's really where everything's leading to.

Bobby Kuzma:
So, we're seeing identities being sold on the dark web in a brokering process, both for identity theft purposes but also for gaining access and expanding. We're seeing con profiles being used for very advanced phishing attacks. We're seeing all of these innovative uses of identity from the malicious actors. And, where do you think that that's going?

Michael Marks:
I mean, for the biggest buyer I guess. That information's out there in the wild for anybody to use.

Bobby Kuzma:
So, it's what the market will bear and we're actually seeing innovative business models stumbling up on this?

Jack Blanchert:
Yeah, the issue with the dark web too is you really have to have someone that...it's gotta be a lot more targeted. You have to know exactly what credential you wanna go buy, right? So I think it's interesting in that it's gonna flip it on its head. Instead of saying, "I want to attack company X", I'm gonna go see what identities I could buy on the dark web and see, are any of these privileged accounts? Or can I figure out if any of these people have a high-profile account? And that becomes my new attack target instead. So it's interesting to flip it instead of trying to do a brute force attack on a company and try to do it. Now maybe we're going to start seeing the flip of anyone's gonna be a target if their account information's leaked. It'll be interesting to see if that plays out.

Michael Marks:
Yeah, I definitely agree with that. Even if it's not a privileged account, it's just another avenue, even at the lower level of account access. That's an avenue in. It's a foothold that you can get just by accessing that information.

Bobby Kuzma:
So, anyone who has any kind of privileged access is a potential target even on their casual use devices. So, what can we suggest that people do at home, that are non-technical people, to address this? Are password managers safe? I keep seeing vulnerabilities and exploits on password managers. That makes me twitchy, to be perfectly honest. But on the flip side, I can barely remember what day of the week it is. So asking me to remember a 12 character complex password that's unique for every site I visit is not gonna happen.

Michael Marks:
Like we were talking about, 2-factor authentication. I definitely suggest it. There are so many offerings out there that don't come at a price that you can utilize this.

Bobby Kuzma:
Like, Google Authenticator.

Michael Marks:
Exactly. Even Facebook has their own...that's SMS too, so...that's not really a good example.

Bobby Kuzma:
The app can generate out a code to use rather than going through SMS on that. So, those APIs getting opened up so that there's gonna be a consolidation at some point and a standardization. Sort of like how in the locksmithing world, there's only a couple of key ways that are in common use. And then there's a couple of high security ones, and I just have this feeling that we're gonna see a consolidation in the identity in multifactor authentication space toward that over time. And we're beginning to see some aspects of that.

Michael Marks:
The problem we're running into and you said how can you utilize that at home...our nature as humans is, we've gotten to that mindset of, "I want it right now. I gotta have it. I don't want anything stopping me, I've gotta have my information right now." And in that mindset, we don't wanna put another stop gate in there, like another sign on or another text message that we get or have to go to a password manager. We want it right then. But again on the flip side of that, you're putting yourself at risk to be vulnerable to an attacker. And both at home and at work, you have to keep the mindset of, "Yes, we need it right now, but we need to put these things in place in both personal and professional life".

Jack Blanchert:
There's a concept in the identity space called Least Privileged Enforcement, and I think it goes beyond just having the least number of privileges that are assigned to you. It's just, what is the bare minimum that I need to have stored on my laptop or on the internet or if you're at home, do I really need to scan my social security card and have that stored on my hard drive at home. You just have to make those decisions about-

Michael Marks:
It depends on who you ask about that one.

Jack Blanchert:
Yeah, right. It's all about the least amount of data that I need to have out on the computer or in the digital space that's going to be vulnerable.

Bobby Kuzma:
Wait, wait. You mean that there's actually organizations who treat the social security number as privileged information? You're giving it out to every bloody company you do business with practically.

Michael Marks:
That's a crazy concept.

Bobby Kuzma:
I know! And it's not even guaranteed to be unique!

Michael Marks:
Yep. I know.

Bobby Kuzma:
What's up with that?

Jack Blanchert:
So yeah, the least privilege of, share it when you only absolutely need to. And that goes beyond just the level of access you get access to. It's just your information in general.

Bobby Kuzma:
So, with this evolution that we're seeing on the enterprise side, it's becoming much more challenging from a defensive posture to deal with this. It's becoming a lot easier from an attack posture to deal with this, so what's the last word on this? Where are we going?

Jack Blanchert:
There's ways that identity can be leveraged as...you've mentioned that they're vulnerabilities, almost. Identities are becoming the vulnerability to get into an enterprise. But, there's also a way that identity can be leveraged as a security asset. Identities can have a lot of flexibility in what we want to do with them. We can remove access rights, we can reset passwords, we can disable accounts, we can delete accounts. There's a lot of different things we can do to take action on something that's recognized as compromised. So it's not necessarily a scare tactic to say identities are the new vulnerability and we're all screwed here. They can be leveraged as both.

Jack Blanchert:
So I think there's a really interesting play and there's kind of a mind shift happening within the identity community to see that we are not just a business process operation where we're trying to give people access to systems as quickly and painlessly as possible. We have a seat at the security table, and we need to take that role very seriously and we need to make sure that we have the mindset of, how can we leverage identity and leverage our processes to better secure our organizations and ourselves.

Michael Marks:
Yeah, I totally agree with that. That aspect, I'm just glad that it's shifting to that, because in the pen testing realm, the human factor's always been an issue. And it's kinda been that back burner because there have been exploits out there that we could utilize in this space and take advantage of. But now, organizations are getting locked down and that avenue is actually drying up. And the easier attack factor has always been the human factor. But now the time is to lock down that identity piece and close that gap too, and I think that's the right move to make right then.

Bobby Kuzma:
And until we get that gap closed, we're living in the golden age of social engineering.

Michael Marks:
Exactly.

Bobby Kuzma:
That's all the time we have this week. Thank you, Michael and Jack, for coming on to discuss identity and attacks. And please check out all the great resources that we have at coresecurity.com. We'll catch you next time.