Skip to main content

The WiKID Blog

The WiKID Blog, musings on two-factor authentication, information security and some other stuff.

4 Steps to Mitigate 95% of Known Vulnerabilities

The article "4 Steps to Mitigate 95% of Known Vulnerabilities" piqued my interest.  The Australian DoD also has their top four mitigation strategies (and their top four for Linux).  While I like the simplification of 4 things versus 35, it would be great to be able to match up the controls/strategies with actual percentage of time the control forces an attacker to adapt or give up.  The 2014 Verizon DBIR, for example, states that lost, stolen or weak credentials were used in three-quarters of all attacks making a strong case for two-factor authentication.

Seven common misconceptions about two-factor authentication

We get a lot of questions from enterprises as they deploy two-factor authentication. There are a good number of misconceptions out there about how to do it. Here's are six that we see frequently as enterprises first start to think about two-factor authentication:

Build your own cloud-based two-factor authentication service

We published a tutorial on how to use packer to build your own cloud-based two-factor authentication as a service with WiKID.  As you can see from the tutorial, it is incredibly easy to setup WiKID on EC2, GCE, Digital Ocean etc. Moreover, this is a very easy way to build a WiKID server for your internal virtual platform if it is supported by packer.   You can download the scripts from our github repo.

A few things to note:

Two-factor auth from the get-go: Eliminating Password1.

Yesterday, Dave Kennedy tweeted:

Belts and Suspenders Security

I continue to be astounded that one server without two-factor authentication caused the JP Morgan breach.  If a sophisticated organization like a major US financial institution can get hacked like that, what are the chances for everyone else? If you were an incoming CIO or CISO, what can you do to avoid such a disaster?

Obviously, JP Morgan is reviewing the status of all their servers (for a start).  As I mentioned before, automation and infrastructure as code will help create idempotent servers so you can be sure that they meet security requirements .  Any servers outside that level of management, should be segmented and brought in line eventually.  But I think it will increasingly make sense for servers to have two-factor authentication for remote access and administrator rights.  This is simple to do on *nix servers as services that use PAM - ie sshd, sudo, login etc can all easily require two-factor authentication.  Copying these configuration files via management tools is quite simple.  By using RADIUS as the authentication protocol, you can perform authorization in Active Directory or LDAP.  If I were going into Sony, I would require two-factor authentication for egress as well.

Certainly, this would break some things.  But that's the idea. The breaks should show you were you have issues. You need to address those issues.

Recent Posts







RSS / Atom