<h1>The two things that actually work in information security and how to deploy them</h1>
<p>The WiKID Blog, musings on two-factor authentication, information security and some other stuff. Posted 2015-06-01 by <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a> at <a href="http://www.wikidsystems.com/blog/the-two-things-that-actually-work-in-information-security-and-how-to-deploy-them/">wikidsystems.com/blog</a>.</p>
<p>I was struck by this tweet by <a class="external-link" href="https://twitter.com/chrisrohlf" target="_self" title="">@chrisrohlf</a>:<br><img alt="2FA and VPNs - 2 things that work" class="image-inline" height="228" src="https://www.wikidsystems.com/static/media/uploads/images/WiKIDBlog/.thumbnails/vpns_2FA.jpeg/vpns_2FA-615x228.jpeg" width="615"/></p>
<p>It struck me because of the truth of it (and yeah, because we sell two-factor authentication). IPS/IDS, anti-virus, etc. really haven't performed as advertised. You can see the move toward de-perimeterization pushing all of those security products, when simply implementing two-factor authentication would have been as effective or more so.</p>
<p>Thanks to this year's Verizon DBIR, we can see the impact of these two technologies and how to implement them. Verizon has aggregated the mitigation recommendations from its incident reviews and summed the percentage of incidents where a given Critical Security Control should have been applied.</p>
<p class="callout">We gathered up all the nuggets of mitigation wisdom from our reviews and tallied up the percentage of incidents where a CSC control could be applied as the recommended strategy.</p>
<p>(That's a direct quote, btw; the DBIR really does say 'Critical Security Control control'.)</p>
<p>I have amended the table to include a column on whether the control can be supplied by one of the two 'effective security technologies'.</p>
<table class="listing">
<tbody>
<tr>
<th>CSC</th>
<th>Description</th>
<th>% of incidents</th>
<th>Category</th>
<th>Notes</th>
</tr>
<tr>
<td>13-7</td>
<td>Two-factor authentication</td>
<td>24%</td>
<td>Visibility/Attribution</td>
<td><strong>2FA</strong>: The biggest bang for your security buck.</td>
</tr>
<tr>
<td>6-1</td>
<td>Patching web services</td>
<td>24%</td>
<td>Quick Win</td>
<td> </td>
</tr>
<tr>
<td>11-5</td>
<td>Verify need for Internet-facing devices</td>
<td>7%</td>
<td>Visibility/Attribution</td>
<td><strong>Firewall</strong>: You should do this on setup and periodically. Remember - it's easy to block ports and see what breaks.</td>
</tr>
<tr>
<td>13-6</td>
<td>Proxy outbound traffic</td>
<td>7%</td>
<td>Visibility/Attribution</td>
<td><strong>Firewall</strong>: We've suggested <a class="internal-link" href="https://www.wikidsystems.com/WiKIDBlog/getting-the-most-out-of-your-two-factor-authentication" target="_self" title=""> combining this with 2FA too</a>. </td>
</tr>
<tr>
<td>6-4</td>
<td>Web application testing</td>
<td>7%</td>
<td>Visibility/Attribution</td>
<td> </td>
</tr>
<tr>
<td>16-9</td>
<td>User lockout after multiple failed attempts</td>
<td>5%</td>
<td>Quick Win</td>
<td><strong>2FA</strong> (among others). All 2FA systems have this feature.</td>
</tr>
<tr>
<td>17-13</td>
<td>Block known file transfer sites</td>
<td>5%</td>
<td>Advanced</td>
<td><strong>Firewall</strong>: Most firewalls offer URL blocking.</td>
</tr>
<tr>
<td>5-5</td>
<td>Mail attachment filtering</td>
<td>5%</td>
<td>Quick Win</td>
<td><strong>Firewall</strong>: Most firewalls offer attachment filtering.</td>
</tr>
<tr>
<td>11-1</td>
<td>Limiting ports and services</td>
<td>2%</td>
<td>Quick Win</td>
<td><strong>Firewall</strong> - Pretty much the point of VPNs.</td>
</tr>
<tr>
<td>13-10</td>
<td>Segregation of networks</td>
<td>2%</td>
<td>Configuration/Hygiene</td>
<td><strong>Firewall</strong>. Your firewall should be able to create virtual private networks. </td>
</tr>
<tr>
<td>16-8</td>
<td>Password complexity</td>
<td>2%</td>
<td>Visibility/Attribution</td>
<td>OS - but the more places you use <strong>2FA</strong>, the better.</td>
</tr>
<tr>
<td>3-3</td>
<td>Restrict ability to download software</td>
<td>2%</td>
<td>Quick Win</td>
<td><strong>Firewall</strong></td>
</tr>
<tr>
<td>5-1</td>
<td>Anti-virus</td>
<td>2%</td>
<td>Quick Win</td>
<td> </td>
</tr>
<tr>
<td>6-8</td>
<td>Vet security process of vendor</td>
<td>2%</td>
<td>Configuration/Hygiene</td>
<td>Require <strong>2FA</strong> for vendor access so that you keep control of it.</td>
</tr>
</tbody>
</table>
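<p>Row 16-9 says every 2FA system locks an account after repeated failures. The block below is an added illustration of what that feature actually does, not WiKID's code or API: a per-account failure counter with a sliding window and a timed lockout, keyed on the account rather than the source address so that an attacker rotating IPs still trips it. All names (<code>Lockout</code>, <code>authenticate</code>, the sample attempts) are constructed for the example.</p>

```python
"""Account lockout after multiple failed attempts (CSC 16-9).

Constructed example of the lockout behaviour the post attributes to
every 2FA server. Class and function names are hypothetical; the
attempt list in demo() is made-up sample input.
"""
import hmac
from collections import defaultdict, deque


class Lockout:
    """Track failed logins per account. After `max_failures` failures
    within `window` seconds the account is locked for `lock_for` seconds."""

    def __init__(self, max_failures=5, window=300, lock_for=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and the old failure history.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Record one failed attempt; return True if it triggers a lock."""
        q = self._failures[account]
        q.append(now)
        # Forget failures that fell out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            return True
        return False

    def record_success(self, account):
        # A good login resets the counter for that account only.
        self._failures.pop(account, None)


def authenticate(lockout, account, presented, expected, now):
    """Simulate a login attempt; returns 'locked', 'ok' or 'fail'.

    Locked accounts are rejected before the code is even evaluated, so
    hammering a locked account neither succeeds nor extends the lock."""
    if lockout.is_locked(account, now):
        return "locked"
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(presented, expected):
        lockout.record_success(account)
        return "ok"
    lockout.record_failure(account, now)
    return "fail"


def demo():
    """Run a constructed sequence of attempts against a 3-strike policy."""
    lk = Lockout(max_failures=3, window=60, lock_for=300)
    # (seconds since start, account, one-time code presented); real code is 654321
    attempts = [
        (0, "alice", "111111"),
        (5, "alice", "222222"),
        (10, "alice", "333333"),   # third failure inside the window -> locked
        (15, "alice", "654321"),   # correct code, but the account is locked
        (20, "bob", "654321"),     # another account is unaffected
        (320, "alice", "654321"),  # lock has expired, clean slate
    ]
    return [authenticate(lk, acct, code, "654321", now=t) for t, acct, code in attempts]


if __name__ == "__main__":
    print(demo())
```

<p>The design point worth noticing is that the lock is checked before the credential is evaluated and the counter is cleared only by a successful login or by lock expiry; a lockout that keys on source IP instead of account, or that re-evaluates the code while locked, gives up most of the control's value.</p>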
<p>I've always been a "work with what you have" and "get the most out of what you have" type of person. This list screams that. I also think that companies will need to consider the source. While the DBIR is a great resource, it is a work in progress, and your industry may be under-represented or your company may simply be different. And security is a moving target. The description of "Vet security process of vendor" seems a bit vague. I suspect that many organizations are now considering deploying some form of "Privileged access management" solution to monitor not only internal accounts but also vendor accounts. If so, they should use two-factor authentication for their PAM solution (and you should make sure your PAM solution supports RADIUS).</p>