Passwords are no longer sufficient to maintain an adequate level of security for business critical infrastructure and services. Two-factor authentication should be considered the minimum acceptable level of access control.
There have been two types of security stories in the technology news over the last few months that should be of particular concern to system administrators and those responsible for maintaining business network infrastructure.
1. Brute Force Attacks
It's unfortunately a fact of life that people tend to be very bad at choosing and managing secure passwords. This applies less to technically adept system administrators, although they are not immune, but most other people, including management and others with reason to access network infrastructure and business critical services, often don't have sufficient training in basic password hygiene.
When a hacker decides to try a brute force dictionary attack against a business' servers or their email, social media, or third-party infrastructure service provider accounts they are likely to find at least one weak account, and that's often all that's needed to establish a beachhead.
2. Stolen Password Databases
If password databases are properly hashed and salted, it's unlikely that any but the most determined hackers will be able to extract usable information from them. Sadly, that's frequently not the case, and password cracking technology has reached the point where inadequately hashed passwords can be recovered fairly easily in a practical amount of time.
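What "properly hashed and salted" means in practice, as an added example that is not part of the original article: each password gets its own random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), so two users with the same password do not share a stored value and each guess costs an attacker the full iteration count. The iteration count and the storage format are assumptions chosen for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed defaults for this example: tune the iteration count so one
# verification takes a few hundred milliseconds on the server hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    alg, iterations, salt_b64, dk_b64 = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password: str) -> str:
    """The inadequate scheme: a fast, unsalted hash (shown only for contrast)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_shares_stored_value(scheme) -> bool:
    """True if two accounts with the same password end up with an identical record."""
    return scheme("correct horse") == scheme("correct horse")


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print("verify ok:", verify_password("correct horse", record))
    print("unsalted collides:", same_password_shares_stored_value(unsalted_sha1))
    print("salted collides:", same_password_shares_stored_value(hash_password))
```

With the unsalted scheme every account that shares a common password shares one stored value, so one recovered hash exposes all of them at once; with a per-password salt and a slow derivation function each record has to be attacked separately and slowly.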
Your business may lose its password database to criminals at some point, but more worrying is the likelihood that employees have used the same identifying information on third party services like forums, which, when their poorly protected password databases fall into the hands of hackers, can be used against your business.
Even if employees haven't used their business accounts improperly, if their personal email falls into the hands of hackers, and they have used it as a secondary address for their business accounts, then it's trivial for the hackers to reset the passwords on the business accounts.
Passwords Are Inadequate
Passwords are too dependent on the level of technical expertise of their users and as technology advances are no longer sufficiently difficult to crack. Two-factor authentication should be implemented on all business critical infrastructure and services.
Two Factor Authentication
Passwords alone are one authentication factor, commonly described as something you know. Additional factors can be something you have and something you are. We're not concerned with the latter here: biometric authentication can be very secure, but it can also be complicated to implement.
Instead, we'll focus on something you have as a second factor. If you're a user of Google's services, you may be familiar with their Authenticator app, which is installed on mobile devices and provides a one-time code with a limited lifespan as a second factor of authentication.
Two-factor authentication is much more secure than using passwords on their own, and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.
Two Factor Authentication and DNS
DNS is one of the most important parts of the infrastructure of any site or online service. If it isn't secure, hackers could knock a site offline completely or redirect visitors to sites that will infect them with malware. To avoid the embarrassment and loss of reputation and revenue that an attack against a company's DNS accounts can cause, a DNS hosting service that allows two-factor authentication should be used to verify the identity of those who need access.