In early February, the user database of popular business collaboration tool Slack was compromised. User data was leaked, such as email addresses, hashed passwords, and other profile-related information. Slack disclosed the incident on its blog. Along with the disclosure, Slack announced it was adding two-factor authentication to its product, as well as giving administrators the ability to reset passwords with a “password kill switch.” While these are great additions to the product, it is disheartening that Slack did not support two-factor authentication from the beginning. It is just another incident that illustrates how far we have to go in communicating the importance of strong and adaptive authentication in the security ecosystem.
Breaches resulting from weak access control measures are certainly not a new trend. Some of the highest profile breaches in recent years stemmed from the lack of strong authentication. In incident response firm Mandiant’s 2015 M-Trends report, there is a heavy focus on the lack of strong authentication as a security gap. In the breach of a major retailer, Mandiant reports an attacker used legitimate credentials to initially penetrate the network. Once in, the attacker gained access to a critical directory server, and again obtained legitimate credentials to pivot into other areas of the organization. The attacker eventually gained access to systems in the retail environment with valuable credit card numbers.
Private enterprise is not alone. In the federal landscape, the OMB FISMA report for fiscal year 2014 highlighted the dire need to accelerate the rollout of strong authentication. The report cited over half of recorded federal cybersecurity incidents as falling into that category, along with some disappointing statistics about the slowing pace of rollout across the federal government.
A recent study conducted by SecureAuth in the U.K. provided some truly impactful statistics around the implementation of strong authentication. Two in five IT decision makers reported that they were relying on passwords as the primary access control measure. The study makes the lackadaisical attitude toward strong authentication apparent: 22 percent of decision makers reported a plan to improve their authentication within 1-2 years, and 12 percent reported having no plan at all.
Implementation of strong authentication should be a top priority, post-breach or not. There are many implementations that drop into your organization very easily. The reason for the urgency is simple: even if you have completed an incident response, there may be attackers hiding deep within your environment. It is notoriously difficult to completely remove a persistent attacker from your systems, especially if you are a large and geographically distributed organization. Often, an attacker will go dormant once detected and wait for the right time to resume activity. They will continue to look for legitimate credentials that allow them to quietly move laterally around your network.
Strong authentication should empower you in a post-breach situation. Once you have your solution implemented, consider quickly switching workflows to a zero-trust style of control. In this model, you assume that an attacker may already hold compromised credentials, and you “step up” the authentication for everyone. This may tip off the attacker, but you are slowing their progress and giving yourself more time to outmaneuver them. An example of this might be disallowing device fingerprinting as a trusted factor until the remediation has been completed, so that every login, even from a recognized device, must pass the stronger check.
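The following is an added example, not code from the original post or from any SecureAuth product: a toy adaptive-authentication policy that shows what “stepping up” for everyone means in practice. In normal operation a recognized device fingerprint satisfies the risk check; when the hypothetical `breach_mode` flag is set, device recognition is ignored and every user is sent to a second factor until remediation is finished. The `LoginContext` and `Policy` names and the sample fingerprints are constructed for illustration.

```python
"""Adaptive-authentication policy with a post-breach step-up mode.

Added example; names (LoginContext, Policy, decide) are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    """What the policy engine knows about one login attempt."""
    user: str
    password_ok: bool
    device_fingerprint: str
    # Fingerprints this user has previously authenticated from (constructed data).
    known_fingerprints: set = field(default_factory=set)


@dataclass
class Policy:
    """Decides whether a login is allowed outright or must step up."""
    # When True, a recognized device no longer counts as a trust signal.
    breach_mode: bool = False

    def decide(self, ctx: LoginContext) -> str:
        """Return 'deny', 'allow', or 'step_up' (second factor required)."""
        if not ctx.password_ok:
            # Wrong password is always a denial; nothing else matters.
            return "deny"
        device_trusted = ctx.device_fingerprint in ctx.known_fingerprints
        if device_trusted and not self.breach_mode:
            # Normal operation: a known device satisfies the adaptive check.
            return "allow"
        # Unknown device, or breach mode in effect: assume credentials may be
        # compromised and require the second factor (zero-trust stance).
        return "step_up"


def demo() -> dict:
    """Evaluate the same known-device login in normal and breach mode."""
    alice = LoginContext(
        user="alice",
        password_ok=True,
        device_fingerprint="fp-laptop-01",          # constructed value
        known_fingerprints={"fp-laptop-01"},        # constructed value
    )
    stranger = LoginContext(
        user="alice",
        password_ok=True,
        device_fingerprint="fp-unknown-99",         # constructed value
        known_fingerprints={"fp-laptop-01"},
    )
    return {
        "normal_known_device": Policy().decide(alice),
        "normal_unknown_device": Policy().decide(stranger),
        "breach_known_device": Policy(breach_mode=True).decide(alice),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the example is the single `breach_mode` check: flipping it changes the outcome for recognized devices from `allow` to `step_up` without touching any user data, which is exactly the kind of switch you want ready before an incident rather than built during one.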
Slack also took the interesting and innovative step of implementing a “password kill switch” feature in its application. This feature allows an administrator to instantly log out an entire group of users and force them to reset their passwords. It empowers administrators to take control in a breach situation.
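To make the mechanism concrete, here is an added example of how such a kill switch can be built; it is not Slack's implementation, and the `SessionStore`, `kill_switch` and `complete_reset` names are hypothetical. Every session records a logical issue time, each user carries a “revoked before” watermark, and the kill switch moves that watermark forward for every member of a group and flags the accounts for a mandatory reset, so all of their existing sessions die at once and no new session can be opened until the reset is done.

```python
"""Group-wide session kill switch with forced password reset.

Added example; not Slack's code. Names are hypothetical. A logical clock
(an incrementing counter) is used instead of wall time so that a session
issued in the same instant as a revocation is unambiguously revoked.
"""
import secrets
from typing import Optional


class SessionStore:
    def __init__(self) -> None:
        self._clock = 0                 # logical timestamp, increments per event
        self._sessions = {}             # token -> (user, issued_at)
        self._groups = {}               # group name -> set of users
        self._revoked_before = {}       # user -> watermark; older sessions are dead
        self.must_reset = set()         # users who must change password to log in

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def add_user_to_group(self, group: str, user: str) -> None:
        self._groups.setdefault(group, set()).add(user)

    def login(self, user: str) -> Optional[str]:
        """Issue a session token, or None if the user is pending a forced reset."""
        if user in self.must_reset:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._tick())
        return token

    def is_valid(self, token: str) -> bool:
        """A token is valid if it exists and was issued after the user's watermark."""
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, issued_at = entry
        return issued_at > self._revoked_before.get(user, 0)

    def kill_switch(self, group: str) -> int:
        """Revoke every session for the group and force a reset; returns users hit."""
        now = self._tick()
        members = self._groups.get(group, set())
        for user in members:
            self._revoked_before[user] = now   # all earlier sessions are now dead
            self.must_reset.add(user)          # and the password must be changed
        return len(members)

    def complete_reset(self, user: str) -> None:
        """Called once the user has set a new password through the reset flow."""
        self.must_reset.discard(user)


def demo() -> dict:
    """Walk through a kill switch on one group while another is untouched."""
    store = SessionStore()
    store.add_user_to_group("engineering", "alice")   # constructed data
    store.add_user_to_group("engineering", "bob")
    store.add_user_to_group("sales", "carol")
    alice_token = store.login("alice")
    carol_token = store.login("carol")
    affected = store.kill_switch("engineering")
    return {
        "affected": affected,
        "alice_old_session_valid": store.is_valid(alice_token),
        "carol_session_valid": store.is_valid(carol_token),
        "alice_can_login_before_reset": store.login("alice") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Storing a per-user watermark rather than deleting tokens one by one is what makes the switch “instant” regardless of how many sessions exist, and the same watermark check works for signed tokens that are never stored server-side as long as they carry their issue time.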
Strong and adaptive authentication is a first line of defense, but it is also a second line of defense. It lets you widen the safety net at the edges of your infrastructure, whether those edges are external or internal. It helps you stay ahead of lateral movement once an attacker is in, and it empowers you after a breach has occurred.
Join us on April 16th, 10am PDT/1pm ET as we discuss whether or not organizations are still placing too much trust in the password. Follow along or join the discussion with the hashtag #SecureAuthChat.
Follow me on Twitter at @StephenCoxSA.