Page 12 - FCW, February 2016

DEBORAH GOLDEN is a principal and Federal Cyber Risk Services leader at Deloitte and Touche.
Passwords should be a thing of the past
To secure government networks in an increasingly dangerous cyber world, agencies must embrace multifactor authentication
When you are in the cyber business, it’s hard to escape your work. I see cyber risk everywhere, and it has become my mission to help people better understand how the world has changed. Passwords should be a thing of the past, as obsolete as the floppy disk or the dial-up modem. The cyber world has moved on, and now we need to catch up — quickly.
Threats are no longer rogue hackers relishing the satisfaction of having infiltrated a protected network. Instead, more dangerous actors — often sophisticated and state-sponsored cyber “terrorists” — are persistently and quietly exploiting networks to obtain sensitive information for nefarious purposes.
The federal government is heading in the right direction with the focus on multifactor authentication (MFA). Under U.S. CIO Tony Scott’s direction, the government launched a cybersecurity sprint that required agencies to improve the security and resilience of their networks.
The initial focus is on privileged-user accounts, which are held by those who can perform security-sensitive actions, which include the ability to add, change and delete user accounts; read, copy, change and delete any file on the system; install software, potentially including malware; and confer trust on new digital certificates and certificate authorities. Without MFA, an attacker possessing a privileged user’s username and password could carry out those actions.
Adopting mandatory MFA can protect against cyberattacks because it increases the degree of difficulty for attackers. Requirements can include two or more types of factors:
• Something you know (e.g., password or PIN).
• Something you have (e.g., cryptographic hardware device, such as personal identity verification card or YubiKey).
• Something you are (e.g., biometric, such as fingerprint, iris or face).
For example, PIV-enabled MFA requires the user to insert his or her PIV card (something the user has) into a card reader and enter a PIN (something the user knows) to unlock the PIV’s digital certificates. The PIV card, which contains a microprocessor and memory, then participates in a cryptographic authentication process with the protected network or server. The cryptographic process cannot be duplicated by an attacker who does not possess the user’s PIV and PIN.
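The card-plus-PIN exchange described above, sketched as an added example that is not part of the original article and is not the PIV specification: a server sends a fresh random challenge, and the card signs it only after the correct PIN is presented. The names `ToyCard` and `Verifier`, the sample PIN and the toy RSA key are assumptions made for illustration; real PIV cards use full-size keys and X.509 certificates.

```python
import hashlib, hmac, secrets

# Toy RSA key built from two Mersenne primes: illustrative only, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

class ToyCard:
    """Hypothetical stand-in for a PIV card: the private exponent never leaves it."""
    def __init__(self, pin: str, max_tries: int = 3):
        self._pin, self._max, self._left = pin, max_tries, max_tries
        self.public_key = (N, E)
    def sign(self, pin: str, challenge: bytes) -> int:
        if self._left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._left -= 1
            raise PermissionError("wrong PIN")
        self._left = self._max               # correct PIN resets the retry counter
        return pow(digest(challenge), D, N)  # textbook RSA signature over the nonce

class Verifier:  # server side: holds only the public key and one outstanding challenge
    def __init__(self, public_key):
        self._n, self._e = public_key
        self._pending = None
    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)
        return self._pending
    def check(self, signature: int) -> bool:
        challenge, self._pending = self._pending, None   # each challenge is single-use
        return challenge is not None and pow(signature, self._e, self._n) == digest(challenge)

def demo() -> dict:
    card = ToyCard(pin="482915")                         # constructed sample PIN
    server = Verifier(card.public_key)
    response = card.sign("482915", server.new_challenge())
    out = {"card_and_pin": server.check(response)}
    server.new_challenge()
    out["replayed_response"] = server.check(response)    # old signature, new nonce
    for guess in ("000000", "123456", "111111"):         # card in hand, PIN unknown
        try: card.sign(guess, server.new_challenge())
        except PermissionError: pass
    try: card.sign("482915", server.new_challenge()); out["card_locked"] = False
    except PermissionError: out["card_locked"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

A captured response fails against the next challenge because the nonce changes every login, and three wrong PIN guesses lock the card, which is why neither a stolen password-like secret nor a stolen card alone is enough.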
Although legacy applications can make it challenging for many agencies to implement MFA, there is a way to achieve it via a multitiered approach: requiring PIV authentication where possible, using other MFA tokens where available to eliminate remaining password-enabled accounts, and determining mid- and long-term infrastructure changes required to PIV-enable all privileged-user accounts.
The use of MFA is an effective first step, but it is only one element of a comprehensive cyber defense strategy. Other critical components include:
• Establishing policies and procedures that govern acceptable user behavior and establish what constitutes anomalous behavior.
• Provisioning and managing access privileges to ensure that assigned privileges are still necessary.
• Monitoring account activity and network firewall logs to discover anomalous behavior and respond to attacks in a timely fashion.
• Instituting strong authentication for system-to-system communications to impede an attacker’s ability to access system resources.
• Encrypting sensitive data to make it unreadable by intruders.
• Recording and auditing sessions to log privileged access and specific actions taken during a login session.
• Deploying incident response and recovery capabilities to minimize and repair the impacts of successful attacks and restore operations.
Although only part of a holistic approach, MFA is a necessary and critical step on the way to properly protecting federal systems.