Security

Why are we bashing 2FA?

I’m a huge proponent of Two-Factor Authentication (2FA). Is it a perfect system? Absolutely not, but what system is? There are more secure and less secure second-factor methods; every method has its own pros and cons, and many legacy login systems are not compatible with 2FA to begin with. But do you know one thing that 2FA is not? It is not less secure than not having it at all.

Passwords were never going to be the ‘forever solution’ to security; they’re too vulnerable in too many ways. In fact, 2FA is almost certainly not going to be a forever solution either – it still leaves too much room for fraud or human error in the authentication process. But the fact of the matter is that layering on the second factor extends the useful life of password protection in today’s digital age, mitigating (in many cases) the risk of using weak passwords; not to mention the problems caused by the constant breaches of systems around the world leading to the leaking and compromising of millions of passwords at a time.

That’s why I continue to be appalled at how many people seem to criticize 2FA as a methodology. It’s almost like they see one flaw in the system and then bam! The whole system is worthless. Last month I read an article from The Register which seemed to take that exact stance.

I understand that security is a trade-off between user convenience and information protection. It’s no different than physical security – you think anyone enjoys dealing with TSA on their way to catch a flight? But there does need to be an understanding amongst us. An understanding that security is there for a reason; an understanding that cyber criminals will steal people’s credentials for no reason and with no bias. This is why security is important and why it will, by definition, cause inconvenience. You could say then that the security itself is not to blame for the inconvenience, but rather the douche bags that cause the need for the security in the first place. If we compare this to airport security, the attempted shoe bomber is the reason that we have to take our shoes off now… thanks a lot Richard Reid. Ok, rant over, let’s get back to 2FA.

In the article from The Register, author Alistair Dabbs makes an interesting – maybe he thinks it is profound – point that his cat does not need 2FA to access the cat door: “the only reason it works brilliantly for my cat is that the other cats in my neighbourhood don’t have any programming skills” (para. 14). Ok, well there is that, but there’s also the fact that cats are (arguably) not malicious by nature. They *usually* don’t break into your house to steal the sticky note with your bank account login written on it. They *usually* don’t ransack your place looking for your social security number. I mean maybe it happens. Maybe?

Humor aside, cats don’t need 2FA because cats don’t exhibit the malicious behaviors that humans do. Cats don’t phish each other’s email boxes trying to steal login credentials. Humans, on the other hand, do have to live in this type of world, where there are seemingly more people than not who will try to screw you out of your Facebook login or the digits on your credit card just so that they can make a quick buck. Take a quick glance at some of the breaches listed in Have I Been Pwned (HIBP) and the magnitude of this is astounding… and these are just the known breaches. Even worse, the people that do this are frighteningly good at this trade. Phishing techniques are getting increasingly believable, and it seems impossible to have 100% of your user base adequately trained on these types of threats. This is why we need 2FA. Is it inconvenient? Absolutely. Is it necessary? Absolutely.

One struggle today is that we’re accessing many platforms that provide no 2FA support at all; or, commonly, platforms that provide 2FA capabilities but only through inconvenient or insecure means (such as TOTP via app, or via SMS, respectively). The lack of broad acceptance or mass implementation of 2FA creates problems because simple usernames and passwords are clearly a broken form of authentication. My hope is that we’ll continue to make strides towards a password-less future, but that time is a long way off. Until then we need to implore developers to add some form of multifactor auth to their applications.

Like I said earlier, 2FA is not going to be a ‘forever solution’ to security. I don’t know if there will ever be one as criminals will always work to break the system. But 2FA is, if nothing else, an improvement to passwords by themselves – we should appreciate it for that while also being mindful of its limits as we strive towards a forever solution.

A Third Florida Town Succumbs to Ransomware

I’m betting that there will be some openings for IT positions coming soon in various Florida municipalities. Ars Technica reported today that a third (that’s right – third) city in Florida fell victim to ransomware. According to Ars, Key Biscayne, FL was breached using the Ryuk strain of ransomware (the same as Lake City, FL on June 10th, which cost that city just shy of half a million dollars in bitcoin, and possibly the same as Riviera Beach, FL, which cost that city $600k).

Key Biscayne became infected with Ryuk through what is known as a triple-threat attack: Emotet, in this instance, was brought into the network as a result of a successful phishing email. Emotet was used as a dropper to bring in the Trickbot trojan, which allowed the attackers lateral movement throughout the city’s infrastructure. At this point, the attackers had enough control to be able to infect the city’s systems with Ryuk – and game over. The city held a meeting tonight in which, one would assume, they’d decide whether or not they need to pay the ransom. That decision has not yet been made known.

Let’s think about the different ways that this attack should have been – but was not – stopped in its tracks before it had a chance to wreak this havoc:

  • Employee Security Awareness training. Training employees to avoid clicking on phishing links will help; although it is still subject to human error and ignorance. I recommend conducting phishing security tests and following up with necessary training – KnowBe4’s training platform is an awesome tool for this purpose.
  • Key Biscayne’s MX record points to keybiscayne-fl-gov.mail.protection.outlook.com, meaning that they’re using email services through Office 365’s Exchange Online platform but also likely that they’re relying solely on Microsoft’s spam filtering. Microsoft is not ineffective at preventing phishing emails, but plenty of phishing emails will inevitably get through. Microsoft provides some advanced phishing prevention when users are assigned Advanced Threat Protection (ATP) licenses – it’s unclear if the city had subscribed to this additional license.
  • Lateral movement was allowed from the infected user’s workstation to the back-end server infrastructure. Key Biscayne is a small city with a population of only around 3,000. What likely happened here is that the city did not invest enough in their IT infrastructure. Most network admins these days recognize the importance of minimizing the possibility for lateral movement, but in an organization this small I imagine that it was not recognized as an important security control.
  • Why aren’t we restoring from backups? I’m making the assumption that they can’t, and that they’ll eventually be paying the ransom. Will this lesson ever be learned by our IT organizations? Back up your data, air-gap it so that the backups can’t be compromised, and have a disaster recovery plan in place that details how you’ll restore systems in a worst-case scenario such as this.

More details are sure to emerge regarding Key Biscayne’s ransom payment decision over the next few days. If anyone from the city happens to read this, please let us know if we can be of assistance in the recovery of your systems.

Desjardins Group: Another Slap on the Wrist from Lawmakers

This is getting ridiculous: companies continue to lose people’s personal data and no one seems to care to do anything about it. Where did it happen this time? The Desjardins Group credit union co-op, a financial institution that you’d expect would have some of the tightest controls to prevent this kind of breach.

According to CBC/Radio-Canada, this breach was not caused by the nefarious hacks that seem to frequent today, but rather by an insider – an employee who accessed the data of 2.9 million Caisse Desjardins members and decided to share the information outside of the company. Details are sparse, but supposedly the compromised information included “names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits,” but not passwords, security questions, nor PINs. Well there’s some silver lining: they only stole your personal information, not the information that would let money be withdrawn out of the credit union’s coffers. Doesn’t that make you feel better?

Let’s think for a moment about how this type of data breach would have been possible: First, the malicious insider had a nefarious reason to do it. Maybe it’s being sold? We’re not yet told who this data was shared with (or sold to), but if I were one of these members I’d be very concerned about identity theft right now. From an information security perspective, the insider would have needed access to the databases containing this data. Or maybe they improperly accessed a backup copy of the data, stored without proper security controls? Then, they would have been able to obtain the data as well as share it without too many red flags being thrown up. Details are sparse, but if it was shared externally over the network then it apparently was not caught by any Data Loss Prevention (DLP) systems. If it was carried out on media such as a flash drive then there doesn’t appear to be much control around that. Thinking this through, it raises so many questions that need to be asked:

  1. Was the employee’s role one that would have given them access to this data? Or did they find a way around access controls?
  2. How did the action of downloading the data of 2.9 million users not throw up more red flags than it did? How was it allowed in the first place? Database queries to do this should have been setting off all kinds of alarms in any decent SIEM or IDS.
  3. Why did DLP or physical media controls not prevent the exfiltration of the data?
  4. Why was the data stored in an unencrypted format? The fact that some data was lost while other data was not suggests that the Desjardins Group, apparently, cares more about passwords/security questions/PINs than it cares about the personal information of its 2.9 million members.

Despite the severity of this breach (and the apparent lack of security controls at a financial institution!) and other breaches like it, doesn’t it seem like lawmakers are not doing enough about it? CBC/Radio-Canada’s article states that “Quebec’s regulator of financial institutions, the Autorité des marchés financiers (AMF), described the situation as ‘very serious’ but said it is ‘satisfied with the actions’ taken so far by Desjardins Group” (para. 9). Sounds like Desjardins Group will just be getting a slap on the wrist to me. Maybe a small fine? In my opinion, organizations that fail to adequately protect consumer data should be fined in a massive way – one that sets an example for other companies – and the affected consumers should also receive direct financial compensation, not just the B.S. publicity stunt of being given a year of free credit monitoring. Money is what these companies know, and that’s what will make them start caring.

Experience: Duo Security Multifactor Authentication with Office 365

Duo Security is an industry leader in MultiFactor Authentication (MFA) and zero-trust security solutions. Many organizations choose to federate their on-premises identity – Active Directory – with Microsoft so that users have a Single Sign On (SSO) experience when accessing 365; this is, in many cases, achieved using ADFS. Duo conveniently provides a plugin for ADFS so that MFA can be bolted on to the existing SSO solution.

In fact, I found it to be just about that easy. In my ADFS 4.0 environment Duo’s plugin installed seamlessly and was instantly available for MFA within ADFS. The great thing about this is that, when your users authenticate through a web browser (such as to OWA), if they’re not already enrolled they can be prompted to enroll at that time. This makes user onboarding simple and easy.

Duo’s access policies can be combined with ADFS claim rules for a very customizable experience. In my case, I chose to simply require 2FA only for extranet connections:

ADFS access control rules

Just to be sure, I also whitelisted my public IP address within Duo’s application policy. The solution works beautifully – if we connect from outside of our network to OWA (via a web browser), the user will see Duo integrated with the ADFS login page as a next step after a successful login:

Duo's two-factor authentication (2FA) prompt in ADFS
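As an added example (not from the original post, and not Duo’s or Microsoft’s code), here is how the extranet-only MFA requirement described above can be expressed with the AD FS PowerShell module: once as the built-in AD FS 2016 access control policy, and once as the equivalent claim-rule language for trusts still using additional authentication rules. The relying party trust name is assumed to be the Office 365 default.

```powershell
# Added example, not from the original post. Run on an AD FS server as an
# administrator. Assumption: the Office 365 relying party trust still carries
# its default name.
$RpName = 'Microsoft Office 365 Identity Platform'

# 1. Confirm an additional authentication provider (the Duo adapter) is
#    registered and enabled in the global policy; without this, any MFA rule
#    below has no method it can invoke.
Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

# 2a. AD FS 2016 (4.0): assign the built-in access control policy that permits
#     everyone but demands MFA only for requests arriving from the extranet.
#     This mirrors the "require 2FA only for extranet connections" choice.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -AccessControlPolicyName 'Permit everyone and require MFA from extranet access'

# 2b. Equivalent claim-rule language for a trust on legacy rules. The
#     insidecorporatenetwork claim is false when the request came through the
#     Web Application Proxy; in that case the multipleauthn method is required,
#     which hands the sign-in to the registered adapter.
$ExtranetMfaRule = @'
@RuleName = "Require MFA from extranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
# A trust cannot carry both an access control policy and legacy rules. To use
# 2b instead of 2a, first clear the policy, then set the rule:
# Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName $null
# Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $ExtranetMfaRule

# 3. Verify what is actually in force for the trust before testing from outside.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, AccessControlPolicyName, AdditionalAuthenticationRules
```

Test the result from an external address and from the LAN: only the external sign-in should reach the Duo prompt, and an IP allowlisted in Duo’s application policy (as done above) is exempted by Duo, not by AD FS.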

The “Gotchas”

Now, let’s talk about the caveats of this solution. They are few, but they do need to be planned for.

Modern Authentication

Non-browser connections (such as those from Outlook installed on user desktops) will now require Modern Authentication. This won’t be a big deal for most organizations, but it does restrict which Outlook clients and which mobile mail clients can be used. Outlook 2013 or newer is required, though Outlook 2013 will require a registry change to be compatible. For mobile clients, check out Duo’s KB article for more detail.

Mail Relay

Microsoft’s documentation lists 3 options for how to relay mail through Exchange Online, the first of which is SMTP Client Submission – relaying through Exchange Online using an authenticated connection on port 587. This is commonly accomplished using the Windows built-in SMTP relay in IIS, and if this is how you’re relaying then this method will stop working, because the relay’s password-only login can no longer satisfy the MFA prompt. A good workaround is to add a connector for the IP address that your mail relay sends from, and then reconfigure the relay to send to yourdomain-com.mail.protection.outlook.com on port 25. For more information, see option #3 of the same Microsoft article.

Alternatively, if you have another domain set up in your 365 account that is not federated to ADFS, you can use an account in that domain to continue to relay, since sign-ins for that account will not be subject to Duo’s MFA.
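The two relay paths described above, as an added example that is not from the original post or from Microsoft’s documentation: the authenticated port 587 submission that breaks once the mailbox’s domain is behind AD FS and Duo, next to the connector-plus-port-25 workaround. The relay IP, MX host and addresses are constructed placeholders.

```powershell
# Added example, not from the original post. Placeholders (assumptions): the
# relay's public IP 203.0.113.10, the tenant MX host from the post, and two
# test addresses in the tenant's domain.
$RelayPublicIp = '203.0.113.10'
$TenantMxHost  = 'yourdomain-com.mail.protection.outlook.com'
$From = 'relay@yourdomain.com'
$To   = 'admin@yourdomain.com'

# BEFORE (option 1, SMTP client submission): the relay signs in as a mailbox
# on port 587. Once that mailbox's domain is federated through AD FS with Duo,
# a password-only login cannot complete the MFA step, so the relay stops.
function Send-ViaClientSubmission {
    param([pscredential]$MailboxCredential)
    Send-MailMessage -SmtpServer 'smtp.office365.com' -Port 587 -UseSsl `
        -Credential $MailboxCredential -From $From -To $To `
        -Subject 'Relay test (587, authenticated)' -Body 'client submission'
}

# AFTER (option 3): trust the relay by its source IP with an inbound
# connector, then submit unauthenticated to the tenant's MX host on port 25.
# TLS is still required so the mail is protected in transit; the source IP is
# the only identity, so keep that IP off any shared or NAT'd egress.
function New-RelayConnector {
    Connect-ExchangeOnline
    New-InboundConnector -Name 'On-premises relay (by source IP)' `
        -ConnectorType OnPremises -SenderDomains '*' `
        -SenderIPAddresses $RelayPublicIp -RequireTls $true
}
function Send-ViaConnector {
    # Run this from the relay host itself so the source IP matches the connector.
    Send-MailMessage -SmtpServer $TenantMxHost -Port 25 -UseSsl `
        -From $From -To $To -Subject 'Relay test (25, by IP)' -Body 'connector'
}

# Usage: create the connector once from an admin session, then test from the
# relay host. If the test is rejected, check that outbound port 25 is open and
# that $RelayPublicIp is the address Exchange Online actually sees.
New-RelayConnector
Send-ViaConnector
```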

PowerApps / Flow / Other 365 services

Connectors set up in PowerApps and Flow will need to re-authenticate, with MFA, based on the policies set up within Duo. This will be a pain because it will require human interaction to do so. As mentioned in the previous section, if you have a domain in your tenant that is not federated to ADFS then it may be easiest to create these connections with an account from that domain.

ASCO Industries Falls Victim to Ransomware

Help Net Security reported yesterday that ASCO Industries, an aerospace manufacturing company, was impacted by a ransomware infection severe enough for them to suspend their manufacturing operations around the globe.

It continues to amaze me how effective ransomware is at grinding a business’s operations to a halt. Ransomware isn’t new by any means; however, organizations don’t seem to be taking the threat seriously. Employees remain extremely vulnerable to phishing tactics that often let malware into the network, but IT departments should be more prepared for this sort of outbreak than they seem to be. Ransomware should be curable with a quick restore of infected systems, and then you’re back online. User workstations? Re-image and call it a day.

The blame here does fall on the IT organization itself for being ill-prepared. I don’t pretend to be knowledgeable about the ins and outs of ASCO Industries’ IT environment, but today’s hyper-connected world demands that IT professionals rise to the call of taking reasonable measures to protect their environment. We’re not talking about anything crazy, just common protective measures such as:

  • Backups of all servers to meet RTO/RPO as determined by business needs.
  • Endpoint protection – a reputable antivirus and intrusion prevention solution. It won’t catch everything but it is still an absolute necessity.
  • A segregated network. In this specific example it seems logical that the manufacturing network should be separate and more locked-down than other client networks – so why was the production line impacted?
  • An incident response plan: if a workstation does get infected, what do we do? This doesn’t have to be rocket science; it might be as simple as disconnecting the station from the network until it is re-imaged.
  • Security awareness training. This is no longer optional – staff need to be trained on threats such as phishing, social engineering, and basic information security concepts.

The biggest problem that I’ve seen is lack of urgency on the IT organization’s part to accomplish these bare minimums. It may also be influenced by insufficient understanding (and maybe lack of proper budget allocation) from the C-level executives in the organization. One thing I’m sure of is that the folks at ASCO Industries are re-evaluating those priorities right now.

Sam’s Club Data Breach?

Just a theory – but it may be possible that Sam’s Club (specifically one of their mobile apps, or the data linked to it) has been compromised. I’ve had two reports of users who have recently used the Scan & Go feature only to shortly afterwards find that their account was fraudulently accessed and used.

Sam’s Club recently made a change where they integrated the Scan & Go functionality into their main mobile app. Coincidental timing? Please reach out if you have any information that could help track this down.

Traditional vs. Next-Gen

I had an interesting conversation several days ago with a network admin who was looking into making changes to the network at his company’s main office. This office housed around 100 folks and was fairly straightforward in its technology needs. They had a handful of VLANs for different departments and functions.

What I liked about this setup was the fact that the VLANs were all trunked through to the pair of high-performance, high-availability firewalls at the office that were also the site’s L3 routers. In this way they were able to apply security filtering (AV/IPS/App control) to all inter-VLAN connections rather than leaving this protection at the internet border only. The network admin that I was conversing with wanted to break off this routing, though, so that all VLANs terminated at a dedicated router and the firewalls would only be used as the border gateway.

This is the traditional Cisco way of thinking, and functionally it works. It works great! I have a background in Cisco networking so I understand this very well, and I also realize that different size networks will have different needs – not every design works efficiently for every network. Keep in mind that I’m writing this here while thinking about this small office, and so many companies I’ve worked with that have offices of similar sizes.

Unfortunately, times are changing and this separation of router and firewall is no longer the best direction for small sites. After a few quick searches you can see that more and more threats today come from inside the network. New technology concepts such as BYOD, IoT, web proxies and private VPNs are all technical contributors to this problem. Especially considering the human factor, administrators should no longer completely trust internal devices. It is too easy for a user to take their work laptop home and come back into the trusted network, where a new virus on that machine can spread unchecked. The typical IT organizations managing these smaller businesses no longer have reasons to allow this to happen:

  1. High-performance network devices are common and affordable; performance on the network cannot be a reason to not implement Next-Gen Firewall (NGFW) protection. Throughput on today’s hardware with NGFW features enabled can easily be greater than 1Gbps while still being very affordable, even for small businesses.
  2. Network availability is not a concern as any business-grade equipment from a reputable vendor should support HA capabilities. Insist on stacked switches for redundancy behind those firewalls? Great! Go for it. Just don’t let those switches be your internal layer 3 routers.
  3. Firewalling should be more than just blocking and allowing ports on the network. Here is the big differentiator between your common router and your NGFW firewall: the router with an ACL is only going to block ports/IP addresses. A firewall of course has this capability, but adds user identification, antivirus, intrusion detection, application control, DDoS protection, and more. If you’re saying to yourself that you’re fine with your Cisco 2900 router because you have ACLs between your VLANs, you’re wrong. If you want to keep them that is your choice; maybe add a transparent firewall in there too, though.

Let’s take network security to the next level. Don’t assume that yesterday’s network design is still the best fit for today’s world. And don’t assume that your inside devices are trusted! Take steps to protect your network at every level. That’s next-gen thinking.

Why I hate McAfee (the company) and why you should, too

Companies have a tough time fighting spam. I get it. Spam fuels the spread of viruses, phishing, identity theft, and general user confusion. I despise it as much as the next guy, but it has quickly become a part of day-to-day life for any email user or mail-enabled organization. Because of how rampant and aggressive spam email has become, as well as the ever-increasing danger of websites that spam may try to lead you to, companies that fight spam have taken up blacklisting: adding email domains and server IP addresses to one of several lists that are used by various spam filters to more easily detect spam emails. Getting on one of these blacklists can be entirely too easy, and oftentimes it is entirely too difficult to be removed once on one.

At this point you’re probably thinking “good, let’s stop as many of those spammers as we can!” Well, the problem is that legitimate email-sending companies can get added to these lists. Before anyone knows what is going on, a legitimate and honest company is having problems sending (or even receiving) emails and business starts to grind to a halt. At this point the company’s IT resources will begin sorting out the issue and eventually begging and pleading for their server to be removed from the one or more blacklists that are crippling their email service. Some of the blacklist providers offer a simple web-based removal process that requires just a simple explanation… but then there is McAfee.

McAfee has a ‘special’ group within their anti-spam division, known as McAfee Messaging Security. This group, from what I have gathered, takes recommendations from affiliate organizations of domains that should be flagged as spammers and arbitrarily adds them to their blacklist without any sort of verification or validation of an actual offense. The only way to be removed from McAfee’s blacklist? Send an email to [email protected] or [email protected] and wait for them to tell you how they picked your domain randomly out of a hat and blacklisted it for no reason.

What’s the real problem, you ask? The real problem is that this Messaging Security group is ONLY AVAILABLE BY EMAIL! No phone call can reach them, no tech support case (even with Gold Support) will be escalated to them, EMAIL ONLY. So while your business is stagnant, crippled, and waiting for McAfee to get back to them to resolve the issue, your customers are fleeing, getting bounce-backs, and wondering why they aren’t receiving prompt replies. But wait, there’s more.

McAfee Messaging Security likes to keep things as vague as possible, that way you have trouble telling that they have no real reason for blacklisting you. Their first response to your email will be “uh, well, this website here has junk html files that need to be removed before we consider removal” (you may think I’m exaggerating, and I wish I were… this is how it actually happens). So, five email exchanges later (12 hours in between each one, mind you) hopefully you’ll have the problem fixed, or at least have an idea of what you actually need to do to satisfy these ruthless email dictators. Hopefully the affected company won’t also be a subscriber of McAfee’s cloud-based spam filter, because if it is then the email replies from Messaging Security could even be caught in their own spam filter and the exchange could take even longer.

I’ll stop here with my rant. Hopefully you get the picture and take warning. McAfee produces sloppy, sub-par software and backs it with even worse service and support. McAfee is one company that I will never recommend to peers and customers for these reasons.

Data Backups: Can you rely on tape?

Almost every small business that I’ve had a chance to work with has used tapes as their primary means of backing up data (the others have had no backups, or no data to back up). Tapes are used widely for several good reasons: they can be stored and archived for many years, they are fairly inexpensive, easy to rotate, and many backup software packages are designed around the use of them. But have you ever had to restore from tape? It’s a tedious process. First, you have to find the tape (or tapes) that has the data you want to restore (hope you’re labeling them well!), then you have to catalog it, then you have to mount and restore it… something that should be so simple can actually be an excruciating process. After all of that (and the time it takes, as you’ll know if you’ve been there) you had better hope that the backup was tested, otherwise it may not even restore properly. What if your business is completely down until the restore is done? That would make for a very stressful day.

In my opinion, tape is a legacy technology. Disk and flash storage is so affordable these days that companies can easily purchase storage capacity that exceeds what they have on tape. This can translate to faster and more reliable backups, longer retention periods, and more available space for future growth. Restores are usually completed faster, too. Interested in a hybrid model? Tapes can still be a good means of off-site archival. Or, you can look into cloud-based backup options or even off-site disk-based backups. The options are out there, but you have to make the choice for the backup solution that is best for your business.

Did you know: Standardized Risk Assessments

Did you know that the National Institute of Standards and Technology (NIST) publishes Special Publication 800-30, Guide for Conducting Risk Assessments? This is one of several guides that GROUND Security incorporates within our assessment and analysis framework.

You can find the document on NIST’s website: http://csrc.nist.gov/publications/PubsSPs.html