Using Two-Factor Authentication for the Administration of Critical Infrastructure Devices

Image

Two-factor authentication (2FA) is a type of multi-factor authentication that verifies a user based on something they have and something they know. The most popular 2FA method currently in use is the token code, which generates an authentication code at fixed intervals. Generally, the user will enter in their username, and their password will be a secret PIN number plus the code generated on the token. Support for two-factor is increasing as service providers and banking institutions see the benefit in delivering a stronger authentication method to customers. For example, Apple recently released iOS 9 and OSX El Capitan with support for two-factor authentication, and Windows 10 has support for two-factor baked-in. A growing list of service providers who support 2FA is available at twofactorauth.org. It is important to distinguish the difference between two-factor and two-step authentication, as both terms tend to get interchanged despite significant differences:

1. Two-Factor Authentication: Something the user possesses (a token code) and something they know (a password or PIN.) This is a true multi-factor authentication method.

2. Two-Step Authentication: Something the user knows (a password or PIN) and something the user possesses (a one-time code sent to a smart phone via SMS or to an email account). The code sent to the user is considered a knowledge credential, in effect rendering two-step authentication as a two-step knowledge factor method. Problems exist with codes sent via SMS, as they are vulnerable to man-in-the-middle attacks. Codes sent via email can also be snooped via spyware, for example.

Companies have been using 2FA for years as a secure solution for employees to access resources, whether it's for remote VPN access or public-facing email servers. Now consider leveraging your existing two-factor solution as an authentication method for administrative access into critical infrastructure devices. Using only single-factor authentication for administrator access into sensitive systems casts an extremely wide attack vector across your enterprise. Let's use a thought experiment: a hacker obtains one of your single-factor admin credentials, whether from a server exposed by Heartbleed or through an un-patched backdoor. The hacker, once they have gained access to your network, has the keys to the kingdom that would provide them with admin access into any of your single-factor devices: think firewalls, DLP systems, proxy servers, etc. Take inventory of the devices providing various critical services within your infrastructure, and you will likely find many of them provide administrator access using single-factor authentication. It's a grave scenario that should be taken seriously by C-level Information Security executives. Administrative access into network appliances and servers must use 2FA. Mitigating the vulnerability of single-factor admin access requires minimal effort and greatly reduces the attack vector. 2FA administrator solutions are supported among most of the big players: Cisco ACS (as of v5.7.0.15.1), Cisco ASA, Checkpoint, Juniper/Pulse and Microsoft to name just a few. Consult the admin guides for your devices on enabling two-factor admin authentication. You'll sleep better knowing you've hardened your systems with 2FA. As always, happy computing!   About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. _{Title image courtesy of ShutterStock}