Cybersecurity managers spend a lot of time thinking about when, and how, to deny or allow entry to certain systems or resources, from digital access points or physical entryways like IT systems, cloud services, elevators, and even doors. Access control is an essential element of security.
Solid security requires control over access to information that matters; the cybersecurity manager who doesn’t take control is not considering what matters and to whom. Anyone who does not have the need to know should not be allowed to have access. Anyone who does need to know should. That’s only logical, but it’s common to find companies with such strict access control that it prohibits the right users from gaining access, or such lax controls that the risk of data breaches and leaks is increased.
Access control is a way to divide the risk of unauthorised access and data breaches. What people don’t know will limit what they are capable of doing. Keep your passwords secret from hackers, and you won’t be hacked. Keep your business plans secret from the competition, and you have a better chance of winning.
Controlling access to information is a complex topic with multiple technologies available. It’s necessary to include some good practices and principles in the high-level policy that sets the management tone for controlling access to information. The highest level of requirements could be phased out like below:
“Access to company information is given to people who need that information at their work, but not to others. This is the need-to-know principle. When the need-to-know ceases to exist, access to information will be removed. Managers in charge will inform IT department to permit the access to information based on their assessment of need-to-know.”
Obviously, there’s a ton of details that could go into more detailed policies for each important system that the company uses.
Here’s a horror story from real life. Most organisations require some sort of ID, access card, or badge to be used in their facilities. Many companies require that employees identify themselves with a lanyard and ID badge that must be worn at all times.
We’ve worked with some quite unbelievable access control scenarios. In one instance, a school was requiring that all of the parents, teachers, maids, and custodians who drop off or pick up their kids wear a lanyard and a photo ID that identifies their face, name, and which child they can bring or take out. Nobody without that lanyard should have been able to access the premises and take the kids. The IDs were supposed to be used to control access to the school area and provide a means to check who has authority to take a certain kid along with them. Nice idea, in theory, but practice turned out to be different.
One of their problems was that the school had more than one entry point, usually manned by staff who were supposed to—but in practice didn’t always—check the parent’s IDs and lanyards.
Every morning and afternoon, the staff came to the gates and greeted parents. They tried to remind the parents to wear a lanyard, but the parents often forgot them at home. The exception was handled by showing the parents to the school office to apply for a day pass. This of course meant that the person could just say, “Sorry I forgot,” at the gate and be guided to enter the premises. Automatic bypass of access control! At the start of a semester, the staff at the gate was strict about it. Staff asked to see the access lanyards and advised parents to wear them because they’re reminded to. But the lanyards were small, and it was hard to see a tiny picture of a face to verify that the person actually matched the ID card, let alone check which parent was matched with a certain kid when they took the kids out. In fact, while exiting the premises with a child, there was no outbound check at all!
As the semester progressed, and a few weeks passed, the staff barely glanced at the IDs; they were only registering a colourful lanyard. At the same time, they could not cover every entrance and exit on the premises. Parents soon learned that they didn’t need to wear the lanyard or access cards anymore because they could either take a route where there was no staff or just rely on them recognising them by looks. In truth, a parent can just smile and walk past them and say, “Sorry, I forgot my badge. A bit of hurry,” and nobody cared. That’s called social engineering access. Show a friendly face, get people used to it, and then enjoy the freedom of access.
Access security lapsed completely once inside the school’s perimeter, where the teachers and other staff seldom wore identification. The badges were just for people trying to access. Once they got inside, there was no way to distinguish between internal staff and parents. Nobody could check to see if they were allowed to remain inside because there are too many people wearing lanyards and too many not wearing them. At best, the ID plan gave a false sense of security.
The school example illustrates a host of different security problems: overly complex and failing access control scheme, multiple points of entry, lax attitude toward enforcement, lack of formality and training, and no real enforceability. Too often, it’s the same with IT security policies.
Access control needs to involve user management, making sure that only authorised users are created and that specific users get access to certain resources and not others. To do that, the cybersecurity manager has to know who the users and user groups are and what resources are appropriate for them to access. The cybersecurity manager also needs to know what systems have to be controlled. Only then can they decide what kind of controls to implement. Those are the basic building blocks of access control. Without them, it’s impossible to do access control well. Systems that allow centralised control like Microsoft Active Directory are essential in building the access control scheme.
People usually think about access control in terms of horizontal access—how many systems an employee gets access to. The cybersecurity manager should also consider vertical access and depth of access. Is the user a normal user or an administrator? The more privileged access a person has, the greater their power, and the more likely they are to be a target for cyber criminals, whose goal is to gain broad access rights to internal systems. Do they mention in their LinkedIn profile that they are working for your company as IT administrator? Guess who hackers would prefer as a target?
Most user management today is done with usernames and passwords, and it’s clearly inadequate. If we look at the breaches and cyber exposure happening in the world right now, we can see why that many of them involve insecure access control processes.
In fact, passwords still pose the biggest threat related to unauthorised access to information, even with all of the security technology available. People use passwords that are too short and too simple. They use the same password for everything inside and outside of company, and keep the same one for a long time. Recent studies say that half of people use the same password everywhere.
It’s not hard to see why people don’t use a different password for everything and change it regularly. One individual we met had 300 plus accounts across various internet services. That means 300-plus usernames and passwords. Managing that is, of course, a huge problem. This isn’t just a company problem or an individual problem; it’s a planetwide problem.
Some companies have offered an apparent solution to password management woes, like using a Google, Facebook, or LinkedIn authentication to log in with a click of a button. Users with many accounts appreciate this because they can just use the same passwords for their company and private services whenever they use the internet. This is very convenient for the users but also places a lot of trust on these authentication services and centralises the risk of compromise. If one of these big ones gets hacked, a lot of other systems and information will be at risk. LinkedIn was hacked, and all usernames and passwords were stolen a few years back. Everyone should know, right? But few people know that many of these stolen passwords still work today.
Unfortunately, when people use their work-related email and password—their user account at work—they inadvertently identify where they work, information about the organisation, and what services that might apply to. Even if those passwords are encrypted or hashed (in tech language, it means they are protected) in third-party services, once a hacker cracks the passwords (defeats the password protection), he potentially gets access to everything, including the user’s work servers that share the same password.
Login credentials are valuable—they’re a sort of currency that can be traded in the underworld economy. Some hackers actually trade login credentials for money or sell access rights to certain companies or types of business systems. Servers and workstations might trade access for some other service. On the dark web, access to a corporate system or to certain servers in a big company can go for fifty-five US dollars.
Companies have tried to create more effective ways to authenticate people—to identify them and make sure they are who they’ve claimed to be when they log in to a system. A company might link the password to another factor, like an SMS message sent to the user’s phone with a PIN to enter at login. Banks use physical number tokens that generate PINS for you based on time and secret keys. A web bank might issue hardware tokens, or PIN tokens, for its users. A commercial business might be using a Virtual Private Network (VPN) for its users, and VPN software for every user who is working for them. Then they could use a password, username, and digital certificate to authenticate the connection and its users.
Layering on additional factors of authentication is usually quite effective; it increases the difficulty of breaching that system. Having said that, there are some instances that the additional complexity of authentication didn’t actually improve security much. Most people are aware of SMS authentication, or the One Time Password (OTP) solution, for instance. With OTP, whenever a user logs into their web bank, they’re required to answer with a PIN number that’s sent to their cell phone in addition to their username and password. A hacker using another phone to try to access the account, even if he knows the username and password, can’t log in without first getting an SMS, reading the number, and using that to log in.
Additional authentication steps like SMS tokens add complexity to the authentication process, and remember, complexity is the worst enemy of security. Even multifactor authentication like SMS tokens aren’t foolproof. Anybody working in the company that provides the cell phone connection could intercept the user’s SMS. Or, if manual processes aren’t strict, a hacker could portray himself as someone else, then manage to open up a clone SIM that receives the same SMS messages. Ironically, that supposedly super secure multifactor authentication scheme that combines SMS token with a good password could be compromised by the same feature that’s meant to protect the user. How many little shops are working for your mobile service provider and are able to issue cloned SIM cards or change the ownership of the mobile connection? Try enforcing an access control policy on them!
Complexity rarely makes security better. That’s not to say that adding a second factor of authentication is a bad thing. It’s good, but there are limitations. There are a lot of different ways to authenticate people. The lesson here is that the more secure the system needs to be—like a bank, for example—the more security is needed in authentication.
Anyone who has a lot of passwords and usernames—say, more than ten—should get a password management tool. They are usually referred to as “password wallets.” There are several available that can run on a laptop and sync with a mobile phone. For a few dollars a year, all of a person’s passwords can be securely stored in one wallet, so they just have to remember one master password for the wallet. Then it helps them log in and authenticate to different solutions, and stores them securely. Having a password wallet makes life easier for users.
At the same time, we have to remind users that wallets also pose a risk, especially online wallets. Passwords are stored in an encrypted file, and in some solutions, that file is sent to a central repository on the internet. If that application or an individual’s computer is hacked, all of those passwords may be compromised in one place. Still, online wallets are an effective solution for people who have a lot of passwords and companies that have a lot of users, even though it has a single point of failure. Anyone choosing an online wallet should choose one that’s been thoroughly tested—by more than one person or one company. It needs to be more than just a convenient solution. It needs to be a secure one.
We couldn’t begin to cover all of the options for access control today. There’s a multitude of authentication and access control technologies, services, and solutions that go under this topic, and all of them would solve bits and pieces of the whole problem. No single solution will cover all of the access control needs of the organisation. This is because no single service can be compatible and integrate with all the various services out there. The cybersecurity manager’s job is to gain understanding of which access control technologies are a good fit for his business and to help IT to design a scheme that is flexible, has good coverage, and is able to secure the business well enough.
Avoiding Security Theatre
For staff to use passwords effectively, they will need to understand what matters in password management. There’s a lot of conflicting information out there. Many government and corporate guidelines, for instance, say that a password has to be eight characters long. It has to contain a mix of letters, numbers, uppercase and lower case, and a special character, and it has to be changed every thirty to ninety days. However, research and practical experience has shown that there’s one property above others that makes passwords strong: the length. Some argue that the complexity of the character set is also significant, but it’s not as effective as sheer length. A long password is a strong password. Researching this subject will reveal a lot of academic papers and calculations pointing to different directions. But hackers think different, they are only interested in defeating the password protection in any means necessary. From attackers’ perspective, only that outcome matters. Not the computational difficulty!
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
What’s So Special about Those Special Characters?
Why did we start using special characters in passwords in the first place?
The argument for comes from mathematics. In theory, adding special characters increases the workload needed to defeat password protections (encryption, hashing, and so on).
The thing is, we don’t care about the math debates about password complexity. We care about the outcomes, if it’s possible to be a happy password user while making it impossible to crack the password.
Instead of making passwords hard to remember and enter, just make them long but easy to type and remember. “Oh dear a black swan crossed the road” is actually a very good password. Password length is the single most effective way to make the passwords secure. Remember, hackers have no way of knowing if you used special characters, uppercase letters, numbers and so on in your password. They have to assume that all types of characters were used when they try to crack yours. Besides, a password over twenty characters long is virtually undefeatable by any practical means.
Even poor password policies can seem fine on the surface. That’s a problem because people will think their login is secure when it’s not. If people think they are safe, they will drop their defences. They figure, “We already did this two-factor thing. Nothing else can hit us.” Part of access control is spreading the best practices of security and managing the sense of security. Or maybe they think that their Windows AD policy requiring ten-character passwords with all the complexity is good enough. Guess what, it isn’t! If a hacker could crack it, it’s no good, and that’s the only metric that matters.
Is It Cracked Already?
Try this easy trick yourself. Go to www.sha1-online.com and type in any password. You’ll see a long string of characters as a response. Copy and paste that string to Google. Did you get any search results? If you did, that password has been already cracked somewhere out there! Here’s an example. Try this password: [email protected]—you’ll get this response: 21bd12dc183f740ee76f27b78eb39c8ad972a757. After googling it, you’ll see that there are many results. This password would meet most of the password complexity requirements but is very unsecure.
SHA-1 is an outdated algorithm, and using it to secure passwords is a really bad idea. Yet, a few years back, LinkedIn.com used this method for their password security. And when the service got breached, all the passwords were easy prey for hackers.
The bottom line is that you can’t know if your internet services are using good password protection mechanisms or not. But you can use a good password that can’t be cracked even if someone is dumb enough to store it with something silly like SHA-1.
What’s the security theatre then? Ineffective password policy is like airport security, when air travellers have to take certain items out of their bags in airport security, like the liquids. It’s not because they need to be scanned separately but because security wants people to participate in the security process. When you participate, you feel like it’s effective. This is called “security theatre.” It’s the same with two-factor authentication, bad password policies, and so on. Users who have to type something extra feel like they’re actually part of the security process. Unfortunately, two-factor authentication won’t prevent someone from listening in on mobile phone calls or tracking where people internet surf. People just think it’s safe because they’re participating in the security protocol, while in reality, the threat still exists, and the security can be defeated.
Companies should make efforts to train their people and to enforce proper security policies and procedures as much as possible. Enforcement usually means setting technical limitations and requirements for passwords, but not the ineffective eight-character codes we talked about earlier, with or without special characters. As we saw earlier, it’s the length of the password that makes the biggest difference. Now go back to sha1-online.com and try something like “my password is very secure,” and Google it. No findings, right?
If users are, for example, advised to make at least twenty-character-long passwords, using a poem and some sort of string to add to that poem, like a system name or something only they can guess, passwords will become so impenetrable there is no way to crack them, even if they leak.
When the company sets a password policy, it affects users’ behaviour not only in the office, but in their personal lives as well. If the company says, “Eight is enough,” people will use eight in their personal lives. If the company mandates twenty characters, maybe their personal passwords will also become longer. That’s important because security exposure also comes from the employees’ and management’s personal lives. Make “twenty-plus” their mantra.
Long passwords sound like a pain, but they are actually easier to remember; the user can type something that makes sense to them. It doesn’t have to be random. It could be as simple as what you usually buy from grocery stores: “my favourite milk is from Australian cows”
One tip: if a user keeps the same recipe for their shopping, they can just add the system name. If it gets breached, no one can use it because it won’t match with any other system, but it will still be easy to remember. Example: “google.com is my favourite milk.”
Cracking the Passwords
There are several approaches to cracking a password, including dictionary attacks, rainbow tables, and brute force methods.
A dictionary attack uses all the words in all the languages in the world, as well as millions of leaked passwords from data breaches. When a hacker has obtained an encrypted form of a user’s password, all he has to do is to take that long dictionary and hash the words in the dictionary. (Remember that sha1-online example earlier? Same idea but just faster!) If he finds a match, he knows that this was the clear text, human readable, password of the user. A variation of this technique is when the computer sifts through all of the dictionary words and tries the words with tiny changes, like an exclamation point or a hashtag or something linked to the words. A normal computer can make millions of guesses per second, and cloud services can do it in parallel many times faster.
The next method is brute force. Here, the hacker uses as much computing power as they have, then they start blindly searching all possible existing passwords, perhaps like A, AA, AAA, AAAA, and so on, and with different lengths of the search, doing millions of guesses per second. The idea is to try until the produced hash value is the same that hackers stole from the victim. Then they would know that it’s the same password!
The brute force method takes a lot more computing power and time, of course, because it requires going through all the different possible versions of passwords. That’s where the name comes from—it requires a lot of brute force! Hackers do this when the easy way doesn’t work. They use stolen credit cards to buy Amazon accounts, then use cloud computing servers to crunch the numbers and try to crunch as many passwords as possible.
The longer the password, the harder it becomes to crack it by brute force. A password of “ilikegoingtothebeachonsaturdays”, works because going through all the passwords that long will take literally forever using a brute force method. But if you use short ones, with eight characters or alike, no matter how complex they are, given enough time, they will be cracked. And sometimes brute-forcing is just work that can be skipped entirely. Enter rainbow tables!
Another type of password-cracking method puts the dictionary attack on steroids—it’s called the rainbow table. A rainbow table is a pre-computed version of all possible passwords that can exist up to a certain length. A rainbow table would start with short and simple passwords like A, B, AA, AB, and so on, and contain the corresponding hash values of these passwords. These tables are huge, usually terabytes in size. They are powerful because a hacker can do one lookup to his table, find the corresponding password hash value, and see directly the corresponding human-readable password. This method compromises passwords quickly—in a fraction of a second. And the table only has to be created once, though it takes terabytes to store. Typically, a rainbow table would contain all passwords up to a certain length, something in the order of eight to ten characters long. And because everything is nowadays cheap in the cloud, a hacker could just go and search all existing rainbow tables online, as a service, without bothering to store or create the tables himself! This is the final nail in the coffin of short passwords, no matter how complex they may be.
We read about hundreds of major breaches in the news every year. In 2012, for example, around 170 million LinkedIn user accounts were breached. The accounts of 170-plus million people were available to hackers. The majority of these passwords were easily cracked in no time by using rainbow tables and brute force techniques. Soon, lists of cracked LinkedIn passwords started circulating around the dark web. Many of these users were not aware they were compromised and did not change their password, or chose to keep the old one, perhaps not on LinkedIn but in other internet services they used. Now hackers had access to a multitude of these accounts and passwords at LinkedIn and many other internet services where users were using the same credentials.
On the surface, it seems that this is solely a personal problem for LinkedIn users, but in reality, it came back to bite a lot of businesses too. Those compromised accounts were used to collect personal user information, create fake messages to lure people to click phishing links, and other kinds of fraud. Success rates of these kinds of attacks was fairly high, as hackers were basically exploiting trust that people place on each other’s social media profiles. When messages are coming in from user’s real LinkedIn or other social media profiles, and he sends you a link, will you be included to click it? Of course!
Even worse, although LinkedIn is a huge company, it used a lousy password-encryption technology back then, just a plain and simple SHA-1; the passwords were not protected against rainbow tables, brute force, or dictionary attacks, although this should have been a very basic thing to do for any security-aware software developer.
Then, since people were using their business credentials to log in to other systems, hackers were able to use them to log in to many of those business systems as well. That massive external LinkedIn breach led to a multitude of other breaches. It was, and still is, like one big avalanche that never ends, moving from one service and victim to another.
At the time, this breach was titled the worst breach of the decade, or even throughout history, because the exposure was so huge, and the quality of stolen data was high. LinkedIn is not an isolated case either. A normal week in cyber intelligence services starts when we see another few hundred million accounts exposed in one internet service or another. This unfortunate trend isn’t going to get any better anytime soon.
Consequences of Oversights
Let’s look closely at access control security issues in a company we worked with. This company had thousands of people set up on a Windows network. We worked with the twenty-member IT staff, each of whom had access to some of the servers in the network. That level of access was appropriate; many of these people needed administrator or root-level access almost daily in their work. Few of them had the highest-level privileges and access rights to every system in the company, and that was justifiable because it was their job. Naturally there were times when more than one person needed to access the systems, so they had to share some administrative passwords between the team members.
With twenty people and 200 servers, there were a lot of usernames and passwords to remember. The complicating factor was that all the accounts in question were prime administrative accounts for all of the systems in the company. They had a username for each system, then different passwords for different users, and so on. Suddenly, they had the same problem we talked about with individual user account; they needed a solution that would allow them to share the passwords and store them somewhere. We’ve already mentioned a password wallet solution earlier, but this wasn’t their answer, unfortunately.
The company’s solution? They set up a Windows shared folder in the network, which is a folder that users in the same network can open on their computers. The shared folder was accessible to the IT team members, and they could all edit the same files in it. So IT put all of their passwords for those 200 systems and twenty IT professionals in one Excel file in that shared folder—one file containing all of the passwords in the network.
The new system was convenient from a usability perspective, but the company overlooked the risk and impact this set-up caused. One beautiful day, someone in IT forgot that he made that folder, and all files inside shared to all users inside the same Windows domain. They could have limited access to that shared folder, where only those twenty people could open the file and use it. They could have also encrypted the file so that only people with special decryption software—like a password wallet on their computer—could have opened it. Even if a hacker gained access to it, they couldn’t have decrypted the file.
Instead, anybody in the company could log in to that folder, open it, open the file, and look up the main user account, password, and username for any system in the company.
So what happened? Hackers penetrated the network—they used the LinkedIn breach to log in to one account belonging to a C-level executive. From that account, they fabricated a phishing message and sent it over to few select individuals in the company. These people were naturally inclined to click the link and got their computers infected by remote-access software. Now the hackers had access to the network. The first thing they did was crack the local passwords of these users. Next, they proceeded to look around inside the network, looking for anything interesting or of value. After these initial steps, they used something called Windows PowerShell to automatically look for network folders and systems within the network. Kind of like mapping the terrain where they found themselves. Of course, they found the shared folder, named conveniently “IT passwords,” and the Excel file where all of the passwords were located. This led to the compromise of all 200 servers. Now all they needed to do was to log in to all those servers and install covert remote access programmes called rootkits on each of them. Now that they had even better access to the servers than the administrators, they simply exfiltrated all interesting data from the company systems.
The company learned about this incident the hard way—someone contacted them for ransom, asking for money, or otherwise, the hackers would leak all of the information they had stolen.
Otherwise, professional people failed to control this problem. It was a huge disaster at the time, and it took a lot of work to clean it up. A rootkit is so stealthy that you cannot know if it’s still there. They had to spend a lot of time and money to fix the issue, blocking communications in and out, reinstalling a lot of their servers, changing passwords, and so on.