Protect Yourself Against VPN-Based Attacks: Five Do's and Don'ts


White Paper. Don't let stolen VPN credentials jeopardize your security. March 2015. A TechTarget White Paper.

Most IT professionals take for granted their virtual private network (VPN) infrastructure. Yet VPNs have played a major role in some of the most damaging data breaches on record. VPNs are generally mature and reliable when it comes to encrypting communications between mobile and remote offices and the data center. But authentication can be an Achilles heel. Cybercriminals or hackers who manage to acquire legitimate user credentials end up with a huge prize: trusted access to corporate resources.

In most enterprises, gaining access to the corporate network through a VPN is equivalent to getting the keys to the kingdom. An attacker who comes in through a VPN often finds few barriers. He or she can move laterally through the network, create higher-level credentials, find critical systems, and exfiltrate confidential data and intellectual property for profit or ideological goals. Unfortunately, most VPN products in use today are built on old standards that do not support strong authentication.

VPNs and Major Data Breaches

The 2013 data breach at Target started when cybercriminals stole the VPN login credentials of a heating and air conditioning firm providing services to the retailer. The breach resulted in the loss of 40 million credit card numbers.

In 2014 the United States Postal Service (USPS) was forced to shut down its entire VPN network in connection with a breach that exposed the personal data of 800,000 postal workers and 2.9 million customers.

The 2014 data breach at Home Depot resulted in the loss of 56 million credit cards and 53 million email addresses. It started when an attacker gained a foothold in the company's network by obtaining the user name and password of a third-party vendor.

Assert Your Identity 2

Table of Contents

Don't rely on passwords alone ... 4
Don't make authentication difficult for users ... 4
Do explore alternative two-factor authentication techniques ... 4
Do implement adaptive authentication where appropriate ... 5
Do consider a single solution for VPN, cloud and mobile authentication ... 5
SecureAuth IdP: Secure, flexible, adaptive two-factor authentication plus single sign-on ... 5

Here we offer you five do's and don'ts that will dramatically improve your ability to protect yourself against VPN-based attacks.

1. Don't rely on passwords alone

Passwords and static PINs are insecure. Employees write them on sticky notes, store them on devices that can be lost or stolen, and choose values that are easy to guess, like "password", "admin", and "1234". Contractors and service providers can be shockingly casual about protecting client credentials. According to one information security expert: "I've been in hundreds of software support centers. It was an accident, but I saw your logins. They're written on sticky notes stuck to the side of monitors. They're stored in clear text in Word documents circulated around the support center. They're clearly visible in the vendor's CRM system." [1]

To make matters worse, cybercriminals and hackers are working aggressively to capture VPN credentials. One criminal group operating out of Russia and Bulgaria created a phishing and social engineering attack specifically to capture VPN logon credentials of employees of German and Swiss banks. [2]

2. Don't make authentication difficult for users

Of course, going beyond passwords can make authentication more difficult for users and more expensive for the enterprise. Many IT professionals have had experience with hard tokens and smartcards that confuse beginners and are easy to leave at home or misplace. These shortcomings can frustrate users, increase support costs, and result in lost time and productivity. However, there are now additional forms of advanced authentication that are much more secure and reliable than passwords, but do not impose burdens on users.

3. Do explore alternative two-factor authentication techniques

Two-factor authentication (2FA) has been described as combining something you know with something you have. In the past that meant that users typically needed a password plus a smartcard or a key fob token that could generate a one-time password. However, many alternatives are available today that can supply the second factor for authentication with little extra effort or inconvenience, and with minimal administrative overhead. For example, one-time passwords (OTPs) can be sent to mobile phones through apps, SMS messages, automated voice phone calls, and push notifications. They can be sent to laptops, tablets and smartphones in email messages. Users obtain OTPs quickly and easily, and there is no small authentication device that is prone to being lost. Ease of use and productivity can also be maintained by allowing users to register and make changes from a self-service web portal.

When appropriate, users can be allowed to use a sign-in for a social network application (such as Facebook, Google or LinkedIn) as a second authentication factor. Another innovative approach is to record a "fingerprint" of a device (a collection of characteristics such as the type of chip, the operating system, the level of the browser, and the language and time zone settings), and use the device itself as the second factor.

In short, you can probably find a two-factor authentication method that provides high levels of security, while keeping life simple for your users and minimizing the administrative burden on your IT staff.

4. Do implement adaptive authentication where appropriate

Adaptive authentication represents a leap forward in the ability to match authentication challenges with risk factors. The basic principle is to evaluate a series of risk factors related to an access request, then assign an authentication method or methods that appropriately reflect the potential risk.

For example, an authentication solution at the data center might assess the request for a VPN connection coming from a mobile user. It might check to see if the source IP address is on a blacklist of IP addresses associated with hackers and botnets. It might see if the device (identified by its "fingerprint") is known to be associated with the person purportedly making the request, and if the request is consistent with the identity and group memberships of that person. It might consider whether the request is coming from a geographical location associated with the user, and check to make sure that the location is not improbably distant from the location of the user's last login, given the time between logins.

Based on the assessed risk, the user could be asked to authenticate with merely a password, or with a set of personal questions, or with a second authentication factor. If the circumstances are suspicious, the user could be restricted to a limited set of resources, or simply denied access to the corporate network.

[1] Blog post by Jeff Swearinggen: VPNs at the root of Home Depot data breach.
[2] Trend Micro Research Report: Finding Holes: Operation Emmental.
On the other end of the spectrum, users assessed as low risk and physically present in an office facility could be authenticated transparently, without requiring even a password. [3]

5. Do consider a single sign-on solution for VPN, cloud and mobile authentication

There are many advantages to having a single sign-on (SSO) solution that also provides strong authentication to VPNs, cloud-based applications and mobile connections. From the user's point of view, a unified SSO solution maximizes simplicity and minimizes the number of passwords and authentication procedures that need to be learned. It meets user expectations for strong security and a clean, easy-to-use interface.

For the IT operations and security groups, a unified SSO solution ensures that a single, consistent set of policies and procedures is followed for all authentication requests. It reduces implementation, training and support costs. It improves security by controlling the proliferation of passwords. It also eases compliance burdens.

SecureAuth IdP: Secure, flexible, adaptive two-factor authentication plus single sign-on

An ideal solution to protect against attackers attempting to exploit VPN connections, SecureAuth IdP prevents cybercriminals and hackers, even those who have obtained valid user passwords, from using VPNs to burrow into corporate networks. SecureAuth IdP supports over 20 two-factor authentication methods, including SMS, telephony and e-mail OTPs, push notification, OATH tokens, social network IDs, device fingerprints, and of course traditional smartcards and tokens.

With SecureAuth IdP, users can enroll their own devices, reset passwords, update their profiles and register authentication methods. These self-management features increase user satisfaction and reduce help desk costs.

SecureAuth IdP also offers some of the industry's most advanced adaptive authentication capabilities. It performs dynamic risk analysis using multiple factors, including source IP addresses, device fingerprints, user identities and group memberships, and geographical locations. Integration with the industry-leading Norse DarkMatter platform ensures that IP addresses can be checked against a continuously updated list of malicious and compromised websites and other live threat intelligence.

SecureAuth IdP's single sign-on also streamlines access to all applications with one set of credentials, regardless of whether the user is using a VPN, LAN, mobile, cloud or web connection.

In short, SecureAuth IdP offers a secure, flexible solution that can eliminate dependence on insecure passwords, simplify the logon experience for users, match appropriate authentication challenges with risk factors, and provide single sign-on across all major connection and application types. To learn more, visit www.secureauth.com/adaptive.

[3] For a case study of an organization that has implemented adaptive authentication, see: Houston Methodist Continues Leading Medicine with SecureAuth.
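The following example is added here to make sections 3 and 4 concrete; it is not part of the TechTarget/SecureAuth paper and does not represent the SecureAuth IdP product. It shows a VPN gateway's decision logic: the risk signals named in section 4 (a blocklisted source address, an unregistered device fingerprint, and an improbable distance from the previous login given the time elapsed) are evaluated first, the result selects the challenge (password only, password plus OTP, or deny), and the second factor is an OATH time-based one-time password verified as described in RFC 4226 and RFC 6238, the kind of OTP a key fob or phone app generates. The blocklist entry, the fingerprints, the coordinates, the 900 km/h travel ceiling and the user record are constructed for the example; the OTP test secret is the one published in RFC 4226.

```python
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample threat feed: one blocklisted source address (TEST-NET-3, RFC 5737).
IP_BLOCKLIST = {"203.0.113.45"}
# Assumed ceiling for legitimate travel between two logins (airliner speed, km/h).
MAX_TRAVEL_KMH = 900.0


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    device_fingerprint: str  # hash of chip type, OS, browser level, language, time zone, ...
    lat: float
    lon: float
    timestamp: float         # Unix seconds


@dataclass
class UserRecord:
    known_devices: Set[str]  # fingerprints the user has registered
    last_lat: float
    last_lon: float
    last_login: float        # Unix seconds of the previous successful login
    otp_secret: bytes        # shared secret of the user's OATH TOTP token


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess_risk(attempt: LoginAttempt, record: UserRecord) -> List[str]:
    """Evaluate the access request and return the risk signals it raises."""
    reasons = []
    if attempt.source_ip in IP_BLOCKLIST:
        reasons.append("ip_blocklisted")
    if attempt.device_fingerprint not in record.known_devices:
        reasons.append("unknown_device")
    # Improbable travel: distance from the last login divided by the time elapsed
    # since it must stay within what a person could physically cover.
    hours = max((attempt.timestamp - record.last_login) / 3600.0, 1.0 / 60.0)
    km = haversine_km(record.last_lat, record.last_lon, attempt.lat, attempt.lon)
    if km / hours > MAX_TRAVEL_KMH:
        reasons.append("improbable_travel")
    return reasons


def required_assurance(reasons: List[str]) -> str:
    """Map the risk signals to an authentication challenge."""
    if "ip_blocklisted" in reasons or len(reasons) >= 2:
        return "deny"
    if reasons:
        return "password+otp"
    return "password"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = int(at_time // step)
    accepted = False
    for c in range(counter - window, counter + window + 1):
        # Constant-time comparison; every step is checked so timing does not leak which matched.
        accepted |= hmac.compare_digest(hotp(secret, c), code)
    return accepted


def authenticate(attempt: LoginAttempt, record: UserRecord,
                 password_ok: bool, otp_code: Optional[str]) -> str:
    """Gateway decision: 'allow', 'deny', or 'otp_required' (a step-up challenge)."""
    level = required_assurance(assess_risk(attempt, record))
    if level == "deny" or not password_ok:
        return "deny"
    if level == "password+otp":
        if otp_code is None:
            return "otp_required"
        if not verify_totp(record.otp_secret, otp_code, attempt.timestamp):
            return "deny"
    return "allow"
```

The risk assessment runs before the password is checked, so a request from a blocklisted address is refused without ever confirming whether the password was right. A production deployment would replace the constructed blocklist with a live threat-intelligence feed, store registered fingerprints and OTP secrets server-side, and rate-limit OTP attempts so the six-digit code cannot be guessed within its validity window.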

8965 Research Drive, Irvine, CA 92618 | p: 1-949-777-6959 | f: 1-949-743-5833 | secureauth.com | TechTarget 2015