
NetworkJutsu

Networking & Security Services | San Francisco Bay Area


About Andrew Roderos

I am a network security engineer with a passion for networking and security.

Router versus Firewall: What are the differences?

06/22/2020 By Andrew Roderos


There seems to be some confusion about the differences between a router and a firewall. One contributing factor is that device manufacturers tend to combine the two functionalities into one device. Traditionally, these devices were specialized hardware, each doing one specific job well.

Both of these devices have advantages and disadvantages over the other, unique features, and different purposes. In this article, we will define what they are, identify their primary use in your network, and explain why you may need both.

What is a router?

A router is a device that quickly forwards data from one network to another. For example, for your devices to communicate with the Internet, you need a networking device to transmit the traffic from your home to the Internet Service Provider (ISP). Typically, this device is a router that you either purchased yourself or that your ISP provided.

The type of router found in most homes and some small businesses is called a wireless router. The wireless router combines the functionalities of multiple devices: a wireless access point, a switch, and a router.

Furthermore, a lot of routers on the market provide some level of network security by including features such as Network Address Port Translation (NAPT), Stateful Packet Inspection (SPI), etc.

What does a router do?

The principal function of a router is to route network traffic between networks. The job of a router is similar to the role of the United States Postal Service (USPS). The router tries its best to forward the data between the sender and the receiver in different networks.

Since the majority of routers in a lot of small businesses are wireless routers, they also allow the connection of wired and wireless devices such as computers, printers, mobile devices, etc.

What is a firewall?

A network-based firewall is a device that provides security by monitoring incoming and outgoing traffic and deciding whether to allow or deny specific traffic based on a set of rules.

For many years, the firewall has been an integral part of any successful security program. It serves as the first line of defense in network security.

Today’s modern operating systems, such as Windows and macOS, include a software firewall that provides added network protection. A software host-based firewall functions similarly to a traditional network-based firewall.

Nowadays, firewall manufacturers add extra features such as anti-malware, an Intrusion Prevention System (IPS), application awareness, URL filtering, etc.; a firewall with these features is referred to as a next-generation firewall (NGFW). An NGFW offers far better security than a router or a traditional firewall.

What does a firewall do?

The principal function of a firewall is to provide network protection by blocking unwanted traffic. The job of a firewall is similar to the role of the Transportation Security Administration (TSA): the firewall inspects network traffic to make sure everything looks good before it is allowed to pass through.

Some firewalls designed for small businesses or branch offices also combine functionalities of wireless routers, allowing both wired and wireless network connectivity.

Which one should you buy?

Unfortunately, the answer to this question is that it depends. Determining the right device for your business requires an understanding of its goals and requirements.

For a small coffee shop, a wireless router from your favorite retailer may be sufficient. Some small and medium-sized businesses (SMBs) may opt to purchase an NGFW for better security.

In some scenarios, you might need to purchase both a router and a firewall. For example, suppose a branch office has the following requirements: WAN connectivity options (both wired and wireless), VoIP, switching, NGFW, and computing. Then buying a router that covers the majority of these requirements plus a separate NGFW could be a suitable solution.

There are some instances where you don’t want to restrict network traffic by default. For example, in the higher education space, researchers may expect an unrestricted, fast network to transfer data between each other.

Summary

Both devices can provide a level of network security. However, an NGFW gives a higher level of protection compared to a router with some firewalling features.

Choosing between a router and a firewall will vary from one company to another. The key to determining the proper device is by gathering the requirements, goals, and business and technical constraints.

If security is paramount to your company, then purchasing a next-generation firewall with a subscription to the advanced features is the right way to go.

Still unsure on what to get?

Let us answer your questions by contacting us. We’ll help you with hardware selection, design, configuration, and implementation.


NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.


Choosing a remote access solution

04/01/2020 By Andrew Roderos


Due to the COVID-19 pandemic, governments around the world are ordering their citizens to stay at home. This order forced a lot of businesses to move their operations to remote work, where possible. Some businesses had to make a quick decision about their remote access strategy. However, choosing the right remote access solution requires a thorough understanding of goals, requirements, etc.

Companies that have excellent business continuity and disaster recovery (BC/DR or BCDR) plans fared better than most. Others scrambled to come up with ways to serve their customers remotely while giving workers the ability to work from home, which is also known as telecommuting.

Today, we’re going to discuss some options to enable your workforce to work remotely and securely from just about anywhere.

Different types of remote access technologies

The technology to enable employees to work remotely has been around since the 90s. There are several strategies that companies employ to accomplish it. For example, numerous business applications are accessible via the Internet, such as e-mail, file sharing, accounting systems, etc. However, some applications require secure and reliable remote access solutions.

With so many remote access technologies out there, which one is the best for your business? Some of the solutions are easy to implement, but just because you can, doesn’t mean that you should without understanding some of the implications.

Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP)

The fundamental goal of both of these technologies is the same. They both allow users to access a desktop or set of computers from a remote location. However, there are drawbacks to these solutions.

Scalability. They are not scalable. Since this is peer-to-peer remote access, administrators will need to enable the feature or install the software on each computer. Additionally, users cannot share the same computer: concurrent connections are not allowed.

Security. They are not secure. By default, VNC does not encrypt all of its traffic. RDP, however, supports encryption by default, but many vulnerabilities have been discovered in it, such as CVE-2019-0708, CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226. Exposing it online may have adverse effects if vulnerabilities (discovered or undiscovered) exist.

Additionally, by default, both use single-factor authentication (SFA), which is vulnerable to credential stuffing. To address this type of vulnerability, it is highly recommended to implement some form of multi-factor authentication (MFA).


Compatibility. VNC applications are available for a variety of operating systems, and some operating systems have one built in. The RDP service itself is only available on Windows, but the client is available on iOS, macOS, Linux, etc.

Cost. Both VNC and RDP come as free solutions. VNC, however, can also be purchased with additional features.

Remote Desktop Services (RDS)

Microsoft’s RDS is the latest evolution of Terminal Services as a remote access solution. The main difference between RDP and RDS is that resources can be shared, meaning that users can access the same full desktop or applications concurrently.

Scalability. It is scalable. As the number of users grows, administrators can scale horizontally or vertically to accommodate the growth. Cloud computing is also an option that can provide better elasticity.

Security. As with RDP, the traffic is encrypted. Since RDS uses RDP, it is not immune to RDP’s security vulnerabilities. However, a secure implementation mitigates these RDP vulnerabilities by keeping the RDP hosts off the Internet, so they are not Internet-facing.

Administrators can configure RDS to deny file transfers between the client’s device and the virtual desktop, which helps prevent data leakage. As with RDP, it is capable of integrating MFA solutions, which is highly recommended.

Compatibility. Compatibility is the same as described in the RDP section. The feature itself is only available on Windows, but the client software is available on Linux, macOS, and mobile devices.

Cost. The cost will depend on the implementation. It will require Windows Server licenses and appropriately sized servers. Companies can opt to shift from CapEx (capital expenditures) to OpEx (operating expenses) by leveraging cloud computing.

Virtual Private Network (VPN)

This old but reliable technology has been the most popular remote access solution for many companies. It allows devices to connect securely to the company’s network from anywhere with an Internet connection.

Scalability. It is scalable. Unlike RDP or VNC, the only devices that administrators need to buy or configure are the VPN appliance(s). Depending on the hardware, licenses, etc., the device(s) can support from one to thousands of users concurrently.

Security. A lot of VPN implementations encrypt their traffic, so it is safe from eavesdropping. A VPN is also capable of integrating MFA for securing accounts, and implementing MFA is highly recommended.

Compatibility. A lot of the modern operating systems out there incorporate the VPN client. If the feature is not already built-in, there are clients that administrators or users can install on macOS, Windows, Linux computers, or mobile devices.

Cost. The cost will depend on the existing hardware and licenses. It can range from free to thousands of dollars but might be the most cost-effective solution depending on the size of your organization or desired result.

Virtual Desktop Infrastructure (VDI)

VDI provides remote access to a virtual desktop environment hosted on a remote server. Unlike RDS, each user has their own separate virtual desktop instance. Each virtual desktop instance has its own dedicated OS, RAM, disk, etc. that is running on the same server.

Scalability. Same as RDS, it is scalable. Companies can scale their infrastructure horizontally and vertically. Alternatively, companies can leverage cloud solutions for their VDI deployment.

Security. The traffic between the client and the virtual desktop is encrypted. As with RDS, administrators can configure the VDI to deny file transfers between the client’s device and the virtual desktop. It is highly recommended to implement MFA as well.

Compatibility. The VDI clients are available on Windows, Linux, macOS, and mobile devices. The majority of companies use Windows as virtual desktops. However, Linux is an option as well.

Cost. The cost will depend on a lot of things. Generally, this solution is costly because it requires a VDI software license and desktop OS licenses in addition to the necessary hardware requirements for the server or cloud compute instance(s).

Final Thoughts

There are many remote access solutions out there, such as TeamViewer and LogMeIn, to name a few. If only a small number of computers need remote access, then these software solutions may be the right ones for you.

However, these remote access solutions may cost more per user than implementing a VPN tunnel. While RDP and VNC can be attractive options from a cost perspective, they are not recommended without another layer to protect them.

Usually, the most cost-effective and secure solution is to buy a VPN appliance. Most companies already have a VPN-capable device, so only minimal configuration is needed and possibly license acquisition.

Choosing the right remote access solution will vary from one company to another. The key to determining the proper remote access technology is by gathering the requirements, goals, and business and technical constraints.

If you are considering a remote access solution, make sure to discuss it with a qualified and experienced resource to determine a good fit for your company. The right individual or company will guide and assist you through the entire process of picking and deploying what’s right for you.

Need a remote access solution?

Let us answer more questions by contacting us. We’re here to listen and provide the right remote access solution for you.



5 Network Security Principles for the Enterprise

05/03/2019 By Andrew Roderos


Security incidents are a fact of life in this day and age. U.S. CEOs recognize this fact, and they consider cybersecurity their number one overall external concern [1]. It is no longer a matter of whether or not a cybersecurity incident will happen to their organization but a matter of when. The faster an organization accepts the inevitability of a cyberattack, the better prepared it is to prevent, detect, and remediate the effects of an attack.


Introduction

Network security hardware and software solutions are the first layers of protection between your organization and the outside world. They are an essential part of any defense and countermeasure strategy that organizations must have.

Everyone knows that firewalls and anti-malware solutions are vital parts of network security. However, network security is much more than installing and configuring firewalls and anti-malware software. A highly effective network security architecture requires a well-thought-out design based on the risk analysis and security posture you want to achieve.

Network Security Principles

Security is crucial in every organization. If proper security principles are not followed, the result is a lot of risk and unwanted publicity. When designing a network security architecture, designers should follow the five network security principles discussed below. Following these security principles in small and medium-sized business (SMB) and enterprise environments will help improve your security posture.

1. Zero Trust

Zero Trust is a security model introduced by John Kindervag in 2010 that moves away from the old mentality of perimeter security. Fundamentally, organizations should not automatically trust anything inside their perimeter and instead must always verify everything trying to connect to their systems before granting access.

A lot of organizations use the perimeter security concept. With the perimeter security concept, the organization is heavily invested in protecting the network from outside attacks but trusts everyone inside the network. With this approach, when attackers compromise a machine inside the organization’s network, they can move laterally without much difficulty.

A recent example of perimeter security’s weakness is the Arizona Beverage Company’s ransomware attack [2]. That ransomware attack has some similarities with WannaCry, briefly mentioned in our “How to improve your cybersecurity” post earlier this year. Both cyberattacks highlighted the organizations’ security weaknesses.

2. Segmentation

Network segmentation has been around for many decades, and a lot of organizations employ this network defense strategy. While many organizations use this strategy, it’s often not as restrictive as most security professionals would like it to be.

Additionally, there are some misconceptions that if you implement different virtual LANs (VLANs) and subnets, you’ve achieved network segmentation. While there’s some level of segmentation, it is still considered a flat network. Flat in the sense that hosts are still able to communicate with each other freely. Real network segmentation requires additional steps that ensure the traffic flows are restricted as much as possible.

With the Internet of Things (IoT) explosion, organizations that lack effective network segmentation will suffer cyberattacks such as those that hit the Arizona Beverage Company and an unnamed casino [3].

While network segmentation reduces the attack surface, it doesn’t always reduce it enough. Fortunately, technology companies introduced an emerging technology called micro-segmentation that enhances the existing network segmentation techniques. Micro-segmentation allows for a more granular approach in preventing lateral movement between hosts.

3. Defense in Depth


The concept of defense in depth originated in the military, going back to Roman times. It is intended to slow attackers down rather than stop them with a single strong layer of defense. It also relies on the tendency of an attack to lose momentum over time.

In computing, defense in depth refers to having multiple layers of protection in physical, technical, and administrative controls of your network. It is designed in a way that defenses are not dependent on any single layer of protection. Since the strategy originated from the military, it similarly seeks to delay an attacker to allow time for detection and response.

A lot of people mistakenly believe that layered security (or layered defense) is the same as defense in depth. While the two concepts overlap a great deal, they are different. To put this in perspective, let’s revisit the Arizona Beverage Company’s security incident. From a layered security perspective, the minimum reasonable technical controls would be firewalls, endpoint security software, and operating systems with security patches. From a defense in depth perspective, the strategy encompasses layered security plus additional controls. Additional controls include data backups, ensuring backup integrity and accessibility, monitoring, etc.

4. Principle of Least Privilege

The principle of least privilege is an essential concept in security. The idea of least privilege is that any user, application, etc. should have only the minimum rights and privileges necessary to perform its function. For example, finance users should not have the same level of access as users in the engineering department.

Least privilege helps reduce the attack surface by eliminating unnecessary rights and privileges that can result in security incidents, such as a major data breach. For example, the National Security Agency (NSA) had to reduce the number of people who had access to secret information after Edward Snowden leaked classified data [4].

Organizations should also implement periodic checks, possibly yearly, for privilege creep. The idea is to prevent a gradual accumulation of rights and privileges beyond what the subject needs to perform its function. For example, when an IP address gets reused and serves a different function in the enterprise, it gains a new set of firewall rules serving its new purpose. However, it continues to have the same network access privileges as the previous owner unless those are removed.

5. Monitoring


With the ever-evolving threat landscape, you should not make network security monitoring an afterthought. It should be one of the first defense strategies on your list. Why? Because it provides an ability for you to monitor your network for security threats, vulnerabilities, suspicious behavior, etc., and respond appropriately.

68% of breaches took months or longer to be discovered. In many cases, a third party, such as law enforcement or a partner, discovers the breach. The worst-case scenario is when your customers spot the breach [5].

Fortunately, organizations are getting better at reducing dwell time compared to previous years. Dwell time is the number of days an attacker is present on a victim’s network. It is measured from the first evidence of a compromise to detection. Currently, the median dwell time is 78 days [6].

Conclusion

In this day and age, managing network security is getting to be a lot more complicated and requires thoughtful planning. The threat landscape will continue to evolve, and organizations must continuously adapt in order to protect their infrastructure and data. Implementing these five network security principles into your organization will immensely improve your security posture.

Achieving these principles will require cooperation from all employees and not just the IT teams. More importantly, IT teams should have supportive executives who are fully committed to improving your organization’s network security.

Remember the saying “prevention is better than the cure”? This saying is very much applicable to cybersecurity. Applying a prevention mindset will harden the organization’s security posture. It doesn’t guarantee that an attack will be prevented, since cybercriminals are sophisticated and determined. However, implementing these network security principles will help make the organization a less attractive or easy target for cybercriminals.

Are you in need of network security consulting in the San Francisco Bay Area?

We specialize in helping enterprises improve their network security.
Get in touch with us today!


References

[1] C-Suite Challenge 2019
[2] Arizona Beverages knocked offline by ransomware attack
[3] Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
[4] NSA to cut system administrators by 90 percent to limit data access
[5] 2018 Verizon Data Breach Investigations Report
[6] M-Trends 2019


WebAuthn: Moving to a passwordless world

03/31/2019 By Andrew Roderos


What is Web Authentication (WebAuthn)? It is a new mechanism for authenticating to websites, replacing traditional username and password login credentials with security keys or built-in authenticators.

On March 4, 2019, the World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance finalized the Web Authentication (WebAuthn) specification [1]. This web standard is a major step forward in making the web more secure, passwordless, and easy to use.

The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication.

James Barclay, Senior R&D Engineer, Duo Security, a Cisco business unit

Why are we moving to a passwordless world?

81% of hacking-related breaches leveraged either stolen or weak passwords

As mentioned in the multi-factor authentication (MFA) article posted last month, protecting accounts using passwords alone has been unsuccessful for many years. Credential theft via phishing is a very popular and successful social engineering attack employed by cybercriminals. In addition, there are instances where collections of user credentials are posted online [2]. Those credentials are then used to launch attacks known as credential stuffing. The industry’s response to such attacks is the implementation of MFA, but some implementations do not adequately address attacks such as phishing and man-in-the-middle (MITM).

WebAuthn addresses phishing and MITM attacks in a way that is more manageable and user-friendly, but that does not guarantee a rapid rate of adoption. Users are slow to adopt better security. In fact, Google revealed in a presentation on January 17, 2018, that only 10% of active Google accounts have two-factor authentication (2FA) enabled [3].

How it works

Traditionally, when we sign up for an online account, we are asked to create a unique username and password. With WebAuthn, we are instead presented with several choices for authentication such as username and password combination, multi-factor authentication, or passwordless authentication.

The next time the user connects to the website, the server sends a challenge and provides a list of credentials that are registered to the individual and can also indicate where to look for the credentials – internal or external authenticator.

Authenticator choices

There are two main types of authenticator: internal and external. Internal authenticators, which are referred to as platform authenticators in the WebAuthn specification, are built into the device; examples are Apple’s Touch ID and Windows Hello (e.g., fingerprint or facial recognition).

External authenticators, which are referred to as roaming authenticators in the WebAuthn specification, are removable and can roam among devices; examples are a security key or a smartphone.

Is it better than existing solutions?

It depends. Users have different levels of risk they’re willing to take, and some users are more risk-averse than others. For people who, to this day, do not use password manager software or some sort of algorithm to remember different passwords for their accounts, this is a great solution. It doesn’t require them to remember any passwords, which means no password reuse issues, and it’s convenient to use yet still provides strong account protection.

Conclusion

In our previous post, we highlighted the importance of utilizing multi-factor authentication. While it provides an additional layer of security, some MFA strategies fail to address phishing, MITM attacks, etc. These cyberattacks give cybercriminals the ability to compromise accounts even with an additional layer of security in place. WebAuthn attempts to address the shortcomings of both password-based authentication and multi-factor authentication.

From a security standpoint, it is a significant step in providing users a simpler and stronger authentication mechanism. WebAuthn may take some time for full adoption, but it is definitely a step in the right direction. In the meantime, being vigilant about protecting our passwords by enabling multi-factor authentication, where possible, is a must in this day and age.


References

[1] W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Login
[2] 2.2 Billion Accounts Found In Biggest Ever Data Dump — How To Check If You’re A Victim
[3] Anatomy of Account Takeover


What is multi-factor authentication (MFA)?

02/28/2019 By Andrew Roderos


What is MFA?

If you haven’t been living under a rock these past few years, you’ve probably heard of multi-factor authentication (MFA) or two-factor authentication (2FA) by now. In the last few years, MFA has gained enormous popularity in companies that are improving their cybersecurity posture.

Before we delve into MFA, let’s define what authentication is. In the simplest terms, it is a process to confirm that someone is in fact who they say they are.

A lot of people mistakenly think that the combination of username and password is authentication. However, it is actually a combination of identification (username) and authentication (password). The username is used to claim an identity, while the password is used to verify that identity.

Authentication factors

There are three basic methods of authentication:

Type 1: Something you know – password, PIN, etc.
Type 2: Something you have – smart card, hardware token, smartphone, etc.
Type 3: Something you are or something you do – biometrics, signature, keystroke dynamics, etc.

Of these three methods of authentication, Type 1 is the weakest and Type 3 the strongest. Malicious actors, however, can still bypass some Type 3 authentication factors. For example, some fingerprint readers can easily be fooled by a duplicate fingerprint made of gummy bear candy [1].

Single-factor authentication (SFA)

As the name implies, single-factor authentication only requires one method of authentication. For many years, accounts for our email, web, social media, etc. were protected by this single form of authentication.

For a time, passwords were enough to secure accounts. However, as cybercriminals became more successful at stealing credentials, it became clear that passwords alone were no longer enough to protect accounts.

Multi-factor authentication (MFA)

As you might have guessed, multi-factor authentication requires at least two methods of authentication. It can be a combination of any two or perhaps all three of Type 1, 2, and 3.

The use of two methods of authentication is called two-factor authentication (2FA), which is a subset of MFA. 2FA is the most popular method that is currently available on a lot of websites, applications, etc.

The concept of multi-factor authentication is not new. In fact, you’ve probably been using it but didn’t realize that you were. If you’ve ever withdrawn money from an ATM, then you’ve used MFA.

Withdrawing from an ATM requires you to present two forms of authentication: something you know (PIN) and something you have (debit card). Satisfying these two requirements will give you access to withdraw money from your account – assuming you have sufficient funds.

Importance of MFA

52% of the users have reused the same passwords

Protecting accounts with passwords alone has been unsuccessful for many years. A lot of people use easily guessable passwords for their accounts, and in some cases have them written down within arm’s reach. Reusing passwords across multiple accounts is also common. A Virginia Tech University study found that 52% of users had reused the same passwords, or slightly modified existing ones, instead of coming up with something new [2]. What’s worse is that these users also use the same passwords for their personal and work-related accounts.

Password reuse creates huge risks and undermines security for both individuals and businesses. Some organizations are starting to offer free password manager software to their employees to combat this issue. This is a way of potentially arming their employees with the ability to practice good security in both their personal and professional lives.

The use of a password manager helps immensely in improving password security. It allows users to create unique and strong passwords without memorizing them. The scale of the problem keeps growing: a few weeks ago, there was a data dump of 2.2 billion accounts [3]. Stolen credentials from personal accounts can be used to try to compromise business accounts as well.

81% of hacking-related breaches leveraged either stolen or weak passwords

There have been many instances where cybercriminals successfully acquired account credentials. According to the Verizon 2017 DBIR, 81% of hacking-related breaches leveraged either stolen or weak passwords [4]. Reducing this number by implementing MFA solutions should be one of the top priorities of companies.

Common MFA methods

There are many approaches to MFA that companies take. Unfortunately, some of the approaches are weaker than others. We’re going to examine the most commonly used MFA methods.

OTP hardware-based

OTP-based hardware tokens, also known as security tokens or hard tokens, are one of the oldest MFA methods that are still in use today. RSA SecurID was very popular back in the early 90s.

There are drawbacks in using hardware tokens. Since they are small devices, they can be lost, stolen, or forgotten. When this happens, users won’t be able to access their accounts.

This scenario also illustrates another disadvantage of hardware tokens: they can be hard to manage, since replacing a token costs money and delivering the replacement to the user is a logistical problem.

The possibility of key extraction from a hardware token is another downside [5]. Additionally, cybercriminals can target the manufacturer to steal information that could be used to compromise the security of the hardware tokens [6].

OTP software-based

OTP-based software tokens are one of the most widely deployed MFA methods. They work much like hardware tokens, but are more convenient and less expensive. This assumes that users have smartphones, which not everyone does [7]. Instead of carrying another device, the user installs an app on their smartphone. The app generates six-digit passcodes for authentication.

As with hardware tokens, software-based OTP tokens have drawbacks. Smartphones get lost, stolen, or forgotten. That said, users are less likely to forget their smartphones at home than to forget a hardware token. One can assume that users are more attentive to their smartphones than they may be to a hardware token.

Another thing to consider is the reliance on a smartphone’s battery. Users won’t have access to the app to get their codes when the smartphone is out of battery. OTP hardware tokens also run on batteries, but theirs can last anywhere from five to ten years.

Similar to hardware tokens, the seed value (or secret key) on a software-based token is vulnerable to theft, in this case by smartphone malware or by malware on the server that holds the seeds. When malicious actors get hold of the seed value, they can replicate the token on their own smartphone.

Both hardware and software tokens are vulnerable to man-in-the-middle (MITM) attacks. To describe this attack, imagine a cybercriminal creates a fake bank website and then launches a phishing campaign that entices users to give up their credentials, including the OTP. The attacker’s server captures everything and relays the credentials to the real website. If done right, the server maintains the session until the attacker is ready to make fraudulent transactions.

OTP SMS-based

Receiving a one-time password (OTP) via SMS (text message) is another popular MFA method, possibly the most popular. With this method, upon successful first-step authentication, the user receives an SMS message containing a random code.

Sometime in 2016, NIST (National Institute of Standards and Technology) seemingly deprecated SMS-based authentication, but eventually softened its stance in the SP 800-63B (Digital Identity Guidelines) document [8].

The key takeaway is to verify that the out-of-band (OOB) authenticator is uniquely tied to a specific device. This means that users should not use VoIP-based services (Google Voice, for example) to receive passcodes.

While it is still acceptable to use OTP via SMS per NIST, it doesn’t mean users should keep using it. There are vulnerabilities in using this method such as SIM swap, SS7 (Signaling System No. 7) vulnerabilities, etc.

To highlight the insecurity of this method: one virtual currency investor lost around $150,000 after a cybercriminal took control of his phone number [9]. Another instance where SMS-based 2FA failed to protect accounts was when Reddit was breached via SMS interception [10].

Push-based notification

This method takes the best of both worlds from SMS-based and mobile-app-based MFA. Its main advantage over the other methods is the balance between security and convenience.

The push-based method has been gaining popularity in the enterprise. In fact, Cisco Systems invested $2.35 billion to acquire Duo Security, an industry leader in the MFA space [11].

The beauty of this method is that when the user sees a push notification, the user can choose to allow or deny the authentication attempt. If it was the user who initiated the authentication attempt, then it gets approved. Authentication attempts not initiated by the user can be rejected.

Push technology is, in theory, a more secure method, but that doesn’t mean it is immune to attacks. One possible attack is social engineering. Imagine a cybercriminal gets hold of a user’s credentials and tries to access the account. When the cybercriminal is ready to send the push, they can call the user, impersonating a trusted party such as IT staff, and convince the user to accept the push.

Universal 2nd Factor (U2F)

Google and Yubico initially developed U2F, but now it is an open authentication standard supported by the FIDO (Fast IDentity Online) Alliance. It aims to provide strong second-factor authentication while also enabling users to quickly and securely access websites.

When a user wants to authenticate to a website with which the U2F token is registered, the user inserts the USB token as the second factor. It is not vulnerable to phishing attacks, session hijacking, or MITM attacks.

Like an OTP hardware token, however, it can be forgotten, lost, or stolen. Supplying and replacing these tokens for all employees of a large organization can get costly.
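As an added illustration (not code from the original post or from the FIDO specifications), the following stdlib-only Python model shows why U2F’s origin binding defeats the relayed-credential attack described in the OTP section above. It substitutes an HMAC-derived per-site key for U2F’s per-site ECDSA key pair so that it runs without third-party libraries; the wire format, the origins `https://bank.example` and `https://bank-login.example`, the user `alice`, and all class and function names are constructed for this walkthrough. What it keeps faithful is the structure: the browser, not the web page, writes the origin it is connected to into the signed client data; the token’s signature covers that origin; and the relying party rejects any assertion whose origin is not its own, so a challenge relayed through a look-alike site cannot be turned into a valid login.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the walkthrough; neither is a real site.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"


class Token:
    """Simplified U2F-style authenticator: one master secret, one key derived per site at
    registration. Real U2F wraps an ECDSA P-256 key pair in the key handle; this model
    derives a symmetric key instead (an assumption made to stay stdlib-only)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _site_key(self, app_id: str, key_handle: bytes) -> bytes:
        return hmac.new(self._master, app_id.encode() + key_handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        key_handle = secrets.token_bytes(16)
        # The relying party stores the key handle plus (in real U2F) the public key;
        # here it stores the derived key as its verification key.
        return key_handle, self._site_key(app_id, key_handle)

    def sign(self, app_id: str, key_handle: bytes, client_data: bytes) -> bytes:
        # The signature covers hash(appId) || hash(clientData). The appId comes from the
        # browser, from the origin it is connected to, so a token used on a phishing page
        # signs for the phishing origin with a key the bank never registered.
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._site_key(app_id, key_handle), msg, hashlib.sha256).digest()


class RelyingParty:
    """The website: issues challenges, stores registrations, verifies assertions."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._registrations = {}
        self._pending = set()

    def enroll(self, username: str, key_handle: bytes, verify_key: bytes) -> None:
        self._registrations[username] = (key_handle, verify_key)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, username: str, client_data: bytes, signature: bytes) -> bool:
        key_handle, verify_key = self._registrations[username]
        data = json.loads(client_data)
        # 1. The challenge must be one we issued and not yet used (replay protection).
        if data.get("challenge") not in self._pending:
            return False
        self._pending.discard(data["challenge"])
        # 2. The origin must be ours: this is the check a relayed phishing assertion fails.
        if data.get("origin") != self.origin:
            return False
        # 3. The signature must verify under the key registered for this user.
        msg = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(verify_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_assert(token: Token, origin: str, key_handle: bytes, challenge: str):
    """What the browser does: bind the challenge to the origin it is actually talking to."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    return client_data, token.sign(origin, key_handle, client_data)


def login(rp: RelyingParty, token: Token, username: str, key_handle: bytes,
          browser_origin: str) -> bool:
    """One login attempt; `browser_origin` is where the user's browser really is."""
    challenge = rp.new_challenge()
    client_data, signature = browser_assert(token, browser_origin, key_handle, challenge)
    return rp.verify(username, client_data, signature)


def demo():
    """Returns (genuine_login_accepted, relayed_phishing_login_accepted)."""
    token = Token()
    bank = RelyingParty(BANK_ORIGIN)
    key_handle, verify_key = token.register(BANK_ORIGIN)
    bank.enroll("alice", key_handle, verify_key)
    genuine = login(bank, token, "alice", key_handle, BANK_ORIGIN)
    # Phishing: the look-alike site relays the bank's real challenge and key handle, but
    # the user's browser is on PHISH_ORIGIN, so that is the origin the token signs for.
    relayed = login(bank, token, "alice", key_handle, PHISH_ORIGIN)
    return genuine, relayed


if __name__ == "__main__":
    print("genuine accepted, relayed phishing accepted:", demo())
```

Contrast this with the OTP flow: a six-digit code carries no information about where it was typed, so the relying party has nothing to check, whereas here the attacker would have to alter the origin string inside data the user’s own browser signed.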

Conclusion

While MFA is not perfect, it is still better than not having it at all. Our recommendation is to enable it wherever possible, especially for systems, websites, or applications that contain sensitive data.

When choosing an MFA method for your organization, you must strike a balance between security and convenience. The MFA strategy must be easy to use and sustainable. Without these factors, users may find ways to circumvent it, which in turn undermines the security provided by the second-factor authentication.

References

[1] Passwords: 4 Biometric Tokens and How They Can Be Beaten
[2] The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services
[3] 2.2 Billion Accounts Found In Biggest Ever Data Dump — How To Check If You’re A Victim
[4] Verizon 2017 Data Breach Investigation Report
[5] Efficient Padding Oracle Attacks on Cryptographic Hardware
[6] RSA breach leaks data for hacking SecurID tokens
[7] Smartphone penetration rate
[8] Questions…and buzz surrounding draft NIST Special Publication 800-63-3
[9] Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency
[10] We had a security incident. Here’s what you need to know.
[11] Cisco Completes Acquisition of Duo Security
