SANS ISC: Just thinking out loud... SANS ISC InfoSec Forums
Just thinking out loud...
I had an idea a while ago that I have been researching, but wanted to find out if anyone else has any solutions, experience, etc., because I doubt I'm the first one to come up with said idea.

Ever been to a nuclear missile silo? The level of two-factor authentication necessary is insane. The reason is pretty obvious: this prevents single points of failure.

Then it hit me: why haven't we been doing this in InfoSec already? Consistently, we see single points of failure with admin credentials being used to conduct large-scale compromises. Examples include Snowden, Sony, etc., just to name a few.

So with that being said, some thoughts occurred to me:

Why don't we incorporate more two-factor authentication into our business? E.g., we have RFID cards at my employer to get into the building, etc. Why don't we just use the RFID cards as part of the login process? Users would have to type in their passwords and use their employee badge.

Question here is: do solutions for this already exist? Yes, I've done some cursory looking around and I see a bunch of vendors pushing stuff. What really works?

Furthermore, what if we take the idea of "no lone zones" to the infosec realm as well? What if you had to have two admins authorize anyone logging into certain servers? It would look like this: Charlie needs to get into said critical server. In order for him to do so, I will get an email with the authorization code he has to enter for the server to let him in. Or maybe I get the authorization code in a text on my cell phone. While it is cumbersome, it's going to be a lot tougher for bad guys to compromise Charlie's admin login credentials and my cell phone. Or is it?

Like I said, just thinking out loud...

Hi Stormy,
Both ideas are already in use in many places. The main detractor for many organisations relating to using the building pass as the second factor is usually cost and responsibility issues. From a cost perspective you need specific readers for each workstation in the organisation, usually at $100+, multiplied by the number of workstations you have. The second challenge is usually the fact that building systems are managed and owned by other parties, so now your security relies on them getting things correct. There are a few systems I'm aware of that utilise the RFID component independent of the original building system, but they obviously require some sort of enrolment process. The third challenge I come across is that it is seen as "too much" for the organisation, or, as I like to call it, the "we are not a secret government agency" excuse.

The second idea is also implemented in many organisations through the use of their password management products. In order to release a password (or broker the SSH or RDP connection) secondary authorisation has to be provided. There are several products in this space, implementing this concept with varying degrees of success.


ISC Handler
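
The flow in the original post (Charlie asks for a server, a second admin receives a one-time code out of band, Charlie enters it) and the handler's description of password-management products that release a credential or broker an SSH/RDP session only after secondary authorisation are the same mechanism: a broker that holds the access until a different person approves a specific request. The following is an added example written for this thread, not code from the poster, the handler, or any vendor product. It assumes a single broker process with its own secret key, a 5-minute code lifetime, and out-of-band delivery (email/SMS) simulated by returning the message the approver would receive; the server names and user names are made up. The detail worth noticing is what the code is bound to: the request id, the requester and the target server, so a code intercepted or relayed by an attacker cannot be spent by a different account, on a different host, twice, or after expiry. What it cannot do is make the approver actually check who is asking, which is the "Or is it?" in the post.

```python
"""Two-person authorization broker for privileged logins (added example).

Assumptions (not from the thread): one broker with a server-side HMAC key,
codes expire after CODE_TTL_SECONDS, and the out-of-band message to the
approver is simulated by returning it instead of sending email/SMS.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300  # assumed lifetime of an approval code


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    approver: str
    target: str
    created: float
    code_digest: bytes  # HMAC of the code; the clear code is never stored
    used: bool = False


class TwoPersonBroker:
    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock  # injectable so expiry can be tested offline
        self._pending: Dict[str, AccessRequest] = {}

    def _digest(self, request_id: str, requester: str, target: str, code: str) -> bytes:
        # Bind the code to the request, the requester and the target host, so a
        # leaked code is useless for any other account or server.
        msg = f"{request_id}|{requester}|{target}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_access(self, requester: str, approver: str, target: str) -> Tuple[str, Tuple[str, str, str]]:
        """Open a request; returns (request_id, (approver, out_of_band_message, code))."""
        if requester == approver:
            raise ValueError("approver must be a different person than the requester")
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 8):08d}"  # 8-digit one-time code
        self._pending[request_id] = AccessRequest(
            request_id, requester, approver, target, self._clock(),
            self._digest(request_id, requester, target, code),
        )
        # The approver's message names who is asking and for what, so they can
        # refuse a request that does not match what Charlie told them.
        notice = f"{requester} requests access to {target}; code {code} (request {request_id})"
        return request_id, (approver, notice, code)

    def redeem(self, request_id: str, requester: str, target: str, code: str) -> bool:
        """Charlie presents the code he got from the approver; True releases access."""
        req: Optional[AccessRequest] = self._pending.get(request_id)
        if req is None or req.used:
            return False  # unknown request or replay of a spent code
        if self._clock() - req.created > CODE_TTL_SECONDS:
            del self._pending[request_id]
            return False  # expired; the request must be re-raised and re-approved
        if req.requester != requester or req.target != target:
            return False  # someone else, or another server, is trying to spend it
        expected = self._digest(request_id, requester, target, code)
        if not hmac.compare_digest(req.code_digest, expected):
            return False  # wrong code (constant-time compare)
        req.used = True  # single use; keep the record so replays are visible
        return True


if __name__ == "__main__":
    broker = TwoPersonBroker(secrets.token_bytes(32))
    rid, (approver, notice, code) = broker.request_access("charlie", "stormy", "critical-db-01")
    print(f"sent to {approver}: {notice}")
    print("login allowed:", broker.redeem(rid, "charlie", "critical-db-01", code))
    print("replay allowed:", broker.redeem(rid, "charlie", "critical-db-01", code))
```

Wiring this into a real gateway means `redeem` gates the SSH/RDP session or the password checkout; the approver's message should go to a device the requester does not also control, otherwise the second person adds nothing.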
