Work article: The perils of single-factor authentication

QA Cyber Security Trainer, Graeme Batsman, offers a first-hand opinion on single-factor authentication and the exposure of company platforms to the internet.

As someone who has worked on/off in 'cyber', 'data', 'information' security for around thirteen years I have seen some things change for the better and many things which have not changed from when I started working in 2004 plus many hilariously stupid things I have seen across both public and private sector. Products like ticketing systems (Peregrine & Remedy), CRMs (Salesforce & Microsoft Dynamics), defect trackers (Jira & Confluence) and other categories are or really have moved away from the days of desktop installations.

Desktop installations had pros (speed, security and no internet connection needed) and cons (installation needed, configuration is fiddly and a company device is needed). With desktop installations you needed to have the right software, configuration settings, user/password, company issued device and be on the network for it to work. You couldn't simply download the general software and enter a user/password. Now things have changed for the better or worse depending on your stance – SaaS (software as a service).

These days organisations can simply rent a service, host an off-the-shelf product on their own servers or install a product or website on Azure, Amazon, Rackspace etc. Borders have changed and rarely does everything solely sit within the four walls of the hardware firewall. Remember the security triangle which you probably learnt from a book or exam? Security, ease of use and cost. As ease of use increases and in this case cost reduces the by-product is security decreases.

Nowadays instead of installing software you simply visit jira.organsation12345.com and login with a username of firstname.surname, initialsurname or email address. All are very guessable from an attacker's viewpoint. Many people think sub-domains cannot be found out but staff may post them online by 'mistake', think support forums or GIThub. Free tools such as: dnsdumpster, pentest-tools and crt.sh (a tool for looking up SSL/TLS certificates on domain names) will reveal 'hidden' sub-domains to anyone which you thought were hidden.

Once an attacker has found out the sub-domain or login address by using the tools above they can do a number of things:
  1. attack the actual application, mainly by SQL injection or trying default accounts
  2. crack general low-privilege accounts by guessing the password or by running brute force tools
  3. simply phish for the password by emailing the victim at their work address or at home
  4. intercepting the traffic even if it is encrypted – by knowing what software is running you can understand the authentication options it has and how people login

Let's use two off the shelf open source CMS's (content management systems) as a good example. Both can be downloaded for free without registration and use PHP/MySQL. Joomla has separate login methods for front end and back end users. Back end users which are administrators go to /administrator and front end users just use a form on the general website. Every attacker knows /administrator exists and controls can be put onto this directory and denying administrators using the front end form or reducing what they can do once logged in using the front end form.

Drupal is another CMS which also runs on PHP/MySQL though it is easier to use and has less options than Joomla. This product does not work like Joomla. Administrators and user's login by using the same form which makes applying technical security controls harder. Two-factor authentication should be applied to administrators by default but it rarely is. You will also find administrators can login from any device and from any network not just within the four walls of the organisation. Even if a low-end user account at ServiceNow was compromised internal secrets would still be leaked.

Still in the last three years I have seen projects (mainly all) that are rolling out platforms for internal users only yet they are being placed on the general internet with no two-factor authentication nor IP address whitelisting. ServiceNow, Confluence, Microsoft Dynamics, Salesforce, BMC Remedy, Stash, Slack, BYOD enrolment, website administration and platforms which contain highly sensitive data being loaded onto Azure or AWS with very few technical security controls apart from an easy to guess user/password combination.

IaaS, PaaS and SaaS maybe more secure than on-premise depending on who you ask but configure it poorly and it is arguably less secure than on-premise. All organisations are opening themselves up to a wide range of risks and it only takes an attacker a few hours with just a spend of £10 to exploit these exposed platforms with almost a 100% success rate. The problem here is the configuration of the platform itself and of course 'layer 8' the user who is stupid enough to set a poor password or fall for a spear phish email.

I have two-factor authentication, doesn't this protect me?
If an attacker has found the sub-domain or login address, guessed the username and found the password by various means then what stops him or her asking the end user for the two-factor code? These one time codes last for 30 seconds, 60 seconds or at times forever. With the user, password and two-factor code an account can be exploited. Challenge response in the form of a USB token which needs to be plugged in each time would very likely defeat the attacker. A smartcard is another option along with an app which 'rings' for approval.

If two-factor authentication can be defeated then what?
By all means use second factor along with a good password. Do not use obvious usernames especially email addresses. Use something with numbers in like: GB5478615. An attacker cannot guess this without phishing for it unless it is exposed on Pastebin or similar. The best defence is IP address whitelisting. If your clients and staff are solely based within the UK and never dial in from abroad, why does the whole world need to be able to see and login to your internet facing platform? Implement a firewall rule or application firewall rule so only your offices or the IP address of your VPN can access the platform. Then even if an account login is stolen it cannot be used unless they have physical access to the building(s). ServiceNow offer this feature out of the box and with most others it can be setup within minutes.