On the Move with Two-Factor Authentication


Hank, Rick, and Brian have a special relationship with the Information Security team at our university. Every couple of years, they meet with me to work out security requirements for transport protocols, storage, offsite hosting, data protection, and scheduling. Henry, Rick, and Brian are not IT guys; they are from the University Movers, and this past summer they met with our team to move us to a new location on campus. This is my eighth office move in 10 years, and over this time we have learned from each other. We endeavor to share with every person we encounter the principles that guide information security decisions on campus, noting that we cannot expect a mass e-mail message or a security awareness website to attract the attention of everyone in our campus community. In addition to protecting online knowledge workers on campus, we in Information Security remind ourselves that it is just as important to share pressing awareness issues with people who interact with computers by moving them from place to place.

One principle I've learned from the moving team is that weight matters. The more mass involved, the more important it is that the path chosen to the new location includes elevators. This time around, our new location does not have an elevator, and thinking it was about time to unload those paper files I had not opened since the last two moves, I obtained a shred bin and got busy. It was one of those 96-gallon locked bins that has a slot in the top, and I had to take care not to throw out any valuable documents (we're talking paper here), which meant I had to schedule the time to examine every piece before it went to a second life as paper mulch. Among the things that I saved for future reference was a one-page security awareness handout from 1998.

What were we preaching about computer security in 1998? The themes are interesting. The top issue was to be careful of floppy disks that could have boot sector viruses. Another threat was the propensity of people to connect to that new Internet thingy, and we had to beware miscreants running automated password guessing attacks against our Unix systems, so the primary admonition was "change your password every 90 days" and change root passwords every month. I was smiling at how the root problem of fraud has not changed, just the means. Then I flashed forward to 2008, when the running joke in my family was that whenever any acquaintance would ask us what I did by profession, we would first say I was the CISO at a university. This generally brought about puzzled looks, and the next explanation was, "Oh, he makes all the professors change their passwords." Indeed, that was our biggest security awareness effort in 2007–2008, creating a community that accepted (mostly) the need for annual password changes to minimize the impact of theft and sharing of user credentials. You get the attention of your users when they have to go through a mandated password change cycle to get to IT resources. You get extra attention when they remind you that they were just fine for the past 15 years with that password that they really liked.

Global Accessibility, Global Threat

Since 2008, practically every academic IT resource we provide to our university has become accessible online, globally. What this has meant is that our threat surface has grown geometrically. Today's primary risk to our organization is account theft, and the lowly password is the only defense standing between organizational information and attackers. According to the 2015 Verizon Data Breach Investigations Report, 23 percent of persons who receive a phishing e-mail open the message, and 11 percent click attachments, resulting in passwords being stolen (at best). Attackers are not guessing passwords; users are fooled into giving them away. The attackers steal these user passwords and then use them to further propagate the attack, or they may sell them to others who will misuse them. To mitigate this risk, we have another decision to make about passwords, and we can go two ways: require changing them every minute to reduce their usability if stolen, or stop changing passwords completely to make the users happy. Of course, I like both, and now we have the option for both: two-factor authentication (also referred to as 2FA, or multifactor authentication). This means that even if an attacker steals your password, they cannot use it alone to get into your personal or corporate IT systems. The consequences to a small business are well illustrated in this interesting story of the CloudFlare hack of 2012.

Before you consider using 2FA, it is best to understand how it works. The most basic form requires using another means to authenticate a user beyond the basic username and password. Many 2FA systems work by calling you on your cell phone or sending a text message after a successful login; that constitutes "extra checking" to make sure the person with the user account password also has the user's preregistered phone number (see this site for a clear explanation with graphics). Some systems use a hardware token that calculates a code, or a mobile app that can generate a one-time password to augment and further secure the login process for a user, but if your university has not integrated it into authentication systems, these might not be available to you. The most significant impediment to adoption of 2FA systems in consumer IT environments has been the need to obtain a hardware token and create an ecosystem where it works, and so it has never been available to general consumers. Since higher education IT has been closely linked to consumer IT, universities that have implemented 2FA had to expend significant cost, and the service was available only to staff or researchers. However, conditions have changed with the ubiquity of mobile phones.

Mobile 2FA

I think of Hank, Rick, and Brian again. They each have a cell phone or smartphone. They could be using two-factor authentication now. My three friends are the best example of a "mobile workforce" (they are always on the move); they still have user accounts and are exposed to the same IT risks as the IT workers on campus. What has been a boon to university Information Security is the advent of 2FA services that are simple and cost-aware, and thus available to all consumers. Our university is using Duo Security, which has a mobile app that works for both university and personal accounts. We plan to implement the two-factor services by first getting users to enroll. The Duo Mobile app changes its code every minute, effectively making the password sequence change each minute. Then, after our community members have enrolled, we plan to relax the technical controls and switch the password-changing requirement to an annual basis. This is not a promise, but a goal — that passwords will not need to be changed on a set timeframe.

So where does a person begin with getting to know and love two-factor authentication? Fortunately, many services offer a 2FA solution, and you can try it out on personal Google, Yahoo, and Outlook.com services. The site Stop.Think.Connect. has a helpful infographic that explains its use and how to set it up for your online accounts. I strongly suggest people opt in to two-factor authentication to protect their accounts online.

I predict that two-factor, and then multi-factor, authentication is the wave of the future. Happily, I'll no longer be the guy who "makes the professors change their passwords." I still may need to move my office in another couple of years, though — "Hey Hank...!"

Tom Siu is the chief information security officer at Case Western Reserve University in Cleveland, OH, where he directs the Information Security Office. He also serves as co-chair of the EDUCAUSE HEISC Technologies, Operations, and Practices Working Group. He is a member of the Executive Council for Northeast Ohio InfraGard, holds a SANS GSEC Gold Certification, serves on the GIAC Advisor Board, and is a participant in REN-ISAC.

© 2015 Thomas Siu. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.