How to use multi-factor authentication to protect a network

Multi-factor authentication (MFA) is a technique that, when implemented properly, can be an efficient deterrent from cyberattacks, but heed these additional precautions to prevent information from being compromised.
By Dan Capano October 12, 2018

The longer and more complex a password, the longer it will take for a hacker to break through. A 10-character mixed-case, number, and symbol password, for example, could take 87 years. Courtesy: Daniel E. Capano

In this age of pervasive malware and state-sponsored election hacking, it is easy to see that we have most certainly been under cyber attack. Malware takes many forms and can be designed to accomplish many goals, so a malware attack can come from just about anywhere. Very often it is designed to gather personal information for sale or, as seen in the news, to gather thoughts and opinions that can be used against us. Social media, a favorite avenue of compromise and credential theft, is hacking 101—there is typically no skill required in running the malware that will crawl the web looking for unsecured devices or bad passwords. These two vulnerabilities are due solely to the failure of the human factor.

Authentication is the process of ensuring that a person is who they say they are when attempting to access a device or a service. Email is a common service and it is relatively simple to steal someone’s login credentials. For most email services, all that is required for authentication is a username and password. In a notorious hack on a campaign official, a phishing email was sent, purportedly by Google security, asking the user to reset credentials. This phishing email was either very good or the information technology (IT) security person was very bad, because the official gave away credentials, and the official’s account was compromised by Russian intelligence operatives; it was quite simple, as described. Fifty thousand emails were stolen and released to the public.

Lessons to be learned are many. The first is that not all emails (or social media messages) are credible. Each email, unless it is verifiably from someone you know, is a potential trap. The easiest way to spot a phishing email is to look at the sender's address.

There are some very clever miscreants, and they have become adept at creating bogus email addresses that trick the eye, such as "SECURITY at G00GLE.COM," for instance. Aside from being all caps, take a closer look at the spelling of the domain; many unsophisticated people will be fooled, because the presentation of the email can be made to look very authentic and intimidating, drawing attention away from the bogus address.

Turn on the option in your email client that displays the sender’s actual email address. Legitimate companies send from their own domain names. If your client doesn’t allow this, get another client. Avoid web-based email services and opt for a local client that can be controlled. And finally, never give out credentials to anyone, whether by email or on the phone. Legitimate companies will never ask for your credentials by email.

Multi-factor authentication (MFA) is a technique that, when implemented properly, can be an efficient deterrent that resists compromise. This technique is already in widespread use; when you use a credit card to purchase gasoline and then are asked to enter a zip code, MFA is being used. Another common example is an ATM card. MFA uses multiple means, beyond a password, to determine if ATM users are who they purport to be.

There are three factors that are used in combination to create an identity that can be authenticated to a variety of devices and services: something you have, something you know, or something you are. The proper use of these factors can prevent a breach. 

Single-factor authentication

Single-factor authentication usually is accomplished by using a password. Unfortunately, many passwords are not chosen carefully and can be guessed easily or obtained by simple means. It boggles the mind that people still use "123456" or "654321" as passwords. Even worse is using simply "password" or one of its several common variants ("p@ssw0rd," for example). No amount of training or education seems to deter the use of insecure passwords. Consider the recent hack of a political official, who used "passw0rd" as his password; the Russian hackers laughingly stated that "he could have been hacked by a 14-year-old."

This was, unfortunately, a true statement. And a password such as "1234" could be cracked in less than 0.2 ms. If there’s no other option than a password, remember that longer is stronger. Several websites will test passwords and show the time it takes to crack passwords of various lengths; a 10-character mixed case, number-and-symbol password would take 87 years (see Table). By then, the average hacker will have moved on to lower-hanging fruit.

Using a smarter password reduces the attack surface. Create a formula whose components only you know. It could, for example, be an actual algebraic equation, or it could be a series of words and symbols that are put together in the same order each time, but with different numerical and alphabetic components. Using a set formula as a memory aid also has risks: if the formula is compromised, the entire suite of logins is compromised. Tread carefully. 

Two-factor authentication

Two-factor authentication (2FA) involves the combination of two of the factors previously mentioned. It could be something you know (a password) and something you have (a token or card); it could be something you have and something you are (a fingerprint scan); or something you know and something you are. 2FA is also referred to as two-step authentication.

Whenever a code is sent to your email or phone and is entered in addition to your password, that is 2FA. Your credit card and your billing zip code, or your ATM card and PIN, as described above, are common examples. It is that simple, but there are dangers. Both passwords and tokens can be stolen. Or you could be forced to use your card and password by blackmail or by more forceful means.

A final admonition: secret questions are an example of "something you know" and are used as a factor in authentication; I highly recommend giving false answers to these questions—so long as you can remember them—because information such as a mother’s maiden name or previous address or even a first pet often can be found easily by a hacker using a Google search. This is particularly true for social media, where people may feel the compulsion to bare their souls. Even with the pitfalls described, with reasonable care and common sense, the use of 2FA can protect an individual against breaches.

Three-factor authentication

Three-factor authentication is rare in an average consumer setting. In highly secured environments, three factors are in common use. An individual wishing to access a highly secured area, device, or service can expect to use a password or a PIN, an identification card or token, and a scan of some body part such as a fingerprint, handprint, retina, or face. This, along with other security techniques, will virtually ensure proper authentication.

However, nothing can protect against a determined individual who has access to secure places or data from using these factors to compromise a system. In this case, the individual has evaded other screening methods used as predictors of behavior. 

Password best practices

There is no excuse for using a poor or weak password. The first attack vector is always against the user’s password, usually through a social engineering campaign. If the victim can be tricked into providing his or her password, then the rest is easy. This happens more often than you might imagine, even with all of the press coverage about this sort of thing. It is a confidence game, and many people, unfortunately, are gullible. It is too much work to formulate and remember a complicated password, so it either doesn’t get done or gets written down. Both options can lead to breaches.

Finally, a threat that is often overlooked and has allowed great havoc to be perpetrated on the Internet is the failure to change default passwords on common devices. When you purchase a new internet-connected device, the very first thing to do is to change the default login credentials. Millions of Internet of Things (IoT) devices can be accessed by using "admin," "password," or "1234" for the username, the password, or both.

The Mirai bot was designed to seek out unsecured IoT devices, specifically those that used "admin" as both the username and the password. This allowed the bot to gain entry into home networks and then beyond. A large portion of the Internet was shut down as a result, in the Dyn cyberattack of 2016. Variants of Mirai were still causing havoc as recently as July 2018.
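An added example (not from the article) that turns the weak-password examples in the single-factor section and the default-credential problem above into an enrollment-time check: it rejects the article's example passwords even in leetspeak disguise, flags factory pairs such as admin/admin, and estimates worst-case brute-force time for a given length. The denylist and the 10^10 guesses-per-second attacker rate are constructed assumptions, not figures from the article.

```python
import re

# Constructed denylist built from the weak and default credentials the article cites;
# a real deployment would use a much larger breached-password list.
WEAK_PASSWORDS = {"123456", "654321", "password", "passw0rd", "p@ssw0rd", "admin", "1234"}
DEFAULT_USERNAMES = {"admin", "root", "user"}

# Leetspeak substitutions that make "p@ssw0rd" look stronger than "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so trivial variants of a weak word match it."""
    return password.lower().translate(LEET_MAP)


def is_known_weak(password: str) -> bool:
    """True if the password, raw or de-leeted, is on the denylist."""
    return password.lower() in WEAK_PASSWORDS or normalize(password) in WEAK_PASSWORDS


def check_password(password: str, min_length: int = 10) -> list:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_known_weak(password):
        problems.append("matches a known weak or default password")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def is_default_credential(username: str, password: str) -> bool:
    """Flag factory-style pairs such as admin/admin or admin/1234 that must be changed."""
    return username.lower() in DEFAULT_USERNAMES and (
        is_known_weak(password) or password.lower() == username.lower()
    )


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace; guesses_per_second is an assumed attacker rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "correct-Horse7battery!"):
        print(pw, check_password(pw) or "ok")
    print("admin/admin default:", is_default_credential("admin", "admin"))
    # 4-digit PIN vs 10 characters from a 94-symbol alphabet at an assumed 10^10 guesses/s
    print("4-digit PIN:   %.2e years" % brute_force_years(4, 10, 1e10))
    print("10-char mixed: %.0f years" % brute_force_years(10, 94, 1e10))
```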

With some effort, thought, and common sense, the use of MFA can make any device, service, or network virtually impenetrable. The object is to reduce the attack surface, to make it less visible, if not invisible, on the cyberscape. There are those who, with little risk or effort, will prey on others in order to reap large rewards. When it comes down to it, only you can protect your information, and learning how to secure your information is time well spent.

Daniel E. Capano is senior project manager with Gannett Fleming Engineers and Architects, based in New York City. He is also the vice-chairman of the Stamford Water Pollution Control Authority (SWPCA) and chairs the SWPCA Technical Committee. Capano is a member of the Control Engineering Editorial Advisory Board. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, mhoske@cfemedia.com.

KEYWORDS: Industrial wireless, cybersecurity, hacking

It’s easy for people to fall for potential phishing and hacking efforts and hackers are counting on people’s laziness.

Single-factor, two-factor, and multi-factor authentication all require additional steps to lower risk.

A multi-factor authentication scheme, used correctly, can make any device, service, or network virtually impenetrable.

CONSIDER THIS

Cybersecurity, like safety, should be on an engineer’s mind constantly.

ONLINE extra

See more about the Russian hacking effort from the U.S. Department of Justice (DOJ)