Over the years, many organizations have accumulated applications and systems that each store passwords in their own way, which makes protecting both employee and customer passwords a serious problem, said Johannes Ullrich, chief research officer at the SANS Institute.
Social networks and other organizations should protect user passwords appropriately or face serious consequences when an attacker breaks in to pilfer data, Ullrich said. Attackers have shown that account credentials are highly coveted, he said, because they provide the easiest way onto a system as an authenticated user. The LinkedIn password breach, one in a string of account credential breaches in recent years, is another example of password security missteps.
In an interview with SearchSecurity.com, Ullrich talked about the importance of taking an inventory of the various password databases on the network, deploying appropriate protection and migrating away from legacy applications that store passwords and other personal information in clear text. Enterprises can deploy single sign-on, he said.
It’s difficult to apply similar protections to email addresses, Ullrich said. Applications often need to see the email address in clear text and businesses need the email address available to message customers. Applying encryption to email would likely result in key management issues, he said.
Experts tell me the LinkedIn breach highlighted the need for database security. If you were a CISO at an enterprise, how would you approach the news of this breach?
Ullrich: I think the first thing to do is take an inventory of all of the password databases that you have in the network. The difficult part about this is usually you have more than one. You have them spread all around because there are likely different applications that you have acquired over the years. Trying to get a good inventory and figuring out how they are protected is a first step. Then of course there are applications that are not compliant and still deployed on many networks. They either store the data in clear text or are insufficiently hashed. Try to come up with a transition plan for that, which is questionable, so you would have to come up with some other mitigating controls there.
Why do organizations have password databases that they may not know about?
Ullrich: It is because of the way most networks grow over time. You find the organization may purchase applications, and you are not aware of how they store passwords. An enterprise has dozens of applications and they all have their own password store. Ideally you would have some sort of single sign-on implemented. That would be the ultimate goal I would aim for as a CISO, but then again, implementing a single sign-on with all those legacy applications is usually a huge challenge. It’s not something you do overnight.
Are email addresses stored alongside passwords? Should they be protected as strongly as passwords?
Ullrich: Email addresses and usernames, which are often the first part of an email address, tend to be stored next to each other. I don’t think there is much you can do to protect the email address because you need that in clear text in order to send emails to the user. The thing about passwords is the application never needs to know the password, so that allows for hashing and other encryption methods. You don’t really have that option for email addresses. You could encrypt email addresses, but then you would have to do something with the keys because the application would need to decrypt it. So you would have key management issues.
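Two points above lend themselves to a worked example: the inventory of password stores that are in clear text or "insufficiently hashed", and the observation that an application never needs the password itself, only a way to verify it. The following is an added example, not code from the interview or from SANS; it assumes a constructed sample store with a legacy record layout (clear text, unsalted hex digest, or a salted PBKDF2 record) and shows an audit of each record's protection level plus an opportunistic migration to salted PBKDF2 at the moment a user logs in with the correct password.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption for this example)

def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, iterated hash; the application never needs the password again."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def classify(stored: str) -> str:
    """Label a stored record by how well it protects the password (hypothetical labels)."""
    if stored.startswith("pbkdf2_sha256$"):
        return "salted-kdf"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "unsalted-sha1"   # the form LinkedIn's leaked hashes took
    return "clear-text"

def audit(store: dict) -> dict:
    """Inventory step: count records per protection level across a password store."""
    counts = {}
    for stored in store.values():
        counts[classify(stored)] = counts.get(classify(stored), 0) + 1
    return counts

def login_and_migrate(store: dict, user: str, password: str) -> tuple:
    """Verify against whatever format the record has; on success, rewrite it as salted PBKDF2."""
    stored, kind = store[user], classify(store[user])
    if kind == "salted-kdf":
        ok = verify_password(stored, password)
    elif kind == "unsalted-sha1":
        ok = hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
    elif kind == "unsalted-md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    else:
        ok = hmac.compare_digest(password, stored)
    if ok and kind != "salted-kdf":
        store[user] = hash_password(password)  # legacy record replaced on first good login
    return ok, kind

def build_sample_store() -> dict:
    """Constructed sample records for a legacy store; not real accounts or data."""
    return {"alice": "hunter2",
            "bob": hashlib.sha1(b"letmein").hexdigest(),
            "carol": hash_password("correct horse battery staple")}
```

Records that never see a successful login keep their weak format, so the audit output is what tells you when the migration is finished and where other mitigating controls are still needed.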
A lot of the data breaches we’ve seen over the last several years have had some sort of social engineering component. Other than training, is there anything you can do to protect end users against social engineering tactics?
Ullrich: You can still do access control. One of the problems of course is that social engineering can convince an insider to leak all the passwords. It doesn’t need to be a malicious attack. An attacker can convince an insider to leak them without social engineering. I think to address social engineering you need internal controls as well as external. What you do against a malicious insider also works well against social engineering attacks.
There’s been a push with “big data” for the addition of network traffic monitoring systems deployed in the enterprise. Are those systems only being deployed at large enterprises?
Ullrich: I think you would need too much manpower for small or mid-sized businesses to deploy and maintain these types of systems. You need a fairly specialized skill to actually be able to operate them. I think smaller businesses will be stuck with outsourced monitoring or monitoring by a part-time system administrator or something like that. I don’t think those systems would help very much because they tend to collect data and don’t get monitored correctly. I think smaller businesses should choose network controls that would have the biggest impact in the end.