
Best Practices for Passwords and Multi-Factor Authentication within the DOD

This blog is part of a series for Cybersecurity Awareness Month 2022. You can find the other blog posts here:

  • What DOD Agencies Can Learn from Baseball…for Talent Management
  • The Three Phases of Keeping Burglars and Cybercriminals Away
  • Devalue the Data and Secure Your Agency through Encryption

This year, Cybersecurity Awareness Month focuses on promoting four core tenets:

  • Enabling multi-factor authentication (MFA)
  • Using strong passwords and a password manager
  • Updating software
  • Recognizing and reporting phishing

MFGS, Inc.’s Cyber Resilience framework for cybersecurity directly addresses each of these four behaviors, because Cyber Resilience is the dynamic process of positive adaptation in the face of adversity. In other words, Cyber Resilience is the constant updating of processes, capabilities, tools, and knowledge that enables a network owner to protect resources from malicious entities and detect their activity, while intelligently adapting to a changing world. Far too often, the mentality around security is, "It's not broken. We haven't been compromised. Why fix it?" Cybercriminals count on this mentality, and insider threats are constantly evolving, discovering new and highly sophisticated methods to accomplish their nefarious goals while minimizing the chance of detection. Why not get ahead of the curve?

For years, the thought process of cyber experts around the world has been to protect from the outside in: harden the border and look for potential indicators of compromise or attack, with almost complete disregard for insider threats. Insider threats do not necessarily equate to an individual with malicious intent; they also include users who cause damage by unintentionally performing actions that weaken the security state of a network or its assets.

In 2020, at the height of the pandemic, the National Institute of Standards and Technology (NIST) established a framework and guidelines for a new approach to cybersecurity known as Zero Trust Architecture. Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to a focus on users, assets, and resources. The key principle of Zero Trust Architecture is that no implicit trust is granted to assets or user accounts. This is a major shift from the age-old practice of over-privileged accounts, cleverly known as "super users." These users were generally considered valuable assets or members of the enterprise on the premise of knowledge or role. Knowing this, bad actors specifically target these types of accounts, because security teams tend to overlook their access due to the positional authority this type of user has historically held.

Per NIST, Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege-per-request access decisions in information systems and services in a network. The goal of a network that incorporates Zero Trust is to prevent unauthorized access to data and services, coupled with making the access control enforcement as granular as possible, and to incorporate stringent methods that prevent or deter unauthorized access to these accounts. These actions can be defined by various means; however, for the purposes of this blog, we will focus specifically on enabling multi-factor authentication (MFA) and using a password manager that enforces strong passwords.

According to the Cybersecurity and Infrastructure Security Agency (CISA), MFA is defined as a layered approach to securing data and applications in which a system requires a user to present a combination of two or more credentials to verify a user's identity for login. MFA increases security because, even if one credential is compromised, unauthorized users will be unable to meet the requirement for the second authentication method. Therefore, they will not be able to access the targeted physical space, computing device, network, or database. This approach coincides with maintaining a strong password policy and enforcing the policy with a password manager.

Typical infrastructure relies on an Active Directory (AD) topology, in which enforcing a password policy that encourages strong passwords is generally not possible. In other words, while AD is able to enforce password length, when it comes to password complexity it fails. Incorporating a strong password policy, coupled with a password manager that uses a series of calculations to determine whether minimum standards are met, is imperative to eliminate password cracking at a base level.

Password managers turn your network's password policy into enforceable criteria. The bare-minimum password policies used across global computer networks revolve around a certain length and a minimum number of letters and digits. Many users take advantage of these simple policies to make their own passwords easy to manage, and create passwords such as "keyboard walks" (runs of adjacent keys along one row of the keyboard) that still meet the policy's criteria but are also guaranteed to be in every password dictionary available to malicious actors. A properly configured password manager can prevent this by denying such passwords per policy, preventing users from creating passwords that contain part of their account name, and rejecting passwords based on dictionary words. The resulting passwords are far more complex and far harder to crack; revealing one could take years.
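To make the three kinds of rules above concrete, here is an added example of a policy checker that rejects keyboard walks, passwords containing part of the account name, and decorated dictionary words. It is illustrative code written for this post, not NetIQ's Password Management implementation, and it assumes a 15-character minimum, US QWERTY keyboard rows, a constructed five-word sample dictionary standing in for a real breached-password list, and the sample account name `j.smith`.

```python
import re

# Constructed sample wordlist; a real policy loads a large breached-password list.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Rows of a US QWERTY keyboard. A "keyboard walk" is a run along one row.
KEYBOARD_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
WALK_LENGTH = 4  # this many adjacent keys in one row counts as a walk

# Common character substitutions undone before the dictionary check,
# so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans("@01$3", "aoise")


def _keyboard_walks():
    """Yield every run of WALK_LENGTH adjacent keys, forwards and backwards."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - WALK_LENGTH + 1):
            run = row[i:i + WALK_LENGTH]
            yield run
            yield run[::-1]


_WALKS = frozenset(_keyboard_walks())


def contains_keyboard_walk(password: str) -> bool:
    """True if any WALK_LENGTH-character slice of the password lies along a keyboard row."""
    lowered = password.lower()
    return any(walk in lowered for walk in _WALKS)


def account_name_tokens(account_name: str) -> list:
    """Split 'j.smith' or 'jsmith@example.mil' into tokens of three or more characters."""
    return [t for t in re.split(r"[^a-z0-9]+", account_name.lower()) if len(t) >= 3]


def check_password(password: str, account_name: str, min_length: int = 15) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    lowered = password.lower()

    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")

    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        violations.append("uses fewer than three character classes")

    if contains_keyboard_walk(password):
        violations.append("contains a keyboard walk")

    for token in account_name_tokens(account_name):
        if token in lowered:
            violations.append(f"contains part of the account name ({token!r})")

    # Undo leetspeak and drop non-letters so decorated dictionary words are still caught.
    normalized = re.sub(r"[^a-z]", "", lowered.translate(_LEET))
    for word in sorted(SAMPLE_DICTIONARY):
        if word in normalized:
            violations.append(f"based on the dictionary word {word!r}")

    return violations


def is_acceptable(password: str, account_name: str) -> bool:
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password, account_name)


if __name__ == "__main__":
    # Constructed sample candidates for the account "j.smith".
    for candidate in ("qwerty12345678!A", "Smith-Fortress-2024!",
                      "P@ssw0rd1!", "Correct-Horse-Battery-Staple9"):
        result = check_password(candidate, "j.smith")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Two design points worth noting: the checker reports every violation rather than stopping at the first, so a self-service portal can tell the user exactly what to change, and the dictionary check runs on a normalized form of the password, because a length-and-character-class rule alone is exactly what "P@ssw0rd1!" was designed to satisfy.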

Solution? Our NetIQ solution can not only provide and enforce the granular accesses outlined in the NIST Special Publication 800-207 (Zero Trust), but also provides and enforces two of the four core tenets outlined in this year's Cybersecurity Awareness Month: multi-factor authentication and enforcement of strong passwords through a password manager.

The components supporting those tenets? Advanced Authentication and Password Management.

NetIQ's Password Management component not only provides the ability to create and enforce advanced administrator-defined password rules and policies, but also includes a strong password encryption mechanism and a self-service password portal. NetIQ's Advanced Authentication provides a multi-factor authentication solution that goes beyond typical username-and-password authentication, incorporating methods such as biometrics, card readers, one-time passwords, and security tokens, used in combination with other approved MFA solutions.

Both of these targeted components, derived from NetIQ's vast and comprehensive solution, satisfy not only these critical and time-sensitive tenets of cybersecurity, but also significantly enhance the security posture of any network or enterprise on which the solution is implemented.

For more information on NetIQ, read the white paper here.

Jeremy Kelly

Security Sales Engineer

Jeremy Kelley is a sales engineer at MFGS, Inc. with a specialization in all aspects of cyber security. He has nearly a decade of experience in the industry and holds a degree in cybersecurity from Saint Leo University and maintains ten certifications.