Two cybersecurity questions most organizations aren't asking
Posted on August 9, 2016

Information security is a critical technology function that often flies below the radar of technology and business leaders. As long as things are going well, security teams often work in the shadows, only coming into the spotlight when adverse events take place. That said, the ever-present looming threat of a security breach is one of the nightmares on the minds of IT leaders around the world.

Every IT professional should maintain situational awareness of the changes in the information security landscape and how they affect organizations both today and in the foreseeable future.

Some trends in information security are easy to spot because they're openly discussed in the trade and mass media, as well as being the subject of water cooler conversations among IT professionals. It's hard to imagine a security-aware technologist who isn't aware of the dangers of spear phishing attacks, the danger posed by advanced persistent threats, or the possibility that ransomware might infect an endpoint, rendering critical business information inaccessible.

Not every serious security issue, however, makes its way into the spotlight and the consciousness of IT professionals around the world. There are important cybersecurity questions that aren't on every organization's radar, but should be. Two such problem areas involve two-factor authentication and encryption. Both are valuable information security tools, yet neither one is foolproof. Vulnerabilities exist in both technologies that attackers are exploiting this very moment. Let's take a look at both of these threats in more detail.

Two-Factor Authentication Isn't Foolproof

Two-factor authentication (2FA) is a hot topic in information security circles and promises to protect organizations against many attacks that involve password theft. The basic premise behind this technology is that users should present two different forms of authentication when attempting to gain access to a sensitive system. The most common example of this is combining something the user knows (a password) with something the user has (a smartphone) to gain added assurance.

Recent advances in 2FA technology have streamlined the user experience, fueling rapid adoption by the public and private sectors. When a user wishes to log in to a system, he or she enters a username and password in the traditional manner.

At that point, an alert pops up on the user's smartphone asking if he or she is trying to access the system. Once the user clicks yes, the login proceeds. The idea is that, even if an attacker steals a password, the attacker would still require physical access to the smartphone to complete an attack.

As with any security technology, however, 2FA isn't a foolproof silver bullet. Recent attacks have used a man-in-the-middle approach where a user is directed to a phishing website that looks like a legitimate system and asks for the username and password. After the site obtains that information, it automatically reaches out to the real service and enters the same username and password, prompting the 2FA service to pop up an alert.

The user, seeing this alert, believes it is a normal request, because the user does not know that he or she is accessing a phishing website. Once the user completes the authentication request, the attacker's login successfully completes.

Despite the existence of this threat, 2FA justifiably remains an important and valuable part of many strong information security programs. The key lesson for security professionals is that 2FA is not a cure-all and it does have limitations. Organizations should deploy it as one component of a defense-in-depth strategy that includes user education, content filtering and other protections against phishing attacks.
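To make the relay concrete, here is an added toy simulation (not code from the original post) of the exchange in Python: a service with push-based 2FA, the phishing site that forwards stolen credentials to the real service, and two user behaviours. The credentials and IP addresses are constructed, and the address the password was submitted from stands in for whatever context a push prompt can show the user.

```python
import secrets
from dataclasses import dataclass, field

VICTIM_IP = "203.0.113.10"      # constructed: the real user's laptop
ATTACKER_IP = "198.51.100.77"   # constructed: the phishing relay server

@dataclass
class Service:
    """The legitimate service, with push-based 2FA. The sample credential is constructed."""
    users: dict = field(default_factory=lambda: {"alice": "correct horse"})
    pending: dict = field(default_factory=dict)   # push_id -> (user, ip that sent the password)

    def login(self, user, password, client_ip):
        """Step 1: check the password, then raise a push prompt on the user's phone."""
        if self.users.get(user) != password:
            return None
        push_id = secrets.token_hex(4)
        self.pending[push_id] = (user, client_ip)
        return push_id

    def prompt_context(self, push_id):
        return self.pending[push_id][1]   # what the phone could display about the request

    def approve(self, push_id):
        """Step 2: the phone taps 'yes' and whoever submitted the password gets the session."""
        user, _ = self.pending.pop(push_id)
        return f"session-for-{user}"

def phishing_relay(service, user, password):
    """The attack from the text: the fake site replays the victim's credentials to the real service."""
    return service.login(user, password, client_ip=ATTACKER_IP)

def naive_user(service, push_id, own_ip):
    """Taps 'yes' on any prompt that arrives right after typing a password (own_ip unused)."""
    return service.approve(push_id)

def careful_user(service, push_id, own_ip):
    """Mitigation: approve only when the prompt's origin matches the device actually in use."""
    if service.prompt_context(push_id) != own_ip:
        service.pending.pop(push_id)   # deny: the password came from somewhere else
        return None
    return service.approve(push_id)

def run_scenario(user_fn, phished):
    """Returns the session the login yields, or None if the user denied the prompt."""
    svc = Service()
    if phished:
        push_id = phishing_relay(svc, "alice", "correct horse")   # victim typed into the fake site
    else:
        push_id = svc.login("alice", "correct horse", client_ip=VICTIM_IP)
    return user_fn(svc, push_id, VICTIM_IP)
```

The address comparison is only an illustration of a prompt that carries context: a phone on a cellular network will not share its owner's laptop address, so in practice such context supports, rather than replaces, the user education and phishing protections the text calls for.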

Encryption Effectiveness Expires

Encryption is another technology that many organizations see as a panacea for information security issues. While it is a valuable technology in the toolkit of security professionals, encryption also has its limitations.

Encryption software uses mathematical algorithms, in conjunction with a secret key, to transform information into a form that makes it unreadable to anyone other than authorized recipients. It provides an important capability to protect sensitive information in cases where it might be otherwise insecure.

For example, an employee might encrypt a file containing sensitive information before sending it as an email attachment to protect it while in transit. Encryption can also protect information that is stored on a device in the event that the device is lost or stolen. Most modern mobile devices and operating systems now include built-in encryption technology that prevents a thief from gaining access to information stored on the device.

While most organizations understand that some encryption algorithms are flawed or use short keys that are susceptible to brute force attacks, they don't realize that the state of "secure" encryption technology is constantly changing. It is quite possible that a security researcher will discover a flaw in a popular encryption algorithm tomorrow that renders that algorithm insecure for future use.

The impact on organizations can be profound if they handle information that will remain sensitive for years to come. An employee data file that contains Social Security numbers, for example, will retain its sensitivity for decades.


If an attacker gains access to a file encrypted with a key that is strong enough to avoid attack today, he or she may simply hold onto that file for months or years, waiting for the technology to become available that allows a successful attack in the future. It's only a matter of time.

The easiest step that organizations can take to protect themselves against this risk is to choose very strong encryption options that are likely to withstand attack for many years. For example, organizations using the Advanced Encryption Standard face a choice between 128-bit, 192-bit and 256-bit keys.

While all three options are considered secure today, 256-bit keys are far less susceptible to a brute force attack and, if we experience a sudden advance in computing technology, will likely be more resilient against attack than their 128-bit counterparts.

Act with the future in mind

The shortcomings of two-factor authentication and encryption both have the potential to pose grave threats to enterprise information security over the next few years. By taking steps to address those risks today, business and technology leaders can position their organizations to remain safe in a dynamic and dangerous threat landscape.

About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.
