Part 5 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.1
In March 2019, college applicants at three private, liberal arts colleges reported that they had received anonymous notes offering them the chance to buy their admissions files, including comments from admissions officers, interview reports, ratings, application decisions, etc.
After the colleges became aware of the situation and investigated this potential breach, it was determined that an unauthorized party had gained access to the campus admissions systems by exploiting weaknesses in the password reset systems used by the colleges. The hackers first used a phishing e-mail to get admissions staff members to provide their credentials. Because these schools were using Single Sign-On (SSO) and had not deployed a two-factor or multi-factor authentication system, the hackers were able to access the systems and steal data with nothing more than the user credentials. Unfortunately, because the hackers were using legitimate staff member logins, they went undetected by typical intrusion detection software. One college believed that victims may have had their names, addresses, birthdays, email addresses and other admissions data compromised, as well as Social Security numbers.
With so much sensitive data readily available within college and university systems, it is critical for institutions to continue to strengthen access controls in order to prevent unauthorized access. The fifth control from NIST SP 800-171 rev.1 covers Identification and Authentication, and outlines the recommended controls that should be in place in order to protect sensitive data.
Basic Security Requirements
3.5.1 Identify system users, processes acting on behalf of users, and devices.
3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
The first step, Identification, is the point at which you claim to be a particular user of the system; that claim is used to tie your user account to the appropriate controls based on your identity. This is done by typing in your username or User ID during the login process, placing your finger on a fingerprint scanner, scanning your ID badge, etc.
Authentication occurs next and is the process by which the system determines that you are, in fact, who you claim to be. During authentication you provide evidence of your identity (e.g., a password). Other authentication methods include PINs, smartcards, biometrics, tokens, etc.
There are many additional controls that should be implemented within the organization’s access control and password policies and procedures. Below are the derived security requirements from NIST SP 800-171, which include requirements for things like preventing the reuse of passwords, enforcing a specific level of complexity for new passwords, and requiring an immediate change when a temporary password is issued.
Derived Security Requirements
3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
3.5.5 Prevent reuse of identifiers for a defined period.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 Store and transmit only cryptographically-protected passwords.
3.5.11 Obscure feedback of authentication information.
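Requirements 3.5.7, 3.5.8 and 3.5.10 translate directly into a small amount of server-side logic. The following is an added example written for this article, not code from CampusGuard or from NIST: a minimal password policy enforcer that checks complexity and how many characters changed (3.5.7), refuses any of the last N passwords by comparing against their stored hashes rather than keeping plaintext (3.5.8), and stores only a salted PBKDF2-HMAC-SHA256 digest (3.5.10). The minimum length, the history depth, the "characters changed" threshold and the PBKDF2 iteration count are assumptions chosen for the example; NIST leaves those values to the organization.

```python
"""Added example (not from the CampusGuard article): a minimal password
policy enforcer covering NIST SP 800-171 3.5.7 (complexity and change of
characters), 3.5.8 (no reuse for N generations) and 3.5.10 (store only
cryptographically protected passwords).  All numeric parameters below are
assumptions for the example, not values stated by NIST or the article."""
import hashlib
import hmac
import os
import string
from typing import List, Optional

HISTORY_DEPTH = 5            # 3.5.8: remember this many previous passwords (assumption)
MIN_LENGTH = 12              # 3.5.7: minimum length (assumption)
MIN_CHANGED_CHARS = 4        # 3.5.7: "change of characters" threshold (assumption)
PBKDF2_ITERATIONS = 200_000  # work factor (assumption; use the current recommended value in production)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """3.5.10: store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def complexity_errors(new: str, current: Optional[str]) -> List[str]:
    """3.5.7: minimum length, at least three character classes, enough characters changed."""
    errors = []
    if len(new) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in new) for cls in classes) < 3:
        errors.append("needs at least three character classes")
    if current is not None:
        # Count positions that differ plus any length difference, so that a
        # one-character bump such as "...2024!" -> "...2025!" is rejected.
        changed = sum(a != b for a, b in zip(new, current)) + abs(len(new) - len(current))
        if changed < MIN_CHANGED_CHARS:
            errors.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    return errors


class PasswordRecord:
    """Per-user state: the active hash plus a bounded history of previous hashes."""

    def __init__(self, initial_password: str):
        self.current = hash_password(initial_password)
        self.history: List[str] = []

    def change_password(self, old_plain: str, new_plain: str) -> List[str]:
        """Return an empty list on success, or the list of policy violations."""
        if not verify_password(old_plain, self.current):
            return ["current password incorrect"]
        errors = complexity_errors(new_plain, old_plain)
        # 3.5.8: reject a new password equal to the current one or any of the
        # last N, checked against stored hashes so history never holds plaintext.
        if any(verify_password(new_plain, h) for h in [self.current] + self.history):
            errors.append(f"matches one of the last {HISTORY_DEPTH + 1} passwords")
        if errors:
            return errors
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new_plain)
        return []
```

The reuse check deliberately re-hashes the candidate against each remembered salt, which is the only way to compare against history without retaining plaintext or unsalted digests; the cost is a few extra PBKDF2 computations per change, which is acceptable for an operation users perform rarely.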
With these requirements for creating and maintaining passwords, you may also want to provide users with an approved password management tool so they do not resort to keeping track of multiple system passwords in spreadsheets, sticky notes, etc. Providing an approved solution can also help prevent your users from installing insecure applications, storing passwords on file shares, etc.
Derived Requirements 3.5.3 and 3.5.4 call for the use of multifactor authentication (MFA) and replay-resistant authentication mechanisms for both local and network access to privileged accounts (system admins), as well as for network access to non-privileged user accounts. The Payment Card Industry Data Security Standard (PCI DSS) also requires that all non-console administrative access and all remote access to the cardholder data environment be secured with MFA. This includes all personnel, as well as vendors, with remote access to network resources.
What is multifactor authentication, and why has it become such a big topic in recent months that it is now being promoted for personal bank accounts by the likes of Chase and US Bank? Single-factor authentication, for example using just a password to authenticate a username, can be easily compromised through phishing e-mails, password spraying, password cracking software, etc., as we saw with the recent college admissions breach. Therefore, security experts now recommend that all systems holding sensitive information implement multifactor authentication, which requires two or more different factors to achieve authentication. These factors are: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., a biometric like an eye scan or fingerprint).
When attempting to access a system that has been set up with MFA, an attacker would need to compromise at least two different authentication factors, increasing the difficulty of accessing or compromising the system and lowering the overall risk. If your institution has not yet implemented MFA with your Single Sign-On/Active Directory system, you could be putting multiple systems and data at risk.
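The "something you have" factor most campuses deploy is a one-time code from an authenticator app, and the replay resistance 3.5.4 asks for comes from how the server consumes those codes. The following is an added example for this article, not code from CampusGuard, NIST or any authenticator vendor: an RFC 6238 time-based one-time password (TOTP) verifier built on RFC 4226 HOTP, with the bookkeeping that makes a code single-use. Once a code for a given 30-second step has been accepted, that step is marked consumed, so a phished or sniffed code is rejected even if it is still inside the clock-skew window. The shared secret, the one-step skew tolerance and the 6-digit length are assumptions for the example; the test vectors used are the published RFC 4226/6238 ones.

```python
"""Added example (not from the CampusGuard article): a TOTP (RFC 6238)
verifier for the "something you have" factor, with replay protection.
The skew tolerance and digit count are assumptions for the example."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6       # code length (assumption; RFC 6238 allows 6-8)
SKEW_STEPS = 1   # accept the previous/next step to absorb clock drift (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // TIME_STEP)


class TotpVerifier:
    """Server-side state for one enrolled user's second factor."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        """Accept a code for the current step or one step either side, exactly once."""
        now = int(time.time()) if unix_time is None else unix_time
        current_step = now // TIME_STEP
        for step in range(current_step - SKEW_STEPS, current_step + SKEW_STEPS + 1):
            # 3.5.4 replay resistance: any step at or below the last accepted
            # one is dead, even if the skew window would otherwise allow it.
            if step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret; at T=59 the 6-digit SHA1 code is 287082.
    demo_secret = b"12345678901234567890"
    verifier = TotpVerifier(demo_secret)
    print("first use :", verifier.verify(totp(demo_secret, 59), unix_time=59))   # True
    print("replayed  :", verifier.verify(totp(demo_secret, 59), unix_time=59))   # False
```

Note what the second factor does and does not buy in the admissions breach scenario above: a password harvested by phishing is useless on its own, and a one-time code that is also phished is good for one login during one time step and cannot be replayed afterwards. Phishing pages that relay the code in real time are still possible, which is why the later section on continued staff education still applies.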
Even with technical controls like MFA in place, continued education of all staff remains important. Give extra focus to those who might be higher-profile targets, like Deans, VPs of Finance and IT Executives, as well as your System Admins. Ongoing awareness training, as well as targeted phishing tests, can help ensure your staff remain vigilant and do not easily give hackers the keys to your environment.
Some additional guidance from the CampusGuard Offensive Security Team:
[Sullivan]: Password-only authentication systems are becoming easier and easier for criminals to break into as breaches stack up, and proven methods such as phishing, password re-use and password spraying continue to be used to infiltrate networks. Any external-facing systems should at a minimum be protected by a multi-factor system and, if possible, not be connected to the internal Active Directory system. This increases the level of effort to break in and significantly slows down any attackers if they do manage to get that first piece of authentication in the form of the user’s password.