16
September 2015

US Government’s 30-Day Authentication Sprint Points the Way for UK Firms

Andy Harris

The US government has been the subject of some fierce criticism of late for apparent security failings which allowed attackers to steal highly sensitive data on former and current employees. The Office of Personnel Management (OPM) hack may even go down in history as a turning point in how Washington treats data security. But credit where it’s due, the “30-Day Cybersecurity Sprint” announced shortly after has made good progress in shoring up some key gaps – most notably in access controls for privileged staff.

Public and private sector organisations in the UK could do worse than follow their lead and roll out two-factor authentication systems for employees. Coupled with single sign on it’s a simple way to protect your most sensitive data by locking out the bad guys, without causing extra friction to the user.

The story so far

The US OPM hack exposed – potentially to a nation state – the records of 22 million current and former government employees, including highly sensitive details on some who’d applied for jobs requiring security clearance. It’s still not fully clear what happened, but as we reported earlier, attackers are said to have gained privileged user access – most probably by compromising log-in credentials.

The ensuing 30-Day Cybersecurity Sprint has sought to tighten policies and procedures for these privileged users but also roll out two-factor authentication using “a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication”. US government CIO Tony Scott has reported impressive progress.

Specifically, Federal civilian agencies increased use of strong authentication for both privileged and unprivileged users by 30%, from 42% to 72%. For privileged users alone the increase was 40% – from 33% to 75%. In total, more than half of Washington’s largest agencies have implemented strong authentication for 95% of privileged users. Now there’s certainly a lot of work left to do – even one account not secured with strong authentication can be enough for hackers to compromise an entire network. But it’s a good example for organisations looking to fortify themselves against the threat targeted attacks.

A lesson for all

Two factor authentication is certainly not a silver bullet. It can only help firms reduce risk in certain areas, and should be combined – as Scott and his team have mandated – with prompt patching of system vulnerabilities, improved scanning for signs of intrusion, and other steps. But it does mean an end to the folly of traditional password-based systems. Such systems are open to abuse and misuse – users creating easy to crack credentials, or reusing passwords across accounts, for example. And they can often be hacked, phished or otherwise obtained to give targeted attackers, in the case of privileged users, a direct route to your most sensitive data.

At Osirium we’ve long been warning firms that privileged users could be one of the biggest hidden weak points in their organisation. Many IT admins don’t practice what they preach when it comes to security, and these shortcomings can be ruthlessly exploited by covert hackers increasingly keen on targeting users with elevated access rights.

Our Privileged User Management platform offers two factor authentication plus single sign on to maximise the security of privileged accounts, while minimising friction for the user.

We hide the complexity entirely from the user, creating long, random passwords which are impossible to crack in a single refresh cycle. They are stored on our side, meaning they don’t pass through the user’s system so can’t be stolen by hackers or misused by IT staff. Two-factor authentication can boost security even more for customers that want it while SSO simplifies access to all native management tools already in use by the sysadmin staff.