As tech editorial writers have informed us, this has been the year of the breach. I'm shocked! My go-to source for breach stats is the Identity Theft Resource Center, which calculates its numbers by reviewing security incidents as reported in the press. For 2014, they've counted over 80 million records exposed, with Home Depot's breach making up the bulk of that number.
But this year's ITRC survey had "unknown" filled in for several giant data heists: Dairy Queen, JP Morgan Chase, and eBay. Some are guesstimating that the true number is closer to 200 million records. Ok, it was a bad year, worse than 2008, when we had the TJ Maxx incident.
While this is all interesting and alarming, why isn’t anyone talking about the ease with which hackers can enter and move around in corporate IT systems?
The root cause underlying many of the major hacks is a terrible system of authentication (and yes, I am talking to you, Microsoft) in which basic brute-force password guessing is far too effective. Multi-factor authentication for remote connections would greatly help matters. But once in, hackers have an easier time than they should collecting additional user credentials through replay, man-in-the-middle, "pass the hash", and other sneaky techniques.
For many in IT, the operating system's security is seen as a magical force, a Microsoft-will-take-care-of-it philosophy. Microsoft has had long-standing problems with its native NTLM authentication that many in IT security may not even be aware of. By the way, weaknesses in NTLM were implicated in the obliteration of Sony.
The hackers, on the other hand, know this part of the Windows OS very, very well, with the best having the equivalent of PhDs in this arcane area.
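The defender's side of the brute-force and pass-the-hash problem described above is noticing it in the Security log. The following is an added example, not code from the post or the ebook: it parses a constructed, simplified rendering of Windows logon events (event ID 4625 = failed logon, 4624 = successful logon, logon type 3 = network, authentication package NTLM or Kerberos) and flags three things worth review: a burst of failures against one account followed by a success, one source failing against many different accounts (password spraying), and successful NTLM network logons, which is the authentication path pass-the-hash relies on. The log field layout, sample lines, thresholds and time windows are all assumptions made for this example.

```python
"""Spot password guessing and NTLM network logons in Windows logon events.

Added example, not from the post or the ebook. The event IDs (4625 failed
logon, 4624 successful logon) and logon type 3 (network) are real Windows
Security-log values; the pipe-separated field layout and the sample lines
below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|account|source_ip|logon_type|auth_package
SAMPLE_LOG = """\
2014-12-01T09:00:01|4624|alice|10.0.0.5|2|Kerberos
2014-12-01T09:00:10|4625|bob|10.0.0.77|3|NTLM
2014-12-01T09:00:12|4625|bob|10.0.0.77|3|NTLM
2014-12-01T09:00:14|4625|bob|10.0.0.77|3|NTLM
2014-12-01T09:00:16|4625|bob|10.0.0.77|3|NTLM
2014-12-01T09:00:18|4625|bob|10.0.0.77|3|NTLM
2014-12-01T09:00:20|4624|bob|10.0.0.77|3|NTLM
2014-12-01T09:05:00|4625|carol|10.0.0.99|3|NTLM
2014-12-01T09:05:01|4625|dave|10.0.0.99|3|NTLM
2014-12-01T09:05:02|4625|erin|10.0.0.99|3|NTLM
2014-12-01T09:05:03|4625|frank|10.0.0.99|3|NTLM
2014-12-01T09:05:04|4625|grace|10.0.0.99|3|NTLM
2014-12-01T10:30:00|4625|alice|10.0.0.5|2|Kerberos
2014-12-01T10:30:30|4624|alice|10.0.0.5|2|Kerberos
"""


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    account: str
    source_ip: str
    logon_type: int
    auth_package: str


def parse_log(text):
    """Parse the constructed pipe-separated format into LogonEvent records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ip, ltype, pkg = line.split("|")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), acct, ip, int(ltype), pkg))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold failures inside a sliding window.

    Returns {account: {"failures": n, "last_failure": ts, "success_after": bool}};
    success_after is True when a 4624 for that account lands within `window`
    of the burst, i.e. the guessing probably worked. Thresholds are assumptions.
    """
    recent = defaultdict(list)  # account -> timestamps of failures still inside the window
    findings = {}
    for e in events:
        if e.event_id == 4625:
            kept = [t for t in recent[e.account] if e.ts - t <= window]
            kept.append(e.ts)
            recent[e.account] = kept
            if len(kept) >= threshold:
                findings[e.account] = {"failures": len(kept), "last_failure": e.ts, "success_after": False}
        elif e.event_id == 4624 and e.account in findings:
            if e.ts - findings[e.account]["last_failure"] <= window:
                findings[e.account]["success_after"] = True
    return findings


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that fail against >= min_accounts distinct accounts inside a window.

    Per-account lockout does not catch this pattern, which is why it is tracked
    per source. Returns {source_ip: set(accounts)}. Thresholds are assumptions.
    """
    per_source = defaultdict(list)  # ip -> [(ts, account)] still inside the window
    findings = {}
    for e in events:
        if e.event_id != 4625:
            continue
        kept = [(t, a) for t, a in per_source[e.source_ip] if e.ts - t <= window]
        kept.append((e.ts, e.account))
        per_source[e.source_ip] = kept
        accounts = {a for _, a in kept}
        if len(accounts) >= min_accounts:
            findings[e.source_ip] = accounts
    return findings


def ntlm_network_logons(events):
    """Successful network logons authenticated with NTLM rather than Kerberos.

    Not proof of anything by itself, but this is the path pass-the-hash uses,
    so in a Kerberos-domain these are the logons to review.
    """
    return [e for e in events if e.event_id == 4624 and e.logon_type == 3 and e.auth_package == "NTLM"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("spray:", detect_password_spray(evs))
    print("NTLM network logons:", [(e.ts, e.account, e.source_ip) for e in ntlm_network_logons(evs)])
```

On the constructed sample the burst against `bob` is reported with `success_after` set, the source `10.0.0.99` is reported as spraying five accounts, and `bob`'s successful NTLM network logon is listed for review; `alice`'s single typo-then-success is correctly ignored. Real deployments would read these events from the event log or a SIEM rather than a string, and would tune the thresholds to the environment's normal failure rate.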
And that's why I wrote "The Essential Guide to Password-based Authentication." IT managers and security pros need to really understand the problems with a technology that was formed in the 1980s and 90s. The ebook explains the basic mechanics that allow us to log in to our accounts, the long-standing vulnerabilities in NTLM and Kerberos, and most importantly what you need to do to mitigate authentication-based attacks.
The book is available in iTunes (cost is bupkes) and, if I may be allowed, it is highly readable and accessible. It's in the form of a clever Q&A between a knowledgeable pro and a well-meaning and informed novice who needs to quickly get up to speed on data security, cryptography, and NTLM/Kerberos.
And have I mentioned it's free?