RSA token attack obscures deeper security flaws

Authentication will always have holes -- which is why you should focus on limiting the damage after bad guys gain access

At the risk of sounding like a broken record, the latest RSA token attack -- the one where researchers can supposedly compromise a private key on an RSA token -- doesn't bother me that much. I said as much about the Flame malware program a few weeks ago and for many of the same reasons.

In this case I care even less. For one, RSA strongly asserts that nothing is broken, and there are strong arguments to back that up. The attack essentially requires complete compromise of the related host computer, possession of the token, and knowledge of the secret PIN. As RSA rightly points out, if you have all that, there's no need to compromise the token. You're already in charge and authenticated. Plus, RSA claims, even if you have all the elements, the private key remains uncompromised.

[ Also on InfoWorld: Roger A. Grimes explains why he can't get inflamed over Flame. | Build and deploy an effective line of defense against corporate intruders with InfoWorld's Encryption Deep Dive PDF expert guide. Download it today! | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]

Even if the argument is completely true, though, there are bigger problems and better solutions.

You have to assume that all authenticators will get weaker over time. You have to assume what was once a perfect defense becomes nearly useless as an authenticator. Years ago, we accepted passwords of any type, short or weak, it didn't matter. Somewhere along the way we recommended a minimum of six characters to stymie hackers, then eight characters, and now 12, with at least three characters sets of complexity. But passwords aren't so good -- they get stolen and cracked -- so we recommend two-factor authentication, tokens, smartcards, and biometrics. It should be no surprise that these forms of authentication will come under increasing attack, too.

In the Windows authentication world, we strive to tell users to move from LANManager authentication to NTLM to Kerberos and beyond. If the attacker gains complete control to your operating system authenticator (hash, token, ticket, certificate, whatever), it's always game over. Assume that authentication, no matter what it is, will always be compromised and weakened over time. I'm not saying there isn't value in strong authentication. Obviously, there is. What I am saying is that authentication shouldn't be your first and last defense.

Better things to worry about
My biggest worry is that some bad guy will take over my whole network. In order to do this, an attacker must take over one computer, compromise authentication credentials, then use that access to take over other computers in the environment -- until the attacker obtains privileged access and can download the main authentication database. In the Windows world, the attackers go from a local system compromise to becoming domain administrator over a domain controller and dumping all the password hashes. If we assume that one or more attackers will always be able to compromise at least one authenticator, the defense becomes limiting the damage.

You do that by limited access. In particular, you accomplish it most successfully by limiting the access that any one authenticator can access. It's least privilege in practice!

In the Windows world, we do this by minimizing or eliminating elevated accounts and memberships, particularly in Enterprise Admins, Domain Admins, and local Administrators. That way a single compromise of a single account doesn't lead to broad and deep access.

When someone is a member of one of the superelevated groups (such as Domain Admins, Enterprise Admins, and so on) they never need all the permissions and privileges the supergroup is given. They're added to the membership to accomplish only a subset of actions the supergroup can accomplish. When you add permanent members (sometimes you absolutely need membership to elevated accounts to accomplish particular tasks), you're essentially saying you're not going to follow least privilege. You've acknowledged it's a nice theory and sounds great, then you don't follow it.

1 2 Page 1
Cybersecurity market research: Top 15 statistics for 2017