02 September 2021

Blast (of Advice) from the Past

I'd like to be kind and say that this advice is from 2015. It isn't; it is older than that. Much older. But we're talking about the government.

CISA: Don't use single-factor auth on Internet-exposed systems

That is the .gov bureaucracy with the name (and the logo) I hate: The Cybersecurity and Infrastructure Security Agency. Was it named by the Department of Redundancy Department? Couldn't Security only be in the name once? Apparently not.

Just for reference on the subject of two-factor authentication... Amazon Web Services introduced 2-factor authentication in 2009, and Google introduced Google Authenticator in 2010. You can't expect the government to be right on top of these changing technologies. (Local governments are still trying to figure out how to deal with these newfangled cellular telephones and the 911 system.)

And it didn't catch on right away, so we can't really say that the .gov is 10 or 12 years behind the times. Or maybe we can. Anyway, it does work. Ring Doorbell only made 2-factor authentication MANDATORY in 2020. But then Ring doorbells aren't exactly "critical infrastructure."

Single-factor authentication (SFA) has been added today by the US Cybersecurity and Infrastructure Security Agency (CISA) to a very short list of cybersecurity bad practices it advises against.

I can hear the screams from here. Multi-factor authentication is hard. I don't want to install another app on my phone. (Oh look, the new Angry Birds!) I don't want to put a security fob on my key-chain. I don't want to [insert lame excuse here].

The number of examples that lead up to this are legion. Just in the past year or so there was that Florida water treatment plant - where someone tried to poison the water - right down to Colonial Pipeline. And though Colonial Pipeline had a raft of problems, 2-factor authentication would have stopped that insanity before it started. (They may have been vulnerable to other attacks. Like I said, they had a raft of problems.)

As the federal cybersecurity agency said, SFA (a low-security authentication method that only requires users to provide a username and a password) is "exceptionally risky" when used for remote authentication or logging into an account with administrative permissions.

"The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety," CISA says.

As I have said before, security is NOT the focus of this blog, but when I see the .gov acting as a conduit for good advice from ten years (OK, 8 years) ago, I have to take notice.

Though in thinking about this, I think it might actually be a case of "better late than never." CISA can lord it over federal government agencies, and maybe the statement can be used to move some executives off the "Why do we have to do that?" square.

2 comments:

  1. the problem isn't two factor or single factor authorization. the problem is most of this stuff shouldn't be on the internet AT ALL. (and yes, i'm looking at you internet of things).

    Critical infrastructure should be air gapped. this is duh level system architecture.

    most of the applications for personal use (banking, CC's, etc) are uselessly guarded. the real purpose isn't to make your personal life easier, it's to make it easier for the thieves to steal it. it's way easier for a thief to steal 100,000 banking account numbers on the internet than to steal mailbag after mailbag of checks.

    The "advances" of the last 15/20 years are in fact not advances at all.

    1. Unfortunately that ship has sailed, as all the executives see is "we can save money and not have people everywhere."

      That is what bit Colonial Pipeline. In part. That and they just ignored security on multiple levels.

