A little over a year ago, banking regulators released the “Authentication and Access to Financial Institution Services and Systems” guidance. Since that time, Bedel Security has been taking the guidance to heart and delving much deeper into authentication and access controls when we perform risk assessments.
The results have been eye-opening. We have discovered allegedly secure systems that are much more exposed to attack than previously thought. In this article, I will attempt to walk through steps that the owner of a critical system can use to identify potential weaknesses that could be used to gain access to the system by an outsider.
It starts with password lengths and complexity. If a critical system still uses a password length of eight characters or does not require numbers, upper case, lower case, and special characters, it is too short and/or simple by today’s standards. We optimally look for passwords that are at least 14 characters (longer for administrative passwords) and complex.
Next, determine where a system is accessible from, especially if the system is accessed using a web browser. Microsoft uses the term “conditional access” to describe controls that limit where a system is accessible from. Critical systems should be locked down so that employees can only access them from the corporate network and/or from a corporate-controlled device. If a user of a critical system can log in from a home PC or a personal cell phone that is not on the corporate network, it likely means that a hacker that steals the password will be able to access the system from anywhere also. Just as scary is the thought that a terminated employee can access the system remotely if they are not immediately removed from the system by an administrator.
Finally, determine what type of multifactor authentication (MFA) is required by employees to access the critical system. If a system has weak passwords or is accessible from anywhere on the network, MFA strength will be the last control keeping an outsider from accessing data. While no MFA method is perfect, the stronger methods are those that require authentication apps or hardware devices that utilize digital tokens or biometrics to gain access. If a terminated employee gets access to a system that has strong MFA, an organization will at least have evidence that it was indeed the terminated employee that accessed the data.
A critical system that is accessible over the Internet should use all three of the above controls (strong passwords, critical systems, and multifactor authentication) to control access to the system. A weakness in any of the three areas means that there is at least a moderate risk of unauthorized access present. A weakness in two or three of these areas means the risk level may be high.
Many of the systems we find with these weaknesses are provided by third parties. In some cases, system owners simply need to ask to activate stronger controls and the third party will help them to implement them. But in other cases, we have found that there are vendors and government agencies out there that handle customer data but do not provide the capability to implement stronger passwords, strong multifactor authentication, or conditional access. In these cases, institutions need to work with the third party to stress the importance of these controls, possibly working within user groups to demand better controls as a group.
Bedel Security helps financial institutions understand their cybersecurity risk, including risk from poor authentication and access controls. If you believe that your institution needs help in this area, please feel free to reach out at support@bedelsecurity.com!