Wednesday, June 23, 2010

Vulnerability Assessment — Do You Know Who Is Accessing Your Data?
by Anna Slomovic, Anakam CPO

When the ash cloud from Eyjafjallajokull volcano caused the closure of vast portions of European air space in April 2010, hundreds of thousands of people found themselves stranded in places where they had not expected to be.  Many of them started working from wherever they were—hotels, friends’ homes, Internet cafes, and airport hotspots.  Even the Norwegian prime minister was working remotely from the airport when he could not get home after attending President Obama’s nuclear summit.  Clearly, teleworking is no longer a capability that needs to be available to a few staff members with predictable telecommuting arrangements, but something that can be and should be available to a variety of workers in many situations.  In addition to providing convenience and increased productivity, telework is also an important part of corporate business continuity and disaster recovery plans.

However, letting workers access sensitive systems and data from unpredictable locations and, potentially, using uncontrolled devices raises a host of privacy and security concerns.  Organizations remain accountable for data protection whether their data resides behind corporate firewalls or in the cloud, and regardless of the method by which the data is accessed.  Analyzing potential attack vectors related to remote access, identifying vulnerabilities, and implementing solutions to minimize risk of compromise is an essential part of securing systems and networks.  The threats and potential vulnerabilities involving credentials used to access corporate networks and view or transact business with corporate data need to be addressed along with more traditional defense assessments. 

Tracking who has access to organizational networks, systems and data—and being able to prove this in a way that is difficult or impossible to repudiate—is an important component of operating a secure computing environment.  Yet, in spite of repeated news coverage about the ease with which usernames and passwords are compromised, many organizations continue to rely on this type of credential for remote access, even when systems and data are strategically important to the company or involve sensitive personal information of employees and customers.  Weak authentication credentials are a significant security vulnerability even when enterprises require transactions to be conducted over an encrypted connection, and even if they permit users to access the corporate network only from company-issued “locked down” devices.

The problem is that once the enterprise accepts a user’s login credentials, the rights and privileges associated with those credentials allow the user to see data and to perform transactions with that data to the extent of his or her privileges in the system.  This data may include personal data such as web mail, personal health records, or tax data. If the remote access is afforded to those with higher level privileges like healthcare providers, tax preparers, or employees within the enterprise, they would have access to an even broader data set.  Fraudsters may get only gibberish by eavesdropping on an encrypted transmission, and they may only get encrypted gibberish if they manage to get through enterprise “back-door” defenses, but if they steal or guess user credentials, they arrive at the front door with the key that allows them to enter an account, view its unencrypted contents and perform transactions with the data.

In many cases, fraudsters do not really care whose account they hijack as long as they can get into a system and then use that entry to give themselves more rights and privileges.  Since fraudsters would be using legitimate credentials, organizations may not even know that their systems or networks have been compromised because they think that only legitimate users have gained access.  The problem is made worse by the fact that many people use the same username and password (often a publicly available or easily guessable e-mail address) over and over, making it easier for themselves to remember their login credentials and making it very easy for someone to compromise several accounts without additional effort.

Usernames and passwords can be attacked through multiple vectors.  These credentials can be stolen by installing malware on the user’s device, such as key loggers that snoop on user data entry and then send the information to thieves, or Trojans that facilitate man-in-the-middle attacks.  Malware is now so common and so sophisticated that users are often advised not to access their bank accounts or sensitive systems from public computers.  Another attack vector on usernames and passwords is phishing or smishing, i.e., sending an email or text message (SMS) that directs a user to a fraudulent web site and tricks him into entering credentials.  Once the thief has the credentials, however they may have been obtained, he has the ability to enter networks or systems through the front door.

To mitigate the weakness of usernames and passwords, some companies have adopted strong two-factor authentication.  In addition to requiring a username and password (something a user knows), strong authentication involves the use of a token (something a user has) or a biometric (something a user is). When two-factor authentication is used, stealing a username and password is not sufficient to gain access without also stealing and entering the second factor passcode within its limited validity period.  There are many modalities for providing this second factor passcode, and these vary in convenience and usability for the user and expense for the enterprise.  Having multiple approaches to two-factor authentication permits the enterprise to maintain network security in a variety of circumstances, even ones as unpredictable as disasters that strike without warning.  For example, the use of a smartcard may be fine when someone is working from an office computer with a card reader, but would not work for remote access from an Internet café.  A number-generating token would work with any computer, but only if the individual has that token at the time he or she requires access.  Receiving a passcode via SMS is convenient and does not require the individual to carry around anything other than his cell phone, but it does require cell reception. 

Technology is available that permits on-the-fly selection among multiple modalities for receiving a second factor authenticator.  This kind of versatility in a single, integrated platform allows organizations and their employees to derive maximum benefit from telework while maintaining the security of their networks, systems, and data.
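As an added illustration for the two preceding paragraphs (this is example code written for this page, not code from Anakam or from the Anakam Identity Suite), the block below shows the two properties the text relies on: a second-factor passcode that is only valid for a limited period and cannot be replayed, and a selector that picks a delivery modality from whatever the user has available at the moment. The passcode is a standard time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) using only the Python standard library; the shared secret is the RFC test-vector secret, and the modality priority order (smartcard, then number-generating token, then SMS) is an assumption chosen to match the three examples in the post rather than any product behaviour.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # validity period of one passcode (RFC 6238 default)
DIGITS = 6          # length of the passcode shown to the user

# Shared secret provisioned to the user's token. This is the public RFC 4226/6238
# test-vector secret, used here so the values are checkable; a real deployment
# generates a random per-token secret and never reuses this one.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step))


class SecondFactorVerifier:
    """Server-side check of the 'something you have' factor.

    A submitted passcode is accepted only if it matches the current time step
    (plus/minus `window` steps of clock drift) and has not been accepted before,
    so a stolen passcode is useless once its validity period has passed or once
    the legitimate user has already used it.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1   # highest counter already consumed (replay protection)

    def verify(self, submitted: str, at_time: float) -> bool:
        now = int(at_time // self.step)
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue                                      # already used or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter                   # burn this step so it cannot be replayed
                return True
        return False


def choose_modality(context: dict) -> Optional[str]:
    """Pick how the second factor is delivered from what the user has right now.

    `context` is a constructed description of the user's situation. The priority
    order is an assumption for this example: a smartcard in a reader, then a
    number-generating token, then an SMS passcode (which needs cell reception).
    Returns None when no modality is usable, in which case access is denied.
    """
    if context.get("card_reader") and context.get("smartcard"):
        return "smartcard"
    if context.get("hardware_token"):
        return "hardware-token"
    if context.get("cell_reception"):
        return "sms"
    return None


if __name__ == "__main__":
    # Stranded-at-the-airport scenario: no card reader, token left at home, phone works.
    situation = {"card_reader": False, "smartcard": True, "hardware_token": False, "cell_reception": True}
    print("deliver second factor via:", choose_modality(situation))

    verifier = SecondFactorVerifier(DEMO_SECRET)
    login_time = 59                                           # seconds since epoch, RFC 6238 vector
    code = totp(DEMO_SECRET, login_time)
    print("passcode:", code)
    print("first use accepted:", verifier.verify(code, login_time))
    print("replay accepted:", verifier.verify(code, login_time))
    print("accepted two minutes later:", SecondFactorVerifier(DEMO_SECRET).verify(code, login_time + 120))
```

The verifier keeps the username/password check separate (it is not shown), so a stolen password alone still fails at the second step; the `window` of one step either side of the current time is the usual allowance for clock drift between the token and the server, and widening it lengthens the period during which an intercepted passcode remains usable.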
