Passwords are a thing of the past

When you are in the cyber business, it's hard to escape your work. I see cyber risk everywhere. At home, when my kids would jot down passwords on scraps of paper, I talked with them about good cyber hygiene.

It has become my mission to help people -- at home and at work with federal government clients -- better understand how the world has changed. We must always protect and defend ourselves. Passwords should be a thing of past, as obsolete as the floppy disk or the dial-up modem. The cyber world has moved on, and now we need to catch up -- quickly.

Threats are no longer rogue hackers relishing the satisfaction of having infiltrated a protected network. Instead, more dangerous actors -- often sophisticated and state-sponsored cyber "terrorists" -- are persistently and quietly exploiting networks to obtain sensitive information for nefarious purposes.

The federal government, under the direction of federal CIO Tony Scott, is heading in the right direction with the focus on multifactor authentication. As part of Scott's directive, the government launched an accelerated cybersecurity sprint that required federal agencies to improve the security and resilience of their networks.

The initial focus on MFA is for privileged-user accounts, which are held by those who "have the keys to the kingdom" and can perform security-sensitive actions. Those actions include the ability to add, change and delete user accounts of all privilege levels; read, copy, change and delete any file on the system; install software, potentially including malware; and confer trust on new digital certificates and certificate authorities. Without MFA, an attacker possessing a privileged user's username and password could carry out those actions.

Adopting mandatory MFA can protect against cyberattacks because it increases the degree of difficulty for attackers by requiring more than a username and password. Requirements can include two or more types of factors, including:

1. Something you know (e.g., password or PIN).
2. Something you have (e.g., cryptographic hardware device, such as personal identity verification card or YubiKey).
3. Something you are (e.g., biometric, such as fingerprint, iris or face).

For example, PIV-enabled MFA requires the user to insert his or her PIV card (something the user has) into a card reader and enter a PIN (something the user knows) to unlock the PIV's digital certificates. The PIV card, which contains a microprocessor and memory, then participates in a cryptographic authentication process with the protected network or server. The cryptographic process cannot be duplicated by an attacker who does not possess the user's PIV and PIN.

Implementing MFA for privileged-user accounts is critical for security purposes but can be a cumbersome task that is complicated at many federal agencies by an intricate web of legacy applications. Often, those legacy systems do not offer out-of-the-box support for MFA and, as a result, are more difficult to PIV-enable.

Although challenging for many government agencies, there is a way to achieve MFA through a multi-tiered approach by:

1. Requiring PIV authentication where possible and rapidly implementing known technical solutions for environments that can support PIV.
2. Using other MFA tokens where available to eliminate remaining password-enabled accounts.
3. Determining mid- and long-term infrastructure changes required to PIV-enable all privileged-user accounts.

The use of MFA is an effective first step, yet it is only one element of a comprehensive cyber defense strategy. Other critical components include:

• Policies and procedures to govern acceptable user behavior for privileged users and establish what constitutes anomalous behavior for monitoring and detection.
• Provisioning and privilege management of access privileges associated with privileged-user accounts to make sure that assigned privileges are still necessary.
• Account activity and network firewall log monitoring to discover anomalous behavior and detect attacks in order to respond in a timely fashion.
• Strong authentication for system-to-system communications to impede an attacker's ability to access system resources.
• Encryption of sensitive data to make it unreadable by intruders.
• Session recording and auditing to log privileged access and specific actions taken during a login session.
• Incident response and recovery capabilities to minimize and repair the impacts of successful attacks and restore normal business operations.

That holistic approach is what we at Deloitte call being secure, vigilant and resilient. To reduce and repair the impacts of attacks and restore normal business operations, the approach enables authentication, monitoring, incident response and recovery capabilities.

Although only part of a holistic approach, MFA is a necessary and critical step on the way to properly protecting federal systems and networks.