Friday, January 24, 2020
Security+ Topic - Penetration Testing Authorization
Wednesday, January 15, 2020
Security+ Topic - Dictionary Cryptographic Attack
If we stick with only the alphanumeric passwords from 2019 on the Wikipedia list, these simple passwords are crazy easy to defeat. password, iloveyou, admin, lovely, welcome, princess, and dragon top their list. If these are the top of the list, we can only imagine what other words are commonly used but not quite often enough to make the list. Granted, there are other mitigations against this type of attack, such as a limit on the number of attempts, restrictions on the login source, or up-to-date blacklists, to name a few. This still doesn’t excuse the use of extremely weak dictionary-based passwords.
I’ve posted in the past about tools you could use which have dictionaries built in and are able to speed through them in their attempts to log into an account. On top of that, rainbow tables already include most (if not all) of the dictionary and can match a simple dictionary password extremely fast. In reality we have to take into consideration the default passwords on customer devices such as DSL modems, cable modems, SoHo routers, and switches, to name a few. These are most likely the biggest culprits behind these easy dictionary passwords. Still, when you weed those out of the list, there are plenty of other simple dictionary passwords in use.
What it really boils down to is the fight between “ease of use” and a “secure environment”. Why do people use simple dictionary passwords? They are simple to use. I’ve seen a meme that says “I changed all my passwords to incorrect so whenever I forget it will tell me that my password is incorrect”. There is always some truth in every joke, and this one really applies to why a dictionary attack works. Just last week I went to log into a bank and couldn’t remember my password. I tried to reset it, but it told me that I couldn’t re-use a password that I had previously used. What happened is that I was forced to change my password so many times that I didn’t even know my own password and was forced to use a password I can never remember. Hence the introduction of simple passwords born from frustration.
End users will almost always use the simplest password they can come up with. If their favorite childhood book is “The Cow Jumped Over the Moon” and they have a fond memory of it, their password is now “thecowjumpedoverthemoon”. The point I would like you to take away from this is to make sure to use a secure password that is much less vulnerable to a dictionary attack while still maintaining ease of use. Enforce a password policy that lets the user have a password they can remember, such as “thec0wjump$dOVERthem00n”, without making your organization vulnerable to a dictionary attack. Aka, not that password.
Tuesday, January 14, 2020
Security+ Topic - Always On VPN
The next question to address is: what is Microsoft Always On VPN? Historically, Microsoft had the DirectAccess remote access process, and Always On VPN is a recreation of and improvement on that secure access process. As the name implies, this technology is always running in the background and does not require the user to connect manually. The one exception is when the user is required to complete two-factor authentication as part of the VPN access. When connected via Always On VPN, the user experiences the network as if they were at the company workplace, able to work on their data or applications as if on-site.
When looking at the items required to get this up and running, it looks similar to the historic DirectAccess setup. As part of the evolution of the product, though, Always On VPN provides many more benefits, such as traffic filtering, granular restriction of network resources via administrative controls, support for non-domain workstations and servers, and integration with Azure Active Directory. Further benefits are ones most IT administrators will already be familiar with: access decisions based on where the user is connecting from, the health of the end device, and credential authorization.
There are a few nuts and bolts to take into consideration when implementing the Always On VPN solution. The process is not yet turn-key, but hopefully we will get closer to that goal in the future. The upside of implementing Always On VPN is that most of the underlying components are already present in most company environments. The connected components are as follows:
Domain Controllers
DNS Servers
Network Policy Server (NPS)
Certificate Authority Server (CA)
Routing and Remote Access Server
Part of the implementation is that Always On VPN uses Mobile Device Management, which provides flexibility through platforms including System Center Configuration Manager, Intune, and other third-party products. Combined with multi-factor authentication, these make for a strong process for either granting or denying access.
To further mitigate risk and help control access, Azure is able to detect sign-in risk based on the behavior of the sign-in request and potentially even block a user if warranted. If the connection’s location is deemed less secure, the user may need to prove their identity before the connection is finalized. There is also the ability to restrict access to only corporate-owned and managed devices.
Using Microsoft Always On VPN makes securing the end user as seamless as possible. While there is a bit of setup to take on, the benefits are huge. Bringing in a swath of options such as non-enterprise licensed end devices and non-domain-joined nodes, Always On VPN is a great option for VPN implementation.