This is a continuation from last week's blog:
One best practice that should be exercised is the adoption of a secure-by-design standard. Many environments and applications of the past have a design plan focused on accessibility. However, as we discussed earlier, confidentiality and integrity must also be strong influences on how an environment is designed, implemented, and maintained. The case study of Apple’s iCloud is a perfect example of why secure by design matters. While it may look like a failure of the end users to secure their personal accounts, Apple certainly has some responsibility for weak security design. Many account management scripts used today are guilty of the same issue. However, more advanced scripts today use strict password requirements. This means that an account cannot be created or have its password changed unless the new password meets complexity requirements. These could include the password being a certain length, using special characters and numbers, or using a combination of these. For example, Microsoft uses a policy that passwords must meet 3 of the 5 complexity requirements. The five requirement categories that are provided are:
· Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
· Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
· Base 10 digits (0 through 9)
· Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
· Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Using these security requirements can greatly improve the strength of a password and decrease the risk of the password being guessed or falling victim to an attack known as “brute force.” Brute force software tries every possible combination of numbers and letters, continuing to guess a password until access is granted to an account. Using an average computer, Table 1 shows how long it might take the software to crack a password depending on the number of characters in that password. The table ranges from a 5 character lowercase password being cracked in 12 seconds to a 14 character “all character” password taking 154 billion millennia to crack. This shows that having a larger variety of characters as well as a larger quantity of characters in a password helps protect accounts against brute force attacks.
Another form of brute forcing is called a dictionary attack. This attack is conducted similarly, except it uses words that are found in a password dictionary, which is defined by the author of the software. This can also be used to guess common changes from letters to numbers (myp@55w0rd), include common phrases or quotes (takesonetoknowone), and use words that are commonly abbreviated or misspelled (ntmypsswrd). Another way to counter brute force attacks is for the account management software to limit the number of invalid password attempts allowed for an account. For example, if the brute force software starts its attack by guessing some of the most common passwords such as “password”, “12345678”, and “qwerty”, the account management software will respond with a “Too many invalid logons. Please wait one minute and try again.” A timed waiting period such as the example provided can make the brute force software much slower than it was designed to be. If the lockout is 1 minute for every 3 invalid attempts, the brute force software would only be able to make 180 attempts per hour, as opposed to attempting up to 350 billion attempts per second as is the case with a Linux-based GPU cluster demonstrated by Stricture Consulting Group in 2012. This security feature can be modified in multiple ways, including increasing the duration of lockout for each additional lockout or permanently locking the user out until they verify their identity and change the password completely.
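The lockout described above, as an added example that is not part of the original post: a per-account throttle with the one-minute wait after three invalid attempts, plus the escalating variant. The class name, the doubling schedule and the one-hour cap are assumptions; the simulation confirms the 180 attempts per hour figure.

```python
import time

MAX_FAILURES = 3     # invalid attempts before a lockout (from the text)
BASE_LOCKOUT = 60    # seconds, the one-minute wait from the text
MAX_LOCKOUT = 3600   # assumption: cap for the escalating variant


class LoginThrottle:
    """Per-account failed-logon counter with timed lockouts."""
    def __init__(self, escalate=False, clock=time.monotonic):
        self.escalate = escalate
        self.clock = clock
        self.state = {}  # account -> [failures, lockouts so far, locked_until]

    def allowed(self, account):
        """Call before checking a password; False while locked out."""
        return self.clock() >= self.state.get(account, [0, 0, 0.0])[2]

    def record(self, account, success):
        """Record an attempt; return the lockout (seconds) it triggered."""
        s = self.state.setdefault(account, [0, 0, 0.0])
        if success:
            del self.state[account]
            return 0
        s[0] += 1
        if s[0] < MAX_FAILURES:
            return 0
        # Third failure: lock out, doubling the wait each time if escalating.
        wait = min(BASE_LOCKOUT * 2 ** s[1], MAX_LOCKOUT) if self.escalate else BASE_LOCKOUT
        s[0], s[1], s[2] = 0, s[1] + 1, self.clock() + wait
        return wait


def guesses_in(seconds, escalate):
    """Count guesses an automated tool gets against one account."""
    now = [0.0]  # simulated clock so the example runs instantly
    throttle = LoginThrottle(escalate, clock=lambda: now[0])
    guesses = 0
    while now[0] < seconds:
        if throttle.allowed("victim"):
            throttle.record("victim", success=False)
            guesses += 1
        else:
            now[0] = throttle.state["victim"][2]  # skip to end of lockout
    return guesses


if __name__ == "__main__":
    print(guesses_in(3600, False), guesses_in(3600, True))
```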
The celebrity photograph data breach could have been prevented through better security practices from both sides of the coin. Apple did not have adequate password requirements or lockout requirements in place to counter brute force attacks. By following best security practices, Apple could have avoided the negative publicity for both their company and the celebrities affected. However, the celebrities whose accounts were compromised also could have used stronger passwords without requirements being strictly enforced by Apple. Through proper security education, each end user could have protected the privacy of the data that was stored in Apple’s iCloud environment.
Another practice that can greatly improve the security and privacy of data in cloud environments is the deployment and utilization of active monitoring solutions. Active monitoring is conducted by having a team of professional personnel available during all hours of the week to review intrusion detection and prevention hits as well as security anomalies that are identified by technical systems. A baseline should be set by monitoring normal activity on the network for an extended period of time. The average activities and processes conducted on the network should be used as a baseline, which should then be used to compare against future daily activities conducted on the network. Once a statistical anomaly from the baseline is identified, the on-staff personnel should be able to look further into why there was a change from the normal level of activity. An anomaly that Apple may have been able to identify with this type of deployment was seeing an increased quantity of account recovery and failed login attempts for the time period when many of the celebrity accounts were compromised. However, even if there were no significant anomalies that could have been recognized at the time, there are still other best practices that could have assisted in preventing the situation.
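A small sketch of the baseline comparison described above, added here as an example and not taken from Apple or the original post. It flags hours whose failed login or account recovery counts sit far above the baseline; all counts are constructed, and the 3 standard deviation threshold is an assumption.

```python
from statistics import mean, stdev

THRESHOLD = 3.0  # assumption: alert at 3+ standard deviations above baseline

# Constructed hourly counts from a "normal" period, used as the baseline.
HISTORY = {
    "failed_login": [40, 52, 47, 45, 50, 43, 48, 55],
    "account_recovery": [5, 7, 6, 4, 6, 5, 8, 7],
}
# Constructed counts for the hours being reviewed.
OBSERVED = [
    ("01:00", {"failed_login": 49, "account_recovery": 6}),
    ("02:00", {"failed_login": 410, "account_recovery": 6}),
    ("03:00", {"failed_login": 395, "account_recovery": 31}),
]


def build_baseline(history):
    """Return {metric: (mean, standard deviation)} for normal activity."""
    return {m: (mean(v), stdev(v)) for m, v in history.items()}


def find_anomalies(baseline, observed, threshold=THRESHOLD):
    """Return [(hour, metric, count, z)] for counts far above the baseline."""
    alerts = []
    for hour, counts in observed:
        for metric, count in counts.items():
            mu, sigma = baseline[metric]
            if sigma == 0:  # perfectly flat baseline: any increase stands out
                z = float("inf") if count > mu else 0.0
            else:
                z = (count - mu) / sigma
            if z >= threshold:
                alerts.append((hour, metric, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(HISTORY), OBSERVED):
        print("review:", alert)
```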
Ethical hackers are often contractors who are hired to break into a company’s network in any way possible to steal data that the company didn’t know was vulnerable to attack. The field of ethical hacking is daunting to many companies because this gives the hired third party knowledge of the company’s network infrastructure and its weaknesses. However, organizations must realize that it is much safer and less of a risk to the business to have hired help penetrate their network defenses rather than a hacker who might sell sensitive intellectual property to a competing organization. Through the use of ethical hackers conducting penetration tests, Apple could have identified the security vulnerability that allowed attackers to brute force iCloud accounts.
One last method that Apple could have utilized to defend against the attacks on their customers’ accounts is two-step authentication. Two-step authentication is a method of logging into a user account using multiple passwords. After logging into an account with a static username and password, a second password is randomly generated and required to grant access to the system. The two most common methods of doing so are through the use of a key fob or text message password generators. A key fob is either a hardware or software device that is synced with a server to retrieve a password that is randomly generated every 30 or 60 seconds. In this case, the password is always viewable by the user with the fob. The other method for two-step authentication is through a text message password that is automatically sent to a verified cell phone after a successful login using the designated static user credentials. This password is not always viewable, and it only changes each time a user requests login from a new computer, so in these ways it is considered more secure. In the Apple iCloud security breach, this would have prevented attackers from gaining access to user accounts without having physical access to either the target’s phone or key fob.
The United States government estimates that its spending on cloud computing will surpass $7 billion by the year 2015 (Kaufman, 2009). This investment shows that there is certainly a future in cloud computing, but if security issues continue to exist, it will be difficult to create a strong business model around the technology. Businesses have to be able to assure potential consumers that data stored in the cloud storage environment is going to remain safe. Once information is moved onto the Internet, there will always be a way to access it. If the value of the data being stored on the cloud is high enough, there will often be a threat agent that targets the now-accessible data. If the entire cloud computing industry doesn’t implement best practices for security, cloud service provider system breaches will continue. This will result in an aversion to the use of cloud services, and slowly kill off the industry as a whole.