Today we have a guest editorial from Andy Warren as Steve is out of town. This editorial was originally published on 21 Apr 2015.
We put a lot of effort into security. We require strong passwords, we require frequent password changes, and more often than we used to we add two-factor/multi-factor authentication to the mix. That’s on top of the firewalls, proxies, and the VPN, and maybe intrusion detection and some others too. We know that malware is a constant threat and so we put a lot of effort into vulnerability scans and virus scans. You might argue we need to do more, or do some stuff differently, but we are at least trying to block the most common attack types.
What about the less common attacks though? Imagine a made-for-TV scenario where a sysadmin goes out for lunch and a stranger sits down across from them and asks for their domain admin password. Laughable, right? Unless they show evidence of a real threat, perhaps to a family member. Imagine that’s you at lunch: what do you do? Short of national security it’s a no-brainer, you give them the password. Then what?
All manner of bad things. One would guess they would immediately create a new login for themselves and plant one or more pieces of malware, at least one of which would be dormant for a while. They take what they can find, or they vandalize, or both. Would we know such an attack was in progress? Or do we find out only once you break free, do your best Die Hard moves to rescue the hostages, and call in to the NOC to have your account shut down? Shutting down the account is the obvious move once the attack is known, but it’s no guarantee that the attack stops – it’s just a miserable scenario.
That makes me wonder if it’s time to borrow an idea from the world of physical security – duress codes. Many alarm systems are configured so that if the duress code is entered the alarm appears to be deactivated but still signals the monitoring center. We could do the same thing for the passwords of key personnel, letting them configure a second password that would be a minor variation of the first – maybe one letter switched from lower to upper case. When activated, not only could it send the secret alert, it could activate additional defensive measures – perhaps imposing a bandwidth policy to slow the attacker down and limit what they can steal, or activating additional logging, or with more effort sandboxing them so that the changes they try can’t reach the real domain.
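As an added illustration (not code from the editorial or from any real login system), here is a Python sketch of how a login check could honour a configured duress password: the real password and the duress variant are both stored as salted PBKDF2 hashes, and a login with the duress variant appears to succeed while silently notifying the monitoring side and returning a restricted session policy instead of locking the account. The function names, the sample passwords and the policy values (bandwidth, sandboxing) are invented for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    FAIL = "fail"      # neither password matched
    OK = "ok"          # real password, normal session
    DURESS = "duress"  # duress variant: looks like OK to the user, alerts silently

@dataclass
class Record:
    salt: bytes
    primary: bytes  # hash of the real password
    duress: bytes   # hash of the user's configured duress variant

@dataclass
class SessionPolicy:
    granted: bool
    bandwidth_kbps: int   # 0 = no throttle; values here are hypothetical
    verbose_logging: bool
    sandboxed: bool       # changes go to a decoy, not the real domain

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a work factor to tune per hardware
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password: str, duress_password: str) -> Record:
    # Both hashes share one salt; the duress variant must actually differ.
    if duress_password == password:
        raise ValueError("duress password must differ from the real password")
    salt = os.urandom(16)
    return Record(salt, _derive(password, salt), _derive(duress_password, salt))

def authenticate(record: Record, attempt: str, notify) -> Outcome:
    candidate = _derive(attempt, record.salt)
    # Check both hashes every time so response timing does not reveal which one matched
    is_primary = hmac.compare_digest(candidate, record.primary)
    is_duress = hmac.compare_digest(candidate, record.duress)
    if is_duress:
        notify("DURESS login: signal the monitoring centre, do not lock the account")
        return Outcome.DURESS
    return Outcome.OK if is_primary else Outcome.FAIL

def session_policy(outcome: Outcome) -> SessionPolicy:
    # A duress session is granted (so the coerced user is not exposed) but constrained.
    if outcome is Outcome.DURESS:
        return SessionPolicy(True, 256, True, True)
    if outcome is Outcome.OK:
        return SessionPolicy(True, 0, False, False)
    return SessionPolicy(False, 0, False, False)
```

The `notify` callable is where the "secret alert" would go (a pager, a SIEM event), and it is the only visible difference between the two successful outcomes from the user's side.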
The real challenge is trusting what the response will be if you use the duress code. If it’s going to lock your account immediately you might decide to not use it to protect the hostages.