Heroes of two-factor authentication, or as "walking in other people's shoes"

Probably I will say a commonplace, but people are very strange (and IT people are doubly). They are keenly interested in marketing innovations and are eager to introduce them, but at the same time indifferently bypassed by technologies that can actually protect their companies from real harm.

Take for example the technology of two-factor authentication (2FA). An attacker can easily spy and / or steal ordinary passwords ( which happens very often ), and then log in with the rights of a legitimate user. And the user himself most likely will not guess about the fact of the password being stolen before the onset of unpleasant (and sometimes very serious) consequences.

And this is despite the fact that the fact that the use of two-factor authentication methods will greatly reduce the likelihood of some serious consequences, or even completely protect against them, is not a revelation to anyone.

Under the cut, we will tell you how you tried to present yourself in the place of decision-makers about the implementation of 2FA in the organization, and understood how to interest them.

For those who want a little theory:



So, there is a two-factor authentication technology that can effectively protect users from password theft and, as a result, their employers from information loss and other security problems at minimal cost (monetary and temporary).

But for some reason, this technology has been introduced only in a relatively small number of the most protected and advanced companies in the field of information security. What are the others waiting for? Do not fear for the security of your IT infrastructure or do not consider the threat serious? Or can you be sure that the introduction of additional security measures will lead to a deterioration in the working conditions of users and / or a decrease in their efficiency?

To understand this, we decided to refer to the old proven method- to come up with characters who should be responsible for the implementation of 2FA, and in the process of describing their behavioral profiles, try to get into their skin (or as the Americans say - be like in their shoes ). If this method works for designing new products, then why not be just as effective in analyzing the reasons for (not) using time-tested technology?

We created four characters: two directors and two heads of IT departments for two companies - large and medium. And for each of them they wrote their own history. Here is the first one.

Fedor

Company

The Refinery FlyTek, part of the large oil holding FlyOil. In total, the refinery employs more than 3 thousand people, but about a thousand are connected with computer technology. These are both auxiliary units (managers, accounting, logistics, sales service, marketing) and production workers working with ACS TP (automated process control systems - production of petroleum products) through terminals on Microsoft Windows.

Position

Head of IT department. Manages a team of 10 people.

What is responsible

For the performance of the IT infrastructure of the enterprise. Roughly speaking, so that no one complains about anything.

1. Fedor knows that low IT skills of employees can lead to failures on their PCs. He organized a technical support service that works with such minor issues.
2. Fedor knows that the equipment is aging and can refuse, making the work of an employee, department or the entire plant impossible. Therefore, he organized a reserve fund in case of replacement and prescribed emergency replacement policies - the procedure and those responsible.
3. Fedor knows that hacker attacks, hardware failures, fires, floods, etc., may be damaged by data. He organized the creation of backup copies of data and prescribed data recovery policy in case of failure.
4. Fedor knows that failures occur in the server software, which can jeopardize the work of the office or production. Therefore, he uses the methods of online diagnostics of malfunctions and prescribed policies to restore the server software.
5. Fedor is afraid of viruses. He knows that they can infect the computers of employees or the ICS system. Therefore, he purchased and installed anti-virus software and set up its regular update.
6. Fedor is afraid of network hackers, so he uses intrusion detection and prevention tools and other network defenses.

What is common in these six points? Fedor understands that if something happens in the framework of the above, they will ask him. Sometimes for the cause (viruses, if they will be distributed without any control over the network), sometimes for the consequences (lack of backup copies during recovery).

What does not answer

1. For the fact that although it has a source of IT, it falls into the area of ​​responsibility of other managers. For example, if the terminal of the ACS operator breaks down, then Fedor is responsible for this. If the operator of the automated process control system enters the wrong command, then it will be the problems of the production workers. At their request, Fedor can give the command to modify the software of the automated process control system so that it recognizes the wrong commands and does not let them execute. But TK will be written by production workers, Fedor will be only an intermediary and responsible for the implementation and trouble-free operation. An example that is closer to the topic under consideration is that if an employee legally possessing rights to work in an IT infrastructure of an enterprise tries to use them for destructive actions or wants to use corporate information for personal purposes, Fedor will respond only if more rights have been given. what is necessary for the employee at the moment to perform his duties. Otherwise it will be a problem of the security service and the immediate supervisor of the employee.
2. For the implementation of risks taken by management. It is impossible or too expensive to defend against everything. If management decides, for example, that the complete loss of servers due to a fire or flood is impossible due to the location or protection of the server, then no money will be allocated for backup servers. And in case of problems, the responsibility will be borne by the management.

But! This is true if Fedor informed management in advance about these risks. The fact is that top managers are rarely IT specialists, so they may not even assume how much bad things can happen. Therefore, if something happens that the tops were not aware of, then Fedor will be declared guilty. Therefore, he tries to warn about possible problems, but after that the responsibility for making the decision goes to the tops.

Professional worldview

Fedor has enough problems and concerns in carrying out his official duties and in defending himself against threats that he considers probable or with which he himself has come across. He also understands that manufacturers of protection systems are focused on selling their products, so they are interested in scaring as much as possible - to invent new threats and exaggerate the likelihood and significance of existing ones. Therefore, Fyodor is usually very skeptical of stories about new threats and how to solve them.

It is easier for Fyodor to believe in new threats caused by a new development of technology or by hackers opening new holes for hacking than in the long-standing threats that he could in theory face, but did not face.

When Fedor learns about the new threat in which he believes, he writes a simple protection plan against this threat, indicating what resources (people, software, hardware) will be needed for this. This plan is submitted to the tops. If the tops agree to allocate the appropriate resources, then protection against a specific threat is implemented at the refinery, But since the tops are not IT professionals, the agreement to implement the plan often depends on the proper submission of Fedor. From whether he really wants to introduce protection against this threat or wants to shift potential responsibility to the tops, if the threat and the truth turns out to be real, and a plan to prevent it will not be accepted.

Current relationship to 2FA

For all the time, Fedor never faced the serious consequences of password theft. He is ready to admit that some employees could know the passwords of others, and even secretly heard a couple of times as employees discussed their passwords. Fedor is even aware of the fact that employees transfer their passwords, do not block sessions, work from under someone else's account. But, in his opinion, this did not and would not lead to any serious leaks, much less hacking or damage. He is ready to admit that a causal relationship exists, but he wants someone to clearly show it to him. It will not consider 2FA until there is a clear precedent, or until it is forced

According to Fedor, the security service is responsible for fighting leaks (the IT department can only provide the necessary technical means). In the end, IT does not force IT to monitor the storage of paper documents and the iron keys of the office - even if IT maintains video surveillance cameras installed on the SS order.

Fedor believes that the company has policies that require employees to securely store their passwords signed by the employees themselves. And if something happens, then a specific person will be punished for his carelessness. And oversees the execution of the politician let the Security Council. Here, however, it is impossible not to notice that theory often disagrees with practice. An especially important or honored employee is not touched even if he writes a password on his forehead, and the disfranchised low-level employee doesn’t care, since he has nothing to lose. Only the use of technology can equalize everyone.

The only area where Fedor is really concerned is the security of the system administrators passwords. Because if someone harms the IT infrastructure on behalf of the sysadmin and with his extensive rights, then a serious investigation will inevitably be carried out, where not only the careless sysadmin can be appointed as guilty, but also (depending on the severity of the damage) Fedor himself.

Well, where are the conclusions? They are not there yet, because beyond the scope of this article there is a story about three more characters - the immediate superior of Fyodor, the general director of the oil refinery, as well as the head of the IT department and the owner of the logistics business. Very soon we will tell you what they think about two-factor authentication.

In the meantime, I would very much like to know what you think about 2FA - both in the form of free comments and in the form of responses to a survey. Do you think this topic is relevant? Is the threat real from your point of view? Should businesses spend money on implementing 2FA?

And by the way - did you recognize yourself in Fedor, or perhaps your boss / colleague looks like him? And maybe we were mistaken and these characters have completely different interests?