In fight to improve authentication, no one is home at DHS

Agency's report cites compromised-password threat but mitigation advice barely acknowledges best defense against most common, costly attack
Written by John Fontana, Contributor

New years typically bring new resolutions, but the Department of Homeland Security unfortunately doesn't have much new to say about battling networking's worst security construct, the password.

A report on malicious Russian cyber activity, labeled GRIZZLY STEPPE, concludes with security recommendations for network administrators that are akin to bringing a 14.4-baud modem to a cyber fight.

While the DHS's Joint Analysis Report (JAR) howls about compromised passwords as a major security threat, it uses only a whimper on what has become the most effective defense for those threats, multi-factor authentication (MFA).

In fact, the report's recommendations focus more on improving password policies rather than using MFA to block attacks like phishing, or eliminating passwords all together.

"It's 2017, there is no such thing as a 'secure' password anymore," said Jeremy Grant, managing director at the Chertoff Group, a global advisory firm focused on security and risk management. Grant has been working on solving problems with passwords for some time. He was the original head of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which began in 2011, and was the senior executive advisor for identity management at the National Institute of Standards and Technology (NIST).

"Passwords have been proven to be the ultimate combination of awful security and awful usability. So let's stop pretending that there is a way to make single-factor, password-based systems secure, and instead focus on advising people to use something better," Grant said of the report.

For example, none of the reports "Top Seven Mitigation Strategies" would have saved Clinton campaign chairman John Podesta from having his email credentials phished. But multi-factor authentication could have.

This is the second new year in the past three years DHS has come under scrutiny for its cybersecurity work. In Jan. 2015, it was roasted in a Federal report called "A Review of the Department of Homeland Security's Missions and Performance" that concluded DHS's cybersecurity practices and programs were so bad that the agency fails at even the basics of computer security and is "unlikely" able to protect both citizens and government from attacks.

In addition, the recent DHS recommendations do not align with strong authentication conclusions made in other parts of the U.S. government, notably White House recommendations to prioritize strong authentication, NIST guidance on MFA for thwarting password-based attacks, and even guidance from other DHS efforts.

The DHS runs the Continuous Diagnostics and Mitigation (CDM) program, which focuses on fortifying the cybersecurity of government networks and systems, and has made government agency adoption of MFA a priority.

Also, last month the Commission on Enhancing National Cybersecurity, a non-partisan commission established by the White House to make recommendations on cybersecurity to president-elect Donald Trump, made strong authentication a top priority in its report and called out by name the FIDO Alliance and its standardized strong authentication protocols.

There may be other factors at work that resulted in the weak recommendations in this particular DHS report, but it's best for governments, enterprises and private-citizens to be on the same page in regards to removing passwords as a security boundary. There are plenty of bad actors out there willing to steal one or even one billion passwords to use in executing other more targeted and lucrative attacks.

"There's no shortage of good guidance from the U.S. government to draw from - so why are they putting out outdated guidance best suited to guarding against state-of-the-art attacks from 2007," said Grant.

Editorial standards