HTTP Uh-oh! Look at the URL

When it comes to security awareness, it is key to provide your employees with quick tips they can use throughout their daily routine to help them be more security aware. One of the easiest habits to implement, and to get employees to adopt, is taking a look at the URL before they type in credentials.

Many times there are misleading URLs and false websites created for the sole purpose of tricking your end-users and stealing their credentials. To an untrained eye it is easy to be fooled.


So the tip to give employees is to look for HTTPS in any URL where they are entering credentials or accessing sensitive data. HTTP Secure (HTTPS) layers the Hypertext Transfer Protocol on top of an encrypted SSL/TLS connection so that information sent to the server is protected in transit. This differs from basic HTTP URLs, which are neither authenticated nor encrypted and are subject to “man-in-the-middle” and “eavesdropping” attacks.

Once users are in the habit of looking for the more secure HTTPS, you are far more likely to prevent them from sending valuable data across the network in the clear. This is a very strong habit, and it matters most for financial transactions and internal portals.
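The “look at the URL” habit can also be automated, for example in a browser extension, a password manager or an awareness-training exercise. The script below is an added example written for this post; it is not PistolStar or PortalGuard code. It inspects a URL the user is about to log in to and reports the things a trained eye looks for: a missing HTTPS scheme, a `user@host` prefix that hides the real host, a bare IP address, and a host that merely contains the expected domain name rather than being it. The function names and the `expected_host` parameter are assumptions made for this example, and the sample hostnames in the comments are constructed (`example.com` and `192.0.2.0/24` are reserved documentation names).

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def check_login_url(url: str, expected_host: str) -> list[str]:
    """Inspect a URL a user is about to enter credentials into.

    Returns a list of human-readable warnings. An empty list means the URL
    uses HTTPS and its host is expected_host itself or a subdomain of it.
    expected_host is the domain the user believes they are logging in to,
    e.g. "bank.example.com" (a constructed example name).
    """
    warnings: list[str] = []
    parts = urlsplit(url.strip())

    # 1. The tip from the post: no HTTPS, no credentials.
    if parts.scheme.lower() != "https":
        shown = parts.scheme or "missing"
        warnings.append(f"not HTTPS (scheme is {shown!r}): credentials would be sent unencrypted")

    # 2. "user@host" prefix: the browser ignores everything before the '@',
    #    so https://bank.example.com@evil.example/ actually goes to evil.example.
    if parts.username is not None or parts.password is not None:
        warnings.append("URL has a 'user@' section: the real host is what follows the '@'")

    host = (parts.hostname or "").lower()
    expected = expected_host.lower().strip(".")
    if not host:
        warnings.append("URL has no host")
        return warnings

    # 3. A bare IP address is never the expected domain name.
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host {host!r} is an IP address, not the expected domain name")
    except ValueError:
        pass

    # 4. The host must be expected_host or one of its own subdomains.
    if host == expected or host.endswith("." + expected):
        return warnings
    # The expected name appearing *inside* a different domain (as a subdomain
    # label, or with dots swapped for hyphens) is the classic misleading URL.
    if expected in host or expected.replace(".", "-") in host:
        warnings.append(f"host {host!r} resembles {expected!r} but is a different domain")
    else:
        warnings.append(f"host {host!r} is not {expected!r}")
    return warnings


def is_safe_login_url(url: str, expected_host: str) -> bool:
    """True only when check_login_url raises no warnings at all."""
    return not check_login_url(url, expected_host)


if __name__ == "__main__":
    # Constructed sample URLs, the kind an awareness exercise might show.
    for sample in ("https://bank.example.com/login",
                   "http://bank.example.com/login",
                   "https://bank.example.com@evil.example/login",
                   "https://bank.example.com.evil.example/login"):
        print(sample, "->", check_login_url(sample, "bank.example.com") or "OK")
```

Note that a subdomain of the expected host is accepted, since it is under the same owner's control, while the expected name buried inside some other domain is flagged. Real browsers have further rules (internationalised domain names, public-suffix handling) that this check deliberately leaves out.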

Learn More:
PortalGuard – secure authentication
Wikipedia – explanation of HTTPS
Image Source: http://www.informatics.indiana.edu/markus/documents/security-education.pdf

The First Line of Defense is Your Employees

Many organizations overlook security awareness as an integral part of their security policies and success in preventing attacks. The fact is that it is your employees who hold the guardianship over your critical assets. By implementing security awareness training you can create the first line of defense against security breaches.

Although employees are conscious of security requirements, their busy day opens up opportunities to put security on the “back burner”. Without IT management implementing a strict security awareness training program, employees are less likely to pay attention to authentication best practices. Unfortunately, as many IT managers and directors know, implementing such a program can be very difficult.

One way to overcome the hurdles in implementing such a program is to provide your employees with quick tips and authentication best practices that empower them to be more aware. These tips can help employees throughout their day and help them better understand the risks of being unaware.

For more information on employee security awareness and implementing a training program please take a look at the following articles:

TechRepublic.com

SC Magazine.com

ComputerWorld.com

Federal Computer Week.com

Unprecedented Customer Support

Recently PistolStar went on-site with a current prospect to help with the implementation of the Password Power 8 Notes ID Plug-in. PistolStar’s technical team helped deploy multiple seats of the Notes ID Plug-in which will enable the prospect to:

– Authenticate users against Active Directory
– One password for users to remember
– Uniform AD password policies for security/compliance
– Reduce Help Desk calls and shorten their length with a single AD password reset
– Achieve true Single Sign-On
– Seamless real-time access after a forgotten password

And much more….

Below you can take a look at our Senior Software Engineer, Larry Conroy, providing support to the IT staff on premises. Overall, PistolStar’s goal is to provide unprecedented support to our prospects and customers. Whether it is over the phone or on-site, every case is handled with care to make sure the solution is an exact fit for the customer’s requirements.

Homegrown Solutions – Yikes!

With ever-increasing demands for specific security and authentication functionality, the issue many organizations face is finding a solution that provides an exact fit with their requirements.

Due to this issue many corporations, especially at the enterprise level, are footing the bill to develop these solutions in-house. Although this can provide the exact fit that you are looking for, a homegrown solution is not something that PistolStar recommends. By implementing a homegrown solution it is easy to run into the following issues:

  • Higher upfront costs in development and testing time/resources
  • More lead-time required – deployment schedule must be pushed out
  • Run into all the pitfalls and bugs yourself – impacts user adoption and satisfaction
  • Workforce/expertise attrition – what if your developers leave?
  • Ongoing maintenance demands and costs

With such complications present, homegrown solutions really open the floodgates to security holes and unknown issues. By stepping out of your area of expertise and running across the bugs yourself, you risk exposing and opening up a much larger and more dangerous “can of worms”.

Your end-users are also a concern when choosing to buy or build. By making your employees the “test bunnies” you are in danger of greatly reducing usability, productivity and employee adoption rates. Your end-users are also not always the best measure of success: when implementing a homegrown solution, it is when something is wrong that you are most likely to hear a large uproar from your users, but this gives you no direct insight into the functionality or parts of the solution which they really enjoy.

Overall, if you are weighing your options between homegrown and buying, we strongly recommend staying away from homegrown. To replace the homegrown option, it is important to find a third-party solution that provides the flexibility of a custom solution but at an affordable price. By leveraging APIs, such as the PortalGuard API, you can use already existing functionality while reducing the complications of starting from scratch.

So whether you decide to use a fully homegrown solution, leverage an API or purchase a solution it is important to consider your users and organization’s requirements. Possibly a combination of all three methods could be the best way to go.

We encourage questions on homegrown solutions so please feel free to email us at pr@pistolstar.com.

What is Absolutely Necessary?

What is absolutely necessary? This is a question in regards to authentication which needs to be asked often. With severe trade-offs between usability and security it is important to understand your users and what access they have to different levels of critical data.

Many times an end-user’s usability is compromised because they are required to follow authentication policies which are too strong for the type of data they are accessing. Making the user jump through extra hoops to access data can greatly slow down productivity.

Due to this issue the answer to the question is NOT a “One Size Fits All” approach. Ideally, you would want to implement a solution which takes into consideration the underlying data being protected. The key is to have an authentication solution that has the intelligence to require only what is necessary from the user and environment, to provide the appropriate level of data protection, achieving a balance between usability, security, auditing and compliance.

To achieve this, look at the defense-in-depth the data needs and match the authentication to it. Take for example the lowest level of protection: here you might require only a username and password. Moving up to the next level, more authentication is needed, such as multi-factor in the form of a personal watermark, as used in online banking. Finally, at the highest levels of data protection the strongest authentication practices can be implemented, such as out-of-band authentication, where the user receives a one-time password on their mobile device to use along with their login credentials. This is an affordable way to implement best practices.

Overall, it is important to keep in mind not only your end-users but also the underlying data they are accessing. By applying the same authentication to all levels of data protection you can easily lower both usability and security, but with a more exact fit this can be avoided altogether.

The Financial Industry – Courts Try to Prove Reasonable Security

$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This was a phishing attack that caused damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica had authentication policies in place, such as secure token technology, there was still a user-created gap which allowed the attackers to gain access. An attack needs only that access to happen.

Although Comerica was able to recover all but $560,000 of the funds, EMI is still pressing charges, saying that Comerica exposed EMI’s users to the phishing attack. Comerica, of course, implies that any EMI employee responsible for financial transactions should have recognized that the phishing site was a scam.

The decision on liability has still not been made in favor of either company. Although the contracts originally signed by the two companies favor Comerica Bank, the fact that the banking industry demands stronger authentication, and that Comerica therefore has easier access to advanced technologies, does not look good for them. It will be interesting to see how the case progresses in mid-November.

Learn More:
BankInfoSecurity.com – full article on the case

Authentication Adaptability: Survival is Key

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin put it so eloquently, facing change by adapting to it is how you survive. This translates easily to authentication and to the principles behind strengthening authentication to adapt to changing circumstances.

The idea is that change is inevitable and businesses will be weeded out by their ability to adapt. With authentication and security this is an ongoing challenge facing businesses in the form of regulatory compliance, authentication trends and ever increasing attacks.

Although this is experienced across most industries, it is an especially pressing issue for the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They also hold huge amounts of personal information and data, making them prime targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

An adaptation example in the financial industry has been the popularity and increasing use of online banking. Although it is extremely convenient for end-users, the question is: how will the financial industry adapt its authentication to protect users’ extremely sensitive data out on the internet?

To adapt, financial institutions follow the FFIEC guidelines and implement multi-factor authentication and stronger authentication such as one-time passwords. The financial industry is required to have a high level of data protection and is therefore leading the way in authentication and security. Reviewing how such vulnerable industries respond is a great way to understand where to set the bar for your own required level of data protection.