Quantifying the Costs of Hacking

As we become ever more interconnected, with more and more of our daily lives intertwined with the internet and cloud-based computing, and our online presence becomes almost as important as our real-life persona, it is important to remember the darker side that all this convenience and connectivity brings.

Hacking, phishing, and man-in-the-middle attacks have become far more sophisticated and commonplace. Data, specifically personal data, has become the new black market currency on the internet. Gone are the days when we just had to worry about shredding old bank statements and bills (although that is still a good practice). Here to stay are the days when we need to fully understand and appreciate the risks that all this interconnected convenience represents.

In 2011, a single instance of hacking on Sony’s PlayStation cost the company more than $170 million. By comparison, in 2005 Google lost $500,000 due to various hacking events. As more and more data moves to the cloud, and as we buy more goods and services and do our banking online, the rising cost of risk over time becomes very clear.

Industry experts like Richard Power, editorial director of the Computer Security Institute, estimate that, depending on the company and the severity of the incident, a single instance of hacking can cost companies anywhere between $0.5M and $7M per day. Full Article…

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Security Frameworks: Helping Developers Secure Applications

After just releasing our new Developers’ Resources on the PortalGuard website, I wanted to share this article discussing how important it is to leverage secure frameworks when developing an application. Developers often have every intention of including security measures, but the work falls by the wayside and goes unfinished. Although there are source code scanners on the market that can scan the application, these can be cumbersome and require hours of training for the developers. Scanners of this type also cause friction between development and the security team, as continued revisions are required.

To combat this, it is best to leverage existing security frameworks and avoid having to “reinvent the wheel”. This allows developers to implement authentication and authorization without having to design the underlying security mechanisms themselves. Many of the available APIs on the market have already been scanned and tested for security and for vulnerabilities such as SQL injection. The key to picking the correct framework, according to Dan Cornell, an application security consultant, is “you’ve got to make sure it’s consumable by [the developers] and not make their job harder. Security folks are often focused on correctness, and developers more on getting the job done in a limited time. To the degree security folks can make it easy for developers to do the right thing, it pays real dividends.” Learn More
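To make the SQL injection point concrete, here is an added example (not code from the PortalGuard post or product): a hand-rolled login check that builds its query by string formatting, next to the parameterized form that any mature data-access framework gives developers for free. The table, the account and the tampered input are all constructed for the demonstration.

```python
# Added example (not PortalGuard code): the SQL injection flaw that hand-rolled
# authentication code tends to carry, next to the parameterized form that a
# data-access framework provides. The database and account are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hash-of-alice-pw"))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Builds the statement by string formatting, so user input is parsed as SQL.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Placeholders keep the input as data; the driver never interprets it as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"          # constructed input that is not a real account
    print("vulnerable:", login_vulnerable(db, tampered, tampered))       # True: bypassed
    print("parameterized:", login_parameterized(db, tampered, tampered))  # False: rejected
```

The two functions differ by one line, which is the point of the article: when the framework owns query construction, the developer cannot forget to escape the input, and a source code scanner has nothing to flag.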


2012: A Year When Data Breaches Grow…and Grow More Serious

Throughout the year we have been reporting on and mentioning the major data breaches that have been happening across multiple industries, affecting some of the largest corporations of today. Reports are still continually coming out, such as this article, which mentions that not only are there more attacks but they are growing in severity. There is an ever-growing trend that as our computers and technical world become more sophisticated, so do the hackers’ attacks. It was interesting to read that 98% of breaches are from external agents, with only 4% coming from employees, and that most of the external attacks involve the use of malware. Based on Verizon’s Data Breach Investigations Report series, it seems that organizations are implementing high levels of security in some areas but neglecting other vulnerabilities. This is especially true in the popular target market of SMBs, which hold the same sensitive data as enterprise corporations but lack the funding and staff to secure it. The final suggestion made in this presentation is to achieve an essential level of security across the organization, then look to more critical areas where it needs to be increased. Learn More

Spoofing Biometrics – Fingerprint reader

Efforts are made to attack all authentication types, including biometrics. Attacks are usually focused on the sensor itself, using various methods. If you’re not sure what spoofing is: it is a way in which an attacker provides a fake biometric sample to convince the sensor that it is legitimate.

There are several ways in which this is done. For instance, fingerprints are left behind on many objects people touch, and prints can be lifted using forensic (CSI-style) techniques. The print could then be transferred to a silicone replica of a finger. There are cases where the oil from a finger left behind on the sensor itself was enough to trigger authentication. There are also published cases where a finger was forcibly used or even severed.

The good news is that these cases are rare and require physical access to the sensor, so against remote attacks a fingerprint sensor is more secure than a conventional password alone.

Check back, there is more to come on behavior biometrics and spoofing facial recognition.


One Time Passwords Explained

In the evolution of passwords, One Time Passwords (OTPs) have become an important part of the authentication world. An OTP is just that: a password that can only be used once. Not allowing the password to be used a second time eliminates the possibility of an attacker reusing a captured password. The downside of OTP technology is that the proper user must be supplied with the OTP before each use. Using OTPs is not as easy as using standard passwords, but the increased security outweighs the added usability burden.

So, what are the options for getting an OTP to a user? Here are some of the options:

1. OTP via SMS
2. OTP via phone call
3. OTP via email
4. OTP via printed paper
5. OTP via Transparent Token
6. OTP via Hardware Token

OTP via SMS

During the authentication process to a resource protected by OTP security, an OTP is sent to the user’s pre-registered cell phone number. Once the user receives the OTP, it is entered into the login form and the user is authenticated. There is the possibility that the OTP might be delayed or lost in transmission. For this reason, there might be an additional link on the login screen that gives the user the option of requesting the OTP again. This re-request can include receiving the OTP via a different medium.

OTP via phone call

For users that might not have cell phones while they are working or they work in an environment that has limited cell phone service, having the OTP arrive on a land line with a programmed voice reciting the password is an excellent option. During the login process, the user answers their ringing phone and is read the OTP. The voice call will have the option of repeating the OTP if necessary.

OTP via email

If phone service is not an option or an additional OTP delivery method is desired, an OTP can be sent to an email address. This feature has the limitation that a user must have access to their email so it might not be the best option for a user logging into their client machine. However, for accessing applications once logged into their PC, it works very well.

OTP via printed paper

A printed OTP sheet is a list of OTPs printed on a piece of paper that the end user can carry with them. The OTPs never expire, but once used they are no longer valid. This option is very useful when a user does not have access to any phone or email. The OTPs on the piece of paper must be very carefully guarded, though.

OTP via Transparent Token

This is an offering unique among many solutions on the market. A transparent token offers a way to perform multi-factor authentication by validating both the user -AND- the device they’re using. The workstation itself acts as the “token”, or rather “something the user has”, once unlocked by the user’s successful login to it. After installation and a one-time, automated enrollment, a client-side browser add-on automatically generates a Time-based One-time Password (TOTP) on a configurable interval and sets the value as a session-based cookie. This cookie is created only for specific websites and is encrypted using public-key cryptography to ensure only the server can decrypt it. The one-time enrollment data is created independently for each user and is securely stored in the user’s workstation profile. This ensures the data follows the user as they log into different workstations and allows multiple users to share the same workstation, provided they have separate login accounts. This is an excellent form of Transparent User Authentication: it has no user interface and does not impose additional processes or steps on end users.

OTP via Hardware Token

Although hardware or proprietary tokens have started to fall out of favor due to high cost and maintenance, they have still proven themselves as a viable option holding the largest market share and installed base in the two-factor authentication market. Hardware tokens are physical devices which provide the OTP with or without requiring the user to type it in. Some common forms of hardware tokens include USB tokens, connected tokens, tokens with a display or disconnected tokens, and smart cards.

In addition to being secure and useful on their own, OTPs can be employed with other authentication methods to provide Two Factor Authentication (2FA). 2FA consists of something the user knows and something they have. They can know a password and have a cell phone that can receive an OTP via text.

If you are looking to increase your security without incurring too much overhead or struggle for your users, you might want to consider OTPs.

For more information please visit: http://portalguard.com/two-factor_authentication.html

PortalGuard SSPM Awarded – Download Available

Just wanted to quickly announce before the holiday that PortalGuard’s Self-service Password Management (SSPM) has been getting recognized on various download sites. Two have awarded the download 5-star and safety awards. Below is a link to our previous blog post with the description and a link to the download, so you can check out SSPM, which is supported on both the web and the desktop.

Safe Self-service Password Management file

PortalGuard Self-service Password Management: 5 Star by FreshShare

http://blog.pistolstar.us/blog/new-download-self-service-password-management/

What to do After a Targeted Attack

Here’s an excellent resource article for any of you whose organizations have been the victim of a targeted IT security attack. With data breaches on the rise, such attacks can cost an organization money and business. For example, as mentioned in the article, Coca-Cola was the victim of a hack during an important acquisition; the hack leaked information about the deal and possibly caused them to lose it.

Two papers are referenced, from Bloomberg and Georgia’s CERT Institute, which are designed to help organizations understand what steps to take after a targeted attack, such as “blocking command and control servers, cooperating with security companies to add proper detection mechanisms in IDS devices, cooperating with various law enforcement agencies, contacting abuse teams at hosting providers to get those servers offline, and obtaining log files for analysis”. Read More

While it is good to know what to do after the attack, I’d like to pose the question of why not take a proactive approach to protecting your organization?

Human Aspects of Information Security

The human aspects of information security are increasingly important, because the user can become part of the solution, assisting with countermeasures, rather than part of the problem.

The phrase ‘security is only as strong as the weakest link’ highlights that too often the weakest link turns out to be human.

Whether through lack of awareness or the complexities of configuration, the user is inevitably the single biggest cause of security breaches. Because threats come from everywhere, you cannot rely on the user to make the right decision.

From a human interface perspective, authentication technologies are one of the few security controls that users have no choice in using. Issues resulting from poor password use are common; tokens are misplaced, and biometric readers are swiped too quickly.

Attempts to improve the situation include password reminders or mechanisms to reset a forgotten password. Relying on cognitive-based knowledge in order to reset a password further exacerbates the need for users to remember appropriate answers. The answers themselves become a source of weakness, as there are only so many possible answers.

It’s necessary to seek other approaches that incorporate better human interaction or remove the necessity for the user to interact. Transparent User Authentication is one way to achieve this goal.
