CISOs Recognize Security Awareness Need

As we have known for many years, a one-size-fits-all approach to security isn’t effective. This also applies to security awareness training for your users. Users are often seen as the weakest link in a corporation when it comes to security because they do not follow best practices, lose their machines, write down passwords, access files they shouldn’t, and more. At a recent round-table discussion, CISOs from varying industries spoke about the issues they face and the methods they use when educating staff members about IT security.

One of the interesting points which stood out is that it is important to go to other departments within your organization for assistance in educating users. Legal departments are used for compliance, but it is the marketing and development departments which can build useful tools that help users understand how to maintain security and the reasons behind it. The idea is to work with people who don’t necessarily understand security but do understand how to educate people. You write the curriculum and they teach it.

All too often the IT security staff seem unapproachable to users, and this creates a barrier to users understanding and listening to the lessons being taught. The recommendation remains that if you involve other departments and varying titles, users will find someone they do feel comfortable approaching. Your users are the ones who have access to corporate data, and they need to be made aware that this is a big responsibility which rests with them.

Although there are third-party providers of security awareness training, many CISOs are hesitant to bring them in to help with educating users. The fear is that the training will be general rather than personalized and specific to your corporation. To choose the best security awareness agency to help with your user training, look for one that delivers a custom training method based on your needs, not a one-size-fits-all approach. Read More…

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Are We Going Towards a World Without Passwords?

Looking at major movements in the infosec space, such as Google partnering with Yubico on a hardware two-factor authentication solution, makes you wonder whether we are moving towards a world without passwords. The basic understanding has become that passwords, for the most part, just don’t work: they are susceptible to hacking and are sources of potential risk and cost. Interestingly enough, according to the Atlantic Wire, after surveying multiple experts and analysts, the future is not password free but still relies on passwords for security.

Supported by related articles in the news, the findings pointed more towards passwords being added to rather than replaced: the number of authentication barriers a user has to go through to access an application would increase. For example, look at Google and its two-step authentication, now suggested as a minimum for securing a Gmail account. Or how about a computer that recognizes you based on your behavior? These options are coming to the forefront as data breach numbers increase.

Even more popular, it seems, is the use of mobile devices to aid in authentication. Becoming the new “hardware token”, mobile phones are now being used to identify the user beyond just their password. An example given in the article is a seamless integration between the login screen and the device: once a user enters their username, an app launches on the mobile device and asks them to push either the green or the red button.

Of course these methods also have their faults, the main one being user frustration. Users were already strung out trying to remember their passwords to multiple applications. Although multi-factor authentication eliminates the need to remember a password in some cases, it still adds further steps and disruption to a user’s routine. The ideal situation would be two-factor authentication which is transparent to the user while still able to block unwanted access. Read More…


Stronger authentication without end-user benefits?

A recent discussion on LinkedIn started by a PortalGuard team member got some great comments relevant to PortalGuard…

Discussion: Stronger authentication without end-user benefits?

I have heard that many companies view two-factor authentication as a burden to end-users and seem reluctant to move beyond username/password security. What may be interesting to these companies is that stronger authentication initiatives can be coupled with sign-on benefits to achieve both security and usability enhancements. I’m wondering if it is a matter of a change in perspective? Could security professionals get more traction on security projects that are desperately needed if usability benefits (e.g. SSO) were more the focus of the business case when promoting these types of projects to senior management? Comments?

Comment #1: It is absolutely true that when introducing strong authentication, usability is hurt. I am sure we need to look into more usability-enhanced security measures in two-factor authentication. But two-factor authentication itself looks stronger than password/chip-and-PIN security.

Comment #2: …your thoughts are interesting. But if SSO and multi-factor authentication are often coupled, I’m not sure the motivations are to boost strong authentication adoption. It’s more that SSO comes with its own security problems. Once authentication is gained, access to a wide range of applications is granted. The impact of a breach is thus potentially greater.

To minimize the risk (for in our field everything is risk related), one of the measures that has to be adopted is a stronger primary authentication. But it’s only one factor and it does not solve all the problems. Suppose I’m logged in and have to go to the bathroom: if I forgot to lock my computer, anyone can gain access to all the applications covered by the SSO.

So we often leave critical applications out of the SSO system, and require a strong authentication to those applications. I’m not saying it completely defeats the benefits of SSO, but it can seriously undermine them.

So let’s keep in mind that while multi-factor authentication strengthens security, SSO generally lowers it. Their combination is sometimes positive and sometimes negative, depending on the context.

Now, this is the (somewhat) objective view. The most interesting part of your post is that security professionals have to focus on usability benefits, whatever they are, to promote their projects to management. SSO is one aspect. More user-friendly multi-factor authentication is another aspect.


Alerts – Complex Event Processing

What is one of an IT department’s biggest challenges? One might say it is knowing the unknown. How can an IT administrator possibly keep track of all the activity on their network? Search through logs and logs of authentication and access data trying to find malicious activity or understand how a network is being used? What a nightmare trying to find a needle in a haystack like that, but someone has to watch out for these kinds of things. Wouldn’t you like to be automatically notified if a device that you have deemed malicious has attempted or even gained access to your environment?

Introducing Complex Event Processing (CEP) can help with this daunting challenge. Simply put, CEP continuously gathers network activity data and massages it in different ways to identify incidents that an administrator would want to know about. The incidents can illuminate erratic behavior or provide information used to understand how your network is being used.

The process starts with the collection of many data points, or events, from different places, such as the time of day, the physical location in the world, how secure the network they are connecting from is, and the device being used. For example, I’m sure you would want to know if an attempt to access your network came in at 2am your time, from a café on the other side of the world, using a tablet. Keeping track of additional events such as password reset attempts, account lockouts and user notification messages, in addition to the time, place and device, provides tremendous possibilities for telling stories about the activity you are not aware of on your network.

Now that the data collection is in place, we can discuss the manipulation of the data to discover interesting incidents that should be brought to your attention. The CEP happens inside a rule engine which has the intelligence to apply the gathered data against a pre-determined set of rules. This is the massaging part mentioned earlier. The rules are statements with variables which get populated from the processing of the data. Rules are run at set intervals and are designed to analyze recorded data and find patterns or events that someone should know about. If a rule, once populated with a set of data, evaluates to true, an incident worth alerting about has been found. A simple example of a rule is to check the login name of every login and compare that name to “jadams”. Among all the data that is collected are the login names for each user. The rule is run once for each login name recorded, and if the login name is “jadams” an email alert is sent to the proper person.

Rule Template:

  • Send alert if [account] is equal to “jadams”.

Substituting the [account] variable for each user that has logged in would yield this:

  • Send alert if “wspikes” is equal to “jadams”. Evaluates to false, no alert.
  • Send alert if “jadams” is equal to “jadams”. Evaluates to true, send alert.
  • Send alert if “ijames” is equal to “jadams”. Evaluates to false, no alert.

In addition to variable substitution, the rule engine can also perform calculations such as counting the number of times a user has attempted a password reset. The rule engine also keeps track of the times for each password reset. With this information, a more complex rule can be implemented.

Rule Template:

  • Send alert if [account] has had 3 password resets in 5 minutes.

Substituting the [account] variable for each user that has logged in would yield this:

  • Send alert if “wjain” has had 3 password resets in 5 minutes. Calculation: 2 password resets in 10 minutes. False, no alert.
  • Send alert if “lknight” has had 3 password resets in 5 minutes. Calculation: 3 password resets in 10 minutes. False, no alert.
  • Send alert if “abarry” has had 3 password resets in 5 minutes. Calculation: 4 password resets in 4 minutes. True, send alert.
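The two rule templates above (variable substitution and a counted time window), plus the risk-score and business-hours rules listed further down, as an added example of such a rule engine; this is illustrative code, not PortalGuard’s, and the account names, timestamps and risk scores are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One collected data point; the names and times below are constructed samples."""
    kind: str              # "login" or "password_reset"
    account: str
    time: datetime
    risk_score: int = 100  # only meaningful for "login" events

BASE = datetime(2013, 1, 15, 9, 0)  # a Tuesday, 09:00

def at(minutes):
    return BASE + timedelta(minutes=minutes)

EVENTS = [
    Event("login", "wspikes", at(0)),
    Event("login", "jadams", at(1)),
    Event("login", "ijames", at(2)),
    Event("login", "rkhan", at(3), risk_score=60),         # e.g. tablet from a cafe
    Event("login", "jsnow", datetime(2013, 1, 19, 2, 0)),  # Saturday 02:00
    # wjain: 2 resets in 10 minutes
    Event("password_reset", "wjain", at(0)),
    Event("password_reset", "wjain", at(10)),
    # lknight: 3 resets in 10 minutes
    Event("password_reset", "lknight", at(0)),
    Event("password_reset", "lknight", at(5)),
    Event("password_reset", "lknight", at(10)),
    # abarry: 4 resets in 4 minutes
    Event("password_reset", "abarry", at(0)),
    Event("password_reset", "abarry", at(1)),
    Event("password_reset", "abarry", at(2)),
    Event("password_reset", "abarry", at(4)),
]

def rule_account_equals(events, target="jadams"):
    """Template 1: substitute [account] for every login and compare it to target."""
    return [f'{e.account} logged in at {e.time:%H:%M}: equals "{target}"'
            for e in events if e.kind == "login" and e.account == target]

def resets_in_window(events, account, count, window_minutes):
    """Template 2 calculation: did `count` resets for `account` fall inside
    `window_minutes`?  Sort the reset times and slide over runs of `count`
    consecutive resets; the rule is true if any run spans at most the window."""
    times = sorted(e.time for e in events
                   if e.kind == "password_reset" and e.account == account)
    window = timedelta(minutes=window_minutes)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))

def rule_reset_burst(events, count=3, window_minutes=5):
    accounts = sorted({e.account for e in events if e.kind == "password_reset"})
    return [f"{a}: {count} password resets in {window_minutes} minutes"
            for a in accounts if resets_in_window(events, a, count, window_minutes)]

def rule_low_risk_score(events, threshold=75):
    """Login whose contextual risk score is below the threshold."""
    return [f"{e.account}: login with risk score {e.risk_score} lower than {threshold}"
            for e in events if e.kind == "login" and e.risk_score < threshold]

def rule_outside_business_hours(events):
    """Login outside 08:00-18:00 Monday to Friday (weekday() 5 and 6 are Sat/Sun)."""
    return [f"{e.account}: login at {e.time:%a %H:%M} outside 8am-6pm Mon-Fri"
            for e in events if e.kind == "login"
            and (e.time.weekday() >= 5 or not 8 <= e.time.hour < 18)]

RULES = [rule_account_equals, rule_reset_burst,
         rule_low_risk_score, rule_outside_business_hours]

def run_rules(events, rules=RULES):
    """Run every rule over the collected events; each true rule is an incident."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts
```

`run_rules(EVENTS)` yields four alerts: the “jadams” login, the “abarry” reset burst, the low-score “rkhan” login and the weekend “jsnow” login; the “wjain” and “lknight” resets stay silent exactly as in the worked calculation above.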

Here are more examples of rules that would be used to detect malicious activity:

  • Send an alert when a user logs in with a “risk score”¹ lower than 75.
  • Send an alert if “jsnow” logs into the URL “accounting.records.int” between the hours of 6pm and 6am.
  • Send an alert if server “bandit” has been accessed with a risk score lower than 85.
  • Send an alert if the device with MAC address “0a:41:f3:76:89:29” has been used to login.
  • Send an alert if URL: “top.secret.int” has been accessed by anyone.

The following rule examples are more informational and are designed to let you know the unknown:

  • Send an alert if the message “access denied” has been seen 100 times in 24 hours.
  • Send an alert if any challenge question has been used less than 15 times.
  • Send an alert if any login session has been open longer than 10 hours.
  • Send an alert if a login to the URL jumping.jack.flash.com has occurred without HTTPS.
  • Send an alert if any account is logged into more than 1 site at a time.
  • Send an alert if any account is logged into outside of 8am to 6pm Mon through Fri.
  • Send an alert if any account has been logged into for more than 14,400 seconds.
  • Send an alert if a password reset is attempted between 7pm and 6am Mon thru Fri or any time Sat and Sun.
  • Send an alert if 3 password change attempts are made within 60 seconds.
  • Send an alert if any account has been locked out.

With the correct rule set for your environment you can become much more aware of important events taking place on your network. Over time, the rule set can be adjusted to mature into a solid force that helps maintain the integrity and efficiency of your systems. Let the rules and rule engine do the nitty-gritty work so you can spend your time on more productive assignments, not to mention getting a better night’s sleep, resting assured that your network is being policed.

¹ Risk score is based on what time they are logging in, where they are logging in from, what kind of network they are logging in on and the device they are using. Logging in on a company-issued PC from the corporate office between 9 and 5 on the company LAN would give a score higher than 75. Logging in from a tablet at a café at 10pm would give a score lower than 75.

Data Breach Investigations Report – Great Data!

One of the better reports of the year, Verizon’s Data Breach Investigations Report (DBIR), really sheds some light on data breaches in the previous year and the trends we are seeing. It should also help you determine what security precautions are going to be necessary as we start a new year.

Overall, in 2012 there were 855 incidents of corporate theft, with 174 million records being compromised. 98% of those came from outside hackers, mostly using hacking methods to break in. One of the more amazing statistics is that 97% of these breaches were completely avoidable if the organizations had implemented stronger methods for controlling risk. The report goes into the demographics and industries of the companies targeted. Do you think you’re a target? It is important to know if you are in a targeted industry and therefore need to implement stronger authentication solutions.

This report is just full of useful insights including:

  • Percentages of attacks coming from external, internal or partner agents
  • Motives of external agents for attacking
  • Which methods of hacking were the most popular over the last seven years
  • The functionality of the malware which performed the breach
  • And much more….

One that we found especially interesting was the percentage of breaches executed using a specific hacking method. It was astonishing to see that many of the methods are ones which can be prevented with the right authentication solution. Seeing that guessable credentials make up 55% of the breaches, with stolen login credentials coming in second at 40%, it is hard to understand why two-factor authentication is not deployed more often. Read More…


Implementing Stronger Authentication Without Impacting Usability and Flexibility

Enterprises typically have various requirements for authentication, based on the individual or groups of users who are entering their systems and using the numerous applications available. The type of application a user is accessing also dictates the authentication requirements. Financial, human resources and other applications that store confidential information or sensitive files and records require stronger authentication than is typically needed, mainly to ensure regulatory compliance. In those cases, multi-factor authentication — using “something you know” (a password) and leveraging “something you have” (typically a token) — is probably the best approach for guaranteeing that only authorized users access restricted applications and that sensitive information is protected.

When requiring multi-factor authentication, enabling usability for the users is critical, as they need easy access to the information and files required to do their jobs in order to maintain productivity. Also, allowing the organization the flexibility of configuring authentication is necessary for helping them meet the various security requirements of their numerous applications and address the access control needs of different users. However, usability and flexibility with multi-factor authentication have not always been possible. Despite this, companies know that requiring only a password, especially with web-based applications, is insufficient, as passwords are easy to exploit and steal. An authentication solution using two distinct authentication factors is what will help eliminate their concerns with the security of access based on a single, knowledge-based factor.

The optimal two-factor authentication solution offers usability and flexibility as well as security, enabling end-users to achieve uncomplicated access and providing organizations with authentication controls — all while reducing risk. Usability is achieved by using a One-Time Password (OTP) obtained via a laptop, mobile phone or other device the user has, along with another password or username to accomplish two-factor authentication. Flexibility is obtained by allowing the authentication factors to be configurable based on the organization’s employees, applications and needs.

The OTP in this two-factor authentication scenario would validate both the user AND the device they are using. This tokenless approach leverages a device the user already has rather than requiring them to possess a separate hardware-based OTP-generating token for authentication, thereby increasing user adoption. The user’s device acts as the “token” or “something the user has” when unlocked by the user’s successful login to it. The time-based OTP is generated on a configurable interval and could be implemented as a toolbar in the user’s web browser. The OTP is totally transparent, as it has no interface and does not require additional processes.

The optimal two-factor authentication solution would give organizations the flexibility to configure the length, expiration and format of the OTP and how it is delivered to the user. OTP delivery options include email, printer, transparent token or SMS (no gateway is required). Transparent tokens could be made up of several types of parameters, such as a random number, a device serial number and/or Active Directory identifiers, which are encrypted.

Using what is called Contextual Authentication, organizations would also have the flexibility to choose the appropriate authentication method for each user, group or application, meeting the needs of the various access scenarios that occur. For example, onsite users may only need to provide strong passwords, whereas roaming users would be required to use two-factor authentication.

Ask organizations to describe the optimal authentication solution and it would be one offering the option of increasing security with an extra layer of authentication and reducing the risk of hacker attacks by employing credentials which expire after one use. By using a tokenless two-factor approach that leverages a device the user already has, organizations would not only offer their users increased usability but ensure greater user adoption. By having the ability to configure the OTP and its delivery method based on their users, groups, applications and organizational goals, organizations would have the flexibility they need to control the level of security required for certain user access scenarios. Because one password or one factor isn’t always enough, organizations’ authentication requirements would be met and the residual benefits would go beyond stronger authentication to include a lower total cost of ownership.
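The article describes a time-based OTP with configurable length and expiration, and credentials that expire after one use, without giving PortalGuard’s own construction. As an added example (not the product’s code), here is the standard TOTP algorithm of RFC 6238 with the digit count and time step exposed as parameters, plus a server-side check that tolerates clock drift and refuses a reused code. RFC_SECRET is the RFC’s published test secret, not a real key.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 shared test secret (ASCII "12345678901234567890"), used here
# only so the outputs can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated
    to `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, digits=6, interval=30, at=None):
    """Time-based OTP: the counter is the number of `interval`-second steps
    since the Unix epoch, so both the length and the interval are configurable."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // interval, digits)

class TotpVerifier:
    """Server side: accept a code from the current step or up to `skew` steps
    either way (clock drift), and never accept a step twice (single use)."""

    def __init__(self, secret, digits=6, interval=30, skew=1):
        self.secret, self.digits = secret, digits
        self.interval, self.skew = interval, skew
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, at=None):
        now = int(time.time() if at is None else at)
        counter = now // self.interval
        for step in range(counter - self.skew, counter + self.skew + 1):
            if step <= self.last_counter:
                continue  # expired or already used: a true one-time credential
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_counter = step
                return True
        return False
```

With the RFC test secret, `totp(RFC_SECRET, digits=8, at=59)` gives the published vector 94287082, and a verifier that has accepted the code for step 1 rejects the same code on replay.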


Declaring War on Passwords

You’ll want to keep an eye out for the IEEE Security & Privacy Magazine set to be published this month, as it will include Google’s point of view on all the ways that people could log into websites in the future. One of these is a ring on your finger that you tap on your computer to authenticate. Overall, the reason for looking for new methods of authentication is, as the article states, that “passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be”.

This cold, hard fact has become apparent with the ever-increasing number of attacks, including the very well publicized hack of Mat Honan, an editor for WIRED, whose digital identity was wiped out in a matter of an hour. One of the ideas for logging users in involves a PortalGuard partner, Yubico, with its USB cryptographic card, which does not require the user to type in the one-time password but instead automatically generates it and populates the password field.

The future Google is predicting is free of complex, hard-to-remember passwords and filled with easy-to-use small hardware devices such as Yubico’s YubiKey. This is all in an attempt to avoid the hacking which, as the “Epic Hack Spike” shows, is only continuing to grow. Read More…

WhiteHat's Top Ten Web Hacking Techniques of 2012

A list that everyone should read is the Top Ten Web Hacking Techniques that WhiteHat puts out yearly. It is an amazing collection of the security industry’s findings on the hacking capabilities which are out on the web. Having been compiled for the last seven years, the list points out attacks on various websites, browsers, proxies, and mobile platforms. Its goal is to choose the top ten new and most creative web-based attacks. The list also serves another purpose: awareness.

By collecting all of these attacks in one list it allows us to be aware of what is going on in the industry. As they say, knowledge is power, and by exposing these techniques you may be able to look at your organization and make changes to prevent attacks you didn’t even know were possible. Below are just some of the attacks which stood out. The list is still being compiled so that WhiteHat can choose the Top Ten, but what an intense list it is so far:

  • Parasitic Computing Using Cloud Browsers
  • Hyperlink Spoofing and the Modern Web
  • Content Smuggling
  • Blended Threats and JavaScript
  • .NET Cross Site Scripting – Request Validation Bypassing
  • How Facebook Lacked X-Frame Options and What I Did With It
  • Bruteforce of PHPSESSID
  • And Many More…


Protect Your Attack Surfaces – Intelligence-based Security

Picking up popularity after RSA Conference 2012, intelligence-based security is seen as the future of protecting the ever-expanding attack surfaces within your organization. The IT world is changing rapidly with demands from users for more anywhere-anytime access, BYOD, and remote access (refer to our previous blog post: “Trying to Secure a Global Perimeter? – Remote Workers and Access Pose a Threat”). All of this poses new security threats which must be adapted to. No longer are basic firewalls and front-end/back-end server configurations going to be enough, since you have a global perimeter to protect.

Predicted to become the norm in 2013, intelligence-based security is the new way to secure your organization when there is more to worry about than basic perimeters, DMZs, or firewalls. The concept of intelligence-based security started to gain traction at the RSA Conference 2012 and has only begun to pick up in popularity from there. This approach no longer thinks in terms of access points to secure but in terms of risk-based approaches and predictive analytics. For example, anti-virus software is now starting to detect the patterns and actions of certain malware programs.

Although most of the solutions out there are beyond most organizations’ budgets, more cost-effective solutions are coming onto the market (PortalGuard, for example, with its transparent user authentication). The focus, however, has at least switched to prevention in the majority of organizations, with 80% on prevention, 15% on detection, and 5% on response. The key for organizations to stay secure is to take the risks seriously, such as mobility and cloud computing, and realize hackers are already well versed and ready to attack. Read More…