Using Challenge Questions to the Best of Their Ability

In the beginning there was the password and life was good.  Eventually people started to forget their passwords and needed help from another person.  Everyone likes to help a colleague, but when many people are asking several times a day, it cuts into the helper's productivity and becomes costly for the company.  Nowadays, companies have a mechanism in place that lets users perform their own password resets: Self Service Password Management.  One method is to have users answer one or more “challenge questions” before they forget their password.  The next time they forget the password, the user can authenticate with one or more of the “challenge questions” in lieu of the password.  Once authenticated with the correct answers to the question(s), a new password can be set, and no one except the end user was involved in the process.

Challenge questions and answers can also be used to authenticate a user, either on their own or in combination with the password.

Just like passwords, the answers you choose should be carefully selected.  A proper answer to a challenge question is one that the user won’t easily forget and a “bad guy” won’t be able to determine through research or guessing.

“Never use any of the following for passwords or password reset challenge answers

  • common words, dictionary words, phone numbers, sequences of numbers
  • name of family member, favorite color, drink, song, performer, pet name, car brand, any information that is publicly available: Think Facebook, LinkedIn, Twitter” 1


“The Question and Answer Challenge is an easy way to help combat spam from both bots and humans. For bots you can just create a question that a computer would have trouble understanding. For humans you can create a question that may be unique to your community’s subject matter that most people might not immediately know. Keep in mind a spammer isn’t going to bother searching for the answer: they will just move on.” 2

Administrators can help facilitate proper answers by asking the right question(s).  The answers should not be easily researched or guessed.  For example, “What was your favorite present as a kid?” is a weak question: it wouldn’t take an intruder long to run through a list of the more popular children’s toys.

“Most websites that register users, use some form of security questions. But my experience is few websites use GOOD security questions. Reality is, there are no GOOD security questions, but these ideas present the best that is available.

Good security questions have four common characteristics. The answer to a good security question:

  1. cannot be easily guessed or researched (safe),
  2. doesn’t change over time (stable),
  3. is memorable,
  4. is definitive or simple.

It’s difficult to create questions that meet all four characteristics which means that some questions are good, some fair, and the remaining are poor.

The most important characteristic of a good security question is security – it does not compromise the very thing it is trying to protect. A good security question would have answers that are not easy to guess or decipher and thus block unauthorized access to the account.

Good security questions meet a number of specific requirements and have high entropy. In general, this means that the number of possible answers is very high and that the probability of selecting any one specific answer is very low. When you create high entropy-based questions, only the authorized user is likely to provide the correct answers.

  • The answer cannot be found through research (mother’s maiden name, birth date, first or last name, social security number, phone number, address, pet’s name)
  • The question has many possible answers where the probability of guessing the correct answer is low
  • Answers are unlikely to be known by others such as a family member, close friend, relative, ex-spouse, or significant other.

Bad examples:

  • What is your address?
  • What is your phone number?
  • What is your mother’s maiden name?

Good examples:

  • What was your dream job as a child?
  • What is the first name of the boy or girl that you first kissed?

A good security question will not work for all people and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if data is more sensitive) with a variety of questions. I recommend offering 15 questions in each of three sets. You would need to eliminate the selected question from the first question for the subsequent question groups.”3
Additional concerns around choosing a secure answer to a challenge question include:

  1. Limited available questions
  2. User information readily available on social websites
  3. Hard to guess, but easy to remember answers

There is a limited pool of secret questions that most Knowledge-Based Authentication systems use and many of the questions have a limited amount of potential responses, such as “What is your favorite color?” If someone researches you and discovers the answers for your questions, they could gain unauthorized access to your account.

The ability for someone to guess the response to a user’s secret question has greatly increased due to the large volume of information available on the Internet. This was demonstrated during the recent presidential campaign, when one of the candidate’s email accounts was hacked into. The attacker was able to do so by conducting a minimal amount of research about the candidate using information found on the Internet to answer the secret questions and get the password for the email account.

Users need to be aware that there is a tremendous amount of information available about them, not only through Internet search engines, but also social networking profiles and other sources.

As with the design of a regular password, the responses to secret questions should be something that is hard to guess, but easy to remember. Users are encouraged to not provide the technically correct response to the question. Similar to developing a strong password, the response to a secret question is in effect a password and thus should have the same protections. The use of a combination of upper and lower case letters, special characters and numbers is recommended. There are many ways to obfuscate your response. The key is to develop a methodology that is easy for you to remember but difficult for someone else, even someone you know, to guess. Some examples are:

  1. Begin and/or end each response with a number, capitalize a letter and use a special character. For example, the response to your mother’s maiden name of “Smith” would be “44SmitH!” OR Insert a number and special character in the middle of the word. In this example the response to your mother’s maiden name of “Smith” would be “Smi44!th.”
  2. Provide answers that do not correspond to the question, thus making it difficult for an attacker to correctly guess. For example, a user may use the name of a city as the response for “mother’s maiden name.”
  3. Use the question itself to create an easy-to-remember passphrase. By combining the main part of the question with one of your favorite catchwords, you can create a passphrase you can remember. If the question is asking for your favorite sports team, you can take “Sports Team” from the question and combine it with a phrase from your favorite show, such as “CSI.” Your answer is, “Sports Team CSI.”
  4. Follow best practices for strong passwords when developing your responses, such as making it at least 8 characters long and using numbers, upper and lower case letters, and special characters. The answers can be different on different websites, even if the same secret question is used. Thus a hacker won’t potentially have access to other accounts if one is compromised.
  5. As with passwords, do not share the responses to your Challenge or Secret Questions, or your methodology for developing them, with anyone.

It is also advised to periodically search your name in an Internet search engine so you are aware of what information about you is freely accessible on the Internet.4
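The advice above amounts to two rules for the system side: screen answers the way you would screen passwords (reject common, researchable or question-echoing answers) and store and check them the way you would store and check passwords (salted, stretched, constant-time comparison, lockout after repeated failures).  The following is an added example, not code from the article or from any product it mentions.  The blocklist and the "public facts" set are constructed for illustration, and the in-memory record and lockout counter are a hypothetical simplification of what a real self-service reset system would keep per user.

```python
"""Handling challenge-question answers with password-grade care.

Added example (not code from the original article). It assumes a
hypothetical in-memory record per enrolled answer and a constructed
blocklist of common answers; a real system would also rate-limit by
account and source address and log every failed attempt.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import unicodedata

# Constructed blocklist: answers so common that a guesser tries them first.
COMMON_ANSWERS = {
    "smith", "jones", "blue", "red", "black", "pizza", "dog", "cat",
    "fluffy", "max", "toyota", "ford", "doctor", "password", "none",
}
PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5


def normalize(answer: str) -> str:
    """Canonicalise Unicode form and whitespace but keep case: the article's
    advice ("44SmitH!") relies on capitalisation carrying entropy."""
    answer = unicodedata.normalize("NFKC", answer)
    return re.sub(r"\s+", " ", answer).strip()


def is_acceptable(question: str, answer: str, public_facts: set[str]) -> tuple[bool, str]:
    """Reject answers that are short, common, echo the question, or are
    already known about the user (public_facts is whatever a researcher
    could find: surname, city, employer, pet's name and so on)."""
    norm = normalize(answer)
    key = norm.casefold()  # screening ignores case; storage does not
    if len(norm) < 4:
        return False, "too short"
    if key in COMMON_ANSWERS:
        return False, "too common"
    if key in {w.casefold() for w in re.findall(r"\w+", question)}:
        return False, "echoes the question"
    if key in {normalize(f).casefold() for f in public_facts}:
        return False, "publicly known about this user"
    return True, "ok"


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(answer: str) -> dict:
    """Store a salted, stretched digest of the answer, never the answer itself."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(answer, salt), "failures": 0}


def verify(record: dict, answer: str) -> bool:
    """Constant-time comparison plus a lockout after MAX_FAILURES wrong guesses."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: even the right answer is refused until reset
    ok = hmac.compare_digest(_derive(answer, record["salt"]), record["digest"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```

The screening step is where the "favorite color" problem is caught: an answer drawn from a tiny pool is rejected before it is ever stored.  The lockout matters because the answer space for many questions is small enough that, without it, an attacker would simply enumerate it.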

Hopefully the information presented in this article will help you to feel more confident when using challenge questions.  You may even want to double check any resources that are currently protected by challenge questions.


U.K Research Shows Cyber Security is Low Priority Among SMEs

According to research done by the U.K’s Institution of Engineering and Technology (IET), cyber security is of little concern to the majority of small to medium sized enterprises there.

The research, which surveyed 250 SME organizations, showed that 23 percent of them had no protection against cyber threats at all, while 30 percent believed they already had protections in place.  Only 14 percent ranked cyber security as their ‘highest priority’ and were confident their organization could successfully fend off an attack.

The key here is cyber security awareness, and it would appear that many firms aren’t grasping the worsening nature and frequency of cyber attacks on businesses today.  The IET reads the survey data the same way, stating that it is working to raise awareness of the issue among the UK’s engineering and technology communities.

The threat of cyber attacks isn’t limited to the U.K of course, but is a global topic.  All SMEs would be wise to take notice.

Read More

IT Professionals Anticipating Data Breaches

According to the results of a survey conducted by Lieberman Software at the RSA Conference in February, 73.3% of IT security professionals do not believe their companies are prepared for a cyber attack if one were to occur within the next six months.

Their lack of faith in their infrastructure is not unjustified, as cyber attacks have been shown to adapt as fast as, if not faster than, the efforts of those who exist to stop them.  Philip Lieberman, CEO of Lieberman Software, describes it this way:

“While vendors of conventional security products — like firewalls and anti-virus — are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them. The reality is that 100 percent protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.”

What’s more, the same survey indicated that 81.4% of IT security staff don’t believe employees are following the practices that IT departments have put in place, and 38.3% have themselves witnessed colleagues accessing information that should have been off limits to them.

The real kicker? The survey also found that 32.3% of those organizations don’t enforce default password changes at all – allowing the same password to be used to access sensitive company hardware and applications indefinitely.

It would seem that the majority of the 250 IT Professionals surveyed are anticipating data breaches, all while a third of them aren’t enforcing the most basic of security policies.


Read More

2013 Information Security Survey


Changing Strategies for IT Security

As cyber threats continue to evolve and become more efficient at compromising your data, so should the business strategies for IT security evolve to keep protecting that data.

NIST (the National Institute of Standards and Technology) agrees, and its newly revised catalog of IT security controls provides a framework for just that: more flexibility for administrators in protecting their information systems.  Specifically, this new set of controls takes a proactive rather than the typical reactive approach, focusing on the systems themselves rather than on the cyber threat.

The latest publication, “Security and Privacy Controls for Federal Information Systems and Organizations”, now in its fourth revision, also takes into account how IT security has evolved over the past two years.  This time around its goal is to spread awareness that security starts with what we already control, rather than retrospectively trying to control the attacks against our systems.

Ron Ross, the FISMA implementation lead at NIST, had the following to say: “We need to stop wringing our hands about the threat…It’s not going away. We’ve got to be in control of the things we can control.”

By employing a bottom-up approach, designing hardware and software to be more security aware, NIST appears to be aiming to make IT security innately more adaptable to the evolving threat environment, with security applied less as an afterthought than under today’s standards.


Read More

NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations Revision 4

Small Business Faces Growing Threat of Cyber Attacks

As reported in an article by the Homeland Security News Wire last week, evidence shows that it’s not just the big businesses we expect to be targets of cyber attacks that should be concerned, but small and medium businesses as well.

In particular, the 2013 Information Security Breaches Survey taken in the U.K shows that the share of small businesses suffering security breaches increased by more than 10 percent over the previous year, bringing the figure to 87 percent of all small businesses in the U.K having experienced a security breach.  In the same survey, large organizations are reported to remain at very high risk, with 93 percent of all large businesses having suffered breaches.

Hopefully the data in these reports will help expand awareness of information security and of the importance of applying good security practices to sensitive data within any company, big or small.

Balancing Security and Usability

There seems to be a constant struggle between keeping your company’s data safe and maximizing the productivity and satisfaction of your employees.  There are enough security systems out there to find one that will lock your data down very securely… the problem is you don’t want to make it so secure that even your own employees can’t access the data.  On the flip side, if employees are not challenged when they access data, this means would-be bad guys will also not be challenged.  So the trick is to find a security product that will allow the officers of the company to sleep well at night, but also permit the employees to be as productive as possible during the day.

What is security?  Security is a mechanism put in place to allow only the appropriate people access to what is being requested.  You have a key to the front door of your house which you use to enter your home if the door is locked.  No one else can get into your home through the front door without the key.  Passwords are used the same way for computers, applications, web sites and files.  Just as your key can get into the wrong hands and subject your home to an unwanted invasion, passwords can be guessed or learned by cyber criminals and give them access to your online valuables.  So to further secure your home, you can add additional locks with different keys.  An intruder now would have to acquire more than one key to break into your home easily.  For computers, we have two-factor authentication, which means that in addition to something you know (a password), you will also be required to possess a device such as a key fob or cell phone (something you have).  Access can be restricted further by also requiring something that physically identifies you as you (something you are), such as a fingerprint or retina scan.  You can see how increased security can make it more difficult for the right people to access what is being protected, which brings us to usability.

What is usability?  Usability defines how easy or difficult it is to use something.  Ideally, the easiest way to get into your home is to just twist the knob and walk right in.  This would be considered very usable and in fact completely tips the scale to the usability side and leaves nothing on the security side.  Having to open five locks with five different keys would be much more secure, but very time consuming and possibly frustrating if you can’t remember which key fits which lock.

So by now you might be getting an image in your head of an old fashioned balance scale that is dipping back and forth, depending on how secure or usable a system is.

One method for having a secure and usable system is to require two-factor authentication, but automate the second factor.  For instance, a browser add-on would have a mechanism for creating a security token that only it and the requested server know how to process.  After the user enters their password when getting into the site, the browser sends the security token on the user’s behalf.  The user is happy because they only need to provide a password, and the security officer is also happy because two factors are needed to access the site.  One caveat: the second factor is then the browser or device holding the token secret, so that secret must be protected from being copied by whoever also steals the password, or the two factors collapse into one.

Single Sign-On (SSO) can also be employed to balance the security and usability scale.  A user logs into an authentication server and is issued a security token.  The other sites that the user then accesses do not prompt for additional logins because the security token is automatically delivered to their servers, and the servers know how to validate the token and authenticate the user.  The token should state which user it was issued to, which service it is for, and how long it is valid, since anyone who obtains it can present it until it expires.
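To make the SSO exchange concrete, here is an added example of the two halves: the authentication server issuing a signed token, and a relying server validating it without a second login.  This is not code from the article and the token format is constructed for this page (JWT-like in shape, but not JWT, SAML or any other standard).  It assumes a key shared between the authentication server and the relying servers; that assumption is discussed after the code.

```python
"""Single sign-on token: issued once by the authentication server, verified
by every relying server without another login.

Added example, not code from the article. It assumes a key shared between
the authentication server and the relying servers (hypothetical setup);
the token format is constructed for this example and is not a standard.
"""
import base64
import hashlib
import hmac
import json


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Authentication server: bind the user, the target service and a short
    lifetime into the signed body so the token cannot be reused elsewhere or later."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def verify_token(key: bytes, token: str, expected_audience: str, now: int):
    """Relying server: check the MAC before parsing anything, then the audience
    and expiry. Returns the authenticated subject, or None to reject."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(tag)):
            return None  # forged or tampered
        claims = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeError):
        return None  # malformed encoding
    if claims.get("aud") != expected_audience:
        return None  # issued for a different service
    if now >= claims.get("exp", 0):
        return None  # expired
    return claims.get("sub")
```

Two design points follow from the text.  First, validation checks the signature before it parses the body, so a relying server never acts on claims it has not authenticated.  Second, a shared HMAC key means every relying server that can verify tokens can also mint them; with one authentication server trusted by many sites, as the article describes, the production choice is an asymmetric signature so that relying servers hold only the public verification key.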

Some environments may not be well suited for balancing security and usability and have to require very strong authentication before gaining access.  You’ve watched the scenes in the movies where three different people have to be in the same room with their physical keys and passwords in order to launch an end of the world nuclear attack.  But on the other hand you wouldn’t put any security on a public park where people can exercise and relax.

The balance point (or lack thereof) between security and usability is not going to be the same for everyone.  The goal is to understand what is being protected and how secure it has to remain.  Then the appropriate security mechanisms can be put in place.

Here are additional resources on this topic:

Subsistence Level Security Spending

The US Census takes place every 5 years, with the last occurring in 2008.  According to it, there were nearly 89,000 US companies with between 100 and 500 employees, which we’ll refer to as the Small-to-Medium Business (SMB) market.  Many of these companies offer valuable services to their customers and are typically able to secure annual profits.  However, looking at these companies’ expenditures would reveal that a bare minimum is spent on IT security and infrastructure.  Wendy Nather refers to them as companies below the “Security Poverty Line”.  Mike Rothman depicts it as a “Security No-Man’s Land”.  No matter how it’s described, it is not an enviable place to be.

Companies that have prioritized security spending and have the capital available are the “haves”.  They have approved annual budgets for IT security and are heavily targeted by security vendors.  Security spending is a necessity for them due to either compliance requirements or the realization that data breaches would severely damage their bottom line.  They are being proactive to limit exposure and risk to a decidedly “present” threat.

On the flip side of the coin are companies that either do not have the budget for security spending or do not yet see a need for it.  This is a dangerous zone to exist because malicious parties see them as low-hanging fruit that can be exploited with minimal effort.  Why attack a stronghold replete with an alligator-infested moat, constantly-manned watchtowers and heavily fortified keep when the local merchant can be easily overrun by a simple “smash and grab”?  Some black hat hackers are primarily interested in reputation and bragging rights, but profit is the most common motivator of professional hackers.

These businesses may appear completely solvent with a tidy balance sheet, but the real imbalance, inadequate internal security, is a sullying undercurrent.  What this typically means for the company itself is that they don’t have someone or something to:

  • Verify current network architecture – When “Availability” trumps “Security”, the potential for gaping security holes is a constant specter
  • Look at security logs – Not knowing whether any admin accounts were locked out or whether a surge in network traffic occurred the previous night
  • Check for security patches – “0-day” hacks become “any-day” hacks!

This type of company could either be primed for an attack by a moderately skilled hacker or already be an unwitting victim of one.  Unfortunately, their staff is too busy fighting day-to-day operational fires to know.

The customers of companies fitting this profile are also at risk.  Their account or credit card information is a standard target of professional hackers.  Most users tend to re-use their passwords across multiple websites, so even if the company doesn’t hold any data that can be directly leveraged, what it does hold could be used to attack its customers’ other, higher value accounts.  Leaving “company A” for “company B” upon news that the former had a security breach becomes an easier decision for inconvenienced end users.

One of the major causes of this stratification is that so many solutions are priced for enterprise/Fortune 1000 companies.  The largest typically require exorbitant consulting hours for initial setup and configuration in addition to hefty annual support contracts.  However, mature, independently certified products with reasonable pricing are available.  These require minimal effort to install and maintain and can help enforce “best practices” security to move the company’s “low hanging fruit” further up the tree, out of reach of garden variety fraudsters.

Please see our companion website for further details.