The Financial Industry - Courts Try to Prove Reasonable Security

$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This was a phishing attack that caused damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica was putting authentication policies in place, such as secure token technology, there was still a user-created gap that allowed the attackers to gain access. An attack needs only that access to succeed.

Although Comerica was able to recover all but $560,000 of the funds, EMI is still pressing charges, saying that Comerica exposed EMI’s users to the phishing attack. Comerica, of course, is implying that any EMI employee responsible for financial transactions should have recognized that the phishing site was a scam.

No decision on liability has yet been made in favor of either company. Although the contracts originally signed by the two companies favor Comerica Bank, the fact that the banking industry demands stronger authentication, and that Comerica therefore has easier access to advanced authentication technologies, does not look good for the bank. It will be interesting to see how the case progresses in mid-November.

The full article is available at BankInfoSecurity.com.

Authentication Adaptability: Survival is Key

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin put it so eloquently, facing change by adapting to it is how you survive. This translates directly to authentication and to the principle of strengthening authentication to keep pace with changing circumstances.

The idea is that change is inevitable and businesses will be weeded out according to their ability to adapt. In authentication and security this is an ongoing challenge facing businesses in the form of regulatory compliance, authentication trends and ever-increasing attacks.

Although this is experienced across most industries, it is an especially pressing issue in the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They also hold vast amounts of personal information and data, making them major targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

One example of adaptation in the financial industry is the growing popularity and use of online banking. Although it is extremely convenient for end-users, the question is how the financial industry will adapt its authentication to protect users’ highly sensitive data on the internet.

To adapt, financial institutions follow the FFIEC guidelines and implement multi-factor and stronger authentication, such as one-time passwords. The financial industry is required to maintain a high level of data protection and is therefore leading the way in authentication and security. Reviewing how these heavily targeted industries respond is a good way to understand where to set the bar for your own required level of data protection.

PortalGuard has Great Success at the 2010 SharePointPro Summit & Expo

Thanks for Stopping By!

We first would like to extend a thank you out to those of you who stopped by our booth at the SharePointPro Summit this year. It was fascinating to hear about how SharePoint authentication and security is being handled, what specific requirements you are looking for, and how PortalGuard or Tailored Authentication could help you with your SharePoint security needs.

If you did not have a chance to see us at the show, then we encourage you to visit PortalGuard.com, to see how PortalGuard is the solution for meeting and exceeding your security objectives. PortalGuard is supported on multiple platforms including Microsoft SharePoint/IIS, IBM Websphere/Websphere Portal, and Lotus Domino.

PortalGuard:

PortalGuard is an authentication and security solution that allows end-users to securely authenticate and manage their portal login credentials directly from a Web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication. Learn More…

Extensible Authentication Framework:

Many of our customers implement our standard Password Power Plug-ins: this authentication software framework offers robust functionality and feature-rich security, access control, and password management.

But for those customers who have a unique user base, organizational complexities, specific security and compliance requirements or multiple and diverse applications, our expert professional services and development team will develop a solution adapted to their environment and delivered within the framework of our standard Password Power software product, including ongoing technical support. Learn More…

Cloud Computing: The “Greener” Solution for Government

Upon visiting apps.gov, out of curiosity about what exactly cloud computing is, I came across the video showing the new plans the government has in store. Typically known as a huge, overwhelming IT “creature”, the government is planning to change its ways with regard to IT systems.

Currently the government is riddled with hundreds of systems, unique applications and environments all across the globe. Large IT infrastructures stand behind these individual systems, supporting them as separate entities. On closer inspection, some of these large systems duplicate work that many other systems are also doing, such as email.

The U.S. CIO Vivek Kundra is on board with consolidating these massive infrastructures to cut down on the serious carbon footprint they leave behind. By combining services and using the same infrastructure for multiple environments, the government is attempting to cut costs.

Of course the question is: will it work? The hope is for lower maintenance costs, fewer staff to maintain, and a greener solution. At the moment the government is showing the greatest concern about security, privacy, and procurement. It is, of course, a giant system with many legacy applications that many predict will not go away.

If anything is to change it won’t be fast, and it will be almost like a case study for the government to approach from all angles. The main idea this brought up is: if the government can do it, why can’t we? Although most of us rely on external IT infrastructure, it would be interesting to see what would happen if everyone were on board with cloud computing.

Learn more at Apps.Gov.

Bookmarklet-based Password Managers Exposed

Given the number of websites a user accesses per day, most of which require authentication, it is no wonder that everyone is looking for a tool to remember their passwords. Websites are requiring techniques such as mixing capital letters, symbols, and spaces to increase the strength of passwords and the difficulty of cracking or obtaining them.

One way users keep track of these multiple credentials is with password management tools. These usually remember the password for the user, so forgetting it is no longer a concern. Unfortunately it has been found that these tools can also decrease security and open a window of opportunity for hackers.

In the article by Rachel Kremen, “Plugging a Password Leak: How a Simple Fix Made Password Managers More Secure”, the issues with password managers that use bookmarklets to automate the login process for the user’s websites were exposed. The researchers investigated six popular bookmarklet-based password managers, Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The findings were alarming.

These managers work by storing the user’s passwords for their favorite sites on a central server. When the user visits a site again, the bookmarklet is used to determine which site the user is on and to supply the credentials.

The researchers found this to be a red flag. The main question it raised is: how does the manager know for sure that the website it thinks the user is on is really that site? After running tests, they discovered that with a few pieces of code the manager could be fooled into producing the credentials for a user’s website even when the user was not visiting that site.

Hackers could easily obtain the credentials for bank websites, credit cards, and other personal information. The password manager would provide the credentials without recognizing that it was actually a hacker’s website it was providing them to.

Luckily the solution was easy: checking the referrer header, over SSL, makes forging the website difficult. The password manager services researched did take the researchers up on the suggestion, made the changes, and/or informed their users.

Imagine the losses that could occur. With everyone placing their trust in websites, it is vital to protect the information used to access them. Although remembering these passwords can be challenging, so is tracking a cyber criminal who has taken your identity. With these tools it is important to understand what information you are providing to them and how it will be used. Putting all your passwords in one basket is not necessarily the best plan for secure authentication.
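As an added example, not code from the article or from any of the password managers named in it, the following server-side check sketches the referrer-based fix the researchers proposed: the service releases a stored credential only when the browser-supplied Referer header is an HTTPS URL whose host matches the site the bookmarklet claims to be on. The vault contents, host names and request objects are constructed for illustration.

```javascript
// Constructed vault for one user: site host -> stored credential.
// A real service would keep this per user, encrypted at rest.
const VAULT = {
  "bank.example": { user: "alice", pass: "s3cret-bank" },
  "shop.example": { user: "alice", pass: "s3cret-shop" },
};

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Decide whether a bookmarklet request may receive the credentials for
// `claimedHost`. The bookmarklet's own claim about which site it is on is
// untrusted, since a hostile page can script it to say anything. The Referer
// header is set by the browser from the page that actually loaded the
// bookmarklet's resource, so it is the value that is checked instead.
function releaseCredentials(claimedHost, headers) {
  const referer = headerValue(headers, "referer");
  if (!referer) return { ok: false, reason: "no referer header" };

  let origin;
  try {
    origin = new URL(referer);
  } catch (e) {
    return { ok: false, reason: "malformed referer" };
  }
  // Over plain HTTP the Referer can be stripped or tampered with in transit,
  // so only an HTTPS origin counts as evidence of where the request came from.
  if (origin.protocol !== "https:") return { ok: false, reason: "referer not https" };

  const host = claimedHost.toLowerCase();
  if (origin.hostname !== host) {
    return { ok: false, reason: `referer host ${origin.hostname} does not match ${host}` };
  }
  const cred = VAULT[host];
  if (!cred) return { ok: false, reason: "no credential stored for host" };
  return { ok: true, credential: cred };
}
```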

Our Admin2009 Tailored Authentication Exhibit

April 20, 2009 by Chief Content Writer
Filed under: General Information, Uncategorized

We’re back in the office this week after spending most of last week at THE VIEW’s Admin2009 and LotusDeveloper2009, a three-day conference for Lotus software professionals at the Sheraton Boston Hotel. This is one of the top trade shows we exhibit at each year, and it gave us the chance to showcase our “Tailored Authentication” message. Below are photos of our booth and the PistolStar team members who were there to greet visitors, discuss our solutions, and hand out information on how they are tailored to fit customers’ unique requirements and environments. Team members Craig Campbell, Larry Conroy, and Kimberly Johnson joined VP of Sales Mark Cochran, who snapped the photos.

Close-up view of Admin2009 booth
Our booth at Admin2009
Our booth and team members at Admin2009