Authentication Adaptability: Survival is Key

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

As Charles Darwin put it so eloquently, facing change by adapting to it is how you survive. This translates directly to authentication and the principles behind strengthening authentication to adapt to changing circumstances.

The idea is that change is inevitable and that businesses will be weeded out according to their ability to adapt. With authentication and security this is an ongoing challenge facing businesses in the form of regulatory compliance, authentication trends and ever-increasing attacks.

Although this is experienced across most industries, it is an ever-pressing issue for the financial, insurance and healthcare industries. These industries are heavily regulated and thus subject to constant compliance requirements. They are also huge carriers of personal information and data, making them prime targets for evolving attacks and identity theft.

Some of the more prevalent attacks include:

One example of adaptation in the financial industry has been the popularity and increasing use of online banking. Although it is extremely convenient for end-users, the question is how the financial industry will adapt its authentication to protect users’ extremely sensitive data out on the internet.

In order to adapt, financial institutions follow the FFIEC guidelines and implement multi-factor authentication and stronger authentication such as one-time passwords. The financial industry is required to have a high level of data protection and is therefore leading the way in authentication and security. Reviewing vulnerable industries is a great way to understand where to set the bar for your own required level of data protection.

PortalGuard Climbs the SharePoint Summit

April 26, 2010 by Kimberly Johnson
Filed under: PortalGuard, SharePoint Authentication 

Climb the Sharepoint Summit

Come join PortalGuard by PistolStar, Inc. at the SharePointPro Virtual Conference, Climbing the Sharepoint Summit. No need to leave your office: just join us online on May 20th, 9:00am-4:00pm EST, and ask us any questions you like. The best part is that registration is open to anyone and free!

Come see if PortalGuard is right for your company! See how you can meet or exceed your security objectives, including:

  • Stronger Authentication
  • Reducing Risk - both financial and security
  • Enhance compliance with both security and industry standards
  • Deliver effective password policies
  • Implement Best Practices

And Many More…


Layoffs: Studies Say There Are Threats to Data

August 4, 2009 by Kimberly Johnson
Filed under: Data Security, General Information 

Recently, Insurance Buyers’ News, a direct mail newsletter, came to our office and included a serious article that businesses should be considering today. Unfortunately, with layoffs still occurring, the number of disgruntled employees is rising, which poses a threat to a company’s data.

“Layoffs Increase Data Breach Risks”, discusses a recent example with a systems administrator. He demanded money and references, or else he would attack the servers. Although he was caught and prosecuted, the damage that could have been done would have been a serious cost to the company.

Studies are beginning to show that employees are not planning on taking just their pens when they leave, but also vital information. The question of course becomes, how are you going to protect your data? It is important to be prepared, especially if there is a possibility of layoffs in the near future.

We recommend a few key tactics to protecting your company from the potential threat:

Many laid-off employees have been found to still be able to access their old accounts, even after the layoff occurred. Treating employees with respect is a way to make these hard times smoother, but protecting your data and your current employees is key.


Announcing PortalGuard: Stronger authentication and enhanced security and compliance for SharePoint and WebSphere

Today, we announced the latest product addition to the PistolStar family — PortalGuard — which provides authentication security, access control and self-service password features for Microsoft SharePoint and IBM WebSphere and WebSphere Portal. Check out the press release.

Security Focus Starts Inside

It is the insiders (i.e. your company’s employees) and not the outside hackers that represent the greatest threat to your information assets. And, their unauthorized access to supposedly protected data can surprisingly be accidental as much as it can be intentional. This reveals that most organizations have not taken sufficient measures to prevent insider access and attacks and ensure that internal security, particularly access control, is adequately addressed.

Strengthening authentication and making passwords stronger should be paramount when implementing an authentication, password management or identity management system. However, security is often secondary to usability among the project’s goals. The focus of password management is on improving the user experience and reducing the number of passwords as well as centralizing passwords to ease the IT staff’s burden of managing multiple, disparate accounts. But, by placing less emphasis on the security aspects of authentication, organizations place their assets at risk. Yes, productivity is improved for end-users and IT staffers to the point of achieving a respectable ROI. Nevertheless, with the rise in data theft, particularly during the economic downturn, if even the most robust authentication solution has inadequate security features, it cannot deliver enough ROI to cover the potential cost of a successful hacking event.

Companies can easily and cost-effectively strengthen authentication and passwords while protecting access to sensitive data. Here are some possible approaches:

  • Incorporate password security functionality such as password strength validation, password expiration intervals, password frequency limits, and strike-out limits by person, group and hierarchy
  • Integrate the Kerberos authentication protocol with Active Directory authentication to mutually authenticate the user and the server to which they are attempting access — and without transmitting passwords.
  • Require users to respond to a set of pre-configured challenge questions, as well as enter their username and password. Multiple challenge question/response functionality is easy to set up and allows quick access.
  • Implement real-time monitoring and alert functionality to obtain knowledge on user login activity.

Benefits can include:

  • Ensuring passwords and access-related features meet compliance requirements
  • Enabling secure access to applications and databases
  • Enforcing password policies
  • Achieving greater oversight of user login and authentication behavior
  • Increasing the overall efficiency of authentication and password management
  • Maintaining security overall

For more ideas, as well as to learn more about the above, contact Mark Cochran, a PistolStar authentication expert.

Addressing Challenges with Challenge Questions

Did you happen to see the article that ran last Monday (May 18) on MIT Technology Review online entitled “Are Your ‘Secret Questions’ Too Easily Answered?” We read this with great interest, mainly because we believe that the proper use of challenge questions as back-up authentication can definitely make your authentication process more robust. HOWEVER, implementing challenge questions without a defined strategy will certainly generate and increase security risks.

Requiring that users resetting passwords answer only a single challenge question — not to mention one that had been selected from the typical short list of generic questions such as “What is your favorite city?” and “What is your favorite sports team?” — makes it just too easy for potential hackers to guess the answer and gain access to sensitive and private information. Such questions have a limited number of possible answers, making the guessing game that much easier. Even with more personal yet general questions such as “Where did you go to high school?” or “What is your dog’s name?”, someone with very little knowledge of the user can make a pretty good guess.

That is why, as part of the stronger authentication capabilities we offer our customers, we provide multiple challenge question functionality for password recovery/reset that allows IT security administrators to create 10 questions that users provide answers to at the initial set-up. These questions can be as secure as the administrators want to make them. Then, the administrators can configure whether users are asked to respond to three, five or more randomly selected questions from the list to perform the password reset. For administrators who need assistance creating challenge questions that will not have common answers yet will be easy for users to remember, our professional services team is equipped with ideas.

As Stuart Schechter, the Microsoft researcher quoted in the article points out, “Back-up authentication schemes should have two important characteristics. They should be reliable, allowing a legitimate user to gain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.” Our multiple challenge question functionality possesses both.
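To put numbers on the argument above (a single generic question versus several randomly chosen questions from an administrator-authored pool, combined with a strike-out limit), here is an added illustration in Python. It is not PistolStar or PortalGuard code; the per-question guess probabilities and the ten "admin questions" are constructed estimates for a stranger guessing on one try, not measured values.

```python
"""Guessing resistance of challenge-question reset policies.

Added illustration, not PortalGuard code. Each question is modelled by the
probability that an attacker who knows little about the user guesses its
answer on a single try. All figures below are constructed for illustration.
"""
from itertools import combinations
from math import comb

# Constructed estimates: generic questions with a small answer space.
GENERIC_POOL = {
    "What is your favorite city?": 0.10,
    "What is your favorite sports team?": 0.08,
    "What is your favorite color?": 0.20,
}

# Constructed estimates: ten admin-authored questions with uncommon answers.
ADMIN_POOL = {f"admin question {i}": p for i, p in enumerate(
    [0.01, 0.02, 0.005, 0.01, 0.03, 0.01, 0.02, 0.005, 0.01, 0.01], 1)}


def single_attempt_success(pool, k):
    """Probability that one reset attempt succeeds when the policy asks k
    questions drawn uniformly at random from ``pool`` and every answer must
    be right. Averages the joint guess probability over all k-subsets."""
    probs = list(pool.values())
    if not 1 <= k <= len(probs):
        raise ValueError("k must be between 1 and the pool size")
    total = 0.0
    for subset in combinations(probs, k):
        joint = 1.0
        for p in subset:
            joint *= p
        total += joint
    return total / comb(len(probs), k)


def success_within_strikes(pool, k, strikes):
    """Probability of success before a strike-out limit locks the account,
    assuming each attempt draws a fresh random question set and attempts
    are independent (a simplifying assumption, so treat this as a bound)."""
    p = single_attempt_success(pool, k)
    return 1.0 - (1.0 - p) ** strikes


if __name__ == "__main__":
    print("1 generic question:", single_attempt_success(GENERIC_POOL, 1))
    print("3 of 10 admin questions:", single_attempt_success(ADMIN_POOL, 3))
    print("3 strikes, 1 generic q:", success_within_strikes(GENERIC_POOL, 1, 3))
```

Running it shows the single generic question falling to a stranger more than one time in ten, while three random questions from the stronger pool drop the per-attempt success below one in ten thousand, which is the gap the multiple-question configuration is meant to open.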

Strengthening Authentication to Adapt to Changing Circumstances

December 10, 2008 by Chief Content Writer
Filed under: Authentication Security 

The growing number of enterprise applications, an increasing need for globally-based users to access systems, and employees working 24/7 in remote locations has created the security challenges that IT administrators are seeing in today’s corporate environment:

  • Ensuring only authorized individuals have access to specific data and systems
  • Diminishing the risk of data exposure and network attacks
  • Corporate mandates to employ security best practices
  • Increased government and industry standards for data and IT security
  • Multiple passwords for end-users to remember (and forget or lose)
  • Increased number of unique password stores and sets of password policies to manage

Securing the authentication process is a major step toward securing the enterprise; however, you want to ensure the process maintains end-user productivity, avoids increasing Help Desk calls and incorporates best practices such as stronger authentication, login restrictions and password security rules. So, what would be the right solution for securing authentication? The “right solution” should possess the following characteristics:

  • Be appropriate for the level of risk posed by your IT environment;
  • Scalability to accommodate growth;
  • Interoperability with existing systems and future plans;
  • Auditing and reporting capabilities; and
  • Adequacy in light of changing risks, such as the evolving sophistication of compromise techniques.

We’ll have more on this subject in later posts, but please tell us if there are any characteristics that should be added to this list.