Filed under: Authentication Security, Authentication Trends, Data Security, General Information, IT Security, password security, Research, Security Awareness
According to the results of a survey conducted by Lieberman Software at the RSA Conference in February, 73.3% of IT security professionals are unwilling to believe that they’re companies are prepared for a cyber attack if it were to occur within six months.
Their lack of faith in their infrastructure is not unjustified, however, as cyber attacks have been shown to be adapting as fast, if not faster than the efforts put forth by those that exist to stop them. CEO of Lieberman Software Philip Lieberman had describes:
“While vendors of conventional security products — like firewalls and anti-virus — are constantly updating their tools to reactively protect against the latest threats, hackers are looking for flaws and engineering new attacks to exploit them. The reality is that 100 percent protection is nearly impossible to achieve, but there are still best practices for securing access to critical systems and data that many organizations tend to ignore.”
What’s more, is that the same survey indicated that 81.4% of IT security staff don’t believe employees are carrying out the proper practices that IT departments have put into place, and even that 38.3% have themselves witnessed colleagues accessing information that should be confidential to them.
The real kicker? The survey also recognized that 32.3% of those organizations don’t enforce default password changes at all – allowing the same password to be used to access company sensitive hardware and applications indefinitely.
It would seem that the majority of the 250 IT Professionals surveyed are anticipating data breaches, all while a third of them aren’t enforcing the most basic of security policies.
Filed under: Data Security, General Information, IT Security, Research, Security Attacks, Security Awareness
The NIST (National Institute of Standards and Technology) agrees, and their newly revised catalog of IT security controls provides a framework for just that: a wider range of flexibility for administrators with which to protect their information systems. Specifically, this new set of controls, in a proactive approach rather than the typical reactive, focuses particularly on the systems themselves, and not the cyber threat.
Their latest publication “Security and Privacy Controls for Federal information Systems and Organizations”, having undergone its fourth revision, also promises to take into consideration the evolving state of IT Securities as recently as the past two years. This time around its goal is to spread awareness that security starts with what we already control, rather than retrospectively trying to control the attacks against our systems.
Ron Ross, the FISMA implementation lead at NIST had the following to say: “We need to stop wringing our hands about the threat…It’s not going away. We’ve got to be in control of the things we can control.”
By employing a bottom-up approach and thereby designing hardware and software to be more security aware, NIST appears to be aiming to redesign IT Security such that it’s innately more adaptable to the evolving threat environment; with security being applied less as an after thought than today’s standards.
NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations Revision 4
Filed under: Authentication Security, Authentication Trends, Data Security, General Information, password security, Research, Security Attacks, Security Awareness
As presented in an article by the Homeland Security News Wire last week, evidence has shown that it’s not just big businesses we’ve come to expect should be concerned with being the targets of cyber attacks, but small and medium business as well.
In particular, the 2013 Information Security Breaches Survey taken in the U.K shows that the number of security breaches on small businesses increased by more than 10 percent over the previous year, bringing the full figure to 87 percent of all small businesses in the U.K having experienced security breaches. In the same survey, large organizations are reported to remain very high risk, with 93 percent of all large businesses having suffered breaches.
Hopefully the data in these reports will do well in expanding awareness of Information Security, and the importance in applying good security practices to sensitive data within any company, big or small.
Filed under: Authentication Security, Biometrics, PortalGuard, Security Awareness, Single Sign-on (SSO), Two-factor Authentication
There seems to be a constant struggle between keeping your company’s data safe and maximizing the productivity and satisfaction of your employees. There are enough security systems out there to find one that will lock your data down very securely… the problem is you don’t want to make it so secure that even your own employees can’t access the data. On the flip side, if employees are not challenged when they access data, this means would-be bad guys will also not be challenged. So the trick is to find a security product that will allow the officers of the company to sleep well at night, but also permit the employees to be as productive as possible during the day.
What is security? Security is a mechanism put in place to only allow the appropriate people access to what is being requested. You have a key to the front door of your house which you use to enter your home if the door is locked. No one else can get into your home through the front door without the key. Passwords are used the same way for computers, applications, web sites and files. Similar to how your key can get into the wrong hands and subject your home to an unwanted invasion, passwords can be guessed or learned by cyber criminals and give them access to your online valuables. So to further secure your home, you can add additional locks with different keys. An intruder now would have to acquire more than one key to easily break into your home. For computers, we have two factor authentication which means in addition to something you know (password), you will also be required to have possession of a device such as a key fob or cell phone. Additional restraints can be put on access by also requiring something that physically identifies you as you, such as a fingerprint or retina scan. You can see how increased security can make it more difficult for the right people to access what is being protected which brings us to usability.
What is usability? Usability defines how easy or difficult it is to use something. Ideally, the easiest way to get into your home is to just twist the knob and walk right in. This would be considered very usable and in fact completely tip the scale to the usability side and leave nothing on the security side. Having to open five locks with 5 different keys would be much more secure, but very time consuming and possibly frustrating if you can’t remember which key fits which lock.
So by now you might be getting an image in your head of an old fashioned balance scale that is dipping back and forth, depending on how secure or usable a system is.
One method for having a secure and usable system is to require 2 Factor authentication, but automate the 2nd factor. For instance, a browser add-on would have a mechanism for creating a security token that only it and the requested server will know how to process. After the user enters their password when getting into the site, the browser will send the security token on the user’s behalf. The user is happy because they only need to provide a password and the security officer is also happy because 2 factors are needed to access the site.
Single Sign On (SSO) can also be employed to balance the security and usability scale. A user logs into an authentication server and is presented with a security token. The other sites that the user then accesses do not prompt for additional logins because the security token is automatically delivered to the servers and the servers know how to process the token to authenticate the user.
Some environments may not be well suited for balancing security and usability and have to require very strong authentication before gaining access. You’ve watched the scenes in the movies where three different people have to be in the same room with their physical keys and passwords in order to launch an end of the world nuclear attack. But on the other hand you wouldn’t put any security on a public park where people can exercise and relax.
The balance point (or lack thereof) between security and usability is not going to be the same for everyone. The goal is to understand what is being protected and how secure it has to remain. Then the appropriate security mechanisms can be put in place.
Here are additional resources on this topic:
Filed under: Data Security, IT Security, Research, Security Awareness
The US Census takes place every 5 years, with the last occurring in 2008. According to it, there were nearly 89,000 US companies with between 100-500 employees (link) which we’ll refer to as the Small-to-Medium Business (SMB) market. Many of these companies offer valuable services to their customers and are typically able to secure annual profits. However, looking at these companies’ expenditures would reveal that a bare minimum is spent on IT security and infrastructure. Wendy Nather refers to them as companies below the “Security Poverty Line” (link). Mike Rothman depicts it as a “Security No-Man’s Land” (link). No matter how it’s described, it is not an envious place to be.
Companies that have prioritized security spending and have the capital available are the “haves”. They have approved annual budgets for IT security and are heavily targeted by security vendors. Security spending is a necessity for them due to either compliance requirements or the realization that data breaches would severely damage their bottom line. They are being proactive to limit exposure and risk to a decidedly “present” threat.
On the flip side of the coin are companies that either do not have the budget for security spending or do not yet see a need for it. This is a dangerous zone to exist because malicious parties see them as low-hanging fruit that can be exploited with minimal effort. Why attack a stronghold replete with an alligator-infested moat, constantly-manned watchtowers and heavily fortified keep when the local merchant can be easily overrun by a simple “smash and grab”? Some black hat hackers are primarily interested in reputation and bragging rights, but profit is the most common motivator of professional hackers.
These businesses may appear completely solvent with a tidy balance sheet, but the true imbalance of inadequate internal security is a sully undercurrent. What this typically means to the company itself is that they don’t have someone or something to:
- Verify current network architecture – When “Availability” trumps “Security”, the potential for gaping security holes is a constant specter
- Look at security logs – Not knowing if any admin accounts were struck out or if a surge in network traffic occurred the previous night
- Check for security patches – “0-day” hacks (link) become “any-day” hacks!
This type of company could either be primed for an attack by a moderately skilled hacker or already be an unwitting victim of one. Unfortunately, their staff is too busy fighting day-to-day operational fires to know.
The customers of companies fitting this profile are also at risk. Their account or credit card information is a standard target of professional hackers. Most users tend to re-use their passwords across multiple websites, so even if the company doesn’t contain any data that can be directly leveraged, it could be used to attack their other, higher value accounts. Leaving “company A” for “company B” upon news that the former was had a security breach becomes an easier decision for inconvenienced end users.
One of the major causes of this stratification is that so many solutions are priced for enterprise/Fortune 1000 companies. The largest typically require exorbitant consulting hours for initial setup and configuration in addition to hefty annual support contracts. However, mature, independently certified products with reasonable pricing are available. These require minimal effort to install and maintain and can help enforce “best practices” security to move the company’s “low hanging fruit” further up the tree, out of reach of garden variety fraudsters.
Please see our companion portalguard.com website for further details.
Filed under: Authentication Security, Data Security, password security, Two-factor Authentication
A member of the PistolStar team shares his personal story on the dangers of Facebook, and the benefits of enhanced security two-factor login:
If you haven’t been under a rock for the past few years, you are well aware of the ever popular Facebook web site where friends and foes of many races and generations get together to share information. Yes, I said friends and foes. All good things must have their evil side and Facebook is no exception. You may have a close friend and have trusted them with your Facebook credentials. Friends don’t always stay friends and sometimes they even turn nasty toward one another.
Take for example this true story of my daughter (Jill) and one of her classmates (Sara). At one point, they were close and of course, without our consent, my daughter shared her Facebook password with the young lady. There were a number of “drama” occurrences for one reason or another between the two High School Freshman, which eventually drove them apart. However, they still had mutual friends in common and my daughter’s ex-friend still wanted to be friends. Jill was smart enough at this point to change her Facebook password.
Now we introduce a young couple, Sandy and Tim, that are having relationship problems and of course Jill and Sara are involved. Jill is interested in Tim and Tim is interested back. Jill and Tim have private conversations with one another over Facebook.
Sara has been trying to get Jill to speak with her so they can make up, but Jill has smartened up and doesn’t want to have anything to do with Sara. Out of desperation Sara is able to guess Jill’s Facebook password, probably because the password wasn’t much different than the one she knew to begin with. Sara finds the private conversations and reveals them to Sandy.
Fortunately for Jill, Sandy does not have anything against her and she had called it off with Tim anyway. What could have been a very tough incident, peacefully calmed itself down, but the damage had been done. Jill’s Facebook account was hacked by a Freshman student.
Since that time, we have enabled Two Factor Authentication through Facebook. 2FA is a two-step authentication process where the user must know their username and password AND also have their own cell phone that a One Time Password is sent to. This is something you know and something you have. Should Sara guess the new password again, she will not be able to get in unless she has my daughter’s phone and the passcode for the phone.
This link explains nicely how to enable 2FA on Facebook: link
You might be wondering what happened to Sara. She more or less broke the law by accessing Jill’s personal communications. You will be happy to hear that Jill reported Sara to Facebook and Facebook sent back confirmation to Jill that Sara’s own Facebook account had been terminated.
(The facts are true, but all names in the story were changed to protect the innocent.)
Filed under: Authentication Security, Authentication Trends, Multi-factor Authentication, password security, Security Attacks, Security Awareness, Two-factor Authentication, Uncategorized
In extension to our post last week stating that Apple is the latest to join in a trend that’s having more and more of the presently most influential companies adding enhanced security in the form of two-factor login to their accounts, we follow up this week with yet another. Twitter will be joining the likes of Apple, Google, Facebook and Microsoft as they begin rolling out the feature in a short, but unspecified time from now.
It appears as though Twitter has had this project underway since at least early February, when they had posted a job position for the project. It is likely no coincidence that the service had suffered a hacking attack in which 250,000 account passwords were compromised just the week before the job posting. When just yesterday the Associated Press had also suffered a compromised account, in which bogus messages were tweeted, the need for the enhanced security is especially evident.
Source: The Wired
Source: Ars Technica
Filed under: Authentication Security, Authentication Trends, Portable Device Security, PortalGuard, Two-factor Authentication
A number of Two Step and Two Factor authentication methods exist today to help further secure our valuable digital resources. As secure as they are, they can cause “ease of use” issues which then puts the onerous on the end user. Using security questions is limited by how well you can answer the questions so others can’t guess them but at the same time, make it easy for you to remember. Security questions get forgotten more times than people would like to admit. Instead of remembering answers to questions, we can implement the use of hard tokens that generate One Time Passwords. But we still need to remember to bring the token with us or not leave it behind to get lost. Some tokens require batteries which leave them vulnerable to losing power at the most inopportune time. Cell phones improve on this because remembering to bring your cell phone with you and keeping it charged is akin to remembering to breathe for most people. But deep in the middle of a large building will prohibit cell service and prevent the OTP being delivered to the phone. On the other hand, you may have cell service, but be traveling abroad and the roaming fees will sting your wallet. Printed OTPs are convenient; they don’t need to be memorized and can stay safely tucked into your wallet, but you can run the risk of running out of OTPs before you get a chance to print more.
Consider a solution that uses your cell phone or mobile device, but doesn’t require memorizing anything or connectivity to the outside world. Many organizations and online sites have implemented “Mobile Authenticator Apps” to provide the 2nd factor of authentication. An application designed to generate an OTP that the authenticating service will honor is installed on your mobile device. Once configured, all that is required to generate an OTP is to have possession of the device and remember to keep it charged.
A mobile authenticator app generates a Time Based One Time Password (TOTP) – This is an OTP based on the time of day. During enrollment, the device and the authentication server both register the same moment in time. The TOTP is generated based on how much time has elapsed since the shared time value. Both client and server can now always generate the same password without having to communicate with one another during the authentication process.
Filed under: Authentication Trends, IT Security, Multi-factor Authentication, Two-factor Authentication
In a move that appears to be an attempt to catch up to its competitors Google and Facebook, Apple and Microsoft are now the latest monoliths to have introduced a two-factor authentication option for their users’ Apple IDs, and Microsoft accounts, respectively. Once again the evidence shows that we’re on our way towards a world without passwords. Multi-factor authentication is ever more trendy, and now everybody’s doing it.
Similarly to the existing two-step verification offered by Google and others, Apple and Microsoft’s added security follows suit by requiring those users whom have enabled the feature to input a special code during authentication; rather than the usual username and password, the additional factor of the password code effectively enhances the security for the account. This special code, often known as a TOTP (time-based one-time password) is typically delivered via a text message to the users cell phone, once it has been registered as a trusted device. Much like Google’s Google Authenticator mobile app, which allows users to receive the password codes via a convenient app rather than text messages, Apple offers the same convenience via their ‘Find My iPhone’ app, and Microsoft as well, through an as yet unnamed app of their own.
As with these previous methods of offering two-factor authentication however, these follow seemingly in identical footsteps, and therefore bring not only the enhanced security benefits with them, but also the headaches. Although multi-factor authentication eliminates the need to remember the password in some cases, it still implements further steps and disruption to a user’s routine. The ideal situation would be to implement two-factor authentication which is transparent to the user while being able to block unwanted access.
The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.
Subscribe to our newsletter: http://portalguard.com/contact_us.php
Filed under: Authentication Security, General Information, IT Security, PortalGuard
In this highly technical world we live in, filled with all sorts of gadgets and devices designed to keep us in touch with family, friends and business associates, the once upon a time convenience of access to the internet has become almost as necessary to some people as breathing. The internet can be accessed from your phone while in a car, from your home for pleasure or business and of course from your place of business. The access point to look out for though is accessing the internet from a public Wi-Fi hotspot. These almost too convenient access points to the World Wide Web can be found just about anywhere. Airports, dealerships, fast food restaurants and hotel rooms just to name a few.
The problem with public Wi-Fi is just that, it is public. If you are able to access the internet with your device, someone else (with less than pure intentions) can make the same access as you and if they are smart enough, peek in on what you are doing and make off with personal data of yours that you don’t want in the wrong hands. This article will discuss some of the steps and practices you can put in place to help protect yourself and your data from these internet Pirates. Please refer to our March 15th article for more details on how “bad guys” steal information using the internet: http://blog.pistolstar.us/blog/is-it-really-a-problem-when-connected-to-a-rogue-wireless-network/.
Your data should always be transmitted over a connection that encrypts the data before sending it to the intended service. Gmail has been providing this service since January of 2010. You know your data is protected if the URL has the HTTPS acronym in the beginning. The S stands for Secure Socket Layer and will ensure that your data is encrypted as it travels across the wires or through the air.
Many companies setup VPNs (Virtual Private Networks) for their employees to safely connect to the corporate network from home or while traveling. VPNs automatically encrypt all the data being exchanged between your computer and other network machines. You can also find open source VPNs available for use by individual users. If VPN is not an option for you and you must connect from a public Wi-Fi, use a Wi-Fi hotspot that charges for use and verify before paying that the connection will be secure. If VPN or a paid hotspot are not options for you, but your daily routine requires that you use public Wi-Fi, you can consider purchasing and using a wireless card as it should cost less than $10/month.
If you access the internet from your mobile device, you may be in luck. Many mobile devices have built in encryption that can easily be configured through the settings on your phone. Another good idea is to keep up with the security updates for your mobile device.
And sometimes it’s the simplest measures that keep us the safest. Just by changing your connection habits, you can save money and stay protected at the same time. Never send credit card, bank account or other sensitive information through email. If the data is not being transmitted, it cannot be compromised. Don’t connect to public or unsecured networks. Pace yourself and only perform the important transactions from home and never from a public network.
If you can learn to stay aware of what type of network you are connecting to and also have the discipline to conduct your sensitive transactions over a secure connection, you should be able to continue to enjoy the internet with little or no worries.