Dexa Systems

Blog

19
01/30/2012 12:15 PM Posted by: Bryan Smith
Use of Special Characters in Usernames Can Cause Problems

The use of multiple accounts, to handle separation of roles and responsibilities for a single person, has resulted in the increased use of special characters in usernames. However, it's important to note that the use of creative account naming conventions can create additional issues. Although Microsoft allows the use of some special characters in a username, there are definitely gotchas worth being aware of. Microsoft supports the use of special characters in user names with the exception of:
, : ; | = + ? < > * and "

Let's take a closer look at the issues:

Q: Are user names going to be passed in the query string of a URL?
A: The ampersand and hash/pound characters will need to be replaced with %26 and %23, respectively.

Q: Are user names going to be passed to an XML-based web service?
A: The ampersand character needs special attention and must be replaced with the string '&amp;'.

Q: Are user names going to be placed in SQL database queries?
A: The underscore and percent characters require special handling. In SQL database queries, the underscore and percent characters are used as wildcard characters in pattern strings. Before processing a database query, the underscore and percent characters need to be escaped.

Q: Are user names being placed in LDAP directory queries?
A: The back-slash, forward-slash, asterisk and hash/pound characters, as well as required leading or trailing spaces, must be escaped with a back-slash. The back-slash is the escape character, the forward-slash indicates that the following pair of characters is a hex-formatted byte, and the asterisk and hash/pound characters are wildcards in directory searches. In addition, for directory pathnames, the comma must also be escaped with a back-slash.

Q: Are X.509 certificates being requested?
A: The caret, ampersand, hyphen, right brace, and left brace characters require special handling. When comparing the user name in the certificate request with the requesting user name, the escaped characters in the user name from the certificate request must be replaced with their corresponding special character (e.g. %5E with ^).

In conclusion, it probably makes better sense to avoid the special characters that are particularly problematic: the comma, ampersand, percent, left brace, and right brace (, & % { }). By using special characters, organizations may be creating new problems rather than solving existing ones.
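To make the escaping rules above concrete, here is an added example (not code from the original post) that escapes a username once for each context the post lists: a URL query string, XML content, a SQL LIKE pattern, an LDAP search filter, an LDAP distinguished name, and the percent-decoded name in a certificate request. The LDAP functions follow RFC 4515 (filters) and RFC 4514 (DN values); the usernames, table rows, and function names are all constructed for the example.

```python
"""Added example (not from the original post): escaping one username for each
context the post lists. All usernames and table rows below are constructed."""
import sqlite3
import urllib.parse
from xml.sax.saxutils import escape as _xml_escape


def url_escape(username: str) -> str:
    """Percent-encode a username used as a query-string value.
    '&' -> %26 and '#' -> %23 as the post says; safe='' also encodes '/'."""
    return urllib.parse.quote(username, safe="")


def xml_escape(username: str) -> str:
    """Escape for XML text content: '&' -> '&amp;' (and '<', '>')."""
    return _xml_escape(username)


SQL_ESCAPE_CHAR = "\\"  # the character named in the LIKE ... ESCAPE clause


def sql_like_escape(username: str) -> str:
    """Escape '_' and '%' so a LIKE pattern matches the username literally.
    Use together with a bound parameter and ESCAPE '\\' in the query."""
    return (username.replace(SQL_ESCAPE_CHAR, SQL_ESCAPE_CHAR * 2)
            .replace("%", SQL_ESCAPE_CHAR + "%")
            .replace("_", SQL_ESCAPE_CHAR + "_"))


def demo_db() -> sqlite3.Connection:
    """In-memory table holding constructed usernames."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("j_smith",), ("jasmith",), ("jbsmith",)])
    return conn


def users_matching(conn: sqlite3.Connection, username: str, escaped: bool) -> list:
    """LIKE lookup with and without wildcard escaping; the value is always bound."""
    if escaped:
        sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
        pattern = sql_like_escape(username)
    else:
        sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
        pattern = username  # '_' is a one-character wildcard here
    return [row[0] for row in conn.execute(sql, (pattern,))]


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 search-filter escaping: '\\', '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_dn_escape(value: str) -> str:
    """RFC 4514 escaping for an RDN value: ',', '+', '"', '\\', '<', '>', ';'
    anywhere, '#' or a space at the start, and a space at the end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def cert_request_name_matches(requested: str, requesting_user: str) -> bool:
    """Undo the percent-encoding in the certificate request (%5E -> '^')
    before comparing it with the requesting user's name."""
    return urllib.parse.unquote(requested) == requesting_user


if __name__ == "__main__":
    conn = demo_db()
    print(users_matching(conn, "j_smith", escaped=False))  # all three rows
    print(users_matching(conn, "j_smith", escaped=True))   # only 'j_smith'
```

The SQL case is the one that silently returns wrong data rather than failing: without escaping, a lookup for `j_smith` also matches `jasmith` and `jbsmith`, so an authorization check keyed on the username would match more accounts than intended. The LDAP filter and DN escapes differ from each other on purpose; a value that is safe in a search filter is not automatically safe in a distinguished name.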

   categorized under: Identity Credentials, Security Passwords
18
01/04/2012 10:33 AM Posted by: Theodore Van Rooy

At long last, one is no longer beholden to DropBox or hacking away on command line with rsync for a convenient cloud file storage and synchronization service!

While DropBox is a great service, it's not free past 2GB and it's also prone to security flaws. Simply put, when you give your data to a 3rd party service you increase your risk of compromise.

ownCloud is not quite as easy to set up as DropBox, but given their consistent development it won't be long. In the meantime, follow the steps below to run your own DropBox-style service hosted by you (or a friend).

1.  Download and install the ownCloud file server / storage on your Apache or Windows server (very simple to set up).

2.  Find a WebDAV client that syncs to a local folder. On Mac, CyberDuck works well, and it is also available on Windows. Android has a few WebDAV apps, as does iPhone.

3.  CyberDuck and similar clients won't run in the background, so either create a startup script to launch it, start it manually, or wait until the ownCloud desktop plugin is released.

4.  As a bonus, the web interface to ownCloud includes a media player (and I imagine a video player might be forthcoming), giving one the ability to carry their media library with them.

Enjoy!

   categorized under:  Cyber Security
17
11/02/2011 03:21 PM Posted by: Chris Lowde

On October 13th the Corporate Finance division of the Securities and Exchange Commission (SEC) quietly released a document, CF Disclosure Guidance: Topic No. 2[1], on the web that has the potential to make a major impact on the way that corporations look at cyber-security.

Although the document is guidance rather than a rule, it can be, and in many cases is, argued in a court of law that failure to follow guidance may result in liability.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur.

While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity.

The premise of the document is that investors have the right to know the risk associated with investing in a company. If the company is the subject of a significant cyber-incident, internal or external, then the investors should be made aware of the facts so that they may properly evaluate the risk associated with investing in the company. At the moment some companies tend to hide cyber-incidents and therefore are denying investors full disclosure of risk.

What this means for example is that if a company is attacked you must disclose it. Unless disclosing it will further compromise the company (at this point I can see the lawyers lining up for a food fest).

Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's “Description of Business.” In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments.

As an example, if information related to a business transaction was stolen and access to the information enabled a third party to undercut a deal then the shareholders have lost value as a result of the theft. Failure to disclose this could result in shareholder lawsuits.

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

I see this document as providing a wake-up call to the boards of public companies that they need to take cyber-security seriously. This in turn is going to focus C-level management on the topic, and it will trickle down from there.

With the release of this document the SEC has taken concern for cyber-security out of the IT realm and placed it firmly in the financial realm. It is now no longer an issue of technology; it has become one of liability and compliance.

How long will it be before we see a section on cyber-security in the Annual Report?

The key from a Dexa Systems perspective is that cyber-security is a key component of the framework that is used to develop prioritised IT infrastructure strategies for the corporation.

16
10/31/2011 07:26 PM Posted by: Chris Lowde

On October 13th the Corporate Finance division of the Securities and Exchange Commission (SEC) quietly released a document[1] on the web that has the potential to make a major impact on the way that corporations look at cyber-security.

Although the document is guidance rather than a rule, it can be, and in many cases is, argued in a court of law that failure to follow guidance may result in liability.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur.

While registrants should provide disclosure tailored to their particular circumstances and avoid generic “boilerplate” disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity.

The premise of the document is that investors have the right to know the risk associated with investing in a company. If the company is attacked then the investors should be made aware of the facts so that they may properly evaluate the risk associated with investing in the company. At the moment some companies tend to hide attacks and therefore are denying investors full disclosure of risk.

What this means for example is that if a company is attacked you must disclose it. Unless disclosing it will further compromise the company (at this point I can see the lawyers lining up for a food fest).

Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

If one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's “Description of Business.” In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments.

As an example, if information related to a business transaction was stolen and access to the information enabled a third party to undercut a deal then the shareholders have lost value as a result of the theft. Failure to disclose this could result in shareholder lawsuits.

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

I see this document as providing a wake-up call to the boards of public companies that they need to take cyber-security seriously. This in turn is going to focus C-level management on the topic, and it will trickle down from there.

With the release of this document the SEC has taken concern for cyber-security out of the IT realm and placed it firmly in the financial realm. It is now no longer an issue of technology; it has become one of liability and compliance.

How long will it be before we see a section on cyber-security in the Annual Report?

The key from a Dexa Systems perspective is that cyber-security is a key component of the framework that is used to develop prioritised IT infrastructure strategies for the corporation.

   categorized under: Cyber Fraud, Cyber Security
14
09/26/2011 02:09 PM Posted by: Chris Lowde

Traditional IT Security Assessments are based on concepts of a network that are fifteen to twenty years old. The vast majority focus on the Device and Network Transport layers; this approach is no longer sufficient to develop an IT Security Profile.

The advanced persistent threats (APT) and targeted attacks that we face today exploit more than IT technology vulnerabilities. Attacks are implemented using techniques such as social engineering to make the initial breach of the corporation; this is often the result of a failure in process, not of technology. Successful targeted attacks require knowledge of internal systems often gained through initial access to documentation or social engineering. By the time an attack is mounted the attackers will have performed reconnaissance and other intelligence gathering activities, and will often have very detailed knowledge about the IT infrastructure.

There are two orthogonal stacks in an IT ecosystem: the Implementation stack (doing) and the Parametric stack (directing).

A full security assessment covers all aspects of security that impact on an IT ecosystem and its supporting services. The full assessment uses a layered matrix of targeted assessments; each layer of the matrix interacts with the adjoining layers and therefore a security assessment must look at all layers and their interactions. The output of a full IT security assessment is a profile that describes the current state of a company's IT security.

Implementation Stack

Applications are how people interact with their data, make decisions and run their business. The way that applications interact with the corporate IT ecosystem impacts the security profile of the corporation.

The Infrastructure Services layer provides services such as authentication and authorisation that manage and control the IT ecosystem. This layer defines the type of network, and is the layer that people interact with when they 'logon' to the network.

The devices that physically host the applications and processes used to run the business are where people interact with their IT environment. This is an area of rapidly changing technologies, vulnerabilities and threats that require increasing levels of security awareness at all levels of the corporation.

The network transport connects all the layers together; these are the switches, routers and firewalls that are typically regarded as the physical network and the network protocols that move information between devices. This is the layer that devices interact with when they plug in to the network.

Too often IT security assessments focus on only one of these areas, so a full IT security assessment requires diagnosing where all of your vulnerabilities are, not just the obvious ones.

Parametric Stack

Documentation covers all layers of the stack; implementing a highly secured application on the network is not effective if the documentation that describes it is stored in an unprotected repository.

Processes and Procedures are often a stepchild of security; it's like having a house with high-security locks and alarm systems where the alarm is not turned on and the doors are not locked when the house is empty. Dexa looks at the processes and procedures that relate to security, security vulnerabilities and the governance models that ensure that the processes and procedures are followed.

Governance defines the mechanisms which ensure that processes and procedures are followed and the penalties to be applied if they are not followed.

   categorized under: Cyber Security, SCADA APT
13
09/19/2011 10:28 AM Posted by: Don Keller

Phishing attacks are not new. That term has been used for some time to describe an attempt to gather electronic information from an innocent user. Perhaps the most common form of this attack requests information or contains a link that leads the user to a false site or executes hidden code on the machine of the unsuspecting user.

However, a new technique for phishing has emerged. Dubbed “spear phishing,” it targets specific individuals or groups to gather information. The FBI documented spear phishing attacks in early 2009[1], and since then the frequency, complexity, and motives behind spear phishing have grown more sophisticated and dangerous.

Like fishing, the phishing attack casts a line in the water, lots of them actually, hoping that some user will nibble on the bait. In other words, emails are sent to hundreds or thousands of users indiscriminately, hoping that a few will provide the requested information or click on the embedded link. Spear phishing, however, is much more targeted – emails are sent to a more discrete target group, such as employees of a certain organization, those with accounts at a certain email site, or a group based on some common criteria. This allows the attacker to construct the “bait” email with a great deal more care, one that looks like a valid email that the user has seen before.

There was a time when phishing attacks were avoidable just by remembering to never provide confidential information requested by email. Now, simply clicking on an embedded link can give the attacker all he or she needs to compromise you, steal your identity, or “own” your machine. The landscape has definitely changed.

The objectives are changing, too, and this makes spear phishing that much more dangerous. It's not just a credit card number or account password that the attackers are looking for these days, though for most of us that would be bad enough. No, the newer spear phishing attacks have other motives. They will plant keystroke loggers and bot programs, and now they even solicit an accomplice. That's right; the latest attacks are looking for a sympathetic insider to “join” the band of criminals attacking your enterprise.

As criminals become more sophisticated, users and security professionals must become more cautious and diligent to avoid becoming a victim. Here are a few of the practices that will reduce our susceptibility to a spear phishing attack.

1. Verify first. If you think the email may be a legitimate request, call the institution. Look up the number yourself and never rely on numbers or links provided in an email. Remember, legitimate institutions will never request personal information by way of email.

2. Enter the address yourself. Never follow a link included in an email. Instead type a known good address in your browser and make sure the address you are typing is really the correct one for that institution.

3. Include phishing in your awareness program. Make sure users know the signs and how to watch for them.

4. Keep up to date. Ensure that your security program includes a process for keeping browser and antimalware applications up to date.

5. Step up passive monitoring. Keep an eye on suspicious web access.

The Anti-Phishing Working Group (APWG), http://www.antiphishing.org/ has a number of other suggestions to help avoid becoming a phishing victim. Check them out today, and remember, in the cyber realm, nothing is quite what it seems.
12
09/09/2011 09:59 AM Posted by: Theodore Van Rooy

What are the Chances?

In a complex world made up of complex phenomena, ever stop to consider what the difference is between decision-making and luck? Decision-making is not easy, yet all great leaders exemplify this quality. CEOs, Politicians, and Army Generals all seem to make quick and seemingly brilliant choices between two tough options. The right decision leads to success and the wrong to ignominy.

But what if brilliant decision making is increasingly indistinguishable from luck? If the average human mind strains to remember 7-10 digit phone numbers, how can it properly assess security, organizational, human resource, legal, and regulatory risk in a globalized and highly connected world?

Consider this: for every 1,000 random investments in security or organizational strategies, at least 1 will be amazingly profitable, mostly by sheer luck. This was the subject of Nassim Taleb's follow-up to The Black Swan, Fooled by Randomness: The Hidden Role of Chance in the Markets and Life.

How then can we make informed and intelligent decisions? Other than divine intervention, the best answer is to rely on mathematical and statistical models along with computer simulation to help forecast, predict and control risk.

Scientists use mathematical and computational models to design rockets, build super tankers, and optimize traffic flow through our cities. Why would IT and Security managers do any differently to manage the extremely complex and dynamic systems of networks, firewalls, and access policies which comprise an IT infrastructure?

We should all be asking “What are the chances?” But instead of the usual meaning, i.e. “the chances are so small it won't happen,” we need to realistically assess the data and let the numbers speak for themselves. Let's assess the probability and consequence of a weak access policy, a faulty server, or an organized attack. Let's take a painstaking look at what happens if the CEO's unencrypted laptop is stolen and the plans to a billion dollar merger are released to the general public.

The probability might truly be so small as to appear negligible. But isn't it funny how those tiny chances, when multiplied by millions of dollars, always seem to work themselves out into headline news?

11
08/31/2011 03:47 PM Posted by: DexaQuant

Why bother?

Another day and another story about a new cyber threat. It sounds worse each time - defenses that don't defend and employees that are just trying to do their job and allowing malware into the system, yet we don't seem to feel the pain. It's easy to get complacent, after all, how bad can it get?

Imagine the police discovering that a local gang managed to collect copies of keys to all the houses in the neighborhood and used them discreetly – a TV here, a bike there, a necklace somewhere else. It doesn't seem that bad. But one day, you suddenly find that the gang has taken over your house, they’ve changed the locks and you can't get in. As far-fetched as that seems, it's a very real possibility in the cyber world.

Some threats are just annoying - loss of a personal computer here, loss of some data there. But these minor annoyances mask much larger, more sinister and highly disruptive threats, including loss of control of your network, loss of access to your data and the inability to conduct your business. Sony lost their network for almost a month. Can it get worse than that? A truly disruptive threat could possibly knock out a company's IT capability so that devices like personal computers, network components like switches, and accounts are rendered useless.

It's easy to live with the annoyances that come from cyber threats. The problem is that there are some deeply disruptive threats that can incapacitate a company for a considerable time. Don't let that company be yours. It's time to take action.
10
08/22/2011 01:35 PM Posted by: Bryan Smith
As corporations move to two factor authentication, a critical set of users has classically been ignored: the administrators.  Administrators are the most privileged users because they are usually in charge of installing, supporting, and maintaining the corporate server and other computer systems.  As a result, administrator accounts should be the most protected. 
 
Historically, limitations on server hardware and operating systems prevented many two factor solutions from being deployed to administrators.  The missing element has been the lack of support for more than one login certificate by the Microsoft operating system, which means administrators need an additional card for each account.  This can become problematic in corporations following the best practice of using a separate account for administrative tasks.  For example, an administrator would need a separate card for his normal user account, his database administrator account, his network administrator account, his administrator account on server1, and his administrator account on server2.  Providing 5 or more cards to each administrator represents a significant investment and becomes very cumbersome for administrators.  
 
Starting with Windows Vista, Microsoft supports multiple logon certificates and containers on the same smart card.  During interactive logons, tiles are generated for each logon certificate on the smart card, allowing the user to choose which account to use.  The number of certificates and containers depends on the space available on the smart card.  This enhancement allows administrators to use a single card containing logon certificates for all their accounts.  Furthermore, some smart card management solutions are also supporting multiple logon certificates on a single card.  These enhancements will go a long way for supporting the security of the most privileged user.  
9
06/15/2011 11:49 AM Posted by: Glen Mullen

The IMF is the latest in a growing list of high-profile names that are the subject of APT. It begs the question – what's the solution? Disconnection is no longer a viable answer for most organizations. Certainly we should think about what needs to be connected and available anytime, anywhere and what does not necessitate immediate access. We expect remote access to everything from corporate information to personal purchasing options, with this type of lifestyle and associated demands only increasing. The challenge is how to get ahead of the curve with technology that is reasonably secure and non-intrusive.

A standard set of mutual authentication requirements should be developed for online transactions, remote access, or for any system that has access to personal information. For real mutual authentication to work, it must involve a trusted authority at a national and possibly even an international level. The system could work like our current passport and visa system used for physical travel to other countries. Certainly this is an imperfect analogy due to the issues with forgery in the current system. How many consumers will pay more to use a site that offers true PKI-based mutual authentication?

The next part of mutual authentication is the client computing device. This presents more of a problem because so many client machines have been compromised. So how do you ensure that the client is who they say they are? A secure token can be provided to the user, serving as a tamper proof identifier. In cases of high value transactions this could also have a small sandbox with a secure browser. For those opposed to additional hardware, a mobile phone can be used as a security device with the proper protections in place. In cases where anonymity is an issue, there are ways to accomplish this level of security and protect the identity of the user.

Of course and unfortunately, mutual authentication will not solve the problems of known exploits in un-patched systems. The fact of the matter is, many organizations do not patch their systems in a timely fashion, despite the existence of global security organizations that produce alerts and list patch recommendations. Vendors provide security patches that never get applied due to a lack of enforceable policies regarding how patches are tested and applied. Any change to an operational system entails risk.

The battle will continue because fundamentally, anything a man can make a man can break. While there is a benefit to governments and international organizations providing legislation and policy examples, it is still ultimately up to companies and individuals to determine how to implement policies to better secure the Internet. I am afraid that legislation, while well-intended, will be about as effective as moral laws are in curbing behavior that some view as unacceptable. Until each individual understands their responsibility, security will continue to be a huge issue.

   categorized under: Cyber Fraud, Cyber Security, SCADA APT
8
03/21/2011 02:29 PM Posted by: Prashanth Jangam

For those of you with a vested interest in cyber security, you probably have already read about the recent RSA hack at EMC, which exposed client data and potentially reduced the effectiveness of SecurID tokens. (http://www.engadget.com/2011/03/18/rsa-hacked-data-exposed-that-could-reduce-the-effectiveness-o/) Pretty embarrassing and ironic, coming from a security giant. The more important questions to consider here are why? And how?

The RSA technology employs the One Time Password (OTP) approach to strong authentication. Let's take a closer look at the difference between the use of OTP and Smart Cards.

The RSA SecurID tokens use the time-synchronous method to produce an OTP. The RSA mechanism consists of a back-end authentication server called RSA Authentication Manager (or ACE Server) and a client hardware token that displays a unique OTP every 30 to 60 seconds. The client token is factory-encoded with a unique 128-bit seed and a built-in clock. For this time-synchronous OTP mechanism to work, the seed for each client token is loaded into the RSA Authentication Manager and the clocks of the server and tokens are synchronized. When a user tries to authenticate by entering the OTP displayed on the token, the RSA Authentication Manager computes the OTP for that instant in time to authenticate the user.

Now, let's go back to what happened at EMC. The unknown variable in the situation, or at least the unrevealed variable, is the nature of the data that was stolen. If the stolen data is related to the seeds that are associated with the tokens, then this is a pretty dire and serious situation, as several soft tokens are readily available that can generate the OTP given the client and server seed. In this scenario, the only protection left for users with a compromised seed is the PIN/password that is also required during the authentication process. However, this negates the two-factor authentication approach, making the company's security, well, less secure. Also, some customers don't need to append the PIN/password to the OTP, leaving them completely vulnerable and exposed by such a situation. In this case, the only solution would be to replace the client hardware tokens - both expensive and time-consuming.
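The two paragraphs above describe a shared-seed, time-synchronous OTP and why a stolen seed reduces the scheme to the PIN alone. RSA's SecurID algorithm is proprietary, so this added example (not code from the original post or from RSA) uses the open RFC 6238 TOTP construction as a stand-in with the same structure: the token and the server each hold the seed and derive the code from the current time step. The `hotp`, `token_display`, and `AuthManager` names are constructed for the example, as are the seed and PIN values; the server side checks the PIN in constant time, tolerates one step of clock drift, and rejects a replayed code.

```python
"""Added example (not from the original post, and not RSA's proprietary
algorithm): a time-synchronous OTP built on the open RFC 6238 scheme, to show
the shared-seed structure the post describes. Seeds and PINs are constructed."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_display(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the token shows: the code for the current time step. Anyone holding
    the seed computes exactly this value, which is the point of the post."""
    return hotp(seed, unix_time // step, digits)


class AuthManager:
    """Server side: holds the same seed per token plus the user's PIN.
    Accepts one step of clock drift either way and rejects replayed codes."""

    def __init__(self, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.step, self.digits, self.drift = step, digits, drift_steps
        self._seeds = {}
        self._pins = {}
        self._last_counter = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._seeds[user] = seed
        self._pins[user] = pin
        self._last_counter[user] = -1

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        """passcode = PIN followed by the token code (e.g. '1234' + '287082')."""
        seed, pin = self._seeds.get(user), self._pins.get(user)
        if seed is None or pin is None:
            return False
        # Constant-time PIN compare; the PIN is the only factor left if seeds leak.
        pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
        otp = passcode[len(pin):]
        now_counter = unix_time // self.step
        for k in range(-self.drift, self.drift + 1):
            counter = now_counter + k
            if counter <= self._last_counter[user]:
                continue  # already used (replay) or older than the last accepted step
            if hmac.compare_digest(hotp(seed, counter, self.digits), otp) and pin_ok:
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, constructed here
    server = AuthManager()
    server.enroll("alice", seed, "1234")
    now = 1000
    print(server.verify("alice", "1234" + token_display(seed, now), now))  # True
    print(server.verify("alice", "1234" + token_display(seed, now), now))  # False (replay)
```

With the RFC 6238 test-vector seed, `token_display(seed, 59, digits=8)` yields `94287082`, so the construction can be checked against the published vectors. The defensive reading of the example is that nothing in `verify` depends on the seed being secret from the verifier, only from everyone else: once the seed table is disclosed, the OTP contributes nothing and the PIN check is the whole authentication, which is exactly the situation the post describes for customers who do not require a PIN at all.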

So what's the real solution? The Smart Card - a more secure two-factor authentication mechanism based on Public Key Infrastructure (PKI) authentication. The PKI authentication mechanism is based on asymmetric key encryption consisting of a public/private key pair and provides the added benefits of email encryption, digital signatures, encrypted file systems (EFS), web authentication and encryption (SSL).

As the name implies, the private key is known only to the user and is used to encrypt data that can only be decrypted by the corresponding public key, published to everyone in the organization. The private key is generated on the smart card and never leaves the smart card, making it useful for non-repudiation.A trusted certificate authority issues and publishes the public keys in the form of digital certificates, which also cannot be forged. The only way a PKI system can be compromised is if the certificate authority is compromised, which even in the worst case scenario, is much easier and less expensive to fix since existing smart cards can be used and a new set of certificates can be issued within a matter of hours.

Now contrast this scenario with the OTP security breach, which might take millions of dollars and multiple weeks to resolve. What would you call the smarter solution?
7
03/21/2011 01:22 PM Posted by: Jonathan Pollet, Red Tiger Security

EMC's Security Division was recently hacked – a rather significant event in the cyber security world. The makers of the commonly used RSA technology issued a rare and surprising public letter announcing that they were hacked and that, as a result, the security of some of their users might also be compromised (http://www.rsa.com/node.aspx?id=3872). While RSA is trying to downplay this, it presents a huge problem for both EMC and their clients.

But what's of more interest is what EMC doesn't talk about in their note. We know the attackers were after the cryptographic algorithms that are used to randomize the RSA 2-factor identification one-pass tokens. We also know that the attackers were in there for many months, typical of today's APT-style attacks. I wonder if this attack is one of several attacks that are a precursor to something bigger. With the RSA cryptographic algorithms, a motivated attacker could bypass the security in a remote-access system secured by RSA technology - which begs the question – what is the attacker really after?

12/01/2010 07:54 AM Posted by:

Strong Authentication Myths Debunked – Part 2

In comparing strong authentication methods, what are some key areas to look at in determining which one offers the best security, usability and price trade off? The first thing to consider is whether you want to eliminate username and password for all users. If this is the case, then you need a solution that supports desktop/network login, VPN access and application access.

There are only two types of credentials that are directly supported by Microsoft for XP, Vista, Windows 2003, Windows 7 and Server 2008. The first is username and password. The second is smart card. All other methods are not first class citizens and will require a custom GINA or credential provider for authentication. This means OTP or biometrics require additional software installation on all end user computers. This also means that you are still really using passwords for authentication to the Windows infrastructure. In most cases, this also involves adding an additional server to perform the authentication using the additional credential, such as an OTP or a fingerprint. Then that server unlocks the password for authentication to Active Directory.

Now some may argue that PKI requires an additional server, but Microsoft already has a Certificate Authority in their server operating systems. Some identity management companies including Dexa Systems provide a Certificate Authority with their appliance. For PKI, the CA is only involved with certificate management and not directly for authentication. In the case of an OTP server, which might be based on RADIUS, every authentication request must go through this server. This means the OTP or biometric server must be scaled for high volumes of traffic and should be configured for high availability so that the authentication process is not interrupted. The server must also support password synchronization so that when the system requires a change in the account password, the stored password will be correctly updated.

Another key consideration is authentication to non-Windows platforms, Windows terminal services and VPN. A few years ago most of this was a real challenge for smart cards, and OTP systems clearly had the lead. That is no longer true. There are PAM modules, reader drivers and smart cards that can utilize the same credentials as Windows authentication. These modules are available for Mac OSX and most Linux distributions. The same is true for terminal services authentication: starting with Windows Server 2003, smart cards have been considered first class citizens. In most cases, the drivers are already installed on the server platform so that no additional components need to be installed.

The situation with VPN access has evolved as well. In the past, only full IPSec based VPN solutions supported smart card login. These required full clients and, for the most part, were painful to configure. Those wanting to avoid a full client were driven to OTP as the only truly viable solution. Today most clientless (SSL) and client based VPN solutions support smart cards for authentication. In a Windows 2008 Server and Windows 7 DirectAccess environment, an even stronger case for smart cards can be made. This new technology from Microsoft allows a transparent secure connection to be made from a remote client machine to a Microsoft domain. In this model the user does nothing more than log onto their machine as they normally would. Then the machine establishes a secure connection to the domain without additional interaction with the user. To ensure that the client, server and user are who they claim to be, mutual authentication using certificates is required. The security of the connection can be enhanced by having the user credentials on a smart card.

This post is starting to get long so I will save more details about the benefits of smart cards for the next installment. I will also discuss more about application authentication and some of the realities around Single-Sign-On (SSO).

11/19/2010 11:23 AM Posted by: Bryan Smith

TPM - a well kept secret for strong authentication

What if a secure storage device for authentication factors was already in your PC? In most cases, there is. It is the not commonly known Trusted Platform Module (TPM). It is in most business-class laptops, except Macs. The TPM stores cryptographic keys that can protect issued digital certificates, and can perform secure cryptographic functions such as trusted startup, random number generation, and digital signatures. TPM is FIPS 140-2 certified. If you're considering strengthening your authentication processes and mechanisms, learning more about TPM will add another option worth taking into account.

TPMs introduce a lower cost authentication alternative with strong enterprise and system integrity. When using the TPM to protect digital certificates, there is no need for new hardware (e.g. smart cards, tokens, or smart card readers). The TPM ensures known devices on the network and known software on devices. A private key is placed on the TPM by the manufacturer, and it never leaves the tamper-resistant hardware. The public key can be used to authenticate the machine identity when authenticating to a VPN or wireless access point. To ensure only known software is running on a device, the boot sequence of the operating system is modified to produce a trusted measurement log, which can be validated against the TPM register values. The TPM then gates access (e.g. to encrypted data and to cryptographic functions) on the measurement log validating.
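The validation step described above, as an added example that is not part of the original post: a constructed boot measurement log is replayed through the TPM extend rule and the result is compared with the PCR values the device reports. The component names, digests and the "reported" PCR values are all constructed here; SHA-1 PCRs are assumed, as on TPM 1.2 parts.

```python
"""Added example: replay a measurement log through PCR extend and compare the
result with reported PCR values; mismatched PCR indices identify tampering."""
import hashlib

PCR_SIZE = 20  # SHA-1 PCR width (TPM 1.2 assumption)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend rule: PCR_new = SHA-1(PCR_old || measurement digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay_log(events):
    """Replay (pcr_index, digest) events starting from all-zero PCRs.
    Returns the expected value of every PCR touched by the log."""
    pcrs = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def validate(events, reported):
    """Return the set of PCR indices where the replayed log disagrees with the
    values the TPM reports. An empty set means the log is consistent with the
    PCRs; a non-empty set means the log was altered, truncated, or the
    measured components differ from what the log claims."""
    replayed = replay_log(events)
    return {i for i in set(replayed) | set(reported)
            if replayed.get(i) != reported.get(i)}


# Constructed known-good log: (PCR index, SHA-1 of the measured component).
KNOWN_GOOD_LOG = [
    (0, hashlib.sha1(b"firmware-core v1.0").digest()),
    (4, hashlib.sha1(b"bootloader v2.3").digest()),
    (4, hashlib.sha1(b"kernel 3.x").digest()),
]

# Constructed "reported" PCRs: what a healthy device's TPM would hold after
# the known-good boot sequence (a real verifier gets these from a TPM quote).
GOLDEN_PCRS = replay_log(KNOWN_GOOD_LOG)

# Constructed tampered log: a different bootloader was measured into PCR 4.
TAMPERED_LOG = [
    KNOWN_GOOD_LOG[0],
    (4, hashlib.sha1(b"bootloader v2.3-modified").digest()),
    KNOWN_GOOD_LOG[2],
]

if __name__ == "__main__":
    print("known-good log mismatches:", validate(KNOWN_GOOD_LOG, GOLDEN_PCRS))
    print("tampered log mismatches:  ", validate(TAMPERED_LOG, GOLDEN_PCRS))
    print("truncated log mismatches: ", validate(KNOWN_GOOD_LOG[:2], GOLDEN_PCRS))
```

Replay proves only that the log matches the registers; each logged digest must additionally be checked against an allow-list of known-good component hashes before access is released.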

Not all is perfect in the TPM world. Certificate portability, user administration, certificate protection level, and password authentication are some of the challenges TPM users face.

  • User certificates attached to a machine can be problematic. In many cases, users interact with multiple computing environments (e.g. business PC, personal PC, tablet, and smartphone) to get their work done. In order for the user to be able to perform all their tasks on each environment, they will need their certificate on every platform. There may be times when the certificate is unavailable due to a machine in repair or maintenance. There are ways to address portability issues, such as maintaining a server which holds a TPM with a copy of the user's certificate.
  • User administration can become intractable. In some business environments, multiple users may need to use the same platform. The TPM can store multiple user certificates, but it has limited storage space. For example, the Atmel Trusted Platform Module AT97SC3201 has on-chip storage for up to 20 user keys. When users are storing multiple certificates (VPN access, email encryption), the number of users that can use a single platform diminishes quickly.
  • TPM protection covers mostly software attacks. It is highly unlikely that a TPM could withstand a malicious user who has physical access. User certificates are more sensitive and require a higher level of protection than platform credentials. It is unlikely that a computer will have the same access as an IT Administrator. Therefore, the TPM protection level would be inadequate for some user credentials.
  • Authenticating to the TPM is usually done with a password, and therefore possesses many of the same weaknesses as a simple userid/password does. These weaknesses can be diminished by limiting the number of login attempts and having the enterprise server act as a proxy owner, which enables the use of complex passwords. From my experience, in most business environments the best practice is to use a smart chip / smart card to authenticate. Smart cards are physically secure, unable to be cloned, protected by a Personal Identification Number (PIN), and would allow the use of truly random authentication data.

TPMs can be found in many, if not most, business PCs, but they are neither well known nor widely used. With the need for and popularity of strong authentication rising, the TPM introduces an alternative for strong authentication worth considering.

11/09/2010 05:23 PM Posted by: Glen Mullen

Strong Authentication Myths Debunked – Part 1

For years and years I have heard that something better than username and password is needed for authentication. Yet not much has changed: when solutions are presented to people, the response is that it costs too much or that it is too complex. Many solutions have been offered: One-Time Password (OTP), Biometrics, PKI with certificates and keys on the disk, PKI with certificates and keys on Smart Cards, PKI with keys on the TPM and certificates on the disk. There are other variations of these approaches; I will not try to cover all possible approaches in this blog. In this and my coming blogs I will take a deeper dive into each approach and assess the security, usability and cost trade offs for each one of the approaches. You may say that I am biased towards smart cards, and in some cases I am. I also recognize that there is no one size fits all solution for corporations.

Now to my original thought. There is a myth that is perpetuated about the cost and complexity of smart cards. The first item that scares most people off is PKI, and certainly anything that involves PKI is not trivial. We as security professionals have done a lot to enforce the idea that PKI must be done a certain way to be of any value. Early PKI deployments were nightmares that were overkill for most organizations. We now have approaches to PKI that greatly simplify deployments and offer better than good enough security. What do I mean by good enough security? It enables true 2 factor authentication and replaces most if not all passwords. In addition to authentication it also enables encryption and signing. Yes, some tradeoffs are made, but they are not issues except for the most secure environments.

Now to smart cards. In the past, getting the right drivers for the cards and readers has been a huge issue. The new cards with mini-drivers make deployments much easier, as all the necessary drivers can be downloaded as part of a Microsoft Update. While this is not a perfect solution, it eliminates the majority of deployment issues. The rest of the components for card management can be deployed as zero footprint web browser controls.

What about the cost of the card and the fact that I am carrying an additional device? I agree some of the cards are overpriced. The high cost is due to more storage and faster processors. While cool, these are not really needed for authentication. We are working with vendors to address that issue and offer different levels of cards that better meet the needs of customers. As to the issue of carrying an additional device, that is not really true if a company is using cards for physical access or even just as a photo identity. That means everyone is already carrying a card, so there is really nothing additional for them to carry. Smart cards can be phased in as old badges are replaced if a full rollout is impractical from a budgetary standpoint.

In future blogs I will explore more about the costs and benefits of different strong authentication methods. This will include some new ideas for mobile devices, as well as showing how strong authentication can be cost effective and actually be more usable than current username/password solutions.

05/24/2010 03:11 PM Posted by: Gary Leibowitz

Don’t leave your enterprise exposed, protect it with a GRC-compliant security solution.

There are hundreds of identity access and authentication management and SmartCard systems integrators standing ready to support your security needs. So, how do you go about selecting the right vendor for you?

Here are a few requirements to help you select the right security partner:

1. Do you need a provider with industry-specific experience? Securing an enterprise with offshore rigs, visualization team rooms, multi-region servers, and joint ventures is an entirely different need than securing a chain of restaurants. Dexa has real-world experience in the oil and gas, utilities, healthcare, and financial services sectors – so, trust your access security to a provider that understands and can tailor the solution to your specifications.

2. Do you currently have a software control panel that allows you to manage enterprise-wide access? If your vendor is recommending several different software systems to manage identity access to your servers, computers, and premises, then rethink your strategy. There is no reason you need to self-integrate or use multiple applications.

3. Can you afford to invest a year or more to implement your credential management solution? Most vendors will plop a thick policies and procedures binder the size of War and Peace in the middle of the table and tell you that it will take at least 18 months to deploy. Dexa has streamlined this process, without compromising the solution, so that you have a cost-effective identity access and authentication solution deployed in weeks.

4. Do you need world-class consultative support? Whether it is as simple as changing, adding, or revising the access level or adding multiple new access devices to your enterprise; Dexa’s support team has an average of 15 years of credential management experience, so you get the level of expertise you need – no matter what your support requirement.

5. Are you seeking to integrate security devices and software already identified, or do you need a best-of-breed solution? SmartCard systems integrators and most identity access and authentication management providers work with off-the-shelf technology components and simply attach them to address your security access needs. Dexa has developed proprietary technology that addresses real-world security needs and specific industry requirements, and it is continuously upgraded to meet the perpetual changes and trends in the security sector.

05/24/2010 01:43 PM Posted by: Gary Leibowitz
“Passwords are the worst irritating thing since the invention of the PC.” A common response to hear when asking the average computer user what they hate the most about their daily job. A second round of questions unveils that it’s the need to frequently change passwords and to remember un-remember-able strings of characters and numbers. And when the password is finally remembered, it’s time to change it again. What gets me even more puzzled is that passwords are one of the easiest credential mechanisms to break into. And with cyber fraud being the currently undisputed leader by amount of money lost compared with any other illegal activity, you would think someone would have come up with a better way to validate that a user is who he/she says they are – without irritating the users.

Although nothing new, it’s interesting to see how the statistics of weak passwords are no different than they were years ago (http://www.worldstart.com/tips/tips.php/5377). The case that passwords as a credential mechanism are not the way to go is magnified at http://www.skullsecurity.org/wiki/index.php/Passwords. This site (one of many like this) assists with tools and hints on how to crack passwords.

So why are over 90% of US enterprises still relying only on passwords to protect their digital resources?