by Andy Kemshall – SecurEnvoy CTO and co-founder – Friday, 23 September 2011.
For many years those who concerned themselves with an organization’s cyber security warned of threats, both internal and external, urging organizations to adequately protect themselves. Unfortunately the message either went unheeded, or the security measures implemented were insufficient, as we’ve seen headline after headline of victims who’ve suffered a breach. While the severity may vary, each is an example of the concerned organization’s security measures being found wanting.
And the battle has only just begun as, in recent months, security professionals have amplified the cry following attacks from DigiNotar, Anonymous and WikiLeaks – and the list goes on. Organizations need to get a grip on their borders, now, or risk losing the cyber fight and becoming another statistic.
The threats an organization faces are multifaceted. While it’s possible, and perhaps tempting, to spend millions plugging every hole the reality is it’s impractical. Instead a more common sense approach to security is required.
At the heart of the problem is that, with every breach incident, the likelihood of a user’s identity having been compromised increases. Therefore, it doesn’t matter how intrinsic the overarching security approach, it is fundamentally flawed if you fail to establish that the person gaining access is who they claim to be. For example, while a VPN provides a secure communication tunnel, if a hacker can mimic a legitimate user and use their key to open the pipe then everything traveling down it is insecure.
Physical security is common sense in a virtual world too
In the real world we regularly use Chip and Pin to make a purchase in the high street, or withdraw cash from an ATM. Quite simply this is two factor authentication in action in the real world.
Before clarifying what constitutes two factor authentication, it is probably worth stating what it is not. A password on a PC (often referred to as single factor authentication) is the equivalent of a basic lock – only slightly better than nothing. It stands to reason that two passwords – even if one is a data pattern or random characters from a memorable phrase, it is actually just two locks. Although it may slow an intruder by having another password, common sense should tell you it still isn’t adequate.
Two factor authentication, in its very basic sense, is the combination of two different elements from a choice of three:
The downside of something specific to the person, or biometrics as it’s widely referred, is hardware. A physical reader needs to be installed at each point of entry from where a user may authenticate. In today’s modern society users want to use a myriad of devices, and places, to access the corporate network – be it laptop, iphone, cyber café PC, etc. It makes the ‘specific’ element either very expensive when accommodating every possible access point or simply impractical. A further consideration, given the changing pace of technology, is whether a biometric system will be adaptable to tomorrow’s devices?
This leaves the combination of something you know and something you own as the only practical two factor authentication solution.
The keys to the vault
Something you own invariably means a security token. There are two types – hardware-based i.e. a physical token and software based, such as an SMS-based token received on a mobile phone – often described as a tokenless two-factor-authentication system.
I assume you wouldn’t walk away, leaving your car with the key in the ignition, or even glued to the outside, and expect it to still be there when you get back? Well, if security tokens are carried in the same bag as the lap top – and let’s face it a lot of people will do that, it’s effectively the same thing. If the laptop goes missing, who ever finds it also has the key to make it work – another example of how common sense can influence security practices.
From a user perspective, especially with multiple accounts spanning both work and personal aspects, if each requires a physical token then people will end up carrying around a necklace of tokens – inconvenient and cumbersome.
However, by harnessing SMS technology, organisations can utilise existing mobile technology – whether corporate or personally owned, to replicate the physical token. And there’s no reason why dozens of soft tokens can’t be carried on a single device.
Today, practically everyone has a mobile phone with many reliant on its varied functionality. The result is it is rarely forgotten and, should the user misplace the device, the loss is quickly realised and reported.
SMS also offers cost effective deployment over the costs of sending and managing physical tokens.
Futhermore, with pre-load funcationality, a new code is automatically generated when a log in attempt is made. This eliminates any concerns over SMS delays or blackspots. Moreover, the receipt of this new code acts as a further security layer as a user is notified that their username has been used to gain access to the system (whether successful or not). They can then raise an alert with the administrator to the potential threat and mitigation steps quickly instigated – simply not possible with a physical token.
Activate the alarm
An alarm is a great deterrent but is only useful when switched on – common sense really.
The same principle applies to your computer. If it’s turned on, and logged on to the network, the ‘alarm’ is effectively deactivated. Anyone who happens upon your device will have carte blanche to any applications and systems you’ve authenticated to. The damage a malicious person can cause, in a matter of moments, could have repercussions far greater than anything which may occur offline. Infact, an unscrupulous individual could potentially do more long term harm with just a few minutes access to your unmanned PC than a few hours unrestricted access to your home!
If there’s one thing I firmly believe it’s that there’s no perfect security solution and what works for one organisation will not necessarily be suitable for another. However, if you get the foundations right and apply a balanced approach that makes it difficult for malicious individuals to cause them harm. A security system can do only so much. Despite the new gadgets and available technology, common sense will always remain your best defense.