Archive for the ‘2 Factor Authentication’ Category

In today’s mobile workforce, millions of organizations are put at risk by faulty or insecure remote access connections. To address these security concerns and reduce the complexity of managing large-scale VPN rollouts, NCP engineering has released a new version of its Secure Enterprise Management (SEM) system.

The software provides unparalleled security with the new NCP Advanced Authentication, which enables powerful Two-Factor Authentication with a One-Time Password that users receive via SMS from the NCP Advanced Authentication Connector. This eliminates the need for enterprises to use other third-party solutions, instead enabling Two-Factor Authentication with only a mobile feature phone or smartphone.

On top of this, the SEM system offers a single point of network administration to control companies’ entire IPsec and SSL VPN networks, as well as full Network Access Control (NAC) management. It also supports the broadest range of end device platforms, including Windows 8/7/Vista/XP, Windows Mobile/Phone, Android, Mac OS X, Mac iOS, BlackBerry, Symbian and Linux.

To learn more about today’s announcement, you can read the full release here.

[Screenshot: NCP Advanced Authentication]

By Joe Schembri 

Last week, I provided a quick summary of identification and authentication. Continuing with this, today I’ll dive into why these factors are so critical for remote access solutions.

Why Identification and Authentication Are Important to Secure Remote Access Connections

With remote access, users are not under LAN administrative control, which exposes the internal network to increased risk of security breaches. Because remote access mostly travels over the public Internet, identification and authentication are critical to protecting internal networks against threats such as unauthorized access: every user who attempts to reach secured data must be verified.

Strengthening Security with User ID/Password Combinations

Although user ID/password combinations aren’t the strongest type of identification and authentication, they are the most common. If a company must use this as a security strategy, here are a few tips to improve security:

  • Limit the number of allowed login attempts before locking the user out of the system.
  • Enforce strong passwords, requiring at least eight characters with a combination of letters, numbers, and special characters. Remember, longer passwords take more time to crack, so the more characters the better.
  • Require users to change their password periodically: 90 days may suffice for regular users, but administrators should change theirs more frequently, such as every 30 days.
  • Prohibit the use of names and words found in a dictionary as passwords.
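As an added illustration of the four tips above (this is not code from the post or from NCP), the following Python models them as a strength check, role-based rotation intervals, and a failed-attempt lockout counter. The dictionary and name lists are constructed samples; a real deployment would load a full word list and the HR name list.

```python
import re
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5                     # lock the account after this many failures
ROTATION_DAYS = {"user": 90, "admin": 30}   # rotation intervals named in the post
# Constructed sample lists; a real deployment loads a full dictionary and the HR name list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon"}
NAMES = {"joe", "schembri", "alice", "bob"}


def password_violations(pw: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    # Reduce to the alphabetic core so "Password1!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in DICTIONARY or core in NAMES:
        problems.append("based on a dictionary word or name")
    return problems


def rotation_due(age_days: int, role: str) -> bool:
    """True when a password is at least as old as the role's rotation interval."""
    return age_days >= ROTATION_DAYS.get(role, ROTATION_DAYS["user"])


@dataclass
class LoginGuard:
    """Per-user failed-attempt counter; locks the account after MAX_FAILED_ATTEMPTS."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, credentials_ok: bool) -> str:
        if user in self.locked:
            return "locked"                 # stays locked even for a correct password
        if credentials_ok:
            self.failures.pop(user, None)   # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"
```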

Ease of Use Promotes Compliance

Allowing users to connect remotely has been common practice for some time now because it provides a host of benefits for an increasingly mobile workforce. However, companies should always make sure to provide adequate security to protect data and systems. In addition, every effort should be made to make security provisions as easy to use and maintain as possible, since users tend to circumvent measures that are too burdensome or difficult.

Joe Schembri has over 10 years of IT and IT security experience and currently works with Villanova University’s online cyber security training programs, including the CISSP training prep program. 

By Joe Schembri 

I recently wrote about what should be included on a remote access security checklist. A reader, very aptly, asked why identification and authentication were not on the list. I’d like to take a moment to address this – and retroactively amend my prior list to include identification and authentication. Here’s a basic overview of what identification and authentication entails.

As we know, companies today are increasingly turning to remote workforces or allowing telecommute options for existing staff. As the number of offsite staff increases, companies must provide remote access in order to optimize workflow and efficiency. Of course, along with the benefits of remote access come additional security risks that companies must take appropriate measures to guard against. This is where identification and authentication become crucial to managing access and keeping the corporate network protected.

Identification

In order to be authorized to access a specific system or set of data, users must first supply some form of identification that states who they claim to be. Identification can be any machine-readable name, such as a user ID or an email address.

Authentication

Once a user supplies their identification, a remote access system must then authenticate the identification in order to determine whether or not the user is authorized. Authentication is simply a process that verifies the identity of a user and the validity of their identification credentials.

There are three types of authentication:

  • What users know – includes passwords, PINs, and answers to security questions.
  • What users have – includes ID cards, keys, and badges.
  • What users are – includes retinal scans, fingerprints, and other biometrics.

User ID and password combinations are the most frequently used type of identification and authentication for remote access. Once the system authenticates users, it then determines their specific level of authorization and the content they are allowed to access. Ideally, the level of authentication should increase along with the sensitivity of the data being accessed.

Now that we have the very high-level basics out of the way, I’ll dive deeper into how to strengthen identification and authentication methods in part two.

Joe Schembri has over 10 years of IT and IT security experience and currently works with Villanova University’s online cyber security training programs, including the CISSP training prep program. 

We recently participated in a pretty interesting webcast from G+ (a community of academics and entrepreneurs sponsored by the Gerson Lehrman Group – not Google+). The webcast was on the topic of security vs. privacy, with Dr. Tim Gibson, assistant director of cyber systems at Draper Labs, talking about the state of authentication on the Internet and how we, as an industry, can improve authentication credentials. Naturally, we wanted to share nuggets from this conversation with all of you. Here are the main topics and what we learned.

IP Addresses can’t identify users

  • We use IP addresses to identify the user, the machine, and the route. The problem is that an IP address on its own only tells you the region and the provider.
  • Bottom line: IP addresses are pretty useless when trying to identify people.

Why do we still use IP addresses?

  • It’s not feasible to eliminate the IP addressing scheme and start from scratch.
  • But providing attribution is not practical with just an IP address.

What has changed since IP was designed?

  • Memory and processing power are much cheaper.
  • Overhead is manageable with flow-managing devices for high data rates and QoS.

How can we enable attribution and network control?

  • Users authenticate themselves to their communications or computing device. For example, Joe Smith, NCP engineering, <digital signature>, <public key>, true machine IP and port, true machine name.
  • A local network device is programmed with the organization it represents. For example, NCP engineering, city, state, country, street. <digital signature>, <public key>.
  • When a user makes a connection request, a sending device combines all the identity data in the new connection request, and a control device at the receiving end decides whether it wants to accept the connection.
  • There should be protected places on the Internet—gated communities—where you have to show credentials to enter.

How can we protect privacy?

  • Users must be allowed to “opt out” of the authentication scheme.

What do you think of this security vs. privacy debate? Do you agree with rethinking IP addresses or that in the future, there should be protected “gated” communities on the Internet? Weigh in.

We’ve said it before and we’ll say it again – disgruntled, former employees pose a major risk to your network. If you’ve been following the headlines this week, you know why we’re bringing this up again.

A former IT employee at Gucci was charged with remotely taking over the haute-couture company’s computers, shutting down servers, and deleting emails, the Wall Street Journal reported yesterday. According to the WSJ, here’s what happened:

Sam Chihlung Yun, 34 years old, allegedly created an account in the name of a fictional employee and used it to access the company’s network after he was fired in May 2010, prosecutors said. He allegedly caused more than $200,000 in diminished productivity, as well as remediation costs, prosecutors said.

Now Mr. Yun faces a 50-count indictment that includes unauthorized use of a computer and unlawful duplication of computer-related material, among other charges. So, how did he do it? InformationWeek reports that Yun created a VPN token in the name of a fictional employee and, after he was fired, used this USB-based token to gain remote access. In the aftermath of Yun’s attack in November, Gucci staff were unable to access any documents, files, or materials saved anywhere on the network.

Frightening, right? So what can you do? Review your user logs carefully and often – if you spot a red flag, investigate. Also, make sure all former employees are completely deprovisioned from the network, and reset all passwords and access rights following their departure.

Gucci was lucky enough to catch and prosecute its culprit — but the fashion giant would have been luckier if it had stopped the breach before it even happened.
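To make the log-review and deprovisioning advice concrete, here is an added Python example (not code from this post, from Gucci, or from NCP) that audits constructed VPN log lines against a constructed HR roster and token-enrolment record. It flags the three conditions in this story: logins by accounts with no HR record, logins after a termination date, and tokens enrolled by an account that has since departed.

```python
from datetime import date

# Constructed HR roster: username -> (display name, termination date or None if active)
HR_ROSTER = {
    "jsmith": ("Joe Smith", None),
    "secops": ("Security Ops", None),
    "itadmin1": ("Former IT Admin", date(2010, 5, 14)),
}
# Constructed token-enrolment record: token serial -> account that enrolled it
TOKEN_ISSUER = {"T-1001": "secops", "T-1002": "secops", "T-2077": "itadmin1"}
# Constructed VPN log lines in the form "<date> LOGIN user=<name> token=<serial> src=<ip>"
VPN_LOG = """\
2010-06-02 LOGIN user=jsmith token=T-1001 src=198.51.100.7
2010-06-03 LOGIN user=itadmin1 token=T-1002 src=198.51.100.9
2010-11-14 LOGIN user=ghost.employee token=T-2077 src=203.0.113.5
"""


def parse_line(line):
    """Split one log line into (login date, {field: value})."""
    day, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return date.fromisoformat(day), fields


def departed(account, roster):
    """True if the account is on the roster with a termination date recorded."""
    return account in roster and roster[account][1] is not None


def audit(log_text, roster, issuers):
    """Return (date, user, reason) findings for logins that should be investigated."""
    findings = []
    for line in log_text.splitlines():
        when, f = parse_line(line)
        user, token = f["user"], f["token"]
        if user not in roster:
            findings.append((when, user, "no HR record for this account"))
        elif departed(user, roster) and when >= roster[user][1]:
            findings.append((when, user, f"login after termination on {roster[user][1]}"))
        issuer = issuers.get(token)
        if issuer and departed(issuer, roster):
            findings.append((when, user, f"token {token} was enrolled by departed account {issuer}"))
    return findings


if __name__ == "__main__":
    for when, user, reason in audit(VPN_LOG, HR_ROSTER, TOKEN_ISSUER):
        print(when, user, reason)
```

In practice the roster and token records would come from the HR system and the VPN management console, and the audit would run on every log batch rather than once.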