Posts Tagged ‘authentication’

The proliferation of social networking and the acceleration of personal devices for corporate use can be a boon for remote workers. Unfortunately, this increase in systems and cross-platform networks can also be a huge opportunity for cybercriminals looking to launch targeted attacks.

In 2012, the sophistication of mobile malware intensified, damaging individuals, businesses and governments alike, revealing one of the year’s top security trends: that the traditional combination of username and password is not a strong enough security barrier.

With this in mind, the following security experts share their thoughts on why more secure authentication methods are needed in 2013:

“The fact is that passwords, as a security technology, are reaching the end of their useful life. Moving to a world where alternative authentication systems are the norm is incredibly difficult, and as a consequence we are entering into a period of time when we are going to have to continue to rely on a security control that doesn’t work. Encouraging users to pick longer passphrases, and proactively auditing networks for weak passwords are steps that can be helpful during this time. Increasingly, we are going to see attackers entering networks with legitimate access credentials without ever having to fire an exploit that would trigger an intrusion detection system. We need to be prepared for this type of attack activity.” – Tom Cross, director of security research at Lancope

“Nine out of 10 intrusions involved compromised identities or authentication systems, so enterprises need to make sure they have a sound process for creating, managing and monitoring user accounts and credentials for all of their systems, devices and networks.” – Wade Baker, Verizon RISK Team

“The password-only security model is dead. Here’s why: Easily downloadable tools today can be used to crack a simple four- or five-character password in only a few minutes…Next year, we are likely to see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it is true the recently discovered botnet Zitmo cracked two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.” –  FortiGuard Labs’ 2013 threat predictions, Fortinet

What do you think? Will authentication attacks, including stolen usernames and passwords, continue to plague network security?

As indicated by your feedback in several of our polls, and as highlighted at Interop New York, more and more users are opting to access their company network via various devices. Of all the devices involved in the BYOD movement, Apple iOS products are some of the most popular. In response to this demand, the NCP Secure Enterprise VPN Server now integrates with Apple’s iOS, so IT administrators can perform certificate-based authentication to control network access of iPhones and iPads.

So, how does this work? Apple’s mobile device management (MDM) distributes various certificates to all authorized iOS devices. When users establish VPN tunnels from their devices, the NCP Secure Enterprise VPN Server uses these certificates to determine what type of device the user is accessing the network with. This enables network administrators to, for example, allow a Mac OS X notebook full access rights, while limiting iOS devices to partial access to the central network. Also, users are unable to decipher or manipulate the certificates, significantly reducing the risk of certificates being duplicated for unauthorized devices. Security is, after all, one of the biggest concerns associated with BYOD.

Ultimately, with its iOS secure authentication, NCP enables IT administrators to use certificates to control assignment rights on these end devices – without interfering with the user-determined usernames and passwords. Want to view the entire, official announcement? Check it out here.

Government Computer News – NIST spells out baseline security requirements for next-gen mobile devices
CSO – Election sabotage: A threat much older than hacked e-voting
InformationWeek – Malware Tools Get Smarter To Nab Financial Data
SearchSecurity – Remote access Trojan evades detection using mouse functions

By Joe Schembri 

I recently wrote about what should be included on a remote access security checklist. A reader, very aptly, asked why identification and authentication were not on the list. I’d like to take a moment to address this – and retroactively amend my prior list to include identification and authentication. Here’s a basic overview of what identification and authentication entail.

As we know, companies today are increasingly turning to remote workforces or allowing telecommute options for existing staff. As the number of offsite staff increases, companies must provide remote access in order to optimize workflow and efficiency. Of course, along with the benefits of remote access come additional security risks that companies must take appropriate measures to guard against. This is where identification and authentication become crucial to managing access and keeping the corporate network protected.

Identification

In order to be authorized to access a specific system or set of data, users typically must supply some sort of identification to prove that they are who they say they are. Identification can be any type of machine-readable name, such as a user ID or email address.

Authentication

Once a user supplies their identification, a remote access system must then authenticate the identification in order to determine whether or not the user is authorized. Authentication is simply a process that verifies the identity of a user and the validity of their identification credentials.

There are three types of authentication:

  • What users know – includes passwords, PINs, and answers to security questions.
  • What users have – includes ID cards, keys, and badges.
  • What users are – includes retinal scans, fingerprints, and other biometrics.

User ID and password combinations are the most frequently used type of identification and authentication for remote access. Once the system authenticates users, it then determines their specific level of authorization and the content they are allowed to access. Ideally, the level of authentication should increase along with the sensitivity of the data being accessed.

Now that we have the very high-level basics out of the way, I’ll dive deeper into how to strengthen identification and authentication methods in part two.

Joe Schembri has over 10 years of IT and IT security experience and currently works with Villanova University’s online cyber security training programs, including the CISSP training prep program. 

We recently participated in a pretty interesting webcast from G+ (a community of academics and entrepreneurs sponsored by the Gerson Lehrman Group – not Google +). The webcast was on the topic of security vs. privacy, with Dr. Tim Gibson, assistant director of cyber systems at Draper Labs, talking about the state of authentication on the Internet and how – as an industry – we can improve authentication credentials. So naturally, we wanted to share nuggets from this conversation with all of you. Here are the main topics and what we learned.

IP Addresses can’t identify users

  • We use IP addresses to identify the user, the machine, and the routing indicator. The problem is that an IP address only gives you the region and the provider.
  • Bottom line: IP addresses are pretty useless when trying to identify people.

Why do we still use IP addresses?

  • It’s not feasible to eliminate the IP addressing scheme and start from scratch.
  • But providing attribution is not practical with just an IP address.

What has changed since IP was designed?

  • Memory and processing power are much cheaper.
  • Overhead is manageable with flow managing devices for high data rates and QoS.

How can we enable attribution and network control?

  • Users authenticate themselves to their communications or computing device. For example, Joe Smith, NCP engineering, <digital signature>, <public key>, true machine IP and port, true machine name.
  • A local network device is programmed with the organization it represents. For example, NCP engineering, city, state, country, street. <digital signature>, <public key>.
  • When a user makes a connection request, a sending device combines all the identity data in the new connection request, and a control device at the receiving end decides whether it wants to accept the connection.
  • There should be protected places on the Internet—gated communities—where you have to show credentials to enter.
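
The connection-request flow in the list above, sketched as an added example (not code from the webcast or from NCP): the sending device signs the user's identity data, and a control device at the receiving end admits only requests it can attribute. The choice of Ed25519, the field names, the `Gate` enrollment table and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Identity is what the sending device attaches (field names assumed, values constructed).
type Identity struct{ User, Org, Machine, IPPort string }

// Request is what reaches the control device at the receiving end.
type Request struct{ Body, Sig []byte; Pub ed25519.PublicKey }

// Sign serialises the identity data and signs those exact bytes.
func Sign(id Identity, priv ed25519.PrivateKey) Request {
	body, _ := json.Marshal(id)
	return Request{body, ed25519.Sign(priv, body), priv.Public().(ed25519.PublicKey)}
}

// Gate maps each enrolled public key (hex) to the "user@org" it may claim.
type Gate map[string]string

// Accept admits a request only if its key is enrolled, the signature verifies,
// and the claimed name is the one that key was enrolled for.
func (g Gate) Accept(r Request) bool {
	owner, known := g[hex.EncodeToString(r.Pub)] // unknown or malformed keys stop here
	if !known || !ed25519.Verify(r.Pub, r.Body, r.Sig) {
		return false
	}
	var id Identity
	return json.Unmarshal(r.Body, &id) == nil && id.User+"@"+id.Org == owner
}

// Demo: genuine request, body altered in transit, unenrolled key, enrolled key claiming another name.
func Demo() (genuine, tampered, stranger, spoofed bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil)
	gate := Gate{hex.EncodeToString(pub): "Joe Smith@NCP engineering"}
	id := Identity{"Joe Smith", "NCP engineering", "laptop-01", "192.0.2.10:50000"}
	good, bad, unknown := Sign(id, priv), Sign(id, priv), Sign(id, other)
	bad.Body[0] ^= 1
	id.User = "Jane Doe"
	return gate.Accept(good), gate.Accept(bad), gate.Accept(unknown), gate.Accept(Sign(id, priv))
}

func main() { fmt.Println(Demo()) }
```

Only the genuine request is admitted; a public key sent inside the request proves nothing on its own, which is why the gate checks it against what was enrolled.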

How can we protect privacy?

  • Users must be allowed to “opt out” of the authentication scheme.

What do you think of this security vs. privacy debate? Do you agree with rethinking IP addresses or that in the future, there should be protected “gated” communities on the Internet? Weigh in.