Monday, 18 February 2008

Have you been mis-sold security?

Information security does not need to be complicated in order to be robust, nor does simplicity equate to an inferior defence. So, have you been mis-sold security?

A lot of the hyperbole stemming from many info security vendors suggests that, in order to be secure, you’ll need to re-mortgage your company premises to upgrade to the biggest, shiniest IT security infrastructure. The simple fact of the matter is that securing business-critical information, be it customer details, financial records or strategic data, boils down to one thing – access.

Aside from the technological argument, an equally important consideration to make when strengthening IT security is cost. Because IT security has no measurable ROI, with cost justifications made instead on the ability to avoid losing money or damaging reputation, prudence is desirable when making a security investment. I for one would argue that almost all security threats could be averted with only three things; antivirus software, a firewall and some form of two-factor authentication, the latter being the most critical because if you can retain control over access you are, by default, secure.

This is why the continued use of static passwords as the last bastion of information security, and the final word in determining user privileges and administrator access, represents a significant weakness to business defences. More companies are adopting or improving ICT process, specifically by providing remote access services to help them realise operational and competitive efficiencies for their business or to meet flexible working practice regulations, This is particularly important for SMEs, which account for over 99% of all UK companies and are the real growth area for remote access services. These changes mean that companies are opening more doors to their data and so the threat posed by malicious individuals and organised criminal gangs grows exponentially. They have access to the tools and intellect needed to launch brute-force attacks, create and disseminate key loggers, as well as myriad other password cracking or harvesting methods, to which static passwords represent merely a speed bump, not a roadblock.

For this reason, the cliché that “a chain is only as strong as its weakest link” is synonymous with budget-sapping IT security projects. Relying on an archaic access control mechanism not only goes against any best practice considerations, but also is downright foolhardy. As is often the case, the financial sector realised this fact early on, particularly on the retail banking side of things, and is now adopting strong two-factor authentication (2FA). This is visible in the form of both the ubiquitous Chip&PIN, and issuing one-time-password generators to online banking customers.

With 2FA the one-time passwords, generated every single time a user needs to log in, quash any attempts made by a hacker or unauthorised user to gain access to networks, applications and vital business information as they can’t be gleaned via a keylogger and can never be guessed due to their incoherent nature.

The reason that any security measures, no matter how elaborate and innovative, are prone to failure is because they are still reliant on those easy to crack, often predictable, strings of characters. To illustrate this point it is worth taking a trip back in time to the 1950’s, when there were just five computers in operation. Aside from being protected by all manner of physical defences, should a potential saboteur get through; they would be faced with the prospect of having to guess a password. Back then this was an effective and innovative line of defence.

However, as time advances so too does the actual and perceived threat. With the advent of firearms, the sword and spear became obsolete as an army’s only tool for defence. To keep ahead of the online arms race we too need to discard untenable security measures to avoid having to learn from our mistakes.


Copyright 2009 Jason Hart. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan