Tuesday, February 24, 2009

QCESC Awards Ceremony



From the QCESC Awards Banquet on Friday. I am receiving the Sr. Scientist of the Year award from Pat Barnes, QCESC President. (2/20/2009)

Monday, February 23, 2009

Why Should I Use 2-Factor Authentication?

If you want to protect sensitive data that is exposed to the Internet, you have to choose between multi-factor authentication (MFA) and a basic password. On your internal network you may have additional safeguards in place to keep the bad guys out, but data exposed to the Internet has to be protected on its own merits. That means encrypting it at rest and in transit, and strongly authenticating the users who access it. You really only want people who are authorized to be able to log on and see that stuff.

Single-factor authentication would include using a password or PIN to log onto a web application, or onto your Windows domain when you get to work in the morning, for example. For many users this is quite adequate. If someone steals your password and the worst they can do is screw up your data or see your email, and this doesn't put your company at risk, then your company may do fine with a simple "90-day" policy for changing your password. Two-factor authentication adds another requirement on top of your password or PIN (something you know), such as a piece of hardware (something you have: a key fob or card) or a biometric (something you are: a fingerprint or iris scan). Traditionally, two-factor authentication is implemented by having both basic logon credentials (username/password) and a hardware token that generates a new one-time code every 60 seconds from a secret seed and a clock, both of which are synchronized with the authentication server on the other end. The server recomputes the same code from the same seed and the same time, so a code captured by a keystroke logger is worthless a minute later. These two layers together are much more effective at only allowing the people you want to connect.

Do not fool yourself into thinking that adding a PIN or a second password is really strong authentication. In that case you are really just using two "things you know", and both can be captured by the same keystroke logger if you type them into a kiosk at the airport that has been compromised. What you really want for MFA is factors of different kinds, delivered through different channels, so that compromising one of them (the keyboard, say) does not hand the attacker the other.

Two-factor authentication (TFA) is also important for non-repudiation. This means that if you have a good way of verifying that the person is who they say they are when you give them the key fob, then you have a high degree of confidence that transactions using TFA can be trusted to have come from that person.

Let’s face it, passwords suck. They are somewhat convenient, but unless they are overly complex (requiring you to write them down or keep them someplace electronically) and changed frequently (which leads again to forgetting them, and higher help desk costs), they are not a major hurdle for a motivated individual. One-factor authentication is, however, “what we’re stuck with” until we have some ubiquitous second factor easily added on, which means card readers, USB, biometric readers, etc. These have to be ubiquitous if we want a single solution for everybody. Otherwise, it is often prohibitively expensive for companies to bear the burden of deploying readers, and it is difficult to convince managers that people should carry a “second-factor”. But, passwords still suck.

[*Unless we are simply IT managers and not really security-minded professionals who want to really do something legitimate to keep out the bad guys, in which case pins and pictures and passwords are usually adequate to keep you out of jail. They don’t really protect your data well.]

I’ve done extensive research into what is out there, and (again, since there is no industry standard solution built-into all hardware) there is no one-size-fits-all solution. However, if your company has sensitive data they want to protect, regardless of what Uncle Sam is “making” you do, it should be protected better than simply with a basic password. Of course, this comes down to a risk analysis, and the cost of the solution has to be compared to the cost of exposing the data. Also, you need to look at how people use your solution. If they are going to write a pin on the back of a token and pass it around, or if your vetting process sucks, then the results will also be poor.

The online banking sites that use additional layers of “what you know” may do somewhat better than just having a simple password. By that, I mean if they don’t just use a second pin or password, and ask specific questions or use a complicated picture scheme like http://myvidoop.com, then for many casual attacks this is better than just a password. However, if you have a collaboration tool exposed to the Internet, and you allow 20,000 internal employees to access it, and it contains sensitive data, you have to expect that SOME of the employees will be coming from exploited computers with keystroke loggers and perhaps even screen capture trojans that will totally subvert these kinds of 1-factor solutions. Once they have access from ANY employee’s account, they may have the ability to view a LOT of compartmentalized data or sensitive conversations.

Giving someone a poorly vetted certificate, or one whose private key is exportable (and so can be copied off the machine by the same malware that steals passwords), is also not a great solution. To really have PKI in use you need to properly vet the certificate for each user and for each machine that user works from, and that is unwieldy and expensive to deploy and manage.

Two-factor hardware and software tokens, or out-of-band solutions like SMS/call-back phone solutions, are all good, but seldom will one solution fit well for all your use cases. Many people hate using hardware tokens. Not everyone has a phone, or has reception, when they need it – but more and more people do have at least a personal cell phone, and SMS is becoming much more reliable than it used to be in the US (it was good in Europe long before it was in the US). You can build a whole infrastructure and give people choices if you want, but that will be more expensive and harder to manage, while providing more flexibility and usability for the end-users.

What I am considering seriously as an intermediate offering is something that is more like “1-factor + controls”. You may consider evaluating the RSA "behavioral solution" which uses the same methodology they use with many banks to audit user activity and when it becomes more suspicious than some threshold you set, it will trigger some out of band confirmation that is strong, like an SMS message or so on. This behavioral software allows most users to just use one-factor, the password, but when it sees a user logging in from two different countries at the same time, logging on at times that are unusual for that user, etc. it will raise the authentication bar, so to speak. I am not sure if this will prove to be a good intermediate method, but I am hoping it will and won’t also prove to be too expensive.
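To make the "1-factor + controls" idea concrete, here is an added example of the kind of rule set such a tool applies, written for this page and not taken from RSA's product or from the original post. The login records, the thresholds (an hour travel window, a 5% floor on the hour-of-day histogram) and the two decision labels are constructed assumptions; a real deployment would feed it geo-IP and session data and wire the "step-up" result to an out-of-band confirmation such as the SMS message described above.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One authentication event. `country` is what a geo-IP lookup returned (assumed)."""
    user: str
    ts: int        # Unix seconds
    country: str   # ISO 3166 alpha-2 code
    hour: int      # hour of day (0-23) in the user's home time zone


def assess(history, current, travel_window=3600, hour_floor=0.05):
    """Score one login against the user's own history.

    Returns ("password", []) when nothing is unusual, i.e. the password alone is enough,
    or ("step-up", reasons) when an out-of-band confirmation should be demanded.
    """
    reasons = []

    if not history:
        reasons.append("no baseline for this user yet")

    # Impossible travel: another country within travel_window seconds of this login.
    for prior in history:
        gap = abs(current.ts - prior.ts)
        if prior.country != current.country and gap <= travel_window:
            reasons.append(f"impossible travel: {prior.country} then {current.country}, {gap}s apart")
            break

    if history:
        if current.country not in {h.country for h in history}:
            reasons.append(f"first login from {current.country}")

        # Hour of day that this user almost never logs in at.
        share = Counter(h.hour for h in history)[current.hour] / len(history)
        if share < hour_floor:
            reasons.append(f"unusual hour {current.hour:02d}:00 ({share:.0%} of past logins)")

    return ("step-up" if reasons else "password"), reasons


# Constructed baseline: 40 logins from the US, office hours only (not real data).
DAY = 86_400
HISTORY = [Login("jdoe", 1_230_000_000 + d * DAY + (8 + d % 9) * 3600, "US", 8 + d % 9)
           for d in range(40)]

# Routine login the morning after the last one: password alone is fine.
NORMAL = Login("jdoe", HISTORY[-1].ts + DAY, "US", 9)

# Same account, another continent, twenty minutes after the last US login, at 3 a.m.
SUSPECT = Login("jdoe", HISTORY[-1].ts + 1200, "CN", 3)

if __name__ == "__main__":
    for login in (NORMAL, SUSPECT):
        decision, why = assess(HISTORY, login)
        print(decision, why)
```

Two things to notice when evaluating a commercial version of this: the baseline is per user, so an attacker who mimics the victim's normal hours and country sails through on the password alone, and a brand-new account has no baseline at all, which is why the example treats "no history" as a step-up rather than a free pass.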

I would personally love to just tell all our employees and partners to go out to Verisign and buy a $20 VIP card that will let them authenticate to a number of federated sites like eBay and PayPal. I suspect that people will routinely carry second-factor authenticators in the future, like a card or fob – unless something like reliable biometric readers, or card readers become ubiquitous from the hardware vendors. (Barring some mandate, I don’t see that happening.)

Other alternatives include telling your business owners that they can’t put anything sensitive on external facing sites, etc. If this is self-policed by the data-owner, it will probably not work well. I am seeing some companies moving to a DLP solution, but that can be darned expensive and it requires that you have a strict data classification policy. Another alternative is more passive, which is running eDiscovery tools to find sensitive data and then remove it from those sites. However, if removing all sensitive data is going to break your ability to collaborate or have transactions, you really need 2-factor authentication and a fairly good vetting method.

To be frank, while many companies require their suppliers and employees using remote access to use strong authentication of some sort, they aren't good about enforcing a rule that sensitive data not be exposed to the Internet. In the case that the data is high profile, like PCI data or engineering drawings, the business is going to do a pretty good job of putting that behind existing 2-factor protected standard access solutions. Other stuff, like speculative discussions, potentially sensitive data files, and collaboration tools like SharePoint, is much less policed. Based on my experience from my years with the government with how compartmentalized data can be exploited, I suspect that this is fodder for the industrial spy, even though it may not be a blueprint or contract.

I “think” the behavioral monitoring tools might be a good intermediate solution, but I have more work to do before I will say that for certain. These other (picture/passphrase/etc) solutions are exploitable unless they incorporate properly vetted certificates or some kind of two-factor authentication. There is just no substitute for 2-factor, and there probably won’t be. That means you either roll-out new hardware (tokens/cards), or use an out-of-band solution that leverages already deployed hardware (like cell phones or company laptops) or force people to buy into a federated solution (i.e. Verisign). Even the behavioral tools are not a panacea, as they ratchet up to actual 2-factor when people are not acting in a pre-determined “normal” way. But, they may be seen as single-factor for a majority of users who always transact business the same way.

That’s my best take on the subject. If the customer data is not truly sensitive, and business owners prefer to use some method of obscuring the data with a proprietary schema and/or encryption, or some other method, that may also work for programmatic transactions. I've seen this done between data processing devices and backend (non-web) apps running on special ports, with no special level of authentication. But, I don’t see how this would work if individuals have to log onto a web app. The devil’s in the details.

Please, Put Down The Mustard...

It seems my old boss found a bit of notoriety, while visiting the Quad Cities this past week. [Article Link]

Jeff Botkin was the manager who hired me at John Deere ten years ago. He moved to Denver about a year later, and went to work as a security manager at AT&T. He stopped by to visit us at the office, and we had a few beers during his trip to visit family in the area a week ago. On his way home, he decided to take two 8-ounce jars of the world-famous Boetje's Mustard in his carry-on luggage. TSA screeners quickly sequestered him, and confiscated this "dangerous contraband". I suppose it only makes sense, when you consider how dangerous mustard can be. If he had perhaps found a way to get the mustard through the steel-reinforced door protecting the cockpit, and into the eyes of the pilot and co-pilot, they might have been very irritated, and this might have led to the luggage shifting in flight.

Seriously, don't we all see that, whether it's the faux security paraded about by TSA or the cover-your-ass responses that managers invent when responding to SOX audits, people need to create and document "some" processes, regardless of their efficacy? During audits and reviews, the silly rules should be weeded out and caught, but they often aren't. TSA rules are a perfect example of rules that are simply there to serve as window dressing. They are rules that may not agree with your common sense, but they give the impression that important people are doing a lot to protect you. That instills some false sense of confidence in the general flying public; in turn politicians get re-elected and budgets get passed at the taxpayer's expense, and very few of the rules actually do much to prevent terrorists from getting on planes. They mostly cause inconvenience and keep people from flying with nail clippers and mustard jars. The actual solution to keeping terrorists off planes is much more complex than you can fit on an airport placard, and usually involves background checks and intelligence that are invisible to the public. An invisible solution is no good, though; they need SOMETHING to prop up so people know their hard-earned tax dollars are going to good use, thus the STUPID, POINTLESS TSA rules that keep only the most inept and careless criminals off airplanes. Through their inconveniencing of us, the American travellers, they fulfil their purpose and allow us to fly from city to city, knowing that the guy next to us doesn't have explosives in his shoes, or really spicy mustard in his backpack.

Friday, February 20, 2009

The 47th Annual QCESC Engineers Week Banquet

Tonight is the 47th Annual QCESC Engineers Week Banquet (http://www.qcesc.org/banquet.htm), being held in conjunction with the Henry Farnum Dinner this year. We should have a couple hundred attendees for a talk on the completion of Lock and Dam 15 at Rock Island, on the Mississippi River. In addition, the Quad Cities Engineering and Science Council will be presenting Jr./Sr. Scientist and Engineer of the Year awards, a Lifetime Achievement award and student scholarships. QCESC is composed of a number of area engineering and science organizations, including the IEEE section that I was chair of last year.

If you decide to come at the last minute, we should have a couple extra places saved, and there may be snow tonight which will lead to some no-shows. Please DO COME if you have an interest. It will be a wonderful presentation, and the banquet is served by the Radisson in downtown Davenport. An excellent event, for only $40.

The award recipients already know who they are, and their biographies will be published in the brochure, so I'm not revealing too much prematurely to share that I've been selected as the Sr. Scientist of the Year. It is an honor to know that the community values engineering and science, and is willing to promote activities like this.

Wednesday, February 11, 2009

Teaching in 2009

Is it common for security professionals to have their (corporate) day job, and teach/write/speak in their spare time? I have my teaching schedule pretty well laid out for 2009. I will be teaching astronomy (16-week, 4 credit) in the Spring and Fall semesters for Scott Community College, and shorter Summer semester courses for SCC and St. Ambrose. The St. Ambrose course is 8 nights over 8 weeks, starting at the beginning of May, for 3 credits.

In addition, I am in discussions with a company in India to design two graduate security courses for an online university. The titles are "Information Security Challenges and Solutions (3 sem. cr.)" and "Information Security Governance (3 sem. cr.)". If the timeline and price are agreeable, I may start on those yet this month.

Besides teaching, I will be giving an hour talk at the "Springfield Infragard Conference" on March 13th, in Springfield, Illinois on the topic of "Security, Privacy and Cloud Computing". (Yet to be written.) So, I should be kept pretty busy through the summer at least, which is a consolation since my company has decided to cut back on travel this year, and I won't be attending the 2009 RSA Conference in San Francisco. That's an excellent conference, and I will miss it, but I do plan on attending Black Hat Briefings in Las Vegas, in early August. I will be on a pre-conference panel, and I'll pay my own way if I have to.