Security Technology Comparison
Today, IT managers have a host of security management technologies available to them. While all these products have their advantages, if the incorrect technology is chosen and the solution is too complex to manage, then the computer network and data may actually be less secure than before. IT may be lulled into a false sense of security when end-user compromises security with work-arounds designed for their convenience. Therefore, some of the key considerations before implementing any network security are:
• End-user’s convenience
• Back end infrastructure modifications
• Value of the data being protected
• Ongoing support and maintenance
• Budget and
• Size of organization
Read this white paper to find out how Access Smart’s Smartcard-based Password Manager stacks up against other security technology products.
When is a Password like a Cypher Key – Part 1
Part 1 of the “Passwords are Secure” series. My stance on passwords is well known – “Passwords are secure, people managing them aren’t.” To a computer, a key is a series of zeroes and ones used to authenticate knowledge of a secret to complete a requested task. To a computer, a password is a series of zeroes and ones used to authenticate knowledge of a secret to complete a requested task. Wait a minute; both a password and a key are the same thing? Yes, they are … to a computer. I will go even one-step further in saying that if a password is securely generated and at least 32-characters long (256-bits), it is a symmetric key. To add a little controversy, all keys are glorified passwords.
The news has been abuzz this year about the different companies having their password database breached and stolen leaving billions of people’s online accounts at risk. Reading these articles, you might conclude that passwords are not a viable security protocol. But in reality, all these breaches are the fault of very weak network security and monitoring. Passwords, along with other data files, are the victims of inadequate security. Bruce Schneier once said, “Security is easy to design poorly, but difficult to design correctly.” Weak passwords are a user management issue. Stolen passwords are an IT management issue.
The Similarity of Passwords to Symmetric Keys – Part 2
Part 2 of the “Passwords are Secure” series. In a world of ever increasing cyber-attacks, IT invests massive amounts of time, energy and money to secure corporate networks and data. Because there are no silver bullets, many different security technologies attempt to address each potential threat. With so many different vulnerability points, the first line of defense must be trusted authentication.
This report does not compare the operational functions or benefits of cyphers versus passwords. They are very different. Rather, it analyzes an important cryptographic component that the security industry goes to great lengths in time, energy, and money to protect – the keys. When cracking passwords becomes as difficult as cracking keys, then passwords will be secure.
Certificate Authentication is Vulnerable – Part 3
Part 3 of the “Passwords are Secure” series. When it comes to security implementations, there is a big difference between the theoretical and the practical. In the theoretical world all algorithms work flawlessly, there are no infrastructure vulnerabilities, and security protects against every attack. However, in the real world new variables frequently raise their ugly head from places never anticipated. The realization that Certificate Authorities (CA), certificates, and private keys can be compromised rocks the basic foundation of information security. Once the key is compromised, like a password, cybersecurity goes out the window. That’s because IT cannot differentiate between a hacker and a legitimate employee if the correct credentials are presented. When cracking passwords becomes as difficult as cracking keys, then passwords will be secure.
Password Manager – Wikipedia Re-print
A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or a file that holds the encrypted password data for secure logon onto computers, networks, web sites and application data files. Many password managers also work as a form filler, thus they fill the user and password data automatically into forms. These are implemented using a browser extension, smart card application or USB stick application that communicates to the browser
Recently I had the opportunity to update Wikipedia’s listing for “Password Manager”. While many others have also contributed over time to this entry, I wanted to do a simple PDF reprint of this topic to help inform others about the advantages and disadvantages of a password manager system. While I don’t know who else has contributed to the writing of this entry in Wikipedia, I want to thank and acknowledge their contributions.
Can Contactless Smartcards Support PKI? Fact or Fiction
“It is cheap and easy to design a high security system poorly. It is expensive and hard to design a security system to protect against every possible attack. It requires forethought and insight to design a useful security system at a high degree of trustworthiness and at an affordable price”.
— Tom Austin
The misconception is that contactless smartcards with symmetric encryption is part of a Public Key Infrastructure (PKI) system. The thought is that a card stores an AES or 3DES encrypted digital signature or certificate as a secure, unique individual identifier. That signature is then passed to the reader where it decrypts it to reveal the true signature. To a die-hard security and smartcard person, like me, the hairs on the back of my neck start to stand on end when I hear this claim.
You Think Passwords are Secure
To gain access to the company’s computer, network or cloud accounts all that’s needed is a legitimate user name and password. IT may have a security policy regarding password strength that employees are suppose to follow, but just how secure really are their passwords, and how much protection does the policy really offer? Here’s a simple test.
Do employees implement one or more of the following common password management practices? · Use a simple password based on a name, word, or date that can easily be remembered. · Use a password that is very identifiable to that person, such as a kid’s name with birth date, home town with zip code, and so on. · Try to be clever and spell a child’s name backwards. · Use the same password everywhere and for everything. · Write the passwords down somewhere such as in or on a notebook, piece of paper, white board, sticky notes, PDA, or whatever else happens to be handy. · Have a Word or Excel document or some other data file called “passwords” that’s stored in a compute or smartphone. · Have told a co-worker, assistant or spouses a passwords so they could multi task. · Keep the same password for years, or recycle a series of the same ones. · Use the Web site’s name as a password. · Use the word “password” as a password.
If you answer “yes” to any one of these common password management practices, you company is at risk of being a victim of a data breach that leads to Privacy Laws violations.
Dealing with online identity theft
Identity crimes involve two victims: a company and an individual. Identity crimes also involve two criminal acts: identity theft – the act of stealing someone’s personal information, and identity fraud – the act of falsely using someone elses identity to commit felonies. Companies, universities, and organizations are the primary victims of identity theft, whereas individuals are the victims of identity fraud. Although the costs of identity theft to a company and to an individual are different, a successful attack is devastating and traumatic to both.
The State and Federal Identity Theft and Privacy Protection Laws now require companies, agencies, and organizations of all sizes to protect all personal information they store and report to all their customers, employees, and vendors whenever a breach occurs. The financial ramifications on a company having a security breach can be substantial to their present and future business. In some cases, companies have had to close down their businesses because the financial costs of a security breach were overwhelming.
The crimes committed using another person’s identity range from credit card fraud to serious felonies. Typically, the victim is unaware that their identity has been stolen and is being used for criminal acts. The victim usually finds out at the most inopportune time: while applying for a home mortgage, being harassed by aggressive bill collectors, or being arrested. Identity fraud takes an emotional, financial, and time-consuming toll on its victims.
Taking a look at identity fraud
Family and friends know the most about you. They know your nickname, the schools you attended, your birthday, your kids’ names, your maiden name, and a whole bunch of other personal information you may use for your passwords. Typically, a home computer is accessed by other family members. Unless you set up unique User Accounts with individual rights and privileges, every- one on that computer has full access to everything you do.
Many online accounts and Web sites require a user name and password to prevent unauthorized access. If you make the logon to the accounts easier by saving all the passwords within Windows Internet Explorer for automatic logon, agree to the Web site’s option to “Remember my logon,” and/or have notes by your computer with all the passwords written down then you put yourself at even higher risks. By doing so, what stops another family member.
Safeguarding your identity
You don’t have to be paranoid about being an identity-theft victim or protecting yourself. Using commonsense and asking yourself whether you should or shouldn’t tell a stranger a piece of personal information will protect you from 80% of the attacks. As for the other 20%, you just want to make it difficult enough to deter the thief so that he or she looks elsewhere.
A lot of information is presented throughout this and my other white papers about the importance of generating strong passwords, securely managing all your passwords, and the need for convenience when keeping your personal or corporate less safe. Here are some key points to remember.
Recovery After Identity Theft
I hope you never have to go through the anguish of being a victim of identity theft or identity fraud. If, however, you suspect or discover that you are a victim, remember the first rule: Don’t panic, don’t get angry, and don’t let your emotions get the better of you. Losing your self-esteem and your self-control is yet another way
The following tools and discussion points will help you to know where to start and how to best manage your recovery.