Cyber Access Control | MFA Enterprise Password Management | Access Smart

Archive for Password Management

Biometric Fanatics Missing the MFA Point When They Kill Passwords

Why do biometric fanatics want to “Kill Passwords?”

Killing passwords won't solve cybercrime. It will make it worse.

When biometric fanatics evangelize “Kill Passwords!” in favor of biometrics they create a false security narrative. Replacing one form of Single Factor Authentication (SFA) with an alternate form of Single Factor Authentication adds nothing. It simply trades one factor for another. The whole security argument against any Single Factor Authentication is that the hacker only needs one piece of information to break in.

While biometric fanatics like to tout the weaknesses found in knowledge-based authentication (and I readily admit there are some), there are also a number of inherent weaknesses in biometrics. In this series of short blog posts, I will outline those weaknesses. My ultimate goal is for the reader to understand that if we go down the “either/or” cybersecurity path in choosing biometrics over passwords, everyone loses. The smart and secure cybersecurity solution is the “and” path, also known as Multi-Factor Authentication (MFA).

Cybersecurity NAICS Codes May Be Coming Soon


On February 9, 2016, President Obama announced that $19B should be placed in the 2017 budget for cybersecurity. As a cybersecurity SMB, this seemed like a dream come true, but having already been on the GSA Schedule for almost two years, my phone has not been ringing off the hook with Government interest. So I asked around and found out that many agencies did not know how to find cybersecurity products.

That same month, February 2016, I started a grassroots lobbying campaign to help government agencies find and acquire cybersecurity products and services. My idea seemed simple: have NAICS, SIN, and SIC procurement codes assigned specifically to cybersecurity products and services. Well, I might have achieved success. Here is the sequence of recent events.

On Feb. 27, 2016, I wrote the following letter to Senator Tom Carper (DE) as well as many other Senators, Congressmen, Congresswomen, agency leaders, and even President Obama. I also posted articles on LinkedIn, and asked for help from companies like Microsoft through their Voices for Innovations group. Here is a sample of one such letter:

Dear Senator Carper,
As the Ranking Member of Homeland Security and Government Affairs, I want to discuss President Obama’s February 9, 2016 announcement regarding Cybersecurity National Action Plan (CNAP). I appreciate that his vision includes both the immediate need to plug holes in the current infrastructure as well as a long term strategy which moves us away from the Band-Aid approach and toward keeping our nation and its people strong and secure.

As a California Certified Small Business owner who offers a multi-factor authentication (MFA) product already on the GSA Schedule, I have an important concern. Currently, there are no NAICS codes for cybersecurity products on the GSA Schedule. This makes it difficult for government agencies and departments to find, let alone implement, the products he is mandating.

One federal agency, (agency’s name removed per their request for security reasons), has evaluated, purchased and successfully implemented our multi-factor authentication password manager to protect their 700 high value servers. Our product, Power LogOn, saved them both money and implementation time because it works with their existing PIV ID badge, creating both high level MFA cybersecurity and convenience. They put Power LogOn through a rigorous evaluation process during which it acquired a FIPS 140-2 verification from an independent NIST laboratory (InfoGard) and a NIST FIPS 201 waiver.

My problem is that the agency cannot tell any other agency about our product because they will be seen as promoting a vendor. It’s a daunting task for a small company to have to start from scratch with every agency and department when the proper placement of our services on a dedicated NAICS code for Multi-Factor Authentication Cybersecurity would allow agencies and departments to easily find and implement the products and services outlined in the CNAP. This would help all companies to be easily identified for cybersecurity products and services on the GSA Schedule, not just me.

President Obama stated that Multi-Factor Authentication will be central to our new National Cybersecurity Awareness Campaign. As the large corporations in this country now scramble to create products to serve that purpose, my business has a 10-year track record of excellent performance and customer satisfaction with agencies and industries including government, hospitals, medical offices, education, insurance companies, law enforcement, county governments, Native American Tribal Nations, and more.

The reason the GSA Schedule is so important to your CNAP plan is that agencies will be able to find and simply purchase what they need. They will not be burdened by the time and cost of a large and cumbersome procurement bidding process. Because Power LogOn is already on the GSA Schedule, agencies can implement multi-factor authentication quickly and easily, immediately plugging any holes in their current infrastructure.

Our product takes only hours to implement because it leverages existing technologies. This means agencies can be secured immediately. Having a multi-factor authentication password manager removes the end user from the position of Network Security Administrator by removing their need (and ability) to generate, remember, type, manage or even know their passwords. This also reduces the burden on IT administrators who no longer have to waste time resetting forgotten passwords because they can now be centrally controlled. And by leveraging the government’s existing infrastructure investments, Power LogOn also saves taxpayers a significant amount of money.

I have been in this industry for over 25 years and I have a book coming out next month that outlines how to implement cybersecurity authentication solutions. My only other question is: How can I and my business contribute to CNAP and the vision for our nation’s cybersecurity?

Thank you for your time and consideration.
With warmest regards,

Cybersecurity Procurement Inquiry on OMB by Senator Carper:

An article in E-Commerce Times, “Feds Prep for Cybersecurity Buying Spree” (April 18, 2016), contained this section:

Pressure on OMB

Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.

“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.

“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.

The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.

“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.

“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.


Cybersecurity RFI from the GSA:

Finally, on April 11, 2016, the GSA posted an RFI (Solicitation Number: QTA00DF16DPI0002) to help GSA identify current offerings available, improve the visibility of those offerings, and determine gaps that need to be filled regarding cybersecurity products and services. We replied to the RFI. Here is one of our answers, to Question 3:

3. What are the advantages and/or disadvantages of how the government currently purchases cybersecurity products and services?

Currently, there are no Schedule 70, NAICS, SIC or SIN procurement codes for cybersecurity products on the GSA Schedule. Many cybersecurity companies have to list their products under very general codes. For example, while we are listed on the GSA Schedule, the best NAICS matches the GSA office has for our cybersecurity products and services are:

• 511210 – Software Publishers,
• 334119 – Other Computer Peripheral Equipment Manufacturing, and
• 541512 – Computer Systems Design Services.

None of these are obvious cybersecurity categories. The SIC and SIN codes are no better.

Without cybersecurity procurement codes, government agencies and departments are unable to find, let alone implement, targeted products and services to help keep our Nation’s electronic data secure. Their current procedure is to do keyword searches on the GSA Schedule and hope they find something. If they don’t put in the appropriate keywords, or vendors have not listed those keywords, the agency finds no match. Their only recourse is to generate expensive and time-consuming RFIs, RFPs and RFQs. Cybersecurity NAICS, SIC and SIN codes would streamline the entire process, save money, and ensure fast implementations.

Without updated procurement codes, small businesses like mine are at a great disadvantage. We don’t have the ability to lobby all the agencies about our state-of-the-art solutions, so contracts are always awarded to the major primes, which often are not up to speed in fighting the latest hacking technology or methodology. When we contact the primes to tell them what we offer in hopes of becoming a supplier, they too don’t know how to classify our products to easily drop into their government bids (there are no codes to match against). Cybersecurity procurement codes would help to level the playing field for small businesses.

Government agencies need cybersecurity NOW. The outrageously expensive and time-consuming solutions of the past cannot be implemented fast enough to keep pace with the onslaught of rogue cyber threats. Passwords are still widely used throughout the government, and switching over to new authentication methods would be time-consuming and costly. The government needs security today that can be implemented within a few days and saves money. When passwords are compromised, all the expensive back-end security in the world becomes instantly useless. Securing the front end, or “virtual front door,” is essential.

Access Smart allows government agencies to quickly add a new application to their existing PIV/CIV/CAC without recalling, reissuing, or reprogramming the credential. That is why our product won a FIPS 201 waiver. And because security is of high importance to Access Smart, Power LogOn was tested and received a FIPS 140-2 verification from the NIST independent test lab InfoGard.

Our Power LogOn product authenticates the user when the computer is first turned on, before the operating system fully boots up. Power LogOn continues to authenticate the user during computer usage: when logging on to a website, application, network, or cloud. This extra layer of security protects data while enhancing the user’s convenience. Making passwords convenient for the user ensures they will not (or cannot) circumvent security for convenience.

Cybersecurity Scores One for the Little Guys!

How much my lobbying actually played into these events is anyone’s guess. Granted, I like to think I had a part. While I could not have been successful in my lobbying campaign without the assistance of a lot of people, both known and unknown, I feel like I chalked one up for us little guys in helping the U.S. Government.

Finally, the real winners are the many businesses whose products will now be visible to the Government and Government Primes, because cybersecurity products and services will become easier for agencies to identify and procure off the GSA Schedule.


Password Managers – Not all the same

Know your Password Manager

Last week the cybersecurity industry was abuzz about the Boston-based company LogMeIn, Inc. purchasing LastPass for $125M. In the different news articles some interesting facts were quoted:

1. Only 10 percent of knowledge workers today use a password manager
2. Only 37 percent of survey participants use passwords that contain both letters and numbers
3. Nearly 64 percent of people who use the Internet deploy the same password for most websites
4. Nearly 80 percent of cloud-based services and apps have monitored, sensitive or private information
5. 35 percent intend to adopt a password manager in the next 12 months

While these are staggering statistics, it’s the last one I want to address. That’s because not all password managers are the same. You need to understand the differences before you deploy.

Power LogOn® now supports Microsoft Azure

Access Smart® Improves Cybersecurity With Power LogOn.

LADERA RANCH, CA. June 15, 2015 – Access Smart, LLC today announced that the Power LogOn software now supports Microsoft Azure. Power LogOn adds an extra layer of cybersecurity during the initial logon process to Azure. Azure provides Power LogOn customers with an efficient cloud solution, keeping data available with improved security.

Because cybersecurity needs to start before the firewall, Access Smart complements Azure by adding on a security-enhanced password manager. To access the power of Azure, employees don’t need to type in their user name and password. The greatest security threat to any company is employee-managed user names and passwords. By removing this cybersecurity vulnerability, Power LogOn puts the control of sensitive data back in the hands of IT professionals.

Power LogOn – The Stepping-Stone to PKI

Power LogOn Helps Migrate Companies to PKI Adoption.

In my many blogs, videos and whitepapers, I discuss how passwords are secure, but their management isn’t. Frequently, cybersecurity specialists believe that I’m pitting my Power LogOn solution against a PKI solution. That is not my intent. In reality, Power LogOn is a stepping-stone to PKI adoption.

This is not a contest of one technology being better than another, but rather matching the right technology to the environmental requirements. For example, what’s the difference between a Ferrari and a Jeep? Both are automobiles, they have engines, tires, seats, etc., and both will get you from point A to point B on any paved road. However, you would never take your Ferrari off-roading in the Utah desert, nor would you drive a banged-up Jeep to the red carpet at the Oscars. Implementation is about matching the correct vehicle to the environmental requirements. IT must also match the correct cyber authentication solution to the company’s requirements.