To Comply Or To Secure?

Yes, that is the question. Unfortunately, in Information Security there is a difference between compliance and security. MSI was recently approached with a simple question concerning multi-factor authentication and what the regulations really require (or will require, for those bodies of legislation that are a little behind the power curve). A quick perusal of several pieces of regulatory guidance (e.g., NCUA 748 and the FFIEC Handbooks) indicates that, while they each call for the use of multi-factor authentication for high-risk transactions involving access to customer information or the movement of funds to other parties, there is very little guidance that dictates the level or complexity of the proposed authentication scheme. One “attempt” at guidance says that where a risk assessment has indicated that single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks. What in the world does that mean? To me, it means that a financial institution, once a third-party risk assessment has been completed, can decide to use some implementation of authentication that may not be the most secure, as long as “they” believe it to be reasonable enough.

I currently bank with a financial institution that only requires a username and a password (at least 6 characters, one capital letter, and no special characters allowed) for me to log in to its online banking site and have unfettered access to my account. To me, this is an outrage! Granted, I can change banks. Unfortunately, I don’t believe there are many options that offer a more secure authentication scheme.

At MSI, we set about trying to define our stance on multi-factor authentication and whether simply complying with the regulations goes far enough to secure that precious “member data”. We were asked whether, instead of implementing a multi-factor authentication scheme, a solution that requires a password and a security question (much like the age-old “mother’s maiden name” question) would put a financial institution into compliance. The short answer: yes. The long answer: it depends on whether the financial institution “believes” it does. MSI’s answer: not even close.

In these types of situations (where regulatory guidance is too “willy-nilly” to enforce a secure solution), organizations should look to industry-standard best practices for guidance and implement a secure multi-factor authentication scheme, which will go much further in protecting customer data.

Multi-factor authentication is meant to be difficult to circumvent. It requires the customer to offer AT LEAST 2 of 3 possible forms of proof of identity. Those forms are (in no particular order):

  1. Something you know (password, PIN)
  2. Something you have (ATM Card, Token, Smart Card)
  3. Something you are (Biometrics…fingerprint, hand print, retinal scan)
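The point made above about the password-plus-security-question scheme is that both credentials are “something you know”, so the scheme never leaves the first category. The following is an added example, not code from the original post or from MSI: it classifies a login scheme by the distinct factor categories it draws on, and then shows what a real second factor looks like by pairing a salted password hash (something you know) with an RFC 4226/6238 one-time code generated from a secret held on a token or authenticator app (something you have). The credential names, the account record, the salt and the password are constructed for the example; the token secret is the RFC 4226 test-vector secret.

```python
"""Added example: why password + security question is still single-factor, and
what a second factor the customer *has* looks like. Names, salt, password and the
account record are constructed for this example."""
import hashlib
import hmac
import struct

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Constructed mapping of credential types to the factor category each one proves.
FACTOR_OF = {
    "password": KNOW, "pin": KNOW, "security_question": KNOW,
    "atm_card": HAVE, "hardware_token": HAVE, "smart_card": HAVE, "totp_app": HAVE,
    "fingerprint": ARE, "hand_geometry": ARE, "retina_scan": ARE,
}


def distinct_factors(credentials):
    """Set of factor categories that a list of credential types actually covers."""
    return {FACTOR_OF[c] for c in credentials}


def is_multi_factor(credentials):
    """True only when the scheme draws on at least two different categories."""
    return len(distinct_factors(credentials)) >= 2


# --- Factor 1: something you know (password stored as a salted PBKDF2 hash) ---
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- Factor 2: something you have (a token seeded with a shared secret) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def check_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side to tolerate clock drift."""
    window = unix_time // step
    return any(hmac.compare_digest(hotp(secret, window + d), code)
               for d in range(-skew, skew + 1))


# Constructed account record. In practice the token secret lives only on the
# server and on the customer's token/app, never alongside the password.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("Example-Pass1", SALT),
    "token_secret": b"12345678901234567890",  # RFC 4226 test-vector secret
}


def login(password: str, code: str, unix_time: int) -> bool:
    """Evaluate both factors every time so a failure does not reveal which one was wrong."""
    pw_ok = check_password(password, SALT, ACCOUNT["pw_hash"])
    token_ok = check_totp(ACCOUNT["token_secret"], code, unix_time)
    return pw_ok and token_ok


if __name__ == "__main__":
    print("password + security question multi-factor?",
          is_multi_factor(["password", "security_question"]))   # False
    print("password + hardware token multi-factor?",
          is_multi_factor(["password", "hardware_token"]))      # True
    now = 59  # RFC 6238 test time; window 1 -> code 287082
    print("login with both factors:", login("Example-Pass1", totp(ACCOUNT["token_secret"], now), now))
```

Note that the factor classification is the part regulators leave vague: a second knowledge-based question adds friction for the customer but stays inside the first category, whereas a stolen password alone cannot satisfy `login` without the current code from the token.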

While ATMs have been using multi-factor authentication schemes since the beginning of time (at least for those Laguna Beach watchers in our audience), financial institutions continue to leave the most critical of vulnerabilities unchecked: an attacker exploiting a customer’s inability to keep their passwords to themselves. If those same financial institutions took the leap and offered a more secure authentication scheme, I believe the market would reward them handsomely. They’d get my money, as measly as the balance may be.

The moral of the story is that multi-factor authentication is meant to be difficult for all parties involved. Sure, all I hear is that security departments don’t want to hinder their customers’ or their employees’ ability to perform their work by requiring a difficult authentication scheme. That’s the biggest complaint surrounding multi-factor authentication. However, if it’s easy for your customers to use, it’s probably pretty darn easy for an attacker to use as well.

While the current regulations give many financial institutions a “cop-out” when deciding whether or not to implement a multi-factor authentication scheme, that should not mean the bottom line is always the deciding factor when protecting your customers’ personal information. Industry-standard best practices should drive this moral dilemma. A risk assessment, performed by a qualified third party, may indicate that the risk doesn’t require a tough authentication scheme. I have to wonder whether that risk assessment bothered to contact any of the tens of thousands of people who have fallen victim to fraud or identity crimes because of poor authentication requirements.

Security, we’re all in it together.

As we’ve pointed out in a few previous posts, the basics of infosec have not changed, and neither has the primary threat: the users of the network. Building a solid foundation of compliance with your security policies is fundamental. So how do you get your users to invest in and live out your company’s security policies and procedures? How do you encourage them to be vigilant about security?

The best way to get people motivated is, as Neil pointed out, to model good behavior yourself. But it shouldn’t stop there: you should always look for another person to encourage and teach in the ways of good security practices. And of course you should encourage them to find their own disciple. Ideally this kind of thing should be going on at the managerial and team leader level. I’ve found that people will generally rise to the level of leadership that is presented to them. You should be striving to build a culture where users are invested in security and know that those around them are as well.

Education is, of course, paramount, as users must know about the policies to be able to abide by them. Finding ways to educate users without drudgery can be challenging. Using the mentoring model is an excellent way to spread good security practices; it allows for a level of non-threatening accountability. Another idea is to use contests to reinforce training sessions. I’ve seen some security administrators set aside a few hundred dollars of their security budget to use as prize money throughout the year, using prizes of five to ten dollars to motivate their people to be on the lookout for and report suspicious or unknown people in their buildings. The effort has greatly improved employees’ awareness of their surroundings, and the benefits easily surpass the minimal cash investment by the company.

Don’t Forget to Vote

Tomorrow, Tuesday 11/07/06, is election day in the US, so don’t forget to vote. The polls are open in most states before and after work, so take a few minutes and let your voice count.

PS – In some states, Ohio included, make sure you remember to bring your ID in order to vote. Check with your local election officials for requirements.

Insider Theft Incident – CEO Arrested

What can you say? It doesn’t get more serious than when the CEO is the source of the threat to the organization’s assets.

In this story (CEO of MSP … Arrested), a CEO is being charged with identity theft on a large scale. In this era of corporate governance and high penalties for abuse of one’s position, this will be one case to watch.

The story is via VAR Business and is pretty interesting. It is an excellent example of how identity theft by insiders has become “all the rage” in attacker circles.

Follow this one as it goes into trial. It promises to lay some groundwork for further prosecution of insider thieves to come.

Worry About the Basics

I have talked to many organizations in the last few months that are all wrapped up in deploying new security technologies and making elaborate plans for securing their organization. The problem is many of these same organizations have yet to get the basics right.

It does little good to invest in new IPS technologies, encryption widgets, automatic defensive packet switches, uber biometric scanners and other gadgets if your employees simply give out their passwords when asked, continue to click on suspicious email attachments, and throw away scraps of paper with the keys to the kingdom on them. As in Neil’s earlier post, some users just continue to be the weakest link.

How can IPS help you if you can’t keep your systems patched? Maybe it could be used to stop some attacks, but without omnipresent visibility it won’t truly defend you; it will just give you a false sense of security. That’s the problem with relying on technology and gadgets to secure your organization: without strong policies and processes and effective awareness, you might as well throw your money out the window instead of buying some new whiz-bang piece of hardware or software that the vendors say will solve your problems.

The basics of infosec haven’t really changed. You still need a set of policies and processes that explain how the organization operates, how you will secure and handle data and how your users are to act. They need awareness training on these processes and policies so that they know how to act, how to handle data and what you expect them to do when something bad happens. THEN, you need technology to enforce the rules, audit for “bad stuff” and protect you against users who make poor choices. That truly is the role of effective security tools.

So, before you invest in the next overreaching security vendor “silver bullet”, take a moment and ask whether or not those same dollars could be better used in helping your organization do the basics better. If the answer is yes, then quietly excuse yourself from the presentation, go back to your office and implement a plan to assist with the root of the problem. Otherwise, buy away, keep looking for point solutions and keep wondering why your users are still throwing passwords in the dumpster…

Weakest Link

As with a chain, so also with security: it only takes one weak link to cause a catastrophic Information Security Incident that leads to the theft of confidential customer data, loss of reputation and/or money.

Your company could have a bulletproof security policy on paper, but if no one in your organization is putting it into practice, or if a few people are cutting corners to save time, then that puts everyone at risk. A Kevlar vest does you no good against attackers unless you wear it.

So ask yourself: Am I the weakest link in my organization’s security? If not, how can I strengthen the other links through educating them? See if any of these apply to you or those around you, and strengthen the security chain against attackers.

  • Do you throw away business documents without shredding them?
  • Do you keep all your passwords in an unencrypted file called Passwords.doc in your My Documents folder or on your Desktop?
  • Do you hide your passwords on a post-it note under your keyboard, under a coffee mug, on the wall, or anywhere for that matter?
  • Do you use the same password for absolutely everything and never change it? Or if you do change it, do you only change a single digit?
  • Do you open any attachment or follow any link that comes in your email inbox?

These are basic security mistakes that could lead to you becoming your organization’s weakest security link. Avoid these habits like the plague, and make sure none of your coworkers are doing them either. Read your company’s security policy, and follow it. Educate and implement.

Here are a few steps you can take to strengthen your security today:

  • Install encryption software and use it to encrypt your Passwords.doc.
  • Use password-generating software like Personal Security Assistant to make totally random passwords.
  • Utilize the shredder so that document reassembly will be a nightmare.
  • If you don’t know who sent you an email, then don’t run the binary!!
  • Store important files in an encrypted hard drive if the security policy allows it.

Don’t allow yourself to become the weakest link.

3 Quick Thoughts and Updates

As we blogged about earlier in the week, core processing systems continue to be a focus for security teams. This week has seen additional new issues in HP-UX, Oracle problems and issues in various other related applications. Please take a moment and look through your patch levels and ensure your core systems are up to snuff.

In other news, PHP vulnerabilities are continuing to soar. Attackers are very focused on PHP problems, new vulnerabilities and exploiting vulnerable systems. PHP-based systems should be reviewed on an ongoing basis with bleeding-edge, up-to-date tools to help guard against problems. Security issues with PHP have been identified in thousands of PHP applications, in the way the language is used, and even in some of the tenets of the language itself. While groups are working to educate users of PHP and harden the underlying code around the language, PHP is likely a risky undertaking for most businesses to be considering today. It is surely powerful, efficient and easy to use, but many organizations have outlawed it, claiming it is simply too insecure for “prime time” web applications.

As an aside, BT Group has announced an acquisition of Counterpane. Congrats go out to Bruce and team for their hard work. BT has gotten a strong visionary out of the deal, and with the likes of Marcus Ranum and other talented folks on staff, look for some great things from them in the future.

Core Processing Systems under Security Stress

Looks like there are quite a few issues emerging with various systems and components that many banks and such use for their core processing. The last few weeks have seen issues in Oracle, MySQL, AIX, of course Windows and various supporting tools and services.

Given the importance of core processing availability to most financial institutions, many are hesitant to patch the production systems associated with these critical functions. However, just the opposite should be true. These systems should be among the first patched against various vulnerabilities – of course – once a patch has been properly tested and vetted in their backup, lab or QA environment (they all have those, right?).

Certainly, increased pressure on patching these systems is coming from legal compliance and regulatory requirements, but financial organizations should ensure that they have an action plan for maintaining the patching and security of these systems – regardless of, and in light of, their criticality to the life of the organization. Taking a “wait and see” or “it’s working so don’t mess with it” approach could be a severely damaging error on the part of IT and management.

Core processing vulnerabilities are going to continue to emerge and present themselves as critical issues. Getting a process for managing them put into place is an excellent idea, the sooner the better.

Approaches to Application Security Testing

I just wanted to post this pointer to another article of mine that ITWorld is running. This one is an explanation of some ideas of different approaches to doing security testing of applications.

If you are considering app testing and want an overview of pen testing, code review and hybrid processes, this is probably a good start. You can then dig deeper into the mechanisms and such via sites like OWASP, SANS, etc.

You can find the article here.

Risk Assessment Key Ideas

My column at security.itworld.com is now running an article I wrote about the key ideas behind risk assessment, and the top three things that organizations need to know when they are considering risk assessments.

You can find it here.

I especially think that more organizations need to remember point number two, which is that the risk assessment must address the business goals of the organization and provide them with a real vision of how to proceed in the future to reduce their risk. So many “risk assessments” I have seen in the last 18 months seem to be little more than vulnerability assessments with some tiny bits of policy review and analysis wrapped around them.

Organizations need to get a better understanding of existing methodologies for risk assessment in order to make smarter selections in terms of vendor offerings. I think too many organizations are making their selection based on price and many times, as in life, “you get what you pay for.”

When vendors talk to you about risk assessment, make sure that you get to see sample reports, that you feel the assessment is at a high enough level to give you real vision and value, and that the results are not just findings but real-world strategies and tactics for today and tomorrow. Otherwise, you are likely to get much less value for your investment, and much less return on what can be an extremely powerful tool for the future of your organization.