ERE Information Security Auditors

Irrefutably Identifying Ourselves


A deluge of compliance requirements has inundated organizations, obligating information security officers to protect sensitive personal and corporate data from theft, critical data from theft and corruption, and medical and health data from theft, surveillance, and destruction.

Fundamental to these security and privacy imperatives is an organization's ability to restrict access to only those individuals who have both the need and the permission to see and change the data in question.  Access should be predicated upon conclusively and positively identifying the individual or entity requesting it, while denying access to everyone and everything else.

In my May 4 blog, Forensic Identification Using Skin Bacteria, I discussed this idea.  That technique may or may not come to pass, but it does illustrate the on-going, if somewhat imaginative, research into user identification.  A more down-to-earth and currently available means of verifying identity is two-factor authentication, or 2FA.

2FA has been around for a long time and has undergone major improvements.  The banking industry has adopted it for the magnetic-stripe cards we use for credit and debit transactions: the card itself, plus a PIN, which is something we know.  Smart cards go further, permitting or denying a transaction based upon the electronic identification of the card.  The card is generically known as a token, something we have that is unique to us.
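As an added example (not code from the original post), the following Python shows a verifying server checking both factors together: a password, which is something we know, and a one-time code that only the holder of the token, something we have, can produce.  It uses the HOTP algorithm of RFC 4226 for the token code, with the RFC's own test secret, which goes beyond the card-and-PIN case in the text; the account record layout, the helper names and the demo password are assumptions made for illustration.

```python
"""Two-factor login check: a knowledge factor (a password) plus a possession
factor (a one-time code from a token, computed with HOTP, RFC 4226).

Added example, not code from the original post.  The UserRecord layout, the
helper names and the demo account are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256.  The server stores salt and digest only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserRecord:
    """What the verifying server keeps for one account (constructed demo data)."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.token_secret = token_secret  # shared with the token at enrollment
        self.counter = 0                  # next HOTP counter the server will accept


def verify_login(user: UserRecord, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Grant access only when BOTH factors check out.

    * the password is compared in constant time against the stored digest;
    * the one-time code must match the expected counter or one of the next
      `look_ahead` counters (the token may have been pressed without logging in);
    * on success the counter moves past the code that was used, so a captured
      code cannot be replayed even by someone who also has the password.
    """
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)

    otp_ok = False
    next_counter = user.counter
    for c in range(user.counter, user.counter + look_ahead + 1):
        if hmac.compare_digest(hotp(user.token_secret, c), otp):
            otp_ok = True
            next_counter = c + 1
            break

    if pw_ok and otp_ok:
        user.counter = next_counter  # advance only on a fully successful login
        return True
    return False


# RFC 4226 Appendix D test secret; its first codes are 755224, 287082, 359152, ...
RFC4226_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    user = UserRecord("correct horse battery", RFC4226_SECRET)
    print(verify_login(user, "correct horse battery", "000000"))  # False: wrong code
    print(verify_login(user, "wrong password", "755224"))         # False: wrong password
    print(verify_login(user, "correct horse battery", "755224"))  # True: both factors
    print(verify_login(user, "correct horse battery", "755224"))  # False: replay
```

The point a card-and-PIN reader makes physically is made here in code: a stolen password alone fails, a stolen one-time code alone fails, and a code that has already been used fails even with the right password, because the server's counter has moved on.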

2FA is critical for some organizational applications, and many organizations have the technical capability and financial resources to implement two-factor or even strong authentication.

However, in my opinion, 2FA is particularly important for individuals who access their business or personal computers remotely, because individuals may not have the technical expertise or financial resources to ensure their remote communication sessions are indeed secure.

For example, I see many laptop users at public hot-spots hammering away, presumably over WiFi.  (Why else would they be at a hot-spot?)  We know those networks are not secure, and the users are therefore subject to any number of man-in-the-middle and covert surveillance attacks.

Users may think their sessions are safe because the WiFi access service announces that, once a user has paid for the service, their sessions will be encrypted.  However, the log-on portion of the payment transaction takes place before that encryption begins, and it is wide open!

Or even worse: many users set up all manner of RDP remote connections to their systems.  I have seen innumerable instances where identification and authentication by a single password is done in the open.  Even though the RDP session may be run on an unusual port number, there is still the possibility of monitoring that port's activity and gaining access to the authentication data.

This problem is exacerbated by using the same user name and password for both the RDP session and the system login.

In my opinion, the bottom line is that all users of remote communication should implement some form of two-factor authentication, especially when using any combination of RDP, VPN, Bluetooth, WiFi, and wireless broadband.

My guiding principle for remote communication is that if I perform an unencrypted remote login to a system, then everybody on the Internet has just seen my authentication credentials.
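To make that guiding principle concrete, here is an added example (not code from the original post) of what a passive listener on the hot-spot could lift from a cleartext log-on such as the portal payment form described above.  The captured requests are constructed for illustration; the host names, account names, passwords and form field names in them are assumptions.

```python
"""What a passive observer on an open hot-spot sees of a cleartext log-on.

Added example, not code from the original post.  The captured payloads below
are constructed for illustration; the host names, account names and passwords
in them are made up, and the field-name lists are an assumption about what a
typical captive-portal log-on form looks like.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs

REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")

CAPTURED = [
    # constructed: the hot-spot's own log-on/payment form, sent before any
    # "your session will be encrypted" promise can take effect
    b"POST /login HTTP/1.1\r\nHost: hotspot.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    b"username=alice&password=Winter2008!",
    # constructed: HTTP Basic authentication; base64 is encoding, not encryption
    b"GET /admin HTTP/1.1\r\nHost: office.example\r\n"
    b"Authorization: Basic YWRtaW46Y29ycmVjdGhvcnNl\r\n\r\n",
    # constructed: first bytes of a TLS ClientHello; the observer can tell a
    # session exists but reads nothing of the log-on carried inside it
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
]


def extract_credentials(payload: bytes) -> Optional[dict]:
    """Return the credential carried in one cleartext HTTP request, or None."""
    text = payload.decode("latin-1")          # never fails; binary simply won't parse
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                           # not HTTP (e.g. a TLS record)
    path = m.group(1)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        return {"user": user, "password": password, "via": "HTTP Basic " + path}

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body)
        user = next((fields[f][0] for f in USER_FIELDS if f in fields), None)
        password = next((fields[f][0] for f in PASS_FIELDS if f in fields), None)
        if user is not None and password is not None:
            return {"user": user, "password": password, "via": "form POST " + path}
    return None


def observed(captures) -> list:
    """Every credential a passive listener could lift from the captured traffic."""
    return [c for c in (extract_credentials(p) for p in captures) if c is not None]


if __name__ == "__main__":
    for cred in observed(CAPTURED):
        print(cred)
```

The TLS record is included for contrast: the listener can see that a session exists but not the log-on inside it.  Note also that nothing in this parser cares which port the bytes arrived on; moving a cleartext login to an unusual port number hides it from nobody who can already see the traffic.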

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (Mech. Eng.)

President,

ERE Information Security and Privacy Auditors

http://www.ere-security.ca


One Response to “Irrefutably Identifying Ourselves”

  1. Valuable info. Lucky me, I found your site by accident, and I bookmarked it.

Copyright © 2007-2008. All rights reserved.
