Most of you have heard about the breach at RSA, in which data about the SecurID token authentication implementation was stolen.
In case you have not heard about it, read the following link before continuing.
http://news.cnet.com/8301-27080_3-20044775-245.html
Since we, as security professionals, must design and implement identity management and authentication policies as part of our job, I believe that many of us now need to rethink the solutions we have proposed.
Our main objective should be:
How to create a more resilient authentication framework?
First of all, we need to realize and accept three facts:
1) Any authentication system that is fully compromised as a result of the RSA breach was flawed from the start.
2) We all learned this, but for many reasons (funding, politics, restrictions, time constraints) many security professionals fail to implement proper authentication and authorization methods in their security designs. Time to rethink that too.
3) Old standards need to die. Things like the usual password strength requirements don't work any more. We're living in the Internet era. Those requirements could work in the client-server LAN model, but not on the web.
Rather than the simple password dictionary/complexity stuff, we must design our systems around new standards.
So we need to look at modern authentication schemes, such as the ones based on entropy algorithms, or really start to consider biometrics as part of our daily multi-factor authentication policies. Today it is common to buy a regular notebook with an embedded biometric device, yet it is hard to find biometrics deployed in enterprises as part of the authentication policy.
And, beyond authentication, authorization must be enforced.
Least privilege
Hard to maintain, yes, but failing to keep it can result in issues like the ones we're seeing now.
I believe we need to adjust our thinking once again about what authentication means and how to secure and enforce it, including the countermeasures.
Best Regards
Some additional interesting links:
http://www.nsslabs.com/research/analytical-brief-rsa-breach.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0322
http://www.codenamewindows.com/?tag=windows-8-modern-authentication-technology
http://www.lysator.liu.se/~jc/mthesis/
http://www.limited-entropy.com/dnie-device-auth
I believe second factor authentication is vital and biometric methods of security are the best solutions. There is a promising new cyber security software out that uses keystroke dynamics as a second factor. It recognizes your personal typing rhythm. Even if a hacker were to have your credentials, the software would detect that it was not you and deny access into your system. I was able to test some of this software and it's ingenious. I discovered it at http://www.authenware.com/.
Reply
Posted by: Secure4me | 10 June 2011 at 10:02 AM
I'm not too tech savvy, which is precisely why I am so wary about entering my information on any site regardless of how trusted it is. One security measure that I really like is one used by Chase online banking. They ask you to choose a primary/home computer (and they keep that IP address on file). If you try to log into your account from any other computer, it will ask you to verify your identity by sending you an authentication code to your e-mail on file or as a text to the cell phone number on file, which must be entered before they log you in. So, agreed. New measures have to be implemented other than password strength.
Posted by: Preventing Identity Theft | 14 June 2011 at 11:21 AM
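The trusted-device plus out-of-band code flow described in the comment above, written here as an added example; it is not code from the original post or from any bank's system. The class name, the five-minute code lifetime, the three-attempt limit and the `send_code` callback are assumptions; the point it demonstrates is that the second step must be single-use, time-limited, attempt-limited and compared in constant time, and that the device record stores a hash rather than the raw identifier.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300   # code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded

class StepUpAuth:
    """Trusted-device check; unknown devices must confirm an out-of-band code."""
    def __init__(self, send_code):
        self.send_code = send_code   # callback delivering the code by e-mail/SMS
        self.trusted = {}            # user -> set of hashed device identifiers
        self.pending = {}            # user -> [code, expires_at, attempts_left]

    @staticmethod
    def _fingerprint(device_id):
        # Store a hash of the device identifier, never the raw IP/device string
        return hashlib.sha256(device_id.encode()).hexdigest()

    def register_device(self, user, device_id):
        self.trusted.setdefault(user, set()).add(self._fingerprint(device_id))

    def begin_login(self, user, password_ok, device_id, now):
        """First factor plus device check; returns 'granted', 'code_sent' or 'denied'."""
        if not password_ok:
            return "denied"
        if self._fingerprint(device_id) in self.trusted.get(user, set()):
            return "granted"
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, fixed width
        self.pending[user] = [code, now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_code(user, code)                 # delivered out of band
        return "code_sent"
    def verify_code(self, user, submitted, device_id, now, remember=False):
        """Second step: single-use, time-limited, attempt-limited code check."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if now > expires_at:
            del self.pending[user]
            return False
        if not hmac.compare_digest(code, submitted):  # constant-time compare
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[user]
            return False
        del self.pending[user]                      # code is single use
        if remember:
            self.register_device(user, device_id)
        return True
```

`now` is passed in as seconds since the epoch so the expiry logic can be exercised deterministically; in production you would pass `time.time()`.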