Strong authentication and Smart Cards - ActivIdentity Blog


Jun 9, 2011 3:46pm by Julian Lovelock | 0 Comment
For the last twenty years enterprise system security has been based on a very simple principle. Anyone already inside the network is decent and can get to pretty much any resource just by knowing the relevant password, whereas those outside the network need strong authentication. Call it the perimeter defense model: OTP tokens for VPN authentication; static passwords to log onto the ERP system once you're inside. It's the IT equivalent of having a strong lock on the front door of your building and a weak lock on your filing cabinet. You know, the one with your genius plans for world domination. Oh, and the key to the filing cabinet is hidden on the shelf directly across from it.

And yet, to be honest, for most of those 20 years this strategy was good enough for a lot of companies. There were a few cases of people breaking in through a window (think SQL injection attack on the company website), but this was usually fixed by bolstering the perimeter defenses or installing a burglar alarm (think Intrusion Detection Systems). Anyway, fitting strong locks to every internal door and filing cabinet (think strong authentication for laptops, workstations, servers and applications) was prohibitively expensive.

So what's changed? Actually, a couple of things have changed. Firstly, there's the ubiquitous and ominous 'Advanced Persistent Threat'. As the name implies, this is a broad term, but the pattern is often formulaic. First, research your target both at an organizational level (suppliers, IT systems, etc.) and at an individual level (place of work, boss, vacation periods); information that we would once have considered personal and private is now shared freely on business and social networking sites. Second, build yourself a piece of malware tailored to the target environment; starter kits and helpful tips are readily available on the not-so-local hacker websites. Third, attach the malware to an email (it can look as innocuous as an attached .pdf file or a link to a website that exploits a zero-day vulnerability), make it look like it's from a trustworthy source, and send it, ideally with an enticing title such as '2011 Recruitment Plan'. Chances are that the unwitting target will open the attachment and the recipient's computer is infected. The attacker is inside the perimeter, and no amount of strong authentication could have stopped them from getting there.

Now the attackers take advantage of the misplaced trust that is afforded to users already inside the network. Weak static passwords are all that stand between them and almost any system resource on the network. From the beachhead of that one compromised machine they can sniff passwords, guess passwords, brute-force password files, and take advantage of the fact that most users use the same password for multiple logins. With time they will gain access to any system they want.

Hence my assertion that strong authentication at the perimeter only is no longer sufficient. Eventually a persistent thief will find a way into the building. If the contents are valuable to you, it's time to start putting strong locks on the doors to your rooms and your filing cabinets. In IT terms, that means implementing strong authentication at the level of individual desktops, laptops, servers and applications.

The other thing that's changed: it's no longer prohibitively expensive.

Tags: Enterprise System Security - Strong Authentication - OTP tokens
