Saturday, January 26, 2013

Passwords are never enough...

Passwords date back to the ancient cities of Babylon, when the Roman Army used "watchwords" to identify friendly soldiers...

In 431BC, Greece declared war against Sparta and the Peloponnesian War ensued, by 415 BC, Athens dispatched a massive force to attack Syracuse, Sicily. The Greeks landed with some 5,000 troops. Syracusae, seemed certain to fall, but the attack failed disastrously.

A chaotic nighttime battle took place. Greek forces were scattered, while attempting to regroup they began calling out their watchword. Their foe, the Syracusans, picked up on the "watchword" and passed it through their ranks, infiltrated the Greek troops and destroyed the entire army.

The Peloponnesian War reshaped the ancient Greek world. Athens fell and Sparta was established as the leading power of Greece. The economic costs of the war were felt all across Greece; poverty became widespread in the Peloponnese, while Athens found itself completely devastated, and never regained its pre-war prosperity.
To put this story into context, the concept of a password is 2,444 years old. Yet they are still used today,  as the primary means of identifying you as "friendly" and providing access to your data.
You might have personally experienced this same ruse, through a hacked account or stolen password. Companies on the other hand, like Athens, can be financially crippled by such attacks.

So who's to blame? Who invented the computer password?

52 years ago, researchers at MIT developed the computer password, to secure users files and time-share privileges on the CTSS computer.
In the mid-1960s, researchers at the Massachusetts Institute of Technology, built a massive Compatible Time-Sharing System (CTSS) computer.

The passwords used were small and easy to store, given the very limited storage space at the time.

In 1962, one of the researchers looking for a way to increase his time allocation, simply printed out all of the passwords stored in the system. Each researcher was allocated a quota of 4 hours per week, but that wasn't enough time to complete complex research simulations. Using different usernames and passwords allowed them to gain more time to complete complex operations.

MIT researchers, didn’t really care too much about security. CTSS subsequently became one of the first computer systems to be hacked. In 1966, a software bug garbled the systems welcome message and master password file, anyone who logged in was presented with the entire list of usernames and passwords.

What are the consequences of poor password security?

A famous example, is that of technology journalist, Mat Honan. Who's digital life, was completely erased in the space of just one hour.

"First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."

So how do we defend ourselves against such attacks?

4,000 years ago man invented the lock, it secured elements of the Khorsabad Palace in Egypt.
The oldest known lock was found by archeologists in the Khorsabad palace ruins near Nineveh. The lock was estimated to be 4,000 years old. It was a forerunner to a pin tumbler type of lock, and a common Egyptian lock for the time. This lock worked using a large wooden bolt to secure a door, which had a slot with several holes in its upper surface. The holes were filled with wooden pegs that prevented the bolt from being opened.

How can you protect yourself and your organizations?

At Khorsabad Palace, multiple layers of defense protected the citizens; city walls, gates, locks and guards.

When it comes to protecting your organization, a layered approach to information security will provided, the best defense against an attack.

Some layers of defense include: 

Two-factor Authentication
Thinking about the failures of the "password" system, RSA, the security division of EMC, developed two-factor authentication systems. Revolutionising the way a friend or foe could be identified.

By requesting a password (something you know) and a token code (something you have), this provides two factors of authentication. Two-factor overcomes the issues associated with compromised passwords, as the foe would still lack the "something you have" code to be identified.

What would this have meant to the Greeks in the Battle for Syracuse? A victory. Even if the Syracusans had the Greek password, they would have failed the of 2nd factor authentication, the request of the soldiers individual token code, leading to an immediate recognition that they had been infiltrated by their foe.

RSA Authentication Manager Express, takes things to the next-level with two-factor authentication, that offers on-demand SMS tokens and Risk-Based authentication. Seamlessly deployed for SSL VPNs, Web Portals and Citrix/VMware thin-clients, without the provisioning process traditionally associated with two-factor hardware or software tokens.

The key differentiator is the Risk Based Authentication engine, which differentiates and authenticates users based on their device (what they have) and behavioral profiles (what they do). RSA has many years of experience delivering this technology to over 250 million users in on-line banking applications, and has now adapted it for use in the enterprise.

Security Analytics
A revolutionary way to look at the security of an organisation. Security Analytics (formerly NetWitness) is a network security monitoring platform that provides organisations with situational awareness of everything happening on the network, to solve a wide range of information-security challenges.

Visualize application and user content in a revolutionary way, with powerful analytics enabling the security professional to zoom in and out of collected traffic using body gestures, fingers on a multi-touch device. If the thought of standing around the office monitoring security with body gestures puts you off, it will work with any traditional mouse.

Drill down with Tom Cruise, Minority Report like visualization, to see network traffic and events, as they transpired over the course of time. Try the live Visualization demo at:

  • Achieve Pervasive Visibility: Obtain situational awareness into the content of all network traffic and discrete behaviour of entities operating across the network.
  • Detect Advanced Threats: Identify insider threats, zero-day exploits and targeted malware, advanced persistent threats, fraud, espionage, data exfiltration, and continuous monitoring of security controls.
  • Obtain Actionable Intelligence: Perform real-time, free-form contextual analysis of network and log data captured and reconstructed by the NetWitness network security monitoring platform.
  • Increase Security Operations Center Agility: Leverage the scalability and powerful analytics of the NetWitness platform to automate processes, reduce incident time, and adapt to changing threats.

Governance, Risk & Compliance Systems
Build an efficient, collaborative enterprise governance, risk, and compliance (eGRC) program across IT, finance, operations, and legal domains. With Archer eGRC modules, you can manage risks, demonstrate compliance, and automate business processes.

  • Building Your GRC Program: Archer enterprise governance, risk, and compliance allows you to manage the lifecycle of corporate policies, assess and respond to risks, and report compliance with internal controls and regulatory requirements across your enterprise.
  • Tailoring GRC: Enable business users to configure Archer eGRC according to your organization’s unique governance, risk, and compliance processes through point-and-click configuration—no custom code required.
  • Expanding Your GRC Program: Easily create new solutions with the Archer eGRC platform or download applications created by risk and compliance experts from Archer eGRC Exchange.
  • Using GRC Content Library: Take advantage of RSA’s comprehensive knowledge base of eGRC content which includes premapped policies, control standards, procedures, authoritative sources, and assessment questions.
  • Reporting and Dashboards: Gain a current view of your eGRC activities through Archer reports and dashboards, which provide users at every level with the information they need to complete tasks and make informed decisions.

Data Loss Prevention
Data Loss Prevention (DLP) systems provide a policy-based approach to securing data in data centers, networks and end points, enabling organizations to discover and classify their sensitive data, educate end users, ensure data is handled appropriately, and report on risk reduction and progress towards policy objectives.

The RSA DLP Suite reduces the total cost of ownership with high scalability, automated data protection services, and the most extensive data policy and classification library available in the industry. Improve security by protecting the tenant’s confidential data, such as intellectual property, product roadmaps, and company financials. Facilitate compliance by securing customer records and other sensitive data as required by regulations and standards.

Data Loss Prevention Networks
Data Loss Prevention (DLP) networks identify and enforce policies for sensitive data transmitted through corporate e-mail (SMTP), webmail, instant messaging, FTP, web based tools (HTTP or HTTPS), and generic TCP/IP protocols.

Key Features
  • Depth of policy and classification library increases ROI by eliminating the need to fine tune policies and helping organizations realize the value of their DLP deployment more quickly.
  • Comprehensive support for numerous protocols dramatically reduces risk exposure.
  • Retention of end user actions logs helps administrators simplify the compliance process.
  • Numerous automatic and manual remediation options allow organizations to customize policy responses based on varying levels of risk.
  • RSA DLP Network provides deep visibility into network policy violations by sender, recipient and content type.