by Tony Lock

Pass up on the passed-on passwords

May 19, 2011
Security Software

The securing of IT systems has never been straightforward but the increasingly sophisticated nature of the cyber threats that stalk IT systems today is putting even greater pressure on organisations to lock down systems and sensitive data.

A major question is how long it will be before the de-facto standard authentication technology, the password, reaches its sell-by date.

The nature of hacking has changed significantly in recent times. Today hacking and other computer threats are operated with criminal intent to make money rather than being an ego trip or profile raising exercise.

These developments are now tightly coupled with criminals exploiting strong social engineering elements, from a user trading a password for a bar of chocolate in a railway station survey, up to the sophisticated targeting of individuals.

Password vulnerable

The vast majority of users still log on to their PCs, and gain their access to enterprise systems, applications and data, via a password. This method has never been recognised as being particularly secure.

Users like to employ simple passwords or ones that anyone with a little personal knowledge or some simple password generator software could crack quickly.

Most systems can now be set to block the use of simple passwords but when this occurs users frequently complain about the complexity they have to use and often resort to writing it down on a convenient sticky note placed under the keyboard.

There are a number of other ways that a second authentication factor can be brought into play. For example, one-time token generation devices are widely available and relatively straightforward to implement. Sending the user a one-time code to their cell phone via SMS is also on the increase.

Clearly the base-level of security needs to improve. The resources to do so are now widely available and most are reasonably reliable.

Many devices now come equipped with smart card slots or fingerprint scanners, either or both of which can significantly enhance the security of the device.

The important thing is that users understand why they have to put up with using a second factor to authenticate themselves.

The education of users is probably the single most effective thing any organisation can do to improve the security of its IT systems across the board.

Let users know what they can and cannot do and take the time to explain why these rules and procedures are in place.

Until such education is undertaken many users simply do not regard IT security as anything serious about which they should be concerned.

The pressures on business to improve all aspects of IT security are now so intense and all-encompassing as to make the implementation of multi-factor authentication an imperative.

Each company will have to assess exactly what it has deployed, who is using which system and how they can be better secured. Audit, evaluate risks, implement solutions, educate. Then monitor processes and record.

Beyond this, it is becoming clear to more advanced organisations that even the most resilient front door locks can only be part of the package needed to ensure better security.

There are clear benefits to supplementing access controls and authentication with other monitoring tools and processes.

Activity monitoring

On the premise that nothing is totally secure, it is advisable that companies implement some form of post-login user activity analysis in order to detect when abnormal work patterns occur.

Such deviations may indicate that a security breach is in progress.

It is also time to look at putting in place more sophisticated control mechanisms on the data itself, including restricting who can export data from central systems to spreadsheets and what attachments can be sent out of the company by email.

These steps require careful consideration given how dependent many business processes are on email and spreadsheets and the associated manipulation of data to provide operational insight and direction.

The time for doing nothing on passwords is coming rapidly to an end. Criminals know how to manipulate human trends to exploit weaknesses.

Tony Lock is Programme Director at Freeform Dynamics
