Sunday, July 29, 2012

User Authentication, When Is It Necessary?

An interesting situation was discussed recently between my significant other and me, in regard to when user authentication is necessary and when it is prohibitive. This discussion arose after she recently started work at a private hospital. She had been doing her nursing clinicals at a local Veterans Affairs (VA) hospital prior to starting this new job.
She was telling me how she liked her new job and how she liked the way they have it set up for her to log in to do her charting, versus at the VA hospital. At the private hospital she works a twelve and a half hour shift, and she has an RFID badge that she has to carry with her at all times. This badge is used when she needs to access different areas and departments within the hospital, as well as when she logs into any computer terminal.
When she starts her day she inserts her badge into a computer terminal to clock in and access any updates she needs to know to start her day. Once she inserts her card, she enters her username and password to authenticate, at which point she is authenticated to use the systems for thirteen hours. From that point on, she only needs to insert her badge to access charting and the other systems necessary to do her job.
This is different from the VA hospital, where she also had a badge that allowed her into different areas of the hospital and was also required to access computer terminals. The key difference is that she was required to log in with her username and password every time she accessed the system.
To many this would seem like a more secure method of authentication and the better solution for the organization; however, I am not so sure. This is because I look beyond just the way the system is designed to work, to how the system is actually used.
One difference is that it requires the staff to spend more time logging into systems, as there is a terminal for every room at the VA hospital. Each room usually houses only one to four patients at a time, and nursing staff are usually responsible for interacting with over two dozen patients, not including when they are required to help out in another department or area during their shift. In general, staff interact with about thirty to forty patients in a twelve hour shift and access over fifteen different terminals. This leads to a lot of time spent just logging in and out of terminals.
On top of the added time, and because users are so dependent on logging in many times a shift, some users have begun writing their credentials down to facilitate faster logins. This is a direct violation of company and security policy, but it is happening more frequently nonetheless. To me this defeats the purpose of requiring the login every time: the badge is still required to log in, and if users are writing the password down (usually on the top of their badge), the only way to log in to a system is to duplicate or steal a badge. In effect, this is equivalent to logging in once and then using the badge alone after the initial authentication.
Also, with a timeout of thirteen hours at the private hospital, the system additionally prevents use of a stolen badge, as the user is not allowed to log back into the system for at least twelve hours. At the VA hospital, by contrast, there is no lockout period, so if someone has a badge with the credentials written on it, they have access to the system. This allows someone to steal a badge from a user after their shift and use it, whereas the badge at the private hospital would be invalid for twelve hours, meaning the only way to meaningfully use it would be to steal it from a staff member during their shift, on hospital grounds.
One thing that is often overlooked in security is functionality. It is not only our job to minimize risk to our organizations, but also to ensure that our security measures have the least possible impact on users. Again, this was an interesting conversation that I thought I would share, and I hope it gives you something to think about.
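The two policies compared above, as an added example that is not part of the original post: a small Python model of the private hospital's badge-plus-password session (thirteen hours, then a twelve-hour lockout) next to the VA-style badge-plus-password-on-every-access policy, run against the stolen-after-shift scenario the post describes. The badge id, password and hour values are constructed, and the lockout is read as starting when the session expires, which is my interpretation of the post.

```python
"""Model of the two badge-login policies compared above (added example, not
from the original post).  Badge plus password opens a 13-hour session, after
which the badge is locked out for 12 hours; the VA-style policy wants badge
plus password every time and has no lockout.  All values are constructed."""
from dataclasses import dataclass, field
import hmac

SESSION_HOURS = 13   # badge-only access after the initial authentication
LOCKOUT_HOURS = 12   # assumed to start when the session expires

# Constructed credential store: badge id -> password for that user
CREDENTIALS = {"badge-0042": "correct horse"}


def password_ok(badge, password):
    """Constant-time check of a password against the store."""
    expected = CREDENTIALS.get(badge)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected, password)


@dataclass
class SessionPolicy:
    """Private-hospital style: authenticate once, then badge alone."""
    sessions: dict = field(default_factory=dict)  # badge -> session start hour

    def tap(self, badge, hour, password=None):
        start = self.sessions.get(badge)
        if start is not None:
            if hour < start + SESSION_HOURS:
                return "allow"          # mid-shift: badge alone is enough
            if hour < start + SESSION_HOURS + LOCKOUT_HOURS:
                return "deny: lockout"  # badge taken after the shift is useless
        if not password_ok(badge, password):
            return "deny: password required"
        self.sessions[badge] = hour     # open a new 13-hour session
        return "allow"


class PerAccessPolicy:
    """VA style: badge plus password every time, no lockout."""
    def tap(self, badge, hour, password=None):
        return "allow" if password_ok(badge, password) else "deny: password required"


def stolen_badge_scenario(policy, password_written_on_badge):
    """Shift starts at hour 0.  Returns (mid-shift badge-only tap, tap by
    whoever holds the badge at hour 14, after the shift has ended)."""
    policy.tap("badge-0042", 0, "correct horse")      # nurse clocks in
    mid_shift = policy.tap("badge-0042", 6)            # charting, badge only
    found = "correct horse" if password_written_on_badge else None
    after_shift = policy.tap("badge-0042", 14, found)
    return mid_shift, after_shift
```

Under the session policy the written-down password changes nothing after the shift, because the lockout is checked before the password; under the per-access policy it is the only thing that matters.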

Sunday, November 6, 2011

Untangle, a Nice Little Open-Source Firewall.

I am sure a few of you have heard of Untangle, the open-source firewall software that you can use to take an old PC and turn it into a nice little firewall for your home or small business. For those of you who have not, check out www.untangle.com to find this product. It basically takes a P4 or newer processor, 1-4 GB of RAM, two NICs, and about an 80 GB HDD. With it, you can turn an older PC into your own firewall, with a large assortment of modules, both free and premium, that includes antivirus, web monitoring, web filtering, WAN failover, and many, many more features.

The reason I bring this up is that as our children get older, you start to worry a little more about what they can access, as well as what access someone outside can get into your home. This can provide a free (minus the cost of the PC) option for you to consider installing. This is not for the completely technically illiterate; you do need to have some networking knowledge, not so much for setup and installation, but for troubleshooting. I have seen a few who get a little overzealous in locking down which websites can be accessed, only to find out they have a hard time getting to legitimate ones. However, in my experience, I have seen overwhelming success in installing and maintaining this system in small businesses and homes.

This product comes in a Lite form with the free services installed, for which support comes in the form of a knowledge base on the website. However, you can purchase various additional features which come with the software vendor's support, based on which package you would like, or even a la carte. This product is fairly simple to use and is far less technical and costly compared to products such as the SonicWall TZ series. So, for those of you looking to add a little security without breaking the bank, I would suggest giving the Untangle firewall a chance; if you have a spare PC lying around, you could test it out at no cost other than your own time. Again, this is not something you will want to install in an enterprise setting, but for a home, church, library, or small business, it may be worth your time to look into.

Monday, October 31, 2011

Offsite Storage, Is the Pipe Too Small for the Tank?

One key issue I deal with often is that business-class bandwidth has not grown nearly as fast as needed. Many companies have realized how important it is to have data stored in many locations in case of a disaster; however, getting the data there is the hard part.

How are you supposed to move 10 GB of incremental backups daily from one location to another and still have enough bandwidth to handle day-to-day operations? This is a question I have had to answer many times; unfortunately, the answer usually isn't "get a bigger pipe." It has become financially very difficult for small to medium sized businesses to purchase large dedicated bandwidth lines; gone are the days of having just a T1 line. Larger bandwidth lines are far more expensive for businesses than for consumers: $50 a month will get the average home user 10-20 Gbs speeds, but if you are a business and need steady throughput, you will spend hundreds a month and get a fraction of the bandwidth.

So how do you work within the confines that you have? Well, first off, if you have access to more bandwidth and can afford it, get it! You have no excuse if you have the means and the resources to make it happen. If not, then learn to live within your means, such as by cutting back on the amount of data being transferred. I have seen it time and time again where a company keeps running daily backups on servers whose data rarely changes. The key is to get what you need, not what you can take.

Also ensure that the backup schedule will accommodate the load; if too much is being pushed, it's just going to bottleneck, and if it doesn't catch up, what good is off-siting your backups if they never get there? Always plan for failures: do not load up your bandwidth so much that if a failure happens there is no chance for it to catch up. I have seen it too many times where someone takes out a calculator and starts adding up bandwidth usage based on a small window of information. If you do not give yourself breathing room, you will regret it.

Another option is to minimize unnecessary traffic. I know everyone loves to stream music or radio stations all day, but seriously, that's what your iPod is for. I suggest first sending out a request for users to minimize traffic before you start cutting things out; it will go a long way for morale, and you never know, you may get lucky and enough people will keep it under control. I know that is a very unlikely scenario, but it could happen, right?

You want to realistically make the most of what you can afford, and do so while giving your company a little breathing room for errors and growth. And the final advice that I can give is to hope and pray that sooner rather than later bandwidth will catch up to the usage that users and companies require to survive.
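The "breathing room" argument above, as an added example that is not part of the original post: a Python model of a nightly off-site transfer that tracks the backlog across failed nights, so the catch-up behaviour of a tightly packed schedule can be compared with one that leaves headroom. The 10 GB daily incremental is the post's figure; the link speed, window length and usable fraction are constructed sample values.

```python
"""Backlog model for an off-site backup link (added example, not from the
original post).  It shows the point made above: a schedule that nearly
fills its transfer window cannot recover from a single missed night.
Link speed, window length and usable fraction are constructed values."""
import math

MEGABITS_PER_GB = 8 * 1000  # decimal gigabytes, 8 bits per byte


def nightly_capacity_gb(link_mbps, window_hours, usable_fraction=0.8):
    """GB the link can move in one backup window.  usable_fraction leaves
    headroom for protocol overhead and whatever day-to-day traffic
    overlaps the window (the breathing room the post asks for)."""
    megabits = link_mbps * usable_fraction * window_hours * 3600
    return megabits / MEGABITS_PER_GB


def simulate_backlog(daily_gb, capacity_gb, failed_nights, nights):
    """Backlog in GB still waiting to go off site after each night.

    Every night adds one incremental; on a failed night (link down,
    job crashed) nothing is transferred, so the backlog carries over."""
    backlog, history = 0.0, []
    for night in range(nights):
        backlog += daily_gb
        if night not in failed_nights:
            backlog = max(0.0, backlog - capacity_gb)
        history.append(round(backlog, 2))
    return history


def nights_to_recover(daily_gb, capacity_gb, missed_nights):
    """Nights needed to clear the backlog left by missed_nights consecutive
    failures, or None if the link can never catch up.  Each good night
    clears only the surplus: capacity minus the new incremental."""
    surplus = capacity_gb - daily_gb
    if surplus <= 0:
        return None
    return math.ceil(missed_nights * daily_gb / surplus)
```

With the post's 10 GB incremental, a window that can carry 11 GB looks fine on a calculator but needs ten clean nights to absorb one failure, while a 28.8 GB window clears it the next night.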

Monday, October 3, 2011

Blocking Social Networking Sites, Is It a Security Threat or a Productivity Threat?

In the September 30th InfoSecurity article, they state that 72% of surveyed businesses block social networking sites. This begs the question: are they truly worried about the security threat posed by social networking sites, such as Facebook and Twitter, or are they more concerned with the perceived loss in productivity?
Personally, I believe they should be concerned with both, but I don't believe blocking access is the answer. Obviously, with the high volume of malicious code working its way through social networking sites, businesses should be concerned, but I believe they should not block access; rather, they should focus on ensuring that their systems are safeguarded against the potential threats.
Anti-virus protection is pretty obvious, and an IDS or IPS would be a good suggestion as well. In addition, employee education should also be a focus, as most malicious code found on popular sites requires some interaction by the user. Focusing on educating the end user will help lessen the risk of an incident, as well as help secure the organization.
I do not believe that blocking these sites will protect the company; as any knowledgeable security professional will tell you, if you block something that people want access to, they will find a way to get it. In finding a way to get it, they may inadvertently damage important systems or open holes that allow greater threats into the organization.
In addition, I believe blocking social networking sites is not going to last very long, as businesses see more and more opportunity to increase recognition and customer base.

Sunday, September 18, 2011

Insider threat larger in financial sector and by end users? Really???

I was reading a few articles today and noticed a recurring theme: data breaches involving insiders happen more frequently in the financial sector. I had been reviewing the 2011 Data Breach Investigations Report from Verizon and noticed that even though insider breaches had dropped from 48% to 17% from 2010 to 2011, they were still increasing in the number of incidents. The difference was not a decrease in insider breaches but a huge increase in external breaches.

I was also reading an article from InfoSecurity.com discussing the increase in insider breaches, specifically in the financial sector, based on information from US-CERT. I believe both articles touch on solid points. Verizon's report found that breaches are more often conducted by end users than by managers and CxOs, because insiders typically do not need highly elevated privileges to get to the data they are after. Both realized that what insiders are after isn't always money; IP has become a more and more common target. I believe this is because they believe there is more safety in stealing IP than actual account information. I believe they think they can sell IP to competitors with less risk and a higher potential for gain than if they attempted to liquidate company or customer accounts. Money is a lot easier to track than IP, especially if it is a product or project that can take years to develop.

There are many reasons that these breaches occur, but with the large percentage being end users, this falls back on many basic security principles. Least privilege, to start with, is a very basic principle that tends to either be overlooked or, if implemented, not enforced. There should be only a small number of cases where an end user has unsupervised access to sensitive IP, especially IP that can be sold to a competitor for a large sum of money, to large corporate accounts, or to a large number of customer accounts and payment information. Another highly overlooked principle is monitoring. I understand that automated monitoring systems or hiring IT staff to monitor manually can be expensive, but it can save hundreds of thousands when implemented. However, monitoring alone is not good enough; you need professionals who know what to monitor. If you do not have someone who understands what should be monitored, then who knows if you will even be monitoring the right systems or logs when a breach happens.

Finally, change management is another principle that is not usually implemented in an effective way. I don't know how many businesses I have dealt with that either have a default password scheme that is easy to predict if the formula is known, or have accounts and passwords shared among many users, but if I had a nickel for every one I dealt with, I would be driving a much nicer car. Using a simple password formula across a network is acceptable if and only if it is the initial password upon hiring and is required to be changed on first login, but many companies do not force that. Instead they just have the basic 90-day, four-previous-passwords policy in place, so many users keep using the same password they were originally set up with, just adding additional characters at the end. This makes guessing passwords extremely easy, that is, if they cannot just walk by someone's desk and find it stuck to the bottom of their keyboard. Having credentials shared by multiple users is also an easy way to allow a breach. First off, with multiple users using a single set of credentials, how do you know who used the credentials in a breach if it is discovered? Second, if multiple users are using one set of credentials, take a guess what happens when someone is let go: you guessed it, nothing. Why? Because if they already have lax policies that allow this in the first place, I sincerely doubt they will be sure to change it if someone leaves the company.

In any case, when you combine a poor economy, easy access to cashable information, and ineffective policies to prevent breaches, you have a recipe for disaster, as the financial sector is finding out the hard way. There is nothing you can do to be 100% secure and still have a functioning business, but that doesn't mean a breach has to happen or that you shouldn't be diligent in preventing it. If I have learned anything about security, it is that it is an 80/20 split: 80% policies and management, 20% technology. However, far too many companies believe that it is the other way around, and obviously 80% technology will not make up for only 20% policies and management.

Monday, September 5, 2011

Eating our own dog food.

This is a common term used in business to describe a company using its own products, or in this case, following its own policies. After reading many articles lately about IT staff subverting their own policies, safeguards, and common sense to get work done a little faster or easier, I decided to throw in my two cents.

I remember many instances where, in a company, you would have system or network admins complaining about users gambling online, watching videos, or using too much bandwidth streaming music on their workstations, only to find out they themselves were using LimeWire to download music and software to their workstations or, worse, the company's servers. Granted, this was a few years ago, when most IT staffs were small enough that you could probably get away with it. However, what has not changed is the fact that it is far too common for IT and security admins and techs alike to subvert the policies they are the ones entrusted to protect.

I, like many, understand what deadlines are like, and boy do I know how tempting it is to cut corners: using domain admin credentials all the time, as opposed to just when absolutely necessary, or using backdoors to get back in from home so I don't have to come in to reboot a server. I also know how easy it is to lambast the sales department for eating bandwidth, when I could just as easily be scrutinized for my internet usage when not swamped with tasks, should someone thoroughly check. However, we must remember that we are the ones they trust; we are the gatekeepers; we are held to a higher standard, and thus should strive to meet it.

Security is especially dangerous when it comes to temptation, but we must eat our own dog food; we must follow the policies that we know are correct, and occasionally inconvenient. If we don't follow our own policies, not only do we face reprimand for our actions, but we risk derailing what we have worked to accomplish.

How eager will a company be to enforce additional security policies when it knows its own IT department does not follow the ones already in place? We have to set a higher standard for ourselves, because if we break the laws that we create, how can we expect anyone else to abide by them?