# Security Principles

## What is information security?

Information security is the concept that only the right people can get the right data at the right time through the right channels. The best security solution is something you have in conjunction with something you know. Passwords alone aren't the answer. Smart cards alone aren't the answer. Biometrics alone won't do it either. Consider each of these technologies (in a LAN setting) by themselves:

## Passwords

In most situations, a password is the weakest, worst form of security available. Unfortunately, it's also the easiest to deploy and involves the smallest capital investment (making it very appealing to management). Your passwords are only as secure as your users. Scary concept, eh? Take it to the bank: your users will be the most likely downfall of your security solution (password or otherwise). I can't count the number of times I've found passwords taped to monitors, on slips of paper "hidden" under a keyboard, or on a brightly colored paper strip innocuously serving as a bookmark.

That being said, passwords do provide one part of a solid security equation: the password is (hopefully) something only the user knows, a combination of characters that should have significance only to them. If a user's name is Mark Smith, then using mark as a password should stand out as a glaringly obvious security problem. But passwords such as msmith or substitutions such as m@rksm1th should raise flags as well. Though password length increases the time it takes to perform a substitution dictionary attack, a successful password compromise can be accomplished in a few hours with a fast computer or two and some basic software.

A better solution to this password problem would be a mnemonic pass phrase. A simple mnemonic pass phrase construction technique is to come up with a phrase or a sentence and then take the first (or last) letter of each word in the phrase and put them together to make up the password. Chances are pretty good that combination of characters won't be something easily found in a dictionary. Let's take the phrase Mark Smith is the fifth child out of six children as an example. If you take the first letter of each of those words, you end up with MSitfcoosc, which is much less likely to be found in a dictionary attack than marksmith. To make the task of cracking this password even harder, you can perform a simple substitution of numerals or special characters for letters. One such change that I would find easy to remember yet hard to guess would be to substitute "5" for "fifth" and "6" for "six" in our pass phrase. Performing that change would yield MSit5coo6c. One more mutation could involve a "special" character, such as a punctuation mark. If we prepend an exclamation point to the password, it becomes !MSit5coo6c, a nearly impossible password for an attacker to randomly guess, and a very difficult password for a dictionary attack to crack. This is not to say that a brute force attack will not succeed. It will just take a much longer period of time (days or weeks as compared to hours).

Password frequency change policies are, at least in concept, great. However, what you generally end up with is numerically incrementing passwords, such as mark1, mark2, mark3, and so on. Thus, if a hacker knows that one time a user's password was mark15, he may be able to guess the password by sequentially incrementing the numerals. One way to get around incrementing passwords is to use tools provided by operating system vendors or third-party companies that enforce strong or complex passwords. Some common criteria are:

2. Passwords can't be similar to any of the last n passwords.
3. Passwords must have mixed upper/lower case.
4. Passwords must include numerals and/or special characters.

There are a number of tools available for managing passwords on Windows NT/2000-based systems. You will find links for them at the end of this document.

## Smart Cards / Smart Chips

Smart cards and smart chips are a reasonably inexpensive way to deploy a much more restrictive security policy than passwords alone. Smart cards can fulfill both requirements for a good security model. They are a physical device (something you have) that usually requires a PIN (Personal Identification Number) or password (something you know) to become activated. Although some early smart cards didn't have any sort of password authentication, passwords are now standard on nearly every variety. A smart card is basically a credit card-sized security appliance with an embedded microchip (smart chip) that carries a token or certificate identifying who you are. In some financial institutions, a user is required to insert a smart card into a reader before a logon ever takes place. Once the card has been inserted, the user is prompted for a password or PIN. Once that data has been entered, the user is logged onto the system. Pretty smooth, eh? Except for the days that your users lose their cards, leave them on the table, or send them through the dryer. Then it can get a little messy.

Advanced operating systems, such as Windows 2000, can take full advantage of smart cards and actually deny a user access to the system without their card. Using Group Policy, a Windows 2000 administrator can set up restrictions like "Administrators must use smart cards to log on to domain controllers" or "users can either use smart cards or type in a password." Other great policies that can be implemented are that workstations can be automatically locked upon removal of a smart card, or users are physically logged out at the removal of a smart card. Once again, smart cards can be either a great tool or a support nightmare. You really have to be willing to work with clients if they're having problems getting used to the idea that they need to treat their computer like an ATM and stick a card in every time they want to use it.

RSA Security takes a slightly different approach with their SecurID® cards. The cards receive a random number via satellite every minute or so. The random number is displayed on an LCD screen on the card. Users type in that token number (or seed, as it's sometimes called) in conjunction with a PIN that only they know to receive access to a system.

## Biometrics

Biometric security solutions are becoming a hot topic of discussion. This is a very fundamental part of the security model: it's not only something you have, but something you ARE. This technology is very promising, and has some security benefits over a security device such as a smart card. Using biometrics, you don't have to worry about a smart card falling into the wrong hands or the user leaving it at home. It's very hard to leave a finger or an eye or a voice at home or on the baggage claim conveyor belt.

Some people are already claiming that biometrics are the panacea for security problems. Retina-scanner this, thumbprint-scanner that, voice-reader so-and-so, geometric face analyzer, and so on. While it seems inherently secure, biometrics still have their security drawbacks. Hearken back to the days of 1993 and the movie "Demolition Man." In this movie, Simon Phoenix (played by Wesley Snipes) defeats a retina scanner security system by simply cutting out the eye of a guard and holding it up to the scanner. It sounds gross but plausible. The SANS Institute will tell you that you can't do that and that biometric devices can determine whether or not your submission is "live," but the technology's not there yet. For example, Tsutomu Matsumoto used gelatin to create fake fingers and successfully fooled about 80% of the fingerprint scanners he tested. Slides from his presentation can be found here, or you can request a copy of his paper by sending an email to tsutomu@mlab.jks.ynu.ac.jp. Be sure to request the document "Impact of Artificial Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. 4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002.

There has been a lot of internet rumoring about ATMs in European countries using fingerprint scanners as authentication mechanisms and would-be thieves running around with knives and bags full of bloody fingers. It may sound hokey, but considering where we are with the technology now, I don't think that's an impossibility. The point begging to be made is, if fingerprint scanners can't tell the difference between a gummy bear and a finger, how will they be able to tell whether or not a finger is attached to a body?

Gummy fingers and metacarpal thieves aside, biometrics does have a place in a secure computing environment, if not now, then in the near future. It could very well complement some other form of security, such as a written or spoken password or a keycard. Better yet, maybe a biometric smart card that only works if the owner is holding it. So many possibilities.

## Back to Planet Earth

Now, most of us work for companies that don't have that kind of disposable income. Even in the wake of 9/11, spending for security is only rising a scant 5%, according to a recent survey by the Gartner Group. In comparison, voice/data convergence is up 19%. So, with ever-increasing security demands and flatlined spending, what is a network administrator or engineer to do? Read on.
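The mnemonic pass phrase construction and the password-complexity criteria from the Passwords section, worked through as an added example (this is not code from the article or from any of the tools it mentions). The leet substitution table, the minimum length and the history depth are assumptions; the names and passwords are the article's own examples.

```python
import re
import string

# Added example, not code from the article: builds a mnemonic pass phrase the way
# the text describes, then screens candidate passwords against the complexity
# criteria it lists. The substitution table, min_len and history are assumptions.
LEET = str.maketrans("@$!013", "asioie")  # common character-for-letter swaps


def mnemonic(phrase, substitutions=None, prefix=""):
    """Keep the first letter of each word; whole words in `substitutions` are swapped."""
    subs = substitutions or {}
    return prefix + "".join(subs.get(w.lower(), w[0]) for w in phrase.split())


def normalize(password):
    """Lower-case, drop a trailing run of numerals (mark15 -> mark), undo leet swaps."""
    return re.sub(r"\d+$", "", password.lower()).translate(LEET)


def check(password, name_parts, previous=(), min_len=10, history=5):
    """Return the policy violations for `password` (an empty list means it passes)."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs mixed upper/lower case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("needs a numeral or special character")
    norm = normalize(password)
    # msmith or m@rksm1th for Mark Smith: the user's own name survives normalization
    if any(part.lower() in norm for part in name_parts if len(part) >= 3):
        problems.append("derived from the user's name")
    # mark15 -> mark16: incrementing numerals collapse to the same stem
    if any(normalize(old) == norm for old in list(previous)[-history:]):
        problems.append("too similar to one of the last %d passwords" % history)
    return problems


if __name__ == "__main__":
    phrase = "Mark Smith is the fifth child out of six children"
    for pw in ("mark", "m@rksm1th", mnemonic(phrase),
               mnemonic(phrase, {"fifth": "5", "six": "6"}, prefix="!")):
        print("%-12s %s" % (pw, ", ".join(check(pw, ["Mark", "Smith"], ["mark15"])) or "OK"))
```

Note that the article's criteria list begins at item 2; the minimum length enforced here is a stand-in for the missing first criterion, not something the article states.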
website design: © www.aaronguilmette.com