Friday, May 27, 2011

More on the state of IT security

In my last post I touched on the various threat vectors and some ways that might prove effective in addressing them.  Late today (5/28/2011), I learned from the MSN site more details of the level of the RSA break-in (http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security) and discovered, to my dismay, that what I had feared, but not voiced, had in fact proven true.  It appears that not only cell phone tokens were taken, but enough information to invalidate the two factor security devices that are used by many large defense corporations and also by some banks for wire transfers.

These devices display a new one-time code that is only valid for a short window (typically 60 seconds), so that an intruder who has obtained a valid user ID and password still cannot reuse a captured code to get into an account.  Unfortunately, we now have proof that this solution no longer provides a safe method of securing information.  We only know for sure that Lockheed Martin was hacked; other contractors and banks that use this technology aren't talking at this point.
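To make the point concrete, here is an added example (not code from the original post, and not RSA's SecurID algorithm, which is the vendor's own design) using the open-standard TOTP scheme from RFC 6238 with the RFC's published test seed. A code is derived from nothing but a secret seed shared between the token and the authentication server plus the current time. Whoever holds the seed and a clock computes exactly the same codes, which is why theft of the seed records is so damaging, and the server rejects a code once its time window has passed, which is the "only valid for 60 seconds" property. The 60-second step, the 6-digit length and the one-window clock-drift allowance are assumptions chosen to match the text, not properties of any particular vendor's device.

```python
import hashlib
import hmac
import struct

# Per-token secret shared by the token and the authentication server.
# This is the RFC 4226 / RFC 6238 test seed, used here so the results are
# checkable against the RFCs; a real seed would be random per token.
SEED = b"12345678901234567890"
STEP = 60       # seconds per code; assumption matching the 60-second window in the text
DIGITS = 6      # assumption; common display length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    The token does this on its own clock; the server does it on its clock."""
    return hotp(seed, now // step)


def verify(seed: bytes, code: str, now: int, step: int = STEP, skew: int = 1) -> bool:
    """Server-side check. The current window plus `skew` neighbours on each
    side are accepted to absorb clock drift; anything older is rejected even
    though it was once a correct code. compare_digest avoids a timing leak."""
    current = now // step
    return any(hmac.compare_digest(code, hotp(seed, current + d, len(code)))
               for d in range(-skew, skew + 1))


def attacker_with_seed(stolen_seed: bytes, now: int) -> str:
    """An intruder who has the seed needs nothing from the victim's token:
    same seed, same clock, same code. This is the failure mode the post fears."""
    return totp(stolen_seed, now)


if __name__ == "__main__":
    t = 1_306_540_800  # constructed timestamp (May 2011)
    legit = totp(SEED, t)
    stolen = attacker_with_seed(SEED, t)
    print("token shows   :", legit)
    print("attacker shows:", stolen, "(identical)" if legit == stolen else "(different)")
    print("valid now?    :", verify(SEED, legit, t))
    print("valid 5 min later?:", verify(SEED, legit, t + 5 * STEP))
```

The defence the code cannot provide is the one the post is really asking for: once the seed table itself is in the attacker's hands, the time window only limits replay of an intercepted code, not generation of fresh ones. Re-seeding (replacing the tokens or their secrets) is the only remedy for that, which is why the scale of the seed theft matters more than the algorithm.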

As I see it, we are left with only two high-security solutions, and only one of which is valid for external access.

For internal access:
  • Require simultaneous login by two users with IDs and passwords at the same station.  One should be from the security dept and the other the user.  
  • Logs need to be kept and stations visually monitored.  This should be used for all administrative login needs and restricted to visually monitored stations. 
  • Everyone on site should be required to carry a picture ID that can be checked on demand by security. 
  • Validation against a protected, isolated security server should be required both for the user IDs used at login and for the ID cards carried by all personnel.
  • All maintenance processes need to be carried out by a two-man team.
For external access:
  • Use a token device (like RSA provides) in addition to biometric checks which are verified against a copy held in a protected, isolated server system. 
  • A call-back from security with a series of personal information questions and answers required.  In addition, a voice comparison and stress analysis could be done. 
  • This would tighten things up a bit, but is still not a guarantee.  Fingerprints can be lifted, voices recorded, and so on. 

Rant time
In truth, there is no security other than eternal vigilance... and that takes money, intelligent, alert security staff and admins, and responsible management.  CEOs and CFOs need to hire the best (not cheapest) IT people, and enough of them that they aren't sleepwalking through their shifts.  It would also be a good idea to listen to them rather than to the salesman who is trying to sell them the latest, greatest solution.  You can now see where that leads.
