As the baby boomers hit retirement age, a new cohort of employees will arrive for work at every government in Canada. IT security managers can make some assumptions about the new crop. They are already knowledgeable about computers, the Internet, cellular telephones and PDAs. They have smoothly integrated technology into every aspect of their lives. They will expect the same high level of speed, flexibility and utility they have in their personal systems. Most importantly, they will devote their greatest ingenuity to defeating any IT security system that they perceive as slow and clumsy.
One of IT security’s biggest headaches, authenticating users to a network, appears to be the simplest. The common solution is a password, the first of the three factors of authentication: something you know, something you have and something you are. The system issues or accepts a password. The user obeys some simple rules: never write it down, never share it and never give it to someone over the telephone, no matter how plausible they sound. On the administration side, system administrators make sure that passwords are changed regularly and meet a certain level of complexity. This is where the headache starts.
Imagine two graphs. On the first, we can see that the simpler a password is, the easier it is to defeat. In a matter of seconds, a basic password-cracking program working from a word list can guess a password based on the name of a pet or a family member. As you add length and complexity in the form of upper case letters, numbers and symbols, the space an attacker has to search grows and the password becomes much more resistant to guessing and brute force attacks. Good.
Which brings us to graph number two, which shows that as soon as you ask users to memorize more complex passwords, they begin to defeat the system by writing them down. Bad.
As Michael Vlugt of Ottawa-based CRYPTOCard Inc. said, “If the organization has complex passwords, the users will look at ways to reduce the management of them. Individuals aren’t meant to manage passwords. As soon as it becomes complex, they don’t want anything to do with it.”
A study by Microsoft Corp. estimates that more than half of all password thefts take place within organizations. Users make it easy by leaving passwords on sticky notes within easy reach, or sharing them with a colleague. If it’s hard to remember your own password, you are more likely to write down someone else’s. If you want all of someone’s passwords, get access to their terminal and search for “passwords.doc” or “passwords.txt.” Companies that recycle electronic equipment often find laptops with passwords taped to them and cellular telephones with passwords in the speed dial list under – what else – “password.”
We know that the overwhelming majority of IT security incidents are “inside jobs.” They do not originate with outside attacks but with employees and contractors who are already inside the gates. Whether it is the new hire downloading and installing pirated software, or the jealous executive e-mailing himself personnel evaluations from an unguarded open terminal, the answer to many problems lies more in dealing with the people inside than the threats outside.
Writing down passwords is a people problem. The solution may be people-friendly technology. Token-based two-factor authentication is a proven technology and the costs are coming down. In spy novels, the “one-time pad” is a staple, because it is the one cipher that is provably unbreakable. If the agent sending an encrypted message from the field and the spymasters decoding it at headquarters have the same one-time pad, a sequence of truly random characters that is kept secret and never reused, the communication cannot be broken no matter how much computing power the adversary has. The drawbacks, of course, are the need to make sure the field agent always has a supply of one-time pads, and the fact that the guarantee evaporates the moment a pad is reused or a copy leaks.
In the IT security world, the token takes the place of the one-time pad. When issued, a USB flash drive, calculator-like keypad or keychain fob is loaded with the secret from which a sequence of one-time passcodes is generated, and the authentication server holds the same secret. When users log on, they press a button to see the next passcode in the sequence and enter it along with a PIN. Entering the PIN demonstrates something they know, one factor of authentication, and entering the correct passcode tells the system they do indeed possess the second factor, something they have. Token-based two-factor authentication means that each passcode is accepted once and only once. If someone steals a login name and passcode by “shoulder-surfing,” that passcode will never be accepted again, and the PIN alone is useless without the next code from the token.
As with any technology, managers need to look at the end-to-end costs of two-factor authentication, not just the sticker price for the initial roll-out. And like any technology, there is a standards battle under way, with no moral high ground. Industry leaders want the stamp of approval while smaller players want their distinct competitive advantage chiselled in stone.
Even if the implementation of two-factor authentication does not appear to be a distinct possibility on the organizational radar now, security managers should start planning for it strategically in architecture decisions now. Decisions about enhanced security are, in the polite phrase, “incident-driven.” Systems that aren’t demonstrably broken never get repaired. But breakdowns, especially publicly visible ones, call for a quick response. Managers might want to have their purchase orders ready for that opportunity.
Richard Bray ([email protected]) is an Ottawa-based freelance journalist specializing in high technology and security issues.