Securing Online Accounts

Executive Summary

Regardless of its purpose, however, every type of account requires both authentication and authorization.

Authentication is the process of proving to a system that you are who you say you are. Authorization is the process by which the system grants you the rights to use it. Taken together, they provide access to online accounts and, in theory, allow only the authorized user to access their account.

Identifying users via an account ID and password is the most common user authentication and authorization scheme in use today. The password is a string of characters that authenticates the user by making them provide something they know. However, this scheme is also one of the weakest, given how poorly passwords are often selected, used and managed.

For better or worse, passwords do not appear to be going away any time soon. They continue to exist and proliferate because they balance user convenience with some semblance of security for a wide range of software applications.

According to most reports, the average consumer has between 25 and 30 online accounts that they use on a regular basis, all of which require some type of password. It is quite unreasonable to expect each of those to be unique and to follow the various strong-password rules implemented at multiple websites. Moreover, often lost in these discussions is that whoever runs the online account for the organization in question bears the responsibility to store and manage user passwords properly.
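What "properly store and manage user passwords" means on the server side is worth making concrete. The following is an added example, not code from the paper: it stores only a salted, iterated PBKDF2-HMAC-SHA256 hash of each password and verifies a login attempt by recomputing the hash from the stored salt and comparing in constant time. The iteration count, salt length and record format are assumptions chosen for illustration, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy (not from the original paper): PBKDF2-HMAC-SHA256, a random
# 16-byte salt per user, and a high iteration count to slow offline guessing.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_hash(password: str) -> str:
    """The weak practice, shown for contrast: a plain SHA-256 of the password.
    Two users with the same password get the same hash, and precomputed
    tables defeat it. Do not use this for storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters with the hash lets the policy be raised later
    without locking existing users out."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare in
    constant time. Malformed records are treated as a failed login rather
    than raising, so a corrupted row cannot crash the login path."""
    try:
        algo, iterations_str, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current
    policy; call this after a successful login and re-store the password."""
    try:
        algo, iterations_str, _salt, _hash = record.split("$")
    except ValueError:
        return True
    return algo != "pbkdf2_sha256" or int(iterations_str) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

The stored record never contains the password itself, so a leaked user table yields only per-user salted hashes that must each be attacked separately at the full iteration cost; the `needs_rehash` check is what lets an operator raise that cost over time.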

So what can be done?

Let’s try to look behind the monitor and uncover what is going on in a world full of online accounts featuring single-factor authentication schemes centered on user names and account passwords.

• What are the best password protection mechanisms?
• What are effective techniques a user can implement?
• What is on the horizon to replace passwords?

These and other questions have a significant impact on whether a specific account will be cracked, exposing a user to various illegal credential exploitation activities such as identity theft.

Generating Security Metrics for Analysis

Executive Summary

Detecting and responding to cyber security threats is an extensive challenge for all IT organizations regardless of their industry.

Simply put, protecting all the valuable online assets of an organization is difficult even with the multitude of modern controls available. Physical security concepts have built up and matured over literally thousands of years, whereas the digital realm has only existed since the dawn of the computer age in the 1940s and 1950s.

Organizations need to protect not only their assets but also the business process workflows that produce those valuable assets. For example, the Intelligence Community needs to protect not only the products of analysis, but also the sources of the data, that is, where the raw data originates. These sources must be protected as a supply chain must be: any injection of inaccurate information into the process can lead to an analysis product that is fundamentally flawed.

Security metrics can be used to establish and monitor the provenance of information, confirming that it came from reputable or trusted individuals, and can also support the subsequent processing of that data into intelligence products. Data marking helps differentiate the value or worth of specific data items and serves to focus protection efforts.

The use of purpose-built and maintained security metrics provides insight into malicious activities. If baselines defining normal operations can be established, it becomes easier to detect malware or rootkits that may have penetrated network defenses and that allow attackers to carry out a range of malicious activities.

Creating this ‘fingerprint’ of IT operations requires an extensive array of sensors. The sensors produce copious amounts of data; algorithms dissect that data; and automation then provides aggregated alerts for more detailed analysis.
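The baseline-then-alert pipeline described above, as an added example that is not part of the original paper: a per-host baseline (mean and standard deviation of a sensor reading) is learned from a normal period, each new reading is scored against its own host's baseline, readings outside a z-score threshold become alerts, and the alerts are aggregated per host for an analyst. The sensor readings (hourly outbound bytes per host) and host names are constructed for illustration; a host with no baseline is surfaced as its own alert rather than silently ignored.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample data (not from the paper): hourly outbound bytes per host
# during a period known to be normal, and a later window under observation.
BASELINE_SAMPLES: Dict[str, List[int]] = {
    "ws-01": [1200, 1350, 1100, 1500, 1250, 1400, 1300, 1150],
    "ws-02": [800, 950, 700, 900, 850, 780, 820, 910],
}
OBSERVED: Dict[str, List[int]] = {
    "ws-01": [1280, 1310, 9800, 1330],   # hour 2 is far above ws-01's own norm
    "ws-02": [860, 870, 880, 840],       # within its baseline throughout
    "srv-db": [5000],                    # never seen during the baseline period
}


def build_baseline(samples: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Per-host (mean, population stddev) of the normal-period readings."""
    return {host: (mean(vals), pstdev(vals)) for host, vals in samples.items()}


def z_score(value: float, mu: float, sigma: float) -> float:
    """Distance from the baseline in standard deviations. A constant baseline
    (sigma == 0) treats any deviation as infinitely anomalous."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(observed: Dict[str, List[int]],
           baseline: Dict[str, Tuple[float, float]],
           threshold: float = 3.0) -> List[dict]:
    """Score every reading against its host's baseline and emit one alert per
    reading beyond the threshold; unknown hosts produce a coverage alert."""
    alerts: List[dict] = []
    for host, series in observed.items():
        if host not in baseline:
            alerts.append({"host": host, "hour": None, "value": None,
                           "z": None, "reason": "no baseline for host"})
            continue
        mu, sigma = baseline[host]
        for hour, value in enumerate(series):
            z = z_score(value, mu, sigma)
            if abs(z) >= threshold:
                alerts.append({"host": host, "hour": hour, "value": value,
                               "z": round(z, 1), "reason": "outside baseline"})
    return alerts


def aggregate(alerts: List[dict]) -> Dict[str, int]:
    """Roll individual alerts up to a per-host count for the analyst queue."""
    counts: Dict[str, int] = defaultdict(int)
    for alert in alerts:
        counts[alert["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(OBSERVED, build_baseline(BASELINE_SAMPLES))
    for alert in found:
        print(alert)
    print(aggregate(found))
```

The point of scoring each host against its own history rather than a global threshold is that a database server's normal traffic would swamp a workstation's anomaly; the coverage alert for `srv-db` is the reminder that a sensor gap is itself a finding.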

Visualization of these vast quantities of raw data facilitates human analysis of suspicious events. As operational insights mature, these alerts can be continually refined, leading to the ‘holy grail’ of cyber security: Continuous Diagnostics and Mitigation (CDM). The Department of Homeland Security is developing that program for Federal organizations, but all companies can benefit from creating an infrastructure that uses their specific data to operate in a similar manner.

Detect and Deter: Playing Defense Against Insider Threat

Executive Summary

In cyber security, threats abound, system vulnerabilities are numerous and news of data breaches is as common as thunderstorms in summer. And yet, in this environment of struggling to balance risk and privacy, the insider threat is particularly pernicious.

Insiders are individuals trusted to protect organizational secrets and intellectual property. As insiders, they are typically given privileged access and account privileges to carry out their position responsibilities. Since they have the greatest access, they also pose the greatest risk. Abuse of their privilege, most often for financial gain, can be as damaging to your organization as it is difficult to uncover.

What cuts to the bone in these situations is the violation of trust. Individuals have typically passed a background check or, over time, have proven themselves worthy of special trust; then that trust is tossed away.

As a general rule, people – not the underlying technology – are the biggest security problem organizations face. Individuals are human and therefore make errors with corporate data, forget security rules, overlook organizational policies and expose protected data. These actions can be either accidental or intentional. Both result in data exposures but malicious activity usually carries greater negative impact.

Two incidents highlight the extreme amount of damage that can be caused when insiders go rogue. In 2010, Pvt. Chelsea Manning leaked 251,000 classified and sensitive-but-unclassified diplomatic cables. These cables described in detail events which took place in 274 embassies over a 44-year period.  Many unguarded conversations on nuclear disarmament, the war on terror and sensitive interactions with foreign countries were disclosed, causing harm and embarrassment.

There were also documents such as military logs and videos of military hardware. In total, the disclosure to WikiLeaks exceeded 720,000 documents. Manning received a sentence of 35 years in prison for her actions.

In 2013, NSA contractor Edward Snowden stole an unknown quantity of documents; more than 100,000 were leaked to journalists. The volume could be substantially larger, since Snowden had access to over one million documents in the course of his duties. Whatever the actual number, it is dwarfed by the sensitivity of the information he conveyed to foreign sources. This is the very definition of abuse of privilege by a trusted insider.

Gen. Keith Alexander, former director of the National Security Agency and former commander of US Cyber Command, identified successfully mitigating insider threat as the No. 1 lesson to be taken from the Snowden incident.

So can insiders like these be stopped? Determined adversaries who have privileged access and understand the internal security controls in place will always be the most difficult cyber security challenge.

One approach is to redefine success and reframe the expected outcome. After all, a security incident is not a data breach until data actually leaves an organization. This point is often missed by decision makers. Simply because malware of some sort is discovered inside protected network boundary walls does not mean organizational assets have been compromised. An investigation may be warranted, and a subsequent forensic analysis may be conducted, but not all security incidents lead to a data breach.

A successful mitigation approach requires attention to all three of these aspects: people, process and technology. Consider:

  • Having a security policy – but not following it – may lead to data breaches
  • Having great people – but not monitoring their actions – may lead to data breaches
  • Having the latest cyber software vendor tools in place – but not regularly analyzing the resulting alerts – may lead to data breaches

Organizational focus is often centered on line items contained in a budget such as firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Budget items can be simple to identify and quantify, but perimeter defense hardware and software systems such as these typically do not offer much protection against an adversary already inside network borders.