17 April 2015

Would your employees sell their company passwords?

We have too many passwords, it is tough to remember all of them, they are not as secure as we would hope (regardless of how ‘strong’ they are) and it costs IT helpdesks a small fortune to handle the constant stream of reset requests. These are all familiar pain-points of the password, but if a new survey is to be believed it would seem that organisations need to watch their back, as one in seven employees are willing to sell their passwords for as little as $150.

This was the finding of a global survey conducted by the identity management company SailPoint earlier this year. This says two things to me, the first is that organisations need to better educate their employees as to the ramifications of a security breech, as I am sure many people are naïve to what a determined criminal can accomplish with one single password. Secondly, if people could be tempted to disclose their password for such a relatively small sum of money, we as security professionals need to take a close look at how we can remove the temptation.

It is often said that the human factor is often the weakest link in the security chain. So clearly, the most obvious way to stop corporate passwords being sold is to remove the need for people to have them in the first place. After all if you don’t have it you can’t sell it! You may say “Easier said than done” but in truth it is simple.

The ubiquity of passwords has for too long made IT departments and security professionals wary of replacing them. This is coupled with the fact that the available alternatives, such as biometrics, have been accompanied by hefty price tags, challenging roll outs and resource intense management. However, new solutions such as PINgrid are taking the elements of password-based security that work well and replacing those that don’t.

So, if you are an employee you still login using a passcode, but it is a one-time-code generated from a pattern that you have memorised within a simple grid (either displayed on-screen, or via an app on a mobile device). Of course an employee could sell their pattern but it would be worthless as the digits within it are never repeated in the same sequence. Therefore, they would also have to sell their device along with it and I don’t know anyone who would be willing to be parted from their phones (whether their own device or a corporate owned one) for a few minutes let alone sell it (apps intact) to a total stranger! 

Author: Alissa Lang, Winfrasoft

18 March 2015

Why I Want To Bank on My Brain and not Biometrics

In an article published today by Infosecurity Magazine, Alissa Lang from Winfrasoft explains how many banks are moving away from passwords by introducing or trialing biometrics. However, Alissa puts forward a strong arguement that they do not have a place in authenticating customers, stating "I want to use my brain when I bank, and not a biometric."

You can read the full story at: http://www.infosecurity-magazine.com/opinions/why-i-want-to-bank-on-my-brain-and/

3 March 2015

The Importance of SME Security in the Supply Chain

In Europe two out of every three employees are employed by SME organisations. However, when the topic of security and cybercrime is being discussed you would be forgiven for thinking that these businesses are in the minority, as the media (and to a large extent the vendors) focus on larger and wealthier enterprises.

It would be fair to say that for the majority of SMEs security issues do not feature heavily in their day-to-day thinking. After all, they are focused on running their revenue generating operations and why would they worry about issues that seemingly only ever happen to the ‘big boys’? And even if they do appreciate the risks, few have the time to keep abreast of the latest threat landscape and ways to safeguard against them.

The problem is however that cybersecurity is very much an issue for SMEs and the impact can be devastating. For one of those large organisations that hit the headlines it can inflict harm on their brand reputation if not managed correctly and it can cost many millions of pounds to resolve, as well as impacting the bottom line, but by and large they have the resources and infrastructure to bounce back. For a vulnerable SME a basic ransomware attack could spell the end of their business.

Of course, some of these attacks on high profile organisations are targeted, and the owner of an SME may counter with the question ‘Why would a cybercriminal be interested in me?’ To answer that question take a moment to think like a criminal. They specialise in finding weak links. Some, will be opportunistic and see an open door, or window, with a wallet left on the table unguarded.  Meanwhile, others will be far more calculated in their approach. Your business may not be the ultimate target but you may present the ‘open window’ through which they can get access to the organisation that is tempting them with a big score! You are just collateral damage. What is more, that organisation you are supplying certainly won’t thank you. 

Going after the weak link in the supply chain isn’t new (you may recall the now famous Lockheed Martin incident back in 2011). For this reason supply chain security has moved up the ICT agenda for large enterprises. So, for those SMEs who can demonstrate that they will not be the weak link, it could well be the point of difference that determines winning a major contract and losing out to a competitor.

Most SMEs do have a basic level of protection, but for many the only time it is mentioned is when the annual renewal of the anti-virus software comes around.

In today’s world of multiple always on, always connected devices it is the password that provides the first line of defence. Get hold of a password and all too often the cybercriminal has the keys to the candy store – confidential information, contracts and contacts, passwords and access to systems, and in some instances that can include third parties!

The challenge for an SME and especially those on the larger side of the spectrum is being able to manage passwords adequately. When someone creates a password they do so because they think they will remember it, not because they think it will be secure. Enforce more complex or so called ‘strong’ passwords and the cost of constant reset requests will go up. Worse still so does the likelihood that they will be written down on a Post-It note and stuck on the side of a monitor (insider attacks can and do happen). Ask them to change their passwords frequently and it will inevitably be a variation on the same theme so DavidSmith1! becomes DavidSmith2!

Large security conscious organisations (and I stress that not all of them are) invest in additional layers of security, such as key-ring tokens and even biometrics, but they introduce complexity, are expensive, are resource intensive to manage and out of reach for most SMEs. What is more, many of them will revert back to password-based authentication if they fail! However, thankfully there is a new breed of innovative and affordable software-based solutions on the market that can give small and large organisations alike the same calibre of first-line defence, replacing passwords without massive change, closing what has until now been an easy door to walk through for the determined cybercriminal.

If you would like to learn more about how to safeguard your supply chain visit: www.pingrid.com

Author: Steven Hope, CEO of Winfrasoft

18 February 2015

Would you use Touch ID for your mobile banking?

You will likely have seem the news that RBS and Nat West are planning to use Apple's Touch ID. On the face of it would seem to make perfect sense to make use of this latest innovation in smartphone technology, however in my opinion Touch ID for banking is not a good idea. 

Firstly, when this technology was launched it was hacked within days and with relative ease, and that was not a big surprise. After all, it simply isn’t commercially viable to place high-quality biometrics technology on a mass-market consumer device costing a few hundred pounds.

I myself am an iPhone user and stopped using Touch ID when I challenged a friend over dinner to get access to my device. It wasn’t until I got home later in the evening that I realised he had succeeded in changing some of my settings.

We do need to move away from passwords and what they are replaced with must strike a balance between delivering security and usability if they are going to become ubiquitous. For me whilst this latest news from RBS and Nat West is great headlines grabber but is ultimately they latest gimmick on the biometrics bandwagon.

21 January 2015

Would you give your password to a stranger with a camera?

We have been saying for years that one of the biggest problems password security (if you can call it that) is that every time you use it, you give away your secret, meaning it is no longer a secret and no longer secure! 

This week the Mirror has published online a video taken from the Jimmy Kimmel show in the US that, whilst very amusing, hits home with a very strong message - passwords are simply not secure. 

Author: Alissa Lang, Winfrasoft

3 November 2014

Winfrasoft To Reassess How Assets And Information Can Be Secured At Info-Crime Summit In London

Winfrasoft will be helping more than 200 heads of security to move away from password-based protection at the Info-Crime Summit The company behind the award-winning PINgrid is sponsoring and participating in the event which takes place in London on 25th and 26th November.

CEO of Winfrasoft, Steven Hope will host a 40 minute boardroom session which will open with a brief history of the password, a candid review of what passwords are good and bad for, a discussion around the inherent flaws of password protection in today’s world and practical measures that can be taken to solve them. Hope states: 

“Archaic password-based systems underpin most of today’s authentication and often it is the only line of defence. Now is the time to reassess how assets and information are secured from the ground up, with the help of the latest technology innovations.”

Winfrasoft is a FIDO Alliance member, Microsoft Certified partner in Security & Identity and embedded systems, and contributing member of OATH, so is ideally placed to provide information security professionals attending the Info-Crime Summit with the information and tools needed, in order to respond to the surge in dissatisfaction and disillusionment surrounding password-based authentication.

The company will also being demonstrating its award-winning PINgrid authentication solution. It uses a 6x6 number grid that can be presented to the user on-screen, or on their smart device via an app. The user simply creates a memorable pattern (from a possible 2.1 billion different combinations) and then each time they wish to logon to a site protected by PINgrid they use this pattern to extract a one-time code (OTC) from the numbers on the grid. Furthermore, as PINgrid is kept separate from the login screen it safeguards against keylogging, screen scrapping, fingerprint smudges and shoulder surfing.

For more information about the Info-Crime Summit visit: http://www.info-crime.com/

28 October 2014

Passing Comment on Passwords (Part Four)

A recent article in The Telegraph reported that this year 110 million pieces of data have already been illegally sold, representing a 300 percent rise since 2012. This data mostly consists of login credentials, essentially meaning username and password details.

Of course, the same advice is wheeled out, encouraging everyone to be more diligent and to change passwords more frequently. But personally, I do not have a free evening every two weeks that I can dedicate to changing every password on every online account I have! Meanwhile, Facebook is busy scouring the web to try and find out if our details have been compromised. But I would prefer it if efforts were focused on stopping it happen in the first place.

Asking people to regularly change passwords just isn’t feasible and we should have learnt by now that the majority of us just won’t do it. Even, if everyone did change their passwords regularly at best it would possibly reduce the ‘quality’ of the data being bought and sold.

Speaking at the Information Security Solutions Europe (ISSE) conference in Brussels last week the Head of European Cybercrime Centre (EC3), Troels Oerting, commented that most of the people who go online do not have a clue what they are getting in to and someone needs to protect them. Meanwhile, the former Cyber-Security Coordinator of the Obama Administration, Howard Schmidt, advised that we need better security to have less victims, but this makes it harder for people to do their jobs.

A recurring theme at the conference was the fact that still cybercrime has the potential to deliver high profit and at low risk of being caught, especially as much of it is conducted across national borders. So, all the while login credentials are easy pickings there is no reason to expect this to change. The positive feedback I can report is that there is much consensus among security professionals that we must move away from passwords, with recognition for initiatives such as the FIDO Alliance (of which Winfrasoft is a member) that is  working to balance improved security with user convenience. So, now the debate has moved on to how to achieve it.

 Adding layers of security is one approach and this week Google has been introducing its new security key, which is essentially a hard-token for 2FA. However, I suspect it won’t be on many peoples Christmas lists for two reasons. The first is that it is a token and that means I will need to carry it around with the other tokens I already have on my key ring. The second issue I have is that is it a USB and neither my smartphone or my tablet (the two devices that I tend to use the most for going online) have USB ports.

I agree that adding layers of complexity is important to thwart cybercriminals but if you make it more complex for the user then you end up with paralysis. So, as smartphones and tablets have become ubiquitous it is these devices that I strongly believe hold the key (as opposed to the key ring token!). Placing the token on to these devices adds convenience, as you always have it with you. Then, if you remove the need for the user to remember password and the requirement for the organisation to store it, in my book you have a winning solution.

To find out how this works in practice take a look at PINgrid: www.pingrid.com

Author: Alissa Lang, Winfrasoft