The Multiple Options for Multi-Factor Authentication

How do you prove you are you? In the physical world, we have birth certificates and driver’s licenses to prove we are who we say we are. Yet this question becomes more difficult when you are trying prove yourself to a computer system. Thankfully, Multi-Factor Authentication (MFA) can help in a variety of ways.

MFA is a method of verifying a user’s claimed identity before granting that user access to a system. MFA is achieved when a user has provided two or more factors to an authenticating mechanism: something the user knows, something the user has, or something the user is. MFA factors can be drawn from any of these three categories.

A common example of a factor would be your username and password; both are a form of something you know. Stemming from MFA is Two-Factor Authentication (2FA). This is an MFA protocol that requires a user to present one factor from each of two separate categories, as with an ATM card: you are only able to use your ATM card if 1) you have the card, and 2) you know the PIN associated with the card.

Finally, we have Two-Step Authentication (2SA). Two types of 2SA token are the disconnected token (such as hard tokens and key fobs) and the soft token, an application that generates a unique number combination. While both serve the same function, each has its own advantages and disadvantages. For instance, hard tokens cannot be duplicated. However, hard tokens are costly to acquire and have to be physically handed to each and every user, creating an administrative burden. Soft tokens, on the other hand, can be widely disseminated, increasing the likelihood that it is an authorized user requesting access to the system. Yet soft tokens are more susceptible to outside attacks than hard tokens.

Whether you use a soft or hard token, you are still limiting the application to either a physical device that a user must always retain and not lose, or an app on a person’s phone. Both tokens can be lost, eaten by the family dog, broken, or otherwise rendered useless. What then? You can use something you have, something you know, and more importantly, something you are. Biometrics, the use of physical characteristics such as an eye scan, a fingerprint, or facial recognition, can potentially eliminate passwords, thus removing the password recovery requirement, a key vulnerability of MFA/2FA/2SA. Biometrics are instant, require no keys, and are unique to each individual.

While biometrics seem promising, there are some potential challenges. If a user relies on facial recognition software and gets a tattoo or a facial injury, will that prevent him or her from using the feature? Some users may have damaged fingerprints, rendering that option useless. Further, the use of biometrics implies that every user has a smartphone or tool capable of reading and comparing the data to a table for reference and approval.

Be it hard or soft token, or biometrics, each MFA option has its benefits and its costs. Which one you or your company choose will be based on the size of your company, the scope of users requiring a token, and what level of risk your company is willing to accept.

Cory Missimore, Assistant Manager, Information Security Compliance, Bloomberg BNA

[ISACA Now Blog]

Convincing Organizations to Say “Yes to InfoSec”

Security departments have their hands full. The first half of my career was government-centric, and we always seemed to be the “no” team, eliminating most initiatives before they started. The risks were often found to outweigh the benefits, and unless there was a very strong executive sponsor, say the CEO or Sector President, the ideas would be shelved.

More recently, as a response to the security “no” team, IT staff started several “Shadow IT” projects. People began using cloud computing systems and pay-as-you-go strategies on a corporate credit card to quickly develop and roll-out projects before anyone in security could get a word in.

These “beg forgiveness” approaches hamstrung security on several projects, especially if a data leakage incident occurred or a breach was in progress. What’s more, we weren’t unique in seeing shadow projects. These projects are increasingly becoming the norm as IT staff looking to move initiatives forward come up against cybersecurity professionals hell-bent on maintaining security and who know that in the event of a breach, heads could easily roll. Most likely theirs.

Tired of being seen as the “no” team? Here are three ideas that could reshape the value of security to your company as a whole:

Demonstrate Trust

Trust messages need to come from outside of the department, even if they’re ghostwritten or created internally. Be it the CTO, CFO or CEO, there needs to be a bit of understanding that risk comes in many forms, and the Security Department takes all of those into account before approving or denying projects.

Many compliance frameworks have an HR or training domain, and some security departments successfully use this for mandatory training for topics like phishing. When a non-infosec colleague clicks on a fake attack, the trust point may be reiterated with a reminder of example fines and the costs. Breach notifications or PCI violations aren’t cheap after all.

Show Security as a Business Enabler

Share a couple of department wins, where the security team got involved early in the process and added value to the program deployed. Look for examples like OAuth or Single Sign-On (SSO) simplifying a portal’s usage, or a project where business continuity planning or encryption helped pass an acceptance audit.

Demonstrating that security builds team success and is no longer the “no” department pays dividends.

Provide Educational Incentives

Lastly, extend the educational aspect beyond testing for ignorance. See if your organization offers reimbursement or even bonuses for security certifications, and stand up internal lunch-and-learn or video conference preparation sessions. If your organization doesn’t provide an across-the-board financial incentive, maybe fund a raffle for five of the folks who pass the test to receive a spot bonus.

Hopefully, you’ll find these an opportunity to impress upon the rest of the corporation the importance of the CISO’s office. There’s a long history of “no”; without efforts on the infosec staff’s part, that image will linger well past its truth.

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.

[Cloud Security Alliance Blog]

5 Ways to Get the Most Out of Security Congress

Security Congress is less than three months away! This year’s biggest and best cybersecurity conference will be held in New Orleans, Louisiana from October 8-10. Attending this year’s event can earn you as many as 46 CPEs for the year. To make sure you get the most out of #ISC2Congress, here are five things to do before you get to NOLA:

  1. Register for workshops

Reserved-seating workshops are new to Security Congress this year. We will have five workshops available throughout the conference that require a registration. If you’ve already signed up for Security Congress, great! You can log in to your registration and add them to your schedule. If not, hurry! Only 60 seats will be available in each workshop and most are close to full already. Security Congress workshop session numbers are 3010, 3011, 3012, 3013, 3014 and 3015 and can be found in the online agenda.

  2. Make cybersecurity personal

The Center for Cyber Safety and Education is hosting their annual orientation session to fill you in on the latest with the Garfield program, as well as other opportunities to engage with your community. The session kicks off Tuesday aka “Center Day” at Security Congress, which will be capped off with the Center Celebration on a riverboat cruise down the Mississippi River. The cruise is a separately ticketed event, but space is extremely limited on the Creole Queen. Make sure you save your spot soon for dinner, jazz and southern hospitality!

  3. Write your questions for Town Hall

Monday afternoon will include an (ISC)² Town Hall meeting open to both members and non-members. Management and Board of Directors members will be on the panel to talk about future developments, as well as answer your questions about membership, certification and more. You can submit your questions to congress@isc2.org or ask in person.

  4. Expand your network

Meet fellow Security Congress attendees online on the (ISC)² Community Security Congress board. You can chat with speakers, find out about upcoming webinars and earn a badge for registering for the conference. When you get to Security Congress, you’ll already know your fellow attendees and can celebrate a successful few days of learning and development at the closing event: “A Night in NOLA” Networking Night at Mardi Gras World.

  5. Leave room for swag in your bag

It’s not a conference without seemingly limitless swag! You can plan out your swag collection route with this Exhibit Hall map. Sponsors from the top cybersecurity training, product and software companies will be on hand to load you up with knowledge on their latest developments – plus probably a fidget spinner or two.

[(ISC)² Blog]
