Re: [fw-wiz] Stanford break in
From: Vin McLellan (vin_at_theworld.com)
Date: 04/23/04
- Previous message: Carric Dooley: "RE: [fw-wiz] Stanford break in"
- Maybe in reply to: Chuck Vose: "[fw-wiz] Stanford break in"
- Next in thread: Melson, Paul: "RE: [fw-wiz] Stanford break in"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 23 Apr 2004 04:53:08 -0400
Paul Robertson <paul@compuwar.net> preached:
>User education does not work. Every study I've seen over the last 15
>years says users and passwords will fail. A large percentage of them will
>hand them over for chocolate (saw that just this week)- and they *will*
>write down the ones they need to remember. Perhaps not the first time,
>but they will. User education will fail in some percentage of the
>population, and as an attacker, if I get one, I can get more. As an
>attacker, I can always get one. That's why Secure-ID continues to be
>expensive- it fixes that problem better than the alternatives. That's why
>Secure-ID isn't that popular, that problem doesn't need that level of
>fixing...
It is estimated that today no more than 5 percent of all corporate
IT users carry an assigned two-factor personal authentication device.
Yet, with the emerging compliance requirements for operation risk
management and regulatory demands for greater assurance in corporate IT
audit and record-keeping, some might say that strong authentication is just
coming into its own as the marketplace evolves.
Internal pressures for more security and more granular IT audit
have often been sidetracked in the competition for corporate budgets -- in
part, because it is so often difficult to prove the relative
risk-management benefits of existing security expenditures, let alone
justify new expenditures. Compliance requirements, by contrast, are
external pressures that are not so easily shuffled aside or redefined as
absurd -- and they, rather than internal corporate security advocates, seem
to set the pace for InfoSec today.
Who has escaped the regulatory sweep?
Certainly in the US, compliance requirements have boosted demand
for more trustworthy access control and audit and defined a wide variety of
expansive new markets for all suppliers of strong
authentication. Liability has been redefined by HIPAA, Sarbanes-Oxley,
OFAC, and even The Patriot Act. The financial services industry has been
roiled by Gramm-Leach-Bliley and the Fair Credit Reporting Act. HIPAA
standards imposed, often for the first time, security and privacy standards
over health-care information sharing; NCLB now regulates the collection
and use of student info. As the Basel II accord matures and becomes a
standard, new operational risk standards will have to be factored into
financial services -- and as financial services adapt to those requirements,
they will likely force vast cultural changes in access, audit, and
reporting systems. Change not only among banks, but also in the corporate
entities they finance.
The cost of strong authentication mechanisms, in all their
variety, becomes insignificant in such a context, perhaps as routine as the
provision of an available keyboard for corporate employees. I don't know
what will happen with biometrics, and I can't predict the pace at which we
will adopt PKI and smartcards -- but token-based authentication from a
variety of vendors will remain, as you implied, a tried and trusted
technology. Microsoft's recent endorsement of the SecurID for native
Windows authentication, online and off-line, is -- I suspect -- more a
response to a trend MS sees in market demand than a product of Mr. Gates'
newfound fascination with a 15-year-old technology.
Inside Microsoft, after all, employees use smartcards ;-)
I've been intrigued, in this discussion, at the lack of reference
to the evolving Identity and Access Management (I&AM) paradigm that has led
to a suite of new web-services products from IBM, Sun, MS, RSA, Netegrity,
Oblix. As proprietary networks have become more porous -- through no fault
of the poor firewall admins -- isn't it inevitable that the market will
demand not only strong authentication, but also a vastly more expansive set
of utilities for managing SSO, and authorization and audit in much more
granular formats, with web-based portals, AAA richer in depth as well as
breadth?
>Frankly, "strong" passwords just need to be non-obvious, as they're really
>only good at stopping casual attackers at keyboards. If I get the
>hashes, then I will win, if I'm Abe, I win faster, but winning happens in
>almost any case.
That might fly where the CSO is a second-rate citizen in the
C-Circle, but it won't suffice where there are imposing regulatory demands
for audit and accountability, with penalties that reach up into the corner
office and perhaps even the Boardroom.
Nice to see that the years haven't mellowed the intellectual vigor
of this forum. I have a bias toward RSA, which has tossed me consulting
assignments off and on for 15 years, so please discount my comments
appropriately.
Suerte,
_Vin
----------------------------------------------------
Vin McLellan + The Privacy Guild + <vin@theworld.com>
22 Beacon St., Chelsea, MA 02150-2672 USA
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards