The Gong, January 2005
published by Illinois Fire Chiefs Association
Secure or Vulnerable?
Your Identity is the Key™
Guy R. Martino, Vice President
Biometric Technology Solutions, LLC
guy.martino@biometrictechnologysolutions.com
The fall issue of The Gong contained an article by Illinois Secretary of State Jesse White, which began, "Identity theft is one of the fastest growing crimes in the United States." The article goes on to assess a loss by consumers of more than $400 million in 2003.
What the article did not address, however, is the loss to corporations, institutions and government bodies from identity theft that results in unlawful access to buildings that house physical assets and IT networks that house mission-critical, digital assets or the costs associated with trying to secure those buildings and networks against intrusion.
Simply stated, identity theft is the unlawful acquisition of an individual's personal information by someone who uses that information to assume the identity of his or her victim for personal gain or to cause harm.
What's at risk?
For most businesses, potential threats include:
  • Subversive attacks, in which an intruder manipulates the system into non-legitimate activities, like transferring money.
  • Disruptive attacks, which compromise business data and/or systems and interrupt activity.
  • Privacy attacks, in which outside individuals gain access to private information.
  • Physical attacks, in which outsiders gain access to a building and cause harm to property or people or steal assets.
Because identity theft has become so pervasive, corporations and institutions are faced with three major but separate security issues: physical access control, time and attendance control, and logical access control. All three rely upon a common task: identity and access management.
Identity and Access Management
The fire service uses a triangle to explain fire. Heat + Fuel + Oxygen = Fire. Remove any element and the triangle collapses and the fire dies. Security can be described in much the same way. Identity Management + Access Management = Security. Compromise either and security fails.
Traditionally, there have been only two methods by which identity and access have been controlled: 1) what one knows and 2) what one has. If you know something that only you are supposed to know, like your mother's maiden name, a four-digit personal identification number (PIN), or a secret password, then you must be who you say you are. If you have something that only you are supposed to possess, like an office key, car key, ATM card, swipe card or token, then you must be the valid owner.
It's not what you know that counts
As illogical as this seems in today's world, these two methodologies continue to be the methods of choice for many organizations, though banks have made the process more robust by implementing a two-challenge protocol. Anyone using an ATM card is required to know his or her four-digit PIN and to have his or her ATM card. Yet, as robust as this security challenge appears, it is frequently compromised when an ATM card is lost or stolen, not only because a four-digit PIN is relatively easy to guess, but also because many people write their PIN on the back of their card or have actually shared their PIN with the person who stole their card.
In most security breaches, whether physical or logical, it is the human factor that enables the breach to occur. In fact, according to CERT/CC [1], 80% of all network security breaches result from a password that has been stolen or shared. Passwords are the weakest link!
  • Password weaknesses are well known and easily exploited. Passwords that are based on simple words that users can easily remember are also easy for hackers to guess. Simple password cracking programs can find many whole word passwords quickly.
  • As passwords become more complex or increase in number, users tend to write them down.
  • Passwords are subject to social engineering attacks. Four out of five employees surveyed by the security company, PentaSafe Security Technologies, said that they would give their passwords to someone else within the company if asked. A persuasive outside caller is often able to extract passwords over the phone.
  • To avoid remembering many passwords, people often use the same password across many systems, including unsecured websites where passwords may be sent in a clear text format. A single password, once cracked, may open many doors.
  • Some e-mail viruses send password information back to the originator of the virus.
The main threats to security include outsiders who gain access by impersonating authorized users and legitimate users who impersonate other users with different authorization levels.
The underlying problem with passwords is that humans aren't perfect. They cannot be relied upon to maintain a strong password process that is highly rules based while other more "job-related" processes compete for their attention. Putting the onus of password protection on the employee is a certain path to failure. The less convenient security is, the more likely it is to be bypassed by a user. Yet, because user authentication is the gateway to your data center infrastructure, the potential risks associated with security breaches are significant. Your information system is only as secure as your least responsible user.
Passwords that contain many and various kinds of characters are harder to crack. They are also harder to remember. As a result, passwords have evolved into pass phrases, containing a mixture of upper and lowercase letters, symbols and numbers. Instead of using a pet's name, "Fido", as a password, it is safer to use a pass phrase like, "My2DogsAreNamedFido&Spot".
Organizations routinely create and manage user identities and access privileges across 25 or more individual applications and systems, forcing users to remember upwards of 20 company passwords. But not every password administrator within the company embraces the same password convention. Some company passwords are restricted in length while some are restricted in case. Some company password conventions require a password change quarterly while some require a change monthly. These disparities actually strengthen the overall security convention: if all passwords were the same, one password failure would be sufficient to compromise the security on every system to which that user has access.
As password conventions become more robust, the need to support users grows. This increases costs and adds considerable burden to the IT help desk staff. Several industry analysts claim that it takes up to 28 hours to set up a single user account. Gartner Group, a well-respected industry analyst, has said that 15% of IT budgets or approximately $200 - $350 per employee per year is wasted on password support. Strong passwords result in more help desk calls for forgotten or expired passwords, in addition to increasing employee downtime. Today, a password request help desk call costs a company between $30 and $60 and accounts for up to 45% of calls received by the help desk.
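The article's comparison of a four-digit PIN, a whole-word password such as "Fido" and a mixed pass phrase such as "My2DogsAreNamedFido&Spot" can be made concrete by estimating the guess space an attacker must cover. The following Python is an added example, not code from the article or from Biometric Technology Solutions; the mini word list, the assumed 100,000-word cracker dictionary and the assumed guess rate are constructed values, and the character-set estimate for pass phrases is an upper bound (a phrase built from dictionary words is weaker than that bound suggests).

```python
import math
import string

# Constructed stand-in for a cracker's word list (assumption, tiny on purpose).
COMMON_WORDS = {"fido", "spot", "password", "letmein", "welcome", "dragon"}
WORDLIST_SIZE = 100_000          # assumed size of a real cracking dictionary
GUESSES_PER_SECOND = 1_000_000   # assumed offline guess rate (constructed)


def char_space(pw: str) -> int:
    """Alphabet size a guesser must cover, from the character classes present."""
    space = 0
    if any(c.islower() for c in pw):
        space += 26
    if any(c.isupper() for c in pw):
        space += 26
    if any(c.isdigit() for c in pw):
        space += 10
    if any(c in string.punctuation for c in pw):
        space += len(string.punctuation)  # 32 printable symbols
    return space


def classify(pw: str) -> str:
    """Map a secret onto the categories the article discusses."""
    if pw.isdigit() and len(pw) == 4:
        return "pin"
    if pw.lower() in COMMON_WORDS:
        return "dictionary"
    if len(pw) >= 12 and char_space(pw) >= 62:
        return "passphrase"
    return "weak"


def guess_space(pw: str) -> int:
    """Number of candidates an exhaustive attack has to try (upper bound)."""
    kind = classify(pw)
    if kind == "pin":
        return 10 ** 4
    if kind == "dictionary":
        return WORDLIST_SIZE
    return char_space(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    return math.log2(guess_space(pw))


def seconds_to_exhaust(pw: str) -> float:
    return guess_space(pw) / GUESSES_PER_SECOND


def audit(candidates):
    """Summarise each candidate secret the way a policy reviewer would."""
    return [(pw, classify(pw), round(entropy_bits(pw), 1), seconds_to_exhaust(pw))
            for pw in candidates]
```

Running `audit(["1234", "Fido", "My2DogsAreNamedFido&Spot"])` ranks the PIN and the pet's name as exhaustible in seconds, while the pass phrase exceeds 150 bits under the character-set bound.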
Yet, enterprises of every type and size are increasingly adopting an e-business infrastructure as the primary platform for conducting business. As a result, there has been a significant increase in access requirements, resulting from a growing number and type of users, and access methods. In order to increase and strengthen strategic relationships while lowering costs, businesses are opening their information assets to customers, partners, suppliers and employees and inadvertently exposing their organizations to significant risk.
Eliminate vulnerable, password-based systems
Unfortunately, these same organizations find themselves struggling and often failing to manage user identities and access rights in a way that serves both their business goals and their security requirements. The fundamental problem is a decentralized approach to user management and security, which was first developed 40 years ago, coupled with an escalating and variable cost of password support. In other words, businesses are relying on people instead of technology to safeguard their business.
Your Identity is the Key™
Biometric authentication strategies avoid many of these security flaws. In particular, they are less susceptible to human error. A biometric, such as a fingerprint or retinal scan, cannot be guessed or shared and the user doesn't have to think up a "strong" fingerprint, so the security of the metric doesn't depend on human effort. People can't "forget" their fingerprints - eliminating a common source of help desk calls. Biometric keys are not susceptible to social engineering attacks and cannot be shared or stolen.
Because biometrics uses a physical characteristic, instead of something to be remembered or carried around, it is convenient for users and less susceptible to misuse than other user-dependent authentication measures.
According to Bill Gates in a past issue of PC Week, "Biometrics technologies -- those that use human characteristics such as fingerprint, voice and face recognition -- will be the most important IT innovations of the next several years". More recently, at a Microsoft IT Forum in Copenhagen, which was an event covered by CNET News, he said, "Passwords will soon be a thing of the past, replaced by biometric and smart-card technology. A major problem for identity systems is the weakness of passwords."
Tomorrow's security…today!
Time/Attendance Management: Biometric devices are used to authenticate an employee's identity, track when they signed in and out, prevent buddy punching and confirm who is on site at any given time. Used when employees must account for their time and presence, it lowers the costs of record keeping and improves efficiencies. When companies are 100% certain that an individual is who he or she says he or she is, they can be 100% certain of that person's attendance record.
Physical Access Security Management: Biometric devices are used to authenticate an individual's identity and are capable of controlling electronic door locks to prevent access to anyone that is not authorized to have access. When used with a web camera, this solution also has the ability to snapshot or monitor in real time who has opened the door and who has walked through.
Network Access/Logical Access Security: Biometric devices are used to authenticate an employee's identity and permit access to the network infrastructure. Companies achieve single sign on functionality at a fraction of the cost of password-based conventions.
Though improved security is a result of deploying a biometric identity management and access control solution, many companies are looking for solutions that also lower their operating costs. When an employee is terminated, as an example, there is no longer a need to change the locks. Simply deactivate that employee. If specified groups of people have their access restricted to a single door, simply write a rule in the system to deny them access except through the approved door. If an employee does not have the authority to look at payroll records, simply create a challenge at the payroll record access point that can only be answered by a biometric. As in all biometric identity management solutions, a person never needs to know their logon name or password and no longer carries a key. Cost reductions are realized by eliminating the need for the company to support outdated, user-dependent methodologies.
What's the cost?
In today's economy, every new solution considered must deliver a measurable return on investment and significantly impact operating cost-reduction programs consistent with good business strategies. It is pointless to implement a new solution that does not contribute to lowered costs or improved productivity.
Biometric technology has been shown to lower the costs associated with security management by thirty-five to sixty-five percent.
Biometric solutions enable companies, institutions and government agencies to anticipate potential breach points and enhance or "fine-tune" the systems and policies that govern their security practices and procedures while lowering the on-going and escalating costs associated with password management systems. Biometric solutions deliver a more restrictive threat model than passwords and remove the burden of security from the users and the staff that support them. Your biometric is more unique to you than any password and it cannot be shared, lost or stolen.
Today, your signature serves to identify you in the world of paper-based transactions. Biometrics offers the same level of convenience, with added security and ensured privacy, which is necessary and expected in a world of digital transactions and interactions.
Learn More
If you'd like to learn more about biometrics, identity management, access control or other security-related issues or would like to receive a free white paper on network security, please contact the author.
Guy R. Martino is Vice President of Biometric Technology Solutions, LLC, a technology integrator of biometric solutions used in physical access security, logical access security for networks and storage and time & attendance management. He can be reached at 630-231-5544 or
guy.martino@btsllc.net
[1] CERT® Coordination Center (CERT/CC) is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
© 2002-2004 Biometric Technology Solutions, LLC. The Company Logo and Your Identity is the Key™ are registered trademarks. All rights reserved.