March 2002 Mfg.Trust

Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS


This month - Industrial Strength Authentication
Solving the Password Insecurity Dilemma


Accompanying Resource Page for this Story 

Editor’s Preface:

The proliferation of easy-to-use tools that crack password protected network applications is quickly dismantling the enterprise security plan. A few years ago, enterprises could ignore these threats because their networks were isolated from the rest of the world. Now, however, networks are increasingly interconnected, and weak passwords have become the chief means of gaining unauthorized access for both insiders and outsiders. The ubiquity of password-protected applications in this environment creates serious threats to security that must be addressed. And they are expertly addressed, this month, by guest author Bob Forbes.

Bob Forbes, featured "Netrepreneur" in CIO magazine, is an Authentor Founder, Executive Vice President, and Board Member since its inception in September 1998. This month's resources page provides more about Bob, as well as showing you where to find best practices for cost-effectively mitigating these threats.

Authentication systems are not just used at work. We hope you find these resources useful both in your personal and business lives. Aware and educated private citizens are also aware and educated employees!

            John Sheridan (johns@ncms.org)


INDUSTRIAL STRENGTH AUTHENTICATION

Solving the Password Insecurity Dilemma

The Internet continues to revolutionize industry by enabling companies to share enormous amounts of information with a wider, distributed user base. New information partnerships enable creative synergies at all levels of business, signifying an exciting time of growth and change. And, in this new business environment, to the nimble go the spoils.

However, increased openness also means increased risk. Threats to corporate data security loom perilously. According to a February 2001 report from Meridien Research, the total annual cost of online security violations will increase from $1.6 billion worldwide in 2000 to $15.5 billion in 2005. And IT departments are being forced to respond to these threats. An October 2001 JP Morgan and Computerworld survey reports IT security spending will surge 43% in 2002 alone.

Knowing the user is key to a company's ability to protect its valuable information assets and assure that distribution of crucial data is secure. It is vital that a company authenticate users from the moment they attempt to log into a system and throughout the entire length of time that the user attempts to access data. Weak passwords, the way most people access their networks today, no longer provide sufficient authentication protection to meet current threats.

Why Now?

The proliferation of easy-to-use tools that crack password-protected network applications is quickly dismantling the enterprise security plan. Passwords have become one of the weakest links in most security schemes. A few years ago, companies could ignore these threats because their networks were isolated from the rest of the world. Now, however, networks are interconnected, and tools for breaking passwords are freely available over the Internet, allowing for more and more unauthorized access to valuable information resources.

The two most advanced developments in this area are L0phtcrack and Pwdump3, easily obtainable software applications designed to use dictionary models and other analysis to evaluate password security. Bottom line: Both are effective against password encryption, both break passwords, and hackers use both extensively.

How Can Passwords Be Made More Secure?

The level of security provided by password systems is directly related to the difficulty of guessing, observing, sniffing, stealing or otherwise obtaining the user's password. But password security is generally in the hands of the computer user. I saw a great line of wisdom last year that summed up the fundamentals of user password security: "Passwords are like underwear: don't share them, hide them under your keyboard, or hang them from your monitor. Above all, change them frequently".

Information systems ("IS") administrators can help users put this wisdom into practice by implementing specific password policies that can be tailored to a company's specific needs. Best practices include:

  • Prohibit the use of names, initials, birthdays and holidays
  • Prohibit the use of words from any language
  • Require a minimum password length of 7 characters
  • Include a mix of lower-case, upper-case, numeric and punctuation
  • Require that passwords expire every 30-90 days
  • Require that accounts lock out after 3 to 5 failed attempts
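The six rules above split into two kinds: four that can be checked the moment a user picks a password (personal strings, dictionary words, length, character mix) and two that are properties of the account over time (expiry, lockout). The following is an added example of a policy checker that enforces both kinds; it is not code from the newsletter or from any product it mentions. The word list, the sample user record and the policy values chosen from the stated ranges (90-day expiry, 5 failed attempts) are assumptions constructed for illustration.

```python
"""Password policy checker for the six best-practice rules listed above.

Added example, not part of the original newsletter or any vendor product.
DICTIONARY, SAMPLE_USER and the chosen policy values are constructed
sample data / assumptions.
"""
import string

# Constructed mini dictionary standing in for a real word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "manufacturing", "secret"}
HOLIDAYS = ["christmas", "newyear", "july4"]   # constructed sample list
MIN_LENGTH = 7
MAX_PASSWORD_AGE_DAYS = 90     # policy range is 30-90 days; 90 chosen here
MAX_FAILED_ATTEMPTS = 5        # policy range is 3-5; 5 chosen here

# Constructed sample user record; birthday is an ISO date string.
SAMPLE_USER = {"first": "Bob", "last": "Forbes", "initials": "bf",
               "birthday": "1970-05-14"}


def check_password(password, user):
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    lowered = password.lower()

    # Rule 1: no names, initials, birthdays or holidays.
    bday = user["birthday"]
    personal = [user["first"], user["last"], user["initials"],
                bday[:4], bday[5:7] + bday[8:10]] + HOLIDAYS
    for item in personal:
        if item and item.lower() in lowered:
            violations.append(f"contains personal/holiday string '{item}'")

    # Rule 2: no words from the dictionary embedded anywhere in the password.
    for word in DICTIONARY:
        if word in lowered:
            violations.append(f"contains dictionary word '{word}'")

    # Rule 3: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 4: every character class must be present.
    classes = {
        "lower-case": any(c.islower() for c in password),
        "upper-case": any(c.isupper() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            violations.append(f"missing {name} character")
    return violations


def account_state(last_changed_iso, failed_attempts, today_iso):
    """Rules 5 and 6: has the password expired, and should the account be
    locked out? Dates are ISO 8601 strings (YYYY-MM-DD)."""
    from datetime import date, timedelta
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    expired = (today - last_changed) > timedelta(days=MAX_PASSWORD_AGE_DAYS)
    locked = failed_attempts >= MAX_FAILED_ATTEMPTS
    return {"expired": expired, "locked": locked}


if __name__ == "__main__":
    for candidate in ["Forbes1970!", "password", "Tq7#xVm2"]:
        print(candidate, "->", check_password(candidate, SAMPLE_USER) or "OK")
    print(account_state("2001-11-01", 5, "2002-03-01"))
```

The substring match in rules 1 and 2 is deliberately strict: "Forbes1970!" passes the length and character-mix rules yet is rejected twice, once for the surname and once for the birth year, which is exactly the kind of password the cracking tools mentioned earlier try first.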

Of course, the success of any password policy will be directly related to an organization's vigilance in monitoring and enforcing the policy. But password policy administration is often a nightmare, with lost passwords, password resets, insecure transfer of private information, and overall increased user-account management. Further, users aren't likely to memorize alphanumeric character strings that are reset monthly, which means many users circumvent the policy. And, no amount of password complexity or IS diligence will prevail in the face of users who leave their ever-changing passwords on Post-it® notes on their desks.

Finally, having strong passwords and a strong password policy is only the first line of defense against those whose mission it is to break passwords and who have access to the latest technological advances.

Traditional Alternatives to Passwords

Due to the inherent problems associated with passwords, businesses are exploring more secure alternatives, many of which are typically based on deploying and maintaining some additional piece of software and/or hardware for each user. Traditional technologies include digital certificates, tokens, smart cards and biometric readers. These technologies can provide much greater security than passwords, and hardware-based systems, in particular, create a physical (and in the case of biometrics - physiological) link between a user and authentication on a network.

Despite the enhanced levels of security they provide, these technologies also come at high costs. While prices for these technologies have come down significantly in recent years, they still hover in the $20 to $200 range per user. Further, PKI certificates often represent a dramatic, and expensive, restructuring of application infrastructure, and hardware associated with tokens, smart cards and biometrics can be broken, damaged or lost by users.

These technologies are also costly due to the complexity of enterprise-wide deployment. Different units of a company often have different security needs. As a result, the implementation of multiple password alternatives can create a tangle of competing systems that require resource intensive custom programming efforts.

Recent Technologies Promise to Help

Recently, there has been an emergence of new security technologies that aim to address these complicated authentication issues. Behavior profiling, in particular, offers a method to significantly increase the confidence level of conventional passwords while providing a cost-efficient alternative to traditional user software and hardware based approaches.

Simply put, behavior software tracks details - such as habitual time of transaction, frequency of access, typical usage pattern, user origin, role within the company, and others - to build and maintain a dynamic "profile" that represents each user's normal behavior. Once the profile is defined, software compares a user's current attempt to access the network against a historical record of his or her previous attempts.

Behavior profiling has its limitations. It works well in conjunction with other methods in situations where a user repeatedly accesses a network. It needs about 10 logons to "learn" about the user. So, it might be just the right tool for workers who access their business networks, but not very useful for consumer applications.

Behavior profiling is generally implemented in "intelligent" (i.e., artificial intelligence) software applications, much like those used by credit card companies to detect deviant and fraudulent transaction behavior. When using behavior profiling for authentication, users continue to log in with their user-name and password for normal use. However, when risks are detected, users are required to provide additional evidence (both user defined and administrator defined) that they are who they claim to be, from employee information to personal information enrolled by a user (dog's favorite food, least favorite color, etc.).

From a security standpoint, behavior is very difficult to reproduce, hack or steal. It exists in the background, out of the user's knowledge or control, so there is no chance a "Post-it® Pirate" could steal it. Duplicating behavior requires a potential hacker to perform extensive system monitoring to learn a target's individual and unique habits.

From a deployment standpoint, behavior profiling makes use of information that already occurs on the network, doesn't require special software or hardware on each user's computer, and can provide enough reduction in risk to allow IS administrators to implement more user friendly password policies (fewer restrictions, shorter length, longer period between resets, etc.). Companies can "tune" a behavior profiling system - matching the risk with the strictness of the business process.
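To make the preceding description concrete, here is an added example of a minimal behavior profile that learns the habitual logon hour, weekday and origin of a user, refuses to judge until it has seen the roughly 10 logons the article says are needed, and then scores each new attempt against that history so that the administrator's threshold decides between "allow" and a step-up challenge. It is not code from the newsletter or from Authentor; the logon records are constructed sample data, and the feature weights, the plus-or-minus one hour tolerance and the threshold are assumptions.

```python
"""Toy behavior-profiling decision for logon attempts.

Added example, not the newsletter's or any vendor's code. SAMPLE_HISTORY is
constructed; MIN_HISTORY follows the article's "about 10 logons", while the
weights and tolerance are assumptions.
"""
from collections import Counter
from datetime import datetime

MIN_HISTORY = 10   # profile is not trusted until this many logons are seen


class BehaviorProfile:
    def __init__(self):
        self.hours = Counter()     # hour of day of past logons
        self.days = Counter()      # weekday of past logons (0 = Monday)
        self.origins = Counter()   # source network / workstation
        self.count = 0

    def learn(self, logon):
        """Record a successful logon: {'time': ISO 8601 str, 'origin': str}."""
        ts = datetime.fromisoformat(logon["time"])
        self.hours[ts.hour] += 1
        self.days[ts.weekday()] += 1
        self.origins[logon["origin"]] += 1
        self.count += 1

    def risk(self, logon):
        """Return 0.0 (typical) .. 1.0 (nothing like the history), or None
        while the profile is still learning. Each feature contributes
        1 - (fraction of history that matches); origin carries the most
        weight because it is the hardest attribute for an outsider to
        reproduce without insider knowledge."""
        if self.count < MIN_HISTORY:
            return None
        ts = datetime.fromisoformat(logon["time"])
        # Tolerate +/- one hour around the habitual time (wraps at midnight).
        hour_hits = sum(self.hours[(ts.hour + d) % 24] for d in (-1, 0, 1))
        hour_score = 1 - hour_hits / self.count
        day_score = 1 - self.days[ts.weekday()] / self.count
        origin_score = 1 - self.origins[logon["origin"]] / self.count
        return 0.25 * hour_score + 0.25 * day_score + 0.5 * origin_score


def decide(profile, logon, threshold):
    """'learning' while history is short, else 'allow' or 'step-up'.
    `threshold` is the knob an administrator tunes to the business risk."""
    score = profile.risk(logon)
    if score is None:
        return "learning"
    return "step-up" if score > threshold else "allow"


def build_profile(history):
    profile = BehaviorProfile()
    for logon in history:
        profile.learn(logon)
    return profile


# Constructed sample: twelve weekday logons around 8-9 AM from the plant LAN
# during February 2002 (Feb 4, 2002 was a Monday).
SAMPLE_HISTORY = [
    {"time": f"2002-02-{day:02d}T{hour:02d}:{minute:02d}", "origin": "plant-lan"}
    for day, hour, minute in [
        (4, 8, 5), (5, 8, 12), (6, 8, 55), (7, 9, 2), (8, 8, 30),
        (11, 8, 7), (12, 8, 41), (13, 9, 10), (14, 8, 15), (15, 8, 3),
        (18, 8, 22), (19, 8, 48),
    ]
]

if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    usual = {"time": "2002-02-20T08:20", "origin": "plant-lan"}
    odd = {"time": "2002-02-24T02:30", "origin": "dialup-unknown"}
    for attempt in (usual, odd):
        print(attempt, round(profile.risk(attempt), 3), decide(profile, attempt, 0.4))
```

With a threshold of 0.4, the Wednesday 08:20 logon from the usual network scores about 0.21 and is allowed on password alone; the Sunday 02:30 logon from an unknown origin scores 1.0 and triggers the additional-evidence challenge. Raising or lowering the threshold is the "tuning" the article describes: a stricter process gets a lower threshold and more step-up prompts, a routine one a higher threshold and a friendlier password policy.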

Conclusion

The increased and very real threat of data crime necessitates higher security for many networks that previously seemed safe. Controlling who is on your network - i.e., authenticating their identity - is the foundation for doing business securely in the digital world.

Strengthening password security should be viewed as a major milestone in the company's overall security program. Basic precautions can help reduce the risks arising from password weaknesses. However, lack of user buy-in and the rapid growth of sophisticated hacking tools may make any measure taken short-lived.

Certificates, tokens, smart cards, and biometrics can be very effective, but it is becoming increasingly difficult to convince check writers of the inherent return on these technologies, relative to other IT priorities. In these instances, organizations must secure their passwords accordingly and do the best job they can with available resources. Integrating technologies such as behavior profiling that strengthen security and leverage existing infrastructure has become a promising way to solve the password insecurity dilemma.


Links:

Password Protection 101, NIPC 
http://www.nipc.gov/publications/nipcpub/password.htm and 
http://trust.ncms.org/password101.htm

Information Security Magazine, Security for the CXO: Stronger Passwords Aren’t

Lavigne, Dru. "Cracking Passwords to Enhance Security." The O’Reilly Network. 24 Jan. 2001.

McGraw, Gary and Viega, John. Protecting passwords: Part 1, IBM, August 2000 

McGraw, Gary and Viega, John. Protecting passwords: Part 2, IBM, September 2000

These Authentor-related links were inserted by NCMS:

http://www.authentor.com

Information Security Magazine, Smart Path 2.2 Product Review


If you liked Mfg.Trust, please forward it to a colleague in your company!

For questions, comments, or for NCMS Alliance Partners to request their own FREE subscription to Mfg.Trust, send e-mail to johns@ncms.org

To unsubscribe please send a blank e-mail message to listmanager@ncms.org with the subject line "unsubscribe mfgtrust".


Copyright 2004
National Center for Manufacturing Sciences