feature

9

collectively form a security bedrock that allows business to be conducted. However, the technology used in this security platform does not map onto the Internet. Business needs security, so much so that it cannot exist without it.

Security does not so much protect business as allow it to exist in the first place. If real online business is to be a reality, then it has to be underpinned by a robust and effective security platform.

This security platform can be made up of a combination of security technology, standards and legislation. The three of these combined must be able to mitigate sufficient risk to make the medium of the Internet profitable for business.

Given the thousands of published cracks and hacks and the almost complete lack of criminal convictions, one would be forgiven for thinking that legislation is simply not an effective means of protecting online business. To make matters worse, the damage caused by computer crime is out of all proportion when compared to the light sentences that are handed out. Regularly, it would seem, millions of pounds’ worth of damage is punished with a small fine and a suspended sentence. This is obviously not an environment conducive to business. In the absence of appropriate government legislation and enforcement, businesses must be armed to defend themselves through the assurance of reputable security technology and standards.

Organizations that are using the Internet today have deployed security technologies that address the inherent lack of security in the medium. Firewalls have been deployed to prevent intruders accessing the internal network. Anti-virus software has been installed to protect against a wealth of malicious code. Companies that conduct low-value transactions use a technology known as Secure Sockets Layer (SSL), which is the standard method for securing the transfer of sensitive information over the Web, for example credit card numbers.

However, the real business Internet requires much more sophisticated security — security that does more than just protect your existing business, but security that allows you to do business.

So where do standards fit in? The whole purpose of a security standard is to create a set of rules for the implementation of security technology that works in an open and secure fashion. A business could go about creating its own implementations of security technologies; however, these invariably fail.

Even simple security technologies are easily broken unless all of the possible security holes are addressed. It is wholly unreasonable to expect that a new implementation will have addressed all of the issues that hundreds or thousands of experts have analysed during the years of the creation of the relevant standard.

What we have to recognize is that security standards are just one part of a secure online business. The technology that is deployed must match the risks associated with the business, e.g. are passwords sufficient for proving someone’s identity, or are smartcards, biometrics or digital certificates required?

Effective policies and procedures need to be put in place, and whatever legislation exists needs to be enforced. Training and a security culture amongst your staff are vital, as time and time again it is proven that the easiest way to get around a security system is through the weakest link, the user.

So are security standards the new legislation? The answer to this has to be no. However, they are a valuable part of protecting yourself and your business in the absence of adequate legislation and enforcement. As the use of the Internet for business increases and the governments of the world recognize its economic significance, the legislation they create and the effort they put into enforcing this legislation will also increase.

Truffles — Myth or Strategic Plan?
Sniffing out some bizarre and inspired ways of motivating people to remember their passwords.

Jackie Groves, Utimaco Safeware Ltd.

Pay attention please! Today’s test is all about passwords. Hands up anyone who has ever stored their password or PIN number in any of the following ‘secure’ places?

Back of the diary, post-its shoved under keyboards, backs of monitors, stuffed in wallets, top right hand desk drawer (favourite), undersides of the telephone, back of the hand or across the knuckles?

And, oh yes — in the PDA? Well that’s all of us then.

We have all been guilty of password abuse. We mean to commit our PINs and passwords to memory but in reality scribble them down on scraps of paper, which we produce like old shopping lists, pencilled in and indecipherable.

When questioned about our security awareness in several recent surveys, we shamefacedly owned up to all sorts of misuse. No doubt with an inward wry smile, one in seven of us has even admitted to that most elementary faux pas of all: storing our PIN number together with our credit card!

Unfortunately, our casual treatment of our personal credit card PINs has seeped into the workplace. Which office assistant hasn’t been at the end of the telephone searching feverishly when the boss calls in having lost the password to his laptop, only to end up calling up his wife or that acknowledged IT expert, his hyperactive five-year-old, for enlightenment? Why does the very ethos of password control have such a negative effect on us? Is our apparent indifference to the whole problem just a mixture of inertia and ignorance or the fear of Big Brother style coercion?

january.qxd 12/19/01 8:57 AM Page 9 (Black plate)

Why abuse passwords?

Although passwords have been around for a considerable time and have traditionally accessed just about every no-go area, they are still viewed with suspicion by people who perceive them as a time-consuming hindrance when they want to access information or places quickly and easily. This makes password policies in organizations so difficult to administer and enforce.

But password misuse is a serious business. Password breaches are one of the most under-rated threats in the world of IT security. Forgotten passwords account for the highest instance of helpdesk calls; research into the subject gives the figure at around 30–50%, but some finance companies admit that for them it is even higher — a staggering 90%.

The constant problem of having to refresh passwords for several thousand worldwide users puts a huge economic strain on organizations and is a time-wasting nightmare for IT departments. Banks and financial institutions, who are obliged to constantly change passwords, are particularly affected. Establishments such as police departments, who operate around the clock from remote sites, have to spend considerable resources ensuring reset passwords are issued to the correct individual, something that can’t just be done by telephone.

Add to this the devastation of lost confidential data, sabotaged networks and damaged company reputations and you start to realize the scale of the problem.

Bad choices

Back to the test. Do you recognize your password as one of the following: your partner’s, pet’s or mother-in-law’s name, your middle name spelt backwards or translated into French, your telephone number or date of birth transposed?

When surveyed we have revealed we are most likely to use our own name, nickname, the name of a celebrity or a member of our favourite football team, and that is when we can be bothered to think one up at all. Some passwords consist merely of one letter or blank spaces.

So unconcerned are we that most of the time we grab the first name that comes into our heads.

There has never been a time when IT security is so prominent. Tune into news programmes or open up newspapers any day of the week to find headlines flashing up the latest in security breaches:
• Benefit frauds;
• Email transgressions;
• Public hacking;
• Calls for identity cards for immigration control;
• Security breaches within Microsoft and other software;
are typical of the stories taking up column inches.

As more and more companies rely upon electronic transactions to replace paper documents, the demand for trust, integrity and confidentiality has never been greater. Whether we are protecting our company information, guarding against system sabotage or sending confidential information across the Internet, we can no longer hope to outwit the sophisticated hacker by opting for the so-called easy-to-crack ‘weak’ password, i.e. one that is less than eight characters in length and easily guessable.

The very familiarity of our habits and lifestyle puts us at risk from unprincipled co-workers or associates who might want to launch an attack upon our personal information. How can we expect to protect the sanctity of the company database from revenge attacks by disgruntled workers — who might just have been sacked or made redundant — with that most generic of all passwords: PASSWORD?

The problem is that we are far too trusting and gullible. Employees and helpdesks are known to offer up passwords as eagerly as children bribed with sweets when asked for them by impostors.

Take the shocking example of misplaced trust demonstrated when an IT security contractor was sent in to a high-profile finance company to repair a computer network damaged as a result of a flood. The worker describes how he was provided with all kinds of confidential information within minutes of his arrival, including access to all users’ email accounts. Incredibly, the company had made no security checks either before he arrived or when he left. The potential security risk to that organization can only be imagined.

Humanity

A glut of recent surveys informs us that the greatest threat is likely to come from inside companies where there are poor password policies and controls, fraud, misuse and abuse, but how far is it down to ignorance and stupidity? The higher the levels of IT security now required to protect our sensitive data, the more demands are made upon us.

How many of us can actually commit a possible 50 random combinations to memory? For those of us who are less than numerate, dyslexic or just cluttered with domestic trivia, it is almost impossible to remember the strings of numbers necessary to thwart the relentless hacker.

The more characters used in a password, the harder it is to guess, but also the greater the temptation to write it down.

One suggestion is to force people to change their password at least every three months; anything more arbitrary has us baying for blood, as was discovered by a major high street bank which tried the experiment of persuading online bank users to change their passwords on a monthly basis as a deterrent against fraud. Users who only accessed their Internet banking details occasionally became so resistant that the procedure was dropped.

This experiment highlights the way companies sometimes have to balance security needs with commercial considerations, weighing up potential loss of business due to consumer attitudes against the constant threat of security breaches and fraud. Happily, in this case, the bank has found no evidence of increased fraud.

How can we fix it?

So, how are the much-tormented heads of IT security attempting to get around the problem? How do you enforce security standards and impress the principle of security upon employees? Despite the part new technology can play in strengthening security, the emphasis finally comes down to individuals and their motivation to comply and to take the matter seriously.

Security managers concede that their staff are generally receptive to the importance of security, but that doesn’t stop them moaning about the quantity of passwords they have to remember. It is a question of creating a balance between the sophisticated security levels needed and acceptability within the workplace.

All the technology in the world will be ineffective without the goodwill to use it. Workers within a police department were recently discovered taping smart card tokens into their readers rather than put up with the bother of removing them every time they had to log off from their systems! As one IT security manager says: “We have all learned by bitter experience to remember our car and house keys. We need to educate our staff to treat the matter of security in the workplace just as seriously as they would in their own homes. They wouldn’t dream of leaving their front doors unlocked.”

In some cases, the threat has become so serious that companies have adopted a hard line of enforcement. One particular organization has resorted to extreme tactics, where workers are urged by posters and signs around the office to accost anyone who appears not to be wearing a security pass. The slightly menacing image of office workers “rugby tackling” innocent visitors, mistaken for intruders, only adds fuel to the existing Orwellian perception of password control.

Banking organizations talk of “stringent” password controls to solve the constant problem of refreshing passwords for large and remotely distributed organizations, which demand huge central support systems. Their IT security managers have become so fed up they admitted to operating a “name and shame policy” where they nose out the culprits and publish their names. To their credit, they do claim to use the information in a positive way to attempt to ascertain learning and/or systems needs.

Sugar coating

Then there is the carrot rather than stick approach. Staff are encouraged to take an active role in company security policy, to comment on areas where they feel security could be improved, or even reduced if they feel it has become ‘over the top’.

Organizing educational seminars and computer-based training with rewards for participation is one way of keeping employees up to date and motivated. “Anything which encourages staff to be aware of their security-related responsibilities has to be a good thing” is the attitude of one security consultant.

However, ‘rewarding’ employees for keeping on their toes, seductive as it is, could have the opposite and de-motivating effect if carried too far. Incentive campaigns to spot security breaches offering joke-type rewards such as T-shirts and calculators are harmless enough, but the possible knock-on effects could be disquieting. Offering stronger incentives like a dinner for two or theatre tickets for ‘shopping’ fellow colleagues who are surfing the Internet or sending too many personal emails could lead to all kinds of exploitation.

All that seems far into the future. According to Richard Hansen, practice director Europe of @stake, the concept of nice juicy ‘truffles’ is still a bit of a security myth. He comments: “We are beginning to see some companies turn towards incentivizing employees who spot errors that might put sensitive data at risk. However, there are few companies who offer monetary bonuses. Instead, the most common gifts are mouse mats and posters which serve as both a reward and a security reminder”.

Ideas

The problem of jogging memories has IT personnel putting their heads together and coming up with some fascinating schemes to keep employees alert. A high street bank has adopted a matrix system of numbers containing hidden codes; a major UK computer company uses rolodexes with security information written on the first page. A global mail service company provides employees with small ‘toys’ and gadgets, one example being the origami cube, which carries security numbers as prompts and stands on employees’ desks. Such gimmicks might seem quite bizarre, but they not only do the job, they also serve as a much-needed reminder of the importance of security.

Others simply rely upon the kinds of aide-memoire that we all used as spotty teenagers when swotting up for exams, such as mnemonics and acronyms — ‘neither a borrower nor a lender be’ becomes NaBnaLB! — or jingles of the ‘a horse, a horse, my kingdom for a horse’ variety. It is quite amazing what can be achieved with a bit of imagination and creative flair.

Phrases can mean something personal to the user instead of single words or patterns of letters of the kind that make up so-called vanity plates, for example ‘too late again’ becomes ‘2L8again’. Such gambits can be very effective, so long as the words don’t spell out the latest popular dance tune or words likely to appear in the hacker’s dictionary. Mixing upper and lower case with punctuation, letters and numerals, e.g. ‘* for 0’ and ‘! for I’, have all been used.

The most successful passwords are ones which are made up of long, seemingly random characters, that have significance for the user but are obscure enough to outsmart the hacker.

The security advice, then, is clear — we must not share our passwords with anyone, not even our closest friend or the IT helpdesk, and never write them down. We should spend our time devising clever phrases or acronyms to jog our memories. However well we scored in the self-test, it is plain that, left to ourselves, we are not going to be able to fully comply with these obvious security basics. As we develop further into the paperless society with stronger emphasis on electronic transactions, we will struggle to cope with the disparate passwords needed to access several different networks. The pressure is therefore on for a fundamental change to the whole question of password management by both employers and staff.

Thankfully, it is an area that IT security companies are constantly researching. The smartcard, one of the most effective solutions for secure central logging on and off of systems, is hailed as a ‘magic bullet’ by many firms and employees alike because it never gives up its secrets. Used as both a safe for storing data and a convenient mini-computer, passwords and PINs are locked within it, containing all the identification we need, and it can be used for logon anywhere. It can be stored away in the pocket or wallet like a credit card, but if it is lost it will be of no use to anyone finding it, as it cannot be accessed without the PIN.

Used on its own, the smart card may not be the Holy Grail, but when combined with access control and authentication, it is an effective means of allowing complex passwords to be managed through a single PIN number. Single sign-on using the smartcard or token further simplifies the whole process by reducing the number of passwords needed to perform a range of operations.

Automatic logon gives one-off identification so that entry into all networks happens automatically. It makes sound security sense to consolidate systems together under one umbrella with one PIN giving access to the lot.

Taking the security level a step further is biometric authentication using the fingerprint in place of the password or PIN. This procedure has the benefit of instant and personal identification without us having to cudgel our memories.

Harassed heads of IT, in particular, are welcoming the concept of biometrics. Inured into our consciousness by the exploits of 007 and Mission Impossible, we are now finding fact imitating art, and biometrics are no longer so much the stuff of science fiction.

We are beginning to adapt to the possibilities of a future where our unique bodily characteristics triumph over our failing memories in a way that we can be comfortable with. After all, our physical traits are the manner by which we recognize our friends and families.

Fingerprint biometrics is a winning combination, particularly when security is required to be at the highest level, for instance in financial or legal transactions. As an exasperated IT director commented: “When the senior vice-president is incapable of remembering their password, biometrics is really the only answer.”

Conclusions

If the concept of smartcards is not to everyone’s taste or companies balk at the prospect of incurring card issuance costs, a convenient and cost-effective alternative is to access our bank accounts and confidential information through the wireless network. This procedure is particularly neat because it allows us to securely log in from any location, using our own mobile phones to generate access. It gives us the freedom to operate from any location, independent of the workplace, whilst taking advantage of one of our readily available assets — our mobile phone is the one item we won’t forget to carry around with us.

Such is the whimsicality of human nature that we are probably more accepting of restrictions and regulations imposed upon us through IT systems than those enforced on us by colleagues or employers, so long as they are seen to be non-intrusive. It may take some time to change our habits, but if all we need are our smartcards and mobile phones to access our confidential information, we might at last be persuaded to forgo our scrappy post-its.

With a bit of help from IT technology, some common sense and browbeating security departments, we might finally sharpen up our attitudes to the problem of password misuse and manage to make the lives of helpdesk staff less arduous.

Let’s just hope for some truffles along the way to sweeten the pill!

New Variant Risks — Are They Real or Perceived?
Berni Dwan

My friends Teresa and John are competent and experienced computer users. Luckily they are also fastidious and have a social conscience, and you will realize how important these attributes are in a climate of uncertainty regarding the increasing and more frequent proliferation of newer and more damaging worm and virus variants. I received a text message on my mobile phone on Sunday saying, “If you received email from us, please delete. We found a virus.” They were caught badly, opening email from a reputable source a little too hastily. They quickly realized the implications though, and pulled the plug abruptly.

What resulted, though, was an unplanned helter-skelter weekend courtesy of a total stranger. Luckily, I was far enough down their address book not to receive an email, but how were they to know? They had to phone everyone in their address book with a warning not to open an email from them. This was important because many people in their address book would be home users, and quite inexperienced in dealing with a virus attack.

Badtrans breeding

The culprit was the Worm_Badtrans.B, and, having managed to clear it from
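The PIN-locked smartcard described in the Truffles article above (one PIN unlocking several credentials, a lost card being of no use to whoever finds it) can be modelled in software to show what those two properties actually require: the credentials are held only in sealed form, the sealing key is derived from the PIN, and a retry counter locks the store after a few wrong guesses. The Python below is an added example, not code from the article or from any card vendor; the class and function names, the HMAC-SHA256 counter-mode sealing and the three-try lockout are assumptions made for the demonstration, and a real card enforces all of this in tamper-resistant hardware rather than in process memory.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # PBKDF2 work factor; assumption for the demo
MAX_PIN_TRIES = 3          # assumed card behaviour: three wrong PINs and it locks
NONCE_LEN, TAG_LEN = 16, 32


class CardLocked(Exception):
    """Raised once the retry counter is exhausted; no PIN will be accepted."""


class WrongPin(Exception):
    """Raised when the PIN-derived key fails the integrity check."""


def _derive_key(pin, salt):
    """Stretch the short numeric PIN into a 256-bit sealing key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a demonstration construction, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key never yields plaintext."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise WrongPin("integrity check failed: wrong PIN or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class PinCard:
    """Software model of a card holding several credentials behind one PIN."""

    def __init__(self, pin, credentials):
        self.salt = os.urandom(16)
        self.tries_left = MAX_PIN_TRIES
        key = _derive_key(pin, self.salt)
        # At rest the card holds only sealed blobs; the PIN itself is never stored.
        self._store = {name: seal(key, secret.encode()) for name, secret in credentials.items()}

    def is_locked(self):
        return self.tries_left == 0

    def unlock(self, pin):
        """Return every credential, or decrement the retry counter on a wrong PIN."""
        if self.is_locked():
            raise CardLocked("PIN retry counter exhausted")
        key = _derive_key(pin, self.salt)
        try:
            creds = {name: open_sealed(key, blob).decode() for name, blob in self._store.items()}
        except WrongPin:
            self.tries_left -= 1
            raise
        self.tries_left = MAX_PIN_TRIES   # a correct PIN resets the counter
        return creds

    def at_rest(self):
        """What a finder of the lost card could read out: sealed blobs only."""
        return dict(self._store)


def can_unlock(card, pin):
    try:
        card.unlock(pin)
        return True
    except (WrongPin, CardLocked):
        return False


def wrong_pin_attempts(card, bad_pin, attempts):
    """Try a wrong PIN repeatedly and return the remaining retry count."""
    for _ in range(attempts):
        can_unlock(card, bad_pin)
    return card.tries_left


if __name__ == "__main__":
    # Constructed sample credentials for the demo
    card = PinCard("4711", {"mail": "hunter2x", "vpn": "vpn-pass"})
    print("unlocked:", card.unlock("4711"))
    print("tries left after 3 wrong PINs:", wrong_pin_attempts(card, "0000", 3))
    print("correct PIN still works after lockout:", can_unlock(card, "4711"))
```

Two details carry the article’s claims. Because the key comes from the PIN through PBKDF2 and the tag is checked before any decryption, at_rest() exposes nothing a finder can use, and because the counter is decremented on every failed tag check, a short four-digit PIN cannot simply be cycled through; that second property is the one a software vault cannot really enforce against an attacker with the file, which is why the article’s card keeps it in hardware.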