
Passwords are Passé

DQI Bureau

“Organizations need strong authentication and clear authorization frameworks to manage tasks efficiently”

By Neel Ratan

My advice to companies on managing the risk to their systems has been simple: drive security through people and processes. Put an IS security policy in place and ensure that it is communicated widely within the organization. Help employees understand the significance of IS security and the negative outcome of not complying with security procedures. Equip your IT infrastructure with appropriate technologies. Review your IS security policy regularly.

Risks related to IT networks have increased considerably during the last five years, primarily due to a paradigm shift in the burden systems have to bear.

IS security professionals need to be empowered much more than they are in India currently. The IT staff in an organization has IS security as just one deliverable in a long list of services, unlike security professionals whose only job is to keep IT networks secure.

Organizations interacting with external networks on a regular basis need a strong authentication and authorization (A and A) framework at all levels. A and A is the building block of a secure IT system. The authorization framework must be built on a ‘need to know’ or ‘need to do’ basis. Authentication techniques may include VPNs, biometrics, single sign-on (SSO) and other such emerging technologies. But merely implementing tools is not enough. A popular model based on military thinking, put forward by D E Bell and L J LaPadula in 1976, has two basic rules: people can read data only at their level of classification and lower; people can write data only at their level of classification and higher. The motivation for the rules was that secrets should never be shared with less-trusted individuals.
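The two Bell-LaPadula rules above, as an added illustration (not from the article): a small reference monitor that answers read and write requests. It goes slightly beyond the text by using the general lattice form, where a label is a classification level plus a set of categories, so "higher" means the level is at least as high and the categories are a superset. The level names and the subject and object labels are constructed for the example.

```python
"""Tiny Bell-LaPadula reference monitor (added example, not the article's own).

Label A dominates label B when A's level is at least B's level and A's
categories include all of B's. The article's two rules become:
  read  -> subject must dominate object  (no read up)
  write -> object must dominate subject  (no write down)
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of classification levels, lowest to highest.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self sits at or above other on the lattice."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only at your level or lower."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only at your level or higher."""
    return obj.dominates(subject)


def check(subject: Label, obj: Label, op: str) -> str:
    """Decide one access request; a real monitor would also audit denials."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation: {op}")
    allowed = can_read(subject, obj) if op == "read" else can_write(subject, obj)
    return "ALLOW" if allowed else "DENY"


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"FINANCE"}))       # constructed subject
    public_doc = Label("UNCLASSIFIED")                       # constructed objects
    board_minutes = Label("TOP_SECRET", frozenset({"FINANCE"}))
    hr_file = Label("SECRET", frozenset({"HR"}))
    print(check(analyst, public_doc, "read"))      # ALLOW
    print(check(analyst, board_minutes, "read"))   # DENY: no read up
    print(check(analyst, public_doc, "write"))     # DENY: no write down
    print(check(analyst, board_minutes, "write"))  # ALLOW
    print(check(analyst, hr_file, "read"))         # DENY: missing category
```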

Attacks on systems can come from unimaginable sources and angles, a stark similarity to physical assaults (passenger airliners in WTC and a car bearing an MP’s authorization sticker in the December 13 attack on Parliament).

Certifying authorities (CAs) may face a unique ‘risk of eavesdropping’ resulting from the emanation of electromagnetic radiation from video display units. TEMPEST (Transient Electromagnetic Pulse Emanation Standard) is both a specification for equipment and a term used to describe the process of preventing compromising emanation. Unintentional emissions from a computer system are captured and processed to reveal information about target systems. This could range from simply copying keystrokes to capturing images off a monitor. An attacker using off-the-shelf equipment can watch for and retrieve information as it is being processed, without the users being aware that a security breach has occurred.

The solution: shielding cables and computing equipment, placing essential computer equipment underground or in a Faraday cage (an enclosure with electrically conductive external surfaces), or using low-emission monitors.

Things may get even more complicated in the future as we slowly move away from password-protected systems. Passwords are no longer considered sufficiently robust, mainly because of carelessness on the part of users. Neither is ‘password protection’ considered practical anymore, as passwords continue to become longer and unwieldy. Companies are fast moving towards using encryption techniques. Another area that is catching up is biometrics, which uses body parts for identification of users. This could involve fingerprint checks or using a hardware token like a smart card or a key.

Companies must prepare to tackle the complexity of emerging systems and the ever-increasing threat to connected enterprises, where information could flow beyond corporate systems, supply chains and distribution partners to competitors.

The author is partner, global risk management solutions group, PricewaterhouseCoopers India.