Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Strong Authentication
Strong Authentication

Significant Increase in Botnet Attacks in 2010

Information Week sites a new report that states there was a 654% increase in botnet victims in 2010!

The botnet market is both growing and consolidating. The top 10 botnets of 2010 -- based on total number of PCs compromised -- began the year with 22% market share, but grew to account for 57% of all botnet infections by the end of the year. Meanwhile, in the same timeframe, the number of unique botnet victims grew by 654%.

Much of this is the result of readily available botnet building toolkits. These crimeware toolkits such as MPack, Neosploit, Zeus, Nukesploit P4ck, and Phoenix compete with each other on the black market according to the Symantec Report on Attack Toolkits and Malicious Websites. Prewritten code allows those with limited skills to "to customize, deploy, and automate widespread attacks, such as command-and-control (C&C) server administration tools. As with a majority of malicious code in the threat landscape, attack kits are typically used to enable the theft of sensitive information or to convert compromised computers into a network of zombie bots (botnet) in order to mount additional attacks."



California's SB 1411 - Regulating Online Identities

California's new law SB-1411, calls for criminal penalities for impersonating someone online:

"any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means, as specified, for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor." 

Source: ZDNet: Analysis: California's Online Impersonation Law, Effective January 1


What is Projected for Identity Management in 2011

Dave Kearns at Network World takes a look at what folks are discussing for Identity Management in 2011. Some highlights include:

  • New round of M & A activity as large non-IAM vendors seek identity technologies to add to their core services
  • Cyber criminals target the extended enterprise - trusted partners and vendors that have access to valued data
  • Need for increased focus on threats from inside an organization (48% of data breaches in 2010 according to Secret Service report)
  • Perception of IAM as cloud service will shift from cloud barrier to cloud enabler.

Security vs. Usability: And the Winner Is?

There has been and will continue to be a significant tension between security and user convenience. Everyone wants their systems to be more secure. I have never heard anyone say they want their systems to be less secure. But what tradeoffs will they make to provide that security. When it comes  to decision time the concern over user convenience / usability and security comes to the forefront, and security frequently ends up on the short end of the stick. Why?

The answer is simple. Security is provided to keep people off of a system, specifically those people who are not authorized to access them. But on the other side of the coin the systems were put into service, at significant effort and expense, to help a business grow. Whether we are talking about back end management and support systems or front end customer facing ecommerce systems, they do not serve their purpose if it is too difficult for users to access them. Therefore, in the majority of cases user convenience trumps security, as usability and access to systems and services is of primary importance. As a well known CEO said, “I do not want to trade $1 of fraud for $1 of customer support.”

"Where Do Security Policies Come From?"  by Dinei Florencio and Cormac Herley touches on this issue. The study sought to examine whether the strength of password policies was directly related to the security requirements of a site (size of site, number of users, value of assets protected, frequency of attacks) . They conclude:

"Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement."

Florencio and Herley clearly articulate the need for understanding the tradeoff between security and convenience in their conclusion. However, they also note that it is difficult to determine if you have the security - convenience tradeoff correct, or if decisionmakers are "imposing considerable inconvenience for marginal benefit."


Business Value of Versatile Authentication

Martin Kuppinger clearly articulates the business value of versatile authentication (support for different authentication methods).

The business value is easy to describe: Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive very strong authentication where required but relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology is cheaper. All use cases, including external users like customers and suppliers, can be supported.

Overall, supporting versatile authentication is more and more a standard feature and the “versatility” of platforms for authentication is, from my point of view, an important point when selecting vendors. Hard-coding strong authentication into applications doesn’t really make sense anymore.


Page 7 of 12