Posted by:
admin
15 years, 10 months ago
There's a great article over on Computerworld: Security Manager's Journal: Eyeing risks while cutting spending. There are some great points there. I will respond to one:
The next cuts are in the form of SecurID tokens. Until now, our company has issued the hard (key fob) tokens. There are currently more than 5,000 tokens deployed worldwide. These tokens have batteries that last only a few years, and then new tokens are needed.
With software tokens, we can eliminate the need for those hardware replacements and the cost of shipping fobs to our users around the world. They are easier to deploy, and there aren't any batteries.
The drawback is the threat of keystroke-capture programs. Since the physical tokens are separate from the computers, they're not susceptible to keystroke capture being used to obtain a user's PIN.
It's a risk we're going to have to take, and we may be able to get users to enter their PINs by pointing their mice to on-screen number pads, which would mitigate the keystroke-capture threat. An added benefit is that the software tokens can be used on mobile devices.
This is clearly a big win. Of the items listed, dropping your hardware tokens has got to be the biggest savings. I know that WiKID's locked tokens have anti-keystroke-logging capabilities, so I would assume that others have it too. I think this risk is best tackled by either restricting users to corporate laptops or requiring wireless tokens.
Additionally, if you are using an SSL/browser-based VPN such as Whale or Juniper, you can further reduce risks by using mutual HTTPS authentication. This would reduce the risk of a network-based MITM attack, which is increasingly likely thanks to all the Wi-Fi networks and unpatched DNS servers.
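The mutual HTTPS authentication mentioned above, in its client-certificate (mutual TLS) form, as an added example in Go that is not part of this post and is not WiKID's or any VPN vendor's code: a constructed private CA issues one client certificate, the server accepts only handshakes that present a certificate chaining to that CA, and a client holding no certificate is refused at the TLS layer before any request is served. The CA and device names, and the use of Go's httptest server certificate in place of a real VPN certificate, are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// template returns a short-lived certificate template for the given subject.
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// newCert generates a P-256 key and issues tmpl. With a nil parent the
// certificate is self-signed (our constructed toy CA); otherwise parentKey signs it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunDemo builds a private CA and one client certificate, starts an HTTPS server
// that refuses any handshake without a certificate chaining to that CA, and probes
// it with and without the client certificate.
func RunDemo() (status int, body string, rejectedWithoutCert bool, err error) {
	caTmpl := template("Example Corp Device CA", 1) // constructed name
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caCert, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return 0, "", false, err
	}
	clTmpl := template("client-laptop-01", 2) // constructed device name
	clTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	clientCert, clientKey, err := newCert(clTmpl, caCert, caKey)
	if err != nil {
		return 0, "", false, err
	}
	// Server side: trust only our CA for client certificates, and require one.
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handler runs only after the chain verified, so the peer
		// certificate's subject is an authenticated identity to act on.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server certificate; srv.Client() trusts it
	defer srv.Close()
	// Probe 1: the client presents its CA-issued certificate.
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.Certificates = []tls.Certificate{{
		Certificate: [][]byte{clientCert.Raw},
		PrivateKey:  clientKey,
	}}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return 0, "", false, err
	}
	raw, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return 0, "", false, err
	}
	// Probe 2: same trust in the server, but no client certificate. Anyone
	// holding only a captured PIN or password is in this position.
	bare, err := srv.Client().Get(srv.URL)
	if err == nil {
		bare.Body.Close()
	}
	return resp.StatusCode, string(raw), err != nil, nil
}
```

The second probe is the point of the exercise: the bare client trusts the server just as the real one does, yet the server never serves its request, because RequireAndVerifyClientCert fails the handshake before the HTTP layer is reached. Revocation of a lost device certificate (a CRL or short certificate lifetimes) is left out here and would be needed in a deployment.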
It seems that a lot of companies just bought the big brand names when times were good. It's not surprising, since most security people are not incentivized to optimize their spending, only threatened with punishment for a breach. Now, there seem to be far more companies looking for less expensive two-factor authentication.