A Common Sense Approach to Security
securenvoy 28/09/2011, Archive
It’s never been so precarious out there in the big wide world of the web! The past few months have been a lesson for us all. So can we apply what we do in the physical world, to the virtual world, so that we don’t fall foul of the next big breach?
We’ve all heard about the foolish man who built his house on the sand. According to the biblical parable, “the rain came down, the streams rose, and the winds blew and beat against that house, and it fell with a great crash.”
The same is true for your online security. If the very foundations on which it all sits aren’t secure, like the house on the sand, it will all fall down with a big crash. A firewall and anti-virus software should be considered the very minimum if everything that’s built on top is to stand strong for long.
Sticking with the house theme, once upon a time our neighbourhoods were so safe that people could leave their doors unlocked. Unfortunately, those times are no more! Most of us have deadlocks, chains and bolts, backed up by an alarm.
In the digital world, we need to apply the same principles as we do with our own homes, by locking up, to stop intruders entering.
A password on a PC (often referred to as single factor authentication) is the equivalent of a basic lock – only slightly better than nothing. Instead it should be strengthened with an additional authentication layer. An authentication token, a bit like an electronic key, is used to prove someone’s identity electronically (as in the case of an employee trying to access the corporate network). There are two types of token: hardware-based, i.e. a physical token, and software-based, such as an SMS-based token received on a mobile phone - often described as a tokenless two-factor authentication (2FA) system.
Activate the Alarm
An alarm is a great deterrent but is only useful when switched on. Otherwise you might as well save yourself some money and attach a dummy box to the wall.
The same principle applies to your computer. If it’s turned on, and authenticated to the network, the ‘alarm’ is effectively deactivated. Anyone who happens upon your device will have carte blanche access to any applications and systems you’ve logged in to.
Hide the Keys
I assume you wouldn’t walk away, leaving your car with the key in the ignition and expect it to still be there when you get back.
So don’t leave your security token in your laptop bag, because when that goes missing, whoever finds it also has the key to make it work.
Changing the Locks
In the physical world, if you happen to lose your keys, you’ll change the locks.
In the virtual world this is equally true. Both hardware and software tokens can be disabled from the server end once the device has been reported missing. While we’re raising this point, it’s also worth considering which token is likely to be reported missing first - a piece of plastic that is only used for remote access, or a user’s mobile phone that is very personal to them and frequently used? I know which one I’d back!
Risk Based Security
Something that’s increasing in popularity is for organisations to determine the level of security they employ depending on what it is they’re protecting, and where their users are working - referred to as 1½ factor authentication. For example, if working from home or in the office then additional security is deemed unnecessary, while working in a coffee shop requires authentication.
However, this is akin to locking the doors if you leave the house after 6pm and only using the alarm on a Wednesday if the cat is out.
Changing security procedures for the user is a risky strategy, and it can leave the organisation failing its compliance obligations.
Despite the new gadgets and available technology, common sense will always remain your best defence.