I decided to build upon (or steal, however you see it) the idea with ‘26 Short Topics about Security.’  Yes, I’m a Simpsons fan (22 Short Films About Springfield) and got some inspiration.  This blog series is actually an altered version of a presentation I did a few months back that I always thought of turning into a blog series.  The idea is that there is so much going on with Security in so many different places that I figured it might be good to cover 26 of those over the next few weeks.  Not too technically heavy or all encompassing but definitely areas of concern for IT.  So, then – let’s get on with it!

First, Security (and not just Information Technology) is all about Risk and Threats.  There’s a whole industry based on Risk Management, Risk Assessment, Risk Mitigation, Risk Analysis and so on.  Risks, in my view, are based on actions that we (you/I) either take or don’t take while Threats are actions (or attacks) coming from other entities.  We take risks while we try to reduce threats.  ‘That’s a risky move you’re making’ and  ‘don’t you threaten me.’   Certainly they are intertwined.  What’s the risk if I don’t respond to this threat?  The 12ft shark might threaten my life if I risk swimming with it.  We deal with risks & threats every day and make quick decisions if it is worth it – you get it.  But this is just the set up (think slides 2-3). 

[Theme song]

We begin with Authentication. Authentication has never been more important to users, corporations and web applications at large.  We’ve been confirming our digital identity against user stores for a while, particularly in our work domain environment & financial web applications.  Just about all the ‘my.public/portal’ sites that offer any sort of customization requires us to enter a username and password and much of today’s malware is targeted toward capturing someone’s credentials.  Once someone gets a hold of your ‘secret,’ they can pretend they are you and access information that only you should be viewing.  In the physical world, a doorman or ticket agent can check a photo ID against your real face and determine if you are who you say you are and hopefully, you’re the only one with that laminated picture.  In the digital world, all the system can go on is whether or not you know the stored secret so it’s important to keep those in the vault and not taped to the top of your laptop.  Plenty has been written about the security implications of ‘Forgotten Password,’ ‘Email password,’ and ‘Password Hint’ retrieval so won’t get into that but Alan Murphy does a have an interesting blog on ‘How to create strong, dynamic passwords.’

Strong Passwords (requiring letters, numbers, caps, special characters, rotation, etc), Two-factor auth (additional password or token) and OTP (one-time passwords) are all ways that IT can enhance their authentication scheme.  Biometrics (thumb print, iris, facial, voice, keystroke, etc) were supposed to be somewhat mainstream by now and can help in determining a user’s authenticity but can be very cost restrictive.  Fingerprint is appearing on many notebooks now and even the keystroke style, which is probably one of the least costly, isn’t completely solid since if I break my finger, the admin can revert to text password or lessen the sensitivity.  I’ve seen ‘What if I’m drink,’ as part of keystroke vendor questions. I understand that alcohol can influence my typing style but does my employer really want a sloshed, uninhibited employee accessing sensitive info?  There are also authentication systems that use pictures and shapes.  Instead of remembering a set of characters, you remember a shape and whatever the random numbers that comprise that shape is your OTP.  Or you do remember a set number password but the numbers appear in different locations every time.  There are also virtual keyboards where you ‘type’ your password by mouse clicking on a little keyboard screen on the log on page.

Oh, there are many ways.

SSO (single sign-on) and Federation take focus in many IT departments.  SSO allows users to log in to a system once and then be able to navigate (gain access) to the other related but independent systems.  For instance, a user would log in (or authenticate against a domain) to their corporate intranet and one of the links available might be a salesforce.com application.  Typically, the user would have to re-enter their credentials, but SSO passes identity (usually cached) which allows access without the additional UN/PW entries.  Federation is essentially trust between networks or domains and can be a part of a SSO solution.  Federated trust is usually a system, server or network trust between two businesses or private systems.  The user probably doesn’t have full reign but can access specific resources on their partner’s network.  With SSO it is usually just the user’s info that is passed to each system, with Federation, the entire (or groups of) infrastructure is trusted.  SAML, Kerberos and WS-Trust/WS-Federation services are all enablers of federation.  SSO can be achieved thru a host of vendors but things like Kerberos, smartcards and client certificates can all play a role.  For public web applications, especially social media sites OpenID is becoming a method for users to ‘claim’ they are themselves at various web portals.  There’s still some hesitancy for enterprise IT to adopt but many web facing applications support OpenID.  Many portals that do support OpenID, however, are reluctant to be that ‘3rd party vouch,’ especially if it’s for a competing portal.

That’s it, nothing groundbreaking just a point in time pertaining to Security topics.  To give you a little taste of what’s next [sung to the tune of GREASE]: BREACH is the word, is the word, is the word that you heard, to the tune of $6.6 Mil, per-r-r-Breach.

ps