
Security 101: Authentication December 27, 2011

Posted by Chris Mark in InfoSec & Privacy.

Recently I found myself in a discussion with a person about a particular feature of payment cards. When I started discussing the concept of authentication, the look on the other person's face told me that I was discussing a completely foreign subject.

While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry, and of security in general. For this reason, it is important to understand the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as "the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true".

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token). Each of these factors alone has some value and may be sufficient to demonstrate, with an appropriate degree of confidence, that you are the person authorized to access the resource. The degree of assurance necessary, and thus the rigor of the authentication required, is predicated upon the sensitivity of the object to which you require access. More sensitive resources require greater assurance and therefore more rigorous authentication.

Access control is the combination of authorization and authentication. Authorization is simply the approval to access a particular resource; authentication is the evidence that the party requesting access really is the one that was approved. Consider a work environment where you are required to use a badge reader to enter the building. As an employee you are authorized to enter the building. To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are. In many cases the authentication mechanism is a proximity card that is waved at the reader and the door opens. The proximity card is a token and would be considered a single factor of authentication: "something you have."

When you get to your desk you need to access your work computer. As an employee, you are authorized to access your email and certain applications. To log into the system you enter a user name (the system knows that the person who owns this username is authorized to access certain resources) and then your password. The password (something you know) is a single factor of authentication that tells the system, with some degree of confidence, that you are the person who matches the username. Note that the username itself is only a claim of identity, not a factor; the password is what supports the claim.

In both of these examples the astute reader has likely identified the vulnerability of single-factor authentication. In the first example a thief may have stolen the badge and may be masquerading as the legitimate user. In the second example a person may have shared their password with another, or the password may have been stolen, in which case an unauthorized person could also masquerade as a legitimate, authorized user. When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used. For a solution to truly be considered two-factor authentication it requires two of the three types of factors to be used together; two passwords, or a password plus a memorized PIN, are still a single factor (two things you know). In high security areas it is common to see two-factor authentication used.

Consider an example where you bank online. Due to the sensitive nature of your account (and FFIEC guidance on authentication in an internet banking environment), the bank wants assurance that only the authorized account holder is accessing the account. Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user. A password alone is not sufficient, as a password can be stolen or shared. In this scenario a bank would use a second factor of authentication, such as a one-time code generated by a token the customer carries. While this does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.
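As an added example (written for this page; it is not code from the original post, nor any bank's or vendor's implementation), the following Python puts the two-factor login described in the last two paragraphs together with the authentication/authorization split from the badge and desktop examples: a password (something you know) is checked against a salted PBKDF2 hash, a time-based one-time code (something you have) is checked per RFC 6238, and only then is a separate authorization check made that the now-authenticated user holds the role a resource requires. The user names, passwords, resource table and roles are constructed for the example; the 20-byte seed is the RFC 4226/6238 test-vector secret so the codes can be verified against the RFC tables by hand.

```python
"""Added example: password + TOTP two-factor login followed by an
authorization check.  Illustrative code for this page only; the user store,
resource table and names are constructed, and the seed is the RFC 4226 /
RFC 6238 test-vector secret so the generated codes can be checked."""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30          # seconds per code, as in RFC 6238
TOTP_DIGITS = 6
TOTP_WINDOW = 1         # accept one step of clock skew either side

# Hypothetical authorization policy: the role each resource requires.
RESOURCE_ROLES = {"/balance": "viewer", "/transfer": "transfer"}

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test seed


def enroll(password, totp_secret, roles):
    """User record: salted PBKDF2 hash (something you know), TOTP seed
    (something you have) and the roles the user is authorized for."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret, "roles": set(roles)}


# Constructed sample store.  In a real system the TOTP seed lives only on the
# server and inside the user's token or phone app, never next to the password.
USERS = {
    "alice": enroll("correct horse battery staple", RFC_TEST_SECRET, {"viewer", "transfer"}),
    "bob": enroll("hunter2", secrets.token_bytes(20), {"viewer"}),
}
# Dummy record for unknown usernames, so a failed login costs the same time
# whether or not the account exists (no user enumeration via timing).
_DUMMY = enroll(secrets.token_hex(16), secrets.token_bytes(20), set())


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=TOTP_STEP, window=TOTP_WINDOW):
    """Accept the current code or one step either side; every candidate is
    compared in constant time and all candidates are always checked."""
    if not (code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    counter = int(time.time() if at is None else at) // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, c), code)
    return matched


def authenticate(username, password, code, at=None):
    """Both factors are always evaluated so the response does not reveal
    which one failed.  True only if the user exists and both factors match."""
    record = USERS.get(username, _DUMMY)
    ok_password = verify_password(password, record)
    ok_code = verify_totp(record["totp_secret"], code, at)
    return username in USERS and ok_password and ok_code


def access(username, password, code, resource, at=None):
    """Access control = authentication + authorization.
    Returns (authenticated, authorized); serve the request only if both are True."""
    if not authenticate(username, password, code, at):
        return False, False
    required = RESOURCE_ROLES.get(resource)      # unknown resource -> deny
    authorized = required is not None and required in USERS[username]["roles"]
    return True, authorized


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector is 94287082; six digits -> 287082
    print(totp(RFC_TEST_SECRET, at=59))
    print(access("alice", "correct horse battery staple", "287082", "/transfer", at=59))
    print(access("bob", "hunter2", totp(USERS["bob"]["totp_secret"]), "/transfer"))
```

Two details matter in practice. Both factors are always evaluated, and an unknown username is run through a dummy record, so neither the reply nor its timing tells an attacker which factor (or which half of the username/password pair) was wrong. And the TOTP seed is "something you have" only as long as it exists solely on the server and in the user's token; a seed that is also e-mailed to the user or kept in the same password manager as the password collapses the scheme back toward a single factor, which is exactly the concern the bank example raises.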

Payment cards possess a number of authentication mechanisms. The objective is to authenticate the card, the cardholder or the transaction and so reduce the incidence of fraud. In card-not-present transactions such as ecommerce purchases the CVV2 number is often used to authenticate the card. Since the number is printed only on the card, and PCI DSS (which the card brands mandate) prohibits storing the CVV2 after authorization, the assumption is that if someone can input the CVV2 they are in possession of a valid card. Unfortunately, it is this same fact that makes CVV2 such a valuable target for data thieves: a stolen card number is worth far more with its CVV2, and a merchant that stores it in violation of the rules is holding exactly what the thief needs. More robust authentication mechanisms include 3-D Secure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) chip cards and the PIN used in debit transactions. While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authentication is a critical component of any information security or fraud prevention system. Understanding the basics of authentication can help users better manage the security of their payment cards.

(Guest Post) “Is Privacy Possible?” December 26, 2011

Posted by Chris Mark in Laws and Legislation, Piracy & Maritime Security.

There is a lot of discussion lately about the right to privacy online.  Specifically, discussion has centered around two concepts of late – 1) the “do not track” concept and 2) the right to be forgotten. While there is significant debate about what these concepts mean, I think it’s interesting to take a look at the notion of privacy in today’s world.  What does it really mean to have privacy?  Is it possible to have privacy or are these policies and plans simply the act of closing the barn door after the horse has gotten out?

The fact of the matter is that privacy, at best, is a nebulous concept. The amount of data that is available on any given individual, irrespective of social media, is plentiful to say the least. Even before the advent of Facebook, MySpace, LinkedIn and other sharing sites, the information available on individuals was mind-boggling. Over the last decade or more, a number of laws have been established to prevent the sharing and selling of information about individuals. The Federal Trade Commission has been actively involved in pursuing violators and enforcing these privacy protection standards. The "enforcement actions" in which the FTC has been involved range from companies selling customer lists to those whose networks have been breached, resulting in the loss of customer data. For a list of enforcement actions, visit the FTC website.

It may be helpful at this point to try to define exactly what privacy is, particularly in this day of social media and (over) sharing. One of the primary challenges with privacy, especially in such a connected age, is the complexity of defining it. How can one protect or preserve something when one can't fully define what that something is? Robert Post once wrote, "Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all."

The concept of privacy to which I subscribe is that of "privacy as control over information," as described by Charles Fried. Fried refines the notion of privacy as the absence of information by saying, "Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves." I like this definition for a few reasons. First, it provides some personal accountability for the individual. Many modern definitions of privacy place the onus of protecting that information entirely on the enterprise or company in question, as if the very act of holding consumer data is a breach of privacy. While this definition would certainly call for some action on the part of those organizations, it also calls on the individual to be selective about the information that is made available. The phenomenon of "Facebook firings" brings this issue into stark relief. Individuals can control the quality of information that is shared by using care with respect to what information they post on their own sites.

The other component of this definition that resonates is that of cooperation and transparency on the part of the organization toward the individual. This is an element of privacy that is present in most, if not all, of the current information privacy models.  (For reference, see OECD Guidelines on the Protection of Privacy, FTC Fair Information Practice Principles and Privacy by Design).  According to this element of privacy, the individual should have access to any of his or her personal information held by the company.  Further, the individual should have the right to correct any inaccuracies and to determine how or if that information can be shared with third parties.

This takes us back to the question posed in the title; “is privacy possible?”  The answer is still rather nebulous, but what we do know is that it relies on both the individual and the organization. This is not to say that concepts like “do not track” and “the right to be forgotten” are useless, but that we as a society have to refine our definition of what privacy is – the concept is far more complex than legislators and the media would have one believe.  Individuals must be cognizant of the information that they are sharing on public forums and how that data might be used.   Similarly, companies must be aware of the sensitivities around sharing consumer information and take appropriate steps to ensure an appropriate level of protection – in terms of policy, process, and technology.

Heather Mark

This is a guest post from my wife, the illustrious Dr. Heather Mark.  She is a frequently published and quoted expert on regulatory compliance and privacy issues.  This is a post from her personal blog which you can read here.

CyberSecurity & Piracy December 17, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Uncategorized.

This past summer I was interviewed by Maritime Executive on the topic of CyberPiracy. The article discussed the need for increased information assurance practices among shipping companies. As shipping companies increasingly turn to armed guards and ships increasingly adopt BMP4, hijackings have decreased. In response the pirates, and those who fund and support the pirates, are looking for new ways to increase their likelihood of successfully hijacking a ship while minimizing the risk to the pirates. Increasingly, pirates are turning to high tech, and not so high tech, solutions. It is an established fact that pirates are using information found on the AIS system as well as GPS and satellite phones to locate and coordinate attacks. Now information is coming forward that the pirate groups are using sources within ports and shipping companies to identify those vessels that they want to attack. It has been reported that hackers are being employed to steal data related to cargo as well as the use of armed guards. While this topic is too broad to discuss in a single blog post, I will begin posting a series of articles on cyber security and steps shipping companies can take to minimize the risk of their data being compromised.

This past fall, I had the opportunity to speak at a Hanson Wade anti-piracy event in London. If you have not attended a Hanson Wade event, they are very worthwhile. I have spoken at literally scores of events over the past 10 years and few, if any, were as well organized. The next event is scheduled for April 2012 in Hamburg, Germany. As luck would have it, they have a section on CyberSecurity. Take a look and see if it is worth attending.

InfoSec 101: Social Engineering December 17, 2011

Posted by Chris Mark in Uncategorized.

I just received a call from a friend of mine who wanted to talk about a phone call they had received. A person with an Indian accent called their house from 999-901-3307 and explained that he worked with Microsoft and that their computer "was infected with a number of viruses." He asked them to visit a few screens and verify some 'warnings'. He then asked them to allow him to access their computer to fix the issues. Luckily my friends were savvy enough to hang up the phone and not provide access. This is a classic example of what we call social engineering. Many people mistakenly believe that the easiest way to 'hack' or compromise a computer system is through technical means. In reality, it is often quicker and easier to simply have someone 'invite' the hacker into the system. If you ever receive a call, email, letter or any other communication from someone professing to be from Microsoft or some other vendor, you are well served to hang up. They will not call you directly, without your request, to ask for access to your computer system.

New Domain! www.GlobalRiskInfo.com December 17, 2011

Posted by Chris Mark in Uncategorized.

Starting tomorrow (Sun, Dec 18th, 2011), the blog will have a new domain.  You can find us at the current wordpress subdomain of https://maritimerisk.wordpress.com or you can simply type www.GlobalRiskInfo.com (not case sensitive).  The blog will be expanding into other areas of risk including information assurance, physical security, and financial risk.