09/16/2011

#securechat September 15: Password Security

Thank you to everyone who joined #securechat this week as we discussed password security. The discussion questions guiding our chat were:

  • Q1: What are some of your tricks for creating memorable passwords?
  • Q2: Do you have a schema for passwords based on the type of site, or how secure you want that login to be?
  • Q3: How do you feel about sites with length, special character & other requirements?
  • Q4: How do you remember your passwords? Do you use Single-Sign-On? Post-It notes?
  • Q5: What password "rules" are most important to keep? (changed from "What password 'rules' do you break?")

Join us next week as we discuss Cryptography in Your Daily Life. You may be surprised at how much cryptography impacts everything you do. Also, learn helpful hints for taking advantage of it and making your everyday activities more secure.

#securechat Transcript: September 15


jenatsafenet
If your password is "Password", you need to join us in 5 minutes.

SafeNetInc
Welcome! It's time for this week's #securechat for pros in social media, IT security, and those who just want to learn more.


09/13/2011

Let's do it in the Cloud! A Video Interview with Michelle Nerlinger

Michelle Nerlinger talks about SafeNet's software monetization solutions for cloud providers, part of the latest campaign she calls "Let's do it in the cloud!" Visit www.sentinelcloud.com for more information on software monetization for cloud-based software and applications.

Also - we still need your "SaaS" t-shirt photos! Post them on our Facebook page: www.facebook.com/SafeNetInc

09/09/2011

#Securechat September 8: Knowledge-based Authentication

Thanks again to everyone who participated in this week's #securechat Twitter chat. This week we discussed knowledge-based authentication (answering "secret" questions to verify your identity). If you missed the chat, or want to revisit some of the links and ideas posted, the full transcript is below. Make sure you mark your calendar for next week's chat on Password Security: Thursday 2pm EST/ 11am CST/ 8pm Central European time.

The five questions guiding the discussion were:

  • To reset your password, do you have to answer security questions? Do you remember your answers?
  • What do you do if you’re asked a security question with no answer? (e.g. brother’s middle name, but you’re an only child)
  • Do you think companies ever ask questions that are too personal or inappropriate?
  • What are some tips and tricks you have for keeping that information secure?
  • What advice would you give for companies who use security questions? Trash it? Change it? Keep as is?

#securechat Transcript - September 8, 2011

SafeNetInc
Welcome! It's time for this week's #securechat for pros in social media, IT security, and those who just want to learn more

SafeNetInc
The format is an open discussion around 5 questions asked by the moderator (me).

CherylAtSafeNet
RT @safenetinc: Welcome! It's time for this week's #securechat for pros in social media, IT security, and those who just want to learn more

SafeNetInc
This month, our focus is on Knowledge-based authentication – is it effective? Q1 coming up!


09/06/2011

Knowledge-Based Authentication: a false sense of security

Whether it's a self-service system for network password resets or logging into a banking website, chances are you're familiar with Knowledge-Based Authentication (KBA). This type of authentication asks you questions, and if you answer them correctly, the system lets you in, or lets you reset your password, or lets you transfer $50,000 to an account in the Cayman Islands.

via data-protection.safenet-inc.com

Most organizations rely on some sort of PIN, Q&A or two-factor authentication beyond simple username and password. But are they really that much better? This week's #securechat focuses on Q&A, or Knowledge-based authentication, where users verify their identity by answering questions "only" they know. But with the prevalence of social media, the widespread dissemination of information and a basic lack of privacy, are facts about your life really that secure?
Here's Paul Ardoin's (@paulardoin) take on Knowledge-based authentication. Join #securechat Thursday at 2pm EST to discuss ways you can make your login more secure.

09/02/2011

#securechat Transcript: Security in Social Media

Thanks to everyone who joined yesterday's #securechat Twitter chat, where we discussed security and privacy in social media.  For anyone who missed it, the complete transcript is below. Join us next week as we discuss knowledge-based authentication (aka answering questions "only" you know to verify your identity), why it's no more than a false sense of security, and what you can do to make your accounts truly secure.

SafeNetInc
Welcome! It's time for this week's #securechat for pros in social media, IT security, and those who just want to learn more.

mlgunther
#securechat in 3...2....1....http://ow.ly/6iZqy #securechat

SafeNetInc
The format is an open discussion around 4 questions asked by the moderator (that's me).

SafeNetInc
This week, our focus is on security and privacy in #social media. Feel free to introduce yourself & jump in the conversation.

MackCollier
If you are worried about phishing DMs or security on Facebook or Google Plus, you'll want to jump in #securechat NOW!


08/31/2011

#Securechat September 1: How to Protect Social Media

#securechat is a weekly Twitter chat that discusses trends, policies, mandates, and new technology affecting the security industry. The next one will be Thursday, September 1st at 2pm EST/ 11am PST. We're talking about Social Media Privacy and Security: How do you protect your profiles? Follow @SafeNetInc and #securechat to join the conversation.

What’s a Twitter chat?

Twitter “chats” are really just an informal gathering of people tweeting at an appointed time using the same #hashtag. You don’t have to “join” anywhere, just send a tweet that includes the text #securechat, and those following along will see it.

To participate, you’ll want to use something other than the Twitter Web site. One of the best is TweetChat. Sign in with your Twitter account, enter #securechat into the hashtag search, and all the tweets from the discussion will automatically populate your list. When you send a tweet in TweetChat, it automatically adds the #securechat hashtag.

For more information on Twitter chats and other tools you can use, you may want to read this post from TwitTip.

So be sure to mark your calendar to join us each Thursday at 2pm EST/ 11am PST. If you have any specific questions (or ideas for future chat topics), just let us know in the comments. Or, feel free to contact us on Twitter at @SafeNetInc. Looking forward to the chance to engage with you each week!

08/24/2011

How to Prevent Man-in-the-Middle Attacks

Man in the Middle is not a new concern. But the tactics being used, and the technology available to thwart them, are constantly evolving. In an article by eSecurity Planet, Tsion Gonen, VP Products and Marketing, joins a slew of security experts to provide insight into the new dangers of MitM attacks, as well as what you can do to prevent them. Excerpts below. Read the full article at eSecurity Planet.

"An 'out-of-band' authentication method can validate the integrity of a specific transaction itself and such are quickly becoming an imperative because they can better circumvent MITB attacks by confirming the transaction through means other than the customer's PC and browser, said Tsion Gonen.

"This ensures that only the person in possession of the transaction security device can receive details of the transaction and approve it. These types of security solutions will become increasingly important over the next few years as advances in mobile technology are making online transactions a mainstay of global commerce."

For larger networks, Gregory Perry, CEO of GoVirtual Education, recommends the following:
  • The effective use of port security on Ethernet switches
  • Enabling port authentication such as 802.1x on Ethernet switches
  • ARP cache monitoring software at the NMS, Ethernet switch, and individual host level(s)
  • Host-based intrusion detection and prevention agents that are configured with Layer-2 signatures and alarming
  • The use of hardcoded static ARP entries for mission critical gateway and server assets
  • Application-level encryption methods such as SSL with PKI-mandated certificate signing policies
  • Transport-level encryption methods such as IPSEC and SSL with PKI-mandated certificate signing policies
  • The use of multiple factor authentication methods for both network and application-level access
  • The use of one time password (OTP) hardware tokens for network and application access


08/23/2011

How to Prevent APT on Your Company? Encrypt, says CEO Chris Fedde

Earlier this month, SafeNet CEO Chris Fedde sat down with GovInfoSecurity.com's Eric Chabrow to discuss encryption in the current era. In his opinion, encryption is a company's best line of defense against Advanced Persistent Threats. 

In the interview, Fedde discusses:

  • How encryption has evolved and is being used differently today than a few years ago.
  • Why, despite the recent rash of publicity surrounding website hacks, many organizations don't know they've been breached.
  • How encryption can keep the most sensitive data securely stored on a public cloud, including classified military secrets.

You can read the full interview transcript at GovInfoSecurity.com. Selected portions below:

GovInfoSecurity CHABROW: What do you hear from customers and others for reasons why organizations don't fully use encryption?

FEDDE: I would say there are a couple of different answers to that. One is people can be unaware of the threat. It really is surprising. People see other hacks. There have been high-level breaches ever since T.J.Maxx, WikiLeaks and Sony, and people still don't recognize that it applies to them too. Part of that also is these advanced threats are very quiet. Their whole goal is to steal information silently so that the person losing information is unaware of it. 

.......

CHABROW: So in other words, they may be under certain requirements to encrypt financial information such as credit card numbers, but they may not be under the same kind of rules to encrypt birth dates, addresses or email addresses.

FEDDE: Right now the PCI requirements require you to actually encrypt certain information, like credit card information. Once you've been forced to encrypt... that's actually the best learning tool because then people start to use encryption because they have to realize that not only do I have credit card information to protect, I have intellectual property to protect, personal information on my employees to protect. 

Continue reading "Encryption in the Age of Advanced Persistent Threats" 


08/10/2011

Using Strong Authentication Methods—but for Transaction Integrity Instead!

In the not-so-distant past, strong authentication was a critical security requirement to identify users coming into systems. In 2005, banks and other financial institutions, who were using plain ol’ usernames and fixed passwords to authenticate both corporate and consumer users, started worrying about phishing scams.

Soon after, strong authentication methods were implemented in many use cases. Sometimes this is one-time passwords, sometimes it’s digital certificates, sometimes it’s picture representations.

These authentication methods have previously been associated with authenticating the user for the duration of the session—but today’s attacks can circumvent user authentication by hijacking the session, and money transfers can be made that the user didn’t authorize—even in a legitimately authenticated session. So, financial companies can no longer rely on user authentication as their only line of defense.

Now financial companies must verify both the user identity AND the transaction. Even if a user has been authenticated, high-value transactions have to be validated as well.

Fortunately, financial institutions can leverage approaches similar to those they’ve historically used for user authentication, including challenge-response and digital signatures. Here are a few approaches, traditionally used for strong authentication, that can now be used for verifying transactions:

  • Challenge-response. In this example, a user would initiate a transaction on a bank’s online portal. Before executing the transaction, the bank could then prompt the user to submit such personal information as the spouse’s maiden name or father’s middle name. If the information submitted matches the bank’s records, the transaction would be carried out. (The fact that this uses personal information, which could be obtained by a hacker viewing the user’s Facebook page or other social engineering attack, means that this is most appropriate for lower-value transactions.)
  • Out of band (OOB). Here’s an example of the OOB process for transaction validation: When a customer initiates an e-banking transaction, a text message or phone call containing a one-time password is sent to the customer’s mobile phone number. The customer must then provide that password on the website in order to complete the transaction. Even during a session hijack, the attacker doesn’t have access to the mobile phone, so the fraud won’t be completed. (Even better, the legitimate user will be alerted that someone is messing with the session.)
  • Digital signature. With digital signatures, when a user views an e-banking transaction, it initiates a signing process by prompting the user for a token or PIN credential. Once the credential has been submitted, it is sent to a trusted certificate authority for validation. Finally, the recipient would view the signed transaction.
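As an added illustration of the out-of-band approach above (example code written for this page, not SafeNet's own implementation), the one-time code sent to the phone is computed as an HMAC over the transaction details plus a nonce, so a code issued for the original transfer will not validate a transfer whose beneficiary or amount was altered mid-session. The key, account names and amounts are constructed placeholders, and the "SMS" is returned as a string rather than sent.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

@dataclass
class Transaction:
    account: str
    beneficiary: str
    amount_cents: int
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))

class OobTransactionVerifier:
    """Issues a transaction-bound one-time code over an out-of-band channel and checks it."""
    def __init__(self, key: bytes, max_tries: int = 3):
        self.key = key
        self.max_tries = max_tries
        self.pending = {}  # nonce -> remaining verification attempts

    def _code(self, tx: Transaction) -> str:
        # Bind the code to what is being approved, not merely to the login session.
        msg = f"{tx.account}|{tx.beneficiary}|{tx.amount_cents}|{tx.nonce}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        # HOTP-style dynamic truncation (RFC 4226 section 5.3) to a 6-digit code.
        offset = digest[-1] & 0x0F
        number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{number % 1_000_000:06d}"

    def issue(self, tx: Transaction) -> str:
        """Return the SMS text: details are shown so the customer can spot a tampered transfer."""
        self.pending[tx.nonce] = self.max_tries
        return (f"Confirm payment of {tx.amount_cents / 100:.2f} to {tx.beneficiary} "
                f"with code {self._code(tx)}")

    def verify(self, tx: Transaction, submitted: str) -> bool:
        """Accept only if the code matches the transaction as it stands now, and only once."""
        tries = self.pending.get(tx.nonce)
        if tries is None or tries <= 0:
            return False  # unknown nonce, already used, or attempts exhausted
        self.pending[tx.nonce] = tries - 1
        if hmac.compare_digest(self._code(tx), submitted):
            del self.pending[tx.nonce]  # consume the code on success
            return True
        return False

def demo():
    """Constructed scenario: returns (tampered accepted?, legitimate accepted?, replay accepted?)."""
    v = OobTransactionVerifier(b"constructed-demo-key-not-a-real-secret")
    tx = Transaction("ACCT-1", "Alice Plumbing", 12_500)
    code = v.issue(tx).rsplit(" ", 1)[1]  # the customer reads the code off the SMS
    # Session hijack: beneficiary and amount rewritten after the code was issued.
    hijacked = Transaction(tx.account, "Mule Account", 5_000_000, tx.nonce)
    return v.verify(hijacked, code), v.verify(tx, code), v.verify(tx, code)
```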

08/05/2011

#Securechat August 2011 Transcript: How to Secure Data in the Cloud

Thank you to everyone who participated or listened in on #securechat, the peer Twitter discussion of everything IT security. This month’s focus was navigating data security in the cloud. Our four discussion questions were:

Q1. How are you deciding what data to move to the cloud?

Q2. What experts are you following for cloud advice, esp for cloud security?

Q3. How are you approaching shared risk/liability w/ your cloud provider, including contracts?

Q4. What threat use cases most concern you for cloud deployments?

Join us next month on Thursday, September 1st. If you have suggestions for topics, please post a comment here on the blog, or send us a message at @SafeNetInc.

#securechat Twitter Chat
August 4, 2011 2-3pm EST/ 11-noon PST

SafeNetInc Welcome! It's time for this month's #securechat for pros in IT security (and those who want to learn more).

SafeNetInc The format is an open discussion around 4 questions asked by the moderator (that's me).

SafeNetInc This month, our focus is on navigating data security in the #cloud. Q1 coming up!
