One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 452707 |
| Date de publication | 2017-12-19 14:00:00 (vue: 2017-12-19 14:00:00) |
| Titre | My Password Pal |
| Texte |
“Sorry pal, my password is Spring2017. Deal with it.”
Someone said those words to me the other day. As an InfoSec professional, I’ve have grown accustomed to this type of indignant proclamation. My jaw no longer drops to the table anymore when I hear folks speaking this way, but I still have trouble stifling an audible sigh.
As usual, when confronted with this reality, I experience the usual stages of information security grief. Why don’t they get it? Where have we gone wrong? Should we give up? Who still uses the phrase “Deal with it?”
Fortunately, the statement made by my password “pal” was in the context of getting set up with a Multi-factor login system. I have been a strong supporter of Two-Factor authentication for a long time. I even took the bold step to predict that at least one social media platform would force 2FA on all their subscribers this year. So far, this has not happened, and even though no one is forcing 2FA upon their subscribers, it seems to be getting some attention and adoption in many corporate settings.
In fact, a new regulation in New York is prescribing multi-factor for all remote logins unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. What is the meaning of a “reasonably equivalent control”? In InfoSec, we call those “compensating controls”. These controls were introduced in the first version of the Payment Card Industry Data Security Standards (PCI DSS).
The standard definition of compensating controls consists of 4 parts:
Compensating controls MUST:
Meet the intent and rigor of the original control.
Provide a similar level of defense as the original requirement.
Be “above and beyond” other requirements.
Be commensurate with the additional risk imposed by not adhering to the original requirement.
That is a tall order to fill, and it seems much more difficult than instituting a 2FA solution.
There are so many multi-factor options out there today; one has to wonder why people aren’t jumping on board with these systems? 2FA isn’t limited only to corporate systems. Some tools that folks can use on their personal accounts are free, such as some of the “authenticator” applications offered by some vendors. Some services such as Twitter, and at least one security organization (EC-Council), are still using text-based two-step verification, and we know that isn’t perfect, but it is still better than no security.
A 2FA system eases the sting of bad passwords considerably. Now when someone tells me “that’s my password pal, deal with it”, I no longer have to sigh. While my internal cynic may respond in kind “well now you have 2FA, so YOU deal with it, Sparky”, I am comforted, however slightly, that an attacker has to jump one more hurdle before he can log into the account of mister “Spring2017”.
  |
| Envoyé | Oui |
| Condensat | “above “compensating “deal “reasonably “sorry “that’s “well as while 2fa access account accounts accustomed additional adhering adoption all anymore applications approved are aren’t attacker attention audible authentication bad based been before better beyond” board bold but call can card ciso comforted commensurate compensating confronted considerably consists context control control” controls controls” corporate council cynic data day deal defense definition difficult don’t drops dss eases equivalent even experience fact factor far fill first folks force forcing fortunately free get getting give gone grief grown happened has have hear however hurdle i’ve imposed indignant industry information infosec instituting intent internal introduced isn’t it” jaw jump jumping kind know least level limited log login logins long longer made many may meaning media meet mister more much multi must: new not now offered one only options order organization original other out pal parts: password passwords payment pci people perfect personal phrase platform predict prescribing proclamation professional provide reality reasonably regulation remote requirement requirements respond rigor risk said secure security seems services set settings should sigh similar slightly social solution some someone sparky” speaking spring2017 stages standard standards statement step stifling sting strong subscribers such supporter system systems table tall tells text than these those though time today; took tools trouble twitter two type unless upon use uses using usual vendors verification version way what when where who why wonder words would writing wrong year york |
| Tags | |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.