Friday, 6 March 2015

Quick Guide to Software Security


Security has been a priority for companies for many years now, and with so many high-profile companies being hacked, it's no wonder. With brute-force, dictionary and rainbow-table attacks, the time it takes to crack a password is frighteningly short. This guide discusses some of the methods used to crack passwords and what can be done to protect your systems against these threats.


How is the hacking done?

With massively parallel general-purpose GPU password cracking and rainbow tables, it's possible for hackers to produce more than 500,00,000 passwords per second, even with low-end hardware. Depending on the software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds. That is faster than my daughter takes to unlock my iPhone passcode!

Rainbow tables achieve this by comparing a password database against a table of all possible encryption keys. This requires a large amount of memory, and memory is cheap. With hardware improving, a password doesn't stand a chance. Over and above these techniques, social engineering still remains a big threat: all the encryption and strong passwords in the world don't mean a thing when the user gives out their password. Phishing tactics are getting better and are very effective; with false emails and forged websites they trick an alarming number of people into giving up their passwords.


What are the options?

Basically it boils down to single-factor or multi-factor/two-factor authentication (2FA). Single-factor authentication secures a system through only one category of credential, for example a login and a password. 2FA is where a user's credentials are made up of two independent factors.





Single Factor

There are challenges with attempting to secure your system with a password alone, the most common being that users either don't understand how to make a strong and memorable password or underestimate the need for security.

The extra rules that are necessary to make passwords strong often result in users forgetting them, which leads to password resets that often rely on help desks (see costs). Single factor does have its advantages though: it's cost-effective, easier to manage, and fewer things can go wrong.

There are some things that can be done to make it more effective though, namely:

  • Passwords need to be long enough (minimum of 8 characters), include a mixture of letters and numbers, and be case-sensitive. A password meter is recommended and has been proven to help.
  • Passwords could be partially inputted, for example characters 3, 5 and 7 of the password
  • Passwords should be stored in the database in an encrypted format, with the software verifying them via a decryption key
  • Where possible, the login and password can be locked down to one or more IP addresses (although that effectively becomes 2FA)
  • Users need to be educated on how to protect themselves and their passwords
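As an added example (not code from the original post), the following Python puts two of the bullets above into working checks: a policy check and simple strength meter for the length, letters, digits and mixed-case rules, and an IP allowlist for locking a login down to one or more addresses. The thresholds (8 characters from the post, 12 for a bonus point) and the CIDR ranges in the sample are assumptions; the scoring scale is an illustrative choice, not a standard.

```python
import ipaddress
import re

MIN_LENGTH = 8  # the post's minimum password length


def policy_violations(password: str) -> list:
    """Return the list of rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    return problems


def strength_score(password: str) -> int:
    """Simple password meter: 0 (weak) to 4 (strong).

    One point each for reaching the minimum length, for 12+ characters,
    for using at least three character classes, and for using all four.
    The scale is an assumed illustration, not a standard.
    """
    score = 0
    if len(password) >= MIN_LENGTH:
        score += 1
    if len(password) >= 12:
        score += 1
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes >= 3:
        score += 1
    if classes == 4:
        score += 1
    return score


def build_allowlist(cidrs) -> list:
    """Parse CIDR strings (or single addresses) into network objects once, at config time."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def ip_permitted(client_ip: str, allowlist) -> bool:
    """True if the client address falls inside any allowed network.

    Membership tests between IPv4 and IPv6 objects simply return False,
    so a mixed allowlist is safe.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in network for network in allowlist)


# Constructed sample configuration using documentation address ranges.
OFFICE_ALLOWLIST = build_allowlist(["203.0.113.0/24", "198.51.100.7"])


def login_allowed(password: str, client_ip: str) -> bool:
    """Combine both checks the way a login handler would."""
    return not policy_violations(password) and ip_permitted(client_ip, OFFICE_ALLOWLIST)
```

The violation list is what you would feed back to the user at registration time; the score is what a meter widget would display as the user types.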




2FA

As mentioned before, 2FA is where a user's credentials are made up of two independent factors, such as:

  • Something that the user knows (PIN, password, questions, etc...)
  • Something that the user possesses (key fob token, mobile phone, smartcard, etc...)
  • Biometric data (fingerprint, iris, voiceprint, etc...)

Obviously some of the above options will be more suitable than others, and each has a cost implication. I would like to briefly discuss the more popular options to give a better understanding, and also because it is unlikely that a company will protect its CRM system with an iris scan. Horses for courses.

Hardware tokens are the most prevalent, most commonly implemented by giving the user a key fob that is combined with a password. The key fob displays a pseudo-random number that changes periodically, and the user inputs this number to prove that they have the token. The server that is authenticating the user must also have a copy of each key fob's 'seed record', the algorithm used and the correct time, and can then in turn authenticate the user. The key fob itself contains this algorithm and the 'seed record' and generates the number that is verified by the server. There are alternatives to the key fob such as USB-stick-based solutions, for example YubiKey, which is used by Google, Facebook and the US Department of Defense. With such high-profile customers and a cost starting from $18 per user, it is understandable why it is so popular.

Software tokens are on the rise: the key fob functionality has been replicated for the smartphone and has been in use since the year 2000. The technology is exactly the same as the hardware version; instead of an additional fob, an app on the smartphone is used. Other software apps are available for smartphones as well: products like Toopher can verify where the user (or their smartphone) is physically located, and the first time a user tries to log in from a new location they must grant permission via the app. Pricing starts at $1 per month per user.
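The hardware and software tokens described in the two paragraphs above share one mechanism: token and server both hold a seed record, run the same algorithm over the current time, and compare the resulting number. The following Python is an added example of that mechanism using the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with HMAC-SHA1, 30-second steps and 6 digits; it is not code from the post, from YubiKey or from any product named here. The server-side `TotpVerifier` class, its one-step clock-drift window and the per-user replay check are my design choices, and the seed bytes used in the sample are the RFC test-vector secret, not a real enrolment.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation of
    4 bytes at the offset given by the low nibble of the last byte, then
    reduction modulo 10**digits with zero padding.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter taken
    from the Unix time divided into fixed-length steps. This is what the
    fob or phone app computes and displays."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: one seed record per user plus the last counter each user
    successfully used, so an intercepted code cannot be replayed while it
    is still inside the acceptance window. (Assumed design, not a standard.)"""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.seeds = {}           # user -> seed record (bytes)
        self.last_counter = {}    # user -> last counter that was accepted

    def enrol(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, unix_time: int = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        seed = self.seeds.get(user)
        if seed is None:
            return False
        counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            # Never accept a counter at or before the last one this user used:
            # each code is valid exactly once.
            if candidate <= self.last_counter.get(user, -1):
                continue
            expected = hotp(seed, candidate, self.digits)
            # constant-time comparison so the check leaks nothing by timing
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = candidate
                return True
        return False


# Constructed sample: the RFC 4226/6238 test-vector secret, not a real seed.
SAMPLE_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    server = TotpVerifier()
    server.enrol("alice", SAMPLE_SEED)
    shown_on_token = totp(SAMPLE_SEED, now)
    print("token shows:", shown_on_token)
    print("server accepts:", server.verify("alice", shown_on_token, now))
    print("replay accepted:", server.verify("alice", shown_on_token, now))
```

The values the test vectors produce (`755224` for counter 0, `287082` at Unix time 59) are the ones published in the RFCs, which is a convenient way to confirm an implementation before enrolling real seeds. Note that the server must keep the seed records as carefully as it keeps passwords: anyone holding the seed can compute every future code.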

Another effective way to authenticate a user with the aid of their mobile phone is to send them a code via text message; this code changes with every request and expires. This is a relatively simple and cost-effective solution, with companies providing text-message capabilities from a couple of pence per message.
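The text-message approach needs three properties the paragraph above names or implies: a fresh code for every request, expiry, and single use. The Python below is an added example of the server side of that flow, not code from the post or from any SMS provider. The five-minute lifetime and three-guess limit are assumed values, the `send_sms` callable stands in for whatever gateway you buy messages from, and the code store is an in-memory dictionary that a real deployment would replace with a database.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6
TTL_SECONDS = 300    # assumed: a code expires five minutes after it is issued
MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed before the code is discarded


def _digest(code: str) -> bytes:
    # Store only a hash of the code so a leaked store does not reveal live codes.
    return hashlib.sha256(code.encode()).digest()


class SmsCodeService:
    """Issue and verify one-time codes delivered by text message."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone_number, text); the real gateway is assumed
        self.clock = clock         # injectable so expiry can be tested without waiting
        self.pending = {}          # user -> {"digest", "expires", "attempts"}

    def issue(self, user: str, phone_number: str) -> None:
        # A new random code on every request, drawn from the CSPRNG (secrets),
        # never from random.random, so codes cannot be predicted.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[user] = {
            "digest": _digest(code),
            "expires": self.clock() + TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user: str, code: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user]             # expired: discard, user must request again
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], _digest(code)):
            del self.pending[user]             # single use: a correct code is consumed
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]             # too many guesses: discard the code
        return False


if __name__ == "__main__":
    # Constructed demo: print instead of sending, using a reserved UK drama number.
    svc = SmsCodeService(lambda phone, text: print(f"to {phone}: {text}"))
    svc.issue("alice", "+44 7700 900000")
```

Rate-limiting the `issue` call per user and per phone number is the other control worth adding, both to keep the per-message cost down and to stop someone using the login page to flood a phone with messages.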




Parting Thoughts

There are many solutions to an ever-increasing challenge that we all have to address in one manner or another. You don't need a machine gun to kill a mosquito though (not sure if that is a saying, but it should be), and taking into account the various factors that influence your security requirements is key, so to speak.

Those factors are how sensitive the information is, what the repercussions would be if the system were hacked (customer confidence, regulations, etc.), the user particulars (number, location, etc.) and costs.




George Toursoulopoulos is a technology specialist and CEO of Synetec, one of the UK’s leading providers of bespoke software solutions.
