Page 53 - Cyber Warnings
Single Sign-On
Single Sign-On (SSO) is another effective countermeasure. With SSO, a session and user
authentication service lets a user present one set of login credentials (e.g., name and
password) once and then access multiple applications. It is straightforward to set up and
manage, and many third-party products, including Microsoft Active Directory Federation
Services (AD FS), work well. They balance the tradeoff between ease of access for the end
user and tight, documented security for the auditors and internal security team.

With SSO, mandated password changes are easy. You change the password in one place and it
is updated for every application that supports SSO; you don't have to go into every system
and individual application. Managing multiple passwords, and having to remember one for
every system, causes a great deal of user frustration and password-related errors. The flip
side is that the single credential now unlocks everything, so it needs to be the best-protected
one in the company, which is where the multi-factor authentication discussed below comes in.

Because SSO authentication is performed by a trusted server within the company network,
third-party applications like GTreasury do not have to make their own determination that a
given user's credentials are valid. Instead, they accept a signed assertion from the same
trusted source the company already uses to identify and validate its users; the application
never sees the password at all.
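The exchange described above, as an added example that is not part of the article or of any product it names: the identity provider checks the password once and issues a signed, time-limited assertion addressed to one application; the application verifies the signature, audience and expiry and never handles the password. The shared HMAC key, the user store, the password and the timestamps are constructed for the demo; real federation products such as AD FS sign with the IdP's private key and publish the public key in metadata, but the trust relationship is the same.

```python
"""Minimal SSO exchange: the identity provider (IdP) checks the password once and
issues a signed assertion; the relying application verifies the assertion's
signature, audience and expiry and never handles the password itself.
Added example with a constructed shared key and user store."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key shared by the IdP and the application. Real federation
# (SAML, WS-Federation) signs with the IdP's private key and publishes the
# public key in metadata; the trust relationship is the same.
SHARED_KEY = b"constructed-demo-key-do-not-use"
ASSERTION_LIFETIME = 300   # seconds an assertion stays valid

def _password_hash(password: str) -> bytes:
    # Constructed fixed salt; a real directory stores a random salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

# Constructed user store: the one place where passwords live.
USER_STORE = {"alice": _password_hash("correct horse battery staple")}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_login(username: str, password: str, audience: str, now: int) -> Optional[str]:
    """IdP side: authenticate once and return a signed assertion, or None on failure."""
    stored = USER_STORE.get(username)
    if stored is None or not hmac.compare_digest(stored, _password_hash(password)):
        return None
    claims = {"sub": username, "aud": audience, "iat": now,
              "exp": now + ASSERTION_LIFETIME, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(signature)

def app_accept(assertion: str, expected_audience: str, now: int) -> Optional[str]:
    """Application side: return the asserted user if the assertion is genuine,
    meant for this application and still within its lifetime; otherwise None."""
    try:
        body, signature_text = assertion.split(".", 1)
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature_text)):
            return None          # verify first: unsigned input is never parsed
        claims = json.loads(_unb64(body))
    except ValueError:           # malformed base64 or JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    if claims.get("aud") != expected_audience:
        return None              # an assertion for one application must not open another
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None              # expired assertions are not honoured
    return claims["sub"]
```

The audience check is the detail most often skipped: without it, an assertion obtained for a low-value application can be replayed against the treasury system, which defeats the point of having a single trusted issuer.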

Multi-Factor Authentication
Multi-factor Authentication (MFA) combines “something you know” – a password – with
“something you have.” The “something you have” portion might be a physical token that
generates a distinct one-time security code. It might also be a code sent by message to a
mobile phone or a laptop computer. Even if a hacker penetrates your network and steals your
password, he can’t make off with the goods unless he also gets hold of the other
authenticating factor.

MFA does not need to be limited to login. It can also be required at any functional point in
an application – such as approving a payment – so that a stolen session alone is not enough
to move money.

The Dyre Wolf gang scored despite MFA because they succeeded in getting both pieces of the
puzzle. With faked phone calls and spoofed web sites, they tricked victims into revealing or
entering essential information like security codes and passwords, and then used those codes
themselves before they expired. Again, this shows that no technology is foolproof if humans
mishandle it; a one-time code is only “something you have” until the user reads it out to
someone else. It also shows the need to layer security, rather than to rely on any one method
or solution component.
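An added example, not code from the article or from any product it names, covering both of the preceding paragraphs: it generates the token’s “something you have” code the standard way (RFC 6238 TOTP over RFC 4226 HOTP), checks it at login and again as a step-up when a payment is approved, and then walks through the phished-code case. The user, password, secret and timestamps are constructed for the demo (the secret and first timestamp are the RFC 6238 test vector so the codes can be checked against the RFC).

```python
"""Time-based one-time codes (RFC 6238) as the "something you have" factor,
checked at login and again as a step-up when a payment is approved.
Added example; the secret, user, password and timestamps are constructed."""
import hashlib
import hmac
import struct
from typing import Dict

STEP = 30      # seconds each code is valid for
DIGITS = 6
WINDOW = 1     # tolerate one step of clock drift on either side

def totp(secret: bytes, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 over RFC 4226: HMAC-SHA1 of the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def _password_hash(password: str) -> bytes:
    # Constructed fixed salt; a real store uses a random salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

class MfaGate:
    """Password plus TOTP at login, and TOTP again when a payment is approved."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def enroll(self, name: str, password: str, secret: bytes) -> None:
        self.users[name] = {"pw": _password_hash(password), "secret": secret,
                            "last_counter": -1}   # highest time counter already accepted

    def _check_code(self, rec: dict, code: str, now: int) -> bool:
        """Accept the code for the current step or one step either side, once only."""
        for delta in range(-WINDOW, WINDOW + 1):
            counter = now // STEP + delta
            if counter <= rec["last_counter"]:
                continue   # that step's code was already used: refuse the replay
            expected = totp(rec["secret"], counter * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                rec["last_counter"] = counter
                return True
        return False

    def login(self, name: str, password: str, code: str, now: int) -> bool:
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec["pw"], _password_hash(password)):
            return False
        return self._check_code(rec, code, now)

    def approve_payment(self, name: str, code: str, now: int) -> bool:
        """Step-up: being logged in is not enough; a fresh code is required here."""
        rec = self.users.get(name)
        return rec is not None and self._check_code(rec, code, now)

def phished_code_scenario() -> Dict[str, bool]:
    """The Dyre Wolf pattern: the victim reads a valid code to a fake 'support' caller.
    The server sees a correct password and a correct, unused code, so it cannot
    tell that the attacker typed them. Single use limits the damage of each code
    but does not stop an attacker who phishes a fresh one for each step."""
    gate = MfaGate()
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    gate.enroll("treasurer", "demo-password", secret)
    t0 = 59                                   # RFC 6238 test-vector time (counter 1)
    first_code = totp(secret, t0)             # read off the token by the victim
    results = {}
    results["attacker_login"] = gate.login("treasurer", "demo-password", first_code, t0)
    results["attacker_reuses_code"] = gate.approve_payment("treasurer", first_code, t0 + 5)
    second_code = totp(secret, t0 + STEP)     # phished again one step later
    results["attacker_second_code"] = gate.approve_payment("treasurer", second_code, t0 + STEP)
    results["victim_original_code"] = gate.login("treasurer", "demo-password", first_code, t0 + 10)
    return results
```

The scenario is the point of the paragraph above in executable form: the first phished code logs the attacker in, the step-up at payment refuses the same code a second time, and a second phished code gets through, while the legitimate user’s own copy of the first code is now rejected. The server-side logic is working exactly as designed; the factor was lost on the phone call, not in the code.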

Mobility And The Cloud
If you do a good job of restricting administrator rights, of managing identities and passwords,
and of implementing multi-factor authentication, you’re showing that you’re serious about
cyber-security. Your auditors will approve; so too should your lawyers and law-enforcement
authorities.

Data breaches are a real threat nowadays, even for companies that are diligent about security.
If your company’s systems are breached, your legal liability may be much lower if you have
followed a strategy of defense-in-depth than if you were oblivious to best security practices. In
the latter case, additional or punitive damages could be assessed.

53 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
