Countering Cyber Terrorism
by Tim Dunn - Identity Management Business Unit at BMC Software - Monday, 20 March 2006.
Still using that tired and worn out password to log onto your PC? Is your motherís maiden name still the main prompt you use to log on and check your credit card statement? Worried that the PIN number you use to access your online banking is the same PIN youíve given the children to access the Sky Digibox? You should be. The fact is that as individuals, we are not doing enough to guarantee user authentication. And if you think thatís bad, the situation in organisations is even worse.

Most organizationsófrom multinational corporates to small businessesóstill exclusively rely on the user name and password as a mechanism to control the way employees, contractors, partners and customers gain access to corporate information assets. The result being that these organisations are exposing themselves to cyber terrorism, which includes everyone from the most malevolent terrorist to the basement hacker. Their aim: to sit on your doorstep and undermine and destroy the fabric of your organisation.

Threats against passwords are increasing as they are perceived as the more vulnerable security aspect of IT infrastructures and are therefore inadequate in securing an IT system.

So why isnít more being done to overcome the cyber terrorism threat? After all, following the terrorist attacks in New York and London, Governments are being especially diligent in its duties to combat everyday terrorist threatsóso why isnít business doing more?

One of the main reasons we are in this maelstrom is thatóuntil nowótechnology has been a barrier to cost-effective and practical user authentication. Solutions in the market today are both prohibitively expensive and take too long to deploy and manage. The second reason is complacency. Many organisations do not perceive there to be a real threat. Corporate governance regulations, such as Sarbanes-Oxley, are starting to have an impact, but there remains a lack of urgency.

Some organizations have taken the matter into their own hands and simply made passwords longer, or require employees to change them more frequently. This is not a good idea as the employee will just forget the password or write the password down, therefore compromising security in a different way,

Almost 90 percent of organizations today still rely on user name and password for user authentication. The result is that they have very little control over who has access to their systems, the degree of access people have, and who gives the approval for that access. A few organisations have reached the second phase of user authentication: they know whoís coming in and what they are accessing, because the organisation has controls over authentication. But, itís a reactive policy. They can only report on what the intruder or innocent user has seen. Nothing more, nothing less.

Centralised, Best Practice Identity Management

So what is the solution? To effectively combat the very real threat of cyber terrorism in the business community, each and every organization needs to adopt a centralised, best practice approach to the way identities and access privileges are managed. In other words, the proactive, real-time monitoring of every aspect of user authentication. It represents good governance. For example, when a new finance employee joins the organisation, they should be denied access privileges to both the creation and payment of invoices. There should be an enforcement policy in place which means they need to seek approval prior to this privilege being accepted.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th