Excellence Platform - Excellence Business

Tuesday 25 August 2015

Strong Authentication isn't for the future, it's all about now.



I recently read an article by one of my favourite reporters in high tech, Ashley Carman from SC Magazine, in which she discussed the USA Government's 'Cyber Security Sprint' initiative.

I genuinely had to read the piece twice before I could comprehend the madness that I was reading, not because I disagreed with Ashley’s narrative, but because the data and stats that were being expressed were mind-boggling. You can read the piece HERE and see all the data laid out in front of you, but the key point for me was that something as simple as true two-factor strong authentication has not been fully adopted in a central government body.

I understand that 100% of anything is difficult, improbable even, but to be jogging along at 33% coverage when tokens, key cards and dongles have been available for well over 10 years, and widely used in the private sector for at least two-thirds of that time, is staggering.

Most of the banks I have worked with offer free tokens to normal consumers, applying the “something you have and something you know” adage to accessing your current account, making transfers etc. In this instance, for someone who is likely going to transfer fifty bucks, five pounds or twenty Euros for an online transaction, a train ticket or the latest Kindle book download, using a token to secure that transaction makes sense to me and is prudent.

I can't imagine many companies - even a one or two man band - wanting access to their hard-earned cash to require only a pet's name or the town they grew up in as the only question before unauthorised withdrawals start to occur! All of those people and businesses have embraced strong authentication across multiple vectors of their daily life, not only accessing bank accounts but also entering and leaving buildings, controlling network access availability and much more.

So why do we hear about local and central governments still having unsecured, unencrypted, easy-to-access systems, files, folders, PCs and more, particularly when the solution to this issue is not only simple to employ but no longer costs the earth and near integrates with your entire world at the flick of a switch or press of a button?

Thank you for the interesting (and worrying) article, Ashley, and please catch up, US Government: lead by example and “sprint” towards where you should already be.

For more information on how Strong Authentication could benefit you or your organisation you can always take 10 minutes to respond to AssessMy Strong Authentication HERE. As a reward AssessMy and HID Global will send you a bespoke executive report identifying your Authentication operational strengths and weaknesses to help you 'get to great'.

Cyber Security for the Future: What can we learn from academia?



The true value of academic life passed me by when I was at school and especially during my university years, to the point where I could have missed that whole period out from my life and I would be in a similar position and role as I am now (without being able to read or write but otherwise similar).

Today, many more courses are vocational in a way that means that students who have a good idea as to the employment direction they wish to go in can accelerate those opportunities in ways that 30 years ago were just not possible. Universities that were previously the crème de la crème for English Language, Physics, Veterinary sciences or History now additionally offer International Business, Game design and Cyber Security.

One of the more complex aspects of a CIO or CISO’s work life is keeping ahead of the hackers, criminals and disgruntled employees and off the front page of the Wall Street Journal or Financial Times. Nothing kills a stock valuation faster than the loss of 1.2 million customers’ details. This is something that will keep a security admin up at night, and companies spend significant funds on solutions, consultancy and services to limit the likelihood of this ever happening to them, and yet it still does.

A quick review of the latest Stanford University Cyber Security course shows the degree of complexity that students are learning about today to defend against those attacks in the future, and it makes for interesting reading. Cryptography, National Security, Operating Systems and Bitcoin encryption are just a few of the topics on the syllabus. However, any course of this ilk is structured, planned and in many ways static for at least a year or more, while the folks on the other side of the fence, who may well have started on a course similar to this, can range and explore every corner of the web for the latest and scariest Cyber Threats, which can then be adapted and morphed into whatever imaginative daemon their skills will allow them to create.

So where does that leave the CISO? Best practice is effectively out the window: systems have to evolve, technologies innovate and experiences need to be shared. The Cloud security market has exploded in the past 24 months, with a multitude of security companies taking shared experience and knowledge from multiple customers globally and comparing and contrasting those scenarios to reduce the overall impact any specific Cyber Attack can create.

The largest system integrators have an even greater advantage because not only do they see the pure data but they also engage and communicate with those customers on a daily basis, learning and sharing those best practices while creating case studies and disaster recovery plans for customers who have been or are going through the latest threats, so that the next clients will learn from all that experience.

The combination of true Academic excellence and a defined learning process, interacting and merging with past masters who have literally 1000s of hours of joint experience, makes vendors like Intel Security, Kaspersky Lab, Trend Micro, Symantec and Sophos the go-to contacts for businesses of all shapes and sizes to ensure they don’t end up on the front page of their national press.

To discover your Cyber Security unknowns in the comfort of your own office with a cup of coffee, take just 10 minutes to complete AssessMy Cyber Security HERE. Your response is secure and you will instantly see anonymised benchmarking information and a high-level view of your key Cyber Security operational strengths and weaknesses. As an additional reward Dimension Data will also send you a bespoke Cyber Security executive report indicating the areas you should be focusing on today to limit your own threat of attack. Don’t wait for tomorrow, do what you can do today.

Friday 21 August 2015

Mothers go offline due to DDoS


On the evening of Tuesday the 11th of August the inconceivable happened: Mumsnet was taken offline, albeit only for hours, by an apparently disgruntled father, @dadsecurity, using a Distributed Denial of Service (“DDoS”) attack.

The response to this attack was two-fold. Firstly, Mumsnet’s service provider increased the bandwidth and server capacity to cope with the attack. Secondly, in a seemingly related threat, @dadsecurity resorted to a swatting attack, normally reserved for the very rich and famous, in which the police are told a violent, armed incident is occurring at the address of the target and rush round in full body armour, armed to the teeth, to apprehend the suspects; this is what occurred at the Mumsnet founder’s house.

The reason for these incidents and the underlying motivation is something that will no doubt become clear over the coming weeks and months, most probably in court, when @dadsecurity will be unceremoniously unveiled, as will surely happen. The fact that an unhappy member of the public can effectively remove the target of his hatred from the web, in this instance Mumsnet, by deploying a home-grown or purchased DDoS attack is certainly concerning.

These stories are becoming more and more regular as the ability to create these DDoS storms or attacks becomes easier to achieve, even from a home office or purchased from the dark web. My primary concern is not the effect or even the cause but the response: adding server capacity, changing firewall settings, increasing bandwidth and disconnecting cables all might have a short-term impact on the threat, but in the medium to long term they are like trying to catch raindrops so they don’t wet the ground; it just isn’t going to happen. The top IT networking and security companies understand this and either partner with specific DDoS mitigation companies, buy them or steer well clear of the problem. A denial of service attack can be infinitely increased in a very short period of time and can be sustained indefinitely, and I don’t use either descriptive word lightly. The weight of a DDoS attack can be crippling to any size of organisation or entity, including central governments, so what hope does a hosted website for mums have to defend against a determined attacker?

What is worse is that specialist DDoS mitigation security companies like Arbor Networks consistently prove that a DoS attack is statistically just a cover for some other web-based threat, and in the Mumsnet scenario it appears to be just that. As a follow-up, @dadsecurity claims to have stolen user data, and since then unauthorised posts have been made by administrative users which have later been found to be fraudulent. All this is yet more proof that DDoS mitigation is the front line for preventing fraud and a host of hacking, theft and damaging online threats.

Mumsnet is not the first, and most certainly will not be the last, but dedicated DDoS prevention solutions would have limited the impact, and potentially removed the threat entirely, by blocking the data in the cloud or at least reducing the impact on the service provider thereby buying more time for the smart IT folks to lock down the Mumsnet servers preventing the follow-up threats.

See the original Mumsnet post here.

For more information on how true best in class DDoS mitigation would benefit you or your organisation you can always take 10 minutes to respond to AssessMy DDoS Mitigation here.
As a reward AssessMy and Arbor Networks will send you a bespoke Executive report identifying your DDoS operational strengths and weaknesses to help you get to great.