Wikipedia describes authentication as "the act of establishing or confirming something (or someone) is authentic, that is, that claims made by or about the subject are true. In the world of cyber security, authentication is a process based upon three factors; 1. Something you know (Password, PIN, etc.), 2. Something you have (security token, ID card, etc.) and/or 3. Something you are (fingerprint, retinal pattern or DNA sequence). A typical logon process contains both identification (user id) and authentication (as discussed above).
So, with all of these security measures in place to identify and authenticate users, why are the so many successful cyber attacks? How is it that a cyber criminal can both identify and authenticate themselves as someone they aren't? If authentication is the act of confirming something to be authentic, it seems to me that we either have no current technology that is actually a true measure of authenticity or we aren't using what we have correctly. Once a cyber criminal has exploited a vulnerability and installed some malware containing a bot or keylogger, it is only a matter of time before they can harvest much of the users identification and authentication information. It seems to me that passwords and/or pins are no longer valid forms of authentication, and I am perplexed that most financial institutions still use them. Two-factor authentication such as security tokens provide an extra layer of assurance, but even these aren't fail proof.
I guess what concerns me about authentication is that there is really only one solution, and that will no doubt require serious ideological debate. To establish 'authentic authentication', the only answer is DNA linkage to the identity of the user.... genetic validation. To reach this level of authentication will require serious progression in the linkage of technology to the human genetic fingerprint. Something to think about...
Monday, February 22, 2010
Sunday, February 21, 2010
Cyber Shockwave...CNN's simulated meltdown
So, like many of you I tuned into the CNN Presents program, "Cyber Shockwave" with interest. I guess my initial thought is that of disappointment and concern. The panel of experts didn't exactly leave me with that "everything is going to be Ok" feeling, quite the contrary. I guess the most disturbing thing was the notion that these leaders appeared to be ready and willing to abandon current legal statutes without regard to the precedence that these decisions could be setting. There is a reason why we haven't nationalized the telecom industry or that the 3,000 various utility providers in the country are self managed. I do agree that more could and should be done by our elected officials to ensure that our critical infrastructures are protected ...including the Internet, which I believe is an absolutely critical component of our national security. However, I don't think the federal government should be in the position to nationalize all sectors of industry with the notion that it is the only way to protect us from a cyber attack. The exercise, although somewhat unrealistic, was nonetheless thought provoking and so I must give them credit for that.
I suppose there is need for new legislation to ensure people aren't intentionally or unintentionally creating more problems by failing to patch their computers regularly, or by refusing to incorporate some level of self-imposed security protections, such as anti-virus software and the like. Maybe, the time has come to require periodic checks of laptops and PC's by a state run organization...much like the annual emissions test on vehicles.
Hey, we could all bring our computer to the local Department of Internet Access and get that annual security scan?
I suppose there is need for new legislation to ensure people aren't intentionally or unintentionally creating more problems by failing to patch their computers regularly, or by refusing to incorporate some level of self-imposed security protections, such as anti-virus software and the like. Maybe, the time has come to require periodic checks of laptops and PC's by a state run organization...much like the annual emissions test on vehicles.
Hey, we could all bring our computer to the local Department of Internet Access and get that annual security scan?
Hello World!
As is often the case when learning a new programming language, the first program is a simple one. I felt it prudent therefore that the title of my initial blog entry should be "Hello World!"
Subscribe to:
Posts (Atom)