protecting from within


Upload: mark-thomson

Post on 19-Sep-2016


Page 1: Protecting from Within

feature


passwords, login userids and passwords, application userids and passwords, Internet userids and passwords, online passwords to subscription based information services and, indeed, any and all other combinations of userids or passwords imaginable. The userids and passwords are captured exactly as they are typed, before any layer of encryption or concealment can be added. In effect, this device provides a cast-iron guaranteed method by which passwords may be intercepted — not via a network or on the server — but between the keyboard and the console!

If this were not disconcerting enough, this device does not impair or affect the resident system’s functionality and it is invisible at the user interface. It cannot be detected using security software and its presence is completely transparent to the user. The key logging hardware can be connected to a target computer in a matter of seconds, and starts intercepting keystrokes entered into the subject computer immediately, without the need to load any software, or adjust any of the computer’s hardware settings. This makes installation nearly effortless. The device has no moving parts, no settings or switches and it requires no batteries or external power supply.

The software necessary to analyse the key logging data captured by KeyGhost installs on to a designated inspection computer in seconds and is faultless at extracting the recorded keystrokes to a readily intelligible log file. The device is capable of storing up to 2 000 000 keystrokes. This equates to approximately one year’s worth of intense user activity. Versions of the device are available that provide 128-bit encryption, rendering the recorded log files secure against unauthorized browsing.

In its basic installation, KeyGhost is shipped as a discreet module that is placed between the keyboard plug and the computer. In truth, a careful visual inspection by a knowledgeable computer user would thus reveal the device. However, the technology can also be placed inside the keyboard making it completely invisible to the user. It can also be purchased pre-installed in a full keyboard. The manufacturer states that it is developing a version capable of transmitting the captured keystrokes on a target computer in real-time to a remote receiver.

In addition to demonstrating profound security vulnerabilities, the potential uses for hardware keyboard monitoring are abundant. Augmenting its obvious investigative applications, the KeyGhost also serves as a comprehensive backup device for anybody writing extensive essays, reports or dissertations. In the event of a hard disk failure or file corruption or loss, the user would simply download the recorded log-file and recreate any lost data, word for word.

In conclusion, KeyGhost is an extremely effective tool for conducting covert computer investigations and should dumbfound and unnerve anyone complacent or foolish enough to believe that a simple password-based authentication regime is secure.

On the flip-side, these devices are potentially extremely dangerous if they fall into the wrong hands. Armed with this technology, a computer fraudster could cut through many bank security systems like the proverbial knife through butter.

For information about commercially available keyboard monitoring hardware, see www.keyghost.com (KeyGhost) and www.microspy.com (MicroSpy)

References
1 Electronic Funds Transfer Systems
2 One-time passwords are generated by devices such as SecurID from RSA Security Inc. (www.rsasecurity.com)
3 In the author’s experience, the passwords necessary to access computer systems are written down in the immediate vicinity of the machines involved on approximately three percent of occasions.
4 This is the case even if the target computer employs access control software or biometric authentication systems.
5 Raise, Authorize and Release are discrete, segregated functions allocated to separate custodians in order to enforce control and supervision within payments systems.
6 (Basic Input Output Services). These are power-on (hardware-based) passwords.

Data Genetics International Limited
7 Adam Street, London WC2N 6AA
Switchboard: +44 (0)20 7520 9384
Fax: +44 (0)20 7520 9385
Direct: +44 (0)20 7520 9386/7
www.dgiforensic.com

Protecting from Within

Mark Thomson, Eltron

Security — It’s the bugbear of every company because so many threats to business integrity exist. Most organizations focus on external threats to their operations, spending time — and extensive budgets — building firewalls, fighting viruses, etc, owing to widely held beliefs that the external threats are rife.

Since 11 September, it’s an assumption that has spread, but that’s just it — an assumption. According to the Office of National Statistics, between March and May 2002, 734 000 people in the UK were employed on a contract basis. And within UK plc, £40 million a day is lost to corporate fraud. An astonishing number, particularly when 80% can be attributed to employees.

There is an old cliché — ‘charity begins at home.’ Surely senior level executives should take a similar view; after all, £40 million is no small sum and there are a number of areas where internal security can be drastically improved. For starters, think about access to your building. Some form of ID process doubtlessly exists, yet these are often ineffective as they may rely on nothing more than signing-in books. ID access control systems using a card swipe to gain access, however, can be implemented for a far greater ROI than so-called trendy security solutions such as biometrics. Not only are the initial outlay and running costs significantly lower, but

Page 2: Protecting from Within


card printers are now desktop peripherals and as easy to use as any PC printer. This allows security systems to link with PC-based employee information – meaning specific employees are granted access to certain areas of a building. It’s not just about signing in; the key element is ‘permission granting’.

But take it a stage further. Companies hold so much data on their networks, much of which is critical to work in progress, or relating to internal financial issues. Maintaining this data is now rightly seen as critical for organizational success and is encapsulated in the term Knowledge Management that is central to many CRM programmes. However, part of Knowledge Management is to ensure that the right people have access to the right information for their role. Most organizations simply assign passwords to enable full network access. Surely it makes sense that, say, only those in the finance department have secure access to payroll information. And in terms of contractors, where does their loyalty really lie? How can you be sure that what they learn from you won’t be repeated in a few weeks’ time to impress bosses at a rival organization? In the same way that access to your building is controlled, you can easily create access control for your networks.

Your solution could even be to combine the two. The card that is created to give an employee or contractor access to certain areas of the building could very easily be encoded (using the magnetic strip, smart chip or proximity chip) to provide controlled systems access, as well as access to many other facilities such as vending and canteen.

And it doesn’t have to be a complex procedure. You could undertake a review of the latest technologies and opt for biometric access control. But what of the cost? These systems have been tried, but not always successfully; one airport recently abandoned their trial as mistaken identity occurred 47% of the time. Implementation, staff training, encoding network data — the cost added up, only to be rejected before the trial was complete. Alternatively, you could maintain a simple Windows password. Most users are comfortable with this option, but therein lies the problem. It’s too commonplace and open to abuse.

The solution lies in combining factors that people accept. Finance directors need to see the cost benefit — and let’s face it, nothing can be done in the current climate without their say-so. And, importantly, the legitimate end-user needs to be able to conduct their work unhindered. We conducted a survey recently in which 73% of people claimed ownership of more cards than can fit in their wallet, 86% of which had magnetic strips. So, card-based technology, in other words, is accepted and commonplace. All that a company would need is to connect a swipe-machine to their PCs and upon employment, provide each staff member with an ID card giving access to the area of a network that they require — and no more. Ensure the swipe/ID card is password enabled and you have one card, two levels of protection and no additional expense for the implementation because these systems are plug-and-play enabled. A live example exists at the University of Cambridge’s Management Information Services Division where a single card gives permission-based PC, network, photocopying access and building security. All this and in so doing the department can monitor its expenditure.

Far from being restrictive, the scheme highlights how a well-handled security solution actually empowers employees. It allows them in, and keeps those who could perpetrate fraud, out.
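The "one card, two levels of protection" scheme described above, sketched as an added example that is not from the article or any vendor: a card is checked against the areas encoded for its holder, and network areas additionally require the card's password. The card numbers, area names, passwords and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample policy (assumption): areas prefixed "net:" are systems
# access and need card + password; doors and vending need the card only.
PASSWORD_AREAS = {"net:payroll", "net:projects"}
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def issue_card(registry: dict, card_id: str, password: str, areas: set) -> None:
    """Encode a card for exactly the areas the holder's role requires."""
    salt = os.urandom(16)
    registry[card_id] = {"salt": salt, "pw": hash_password(password, salt),
                         "areas": frozenset(areas), "revoked": False}

def authorize(registry: dict, card_id: str, area: str, password: str = "") -> bool:
    """Deny by default: the card must exist, be unrevoked and list the area;
    systems access also needs the matching password."""
    card = registry.get(card_id)
    if card is None or card["revoked"] or area not in card["areas"]:
        return False
    if area in PASSWORD_AREAS:
        candidate = hash_password(password, card["salt"])
        return hmac.compare_digest(candidate, card["pw"])  # constant-time compare
    return True  # doors, vending, canteen: possession of the card is enough

def demo() -> dict:
    registry = {}
    issue_card(registry, "C-1001", "s3cret-A", {"door:main", "door:finance", "net:payroll"})
    issue_card(registry, "C-2001", "s3cret-B", {"door:main", "net:projects"})  # contractor
    results = {
        "finance_payroll": authorize(registry, "C-1001", "net:payroll", "s3cret-A"),
        "card_with_wrong_password": authorize(registry, "C-1001", "net:payroll", "guess"),
        "contractor_payroll": authorize(registry, "C-2001", "net:payroll", "s3cret-B"),
        "contractor_front_door": authorize(registry, "C-2001", "door:main"),
    }
    registry["C-2001"]["revoked"] = True  # contract ends: one switch closes every area
    results["contractor_after_revocation"] = authorize(registry, "C-2001", "door:main")
    return results
```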

Data Integrity Assurance in a Layered Security Strategy

Ian Tickle, UK manager, Tripwire

The security industry generally places most emphasis on dealing with threats from external sources, that is, from outside the corporate network. Companies are encouraged to implement firewalls and perimeter defence tools to keep intruders out. Network administrators monitor traffic for abnormal events, raising the alarm as soon as a suspicious email attachment is spotted. So it is fair to say that there is a general assumption that security threats come from outside.

In reality these are valuable measures to take to protect corporate information from unauthorized access, however what they can’t do is protect electronic assets from internal breaches of security, whether those be intentional or accidental. The fact is that none of the highly publicised security measures are able to recognize the desired state of data within the corporate network and revert to this state immediately, should an unauthorized change occur.

The truth is, no security strategy is complete without measures to safeguard data integrity. Only with comprehensive data integrity assurances in place to work alongside other perimeter defence products can a company truly feel that they are achieving maximum protection for their data assets.

A layered security strategy

A complete security strategy should be layered. If we take the security of a house
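The idea in this article of recognising the desired state of data and reverting to it after an unauthorized change can be shown in a few functions. This is an added example, not code from the article or from Tripwire; the file names and contents are constructed sample data, and the known-good store is assumed to live outside the monitored tree.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def snapshot(root: Path, store: Path) -> dict:
    """Record the desired state: a hash per file plus a known-good copy."""
    baseline = hash_tree(root)
    for rel in baseline:
        (store / rel).parent.mkdir(parents=True, exist_ok=True)
        (store / rel).write_bytes((root / rel).read_bytes())
    return baseline

def check(root: Path, baseline: dict) -> dict:
    """Report every deviation from the baseline as modified, missing or added."""
    current = hash_tree(root)
    report = {rel: "modified" if rel in current else "missing"
              for rel, h in baseline.items() if current.get(rel) != h}
    report.update({rel: "added" for rel in current.keys() - baseline.keys()})
    return report

def revert(root: Path, store: Path, baseline: dict, report: dict) -> None:
    """Restore the desired state, verifying each known-good copy before use."""
    good = hash_tree(store)
    for rel, status in report.items():
        if status == "added":
            (root / rel).unlink()  # not part of the desired state
            continue
        if good.get(rel) != baseline[rel]:
            raise RuntimeError(f"known-good copy of {rel} failed verification")
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes((store / rel).read_bytes())

def demo() -> tuple:  # constructed sample data: one file altered, one deleted, one planted
    with tempfile.TemporaryDirectory() as tmp:
        root, store = Path(tmp, "data"), Path(tmp, "store")
        (root / "finance").mkdir(parents=True)
        (root / "finance" / "payroll.csv").write_text("alice,3000\n")
        (root / "readme.txt").write_text("v1\n")
        baseline = snapshot(root, store)
        (root / "finance" / "payroll.csv").write_text("alice,9000\n")
        (root / "readme.txt").unlink()
        (root / "planted.txt").write_text("unexpected\n")
        report = check(root, baseline)
        revert(root, store, baseline, report)
        return report, check(root, baseline), (root / "finance/payroll.csv").read_text()
```

In a real deployment the baseline and known-good copies would sit where the monitored hosts cannot write to them, and unexpected files would be quarantined rather than deleted so they stay available for investigation.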