SRM Blog

Multi Factor Authentication – why is this something that is so commonly misunderstood?

“The single biggest problem in communication is the illusion that it has taken place.” said George Bernard Shaw. This can be true in so many aspects of life and unfortunately, it is all too often reflected within the world of Information Security. It is common for many of us to think we have got to grips with a solution to a problem, only to realise half way through that the problem is not quite as we envisaged.

Take the case of “Multi Factor Authentication” (MFA), meaning the use of multiple methods of authenticating ourselves to one another, or to a computer system or application. We had all become used to the phrase “Two Factor Authentication”, meaning that we need two different credentials to provide this authentication. Seems simple enough to extend this out to “Multiple” means of authentication, right?

Well – as it turns out, this is still an area that causes confusion, even before we changed the wording to make things even more vague! So, what is the problem? Let’s go back to the start.

We all use MFA without giving it much thought on a regular basis. Whenever we go shopping or take money out from an ATM, we are using MFA. In short, in any Chip and Pin transaction there must be multiple authentication methods, and these usually fall into the following categories:

  • Something you know (such as a password or PIN)
  • Something you have on your person (such as a Bank card or a USB stick generating a Token)
  • Something you inherently are (such as a biometric like fingerprint or retinal scan)

When accessing a system that requires you to authenticate yourself in more than one way we present two or more of these values to the authentication system. So why is there still confusion?

Well – it is easy enough to get this mixed up. Take the following scenario into consideration: “I log onto a system with my username and password, and then I access a database application with a separate username and password. That is Multi Factor, isn’t it?” – NOPE! This is a single factor being used multiple times, and it is often the cause of much confusion.

In order for Multi Factor Authentication to be truly implemented, at least two of the above means of authenticating yourself must be presented as part of the same logon procedure. So I present my username and password to my access application, which then also requests my fingerprint. This is two factor authentication. MFA is any access method that requires two or more distinct authentication factors.

In the case of the trip to the shops, when I purchase something I present my payment card (something I have) and then I must enter my PIN (something I know). That is two factor authentication. Apple Pay brings in another element in that it uses biometrics as the second factor, which is another step up the security ladder.
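The distinction the post draws is between counting credentials and counting factor categories. The following check is an added illustration, not code from the SRM post; the credential-to-category mapping is a hypothetical one constructed for the example.

```python
# Added example (not from the SRM post): a logon is multi-factor only when
# the presented credentials span two or more *different* factor categories,
# however many credentials are presented.
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # bank card, hardware token
    INHERENCE = "something you are"     # fingerprint, retinal scan


# Hypothetical mapping of credential types to factor categories.
CREDENTIAL_FACTORS = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "payment_card": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "pin_reader_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "retina_scan": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTORS]
    if unknown:
        raise ValueError(f"unclassified credential types: {unknown}")
    return {CREDENTIAL_FACTORS[c] for c in credentials}


def is_multi_factor(credentials, minimum=2):
    """True only when at least `minimum` different categories are presented
    in the same logon; repeating one category does not count."""
    return len(distinct_factors(credentials)) >= minimum


if __name__ == "__main__":
    # Scenario from the post: system password, then a separate database
    # password. Two credentials, one category: not MFA.
    print(is_multi_factor(["password", "password"]))     # False
    # Username/password plus fingerprint: two categories, MFA.
    print(is_multi_factor(["password", "fingerprint"]))  # True
    # Chip and PIN: card (have) plus PIN (know).
    print(is_multi_factor(["payment_card", "pin"]))       # True
```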

This is something that will affect us all in our daily lives as security tightens up to reduce identity theft and online fraud. How many of us have been given a PIN reader for use with our online banking accounts? This is generating a ‘second factor’ token for you to use alongside your password.

The PCI DSS version 3.2 now requires the use of Multi Factor Authentication for administrators accessing Payment Card systems from within the local network. MFA was previously reserved for remote access but the additional security that MFA brings is such that it is a useful tool, even from within trusted systems.

So, MFA is here to stay and when it is implemented well it should be easy and intuitive to use. There are lots of solutions out there, so finding one that suits your needs should no longer be a barrier to increased security.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Promoting and Protecting your Identity

How much control is too much when it comes to social media?

Organisations spend millions on their marketing campaigns in the hope and expectation of raising brand awareness and increasing publicity. However, one seemingly innocuous tweet sent by an employee has the potential to give an organisation all the publicity and attention they could ever want – just with the spotlight focusing in the wrong area.

Managing employee usage of social media is a growing concern for organisations worldwide. Many social media platforms give users the option of stating where they work. If an employee decides to share this information, their behaviour could be considered reflective of who they work for. The information could provide an insight into what kind of people that organisation hires and what they find acceptable, and thus into its morals and culture. Essentially, this gives employees the leverage to make or break a brand’s image. This topic is just as important whether or not an organisation has a social media presence of its own – effectively, their employees create a presence by virtue of their own online activity.

In 2013, a single tweet ended Justine Sacco’s career as Communications Director of the New York-based internet empire IAC. She posted the tweet before boarding an 11-hour flight to South Africa, and it received over 2000 retweets whilst she was in transit – she’d become an internet phenomenon before she’d even landed. Justine was subsequently fired by IAC, a move taken in order to protect their own brand image.

Sacco’s story is an extreme case, but the incident has become a byword for the need for people to be cautious about what they post on social media. However, seemingly innocuous posts could still do a lot of damage to an organisation’s brand image. Complaining about working conditions could deter future applicants; posting sensitive information could affect the company strategically; and general online behaviour could reflect badly on the company’s culture.

Many social media users are now keen to highlight the fact that “all views are my own”; however, these kinds of disclaimers will not prevent your employer from firing you if you say something that reflects badly, and they are not going to prevent people from associating your views with your employer.

Social media policies are being introduced throughout organisations large and small, and we’ve listed a few things to consider when creating these policies:

  • Creating a safe space for employees to speak about concerns goes a long way. Having an outlet for grievances within the organisation reduces the chances that employees will express any negative information online.
  • It is worth defining what is considered to be confidential/sensitive information. The assumption that all employees will generally know this is a dangerous one to make.
  • It may also be worth discussing involvement in illegal online activity. Warn employees against engaging in any illegal activity, and remind them to respect others’ copyright and trademarks when online for both personal and professional reasons.

If the UK votes to leave the EU, will we still have to comply with GDPR?

The 23rd June referendum is fast approaching and it is getting increasingly difficult to get simple answers to simple questions. As we think about how we will vote, just one of the things to consider is the raft of regulations and directives in the EU pipeline which could have a significant effect on us in the UK. The most high profile on the cyber security agenda is the General Data Protection Regulation (GDPR). This is due to come into effect on the 25th May 2018 when it will become law across all 28 member states, without the need for member states to pass local legislation. But will we be bound by GDPR if we leave the European Union?

Most businesses are looking for a simple answer. Yes or No. If Britain votes to remain in the EU then it’s very simple indeed: the GDPR will become law in the UK as well as all other member states and we will have to comply.

But what happens if Britain votes for Brexit and leaves the EU? Will we then be able to ignore the regulation and just adhere to the 1998 UK Data Protection Act? The answer to this is equally simple: no. Because GDPR applies to any country processing EU data, regardless of the outcome of the referendum, it will impact on virtually every UK business. For the vast majority of us, there is simply no avoiding it: we will need to get into a position of compliance.

Because, when it comes to GDPR, it’s not about where data is held that matters, it’s whom the data is about. If the data is about EU citizens then companies have to comply with the regulation no matter where they are in the world.

So the fundamental questions all organisations need to ask are:

  • Do we do business with anyone in the EU?
  • Do we store or process any personal data as part of that?
  • Do we employ any EU citizens within our organisation?

If the answer to any of these questions is yes then it’s a yes to GDPR compliance. But even if the answer is no, there are some additional political factors to take into account which make GDPR compliance unavoidable. Consider the following scenarios:

The first scenario is that the Brexit process takes several years to come into effect, meaning that on 25th May 2018 the GDPR will be invoked into national law and every organisation will have to comply regardless. This will only change if the Government subsequently passes new legislation repealing the GDPR and creates a UK specific Data Protection law.

In the second scenario, the process of separation is swifter than expected and we effectively leave the EU before 25th May 2018. In this case, it’s likely that the GDPR will not become law, but other factors will come into play, namely whether the UK remains a member of the European Economic Area (EEA). If we do, then there will be a mandated requirement to comply with GDPR as prescribed in the Treaty on the Functioning of the European Union.

Even if we choose to not remain part of the EEA, any transfer or processing of EU data will only be permitted if the EU Commission deems the UK to have adequate Data Protection regulations in place. This is often referred to as “Safe Third Country” status. If we are deemed not to be a “Safe Third Country” then any UK organisation processing the personal data of EU citizens will need to examine ways to change how they operate to ensure they comply with EU law. Which means we’re back to GDPR.

So, the answer is simple. Whatever the outcome of 23rd June 2016, UK organisations need to ensure they are prepared and in a position to comply with the GDPR. Professional advice will ensure that you do this in the most cost effective and efficient way possible.

The Unreliability of Technology

“Technology is so unreliable” is a phrase you often hear after something goes wrong at a critical moment. One of the greatest misconceptions is that our day to day devices are designed to be reliable. Due to this misconception, organisations are often strategically unprepared when breaches and system failures occur, despite considerable investment in sophisticated IT departments. If senior management took the time to understand the foundations of the platforms their businesses are built on, they would understand that it is almost impossible for technology to be completely reliable.

Understanding the history of the Internet will tell you that it was not built with business in mind. It was a solution for researchers who wanted a cheap, fast and easy way to communicate and share data. Like many developers, they worked to solve their own problem, and didn’t think about what else might be possible with their achievements. They could never have imagined that ordinary businesses and consumers would rely on it every day. Furthermore, they could never have thought that this technology would become critical to the competitiveness of some of the most powerful organisations in the world. We are often so dazed by the benefits the Internet can offer us that we forget it was not designed for what we use it for today. It was not built with security or privacy in mind, and this is the source of many of the threats we face.

Simply put, the Internet is a network of connected computers. If we accept that a chain is only as strong as its weakest link, then we must accept the fact that the internet can never be completely safe. The internet connects powerful, up to date and secure computers with poorly managed, outdated and insecure computers. Hackers will deploy attacks through the weakest link. Tyler the intern, who brings his own laptop to work, doesn’t think it’s a big deal to put off that security update for a couple more days. What he doesn’t realise is that he’s left the door wide open for a hacker to take advantage of – most exploits are designed to take advantage of unpatched computers.

No matter how much time and resource you dedicate to cyber security, your organisation’s security is only as strong as Tyler’s laptop. However, if you don’t allow home devices on the network and you think this gets you off the hook, think again!

Attackers focus on the flows of data from one part of a computer to another, so both hardware and software need to be managed well. The hardware you use to conduct day to day operations isn’t always built for safety or reliability.

A lot of hardware companies aim to build cheap, quick and profitable solutions, and once new models are introduced, some companies accept that the bugs left over in older models are not worth investing any more time in and move on to their next product. Thus old, unsupported hardware is a threat to your organisation.

It is no longer a matter of if a breach will occur, but when. Not only is it important to protect yourselves now, but it is also important to protect the ability to protect yourselves.

Up to £1,500 available to Scottish SMEs to develop Cyber Resilience

Businesses in Scotland can receive up to £1,500 to help develop their cyber security as part of a Cyber Resilience Programme. The Digital Scotland Business Excellence Partnership (DSBEP) has delivered a number of projects over the years, mainly designed to encourage Digital Participation. Its latest project is the Cyber Resilience Programme, which helps businesses participate in a safe manner.

According to Digital Scotland vulnerability applies to: ‘Any company that relies on computerised systems for payroll, marketing via social media or a website, booking systems, databases of customer details including payment details and/or any Intellectual Property or Patent information that could be of value. Companies can also be targeted as a route in to businesses who they supply goods or services to.

‘A business does not need to be specifically targeted to become a victim; cyber criminals constantly scan websites, systems and/or devices to detect vulnerabilities. Therefore, if you are not taking the appropriate steps, you will flag up as an easy target during this scanning process.’

The first element of the programme is the Cyber Resilience Toolkit which brings together current information for businesses on how to be cyber resilient. Workshops promoting the Toolkit will be run from June 2016 to September 2016.

The second element is the Cyber Resilience Voucher which delivers up to £1,500 to eligible companies to secure the services of an industry expert to help them develop a cyber security strategy together with assistance in the self-assessment required for Cyber Essentials UK Government Standard.

The Cyber Resilience Voucher is available to businesses that are based in Scotland, meet the definition of an SME and are VAT registered. For more information see http://www.etag.org.uk/wp-content/uploads/2016/05/Cyber-Resilience-FAQs.pdf