Monthly Archive September 2016

VirtualCISO: the philosophy of product development

The Dalai Lama said: ‘When you talk, you are only repeating what you already know. But if you listen, you may learn something new’. It is, of course, doubtful that he was thinking of the world of information security when he came up with these words of wisdom, but they can and do apply to all of us involved in this constantly evolving industry. And nowhere more so than in the sphere of product development. After all, coming up with a product or service because it makes sense to the developer is a bit like repeating what you already know. Whereas, working on a new service with major input from existing clients, responding to a genuine gap or problem, will in turn meet a genuine need.

That is how SRM set about developing its VirtualCISO™ service. As an organisation, we do not sell products or impose structures on clients; we work with them. And through this approach, we build good working relationships based on a thorough knowledge of their businesses and the understanding that we are there to support, guide and facilitate them in achieving their goals. Our consultants never sell services or products their clients do not need. In short, they don’t talk; they listen.

So it was a natural development when our consultants were increasingly hearing requests from Chief Information Security Officers (CISOs) for support with their roles. At one end of the spectrum are those who simply want the whole problem effectively managed by an expert team. Others know what they need but want strategic guidance for long term plans or support in the board room. As the world of cybersecurity has become increasingly challenging, so has the role of the CISO. In blunt terms, the buck stops with them, and that is particularly daunting when that individual is to be held accountable for any single breach of the company’s defences.

Through collaboration and listening we know that the challenges faced by different CISOs vary. But by pooling the accumulated wisdom of their collective experience, as well as the knowledge of our highly experienced consultants, we are developing a service which will provide users with an unrivalled resource to address specifically identified existing problems while also enabling them to pre-empt potential future issues.

After a development phase lasting many months, we are delighted to be able to say that the VirtualCISO™ will soon be launched to a wider market. We have worked with, listened to and responded to the needs of all types of business: large corporates, SMEs and micro businesses as well as national government, health and educational institutions. And while their specific requirements may vary, the VirtualCISO™ has been developed to be flexible and responsive to this wide range of need.

Look out for an announcement at the beginning of Q4 2016 that the VirtualCISO™ is live. If, in the meantime, you would like to be involved with the last stages of product development or have any specific questions, please contact us.

Multi Factor Authentication – why is this something that is so commonly misunderstood?

“The single biggest problem in communication is the illusion that it has taken place.” said George Bernard Shaw. This can be true in so many aspects of life and unfortunately, it is all too often reflected within the world of Information Security. It is common for many of us to think we have got to grips with a solution to a problem, only to realise half way through that the problem is not quite as we envisaged.

Take the case of “Multi Factor Authentication” (MFA), meaning the use of multiple methods of authenticating ourselves to one another, or to a computer system or application. We had all become used to the phrase “Two Factor Authentication”, meaning that we need two different credentials to provide this authentication. It seems simple enough to extend this out to “multiple” means of authentication, right?

Well – as it turns out, this is still an area that causes confusion, even before we changed the wording to make things even more vague! So, what is the problem? Let’s go back to the start.

We all use MFA on a regular basis without giving it much thought. Whenever we go shopping or take money out from an ATM, we are using MFA. In short, in any Chip and PIN transaction there must be multiple authentication methods, and these usually fall into the following categories:

  • Something you know (such as a password or PIN)
  • Something you have on your person (such as a Bank card or a USB stick generating a Token)
  • Something you inherently are (such as a biometric like fingerprint or retinal scan)

When accessing a system that requires us to authenticate ourselves in more than one way, we present two or more of these values to the authentication system. So why is there still confusion?

Well – it is easy enough to get this mixed up. Take the following scenario into consideration: “I log onto a system with my username and password, and then I access a database application with a separate username and password. That is Multi Factor, isn’t it?” – NOPE! This is a single factor being used multiple times, and it is often the cause of much confusion.

In order for Multi Factor Authentication to be truly implemented, at least two of the above means of authenticating yourself must be presented as part of the same log-on procedure. So I present my username and password to my access application, which then also requests my fingerprint. This is two factor authentication. MFA is any access method that requires two or more authentication factors.

In the case of the trip to the shops, when I purchase something I present my payment card (something I have) and then I must enter my PIN (something I know). That is two factor authentication. Apple Pay brings in another element in that it uses biometrics as the second factor, which is another step up the security ladder.

This is something that will affect us all in our daily lives as security tightens up to reduce identity theft and online fraud. How many of us have been given a PIN reader for use with our online banking accounts? This is generating a ‘second factor’ token for you to use alongside your password.

The PCI DSS version 3.2 now requires the use of Multi Factor Authentication for administrators accessing Payment Card systems from within the local network. MFA was previously reserved for remote access but the additional security that MFA brings is such that it is a useful tool, even from within trusted systems.
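As an added illustration of the point made earlier (two credentials from the same category, even across separate log-ons, are not MFA) and of the administrator-access rule described in the PCI DSS paragraph, the following Python is my own example and not SRM’s code; the credential-to-category mapping and the simplified policy rule are assumptions made for the example.

```python
from enum import Enum

class Factor(Enum):
    """The three factor categories listed in the post."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Assumed mapping from credential type to factor category (constructed for this
# example; it is not taken from PCI DSS or any vendor documentation).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "bank_card": Factor.HAVE,
    "pin_reader_code": Factor.HAVE,  # one-time code from a bank's PIN reader
    "fingerprint": Factor.ARE,
}

def distinct_factors(credentials):
    """Factor categories covered by the credentials of ONE log-on procedure."""
    return {CREDENTIAL_FACTOR[c] for c in credentials}

def is_multi_factor(credentials):
    """MFA means two or more DIFFERENT categories in the same log-on; a second
    password (or a PIN after a password) adds a credential, not a factor."""
    return len(distinct_factors(credentials)) >= 2

def chained_logons_are_mfa(logon_procedures):
    """A system log-on followed by a separate database log-on never combines:
    each procedure is judged on its own, so MFA must hold within one of them."""
    return any(is_multi_factor(c) for c in logon_procedures)

def mfa_required(is_admin, payment_card_system, remote):
    """Simplified reading of the PCI DSS v3.2 point made in the post: admin access
    to payment card systems needs MFA even from the local network, and remote
    access required it already. Assumed policy, not the standard's wording."""
    return remote or (is_admin and payment_card_system)

def check_access(is_admin, payment_card_system, remote, credentials):
    """Verdict for one log-on procedure: (allowed, reason)."""
    categories = distinct_factors(credentials)
    if mfa_required(is_admin, payment_card_system, remote) and len(categories) < 2:
        names = ", ".join(sorted(f.value for f in categories)) or "none"
        return False, "MFA required but only one category presented: " + names
    return True, "ok"
```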

So, MFA is here to stay and when it is implemented well it should be easy and intuitive to use. There are lots of solutions out there, so finding one that suits your needs should no longer be a barrier to increased security.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

SRM Blog