Everyone is concerned with digital data security today, in one way or another. For every digital advancement, there seems to be a counter development to breach its security. The trust and etiquette that once governed the use of the old telephone party lines would serve us well today, but we cannot count on such protocol for today’s data and communication devices. Additional protection is needed. Government institutions, hospitals, businesses and home office users need to invest more attention and money to insure the security of their data. With the computing power and storage capabilities of current devices, we have become vulnerable by concentrating so much data in single locations. We fear the possibility of anyone hacking our data without permission (password). Since the password is the first line of defense for data security, resetting and managing an organization’s passwords have become one of the largest IT costs for most institutions, large and small. THE TREND WITH PASSWORD PROTECTION ISSUES In a Gartner Group report, “password resets represent 20% to 50% of all help desk calls.” The Forrester Research group states “the average help desk labor cost for a single password reset is about $70.00.” In a white paper, authors from RSA Security LLC, a division of EMC Corporation, claim “for a 1,000 user organization, the total cost of ownership over the first three years is around $673,000.00 or $673.00 per user, about 98% of that cost is due to management cost and, on average, 30% of that is just for resetting passwords.” Most organizations can easily average $197.00 cost for every user for three years. With 50 users, an organization will spend approxi- mately $3,283.00 a year just to reset passwords for their employees. This money can be better spent to integrate new security technol- ogies, such as smart card readers and biometric devices, into an organization’s network. Along with this mounting password maintenance cost, we find that security experts identify weak passwords as one of the most critical security threats to an institution’s infrastructure. Mandylion Research Labs poses a challenging question to all computer users: “Do you think your passwords are strong enough to survive a brute force attack? Think again.” Continued 1 WHITE PAPER THE TRENDS AND BENEFITS OF SMART CARD AND BIOMETRIC SECURITY DEVICES
Transcript
Everyone is concerned with digital data security today, in one way or another. For every digital advancement, there seems to be a counter development to breach its security. The trust and etiquette that once governed the use of the old telephone party lines would serve us well today, but we cannot count on such protocol for today’s data and communication devices. Additional protection is needed.
Government institutions, hospitals, businesses and home office users need to invest more attention and money to insure the security of their data. With the computing power and storage capabilities of current devices, we have become vulnerable by concentrating so much data in single locations. We fear the possibility of anyone hacking our data without permission (password). Since the password is the first line of defense for data security, resetting and managing an organization’s passwords have become one of the largest IT costs for most institutions, large and small.
THE TREND WITH PASSWORD PROTECTION ISSUES
In a Gartner Group report, “password resets represent 20% to 50% of all help desk calls.” The Forrester Research group states “the average help desk labor cost for a single password reset is about $70.00.”
In a white paper, authors from RSA Security LLC, a division of EMC Corporation, claim “for a 1,000 user organization, the total cost of ownership over the first three years is around $673,000.00 or $673.00 per user, about 98% of that cost is due to management cost and, on average, 30% of that is just for resetting passwords.” Most organizations can easily average $197.00 cost for every user for three years. With 50 users, an organization will spend approxi-mately $3,283.00 a year just to reset passwords for their employees. This money can be better spent to integrate new security technol-ogies, such as smart card readers and biometric devices, into an organization’s network.
Along with this mounting password maintenance cost, we find that security experts identify weak passwords as one of the most critical security threats to an institution’s infrastructure.
Mandylion Research Labs poses a challenging question to all computer users: “Do you think your passwords are strong enough to survive a brute force attack? Think again.”
Continued
1
WHITE PAPER
THE TRENDS AND BENEFITS OF SMART CARD AND BIOMETRIC SECURITY DEVICES
Mandylion further indicates “the keyspace (number of possible combinations) created by even the most creative human mind is no match for password audit tools (crackers) running on today’s desktop machines, such as L0phtcrack 5 (LC5). Even the simplest of these tools now contains 99% of all possible English alphanumeric password combinations. These tools are clever, stealthy and lethal. Worse yet, they are widely available for download on the net.”
The Mandylion researchers have found that hackers using these tools can unethically and instantly decode any password less than 8 characters, as your encoded password is sniffed or captured as it is being passed or stored at the host/client. So, even if you take care to use more than 8 characters in a password; and it’s generated in accordance with strong policy which incorporates the use of symbols, characters and numbers; and even if it’s changed regularly and not used concurrently elsewhere, your ‘strong’ pass- word is simply no contest for today’s password cracking tools.
METHODS FOR BREACHING DATA
There are several methods for breaching data:
1. Attacks can be made through your network connections to the Internet.
2. Access can be achieved through your human interface devices for computer input, such as a keyboard or mouse, which directly attach to your computer/network/database.
3. Technology can be employed to intercept your wireless communications via wireless routers or wireless PC’s - both desktop and laptop.
A lesser known solution for enhancing the security of data is with the use of secure computer input devices. These devices can effectively control password security and maintenance costs which affect each and every institution, and are discussed here.
THE TREND IN COST-EFFECTIVE SECURITY MEASURES
State, local and federal institutions, along with insurance and medical institutions, have known about the password and mainte-nance problems for some time, and have aggressively sought out smart card and biometric security solutions. Using these devices, they have found several ways to ensure that access to their computers, networks, applications and databases are only accomplished by authorized users.
The means these large organizations are using for password replacement and logical access are beginning to trickle down to small and large business groups. These groups also realize they have to address substantial reductions in IT costs and ensure the security of their data and networks. So, like the government and other ‘data critical’ institutions, these other business groups, such as professional offices, are also turning to secure computer input devices for a solution. According to Techopedia, “Businesses, orga-nizations and other entities use a wide spectrum of logical access controls to protect hardware from unauthorized remote access.”
The IT security industry has found that the two most cost-effective security measures to reduce IT costs and enhance an institution’s security are biometric devices and smart card readers.
Continued
THE TRENDS AND BENEFITS OF SMART CARD AND BIOMETRIC SECURITY DEVICES [ CONTINUED ]
2
WHITE PAPER
THE STATE OF BIOMETRIC DEVICES
There are a number of biometric devices on the market today with a growing number of software providers that have made the biometric solution easier than ever to develop and deploy into any size organization. In the past, the lack of software providers has hindered the growth of the biometric industry. However, software suppliers for biometric technology are growing and starting to catch up to the demand to meet the ever increasing demands for security.
The available devices for secure computer access and control are many: single standalone fingerprint readers, notebook fingerprint readers, biometric mice, biometric keyboards, biometric keyboards with smart card readers, face scanners, retina scanners, iris scan-ners, and palm and vein scanners, each of which offer one or two points of authentication.
Matt Hoffman from Wired.CO.UK writes about some of the limitations of biometric security: “What about biometrics? Could a fingerprint reader or iris scanner be what passwords used to be: a single-factor solution, an instant verification? They have two inherent problems. First, the infrastructure to support them doesn’t exist, a chicken-or-egg issue that almost always spells death for a new technology. Because fingerprint readers and iris scanners are expensive and buggy, no one uses them; because no one uses them, they never become cheaper or better. The second, bigger problem is also the Achilles’ heel of any one-factor system: a fingerprint or iris scan is a single piece of data, and single pieces of data will be stolen. Dirk Balfanz, a software engineer on Google’s security team, points out that pass-codes and keys can be replaced, but biometrics are forever: ‘It’s hard for me to get a new finger if my print gets lifted off a glass,’ he jokes. In the age of HD photography, using your face or your eye or even your fingerprint as a one-stop verification just means that anyone who can copy it can also get in.”
Biometric devices have a place in the current and future war against hacking, but they need to be incorporated into a two- factor authentication system to really keep a guard against unwanted intrusion. Wikipedia says “Two-factor authentication (also known as 2FA) provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. A good example from everyday life is the withdrawing of money from
a cash machine. Only the correct combination of a bank card (some-thing that the user possesses) and a PIN (personal identification number; i.e., something that the user knows) allows the transaction to be carried out. Two-factor authentication is a type of multi-factor authentication.”
The best practice solution, therefore, is having a fingerprint (something that is inseparable from the user), along with a strong password (something the user knows) to establish authenticated access. Such a 2FA system will provide a user of biometric readers with the security which all organizations and office groups are seeking.
THE STATE OF SMART CARD READERS
The second, and probably most embraced method of reducing IT costs and securing networks, is the use of bidirectional smart cards and readers. There are a number of companies providing both hardware and software solutions for smart card use, making them easier to deploy and a cost-effective approach to enhancing security.
The federal government is one of the largest organizations to embrace smart card technology through the use of the Common Access Card (CAC) into their mainstream security measures. This card is very similar in size to a standard credit card and requires the use of a PIN to utilize the CAC card. As a result, the organization can achieve the two-factor authorization previously discussed as a primary factor in network security. The CAC card includes a Public Key Infrastructure (PKI) certificate which enables the cardholder to “sign” documents digitally, encrypt and decrypt emails and establish secure on-line network connections.
Continued
THE TRENDS AND BENEFITS OF SMART CARD AND BIOMETRIC SECURITY DEVICES [ CONTINUED ]
3
WHITE PAPER
It also contains two digital fingerprints, a digital photo, a Personal Identity Verification (PIV) certificate, the organizational affiliation, agency, department and an expiration date. The CAC card provides a lot of information that is paired with the card holder’s PIN number. This allows a governmental organization to achieve maximum security for network access and reduces IT costs for password maintenance, which is no longer needed.
There are several styles of smart cards for the private sector as well that will help private organizations and professional offices to reduce IT costs and secure access to their network, just as in the government sector. With the numerous styles of smart card readers and supporting software programs available today, many private sector companies are also starting to embrace smart card reader technology for the security it offers and the reduction in IT costs that can be achieved.
The styles of smart card readers include
1. Standalone readers for ease of placement on a desktop, counter, etc.
2. Integrated readers that can be incorporated as part of a notebook, desktop computer or a keyboard for convenience and ease of use.
No matter which style of smart card integration is chosen, an organization using smart card readers will realize enhanced security for network access, and reduce IT costs at the same time.
In summary, either a biometric device or a smart card reader will offer a simple solution to increase an organization’s security, while at the same time reducing IT costs. The net cost of these devices provides great value to any organization, large or small, without breaking the bank.
AUTHOR:
Russell MacKenzie ZF Electronic Systems 11200 88th Avenue Pleasant Prairie, WI 53158 Phone: (262)942-6508 Email: [email protected]
ZF Electronic Systems designs and manufactures Computer Input Devices under its CHERRY brand, including keyboards, mice, smart card readers, biometric and other devices for secure access and use of computers and networks.
More information can be found at www.cherrycorp.com/cid.
THE TRENDS AND BENEFITS OF SMART CARD AND BIOMETRIC SECURITY DEVICES [ CONTINUED ]
