
Eyeing risks while cutting spending

Hat Tip to Pete Lindstrom.

There's a great article over on Computerworld: Security Manager's Journal: Eyeing risks while cutting spending. There are some great points there. I will respond to one:


The next cuts are in the form of SecurID tokens. Until now, our company has issued the hard (key fob) tokens. There are currently more than 5,000 tokens deployed worldwide. These tokens have batteries that last only a few years, and then new tokens are needed.

With software tokens, we can eliminate the need for those hardware replacements and the cost of shipping fobs to our users around the world. They are easier to deploy, and there aren't any batteries.

The drawback is the threat of keystroke-capture programs. Since the physical tokens are separate from the computers, they're not susceptible to keystroke capture being used to obtain a user's PIN.

It's a risk we're going to have to take, and we may be able to get users to enter their PINs by pointing their mice to on-screen number pads, which would mitigate the keystroke-capture threat. An added benefit is that the software tokens can be used on mobile devices.

This is clearly a big win. Of the items listed, dropping your hardware tokens has got to be the biggest savings. I know that WiKID's locked tokens have anti-keystroke-logging capabilities, so I would assume that others have it too. I think this risk is best tackled by requiring users either to use corporate laptops only or to use wireless tokens.

Additionally, if you are using an SSL/Browser-based VPN such as Whale or Juniper, you can further reduce risks by using mutual https authentication.   This would reduce the risk of a network-based MITM attack, which is increasingly likely thanks to all the wi-fi networks and unpatched DNS servers. 

It seems that a lot of companies just bought the big brand names when times were good. It's not surprising, since most security people are not incented to optimize their spending, only threatened with punishment for a breach. Now, there seem to be far more companies looking for less expensive two-factor authentication.
