Wednesday, May 24, 2017

It takes a disaster to unite everyone, then the blame game starts

A recent but fading cyber incident exposed technology vulnerabilities that were always known and ticked off as acceptable risk by almost every enterprise. It was all about deferring necessary change with lower spends; for some it was about inability to change because vendor or supplier or support provider did not offer an upgrade thus necessitating a change which would have raised the budget. Unfortunately in this case the risk materialized into a disaster of which the impact would take a long time to understand.

It was unsurprising to see friend, foe, acquaintance, partner, bystander, everyone shed differences and come together to tackle the situation and problem; for many survival was at stake, for others an opportunity to make a fast buck. Either way they flocked together commiserating the unfortunate and talking about safety steps they took that fended off the enemy. It did not matter if their good fortune was a result of their actions or providence of their inaction or ignorant apathy, for now they were the heroes and survivors.

Flashback to an earlier incident of similar nature: In a large enterprise an ERT (Emergency Response Team) meeting was called to discuss the threat as it spread and anticipation of more to come with an accidental recess. The CXO collective gushed forth with their assessment of the widespread damage and impact to the market, revenue, and the world at large. It gave them an excuse for future quarterly results should the numbers not make the cut. Soon they ran out of things to say and there was silence in the room when everyone turned to the CIO.

The CIO stood up and gave the gathering the good and the bad news; good news that almost 99% of the enterprise survived the attack. He paused for the applause to subside and then continued to the bad news that the systems impacted had critical machine data now unrecoverable and it impacted regulatory compliance. No pin dropped to break the eerie lack of sound as the Head of Risk and Compliance (R&C) stood up and asked the CIO to clarify the specifics of the damage, which plant, which product, which market ?

CXOs no longer needed an excuse, the resultant impact was real and they had a tough situation at hand considering the last audit management response clearly stated a budget for upgrade of the impacted systems. Not too long ago Finance had at the last minute stayed the upgrade/replacement with a view to depict a better quarter. R&C Head was tasked to declare the news to the Board and CEO while the CFO agreed to not hold back further budgets which even remotely impacted any regulatory compliance.

Never let a good crisis go to waste, so said a well-known statesman well before most of us were born or for that matter technology overtook our lives. Our team did exactly the same; between the CIO and Head R&C, they garnered budget required to take care of future eventualities. Rest of the CXOs used the opportunity to justify the suboptimal performance, the company took a hit larger than most others in the industry. Things came back to normal and life moved on, the lessons catalogued and filed for posterity.

Less than 24 hours had passed since the news broke of the disaster that hit far and wide; the same team barring a few who had moved on, met again to assess the damage. This time the news was scarier, spread wider, impact larger, and the world was unable to contain the losses. This time faces were grim and little small talk precluded the meeting; the CEOs presence too added to the gravity of the event. The impact was not dissimilar to the past, it appeared that remediation sanctioned did not change the fortunes of the company.

Livid and frustrated the CEO wanted heads to roll; how can we make the same mistake twice ? He sensed the fear and waited for the CIO and Head R&C to finish before seeking the perpetrators of the current situation. No guesses for who the sword fell upon, it was swift and no explanations were sought, none given. Money flowed to solve the problem, lessons learned catalogued once again, the impact fortunately not allowed to be used as an excuse for any future adverse performance by any of the functions.

It is a rare enterprise that imbibes learning without finding scapegoats; make yours one !

Monday, May 08, 2017

Lost passwords can be changed, but lost biometric identity ?

Everyone hates passwords but uses them as a necessity to protect corporate digital assets, personal information, and financial assets. Complexity level has increased with time and so has the ability to crack them. This resulted in multi-factor authentication with various means, the most popular being OTP (One Time Password) delivered to the mobile phone as a SMS. The insecure delivery channel susceptible to MITM (Man In The Middle) attacks poses challenges to almost all communication including the OTP as recently discovered with SS7 vulnerability.

Appification offers alternatives claiming higher grade secure solutions to solve the problem by consuming some of the available solutions; adoption has been slow and efficacy dependent on device features and action from the consumer. The slow pace of change in the ability to rise to the security challenge has resulted in multiple breaches, financial and reputation loss. As a result there is an attempt to raise the bar and deploy biometric solutions as the final measure of security which is perceived to be difficult to replicate.

In the early days of science fiction and world of espionage the highest level of security depicted was biometric control; starting with fingerprints to hand scan, facial patterns, voice recognition, and finally iris scan. These were immutable and secure that saved the protagonist or defeated the antagonist in movies. With imagination overtaking reality, these were also compromised with recorded voice, lifted fingerprints and face masks; real world mimics fiction in many ways and replay attacks overcome security barriers.

Ingenuity to stupidity and everything in between has played a role in creating the fragile walls around physical and digital assets that need protection. Governments are capturing biometric data for basic identity creation and management of citizen services; enterprises capture fingerprints and more – largely for access to physical premises and attendance recording. Within an enterprise all the data gets replicated across servers and locations to seamlessly allow access and convenience to employees and partners.

Enterprise security has faced challenges with data protection and leakages – intentional or by error and omission. Widespread use of biometric data now raises concerns for individuals when the data is dispersed across multiple access points for authentication by the enterprise. Should the information be compromised, the repercussions for individuals can be far and wide. Masquerading and false identities from the data now used with Government services leads to seriously scary scenarios for individuals and more.

Fingerprint data is the most commonly used form factor and we have just 10 of these unique identities available to us. While they can be altered to some extent with cuts and or abrasions, they cannot be changed; and therein lies the challenge for individuals who are now being asked to provide their bio-identities across the board with no recourse, stored, retrieved and used to verify the person. Widespread use poses significant risk, their propagation on channels – secure or otherwise increasing the attack surface.

What are the alternatives ? Do we need additional factors of authorization for use of biometric data ? Do we need federated identities which subsume other forms of identity to create better alternatives ? Identity based cryptography and encryption has been a theoretical solution to the problem though not much headway has been made in this direction due to underlying complexity and the large set of identities to be provided in the now hyper connected digital world where the need goes beyond human identities.

Use cases explode with IoT and other devices – all of which need unique identifiers and private keys; the resultant solution however fails if the Private Key Generator is compromised or subject to quantum computer attacks. M2M communication is on an exponential growth path requiring a different level of thinking to solve the problem. Limitations of current PKI (Public Key Infrastructure) are well known and need to be addressed for a viable alternative to succeed and overcome the growing problem.

Coming back to biometric authentication and authorization, it is imperative that it be used in an encapsulated form without transmission or storage of the data. Individual consumers too need to be educated and made aware of the fallacies of the current structure; enterprises should review the capture and use across the enterprise to safeguard interests of their employees. After all once the data is compromised, there is little that a person can do with his fingerprint identity and that is a scary place to be.

PS: Happened to meet with a startup which claims to have solved the problem; more as I get to the bottom of this !