
US Government cyber attack demands tighter access control

SecurEnvoy : 09 November, 2012  (Technical Article)
SecurEnvoy comments on increasing occurrences of cyber attacks on state government creating greater need for two-factor authentication of access credentials

The recent cyber attack on a state government in the US, the largest ever, shows that attacks on third-party credentials, which can be used in identity theft frauds, are becoming more and more commonplace.

The problem, says Andy Kemshall, chief technology officer at SecurEnvoy, is that public sector organisations in the US have a lot of identity information on citizens in their database, including payment card details.

“US credentials such as the person’s social security number, name, address and payment card details, are pure gold when it comes to identity theft information, which has now become a global cybercriminal commodity business,” he said.

“The South Carolina state computer system hack is notable for the volume of data – 3.6m social security numbers and 387,000 credit plus debit card credentials – that were stolen, and which can be used by cybercriminals to create cloned payment cards and apply for credit plus bank accounts in the victim’s name,” he added.

Even with a conservative $3.00 rate per card information set, that means the cybercriminals could grab more than a million dollars for selling on the credentials they stole in this data theft, he explained.

More than anything, the SecurEnvoy CTO says, this highlights the immense profits that can be derived from a short period targeting and hacking a public sector computer system, after conducting reconnaissance using an automated set of hacking tools to probe likely IP addresses on the Internet.

And coming against the backdrop of the NHS having lost 1.8 million sets of patient records in the last year, he notes, there is a big question mark hanging over the security of government systems, which could be targeted in a similar fashion to what is happening in the US.

The NHS, he adds, has come in for understandable criticism for its data losses over the years, as have several councils, but given the fact that the government – at both local and national levels – is short of money in these straitened times, IT professionals in the public sector clearly do not have the security resources that are available to the private sector.

Given the widespread ownership of mobile phones – with almost every adult now carrying one in their jacket pocket or purse – Kemshall says there is a strong argument for harnessing the mobile as a means of authentication when accessing data on a public sector computer system.

This is what security experts call tokenless two-factor authentication (2FA), which secures an IT interaction with ‘something you have’ (the handset) and ‘something you know’ (the challenge authentication data) across an easy-to-use system (the mobile network).

“Implementing tokenless 2FA using a mobile is a very easy and low-cost way of securing access to large data repositories in the public sector, both with employees and members of the public, where appropriate. This contrasts with the relative insecurity of conventional ID/password credential-based systems,” he said.

“We call this BYOT – Bring Your Own Token – and means that organisations gain access to a secure authentication methodology without all the expense and administration involved with hardware tokens, but still retaining all the convenience and security,” he added.

   © 2012 ProSecurityZone.com