BETTER WAYS TO BETTER PROTECTION
One well-regarded solution was to lower the incentive for hackers to attack systems by safeguarding data with cryptography and multiple independent "keys" (such as smart cards or tokens) that would make stolen data unusable.
LANDWEHR: Isn’t there another way we can look at solving this though? Instead of focusing a lot on how to educate users, on what is and is not malware, we can change the rules of the game for the hackers so they’re less interested in attacking our computers, because we’re better at protecting the information that’s on them. Then if anybody steals the files that are on the disk, they’re encrypted. If someone accidentally emails something, it’s encrypted. If it goes anyplace that it shouldn’t, they don’t have the keys to open it.
Further, if the sites that we frequent aren’t using static text passwords but something more secure, and somebody happens to stage a phishing scam or install a keystroke logger, they’re not capturing people’s complete log-in information. If we’re able to use a smart card or some other two-factor encryption technology then it’s just no longer interesting to break into a computer, because everything inside the computer that’s running on the disk and running in memory is somewhat useless without the external authentication mechanism that goes with it.
DIFFIE: I think given the amount of time we’ve been trying to do those things, they must be harder than they sound.
GILLILAND: And I would say they exist already but they’re invisible to the end user. So nobody knows that this stuff exists.
HEIM: I think you’re hinting about digital rights management -- protecting the data itself at the data level. And it’s wonderful from a conceptual perspective. But if you look at the history of the music industry, for example, it’s not altogether successful. I think there was a case where certain sites were shut down recently, and people who legitimately purchased content no longer have access to the keys, and their legitimate access to the purchased content was lost. So unless we have an extraordinarily robust infrastructure to maintain continuous access to the keys for data over long periods of time, it could have very significant repercussions.
ABHYANKAR: And a big challenge is that in most organizations, there is little clarity about where this important data is kept, in which systems it is, how it is being manipulated, by which processes….
SHERSTOBITOFF: Agreed. I would say in the financial community, they’re taking on the evolution of out-of-band authentication. For example, Bank of America has recently implemented cell phone out-of-band authentication. It gives an additional layer of authentication that’s very difficult to break, especially when the keys are random and being sent in a mechanism that cannot be intercepted by hackers today.
So the banks have decided, for now, to go in for multi-factor authentication, beyond passwords, beyond tokens, by going to the out-of-band authentication. And some of the higher rolling traders are getting authentication devices, smart keys, RSA tokens. Some in the financial community are also putting anomaly detection in the back ends, to detect suspicious patterns and localizations. Ultimately, financial institutions are adapting their technologies and authentication mechanisms so that they basically do not invite hackers. It’s as you were saying: de-interest them in wanting to attack. If they cannot get past the authentication, then what’s the point?
DIFFIE: Two factors has a real advantage, which is that the two components tend to get lost in different ways.
LANDWEHR: We’re seeing a lot of activity around smart cards. I’ve got my smart card badge here, and it’s the same badge that I use to go into the buildings that we have around the world, but it also has a PKI [public key infrastructure] credential on it that I can use to log in to applications, encrypt business documents and digitally sign PDF forms. There’s also a PIN code that protects it, just like an ATM card. If you steal the card from me, you get a couple of guesses on the PIN code, and then it stops working.
The U.S. federal government is rolling out smart card badges that will have PKI on them to every government employee. Employees will be able to just put their badge in the computer, and log in with a PIN code, and they won’t have to remember complex user names and passwords. Overseas, entire countries are issuing smart cards to their citizens. Belgium is rolling out electronic IDs so as to better protect their citizens and their personally identifying information online. You have a smart card reader on your PC, you put your card in, and it’s doing real PKI crypto underneath the covers there to sign, encrypt, and authenticate electronic information. But all the end user has to know is, “I put the card in the slot and I type my PIN code in just like I do at the bank, and it makes it tougher for people to claim that they’re me in the electronic world.”
Some of the challenges, though, are the silos of authority within organizations. There’s the physical security team that controls the badge, and then the IT security team that controls the authentication infrastructure, and then the team that controls the documents and forms. I think an opportunity for education is to show how teams can work together, not only within organizations but across organizations to use security technology that makes online processes faster, cheaper, and more secure than their legacy paper counterparts.
HEIM: Again, it goes back to scale. In Hong Kong or in Belgium, it’s doable, especially with strong central governments that can mandate these things. If we look at or within an industry, where you have a well-defined work flow of some kind, you can have an economic benefit to doing this. But project across something the size of the U.S., for example, especially where states and individuals prefer the liberty to do what they would like, and grand plans such as a national I.D. card really go against the grain of the diverse society.
LIPNER: I don’t think we need a national ID card, we just need to make our existing cards stronger.
DIFFIE: That in principle is what the Real ID Act does.
ABHYANKAR: There are so many practical constraints on the implementation of the Real ID Act. Who’s going to maintain that central database? How are states going to authenticate against it? And again, going back to the smart card, is that now a single point of failure? Because now all your identity is within that card, and if that gets lost, then the cost of the compromise is much higher.
LIPNER: I think that any real user-authentication solution for the U.S. is going to have to admit a range of credentials, a range of authenticating or proofing authorities, and systems are just going to have to deal with that. We’re not going to have a single galactic ID for users. We’ll probably have multiple ones. You’ve got to make them easy. I don’t know whether that means a wallet full of smart cards. I have a wallet full of credit cards now that don’t inconvenience me unduly because they’re easy to use, and I know which ones to use.
LANDWEHR: But I think the interesting thing is that there are two sides here. There are organizations that already know me and have my personally identifying information. They need to protect that; we all agree on that. The other side is the organizations that are electronically signing up new customers or new patients or new citizens; they need to do a better job of vetting who those people are. The problem is when information from that first set of organizations goes to the second sort of organizations without the users’ knowledge. That’s when identity theft frequently occurs. What can we do to better control impersonation of identity where somebody is incorrectly claiming to have visited a doctor that I never saw, or signed up for a credit card, or bought a car or a house in your name?