Cybereye | Authorizing devices could be worth a look
A recent study of Justice Department prosecutions suggests that authentication of devices'not just people'when logging into privileged accounts could go a long way toward securing sensitive data.
Most of the cases reviewed involved outsiders who logged on with stolen identifications and passwords, using computers that had no business accessing those accounts, according to the study by Trusted Strategies LLC of Pleasanton, Calif.
'Most crimes, 84 percent, could have been prevented if the identity of the computers connecting were checked in addition to user IDs and passwords,' computer security analyst Bill Bosen concluded.
Some caveats are in order here. First, the company that commissioned the study, Phoenix Technologies Ltd. of Milpitas, Calif., is in the business of selling software that identifies end devices. Second, the statistics of the study probably should be taken with a grain of salt. Of the countless thousands of network breaches that occur each year, the study included only 107 successful DOJ prosecutions from March 1999 through February 2006.
'It's a pretty wide array,' Chris Painter, principal deputy chief of the DOJ Computer Crime and Intellectual Property Section, said of the sample. 'The cases run the gamut' in terms of dollar loss and impact on infrastructure.
But is the sample statistically valid? 'It's hard for me to say,' Painter said.No good stats
One of the big problems in assessing the impact of computer crime is that there are no good statistics. The widely quoted annual survey by the FBI and the Computer Security Institute relies on voluntary responses from victims.
'That's not a scientific study, and it doesn't pretend to be,' Painter said. 'One of the big challenges for us is that we only know what we know. A lot of crimes never come to our attention.'
Bosen says that although the number of cases included in the study is small, the information culled from them is good.
'This is the first time we've had data that's been validated,' he said.
He described the resulting numbers as useful, but admitted the data is bound to be skewed. In what direction, no one can say.
This said, the conclusions about device authentication make sense. The first line of network defense, the perimeter with its firewalls and intrusion detection systems, is pretty mature and it is clear that this is not adequate by itself.
No matter how good the perimeter, a stolen password and user ID can be the keys to the kingdom. User accounts accessed with valid IDs and passwords accounted for 88 percent of the cases studied and resulted in the highest dollar losses, an average of $1.5 million per occurrence. And the majority of these attacks, 78 percent, were committed from the home computer of an attacker who had nothing to do with the organization being attacked.
Clearly, in these cases at least, authenticating the device as well as the user would have been helpful in keeping the bad guys out. Given the investments already made in firewalls and other perimeter tools, device authentication might provide a bigger bang for the buck.
In the end, the level of protection device authentication can provide depends largely on the organization's policy. To be effective, access to privileged accounts should be limited to a handful of known devices, which probably would mean installing and managing client software on authorized machines.
Limiting access to authorized machines may not be a popular move with an increasingly mobile workforce. Users, including administrators, are becoming used to accessing network resources not just from their office desktop or their home PC, but from whatever device is available wherever they are. This mobility has been a boon to productivity. But security always comes at some cost, and as the concept of 'insider' and 'outsider' is blurred on our networks, some added level of accountability is required.
It could be worth the effort to enact and enforce more restrictive policies if it raises the bar for the guy who has gotten access to a stolen password.William Jackson is a GCN senior writer. E-mail him at email@example.com.