19 Comments
Sorry, but behavioral ID misses the most basic issues with security. As a backup and qualifier to good security practices it is very useful.

When a credit card company gets a behavioral hit, they then use an authentication factor (phone call, Something They Know) to verify personal information (Something I Know), then they reissue the credit card (Something I Have) if I flag the transaction as fraudulent. Looks like multiple-factor authentication to me. In fact the behavioral system only leads to changing the factors on the user end to mitigate the intrusion.

Let's use the behavioral example for WoW: no need for a password or session token generation, right?
Think your average person is okay if their character is used to do things they normally do, like chat, but the "normal" is a massive derogatory rant destroying the person's credibility in his local community (at least temporarily). Extended to any forum, say TR, and we have social networking chaos. Location data is not okay; it's a something you have that is easily forged. Never mind those people who use anonymizing proxies.

Saying multiple factor authentication is not beneficial is disingenuous.
If you have many long passwords why not use a password manager?
One strong password to secure a list of passwords.
Until biometric systems are widespread, it's on passwords that general verification hinges.
1 Vote
You beat me to it on basically every point I was going to make, with the exception of this:

Keyloggers and social engineering are not reasons to avoid using passwords. They're reasons to think before you act. They're reasons to know something about how to secure your computing environment, intelligently, and to avoid circumventing the security protections that environment provides. Period.

The whole article was absurd, and pretty typical. As I said in another TR article, "Don't Be Fooled By The Argument Against Unique Passwords" [1] . . .

QUOTE: These days it seems like every time we turn around someone has written another article that gives "security" advice directly contradicting actual secure practice:

QUOTE: * Don't use strong passwords! Just use whatever you'll remember!

QUOTE: * It's okay to use one password for everything as long as it's a strong one!

QUOTE: * You don't have to use a strong password as long as it's uncommon!

It's usually someone who has just barely learned enough about security to be dangerous, and has sometimes just barely learned enough about some other technology he or she thinks can make passwords obsolete to assume he or she understands it without, y'know, actually understanding it. That's exactly what has happened here, of course -- behavioral profiling is no silver bullet and, as you pointed out bboyd, is only suitable as an enhancement to the security provided by common multifactor authentication methods (and not as a replacement for them).

The problem with passwords is merely one of education and UI, and not endemic to passwords themselves at all. I have written about "How To Get People To Use Strong Passwords" [2] here at TR as well, and about how to get people to care enough to actually employ their brains with regard to security in "Like Passwords For Chocolate, Coming Soon To A Security Theater Near You" [3]. In that latter case, I made the point that:

QUOTE: The biggest problem with password security today is not that they are too long and too hard to remember. In fact, "How to get people to use strong passwords" [2] explains how we can neatly defuse that little issue. It is not that password policies are often abysmally bad, as in the case described in "How does bad password policy like this even happen?" [4], though that definitely is a problem. It is not even the way bad security advice masquerades as common sense for people who lack an understanding of how to solve both of those issues, a growing epidemic identified in "Don't be fooled by the argument against unique passwords" [1].

QUOTE: The biggest problem with password security today is simple:

QUOTE: Nobody cares.

You need to do three things to make sure people's data, finances, and other digitally-exposed resources are secure:

1. Educate them.

2. Get them invested.

3. Give them control.

Part of both points 2 and 3 is making things easy. That's where selling people on password managers first and foremost, rather than the passwords themselves, comes in.

---

NOTES:

1. http://blogs.techrepublic.com.com/security/?p=4739

2. http://blogs.techrepublic.com.com/security/?p=5366

3. http://blogs.techrepublic.com.com/security/?p=5368

4. http://blogs.techrepublic.com.com/security/?p=528
"Keyloggers and social engineering are not reasons to avoid using passwords".

Also, I think behavioral systems are better suited to the corporate environment than the common home user. Yes, phishing is a problem in both worlds, but a behavior system would probably be more effective in the corporate environment, as Dominic states, since employees can have specific roles. But, even then, it's only as effective if they in fact stick to those roles; the general user (as in the example of the credit card user) tends to change their behavior more often than not, regardless of what research the card companies state; I tend to think their research is dated too. Employees can very well change their behavior as well, even unintentionally. It may be worth it to utilize both models (password systems and behavioral systems) and not just do away with password systems?

Bah.... What do I know....
Passwords cannot be eliminated based on behavioral patterns. Patterns of behavior have long been proposed for intrusion detection (e.g. employeeA should not have been at work at the time of that login record). To use them for analysis of "bad" behavior is also an old idea: forensics. However, none of that makes a case for eliminating the use of passwords.
1 Vote
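The login-record check the comment above describes (employeeA logging in at an hour that does not fit his record), worked through as an added example. This code is not from the original thread or from any product discussed in it; the usernames, hosts and timestamps are constructed for the example. It builds a per-user baseline of login hours and source hosts, then scores new logins against it. The last scored event is the point several commenters make: a stolen credential used during normal hours from the usual host produces no deviation at all, which is why this is a detection signal layered on top of authentication, not a replacement for it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed training window: one week of ordinary logins for two users.
# employeeA works a day shift from ws-17; employeeB works nights from ws-40.
TRAINING = [
    ("employeeA", "2012-03-05T08:55:00", "ws-17"),
    ("employeeA", "2012-03-05T13:02:00", "ws-17"),
    ("employeeA", "2012-03-06T09:01:00", "ws-17"),
    ("employeeA", "2012-03-07T08:48:00", "ws-17"),
    ("employeeA", "2012-03-08T09:15:00", "ws-17"),
    ("employeeA", "2012-03-09T08:59:00", "ws-17"),
    ("employeeB", "2012-03-05T22:05:00", "ws-40"),
    ("employeeB", "2012-03-06T22:10:00", "ws-40"),
    ("employeeB", "2012-03-07T21:58:00", "ws-40"),
    ("employeeB", "2012-03-08T23:05:00", "ws-40"),
]

# Constructed events to score: in-pattern login, off-hours login, new host,
# a night-shift login that wraps past midnight, and in-pattern misuse.
EVENTS = [
    ("employeeA", "2012-03-12T09:10:00", "ws-17"),
    ("employeeA", "2012-03-12T02:30:00", "ws-17"),
    ("employeeA", "2012-03-12T10:00:00", "vpn-gw"),
    ("employeeB", "2012-03-13T00:30:00", "ws-40"),
    ("employeeA", "2012-03-12T14:00:00", "ws-17"),  # stolen credential, normal hours
]


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def _near(hour, seen, tolerance=1):
    # Circular distance on a 24-hour clock, so 23 and 0 count as adjacent.
    return any(min(abs(hour - s), 24 - abs(hour - s)) <= tolerance for s in seen)


class LoginBaseline:
    """Per-user profile of the login hours and source hosts seen in training."""

    def __init__(self, records=()):
        self.hours = defaultdict(set)
        self.hosts = defaultdict(set)
        for user, ts, host in records:
            self.learn(user, ts, host)

    def learn(self, user, ts, host):
        self.hours[user].add(_hour(ts))
        self.hosts[user].add(host)

    def score(self, user, ts, host):
        """Return the list of deviations from the user's baseline.

        An empty list means the login looks like this user's normal activity,
        which is exactly what a stolen credential used in-pattern looks like too.
        """
        if user not in self.hours:
            return ["no baseline for user"]
        reasons = []
        hour = _hour(ts)
        if not _near(hour, self.hours[user]):
            usual = sorted(self.hours[user])
            reasons.append(f"hour {hour:02d} outside {user}'s usual hours {usual}")
        if host not in self.hosts[user]:
            reasons.append(f"host {host} never used by {user}")
        return reasons


def run_example():
    """Score every constructed event; returns (user, ts, host, reasons) tuples."""
    baseline = LoginBaseline(TRAINING)
    return [(u, t, h, baseline.score(u, t, h)) for u, t, h in EVENTS]


if __name__ == "__main__":
    for user, ts, host, reasons in run_example():
        verdict = "FLAG" if reasons else "ok  "
        print(verdict, user, ts, host, "; ".join(reasons))
```

Run it and the 02:30 login and the `vpn-gw` login are flagged, the 00:30 night-shift login is not (the clock wraps), and the 14:00 login from the usual host passes clean even though the lead-in says it is an attacker. A real deployment would add more features (failed-attempt counts, geolocation, session actions) and tune the tolerance, but the shape of the limitation does not change: anything the legitimate user would plausibly do is invisible to the profile.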
Takeaway?
chip@... 20th Mar 2012
Your "Takeaway" is not a "Takeaway"...it is a tease. Takeaways don't end with a question mark. Give me the bottomline in the takeaway and quit worrying so much about clickthroughs. Please, quit wasting my time.
-2 Votes
+ -
Your comment doesn't really contribute to the knowledge of this article, nor does it question its contents.
Please, quit wasting my time.
0 Votes
You're wasting mine
Jordon 20th Mar 2012
Since when has "Comments" been defined as a receptacle for contributory knowledge? A comment is nothing more than a comment.

And FWIW, his comment does nothing BUT question the article's content.
0 Votes
It might contribute to the future value of writing at TR, if anyone is listening.

This comment by "chip" is something I'll keep in mind in the future, writing for other venues.
Without passwords as authentication we move on to more and more private information. How many people would honestly be willing to scan their eyes, hands or DNA to log on to Facebook?

If people are convinced to give up more of their private information, it will only be a matter of time before someone finds a way around the new security in place. Databases are hacked every day and information is lost.

Access is an issue, but limiting what people can do with that access may be more important. If you just log into your bank account to check the balance and look for lost receipts, then you do not need bill pay for a hacker to steal your money.
0 Votes
While I can see that there's a clear problem with the user name/password model for account access, how many companies have the resources available to match the banks with behavioural authentication methods of fraud detection? Very few, I would think. I can't fault it as a system ideal, but it's as impractical for most companies to put in place as it would be for individuals to remember 256-character, multi-faceted passwords.

As a manager of accounts on a business system, the biggest problem I have account-wise is not, directly anyway, a problem with the user name / password model. It's that people don't use it properly. In these modern times, if people are idiotic enough to use 'password' as their password for all of their account-related access, then they've only got themselves to blame when accounts get hacked. I'm gobsmacked at the number of our employees that do, however. Or did, I should say. Having seen this behavioural trait, I've put measures in place to make sure that's not possible any more on our systems, but the fact that people would if I let them is indicative of the wider issue.

As a collection of supposedly smart people, the majority still don't see password driven account access as being under any sort of threat. We don't need sophisticated, expensive systems to help that situation. People simply need a better understanding of the consequences of using poor passwords, and using the same password on multiple sites. It won't resolve the problem, but it would help enormously.
1 Vote
I am pretty sure there are people who would look at the account access setup you use and say, "How could anyone be that ignorant to use such a simplistic system." There are people who can remember dozens of pseudo-random 64-character password strings. So, why not use them and require their re-generation with every successful access.

The right way would be that the system is where the smarts have to be. A 5-year-old on-line would be much less computer-, i.e., password-, savvy than most adults, but should be no less secure.

What we really need is access control systems that do not depend on the user having extensive computer security knowledge or an extraordinary memory.
0 Votes
Thank You
kismert 20th Mar 2012
Thanks for acknowledging the obvious and pointing out the flaws of password-based security. Your analysis of the problems is spot-on.

But behavioral-based security is by definition leaky. While it is a good containment strategy, credit card companies still must bear the financial loss for fraud on behalf of the consumer.

Few companies would buy into a security scheme where leaks are certain, without a similar guarantor willing to compensate them for their losses.
0 Votes
The biggest problem with secure authentication is still the average user - who could not care less about their corporate password's security. They will likely care much more about passwords they use on banking and sale/auction/payment sites. Trying to impose stricter and more complex rules for passwords will only succeed in people finding more ingenious ways to get around them. Until corporate security matters to end users (and good luck with that) there needs to be some other system to protect corporate data. The behavioral thing that banks use could potentially work - except for a person who travels regularly and does not have a "normal pattern" of behavior.
0 Votes
In theory, this sounds like a good idea, but the real question is whether or not replacing passwords (or combining them) with advanced behavioral security systems in an actual applied environment will offer a great enough increase in data security to offset any loss in productivity, flexibility, fiscal cost, etc to be worth implementing in most corporate workplaces.

Also, I've seen firsthand how, especially in smaller operations, users may very well have to do things outside their normal scope of job operations, eg: someone calls in sick, is on vacation, etc.

Finally, what about when someone changes positions and thus duties/shifts? How will such a system deal with it? Must their behavioral pattern set be reset, overridden, or perhaps re-written by a system admin? Each of those possible and necessary resolutions creates a different security hole which an attacker could possibly take advantage of, at least for a time.

I'm not a fan of it, but that will make it cheaper for everyone to implement. I'm afraid this will just extend the expense and failure of password-based technology - hopefully it will at least slow the criminals down a bit, until something smarter and cheaper comes along.

Personally, I like Passwindow mixed with Magneprint. That would be a killer combo in my best estimation.
0 Votes
Interesting. I teach Security/Forensics classes at a local college. It is almost like reading my notes when viewing these entries. It is cat and mouse, my friends. And the one with the most cheese ($$$$) to build the walls or break them down wins.
Guido
0 Votes
Beyond passwords
DonSMau 20th Mar 2012
Behavioral rules are all well and good but will be difficult to apply across all activities in an enterprise. I would have thought a more appropriate next step would be more tightly applying the principle of least privilege. If all accounts are prevented from doing anything other than that which they are meant to do, the organisation's exposure to data leakage is minimised with minimum effort. Behavioral semantics can then be more tightly and effectively focused.
The behaviour-based model seems fundamentally flawed when applied against computer resource access. By definition, the system has to have some behaviour to monitor to establish the identity. Suppose it was possible, and I don't think it is in the real world. If you had a bunch of people, say in a call centre, their behaviour is all very similar, so having assumed someone else's identity, how long will the system take to lock me out? I then just use another identity and keep stealing information or performing transactions that would be normal for the call centre operators...

Now look at the SysAdmin scenario... What pattern?... they do all manner of things randomly, as the tasks require, even accessing other's data when required. What is abnormal behaviour and how much damage can be done before the behavioural system thinks there's something fishy going on?

Naaah. This is the sort of stuff that people like to put on overhead projector slides, and the argument sounds good, but don't try thinking about the practicalities.
1 Vote
OH dear!
Z-eu 28th Mar 2012
Wow..... Just simply wow to the ignorance of some people that make public postings. If you are uninformed on a subject there is no problem with this, but to then make a post on a website visited by millions, on a subject you clearly know nothing about, is just worrying!

Having worked in the finance industry, I can tell you right now that BILLIONS of pounds/dollars/whatever are lost every MONTH because behavioural patterns are (1) easy to forge/copy; (2) they rarely prevent, and are actually reactive, rather than proactive, to historic actions; (3) users in workplaces often do their job the "proper way" for 6 months, until they know the system of their job, then they find shortcuts; (4) why would you REPLACE passwords with Behavioural ID (BID)? It should surely be in addition to it! (5) When you launch a new application, or provide a new technology to the user, which results in them changing, will you fund the millions of currency it costs to install a predicted BID for the expected usage of that new resource? (6) Simply using sufficient encryption on drives, communications, and anywhere else applicable, + a solid pass phrase rather than passwords, should be enough to reduce most attacks; in a corporate environment, proper administration of locking down users so new add-ons and apps cannot be installed + firewall + A/V and IPS, and so on, provide enough options for a capable admin to do their work. It then falls to the users to be somewhat careful in life, and failure to do so should result in punishment.