Lesson from the Target Breach: IT Must Implement Two-Factor Authentication

Redmond Magazine

DECISION MAKER


Last year’s Target incident should be a wake-up call for IT to fundamentally change how they handle passwords.

Now that the dust has settled on the Target credit card breach — along with data theft at other retailers — I hope you’re taking a hard look at your organization and asking, "Are we stupid or lazy?" Frankly, with the high-profile Target case top of mind and security experts predicting more breaches are inevitable, "ignorance" isn’t really an acceptable excuse for IT decision makers anymore.

It’s time to scrap the way IT allows passwords for authentication. It’s no secret security experts for decades have been moaning about how terribly passwords are used. Two-factor authentication, which greatly reduces the chances of a breach, is still practically a trite phrase even though it’s been available for quite some time. Yet very few companies bother implementing two-factor authentication, or for that matter anything stronger than a password even though it’s easier than ever. Even Microsoft, which has offered multifactor authentication in its Microsoft Azure cloud service, in February extended that to Office 365 and plans to offer it in the desktop version later this year.

Target should wish they had used two-factor authentication. The root cause of Target’s breach was a password, stolen from an HVAC contractor who had access to some store networks. I’m sure that password was at least eight characters long and consisted of letters, numbers and symbols. That didn’t matter a bit, because it was stolen. The cost of that theft is likely going to be in the millions of dollars after the retailer covers losses, pays fines, makes fixes and so on.

An RSA token would have cost about $25. A software security token is a mere $2. And every organization — including yours — should absolutely be using these for all network access, including logging in from within the office. Using security tokens — or smart cards, or some other physical factor — can put a complete stop to the unauthorized access that resulted in the Target breach.

"But we’ve never been hit!" is the almost invariable counter-argument — and it’s one I’m sure the IT folks at Target heard a few times. But that’s the point — until you are hit, you haven’t been hit, but once you’re hit, you’re screwed. You don’t buy homeowner’s insurance because your house did burn down, you purchase it in case the house burns down, and you hope to heck you never need to use it. But you spend the money because the insurance is cheaper than the loss should a loss actually occur.

Two-factor authentication is pure IT insurance, plain and simple. It’s a lower cost now, to help prevent a high-cost loss later. And it doesn’t take much to result in a high-cost loss. I mean, for pity’s sake, an HVAC contractor’s password was stolen. That’s not even a blip on the IT radar for most organizations; it’s such a minor event. But look at what it enabled. It led to millions of dollars in fraudulent charges plus an untold cost in revenues. Tens of thousands of customers were furious when they had to replace debit/credit cards. Yet these are losses that could have been prevented with a minimal investment in security infrastructure.

I don’t care if you’re a small mom-and-pop, $1-million-a-year business — someone will find a reason to attack you, whether for financial gain or just to prove they can. They might not want whatever you sell, and they might not want your intellectual property — they might just want access to collect credit card numbers, e-mail addresses and phone numbers. All of this data is valuable in the hands of criminals and your business is a potential source.

At this point, there’s absolutely no excuse for not having better authentication on your network, both for in-office and remote users. In fact, the next big company that gets hit this way — and there will be one, I assure you — should fire its executives for malfeasance. The facts are on the table. The outcomes are clear. The costs are low. If you get hit by busted authentication at this point, you must have done so out of deliberate spite. There’s no other excuse.

About the Author

Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, makes him a sought-after consultant by companies that want to better align their technology resources to their business direction. Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.


Women in Technology – Amazing Grace

Computer Scientist Grace Murray Hopper was an American computer scientist and United States Navy Rear Admiral. A pioneer in the field, she was one of the first programmers of the Harvard Mark I computer, and developed … Wikipedia

Born: December 9, 1906, New York City, NY

Died: January 1, 1992, Arlington County, VA

Buried: Arlington National Cemetery, VA

Awards: National Medal of Technology and Innovation

Education: Wardlaw-Hartridge School, Vassar College, Yale University

And what are you going to do?

Project managers often are asked, tongue-in-cheek, what do they actually do. I once worked in a department where an employee, who was attached to my team, asked me what he needed to do. This query led to a lengthy explanation of how his job function is performed and what his key contributions needed to be. After a tacit display of gratitude for clarifying some things he had apparently been pondering, he then asked, “and what are you going to do?”

The answer is simple. I am the one who has to either inform the person paying for the project that they will get what they asked for when they asked for it or explain why they will not. To do this I need to be able to apply resources to places that will accomplish our goals, and since there are never enough resources (money or people are examples), this takes some skill.

Fortunately, PMI has been around for some time and many people have passed this way before me. The science of Project Management is growing rich with empirical data and scholarly analysis.


3rd Day Worship Service at FUMC- Denton

3rd Day Worship is a new, family-oriented church service which is scheduled to kick off on December 18th in Flinn Hall. “I’ve always wanted to make worship more important to kiddos” says Reverend Deana Ferguson, head of Children’s Ministries, “I want to teach children how to get excited about worship and to help families learn to worship together.” The new service will be held once a month on the 3rd Sunday in Flinn Hall. Service will begin at 11:15am and is expected to end at noon.

Based on the success of a similar program at FUMC-Ft. Worth, 3rd Day Worship will combine traditional elements of Methodist liturgy with interactive activities and songs. The service is designed to appeal to a wide range of age groups from pre-k through elementary school aged children, their parents, and the church youth. The fun and interactive nature of the service will be facilitated both by offering youth members the opportunity to fill leadership roles in worship and through the Worship Arts Studio; a supporting activity where items to be used during 3rd Day Worship will be designed and constructed. Worship Arts Studio is planned to meet on Wednesday evenings.

It is important to distinguish 3rd Day Worship from children’s church. Parents are encouraged to participate with their young ones and form habits of togetherness in worship. “My prayer is that [3rd Day] makes being together in worship exciting and special for young families and that it will reach out to families that are anxious about being in the worship environment with their children” says Rev. Deana. “My hope is that [3rd Day] worship will help children connect with God and will be a major part of their lives.”

For more information about 3rd Day Worship Service or Worship Arts Studio please contact Rev. Deana Ferguson at (940) 382-5478 or by email at dferguson@fumc-denton.com.

Carnegie Cover Letter

To whom it may concern,

These trying times call for ideas and innovation. If you have a vision for your business I can help you turn it into a reality. Innovation is sometimes not realized because its initiator doesn’t have time to plan the change, manage the risks involved, or communicate the vision.

I leverage best practices in technology, leadership, and communication to turn your vision into reality. From refining the vision into traceable requirements, through bridge training to socialize transition, I can offer twenty years’ experience in business, process engineering, training, and project management.

Together we can bring your ideas to life.