FFIEC Multifactor Authentication: The Vendor's Role
Guidance Needed to Ensure Providers Offer Layered Security
At a time when U.S. banking regulators are on the verge of handing down new authentication guidance, Trend Micro's Rik Ferguson has a message for banking institutions.
"Multifactor authentication is perceived by many as being the panacea," he says. "[But] the real problem is: we're not authenticating the right things."
The challenge: Malware has evolved to the point where it can sit inside the browser of the infected computer and intervene in any transaction. "That's where we need to focus our technology -- on guaranteeing the integrity of the transactions that take place, not just guaranteeing the identity of the user."
In an exclusive interview on security and compliance trends, Ferguson discusses:
- The state of cloud computing at banks;
- Cloud security hurdles that must be cleared;
- Regulatory compliance trends to track in 2011.
As Director of Security Research and Communications for Trend Micro, Ferguson interacts with CIOs from a wide variety of European and global multinational blue-chip enterprises, government institutions and law enforcement organizations. Recognized as an industry thought leader and analyst, he is regularly quoted by the press on issues surrounding information security, cybercrime and technology futures. With over 15 years' experience in the IT industry at companies such as EDS, McAfee and Xerox, Ferguson's broad experience gives him clear insight into the challenges and issues facing businesses today.
TOM FIELD: To start out, Rik, why don't you tell us a little bit about yourself, your experience and your role with Trend Micro, please?
RIK FERGUSON: I've been working in the IT industry since, I guess, about 1994, so it's been a while now. I did a fair few years working in technical support, but then I moved to working for a system integrator designing secure systems, mostly for blue-chip and government accounts. I've been with Trend Micro now for three years, and prior to that I was about five years with McAfee, working obviously in the same industry. Right now I'm actively engaged in ongoing threat research and security research, and I work closely with our customers to help them understand the challenges they face through the adoption of new technology and the kinds of security technologies that need to be applied.
The Problem with Multifactor
FIELD: Very good. I'd be curious to get your perspective on what you see as the top security threats today to U.K. banking institutions, and I'd be particularly interested in what's unique from those that we see in the U.S. and elsewhere.
FERGUSON: I think in Europe in general, and certainly in the U.K., the deployment of two-factor authentication happened a lot sooner, and it's been a lot more widespread than, according to my impression, it has been in the U.S. I've spoken to friends and colleagues from the U.S., and certainly some of them are still relying on simple user name and password combinations to access their online accounts. And I think that's one of the major challenges for banks, actually -- keeping their losses to a minimum from the theft of consumer information and business information when it comes to accessing those accounts and making unauthorized transfers of funds.
The problem really stems from the really well-established underground economy, where this kind of information is traded and you can buy access to an online bank account for 2 or 3% of the available balance in the account. You can buy whole identities for as little as $10 U.S. dollars. So that thriving and established underground economy is really what's driving the risks to financial institutions ...
FIELD: Rik, you talked about multifactor authentication. I'd like to hear more about that because as you know in the U.S. now there is pending guidance about multifactor authentication. In your experience, what works and what still needs work with multifactor authentication and banks?
FERGUSON: You know, that's a really interesting question, because I think the answer is often misunderstood. Multifactor authentication is perceived by many as being the panacea, the thing that will resolve [everything]: if we give all of our users some kind of USB token, or if we give them SMS passwords or a sheet of paper with one-time passwords on it, then we're good. But the real problem is that we're not authenticating the right thing. What we're doing is authenticating the person. So the person is proving that they are who they say they are by use of multiple factors, and that could be receiving an SMS through the mobile phone. It could be using a password from a sheet of paper. Multifactor authentication is based traditionally on something you know, which usually is your password; something you have, which could be your USB token or your mobile phone or something like that; and sometimes on something that you are, which is, you know, the biometric factor. Obviously rolling out biometrics in a financial institution is atypical because you need to make sure that every customer's PC has access to some kind of biometric reader. So we're relying more on things like tokens and one-time passwords.
So ... what I mean is we sit in front of our computers, we open a browser, we connect to our banking website. We enter our user name, certain digits from our password and then our one-time code, and at that point we establish a secure tunnel between the client and the financial institution. What we need to remember is that malware has developed to the point where it can sit inside the browser of the infected computer and intervene in any transactions that we make, even if it's in a secure tunnel. So I could be telling my browser to tell my bank that I want to transfer $500 U.S. dollars or 500 pounds to my mum, and I have to rely on my browser to relay that information intact to the bank. Of course, if a criminal is inside my browser, he can modify that transaction and change it from $500 to $5,000, transferring not to my mum but to some money mule somewhere. When the bank sends the reply, the first person to see the reply is the criminal in the browser ... Malware is absolutely doing that already.
So, when we create that privileged environment, yes, we authenticate the person and we prove that we are who we say we are, but we don't do anything at all about verifying the integrity of the transaction. That's where we need to focus our technology: on guaranteeing the integrity of the transactions that take place, not simply the identity of the user.
Cloud Computing
FIELD: Rik, to go in another direction entirely, I'd like to talk about cloud computing with you. What would you say is the state of cloud computing today with banks in the U.K.?
FERGUSON: I think a lot of enterprises in general -- and I don't mean banks and financial institutions are any exception to this -- definitely see the benefits from building and using cloud. I think there is more reticence when it comes to using public clouds than private clouds for obvious reasons. It's a heavily regulated industry, and they have limitations on what they can do with the way they continue to store the kinds of protection that should be applied. But I think the problem is that the term "cloud" means different things to different people.
So, I think instead of talking about cloud, it's more important from a technological perspective to focus on the engines that drive the cloud, and to my mind that's virtualization and storage area networks. Without those two technologies, the whole concept of cloud wouldn't be possible and it's certainly true to say that there are new risks that arise within those kinds of environments that were not present in their physical format.
So with virtualization, first of all, the systems are much more mobile, especially in a private cloud environment. You can never be sure on which server a system will come to life at any given point in time, and you can never be sure exactly where your data will be stored at any point in time, and those problems are exacerbated when you talk about a multi-tenant environment, whether that's public cloud or a multi-tenant cloud. We may end up with mixed trust level virtual machines on the same hypervisor, and when it comes to auditing we need to make sure we can effectively segregate those machines one from another ... and the same is true not just for systems, but also data.
But when data is stored in a storage area network, the audit is in the checks of who is accessing that data: is it just your department, or is it a department who shouldn't have access? Is it your service provider who's gaining unauthorized privileged information? How do you audit the access? How do you demonstrate compliance?
So, we're in an era now where the traditional physical perimeter of a network ... is blurred almost to the point of indistinction, and we need to make sure that we can deploy technologies that are capable of securing each individual virtual machine at the perimeter of that virtual machine to effectively segregate them on the same hypervisor, and we need to make sure that we can encrypt the data that we put into clouds, whether private or public, so that it can't be accessed by people who don't have the authority. And that includes the service provider, and the only way we can really achieve that is to reflect the use of encryption where the data owner maintains ownership of the keys to that data.
FIELD: Well, we've all had a number of challenges there, and one of the things I found to be resonant at this year's RSA Conference in the U.S. was that whereas a year ago the CEOs were all talking about going to the cloud, this year it seemed like the CISOs were all saying "We've got security issues that need to be addressed." What issues do you see that the banks have addressed, and what are the big ones that remain to be tackled?
FERGUSON: Yeah, I think when you talk about C-level executives, as you said, security means different things to different people. I think for a C-level executive security is really all about control and accountability, and this move to the cloud is something which is being driven in the most part by the commercial side of the business. People see a lot of commercial benefits with moving into the clouds: its scalability enhancements, performance enhancements, lower in cost ...
Now, you can't outsource accountability. That's not something that's legally possible. So executives are left in this uncomfortable position where they maintain accountability for the security of their data, but they don't feel that they have the control. And I think we're just about at the point now where technology is beginning to allow the CISOs, the people who feel the need to maintain technical control over their systems and data, to do so, where the security industry is beginning to give them the tools that give them the necessary level of comfort to actually begin to embrace that move to cloud.
2011 Trends
FIELD: We've talked about a fair amount in this conversation. We've touched upon web authentication, we've touched upon cloud computing. Rik, what are some of the specific security and particularly compliance trends that you are looking at in 2011?
FERGUSON: When it comes to finance, obviously, the biggest driver is definitely compliance, and one of the things that can make that quite cumbersome and unwieldy is determining the scope of the audit. As I mentioned before, when you move to virtualization you can very quickly begin to lose control of the scope of that audit, as you have these mixed trust levels. So that's definitely a challenge when it comes to planning your virtualization deployment. Other problems, certainly in Europe, are related to the European directive on breach prevention, which has been translated into national legislation in each of the member countries of the European Union. All of them do so in slightly different ways, some more strict and some less strict, but they're all based around the same directive, and that's about protecting the security of personal information, anything which is personally identifiable. So we're talking about things like, you know, the European equivalent to Social Security Numbers; we're talking about names, addresses, dates of birth, and then there are other kinds of information which may or may not be held by financial institutions which can be classified as being even more sensitive. That's things like religion, sexual orientation, those kinds of more personal information, and every organization that is a data owner is under a legal obligation to protect that data from breach, and in the event of a breach the penalties can be quite severe. Again, they vary from country to country, but they almost all include the notion of some quite stiff financial penalties, and in some jurisdictions can even include jail time.
So there are a lot of financial institutions looking at some kind of protection for data in storage, so that's more the encryption side of things, but also protection of data in transit and making sure the information is not leaking inappropriately from organizations, so that's more, you know, the DLP technology side of things. The biggest challenge for institutions ... is actually being able to identify what data they have, where it is, who should have access to it and what kind of actions should be allowed, in order to even begin building out that policy. I mean, I spoke to one of the big four banks in the U.K. at a meeting in London recently, and they came very clean and said, "We know where our data is; it's one big amorphous blob in the data center. But we have no idea of exactly what we hold or who should have access to it, or in fact who's doing what with that data." And that's probably one of the biggest challenges to financial organizations right now: that initial identification and audit process around it.
FIELD: Well, Rik, a final question for you. If you were to give banking institutions a piece of advice on how to tackle that challenge, what would your advice be?
FERGUSON: I think when you're talking about the larger financial institutions, you need to get external advice when it comes to the identification and classification of data. But I think one of the most important things that you can do is not simply rely on the responses that you will get to paper-based or interview-type questionnaires about how people are accessing and using data. Because more often than not, people will tell you what they think they should be doing with data, but it's much more of a challenge to find out exactly what people are doing with data. It's important to put some technology in place that is capable of monitoring what is actually happening with information you deem sensitive on your network, and doing some kind of gap analysis between what people think they're doing and what people are actually doing, so that you have the real picture of where you stand, so your baseline is correct and enables you to plan security effectively from that point on.
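Ferguson's point that the transaction, not only the user, must be authenticated can be illustrated with a confirmation code that is bound to the payee and amount. The following is an added example written for this page, not code from the interview or from Trend Micro; the shared device secret, the payee names and the amounts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-customer secret shared between the bank and the customer's
# trusted out-of-band device (a signing token or the phone that shows the code).
DEVICE_SECRET = b"constructed-per-customer-secret"


def transaction_code(secret: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Derive a short code bound to the exact transaction details.

    The nonce is a bank-issued per-transaction challenge, so a captured code
    cannot be replayed; the delimiter keeps payee and amount unambiguous.
    """
    message = f"{nonce}|{payee}|{amount_cents}".encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Eight decimal digits, a size a customer can read off a device and type in.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def customer_signs(intent: dict, nonce: str) -> str:
    """The trusted device displays and signs what the customer intends,
    independently of whatever the browser later submits."""
    return transaction_code(DEVICE_SECRET, intent["payee"], intent["amount_cents"], nonce)


def bank_verifies(received: dict, nonce: str, code: str) -> bool:
    """The bank recomputes the code over the details it actually received,
    so any change made in the browser breaks the match."""
    expected = transaction_code(DEVICE_SECRET, received["payee"], received["amount_cents"], nonce)
    return hmac.compare_digest(expected, code)


def browser_relays(intent: dict, tampered: bool) -> dict:
    """Simulates the browser path; the tampered case models malware rewriting
    the payee and amount after the customer has already authenticated."""
    if tampered:
        return {"payee": "money mule", "amount_cents": 500_000}
    return dict(intent)


def run_transfer(tampered: bool) -> bool:
    """End to end: intent -> device code -> (possibly altered) submission -> bank check."""
    nonce = secrets.token_hex(8)
    intent = {"payee": "mum", "amount_cents": 50_000}  # 500.00 in constructed units
    code = customer_signs(intent, nonce)
    submitted = browser_relays(intent, tampered)
    return bank_verifies(submitted, nonce, code)
```

The user's login factors are unchanged in both runs; only binding the code to the details the customer actually saw lets the bank reject the altered transfer.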