ISSA's SoCal Security Symposium
Great information but forgot a key security component: User Authentication.
On Wed 26th of October I attended the Information Systems Security Association (ISSA) Security Symposium in Long Beach, California. Different security leaders discussed poignant topics, from “Checklist for Addressing Breach Readiness” by Ali Pabrai (CEO, ecfirst.com) to the lighter-hearted presentation “Security from the Cloud, for the Cloud, and by the Cloud” by David Perry (Global Director Education, Trend Micro). There were also a number of vendor stations discussing a wide array of security products and services.
With so many state and federal data protection laws, and the high costs to a company after a network breach, network security is finally being discussed at the “C-Level” and by the boards of directors. The consensus among these experts is not “if” a cyber attack will occur but “when” you will finally discover the breach. Or, putting it another way, there are two kinds of companies: those that have been breached and those that just don’t know it yet.
I have written numerous articles, white papers and blog posts on the importance of network security. Just as physical access control systems are important for building security, authenticated access control systems are important to network security. Just as building security is made up of multiple components (door locks, alarms, fences, guards, CCTV, etc.) depending on the risk and value of the content inside the building, network security also requires many components (firewalls, anti-whatever software, abnormality monitoring, encryption, identity management, etc.). However, there was one key component I felt was missing from the show: User Authentication.
It was stated that the first line of defense of a network is the firewall. So the focus has been on having a strong, up-to-date firewall. I agree with its importance, but to me the first line of defense has to be strong user authentication. I’m not talking about user authentication to the public website but into the internal corporate network. The use of a multi-factor smart card has to be a component.
When IT companies rely on just user names and passwords, they are fooling themselves that they have network security. Grabbing, sniffing, capturing and hacking passwords has become child’s play. Disgruntled employees, dishonest contractors or money-seeking visitors will do anything and everything, from leaving malware-infected USB drives on a desk to over-the-shoulder surfing, to get passwords. When IT comes up with policies that require longer, more complex passwords that have to be changed frequently, this only makes matters worse, not better. These policies drive employees to do stupid things like write passwords down on sticky notes, where cell phone cameras can capture them.
Once user authentication is established, the smartcard can be used to securely pass through the firewall and into the identity management system that determines the user’s rights and privileges. Strong user authentication is also a must if you have any interest in moving important data into the cloud.
In conclusion:
ISSA held a very valuable and informative symposium; many companies are addressing all different security aspects; the importance of security is finally being discussed at the top levels within a company; and the cost of a data breach can be devastating to a company. So as your IT department develops procedures to safeguard the network, don’t overlook the importance of strong user authentication before ever touching the network.
About the Author
Dovell Bonnett has been creating security solutions for computer users for over 20 years. In order to provide these solutions to consumers as directly, and quickly, as possible, he founded Access Smart. With each of his innovations, the end user — the person sitting in front of a computer — is his No. 1 customer.
This passion, as he puts it, to “empower people to manage digital information in the digital age” also led him to write the popular Online Identity Theft Protection for Dummies. Given the pervasive nature of our e-commerce and e-business community, personal information, from credit card numbers to your pet’s name, is more easily accessed, and identity theft and fraud have become an issue that touches every consumer.