Townsend Security Data Privacy Blog

PCI DSS 3.2 and Two Factor Authentication (2FA)

Posted by Patrick Townsend on Apr 28, 2016 9:14:00 AM

Capturing administrative credentials as a path to stealing sensitive credit card data is becoming a more common method used by cybercriminals. It is not surprising, then, that the PCI Security Standards Council would address this rising threat in the new version of the PCI Data Security Standard (PCI-DSS). For some time now the PCI council has been telling merchants, service providers, and banks that it would more aggressively respond to emerging threats, and version 3.2 of the PCI-DSS standard reflects this.

One of the most effective ways of countering this threat is to implement two factor authentication (2FA or TFA). This is also sometimes called multi-factor authentication (MFA), and the two terms are used interchangeably. If you use Google, Facebook, Yahoo, or any number of other Internet services you are probably already aware of two factor authentication as a security mechanism. With two factor authentication you no longer provide just a password to login as an administrator of an account, or to make administrative changes to your systems. You must supply a 5- or 6-digit PIN code to complete the login sequence. The PIN code is generated separately from your signon prompt and thus is harder for cybercriminals to capture.

A password is something you know, so the second factor for authentication must be something you have such as a cell phone or token, or something you are such as a fingerprint or iris image. Secret questions don’t qualify as a second factor as they are also something you know, like the password. A general description of two factor authentication can be found here.

Prior to version 3.2 of the PCI Data Security Standard, remote users were required to use two factor authentication for access to all systems processing, transmitting, or storing credit card data. With version 3.2 this is now extended to include ALL local users performing administrative functions in the cardholder data environment (CDE). This makes sense as user PCs can be infected with malware that leads to the compromise of administrative credentials. It hardly matters anymore if the user is local or remote.

Why is this a big deal?

First, many companies processing credit card data do not have remote workers, and 2FA will be new technology. Even if you have remote administrators, they are probably authenticating with 2FA via a VPN session which will not work with internal administrators. This means evaluating new 2FA solutions, deploying them in all of your CDE environments, training employees on how to use the technology, and implementing new HR procedures to manage employees and access to 2FA.

Second, many 2FA solutions require deployment on hardware servers that must be deployed and maintained. There may be impacts on the company network and firewalls, and it means a new technology ramp-up. This includes addressing hybrid environments that may encompass traditional IT data centers, virtualized environments, and cloud applications. If the 2FA solution is based on hardware tokens that employees have to carry, you will have to manage the distribution, revocation, and replacement of tokens.

Third, many merchants have complex cardholder data environments and a 2FA project can be daunting. Think about a large box store retailer. Besides the normal check-out Point-of-Sale systems, they might have pharmacy, optical, automotive, and many other departments under the same roof. The CDE might be complex and extensive and the 2FA effort may be large depending on how much administrative work is performed locally.

Last, it is not enough to deploy a 2FA solution. It must be properly monitored in real time. An attacker may attempt to guess or brute-force attack the PIN code. A good 2FA solution will log both successful and unsuccessful PIN validation requests. The logged failures should be monitored by a SIEM solution so that the security team can react to the threat quickly.
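As an added illustration of the monitoring point above (not Townsend Security code), the following Python script applies the kind of rule a SIEM would run over 2FA validation logs: it flags a burst of failed PIN validations for one user from one source address, and separately flags a success that arrives right after such a burst. The key=value log layout is constructed for this example; a real product's log format will differ.

```python
"""Spot PIN brute-forcing in 2FA validation logs.

Added illustration, not Townsend Security code: the key=value log layout
below is constructed for this example; a real product's log format differs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user profile, source IP, PIN result.
SAMPLE_LOG = """\
2016-04-28T09:00:01 user=QSECOFR ip=10.1.2.3 pin=OK
2016-04-28T09:05:10 user=PAYADM ip=10.1.2.50 pin=FAIL
2016-04-28T09:05:12 user=PAYADM ip=10.1.2.50 pin=FAIL
2016-04-28T09:05:15 user=PAYADM ip=10.1.2.50 pin=FAIL
2016-04-28T09:05:19 user=PAYADM ip=10.1.2.50 pin=FAIL
2016-04-28T09:05:23 user=PAYADM ip=10.1.2.50 pin=FAIL
2016-04-28T09:05:30 user=PAYADM ip=10.1.2.50 pin=OK
2016-04-28T09:30:00 user=OPSADM ip=10.1.2.7 pin=FAIL
2016-04-28T09:31:00 user=OPSADM ip=10.1.2.7 pin=OK
"""

FAIL_THRESHOLD = 5              # failures that count as a guessing burst...
WINDOW = timedelta(minutes=10)  # ...when they fall inside this sliding window


def parse_line(line):
    """Parse one constructed log line into (time, user, ip, succeeded)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["ip"], kv["pin"] == "OK"


def find_pin_alerts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for (user, ip) pairs that reach `threshold` failed PIN
    validations inside `window`, and for a success that follows such a burst
    (a guess that finally landed is the event the SIEM most needs to surface)."""
    failures = defaultdict(list)   # (user, ip) -> recent failure timestamps
    burst_reported = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, ip, ok = parse_line(raw)
        key = (user, ip)
        times = failures[key]
        while times and when - times[0] > window:   # age out old failures
            times.pop(0)
        if ok:
            if len(times) >= threshold:
                alerts.append({"kind": "success_after_burst", "user": user,
                               "ip": ip, "failures": len(times),
                               "at": when.isoformat()})
            times.clear()
            burst_reported.discard(key)
            continue
        times.append(when)
        if len(times) >= threshold and key not in burst_reported:
            burst_reported.add(key)
            alerts.append({"kind": "pin_bruteforce", "user": user, "ip": ip,
                           "failures": len(times), "at": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_pin_alerts(SAMPLE_LOG):
        print("%(kind)s: user %(user)s from %(ip)s, %(failures)d failures, "
              "last event %(at)s" % a)
```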

Here at Townsend Security we provide a solution to IBM i (AS/400, iSeries) customers that is based on mobile, voice, and optional email delivery of PIN codes. Alliance Two Factor Authentication integrates directly with the global Telesign network to deliver PIN codes. A customer who needs to deploy two factor authentication can install, configure and verify a 2FA PIN code sequence in less than 30 minutes. There is no hardware to install or maintain, and there are no individual tokens to distribute and manage. We think that this solution will help many IBM i customers quickly achieve compliance with version 3.2 of PCI-DSS and PA-DSS. More information here:

In future blogs I will talk more specifically about our solution.

Patrick


Topics: 2FA, two factor authentication

Our Top 10 Most Popular Data Security Blog Posts of 2014

Posted by Michelle Larson on Dec 31, 2014 10:37:00 AM

Encryption, Key Management, and Data Security…Oh My!

This has been a busy year at Townsend Security with the addition of 2FA, the introduction of Key Management in AWS, Azure, and Key Connection for Drupal. Looking back over our data security blog and the most-viewed topics, I wonder... Did you miss out on any of these?  Take some time to check them out!

Heartbleed

Heartbleed and the IBM i (AS/400)

by Patrick Townsend  (April 11, 2014)

Key take-away: It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

From the blog article you can download additional content:  
Ebook: Turning  a Blind Eye to Data Security

What are the Differences Between DES and AES Encryption?

by Michelle Larson  (September 4, 2014)

Key take-away: Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).

From the blog article you can download additional content:    
White Paper: AES Encryption & Related Concepts

Encryption & Key Management in Windows Azure

by Michelle Larson  (February 13, 2014)

Key take-away: In February 2014 we released the first encryption key manager to run in Microsoft Windows Azure. This blog highlights four of our most frequently asked questions about providing data security IN the Cloud.

From the blog article you can download additional content:    
Podcast: Key Management in Windows Azure 

Homomorphic Encryption is Cool, and You Should NOT Use It 

by Patrick Townsend  (October 6, 2014)

Key take-away: Homomorphic encryption is a promising new cryptographic method and hopefully the cryptographic community will continue to work on it. It has yet to achieve adoption by standards bodies with a proper validation process.

From the blog article you can download additional content:  
eBook: the Encryption Guide

Authentication Called For By PCI DSS, HIPAA/HITECH, and GLBA/FFIEC

by Michelle Larson  (March 24, 2014)

Key take-away: Two-factor authentication (2FA) plays a critical role in both meeting compliance regulations and following data security best practices. This trend will only grow within various industries and throughout the overall data security environment.

From the blog article you can download additional content:  
2FA Resource Kit: White paper, Webinar, Podcast

Encrypting Data In Amazon Web Services (AWS)

by Patrick Townsend  (August 28, 2014)

Key take-away: Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. This blog explores some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this sensitive data.

From the blog article you can download additional content:  
Podcast:  Encrypting Data in AWS

Key Connection - The First Drupal Encryption Key Management Module

by Michelle Larson  (February 21, 2014)


Key take-away:  Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user account that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

From the blog article you can download additional content:   
Podcast: Securing Sensitive Data in Drupal

Nine Guidelines for Choosing a Secure Cloud Provider

by Patrick Townsend  (July 8, 2014)

Key take-away: Security professionals (CIOs, CISOs, compliance officers, auditors, etc.) and business executives can use the following set of key indicators as a way to quickly assess the security posture of a prospective cloud provider and cloud-based application or service. Significant failures or gaps in these nine areas should be a cause for concern and suggest the need for a more extensive security review.

From the blog article you can download additional content:  
eBook: The Encryption Guide 

Never Lose an Encryption Key in Windows Azure       

by Patrick Townsend  (March 7, 2014)

Key take-away: This blog discusses backup/restore, key and policy mirroring, availability sets, and mirroring outside the Windows Azure Cloud.  Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

From the blog article you can download additional content:    
Free 30-day Evaluation of Alliance Key Manager for Microsoft Azure

3 Ways Encryption Can Improve Your Bottom Line

by Michelle Larson  (May 20, 2014) 

Key take-away: In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. This blog takes a look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Additional content:  You’ll also discover that this is the third time in this Top-10 list that the eBook: The Encryption Guide is offered… so if you haven’t read it yet… what are you waiting for?


Topics: Data Security, Encryption, Best Practices, Amazon Web Services (AWS), Encryption Key Management, Virtualized Encryption Key Management, two factor authentication, Microsoft Windows Azure

Two Factor Authentication: A Step to Take for Better IBM i Security

Posted by Patrick Townsend on Jul 23, 2014 1:39:00 PM

Security can be hard, expensive, complicated, aggravating, confusing, and did I mention expensive?


As a security company, we hear this perception from new customers all the time. But there is one thing you can do for your IBM i that breaks all of these stereotypes. You can get an immediate boost in system security without much expense and without a big headache. And your users are already using this security technique on their favorite web sites.

Increase Security with Two Factor Authentication (2FA)

Almost every day a phishing email gets through our spam filters and lands in my inbox. Some of these emails are very nicely crafted and look like the real thing. The graphics are professional, the English is excellent and matches my expectations. The terminology is appropriate. Really nice work. And the links in the email are pure poison. Just waiting for that unsuspecting click to start installing malware on my PC to capture my IBM i user profile and password information.

Yup, that’s how it started at Target.

The great thing about Two Factor Authentication is that it gives businesses a lot of additional security for very little upfront cost. The aggravation factor has almost gone away. You no longer need large, expensive servers and tokens that always seem to get lost at just the wrong time. Your IBM i can do exactly what Google, Yahoo, Facebook, your bank, and many other Internet companies are doing to make security better. And your users already have the device they need - their mobile phone!

Alliance Two Factor Authentication uses the same network services and infrastructure that the big boys use for 2FA. This security solution leverages the Telesign global network to deliver PIN codes right to your mobile phone. No servers to rack up and maintain. No lost tokens.

I know, you have some reservations:

I don’t always have signal to my cell phone.

That’s OK, just send the PIN code to your voice phone. A nice lady will read you the code.

I’m in a hurry, I can’t wait for a PIN code.

PIN codes are often delivered in under a second. If you’ve got a mobile provider with a slow network, just have the PIN code delivered to your mobile phone as a voice call.

I left my cell phone home!

Right, just use one of your One Time Codes. No phone of any kind needed!

My IBM i is in Restricted State, it won’t work for me.

Alliance Two Factor Authentication does work in restricted state with a couple of steps.

I don’t want to have to enter a PIN code every time I log on, that’s just way too much work.

Don’t worry, your security administrator can configure Alliance Two Factor Authentication to only ask you once a day to authenticate, or at a user-defined interval. And if an attacker tries to access the IBM i from another device or IP address, they will have to authenticate. And that’s going to be hard to do when you have your mobile phone in your possession.
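As an added illustration of the policy just described (not the Alliance product's code), the following Python model challenges for a PIN the first time a user profile is seen, after the configured interval, or whenever the same profile arrives from a different IP address; it also gives issued PINs a short lifetime and forces a fresh PIN after a few wrong guesses. All class names, limits and the constant-time comparison are assumptions of this example, and PIN delivery by SMS or voice is not modelled.

```python
"""Model of the challenge policy described above.

Added illustration, not the Alliance product's code: a PIN is required the
first time, after the configured interval, or whenever the same user profile
arrives from a different IP address; PINs expire and lock out after a few
wrong guesses. All names and limits here are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PIN_DIGITS = 6
PIN_LIFETIME = timedelta(minutes=5)  # assumed: a PIN must be used promptly
MAX_ATTEMPTS = 3                     # assumed: wrong guesses before a new PIN is needed


@dataclass
class PendingPin:
    pin: str
    issued_at: datetime
    attempts: int = 0


@dataclass
class Verified:
    ip: str
    at: datetime


@dataclass
class TwoFactorPolicy:
    interval: timedelta = timedelta(days=1)       # "once a day" by default
    pending: dict = field(default_factory=dict)   # user -> PendingPin
    verified: dict = field(default_factory=dict)  # user -> last Verified

    def needs_challenge(self, user, ip, now):
        """Return why a PIN is required, or None if the session is still trusted."""
        rec = self.verified.get(user)
        if rec is None:
            return "no verification on record"
        if rec.ip != ip:
            return "request from a different IP address"
        if now - rec.at >= self.interval:
            return "trust interval expired"
        return None

    def issue_pin(self, user, now, rng=secrets.randbelow):
        """Create a zero-padded PIN for SMS/voice delivery (delivery not modelled)."""
        pin = "%0*d" % (PIN_DIGITS, rng(10 ** PIN_DIGITS))
        self.pending[user] = PendingPin(pin, now)
        return pin

    def verify_pin(self, user, ip, submitted, now):
        """Check a submitted PIN; on success remember (user, ip, time) as trusted."""
        p = self.pending.get(user)
        if p is None:
            return False, "no PIN outstanding"
        if now - p.issued_at > PIN_LIFETIME:
            del self.pending[user]
            return False, "PIN expired"
        p.attempts += 1
        # Constant-time comparison so a wrong PIN leaks nothing via timing.
        if not hmac.compare_digest(p.pin.encode(), submitted.encode()):
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[user]  # guessing burst: force a fresh PIN
                return False, "too many failed attempts"
            return False, "wrong PIN"
        del self.pending[user]
        self.verified[user] = Verified(ip, now)
        return True, "verified"
```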

We’ve made Alliance Two Factor Authentication easy to evaluate and deploy on your IBM i. You can request a free 30-day evaluation from our web site and be up and running within an hour. You can start slowly with a few users, and then roll it out to everyone in your organization. They’ll get it right away.

You don’t have to be the next Target. Get cracking (so to speak).

Patrick


Topics: 2FA, IBM i, two factor authentication

Two Factor Authentication (2FA) on the IBM i

Posted by Luke Probasco on May 14, 2014 3:30:00 PM

Google is doing it.  Amazon is doing it, too.  Apple, Microsoft, Facebook, and Twitter have also been using it.  What is stopping you from deploying two factor authentication on your IBM i?

How do you stop a hacker who has just accessed a username and password that allows them *ALLOBJ authority on your IBM i?  Despite your best efforts at locking down user accounts, including enforcing complex and unique passwords, your most restricted credentials are now in the hands of hackers.
 
For companies who have deployed a two factor authentication solution on their IBM i, the situation is less dire.
 
While the IBM i is generally considered a very secure platform, it is still susceptible to hackers.  Most users access the IBM i via PCs, which are constantly being targeted with malware.  Malware on a PC can easily capture usernames and passwords, send that information to a hacker, and in turn, open your systems up to a data breach.  Other points of attack include:

  • Memory scraping
  • Stolen vendor credentials
  • Stolen user passwords from external web services

Fortunately, there is still a way to stop hackers who have your top credentials – with two factor authentication.  By requiring two of the following for their users, businesses can easily enhance their security in a cost-effective way:

  • Something you know, such as a password
  • Something you have, such as a phone or fob
  • Something you are, such as a fingerprint

In Verizon’s “2014 Data Breach Investigations Report”, the company found that of the 63,437 total security incidents that occurred in 2013, “stronger passwords would help reduce the number of incidents, but larger organizations should also consider multiple factors to authenticate third-party and internal users.”  The report continued, “Two-factor authentication will help contain the widespread and unchallenged re-use of user accounts.”

Choosing a Two Factor Authentication Solution

Historically, companies used physical tokens (something you have) to provide authentication on the IBM i beyond username and password.  Unfortunately, tokens increasingly do not make fiscal sense for enterprise IT departments who have to deploy, manage, and troubleshoot these tokens.  Further, tokens are not foolproof as the recent attack on RSA proved.

Innovative solutions, such as Alliance Two Factor Authentication, that leverage the phone as a reliable means of out-of-band authentication have emerged. For example, instead of tokens, businesses can simply send an SMS or voice message containing a one-time authentication code to the IBM i user’s phone. This means cyber criminals cannot log into the IBM i without physical control of the actual phone.

Mobile-based two factor authentication solutions have become the preferred choice for businesses who don’t want the added expense of security tokens and the overhead of deploying and maintaining an appliance.  By deploying a two factor authentication solution on the IBM i, businesses can protect their critical data and operations, as well as their reputation, by adding an additional, cost-effective layer of security.

For more information, download the white paper Two Factor Authentication on the IBM i – Security Beyond Usernames and Passwords to learn more about why the IBM i may not be as secure as you think, the need for authentication on the IBM i, and how to meet compliance requirements with two factor authentication.


Topics: two factor authentication, Alliance Two Factor Authentication

The Target Data Breach: Could Two Factor Authentication Have Prevented It?

Posted by Patrick Townsend on Jan 30, 2014 2:09:00 PM

Today we learned that the Target data breach may have started when hackers used stolen vendor credentials to access a Target web site or application. The application and vendor are not known at this point, but there are some lessons we can learn from this breach:

You should be sure that your vendor applications do not have fixed administrative passwords or backdoor passwords. Talk to your vendors and get their responses in writing. Don’t deploy any vendor solution that has fixed passwords that can’t be changed.

You should change any default passwords on installation of vendor solutions.

  • Use strong passwords and regularly change them
  • Use Dual Control and Separation of Duties for any highly privileged users such as system and security administrators
  • Add additional security methods to protect against this type of attack (read on)

Is there anything we can do to mitigate this type of attack?

Yes, the use of Two Factor Authentication (sometimes called Multi Factor Authentication) can go a long way towards preventing this type of attack. We know that passwords alone are a poor means of authenticating a user and providing protected access to applications. Passwords are easily guessed, are often very weak, and can be stolen from our systems or from a third-party system. Two Factor Authentication (2FA) makes it difficult to use a stolen password to access a sensitive system.

How does Two Factor Authentication work?

Two Factor Authentication adds something new to your authentication process. In addition to providing a password (something you know) to access a system, you must also authenticate with something you have (such as a mobile phone or hardware token) or something you are (fingerprint or iris scan). By adding an additional authentication method that is not readily accessible to a hacker, you get much more security.

Mobile phones are ubiquitous and have become a common way to implement 2FA. After providing a password to a web site or application, a PIN code is sent to your phone via an SMS text message or voice phone call. You have to provide the correct PIN code in order to continue. This is the method that Google and Yahoo offer, and is a common feature in on-line banking web sites. A hacker may steal password credentials, but it is much harder to take control of your phone.

In recognizing the need for better access security we recently released our new Alliance Two Factor Authentication solution for the IBM i platform. It is intended to mitigate exactly this type of attack using mobile-based 2FA.


Topics: 2FA, Data Breach, two factor authentication

RSA 2011 Security Take Away: Mobile Two Factor Authentication is Hot

Posted by Patrick Townsend on Feb 28, 2011 8:26:00 AM

One thing that jumped out at me at this year’s RSA conference in San Francisco was the number of new vendors showing off mobile identification solutions.  There were at least four new vendors of mobile-based two factor authentication solutions, and one regular exhibitor with a new entry in this area. These vendors didn’t have the biggest booths or the most lavish give-aways, but as a category they certainly made a big splash.

I think there are really two things responsible for this big change:  Two factor authentication is now more important for security, and everyone now carries a cell phone or mobile device. The second part of this is completely obvious. In fact, I often see people carrying multiple cell phones. The ubiquity of the cell phone makes them an ideal platform to deliver a one-time password or PIN code. And phone numbers are a lot easier to manage than hardware tokens.

The first part of this, the change in the security landscape, is not as well known to many people. As we’ve moved to a de-perimeterized security reality, we are more dependent on passwords to authenticate the users of our systems. And security professionals know how weak that dependence is. People who access our systems persist in the use of weak passwords, and the bad guys get better and better at password cracking and harvesting. By itself, password authentication is a poor defense, and that’s why two factor authentication is getting a lot of attention.

So what is two factor authentication? It means that you use two different authentication methods to access a system. Those authentication methods include:

  • Something you know (like a password or PIN code)
  • Something you are (fingerprint, iris)
  • Something you have (cell phone, HID card, hardware token)

By combining two of these authentication methods during system access you greatly reduce the chance of a security breach. For web applications, you generally find the use of a password with a PIN code generated with a hardware token (something you know, something you have), because it is really hard to use a fingerprint reader or iris scanning device (something you are).  And that’s why cell phone based two factor authentication is picking up steam.

Don’t be confused by security systems that use one factor twice. I’m sure you’ve seen it at work on banking web sites. First you enter a password, then you answer a personal question (where were you born, the age of your oldest child, etc.). This is one factor authentication (something you know) used twice. This is when 2 times 1 is not equal to 2.  The use of one factor authentication twice does not add up to two factor authentication, and does not provide the same level of security.

Cell phones and mobile devices are a great way to deliver that second authentication factor. You have to have your cell phone to get the one time PIN code used for authentication. And everyone has one.

For more information on data security and compliance issues, visit the regulatory compliance section of our website to learn more.

Patrick

Topics: system security, two factor authentication, mobile identification