The Growing Challenge Of Identity Management
Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with fewer incidents reported by smaller companies. The survey found that incidents arose from staff gaining unauthorised access to data, staff obtaining and misusing confidential information, financial theft or fraud, and impersonation or phishing attacks. While the incidence of fraud was low, its impact was greater than for any other type of security incident. Several small businesses lost between £10,000 and £50,000 as a result of fraud, and one large bank lost millions.

Identity management has been a problem for many years, but recent changes to the security landscape have made the risks greater. The growth of mobile computing and remote access are important factors. Couple this with the rapid rise of wireless and the growth in access to applications, and you have significantly increased the opportunities for unauthorised access into your network. At the same time, the internal threat of staff gaining access to confidential information remains as high as ever. Alongside this, the range of potential breaches has materially increased, with problems such as pharming, phishing, spyware, keyboard logging, war-driving, etc. on the increase. A number of issues arise in this new landscape. How do you ensure that users activate security features when they connect to the Internet? How do you get them to protect confidential information and guard against threats such as spyware? And not least, how do you manage access to their machines by other colleagues, family or friends? This is a challenging picture, and the continued reliance on weak single-factor authentication looks increasingly ostrich-like.
The DTI 2006 survey found that some 96% of large companies and 93% of all companies are still using single-factor authentication to authenticate users. There isn't a single answer to resolving these problems, but a number of options. There is one thing, however, which is certain: single-factor authentication (passwords) is not enough. There are a number of authentication options:

- single sign-on is a step forward, but requires superior identity management
- two-factor authentication is much better and involves the use of authentication tokens, biometric devices, etc.
- three-factor authentication is far superior and involves something you know (e.g. password), something you have (e.g. authentication token) and something you use (e.g. device authentication)

Article courtesy of Security Park
Smart Card Technology
The ID card debate continues to rage, with questions over the purpose, necessity and logistics of a nationwide roll-out still to be answered. In the background, a few organisations are starting to invest in increasingly sophisticated identity authentication technology. Banks including LloydsTSB and HSBC are already starting to roll out token-based solutions, which combine the traditional username and password with a one-time code generated by a keyring-style token, in order to combat ID fraud. It is encouraging to see that financial services organisations are starting to move away from purely password-based authentication techniques in a bid to combat sophisticated key-loggers and phishers. However, the benefits of two-factor authentication devices, such as tokens and smart cards, are not confined to banks. Yet take-up amongst other industries has been slower. Smart cards take strong authentication into a new realm, because they are capable of storing so much information and have a vast number of uses. One card, issued by an employer, can allow staff access to office buildings as well as the IT network, thereby combining physical and logical security into one device. Multiple applications on the network can be accessed via a single sign-on mechanism, removing the user's headache of remembering many different passwords and cutting down calls to the IT helpdesk for password resets. What is more, remote users can access the network with the same level of security as office-based workers, using the same card. Not only that, smart cards can be used to make a digital signature, which in future could make electronic documents permissible as evidence in a court of law. Tensor have used smart cards within our security systems for a number of years, and this represents a prime example of how the technology can be incorporated into a number of applications.
From time and attendance solutions, to access control and cashless catering, one smart card is able to perform a variety of individual tasks. As we continue to move rapidly towards a completely digital age with complex regulations to adhere to, being able to prove beyond reasonable doubt that an email or document was sent or received will be a must-have, not just a nice-to-have. Increasingly, private enterprises are working with government bodies to deliver commercial and public services to citizens via smart cards, because they are capable of storing multiple credentials for access to different buildings, systems and accounts. Further development depends on public and private sector investment in new infrastructure, and the most cost-effective approach is to work together in order to develop the technology then use it according to the needs of their individual organisations. The potential benefits of stronger identity authentication technologies to commercial and public sector organisations alike are immense, encompassing increased efficiency, compliance issues and better access to public services for all.
Stolen Laptops Providing Gateway To Hackers
Lost or stolen laptops which fall into the wrong hands can be used to launch an attack on the corporate LAN using tools obtained online or from auction websites. In a recent demonstration of network vulnerability, a sample laptop with commonly used password security was used to carry out a series of hack attacks to show how these mobile devices can act as a gateway to data housed on internal systems. Local user passwords were compromised, allowing data residing on the hard drive to be harvested, and attacks were launched on the device's associated network connections. The first step to compromise the laptop entailed hacking the BIOS before the Windows operating system had launched. A BIOS reset connector, typically used by manufacturers to deactivate and reset the laptop BIOS password during repair, can easily be made or purchased from eBay and allows complete access to data housed on the hard disk. Alternatively, the hacker can remove the hard drive from the laptop entirely and install it in another device without a BIOS password, again allowing access to data on the drive. Compromising Windows passwords was equally simple. Backtrack, a Linux tool on CD-ROM, was booted on the device, providing access to the Windows file system before the operating system had even launched. Software hacking programmes such as GetSyskey and Gethashes were downloaded from the internet and used to access the Windows encrypted passwords. In addition, Rainbow Crack, a software tool which creates Rainbow Tables, was used to compute the various password hashes used by the LM password algorithm. Using a precomputed table of over 60GB of hashes, the administrator password was cracked in under two minutes. Moreover, encrypted WEP passwords and remote desktop log-in details from the Windows registry file were recovered using password recovery software.
Having cracked these passwords, the desktop could be browsed at leisure and files and documents on the laptop could be identified, even those which the user had deleted from the hard drive. Disk Investigator, a downloadable software tool, was used to recover deleted files from the file system, as well as to locate deleted files on flash media such as USB pen drives. Finally, a fictitious corporate LAN was broken into using a remote access client. An installed Cisco VPN client was used, and cached login credentials stored locally in a .pcf file were located, enabling access. Cain and Abel, a tool readily available online, was then used to crack the Cisco VPN encrypted client passwords, decoding them into clear text. Once inside the network, an enumeration attack was carried out to browse named hosts. These PCs and servers, often given away by telltale names ranging from the obvious, such as 'Payroll', to old techie favourites such as Star Wars or Lord of the Rings characters, planets or Greek gods, were easily identified. Having selected a target client, a free, open-source exploit tool called Metasploit, which provides a simple graphical user interface, was then used to gain administrative access. The hacker was now free to export data from the internal host or carry out corporate sabotage or espionage. The risk of attack to the corporate LAN has increased along with the popularity of mobile working and hotdesking. The FBI Computer Crime and Security Survey reports that around 50 per cent of organisations experienced mobile device theft in 2005, and it is a problem that affects both the private and public sector. Over the last twelve months in the UK, 21 laptops have been stolen from Department of Trade and Industry (DTI) buildings and five laptops have been misappropriated from the Office of the Deputy Prime Minister. Any of these devices could have been used to compromise the core networks of business or government using these simple tools and techniques.
Here are recommendations to organisations with mobile workers to help combat information theft:

- At the very least, encrypt your sensitive files with freely available software.
- Set a BIOS password, even though it can be reset.
- Don't allow users to boot from USB keys, floppy disks, CD-ROMs or from a network.
- Use a secure VPN technology.
- Don't allow the caching of passwords or user names in RAS clients.
- Educate your staff. All too often credentials can be found in notepad files on the desktop.
- Incorporate biometric logon devices.
- Consider full disk encryption.
- PIN lock GPRS or 3G SIM cards.
- Encourage staff to report laptop or mobile device theft immediately on discovery, and ensure you have a 24-hour process to enable this.
- Consider using passwords which use UK-specific character sets, as most Rainbow Tables currently available are computed from American keyboard codepages.

Article courtesy of Security Park
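The demonstration above found cached VPN credentials in a .pcf profile, and the recommendations say not to cache passwords or user names in RAS clients. The following is an added example (not code from the article, Security Park or Tensor) that audits such profile files for persisted credentials so an administrator can find them before a laptop goes missing. It assumes the INI-style layout of the classic Cisco VPN Client profile, with a [main] section and the keys Host, GroupName, enc_GroupPwd, Username, SaveUserPassword, UserPassword and enc_UserPassword; the two sample profiles are constructed and contain placeholder values only.

```python
"""Audit VPN client profile (.pcf) files for cached credentials.

Added example, not code from the original article. Assumes the classic
Cisco VPN Client profile layout: a [main] section with keys such as
Host, GroupName, enc_GroupPwd, Username, SaveUserPassword, UserPassword.
"""
import configparser
from dataclasses import dataclass, field


@dataclass
class Finding:
    profile: str
    issues: list = field(default_factory=list)


def audit_pcf(name: str, text: str) -> Finding:
    """Return the reasons this profile is risky on a lost or stolen machine."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so enc_GroupPwd matches exactly
    parser.read_string(text)
    finding = Finding(profile=name)
    if not parser.has_section("main"):
        finding.issues.append("no [main] section; not a VPN client profile")
        return finding
    main = parser["main"]

    def get(key: str) -> str:
        return main.get(key, "").strip()

    if get("SaveUserPassword") == "1":
        finding.issues.append("SaveUserPassword=1: user password cached on disk")
    if get("UserPassword") or get("enc_UserPassword"):
        finding.issues.append("user password (plain or obfuscated) stored in profile")
    if get("enc_GroupPwd"):
        finding.issues.append("enc_GroupPwd present: group secret recoverable from file")
    if get("Username"):
        finding.issues.append("Username pre-filled: one logon factor handed to a thief")
    return finding


# Constructed sample profiles; the values are placeholders, not real secrets.
RISKY_PCF = """[main]
Host=vpn.example.com
GroupName=staff
enc_GroupPwd=0123ABCDEF
Username=jsmith
SaveUserPassword=1
enc_UserPassword=89ABCDEF01
"""

SAFE_PCF = """[main]
Host=vpn.example.com
GroupName=staff
enc_GroupPwd=
Username=
SaveUserPassword=0
UserPassword=
"""

if __name__ == "__main__":
    for name, text in {"risky.pcf": RISKY_PCF, "safe.pcf": SAFE_PCF}.items():
        f = audit_pcf(name, text)
        print(f.profile, "->", f.issues or "no cached credentials found")
```

Run it against a directory of profiles by reading each file's text into audit_pcf; any profile with a non-empty issues list is one to clean up or re-issue without saved credentials.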
New Guides On Vandalism Released
The Home Office has published a series of 5 short practical guides through its crime reduction website, to help businesses and organisations tackle vandalism and criminal damage. Each guide is short and snappy at only 4 pages long, and addresses practical issues, illustrating its points with pen-picture case studies. The five guides are: Tackling Vandalism and other Criminal Damage; Tools and Powers for Tackling Criminal Damage; Environmental Approaches to Tackling Vandalism; High Visibility Policing; Tackling Youth Vandalism. They can be found on the crime reduction website. Recommended in the literature is the implementation of surveillance systems. Tensor can provide your organisation with state-of-the-art digital CCTV camera and recording systems, which are compliant with UK police requirements. Tensor are also leaders in the provision of access control systems, which prevent unauthorised access to your premises. Suitable for both large and small sites, Tensor can provide a system to suit your needs. If you are interested in learning more about digital CCTV or access control and how it can help you, why not contact Tensor, and we would be happy to provide you with additional information.
All Work And No Play For Boozing Brits
Despite a culture of binge drinking and a reputation for drinking European counterparts under the table, British workers play hard and work hard, with 62% refusing to pull a sickie after a night out on the tiles. In fact, just over a third of Brits have ever taken time off work because of a hangover. A recent poll asked, "Have you ever taken a day off because of a hangover?" Out of 3,359 respondents, the votes were as follows: 49% (1619 votes), No, I always come to work however hungover I am; 24% (814 votes), Yes, several times; 14% (486 votes), Yes, but only once; 13% (440 votes), No, I think my colleagues/boss would find out. Even with such an open attitude towards social drinking, the emergence of the "ladette culture" and last year's change in licensing laws, British workers still take the line that when there's a job to do, don't let a hangover get in the way. Chris Evans and Pete Doherty have infamously turned up for work slightly worse for wear. While these levels of excessiveness are not standard behaviour for everyone, in general the majority of Brits choose to work through their hangover rather than sleep it off. So what's getting Brits out of bed and into the office? A hard-working ethos and an increasingly competitive workplace may be contributing factors. In addition, more businesses are offering financial incentives to encourage people to turn up for work. The Government has also called on businesses to invest more time and money in preventing ill health at work. The Royal Mail's much publicised scheme, launched last August, offered staff the chance to win a car if they did not take any sick leave in six months. Attendance levels rose, with the equivalent of 1,000 more staff at work daily. Sick pay currently costs industry about £32 billion a year, with £4 billion based on absenteeism figures alone.
While it is imperative for employers to identify the root cause of staff absenteeism, steps should also be taken to recognise staff with a good attendance record.

Top Tips On How To Work Through Your Hangover

- DO tackle big tasks and the most important jobs first
- DO drink plenty of water
- DO keep your head down: work quietly to conserve your energy
- DO remember your manners: be polite and courteous, no matter how rough you feel
- DON'T wear sunglasses in the office
- DON'T boast about your drinking escapades
- DON'T fall asleep at your desk
- DON'T email the entire company asking for aspirin
Protecting Against Terrorism Guidelines Released
The Security Service, in partnership with the Home Office and the Cabinet Office, have updated existing protective security guidance for organisations with a duty of care for others. This guidance, entitled 'Protecting Against Terrorism', has been published in response to requests from businesses to have a hard copy version of the guidance on the website. To help you get the gist of the information, Tensor has produced the following top ten protective security points, which summarise the guidance given in the booklet. Whether you are creating, reviewing, or updating your security plans, keep these key points in mind:

- Carry out a risk assessment to decide on the threats you might be facing and their likelihood. Identify your vulnerabilities
- If acquiring or extending premises, consider security at the planning stage. It will be cheaper and more effective than adding measures later
- Make security awareness part of your organisation's culture and ensure security is represented at a senior level
- Ensure good basic housekeeping throughout your premises. Keep public areas tidy and well-lit, remove unnecessary furniture and keep garden areas clear
- Keep access points to a minimum and issue staff and visitors with passes. Where possible, do not allow unauthorised vehicles close to your building
- Install appropriate physical measures such as locks, alarms, CCTV surveillance and lighting
- Examine your mail-handling procedures; consider establishing a mailroom away from your main premises
- When recruiting staff or hiring contractors, check identities and follow up references
- Consider how best to protect your information and take proper IT security precautions. Examine your methods for disposing of confidential waste
- Plan and test your business continuity plans, ensuring that you can continue to function without access to your main premises and IT systems.
Welcoming the publication of the new guidance, Home Office Minister Hazel Blears said: "Government and business need to work in partnership to ensure that emergencies are avoided, and when they do happen we are well prepared to deal with the consequences. We know that protective security works." "It is important for all businesses and organisations to plan for unforeseen events in order to deter potential attackers and mitigate the effects of attacks when they happen. This includes having an up to date business continuity plan that should ensure that staff are prepared and that the essential functions of business can survive a terrorist incident, natural disaster, or other disruption."
Holidays For Pay
The EU has ruled that British workers are no longer allowed to be paid for unused holiday entitlement. European judges said that the so-called "rolled-up holiday pay" system breached the Working Time Directive, which guarantees employees a minimum four weeks' holiday a year. The issue came to light after a group of British shift workers brought a case to the European Court of Justice in Luxembourg, where they were demanding the right to payment during their holidays instead of notional extra hourly pay. EU rules state that the minimum period of paid annual leave cannot be replaced by an allowance, except where employment is terminated. If the legislation allowed payment for annual holidays to be included in hourly or daily pay rates, then it could potentially lead to situations where minimum holiday was replaced by an allowance in lieu. As annual leave is a key entitlement under the Working Time Directive, this loophole had to be closed. "The entitlement of every worker to paid annual leave is an important principle of community social law from which there can be no derogation," said the judgement. "Holiday pay is intended to enable the worker actually to take the leave to which he is entitled."
Biometrics Fighting Identity Theft
A new survey has revealed that UK consumers place most confidence in biometric technologies, such as fingerprint recognition, to help combat the rapidly growing identity theft industry, which is now estimated to be costing UK industry £1.7 billion per year. The independent survey of 1,000 UK households investigated the incidence of, and attitudes towards, financial fraud and its solutions. The survey revealed that 2 in 3 consumers believe that banks should be turning to biometric technology in order to combat identity theft, a widespread problem which now affects 1 in 4 British adults according to Home Office statistics. Despite token security being presented as an online authentication standard by some industry bodies, 92% of respondents were unfamiliar with the term and unaware of its use as a security measure. Once it was explained, only 42% of consumers believed that banks should adopt token security to help combat identity theft. In comparison, the majority of respondents (73%) stated that biometric technology would assist banks in the fight against fraud, and 48% placed confidence in smart cards. Considering some historical resistance towards biometric technology, the survey demonstrated that consumers offer a high level of support for biometrics, which appears to have cemented its position as the preferred security device in the war against identity theft. Tensor have been incorporating biometrics into our time and attendance and access control systems since 2002. The two-factor authentication not only provides the additional security needed to safeguard a system, but also the peace of mind associated with knowing that you are protected against security breaches.
UK Companies Turning To Physical Security
According to the results of a survey of IT Directors by Comunica, an IT service provider, the 'Smart Office' is becoming a reality. Comunica has found that, out of 100 major companies, 64 percent have already adopted or plan to adopt physical security over IP networks in 2006. This will enable companies to monitor and control systems and buildings using card readers, biometrics and other access systems such as CCTV, all from a web interface. The financial sector has taken the lead in implementing this technology, with 31 percent having implemented it already and a further 38 percent planning to do so in 2006, which will take the total to 69 percent. Manufacturing has been sluggish in taking up this technology, with just 9 percent so far, but the signs are very positive for the future, with 43 percent planning to implement physical security in the next twelve months. There are many advantages to controlling physical security over IP, including cost reduction resulting from being able to use one network for all the security systems and devices. Also, control will be improved and simplified by being able to manage all the security devices on a single platform. Tensor have been developing and installing IP-based physical security systems over the last decade, and have a plethora of knowledge and expertise in the industry. Whether it's access control, digital CCTV, or visitor monitoring you're interested in, Tensor has a solution for you.