Page 31 - Cyber Warnings







“Promotional websites and secure data storage must be maintained at unique IP
addresses.” Data must be segregated into publicly available “Open” data, “Private”
data and “Secure” data. “Open” and “Private” data stay in a browser-based
environment, providing the widest potential audience for the hosting organization.
“Secure” data and its access method must be moved to an IP address that has no
relation to the public IP address and browser-based access.

“True two-factor authentication is mandatory when accessing secure data.” This
should go without stating. Accessing secure data with knowledge alone has not worked
and will not work. “Something you have and something you know.”

“Secure data that has been accessed cannot be written to any permanent storage
device, including temporary data.” This is the most obvious standard of them all.
Writing data to a local computer leaves data behind. Deleting written data at the end of a
session does not remove the data, just the directory entry pointing to the data.

“Access to secure data cannot be granted through any installed application.” Any
installed software can be compromised and is therefore suspect.


“No data mining can be performed by the application providing the access to
secure data.” The access method cannot spy on the user.

The solution is simple and must address all of these areas or it will fail! An intern was
booking a trip on expedia.com. The purchase was completed and the intern went to
Google Maps to look for the location of his hotel. There was a pin on the hotel with the
dates of the visit! How did secure data, entered on an https page, get used to put the
pin on a map? The truth is, it doesn’t matter! Browser-based access is not secure,
period.

Cyber Safety Harbor is deploying a cyber solution that exceeds the six standards above. We
believe knowledge is also a problem. The decision makers don’t understand the problem, so
they hired experts that are selling products. New innovations aren’t what they represent.

Cyber Safety Harbor has introduced private CyberID Community solutions to facilitate
protection of “Secure” data. The premise of a CyberID Community is that only members of the
community have a right to access. An organization deploying a CyberID Community can do so
with minimal disruption to existing online services.

The first step in deploying a CyberID Community is analysis to identify deployment-specific
issues, but after analysis the deployment process is the same for most organizations. The
process:

• Create a mirror of the existing browser-based website containing the secure portal.
• Deploy a plugin or proxy server that blocks all non-authorized access to the mirrored
  site. Requires CyberID for access.
• Modify the existing client database, adding an additional key field to store the CyberID
  public key.

31 Cyber Warnings E-Magazine – April 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
