
Authentication Methods for VPNs

Some of the largest data breaches of the last two years, including those affecting Target, Home Depot and the U.S. Postal Service, have been traced to attackers who obtained legitimate remote-access credentials and used them to enter the network, in several cases through Virtual Private Networks (VPNs).

Between vendors, contractors, remote employees, and workers covered by Bring Your Own Device (BYOD) policies, the average company has a multitude of users and devices connecting to its VPN. The VPN concentrator sits on the boundary between the Internet and the internal network, and every account that can authenticate to it is a potential entry point. This makes VPN credentials a prime target for data thieves and a major exposure for your organization.

For most firms, allowing access with just a user name and password is no longer an adequate way to authenticate users, since passwords are routinely phished, guessed, reused from other breached sites, or stolen by malware. Over the years more robust authentication methods have emerged, including:

Two-Factor Authentication (2FA).
This method requires a second proof of identity in addition to the password, adding a layer of security while still allowing convenient access for authorized users. The most common form is a one-time code delivered to the user's phone by SMS text message after he or she enters the standard user name and password. SMS is the weakest of the common second factors: a code can be phished in real time or intercepted through SIM swapping, so time-based one-time password (TOTP) apps or hardware tokens are preferable wherever they can be deployed. The Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for remote access to the network by employees, administrators, and third parties.

Risk-based authentication (RBA).
This method varies the strength of authentication required according to the estimated risk of a particular login attempt: the higher the risk, the more proof the user must supply. For example, someone who tries to access a bank account from another country may be asked additional security questions, or for a one-time code, before being let in. Additional authentication steps may also be triggered by an unfamiliar IP address or device, or because the connecting endpoint lacks antivirus software.

Challenge Handshake Authentication Protocol (CHAP).
CHAP (RFC 1994) authenticates a user with a challenge-response exchange instead of sending the password: the server sends a random challenge, the client returns the MD5 hash of an identifier, its secret and the challenge, and the server recomputes the hash from its own copy of the secret. Hashing is not encryption, and CHAP only hides the password from a passive observer; the server must keep every secret in recoverable (plaintext) form, and an eavesdropper who captures a challenge and its response can run an offline dictionary attack against them. CHAP protects against replay attacks through an incrementally changing identifier and a variable challenge value. Microsoft has a proprietary version called MS-CHAP; MS-CHAPv2, still found in PPTP VPNs, rests on single-DES operations and has been shown to be breakable from one captured exchange, so it should not be used outside a protective TLS tunnel such as PEAP.
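The exchange described above, written out for both sides, as an added example that is not part of the original article: the authenticator issues a one-use identifier and challenge, the peer answers with the RFC 1994 hash, and the authenticator verifies it. The final function shows the caveat in the text, an offline dictionary attack by an eavesdropper who recorded the exchange. The user name, secret and wordlist are constructed for the demo.

```python
# Added example (not from the original article): the CHAP exchange of RFC 1994
# for both sides, followed by the offline dictionary attack that a passive
# eavesdropper can run against a captured challenge/response pair.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. CHAP needs each secret in recoverable form, so this table
    is plaintext: compromising it compromises every account at once."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.pending: Dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self) -> Tuple[int, bytes]:
        # The identifier changes on every exchange and the challenge is fresh
        # random data, so a response recorded earlier never matches again.
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)  # single use, even on failure
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def chap_peer_respond(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Client side: the password itself is never transmitted, only this hash."""
    return chap_response(identifier, secret, challenge)


def run_exchange(auth: ChapAuthenticator, name: str, secret: bytes):
    """Drive one complete exchange; return the verdict and what an eavesdropper saw."""
    ident, chal = auth.challenge()
    resp = chap_peer_respond(ident, chal, secret)
    return auth.verify(ident, name, resp), (ident, chal, resp)


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack. Nothing in the exchange is keyed, so every
    candidate password is testable at MD5 speed without contacting the server."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


WORDLIST = [b"password", b"letmein", b"hunter2", b"qwerty"]  # constructed for the demo

if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"hunter2"})  # constructed account
    ok, (ident, chal, resp) = run_exchange(auth, "alice", b"hunter2")
    print("login accepted:", ok)
    print("replay accepted:", auth.verify(ident, "alice", resp))
    print("recovered by eavesdropper:", crack_chap(ident, chal, resp, WORDLIST))
```

The replay check works because `verify` discards the outstanding challenge whether or not the response matched; an implementation that left a challenge pending after a failure would let an attacker keep guessing against the same value.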

Remote Authentication Dial-In User Service (RADIUS).
RADIUS lets remote access servers (VPN concentrators, dial-in servers, wireless controllers) forward authentication requests to a central server rather than holding user credentials themselves. A central database stores user profiles that all remote access servers can share, so a company can define an access policy once and apply it at a single administered network point. RADIUS is also how most VPNs plug in the other methods on this list: the concentrator forwards the password and one-time code to a RADIUS server, which checks them against a directory or token service. Because the protocol itself only obfuscates passwords with an MD5-based scheme keyed by a shared secret, RADIUS traffic should be confined to a management network or carried over IPsec or TLS (RadSec, RFC 6614).
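What a VPN concentrator and a RADIUS server actually exchange, as an added example that is not code from the original article or from any RADIUS product: an RFC 2865 Access-Request with the User-Password hiding scheme, the server's Access-Accept or Access-Reject carrying a Response Authenticator, and the check the concentrator (the NAS) makes on that reply. The shared secret, user name and password are constructed; the example sends nothing on the network and works on byte strings only.

```python
# Added example (not from the original article): a minimal RFC 2865
# Access-Request / Access-Accept round trip showing the User-Password hiding
# scheme and the Response Authenticator. Secret, names and passwords are
# constructed for the demo; nothing here talks to a real RADIUS server.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with the Request Authenticator used as c_0. This is obfuscation, not
    encryption: anyone holding the shared secret and the packet recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side inverse of hide_password (trailing NUL padding removed)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length covers the two header bytes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, req_auth: Optional[bytes] = None) -> bytes:
    """NAS side. The Request Authenticator must be unpredictable: it keys the hiding."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def server_handle(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """RADIUS server side: parse, unhide the password, check it, answer."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("bad packet")
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    name = attrs.get(USER_NAME)
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = name in users and hmac.compare_digest(users[name], pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def nas_check_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator so a spoofed reply, or a
    reply that does not belong to this request, is ignored."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, attrs = response[:4], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"s3cr3t-shared-with-this-NAS"            # constructed
    req = build_access_request(7, b"alice", b"hunter2", SECRET)
    resp = server_handle(req, SECRET, {b"alice": b"hunter2"})  # constructed user store
    print("accepted:", resp[0] == ACCESS_ACCEPT, "reply authentic:", nas_check_response(resp, req, SECRET))
```

Two things the code makes visible: the password survives the trip to the server in a form that only the shared secret protects, which is why the text recommends IPsec or RadSec for the RADIUS leg, and the NAS only trusts a reply whose authenticator was computed with that same secret over its own Request Authenticator.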

Smart cards.
Smart cards are physical tokens with an embedded chip that holds the user's private key and certificate; the key is generated on the chip and cannot be copied off it. Users insert the card into a reader attached to their computer, then enter a personal identification number (PIN) to unlock it, much as an ATM card works. This gives two factors in one step: the card (something you have) and the PIN (something you know). Smart cards can be combined with an employee's ID badge so that a single card opens both the building and the network.

Kerberos.
Developed at the Massachusetts Institute of Technology (MIT), Kerberos is a ticket-based authentication system built around a centralized Key Distribution Center (KDC), which holds a secret key for every user and service (the user's key is derived from the password) and issues encrypted tickets that grant access. Both the user and the server verify each other's identity, and the exchange is designed for an unsecured network: the password itself never crosses it, and the user proves knowledge of it by decrypting material the KDC encrypted with the password-derived key. Once identified, communications between user and server can be encrypted with a session key carried in the ticket to assure privacy and data integrity.

Biometrics.
One of the more robust methods of authentication uses personal, physical attributes of the user, such as a fingerprint, retina scan or voice recognition. A biometric identifies a person rather than proving possession of a secret, and it cannot be changed if the stored reference is stolen, so it is best used as one factor alongside a PIN or token, with the template stored and matched on the user's own device where possible.

You wouldn’t leave the door to your headquarters or worse, your server room, unlocked and accessible. It’s time to take the same approach to your virtual network and make it more difficult for unauthorized intruders to enter.
