Security as a Strategy (SaaS)

Device Fingerprints Good IT Security Strategy?

We're all familiar with the concept of people being fingerprinted to verify identities. But now Uniloc USA, an Irvine, California company, has developed Physical Device Recognition (PDR) technology that creates a unique fingerprint for networked devices. The implementation of their NetAnchor server software, security appliance and management software creates a trusted-device network in which only authenticated devices are allowed to communicate.

Authorized client machines are identified using Uniloc's PDR technology to generate a device fingerprint based on the unique and inherent characteristics of each device. The device characteristics are based both on naturally occurring manufacturing imperfections as well as intentional configuration differences. This fingerprint becomes an authentication credential that is locked to that device.

One of Uniloc's target markets for this technology is industrial control systems in industries designated as critical infrastructure, including water, power, oil and gas, chemicals and transportation. The idea is to leverage a unique device fingerprint in trusted communications between SCADA (Supervisory Control and Data Acquisition) master stations and RTUs (Remote Terminal Units) and PLCs (Programmable Logic Controllers).

Most recently the company has been focusing on network security professionals with the pitch of adding another authentication credential (device fingerprint) to network edge devices. Their story goes like this:

 "While there is a trend towards moving technology into the cloud, properly validating the identity of a user, or user authentication, must continue to occur on the connected device. Today's passwords are not reliable enough for advanced cloud concepts like billable edges but many authentication technologies like smart cards are too expensive and inconvenient. Uniloc's Edge ID identifies the device itself for an affordable, enhanced user authentication without any user hassle."

Will this technology fly in the long run? Or will it be just another great idea that ends up in the "that's interesting" bin of technology landfills? We'll just have to see.

It’s the Forest – Not the Trees

"Back in the day" (a phrase that amuses me due to its generality yet allusion to specificity--but I digress) when you needed to order office supplies you had to visit the supply room. When you needed additional raw materials you had to submit a materials request form. Need the latest sales figures? Call the sales department. In order to perform a risk assessment of these "systems" the security practitioner rarely had to travel outside the corporate walls. And this was fine for the aforementioned "general/specific" time in history.

We do things a bit differently in the 21st century. Many organizations have agreements with suppliers, distributors, data collection agencies, etc. so that identified follow up action is available from your company Intranet or is accomplished behind the scenes. For example, many grocery stores have electronic connections with their suppliers, distributors and shipping partners throughout the supply chain. This allows for a more efficient process of ordering and receiving items as they are sold to consumers. Need office supplies? Go to your Intranet, click on office supply request, punch in an authorization code and select your items. They will be included in the next delivery date--you can even check the status of an order.

Now suppose you have been given the task of performing a risk assessment of your inventory process. If you were to only look at the systems within your corporate walls (as you did in the "old" days), a significant number of risks could go unidentified. Looking at it abstractly, your corporate walls are merely one tree in the forest of your inventory process, and you cannot learn about the forest from one entity. You need to be able to examine the whole forest, perhaps one tree at a time (a lengthy process but my point is made) but from one end to the next.

When looking at the entire forest (inventory process in this case) some questions that should come to mind include: How are your partners performing security on their end? Are they sharing authentication credentials among their employees? Do they practice configuration control? What happens to the data they receive from you? It is very difficult, if not impossible, to gather this information from only looking internally at your systems (one tree in this example). Perform a risk assessment (or audit, scan, etc.) against the entire system and not just one piece. More expensive? Probably. Take longer? Typically. Systems in the forest not under your control? Most definitely.

But all of these issues can be addressed through budgetary, timeline and contractual agreements. Money and time issues are fairly easy to understand while the more difficult part will be working with partners. Maybe you can share the costs. After all, a risk assessment can only help their security posture--and possibly marketing--not to mention strengthen the relationship.

My point being, however the details are worked out, performing an assessment, audit, etc. against one part of your system can lead to a false sense of security and thus disaster. Security functions such as these should take into account the whole forest and not just a few trees.

Pandemic Business Continuity Plan?

Recently I attended a webinar that discussed the need for a business continuity plan (BCP) in case a pandemic virus were to affect hundreds of thousands, if not millions, of people around the world, possibly in your area. Obviously playing off of the fears from the recent H1N1 (a new flu virus of swine origin according to the CDC; http://www.cdc.gov/H1N1FLU/), the presentation seemed to focus on how your business would continue to operate if such an event were to happen.

To be sure, the possibility exists of regions/localities being closed off from access if the outbreak were to happen, but I think the presenter was missing the bigger picture.

I don't think you need a business continuity plan for a pandemic. You need a business continuity plan for any event that can cause business operations to slow down or potentially stop for multiple days. Let's not specify a BCP for a pandemic; rather, let's create a BCP that includes measures for situations that would not allow workers into the building, street, or city for a certain period of time. Certainly a pandemic would qualify for this, but so would many natural disasters including hazardous chemical leaks/explosions, massive civil disturbances, etc.

Trying to plan for a specific event is tricky at best - it is almost impossible to guess every potential situation that may cause your workers to not be allowed into their workplace. Do you have a separate pandemic plan for a one-day outage? Two-day outage? Five days? You get my point.

I would suggest that rather than planning for specific events, you instead plan for estimated days of non-access regardless of the reason. Your BCP should have plans for multiple-day events, multiple-week events, and at least a framework for multiple-month events. While multiple-month events may seem far-fetched, one only has to remember September 11, 2001 or Hurricane Katrina to at least give some consideration to the possibility.