GCN : October 2014
CYBEREYE

Passwords vs. biometrics: Which is better?

BY WILLIAM JACKSON

IT HAS BEEN a brutal season for data breaches, from the wholesale theft of customer records numbering in the billions to the exposure of naughty celebrity pictures. More significant to agencies is the case that cost US Investigations Services (USIS) a contract to perform government background checks.

It was bad enough when USIS gained attention as the contractor that vetted NSA leaker Edward Snowden and Washington Navy Yard shooter Aaron Alexis. But in the wake of an IT breach that might have exposed the files of thousands of Homeland Security employees, the Office of Personnel Management in September said “enough,” and dropped the company.

The growing pressure by hackers against high-value targets and the volumes of personal and other sensitive information being stolen highlight one of the basic questions of cybersecurity: How do you keep the bad guys out?

Identity management and access control are the front lines of security. The ability to accurately identify users and control what they do within your systems is what separates insiders from outsiders. It has been apparent for some time that the traditional tool for this task – the password – is inadequate for the job, and biometrics is emerging as an alternative.

Which is better? The answer is that neither is adequate for strong, practical security on its own. Each has strengths and weaknesses, and real security requires some combination of these or other technologies.

The password by itself actually is a pretty good tool. It is simple to use, easy to implement and can be reasonably strong. The problem is one of scale. For a user juggling passwords for multiple accounts and for administrators juggling many users, the system quickly becomes unwieldy, and strong security begins to break down. In addition, the steady growth in computing power erodes password security by making dictionary and brute-force attacks more practical.

Biometrics – the use of physical traits such as fingerprints, irises, faces or voices to identify persons – is more complex, but is becoming more practical. It offers the promise of better security based on the premise that there is only one you.

Yet it has its drawbacks. All forms of biometrics operate on the “close enough” principle. Whereas a password must be exact to be accepted, matching a biometric trait requires a judgment about whether there is a proper match. This leaves room for mistakes, either as false positives or false negatives. The algorithms making the decision can be tuned depending on the level of security required. But higher security comes at a cost in the form of increased time or computing power to determine a match and by increasing the possibility that a legitimate biometric will be rejected.

And although there is only one you, biometric systems can be susceptible to spoofing. A stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user.

There are other ID management technologies, of course, such as digital certificates, a form of electronic ID vouched for by a trusted party. These can be powerful, but also challenging to manage on a large scale.

The bottom line is, no matter how much these technologies improve, no single tool is likely to be good enough for really practical strong authentication, and it is unlikely that a new and perfect technology will come along any time soon. None of these technologies is a complete failure, either. By combining strengths to offset weaknesses, these common tools can be integrated into multifactor authentication that provides security that is stronger than the sum of its parts.

Government already has a tool that can enable multifactor authentication, the Personal Identity Verification Card and its military counterpart, the Common Access Card. Taking full advantage of these for access control could go a long way toward improving federal cybersecurity.
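The trade-off the column describes for "close enough" biometric matching, worked through as an added example that is not part of the original article: raising the match threshold lowers the false accept rate but rejects more legitimate users. The similarity scores, thresholds and function names are constructed for a hypothetical matcher.

```python
# Constructed similarity scores (0..1) from a hypothetical biometric matcher.
# GENUINE: the enrolled user presenting their own trait.
# IMPOSTOR: other people presenting theirs against the same template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.72, 0.90, 0.83, 0.97]
IMPOSTOR = [0.35, 0.52, 0.41, 0.66, 0.28, 0.74, 0.47, 0.58, 0.81, 0.39]
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted as a match.

    FAR: fraction of impostor attempts wrongly accepted (false positives).
    FRR: fraction of genuine attempts wrongly rejected (false negatives).
    """
    false_accepts = sum(score >= threshold for score in impostor)
    false_rejects = sum(score < threshold for score in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def pick_threshold(thresholds, max_far):
    """Pick the most lenient threshold that still meets the security target.

    Returns (threshold, FAR, FRR), or None if no candidate keeps the
    false accept rate at or below max_far.
    """
    for threshold in sorted(thresholds):
        far, frr = error_rates(threshold)
        if far <= max_far:
            return threshold, far, frr
    return None


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in THRESHOLDS:
        far, frr = error_rates(t)
        print(f"{t:9.2f} {far:5.2f} {frr:5.2f}")
    # Tightening the target from 10% to 0% false accepts raises the share of
    # legitimate users who are turned away.
    print(pick_threshold(THRESHOLDS, max_far=0.1))
    print(pick_threshold(THRESHOLDS, max_far=0.0))
```

On this sample, no single threshold drives both error rates to zero, which is the gap a second authentication factor is meant to cover.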