Many incidents occur through access control and authentication vulnerabilities. Just consider the recently reported Fruit of the Loom incident that allowed easy access to 1,006 names and Social Security numbers of former employees. It is likely that poorly constructed and inadequately tested application controls led to this breach, as they have in so many other breaches.
Significant security vulnerabilities can exist if Web applications do not implement authentication mechanisms appropriately. U.S. banking regulators saw these risks and moved to protect consumer PII. On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance, "Authentication in an Internet Banking Environment," stating that single-factor authentication, used as the only control, is inadequate for high-risk transactions involving access to customer information or the movement of funds. The guidance requires financial institutions engaging in any form of Internet banking to use effective methods to authenticate the identity of customers using those products and services, whether multi-factor authentication, layered security, or other controls reasonably calculated to mitigate the risk.
I just posted a new paper, "Addressing Web-Based Access and Authentication Challenges," to this site that focuses on these two important aspects of application and system security: authentication and access controls. Business leaders must ensure authentication and access controls are implemented effectively, based upon risk and legal requirements, to protect both the business and the PII it holds.
Please let me know your feedback. What other issues related to access controls and authentication worry you, or are you planning to address?
Tags: access controls, authentication, awareness and training, FFIEC, government, Information Security, IT compliance, multi-factor authentication, policies and procedures, privacy, privacy breach