Tag Archives: stop the virus

Biometric authentication methods vs passwords – stay up to date

We have already written here, with practical recommendations, on how to establish secure third-party software development. Today we want to dwell on one rapidly developing aspect of security, not only in software development but in your business as a whole: biometric access to data, information, equipment and workspace. Companies are paying more and more attention to risk management, so to raise the level of security a growing number of systems use cost-effective biometric readers, crowding out access card readers and keypads for entering passwords. This has encouraged hardware and software manufacturers to develop the industry and the technology. Biometric technologies provide not just fast authentication but also a primary security tool.

For example, Microsoft employees authenticate using biometric data, and at the same time British banks use fingerprints to authorize purchases. Biometric identification is optimal not only as the choice of reliable protection for enterprises, employees and consumers, but it also reliably protects itself from failures and break-ins, always putting the security of personal data first.

Biometric access control and management systems allow people to be recognized by their individual physical characteristics. This significantly increases the quality of control and the security of the system, and reduces the risk of unauthorized entry and fraud against the system.

Biometric Identification Methods

There are static methods, based on the identification of physiological characteristics that stay with a person throughout life:

  • by fingerprint or palm print
  • by facial features
  • by the eye retina
  • by the pattern of veins
  • by hand geometry
  • by DNA.

And there are dynamic methods, which take as a basis the behavioral characteristics of people, namely the subconscious movements made while repeating an everyday action:

  • by voice
  • by handwriting
  • by keyboard handwriting (typing rhythm)
  • by gait.

For example, one of the priority types of behavioral biometrics used in secure development is the keyboard style of typing. To determine it, the typing speed, pressure on the keys, the duration of each key press and the time intervals between presses are recorded. A separate biometric factor is the manner in which the mouse is used. In addition, behavioral biometrics cover a large number of factors that are not related to the computer, for example gait, especially the way a person climbs stairs. There are also combined identification systems using several biometric characteristics that can satisfy the most stringent requirements for the reliability and security of access control systems.

What is the basis of biometric security?

Using biometrics for authentication will work when passwords are excluded from the authentication process. This is the main step towards access control without a password. If the system still has a password in the background, the risk of data hacking remains.

The company will only experience the benefits of passwordless authentication if biometrics are used for security and not merely for convenience. When an organization removes passwords from the authentication process, the tasks of creating a password, entering the combination and resetting it are eliminated. When a person is recognized without a password, the only authentication method is a combination of biometric data.

The main parameters for evaluating any biometric system are:

FAR (False Acceptance Rate) – false acceptance coefficient, i.e. the percentage of cases in which the system grants access to a user who is not registered in the system.

FRR (False Rejection Rate) – false rejection rate, i.e. the percentage of cases in which the real user of the system is denied access.

Both characteristics are obtained by calculation using the methods of mathematical statistics. The lower these indicators, the more accurate the recognition. Note that they pull against each other: raising the acceptance threshold lowers FAR but raises FRR, so a system is judged by the pair, not by one number alone.
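The following worked calculation, added here and not code from the original post, shows how FAR and FRR are computed from matcher scores and how moving the threshold trades one against the other. The score lists are constructed, hypothetical matcher outputs, not measurements from any real system.

```python
"""FAR/FRR worked calculation on constructed matcher scores.

Added example, not code from the original post. The scores are
hypothetical similarity outputs in [0, 1] from a biometric matcher:
'genuine' scores compare a user's sample with that user's own template,
'impostor' scores compare it with other people's templates.
"""
from typing import Sequence, Tuple

# Constructed sample data (hypothetical matcher output, not measured)
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.79, 0.97, 0.66, 0.85, 0.90]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.08, 0.62, 0.27, 0.19, 0.73, 0.30, 0.44]


def far(impostor: Sequence[float], threshold: float) -> float:
    """False Acceptance Rate: fraction of impostor comparisons scoring at
    or above the acceptance threshold, i.e. outsiders wrongly admitted."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False Rejection Rate: fraction of genuine comparisons scoring below
    the threshold, i.e. legitimate users wrongly turned away."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for one acceptance threshold."""
    return far(impostor, threshold), frr(genuine, threshold)


def equal_error_threshold(genuine: Sequence[float],
                          impostor: Sequence[float]) -> float:
    """Sweep thresholds in steps of 0.01 and return the lowest one where
    FAR and FRR are closest (the Equal Error Rate operating point)."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(0, 101):
        t = i / 100
        a, r = error_rates(genuine, impostor, t)
        if abs(a - r) < best_gap:
            best_gap, best_t = abs(a - r), t
    return best_t


if __name__ == "__main__":
    # Lower threshold: more impostors admitted; higher: more genuine users rejected
    for t in (0.5, 0.67, 0.8):
        a, r = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FAR={a:.2f} FRR={r:.2f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```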

Why are passwords not strong?

As long as passwords exist, hackers will not stop developing new methods of capturing personal data. There are many ways to steal a password and break into a security system. With a biometric image everything is different: it cannot be typed into the reader directly. To deceive technology based on a face image or a fingerprint, an attacker must make a good cast, and even then it is not certain that he will succeed.

It is worth mentioning that biometric authentication systems are additionally protected from fraud. For example, “liveness detection” technology recognizes a live user: during identification the person needs to blink or move his fingers, thus proving that authentication occurs in real time. The percentage of similarity with the biometric control template is then determined. If the algorithm does not recognize the person, the so-called “anomaly module” comes into play: it analyzes the causes of the mismatch and notifies the security service if there is a threat of fraud. This approach allows fraudsters to be blocked within a few seconds.

Biometry in terms of quarantine

A few months ago, special attention was paid to contactless authentication only at facilities with high sanitary and hygienic requirements (medicine, the food industry, research institutes and laboratories). In the context of quarantine, it became obvious that the share of contactless authentication will grow quite quickly. This method provides many of the advantages of biometric methods in physical security systems. In addition, the ability to identify a subject remotely speeds up the verification process, which is important for high-flow systems. Particularly effective are methods that capture the biometric characteristics of the subject at a great distance and in motion. For example, the future lies in contactless prints. With the proliferation of megapixel surveillance cameras, implementing this principle of operation is becoming easier.

Biometric authentication benefits

High accuracy of identification of the person undergoing control.

The difficulty of falsifying biometric features.

A high degree of reliability, since a biometric identifier cannot be forgotten like a password or lost like a plastic card, and someone else’s data or pass cannot be used.

Ample opportunities for automating processes and, as a result, reducing costs, for example for security, administration, maintaining card files and databases, and issuing, replacing and “flashing” access cards, passes, forms, etc.

 

Thus, a biometric access control system allows you not only to manage and control access to premises and data, increase their safety and security and keep accurate records of working hours, but also to automate many of the organization’s processes and optimize costs.

Secured software development. A step-by-step guide.

Should I hand development to a remote team? Today everyone has felt how difficult it is to put together an in-house development team, and an in-house team is not always a possible way out. There are plenty of situations in which engaging a remote team that is ready for a rapid start is a necessity. Organizing proper and completely safe development on your own side requires significant financial investment in technical equipment and in-depth study of the subject, and when you are on a deadline for the implementation of new modules this is ultimately not an option at all.

If we are talking about development by a third-party contractor (outsourcing): how do you verify the contractor’s decency and competence? Can a contractor provide complete security? Is it possible to ensure the necessary level of security while working with a remote team? What must be spelled out in the contract? And what will it take to sleep soundly?

Let’s sift through all the factors so that you can be sure of your actions: what we recommend doing to ensure safe development, and how processes should be configured. We divided the basic security measures within the contractor’s company into organizational and purely technical ones.

 

Organizational security measures.

Staff recruitment. In the case of data or equipment theft, unauthorized access to information or interference with the system, there is a risk of lost profit and financial losses. In addition, there is a chance of losing key employees and the team’s cohesion; without them it is difficult to survive the crisis and restore the company’s image, positive development dynamics and revenue growth. Thus the person, whether developer or manager, is the main factor. We advise you to select team members carefully and to empower the security department to collect feedback from previous jobs and customer reviews.

NDA (non-disclosure agreement) – an agreement with the customer. This is not about a common NDA. In projects with high data security requirements, it is necessary to sign an agreement with each team member who has access to production data. This covers non-disclosure, confidentiality and the liability of all involved parties.

Organization of workspace access. When it comes to ensuring the safety of the business and its employees, an access control system is the most effective way to prevent unauthorized entry, restrict some employees’ entrance to prohibited areas and control the access of the whole team. We strongly recommend organizing automated access control to the territory and to the internal premises of the office for employees and visitors, taking into account the assigned access rights. An important element of security is global anti-passback (re-entry) control, which allows you to stop the use of a pass after it has been handed to unauthorized persons or stolen.

Regulated access to personal computers. Reliable identity recognition is critical if you need to control users’ access rights to certain information in order to prevent its damage or loss. In our practice we have come to use computers with biometric authorization. Using biometric readers, we can see who used this or that computer and when, and who entered the server room or another room. Face recognition authorization prevents illegal access to a work computer even if access codes have been stolen. Another of the main biometric characteristics that allows identification is the analysis of keyboard handwriting. The system collects information about each employee: it analyzes the speed of keystrokes, the pauses between keystrokes and the hold time, and creates an individual portrait. If a third party uses an access code, for example another employee or an attacker, the system can respond to the unauthorized login attempt by notifying a security specialist or denying access to data.
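To make the keyboard-handwriting idea concrete, here is an added example (not the company's own system, and not code from the original post) that builds the individual portrait described above and in the first post's list of dynamic methods, then scores a later session against it. The timings are constructed, hypothetical values; a real deployment would collect them from the keyboard driver and use far more features and sessions.

```python
"""Keystroke-dynamics ('keyboard handwriting') portrait check.

Added example, not code from the original post. Each typing session is
represented by constructed feature lists: key hold times and pauses
between key presses ('flight' times), both in milliseconds. Enrollment
builds the employee's portrait (mean and spread of per-session features);
a later session is scored by how far it sits from that portrait, in
standard deviations, and a large deviation is flagged for the security
specialist rather than silently accepted.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Session = Dict[str, List[float]]
Profile = Dict[str, Tuple[float, float]]

# Floor on the standard deviation so near-identical enrollments do not over-trigger
MIN_SPREAD_MS = 5.0

# Constructed enrollment sessions for one employee (hypothetical timings)
ENROLL_SESSIONS: List[Session] = [
    {"hold": [95, 102, 88, 110, 97], "flight": [140, 155, 132, 148, 150]},
    {"hold": [99, 105, 91, 108, 94], "flight": [145, 150, 138, 152, 146]},
    {"hold": [93, 100, 90, 112, 96], "flight": [142, 158, 135, 149, 151]},
]
# Constructed later sessions: one by the same employee, one by someone else
SAME_USER_SESSION: Session = {"hold": [96, 103, 89, 109, 98],
                              "flight": [141, 156, 133, 147, 152]}
OTHER_USER_SESSION: Session = {"hold": [150, 162, 140, 171, 155],
                               "flight": [230, 248, 215, 240, 236]}


def session_features(session: Session) -> Dict[str, float]:
    """Collapse raw timings into per-session summary features."""
    return {"hold_mean": mean(session["hold"]),
            "flight_mean": mean(session["flight"])}


def build_profile(sessions: List[Session]) -> Profile:
    """Build the individual portrait: (mean, std-dev) of each feature over enrollment."""
    feats = [session_features(s) for s in sessions]
    profile: Profile = {}
    for name in feats[0]:
        values = [f[name] for f in feats]
        profile[name] = (mean(values), max(pstdev(values), MIN_SPREAD_MS))
    return profile


def deviation_score(profile: Profile, session: Session) -> float:
    """Largest z-score of the session's features against the portrait."""
    feats = session_features(session)
    return max(abs(feats[name] - mu) / sd for name, (mu, sd) in profile.items())


def is_anomalous(profile: Profile, session: Session, z_limit: float = 3.0) -> bool:
    """True when the session deviates from the portrait by more than z_limit
    standard deviations: treat as a possible third party using the account."""
    return deviation_score(profile, session) > z_limit


if __name__ == "__main__":
    portrait = build_profile(ENROLL_SESSIONS)
    for label, s in (("same user", SAME_USER_SESSION), ("other user", OTHER_USER_SESSION)):
        print(f"{label}: z={deviation_score(portrait, s):.1f} "
              f"anomalous={is_anomalous(portrait, s)}")
```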

Monitoring and analysis of each user’s activity within the network using special systems. First of all, such a system determines the possible risks: which employee works with valuable information, which applications he uses, whom he communicates with. Thanks to the algorithm’s actions, it is possible to predict the potential risk to the company if an employee is unreliable, and also to predict risks and find potential “holes” in the information security system. Behavior that deviates from the individual norm is a signal of a violation of the security perimeter.

Video surveillance is an essential part of a modern security system. Companies want more and more to protect themselves from unwanted intrusions and attacks. Video surveillance is an information system that provides visual information, allowing you either to reconstruct the picture of an incident or to obtain the necessary data about events, processes and people. The job profile specifies to whom, how and under what circumstances personal data (user credentials) for connecting to corporate networks may be disclosed. Such instruction is an integral aspect of high-quality and reliable development.

Completion of specialized courses and possession of certificates for software development. Team experience working in accordance with standards: SEC, FINRA, SOC 2, ISO/IEC and others. When choosing a contractor company, be sure to ask what certificates the team has; this speeds up the creation of safe development processes.

 

Technical security measures.

Distributed data access rights. An obligatory component of development security is access rights (permissions/restrictions) for working with databases. They are distributed by assigning predefined roles to users and groups. This ensures that the data cannot be copied or altered. Developers’ access to the test environment and to version control is also restricted.

Securing your local infrastructure. The local infrastructure allows you to quickly test and debug features. When developers produce new features, they can access production data through an intermediate host over a secure VPN connection. We also recommend configuring secure VPN access for external (trusted) services and servers. A staging sandbox is not a universal solution for testing, as the process becomes too complicated; sometimes you may need to deploy a local test environment. Keep in mind that, to eliminate internal threats of data corruption, it is worth logging all actions. It is also advisable to limit the transfer of data outside the company network and its storage on external media.

Encryption. All data stored on computers and laptops must be encrypted so that even in the event of theft it cannot be used. It is necessary to provide data encryption protocols, encryption of the transport protocol of integration buses, and so on.

Architectural solutions, architectural protection: personal identification data and the information recorded about a person are stored separately. For example, in medicine this may mean storing a patient’s personal information separately from his medical history.

Production data should be de-identified so that it is impossible to trace the data owners.

Code-based security. According to statistics, most sites and software are vulnerable due to errors in the code. The code can be checked by a third-party company, but this is an additional cost. The ideal option is the implementation of safe development tools on the contractor’s side. Requirements for code verification and safe development should be included in the technical requirements. For example, they should include:

  • static code analysis at the development stage and at code acceptance within the SDLC
  • dynamic analysis (DAST, Dynamic Application Security Testing) of the developed applications
  • analysis to search for so-called zero-day vulnerabilities, whose signatures and patterns are unknown.

When the finished software is handed over, a report on the analysis of its security should be prepared. On the developer’s side, the analyzer should be adapted for embedding into the development environment, providing the ability to check the code for vulnerabilities at each stage of the software life cycle. It is enough for the client to have the same analyzer as the developer, but in a lighter desktop version that just checks the final result (the ready-made application).

What is worth noting? This is not a complete list of the steps that can be taken to organize safe software development. We will be very happy to tell you more. If any of your questions remain unresolved, please ask us, and let’s share experience and improve development security together.

Quarantine: 9 tips for quick transition to distance work

Despite the rapidly evolving world situation and the calls of doctors and governments to self-isolate, it turned out that many companies and teams have not switched to remote work. And the reason is not always company management. An instruction from management may have been issued, but the head of a department does not want to work from home, or employees face internal issues between departments. Let’s try to figure out why, and how to solve this issue.

Companies and teams always have ambitious goals and performance targets, but this is not a reason to endanger people. You need to quickly find answers to the questions related to the transition to remote work. The example of one project manager, Alex, has shown that all issues can be resolved, but most of them should be considered in advance. When Alex received a message about switching to remote work, he could not even imagine how many questions and approvals this would cause. Here are the pitfalls hidden in seemingly harmless remote work, and what Alex faced:

– The ambiguous reaction of team members (I can’t work at home, I don’t want to, you have to provide me with everything, etc.)

– How to overcome managers’ resistance?

– How to organize continuous and uninterrupted communication?

– Do all employees work on laptops that can be taken home?

– Does the company have tools allowing the usage of personal devices for corporate purposes?

– Is it possible to organize a remote and secure connection to an office computer network? We wrote about this here.

– How to get secure data access that does not leave the office?

In an ordinary situation, to arrange all these issues the project manager needs to go around the office more than once: top management, security, system administrators, HR, accounting, etc. Perhaps some readers see themselves in this chain? On this occasion, all departments need to organize themselves, because everyone will have to work remotely. Remote access to data may be needed not only by project manager Alex but also by top management and the security service. We must all acknowledge and accept the situation and work in the new reality.

With the right approach and a thorough assessment of the situation, the process can be organized quickly and efficiently. After some thought and with Alex’s help, we created a checklist to simplify the transfer to distance work.

  1. Engage the HR service to form a questionnaire for employees on what is needed for full-fledged remote work: devices, software, access to specific data, communication.
  2. Collect information from the heads of all departments or teams.
  3. Make the fullest possible list of work resources that employees use. Check whether computers, access to corporate information and communications will work remotely.
  4. Gather all the steps of the standard workflow and evaluate at which stage difficulties may arise. No one will do this for you in the current situation. Check everything carefully yourself.
  5. Try to organize a mini rehearsal: run a normal workweek in accelerated mode in a few hours. If you are still in the office, it is better to do it in the workplace. If you have already switched to remote mode, such a rehearsal will help you quickly find bottlenecks.
  6. Write a short checklist for your department or team: what they need to take from the office for remote work.
  7. As soon as you find gaps in the business process, immediately bring in the necessary employees and fix them. Do not hope that everything will work by itself. It is necessary to consistently check each stage: how you will plan the work, how data will be shared and exchanged, how you will report on the work done. Afterwards, test for possible bottlenecks.
  8. Be prepared now for a budget overrun due to the organization of remote operation. You need to buy the necessary devices, software and access, and there will be ongoing expenses for taxis, etc.
  9. Don’t lose sight of the fact that you will need to work closely with the HR service throughout the whole period of remote work. Some employees may not cope and may leave, and the team will need to be replenished. After the situation stabilizes, it may turn out that some employees want to work from home or partly from home and will ask to change their work schedule. The manager must foresee the likelihood that part of the team will have to be quickly replaced.

And again, we want to encourage all companies and employees to follow the recommendations as much as possible: stay at home and work remotely! If you can share your ideas for effective remote work with us, we look forward to hearing from you. All working issues can be resolved. We wish you all good health.

Creating a safe and secure connection amongst corporate networks and remote workers

How to set up remote office work as quickly as possible, efficiently and at the same time safely? How to make people feel as if they are in the office while not being in the office? We can definitely say there is no single common way. It all depends on a number of factors that must be considered:

– We set the goal: what kind of work should employees perform remotely (read: at home)? Read mail, or have full access to corporate information? We make this decision deliberately, not in a panic in a matter of minutes, and always leave ourselves a reserve of capacity.

– Consider the company size or the number of employees who need to be transferred to remote work.

– Can we use existing hardware, or is there a possibility of purchasing equipment and network resources corresponding to the number of people and the goals? Don’t overdo it here. There are entire hardware systems, but they are not always in demand in small organizations, due to their focus on serving large enterprises and, as a result, their high cost. Let us dwell on this in more detail.

 

We would recommend choosing Virtual Private Network (VPN) technology. It allows you to create a secure connection across a potentially dangerous segment of a public network such as the Internet, and is one of the most common solutions. In simple terms, the VPN client on the remote computer or mobile device connects to the VPN gateway of the company’s network, which authenticates and authorizes the user using a key or a login and password; as a rule, both. After successfully completing this procedure, the user gets access to internal network resources (file server, databases, printers and others) as if he were connected to the local network.

To protect remote access, the IPsec or SSL protocols are most commonly used. They are not interchangeable and can function separately or in parallel, defining the functional features of each implemented VPN. SSL is more focused on providing a secure connection to a single application (for example, SharePoint or email) rather than to the entire internal network. For a full-featured permanent connection to the corporate network, we recommend choosing the IPsec protocol.

 

How to act? And what type of VPN to choose?

– VPN in routers – there are lots of cheap solutions on the market. Almost any router has built-in VPN server functionality. Usually this is a simple on/off switch plus password logins for users, sometimes with RADIUS server integration. We do not recommend considering such a solution. First of all, you need to think about your safety and the continuity of the service; such equipment cannot boast an appropriate level of protection, and its operational reliability leaves much to be desired.

– OpenVPN – we recommend this type of VPN only for small companies or projects of up to 15 people, i.e. companies for which it does not make sense to purchase professional network equipment because there is no large load. The main advantage of this out-of-the-box solution is that it works on all platforms. You can purchase a device and configure it; using special software, you can make it build an OpenVPN tunnel. The disadvantage is that OpenVPN cannot withstand a serious load: encryption and transmission of traffic on the server side are handled by general server resources rather than specialized hardware.

– Microsoft VPN – Microsoft offers a free solution for those whose entire infrastructure is built on its products. In simple cases the setup does not cause difficulties even for a novice system administrator. Bear in mind that when building a more complex system it will be necessary to delve deeper into the settings, and in that case the cost will certainly grow, as will the complexity of servicing the solution. Nevertheless, this solution is not without advantages.

– Enterprise-class VPN – high-class network equipment from Juniper, Cisco and Check Point: all of them have comprehensive solutions that also include a VPN service. But bear in mind that this solution has a higher cost: an annual fee is required, and if you do not pay the annual support fees, do not count on security updates. The main advantages are a very high level of security for the transmitted data, a protected server, and reliability of the solution through redundancy technologies.

Which type of VPN connection to choose is your decision. We can only give you our vision and recommendations.

 

Verify VPN Security

Regardless of which type of VPN you choose, to ensure a high level of security you must perform a mandatory check. The VPN service that listens for incoming connections must correctly verify the credentials provided by the user. It is not enough to simply verify the username and password; to increase reliability, it is necessary to use security certificates as well. A competent password policy is also required (complexity, validity periods, automatic generation, etc.). Together with the certificate, these measures will exclude password-guessing attacks and hacking by password selection.

 

Take into account basic VPN benefits

– Scalability of the system. When adding new employees or opening a new office/branch in the future, there is no special additional cost for communication.

– System flexibility. For a VPN, it doesn’t matter where you access from. An individual employee can send mail from a corporate mailbox or have access to corporate data while working from home. It is also possible to use the so-called mobile offices, where there is no connection to a specific area.

– From the above, it follows that the employee’s workplace is geographically unlimited, which is almost impossible when using a private network.

 

In general, this is all we wanted to share with you. We presented the information rather briefly, because the purpose of the article is to show possible solutions; no single article can be devoted to every specific implementation. We are ready to give more information and cover the issues that interest you.

Do not wait any longer: configure secure remote access, and stay healthy.