[Dshield] Web Site Authentication

Shawn Cox shawn.cox at pcca.com
Mon Jan 29 17:29:24 GMT 2007

This is going to sound a little harsh, but please understand it is not
directed at you Alex.

If your records are still keyed off of SSN your company has big problems.  

What you need to do is focus on protecting that SSN info.  Not changing your
authentication method.  Federal Law requires that a breech of your data
systems, that reveals as little as the SSN/Name pair, requires your company
to notify every person whose data is compromised.  Maybe you heard about the
federal government having to do just that for several million veterans?  I'd
bet you a shiny nickel your chief of IT does not under any circumstances
want to pen that letter.  (Here's your business case.)

It is far more likely that someone will obtain a password via a sticky note
or website compromise than will defeat your current authentication method.
This also applies if an unencrypted backup tape is lost.

It is surprising to me that as a company in the healthcare industry an audit
or your lawyers have not brought this up.  Companies have been converting
away from SSN identifiers for 5+ years now.  This is the first thing you
should get done.  Convert to a member number/userid and encrypt the ssn
displaying it for eyes only reports/users.

I've just spent the last 2 years doing exactly this and it wasn't fun, but
my CIO can sleep better at night now.

Good Luck to you.

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Ackley, Alex
Sent: Monday, January 29, 2007 10:28 AM
To: list at lists.dshield.org
Subject: [Dshield] Web Site Authentication

I need some help making a business case for changing our method of
authenticating users.  Our current "system" is anything but.  A person's
SSN is used and a password assigned.  The password is checked against a
field in a database and if it matches the SSN attached they are allowed
in.  This is done over SSL using a certificate but that is the end of
the system.  I believe a more robust and secure system should be
implemented because of the data that is opened to users who login.  My
problem is in communicating the business need other then because someone
could get in.  What makes moving from this system to another like a
RADIUS or Kerberos based system better?


System Admin

SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)

More information about the list mailing list