Archive for July, 2018

How Ruckus Can Deliver More Consistent Performance

Tuesday, July 24th, 2018

In today’s hyper-connected world, Wi-Fi networks form a critical part of the IT infrastructure for all types of businesses and educational institutions.

Without a reliable Wi-Fi network capable of delivering good and consistent connectivity, productivity suffers. For retail businesses, this poor experience can lead to customer frustration and potential loss of revenue. Additionally, as organizations become increasingly digital-focused, reliable Wi-Fi will play an even more integral role in back-end operations.

When it comes to wireless access point (AP) deployment in real-world situations, interference, competing clients, and even building construction material all have an effect on the performance of the wireless network. The future will bring more users, more bandwidth-intensive applications, and a more diverse range of devices such as wearable tech, VR, and IoT. This will inevitably increase demand for Wi-Fi access and place additional pressure on your radio frequency (RF) environment.

Preparing for this exponential growth without exceeding your budget presents a number of challenges. You need a solution that can manage unpredictable and fluctuating Wi-Fi demands now and can easily accommodate future needs.

Better Airtime Efficiency = Greater Capacity

It’s important to note that a higher AP count does not automatically equate to greater capacity. The capacity of a single AP is equal to the number of clients (i.e., devices) that can successfully transmit over a period of time.

Why is client data rate important? Wi-Fi is a shared medium, so the longer a client spends on air transmitting, the longer other devices must wait before they can transmit. If fewer devices are given an opportunity to transmit in any given timeslot, overall capacity is reduced.

To support more clients in high-density situations, simply installing additional APs will not resolve capacity issues. That’s because there is a finite number of available channels. When channel reuse occurs, any performance improvement can be diminished due to noise, co-channel and adjacent channel interference. Network deployments with multiple APs that use overlapping channels with wider channel bandwidth have a higher probability of problematic co-channel interference.

So, not only does installing more APs drive up costs significantly, this expensive approach is unlikely to result in the better experience users expect.

Ruckus resolves this problem by enhancing airtime efficiency so that all clients can simultaneously transmit to multiple devices, thereby drastically improving overall throughput and availability. This allows a given Ruckus AP to accommodate more clients than the equivalent competing vendor’s APs.

When it comes to capacity, it’s not just about the overall capacity of an AP. What’s important is ‘usable capacity’ for each client on that AP. You want each connected user to receive the required Quality of Service (QoS). A client that is connected at very slow speeds or continually times out is not being adequately served by the network.

Ruckus’ patented BeamFlex® and ChannelFly technologies have been extensively tested in real-world deployments in which interference, noise, and physical barriers impact usable capacity.

ChannelFly is a new approach to optimizing RF channel selection based on capacity averages across all channels. Specialized algorithms select the best channel based on historical values.

BeamFlex is able to select antenna patterns that focus RF energy away from the direction of interference, thereby attenuating noise to the receiving station. This brings significant improvements in signal gain and capacity, and enables Ruckus to support more devices in high-density situations, covering a larger area than competitors’ APs.

Here we delve deeper into how BeamFlex’s innovative technology is able to increase airtime efficiency for clients connecting to your wireless network.

BeamFlex® Adaptive Antenna Technology

BeamFlex technology encompasses a combination of patented software algorithms and multiple high-gain horizontally and vertically polarized antenna elements. This adaptive antenna system creates optimal antenna patterns for each device with which it communicates, resulting in significantly increased stability, performance and range.

Unlike omnidirectional antennas that radiate signals in all directions, BeamFlex technology focuses the antenna pattern on each client. Unlike fixed-position, directional antennas, BeamFlex technology dynamically configures and re-configures antenna patterns to optimize signal quality at the client. And unlike any other approaches, BeamFlex technology reconfigures the antenna pattern on a packet-by-packet basis, so it’s always being optimized for each client.

And because BeamFlex technology focuses RF energy where it’s needed, it reduces interference between APs and clients, increasing available capacity and enabling higher average throughput per client.

The net result: each AP delivers more capacity over a larger area as compared to competitive vendor APs and, thus, fewer APs are needed to deliver the capacity and coverage required. That means more reliable client connectivity and an enhanced Wi-Fi experience at considerably lower cost than alternatives.

No Client Left Behind

Increased adoption of video communications is driving worldwide growth in business IP traffic. Yet, delivering high quality video over wireless is still challenging. Video and voice are examples of applications in which latency and jitter, in addition to inadequate bandwidth, can negatively impact end-user Quality of Experience (QoE). That’s why Wi-Fi performance testing should also include tests of video-streaming capability.

Ruckus commissioned an independent third party to test the performance of a mid-range Ruckus AP against those of competitors. The tests consisted of 60 Chromebooks running video and two Mac Mini clients running data only. The number of successful simultaneous video streams supported by the AP before and after a data load was introduced was measured. The number of clients with stall-free video was recorded along with the aggregate data throughput associated with the data-only clients.

Results

The test showed that Ruckus APs delivered perfect video quality of experience in a challenging, high-density environment. Ruckus APs were able to stream high-resolution video to 60 video clients without a single stalled video while simultaneously supporting 150Mbps data throughput associated with the data clients.

Most vendor APs couldn’t deliver stall-free video to all sixty clients, even with no other traffic on the network. And no vendor except Ruckus could deliver stall-free video to sixty clients while under simultaneous data loading. These results demonstrate that Ruckus can deliver on its capacity promise.

The ever-growing number of users and devices dictates that demand for Wi-Fi bandwidth will continue its remarkable growth trajectory. But that doesn’t automatically mean that IT departments will get more budget to meet the demand. Organizations can use fewer Ruckus APs to support a given number of clients, yielding a more cost-efficient infrastructure.

Conclusion

Wi-Fi usage will continue to grow and demand for an accessible, reliable and fast network will continue to be a priority. It makes sound economic sense to choose high performance, high density-capable APs that lower your total cost of ownership, now and in the long-term.

Ruckus APs have been proven to support 30-50% more clients and to provide up to 30% better coverage than competitors’ products – without a performance penalty. More usable capacity per AP saves on capital outlay for additional APs, associated subscription fees, installation costs and other related overhead.

Patented RF technologies combat the signal degradation, noise and interference that disrupt service and make users unhappy. The result is fast and reliable Wi-Fi for everyone without the need to overprovision APs. With Ruckus, you also have the flexibility of being able to migrate from one management architecture—virtual controller, appliance-based controller, controller-less, or cloud—to another (or a hybrid deployment) without throwing away your AP investment.

If you would like to find out more about Ruckus and what they can bring to your organisation, call Net-Ctrl on 01473 281 211, or complete our Contact Form.

Is Your Data Hackproof?

Wednesday, July 18th, 2018

Just when the global cyber community was slowly recovering from the infamous WannaCry ransomware attacks that caused havoc across the globe last year, two recent cyber-attacks of an almost identical nature again shook the cyber community worldwide.

In May 2018, two Canadian banks, The Bank of Montreal and CIBC-owned Simplii Financial, were targeted by hackers who managed to get access to the personal information of thousands of their customers. The hackers demanded a ransom of $1 million from each bank, failing which they threatened to publish the stolen information on the internet. The information that the hackers got access to included the names, dates of birth, social insurance number, debit card details, home address, occupation, marital status, secret questions and account balances. Security experts suspect that the hackers used a ‘spear phishing’ attack in which they targeted specific people who had accounts with both these banks and used malicious cyber techniques to make them hand over their crucial data.

Why did this happen?

Organisations, especially banks, store a lot of user data to help them service their customers, target marketing activities and run analytics to make their products/services relevant to the needs and demands of the market. Broadly, user data can be classified into two types: Personally Identifiable Information (PII) and Non-PII. In simple words, any data that can be used to identify a person is categorized as PII. This leads to an inherent need to store and manage PII in a more secure manner than non-PII data.

In the case of the Bank of Montreal and Simplii Financial, the breach happened despite both the banks having implemented stringent perimeter security controls. Cybersecurity experts feel that had the banks employed data encryption technologies for securing their customers’ PII stored within their database, then such an attack would not have been possible.

The Way Forward

Hackers have been around since the time the Internet was born and with every passing day, their numbers are increasing manifold with data breaches taking place almost on a daily basis. According to Gemalto’s 2017 Breach Level Index report, the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion – up a whopping 88% from 2016. This equates to more than 7 million records lost or stolen every day, or 82 every second!

With rising incidents of data breaches, the business impact goes way beyond a financial hit. As organisations struggle to maintain and protect their customers’ data, there is a growing concern amongst their customers about the security of their personal information. Gemalto’s recent Customer Loyalty Survey, which interviewed 10,000 consumers worldwide, revealed that a majority (70%) of consumers would stop doing business with a company if it experienced a data breach.

This figure alone should ring the alarm bells of organisations that store their customers’ PII without deploying robust data encryption technologies. Encryption involves scrambling the data using an algorithm and a secret value – the encryption key. Unless a user has access to the key, the data cannot be unscrambled or decrypted.

However, securing the data does not end with merely encrypting it. Encryption transfers the responsibility of enterprise security from the data to encryption key management – a holistic solution that is seamlessly able to generate the encryption keys, distribute, rotate and store them and revoke/destroy the keys, as needed. In a nutshell, businesses need an end-to-end data encryption solution to ensure the security of data.

Gemalto’s Key Management Solution

While there are many encryption alternatives available on the market today, most businesses find themselves lacking when it comes to management of the encryption keys. It’s like putting a lock on all the doors of your room and not knowing where the keys are. This can still lead to a potential theft if the keys land in the wrong hands. Hence, having a centralized platform that can help organisations manage their crypto keys across all stages of their lifecycle can play an important role in ensuring optimal data protection.

Gemalto’s SafeNet KeySecure offers a robust and centralized key management solution that can be seamlessly deployed in physical, virtual, and cloud environments. Some of the salient features that play a crucial role in data security are:

  1. Heterogeneous key management – helps in managing multiple crypto keys for different types of encryption products.
  2. Multiple use cases – easily integrate with other data protection solutions.
  3. End-to-end key-lifecycle support
  4. Centralized management console – helps in assigning administrator roles according to the scope of their responsibilities.
  5. Logging and auditing – helps in storing audit trails that can be analyzed by using any leading SIEM tools.
  6. Reduces the overall cost of data security by offering automated operations.

To Sum It Up

What would you do if an organisation didn’t take the security of your data seriously? Probably stop using their products/services, right? Most of us would do the same. We are all concerned about the security and privacy of our data gathered by various businesses. As consumers, we expect all organisations, no matter how big or small, to employ the latest security tools.

When we look at it from the other side of the line, as business owners, we tend to try and get by with the security system already in place. However, hackers are evolving and your data security tools need to keep up too. An end-to-end data encryption solution can ensure that you and your customers can be assured of maximum data protection. Remember, if your customers feel that your organisation places the security of their personal information at the top of the priority list, they will not just be loyal to your brand but also work as powerful brand ambassadors.

Discover how Gemalto’s SafeNet KeySecure can help organisations fully secure their data. Contact Net-Ctrl for more information on 01473 281 211, or through our Contact Form.

View the original press release at Gemalto.com.

Ruckus Launch R730 – The First IoT and LTE ready 802.11ax Access Point

Wednesday, July 18th, 2018

Ruckus Networks, an ARRIS company, today announced the Ruckus R730, the industry’s first IoT- and LTE-ready, 802.11ax wireless access point (AP). The high-capacity, 12 spatial-stream R730 works in concert with the new Ruckus Ultra-High Density Technology Suite to smoothly deliver high-resolution, latency-sensitive video in ultra-high density user environments such as stadiums, train stations and schools. In addition, the R730 complies with both the new WPA3™ security protocol and Wi-Fi™ Enhanced Open for more secure connections on public networks.

Worldwide data and video traffic is growing at double-digit rates, driven by an increase in connected devices. ABI Research predicts that Wi-Fi device shipments will grow to nearly 35 billion by 2022. Data and video traffic also will surge due to increased per-device data consumption driven by applications like 4K video streaming, virtual and augmented reality and live-stream gaming.

“Ruckus customers and partners demand more when it comes to their networks,” said Ian Whiting, president of Ruckus Networks. “We have a long history of delivering products and technologies that go beyond the current state-of-the-art to meet the world’s most demanding network requirements while driving down the cost-per-connection. Ruckus R730 and Ruckus Ultra-High Density Technology Suite are the latest examples.”

The congestion of people, devices and bandwidth-hungry apps makes for challenges that current wireless tech cannot handle. Adding to the complexity of this environment are diversifying device categories and apps, such as instant messaging, IoT control messages and voice-over-Wi-Fi.

“Real-world use cases are bumping up against the limits of existing Wi-Fi standards, and the need for 802.11ax to address a wide variety of heterogeneous, high-density scenarios is clear,” said Chris DePuy, founder and technology analyst at 650 Group. “Ruckus has already differentiated itself in the realm of network consolidation. With this launch, Ruckus is reinforcing that by setting the stage for converged Wi-Fi, IoT and LTE deployments.”

802.11ax: More connections and bandwidth, higher QoS

The new 802.11ax standard was designed for high-density connectivity, with the ability to support up to a four-fold capacity increase over its 802.11ac Wave 2 predecessor. With 802.11ax, multiple APs used in dense device environments are collectively able to deliver required quality-of-service (QoS) to more clients with more diverse usage profiles due to the use of orthogonal frequency-division multiple access (OFDMA) and multi-user multiple-input multiple-output (MU-MIMO) technologies.

Delivering expected service levels in ultra-high-density environments

Increased end-user expectations and application QoS requirements pose unique difficulties to network designers. Locations such as stadiums, public venues, train stations, and schools in which video content and applications are central to the curriculum, are representative examples. The R730, supporting eight spatial streams on 5 GHz and four spatial streams on 2.4 GHz, is better able to address those expectations through increased capacity, improved coverage and performance.

“Train stations are especially challenging Wi-Fi environments due to spikes in client count each time passengers exit a train,” said Tetsuo Mukai, general manager, KDDI. “We challenged Ruckus to help us improve the in-station experience for subscribers with devices that were already on the network when the train arrives, and Ruckus came back with a solution that dramatically reduced the impact of these transient client events on affected subscribers, minimizing throughput degradation and shortening recovery time.”

The Ruckus Ultra-High Density Technology Suite addresses these challenges using techniques that go beyond the 802.11ax standard, including:

  • Airtime decongestion—Increases average client throughput in heavily congested environments by using patent-pending techniques to reduce unnecessary management traffic.
  • Transient client management—Maintains throughput levels for priority clients in high transient-client environments such as rail stations by using patent-pending techniques to delay AP association with low-priority transient clients.
  • BeamFlex™+ antennas—Patented technology improves AP coverage and capacity by continuously optimizing antenna patterns on a per-device, per-packet basis.

“At Golden 1 Center, we’re committed to delivering the best fan experience in the industry. One of the ways we deliver value to our fans is to build a network that enables live streaming during the games. This is incredibly challenging to do in a venue like ours with as many live-streaming fans as we have,” said Ryan Montoya, chief technology officer, Sacramento Kings. “Ruckus was up to the challenge and demonstrated to us several innovative features that let us squeeze the most out of our available spectrum, ensuring no connections are dropped and that adequate bandwidth is available for anyone that wants to live-stream the game.”

Converging IoT access networks

The R730 includes embedded Bluetooth Low Energy (BLE) and Zigbee radios and can be augmented with Ruckus IoT modules to support additional physical layer protocols such as LoRa. Using the Ruckus IoT controller, these separate networks and the IoT endpoints associated with them can be managed, coordinated and connected to IoT cloud services as part of a single, converged IoT access network.

Preparing for private LTE

The R730 accommodates modular Ruckus OpenG™ LTE APs operating in the U.S. Citizens Broadband Radio Service (CBRS) 3.5 GHz band, enabling existing Wi-Fi APs to provide LTE service. Using modular or stand-alone LTE APs, organizations will be able to build their own private LTE networks to improve the quality of indoor cellular service within their facilities.

Making users safer at home, in the office and in public

The R730 will implement the next-generation WPA3 wireless security protocol and Wi-Fi Enhanced Open. Users with compatible devices will benefit from significant security enhancements, including:

  • Protection against brute-force dictionary attacks through use of a new key exchange protocol known as a simultaneous authentication of equals handshake.
  • Protection against traffic-sniffing attacks common to unauthenticated networks associated with public venues.

Getting the most out of your 802.11ax deployment

The 802.11ax standard and the R730 offer a step-function increase in over-the-air throughput. To make the best use of that new capacity, network designers need to optimize the wired access infrastructure to support it, while minimizing upgrade costs. Ruckus helps network designers by:

  • Offering two switches—the entry-level ICX 7150 Z-series and the ICX 7650—that meet the increased power-over-Ethernet (PoE) requirements of the R730;
  • Providing the access port capacity needed to support multi-gigabit throughput on the ICX 7650 Z-series—with up to 24 auto-sensing 1/2.5/5/10 gigabit Ethernet (GbE) ports—and the 100 gigabit-per-second (Gbps) uplink capacity required for ultra-high-density deployments;
  • Enabling them to replace APs without extensive network redesign by using the adaptive Wi-Fi cell sizing feature included in the Ultra-High-Density Technology Suite.

“Many of our customers have future-proofed their networks with the Ruckus ICX 7650 switches, in anticipation of the upcoming 802.11ax access points,” said Don Gulling, president and CEO of Verteks Consulting. “The launch of the R730 enables us to quickly get these APs into the hands of our customers that serve high-density Wi-Fi deployments such as stadiums, auditoriums and large public venues. These APs and switches will provide our customers with what they need to meet next-generation demands.”

Availability

The R730 will be generally available this calendar quarter. The Ultra-High Density Technology Suite is available now for use with all Ruckus APs.

View the original press release at ruckuswireless.com.

Johnson Controls Releases CEM Systems AC2000 v10

Tuesday, July 17th, 2018

Johnson Controls announces the release of CEM Systems AC2000 v10.0, which offers users a new modernised look and feel along with new features such as enhanced enterprise capabilities that increase the performance and scope of the AC2000 access control system suite from CEM Systems.

CEM Systems AC2000 v10.0 workstation client applications have been restyled with a modern, clean and intuitive interface. The restyle has focused on the user experience with improvements to all visual elements of the applications. Operators are now able to select their preferred theme (light or dark) to run their AC2000 Workstation Client applications in.

A major feature of AC2000 v10.0 is the enhancements to the AC2000 Enterprise offering for AC2000, AC2000 Lite and AC2000 Airport editions. The enhanced enterprise system provides superior centralized access control and monitoring capability where wide geographical distribution occurs, or where departmental or business unit separation is necessary. The new architecture improves device configuration, reporting, alarm processing and personnel management across multiple site locations.

A business or organization can scale its single site AC2000 access control system to a multi-site enterprise solution, while at the same time unifying policy requirements and reducing administrative and operational costs. Each business unit can be administered at a local and/or centralized level. Other features of AC2000 v10.0 include new visitor escort functionality to ensure visitors are not left unaccompanied around secured areas, and unrestricted AC2000 Authorization levels to reduce configuration times for users and user groups.

Building on the range of ID scanner integrations, AC2000 now offers a new interface to SnapShell ID and passport scanner.

Find out more about the CEM Systems Access Control solution and contact our team on 01473 281 211, or submit a contact form.

View the original release by CEM Systems.

5 technologies that will help kill usernames and passwords

Tuesday, July 17th, 2018

We’ve all struggled to remember complicated username and password combinations when trying to access an online account. According to a Dashlane Inbox Scan study, the average user has at least 90 online accounts and with every account comes a new password to remember. To make their digital life simpler, 89 per cent of people use the same one or two passwords for everything.

Managing several digital identities using usernames and passwords is not something our brains are wired to do. And it also presents a huge security threat – insecure passwords caused an estimated 80% of breaches, according to a 2017 report from Verizon.

No doubt, passwords aren’t the best authentication solution in the digital age. But how can digital technologies help us address this issue? With huge strides being made in digital authentication technologies, and biometrics, in particular, the end of the password could soon be a reality. Keep reading to find out which 5 technologies can help us kill passwords.

1. Physiologic Biometrics

In a previous post, we discussed how biometrics are already helping solve the all-important issue of a “unique identifier”, replacing the username/password combination, while keeping the user experience simple and secure at the same time.

Biometrics refers to the individual’s unique physiological characteristics, captured through methods such as facial recognition, fingerprint authentication, iris scan and DNA. It can be used to automatically identify and authenticate individuals, and such authentication methods have become the norm for accessing devices like smartphones, smart speakers and tablets. They’ve also been deployed by many eGovernment service providers and financial institutions and in other aspects of our lives including driving our cars or accessing our homes!

2. Behavioural Biometrics

Going forward, behavioural biometrics are becoming a very good alternative for secure authentication, when combined with other authentication methods. As described by IBIA, behavioural biometrics measure the unique patterns which characterize our daily activities. Yes, that’s right, the way we type, walk, our heartbeats, brain waves, and many others, can all be captured in a digital signature that is unique to the individual.

Technologies based on machine-learning algorithms can help build out a rich, multi-dimensional profile of each individual customer. Such technologies are currently used in law enforcement and border control and combined with context-based signals like geolocation, they provide a very personalised and silent authentication method.

3. Artificial Intelligence

Just as insurance companies use data to predict accidents, or retailers to figure out the optimal time to target consumers with a personalised promotion, user authentication could rely on similar data analytics. Machine learning can be used to collect a combination of patterns in data related to log-in times, locations and device footprints. The goal is to spot normal versus abnormal user behaviour and change access accordingly.

This will be based on the concept of adaptive authentication, by assigning a risk score and adjusting the level of access the user gets, based on the actions they are performing and the assurance level of the user’s authentication method.

This type of technology is in its early stages of development, although conversations around context-based and risk-based authentication have already become very popular.

4. Two-factor (2FA) or Multi-Factor Authentication

These systems have been in use for a while now, and end users have become accustomed to adding an extra layer of security for certain types of transactions. They rely on the user demonstrating control of a confirmed communication channel, such as an email address, a text message or an authentication app.

Several service providers, especially those in eGovernment, send a text message to the number on record containing a one-time password (OTP) valid for one login session or transaction on a digital device. However, there are certain risks associated with using OTPs, which is why they are best used in combination with other forms of authentication such as biometric authentication.
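The one-time passwords described above, as generated by an authentication app, can be checked on the server as shown here. This is an added example, not code from the original post: it implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238), and the `TotpVerifier` class, its parameters and the lockout limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Published test key from RFC 4226 Appendix D; never use it for real accounts.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1 followed by dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical server-side check for time-based codes (RFC 6238).

    A code is accepted for the current 30-second step or one step either
    side (clock drift). The highest step already consumed is remembered per
    user, so a code is valid for exactly one login, and repeated failures
    lock the account so the 6-digit space cannot be guessed online.
    """

    def __init__(self, step_seconds: int = 30, drift_steps: int = 1,
                 max_failures: int = 5):
        self.step_seconds = step_seconds
        self.drift_steps = drift_steps
        self.max_failures = max_failures
        self._last_step = {}   # user -> highest time step already used
        self._failures = {}    # user -> consecutive failed attempts

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        if self._failures.get(user, 0) >= self.max_failures:
            return False  # locked until reset out of band

        current = int(now) // self.step_seconds
        last_used = self._last_step.get(user, -1)
        accepted = None
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            if step <= last_used:
                continue  # this step's code was already spent: replay
            expected = hotp(secret, step).encode()
            # Constant-time comparison avoids leaking matching prefixes.
            if hmac.compare_digest(expected, code.encode()):
                accepted = step

        if accepted is None:
            self._failures[user] = self._failures.get(user, 0) + 1
            return False
        self._last_step[user] = accepted
        self._failures[user] = 0
        return True


if __name__ == "__main__":
    verifier = TotpVerifier()
    code = hotp(RFC_TEST_SECRET, 59 // 30)
    print("first use :", verifier.verify("alice", RFC_TEST_SECRET, code, now=59))
    print("replay    :", verifier.verify("alice", RFC_TEST_SECRET, code, now=61))
```
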

5. Mobile Identity

As we’ve discussed in a previous blog, with so many people using digital devices to communicate and access data, services and transact, the new challenge to ensure the success of this digital economy relies on knowing who you transact with.

Mobile trusted digital identities can be the answer as they provide the means to collect all end-user attributes and enable seamless authentication all through the mobile device. Mobile enables the combination of identity documents, physical and behavioural biometrics and user information such as geolocation, device numbers and other attributes.

While everyone is talking about how we should kill passwords, the fact is the average person has at least 90 online accounts associated with their email address and uses the same password to access them, and that number is growing every year.

Usernames and passwords will continue to be used for authentication in 2018, but the widespread adoption of scalable technologies will help eliminate this hassle over the coming years. End-user adoption of biometric technologies will drive the movement towards seamless and convenient digital experiences while reinforcing security and privacy.

New UK NCSC Guidelines Urge Use of Multi-Factor Authentication and Single Sign-On Solutions

Tuesday, July 10th, 2018

A couple of weeks ago, the UK National Cyber Security Centre, a part of the British intelligence and security organization GCHQ, published guidelines for enterprise information security leaders on how they can implement multi-factor authentication to thwart breaches and unauthorized access to online accounts. The guidelines cover both consumer authentication to online services, such as banking and retail sites, as well as employee authentication, such as when accessing enterprise VPNs and cloud-based apps.

The guidelines are timely with marketing and data aggregation firm, Exactis, making the headlines for failing to secure a database with 340 million records of American adults and businesses that include “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.” In response to the deluge of personal information compromised, some are calling for stricter regulations around privacy in the US, comparable to those required by GDPR, which requires users to provide their explicit consent to online services to collect this type of data.

So what does the UK National Cyber Security Centre (UK NCSC) advise IT leaders and administrators to do? We’ve recapped the main points below.

Consider Multi-Factor Authentication an Enterprise Essential

Traditionally, passwords were used to authenticate users to a single all-encompassing entry point in the form of access to the enterprise network.

Since enterprises today use a large number of cloud-based applications and virtual private networks to enable collaboration and remote work arrangements, the enterprise firewall no longer provides sufficient protection.

In effect, all access becomes remote access – in the cloud or remotely to on-premises resources. In either case, authentication becomes the central ‘decision point’ for granting or denying access to a user – be they legitimate or a hacker.

The problem with relying on passwords is that they are famously inadequate for protecting against leaked user databases, phishing attacks and password spraying. This is where multi-factor authentication, or MFA, comes into the picture.

When to Use Multi-Factor Authentication

Due to social engineering, e.g. phishing, and machine-guessable passwords, organizations are advised to:

  • Choose cloud and web services that offer MFA, and be wary of the risk of using web services that offer only single-factor authentication
  • Apply MFA for all web and cloud-based resources
  • Secure IT administrator accounts with MFA

Common Implementations of Multi-Factor Authentication

What are some common, effective implementations of MFA?

  • Remember me on this device – Device fingerprinting is used by many services such as Google and LinkedIn as an additional authentication factor. Logins from an unregistered device could prompt the user for additional authentication.
  • Requiring MFA at every access attempt – Most applicable to high-impact services, such as webmail and online banking accounts.
  • Stepping up authentication during high-risk activities – For example when transferring money online or changing a password.
  • Stepping up authentication based on high-risk behaviours – Such as logging in from an unusual geographic location.
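A sketch of how the four implementations above can combine into a single access decision, as an added example that is not from the NCSC guidance or the original article. The service names, action names, and field names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not taken from the NCSC guidance).
HIGH_IMPACT_SERVICES = {"webmail", "online-banking"}
HIGH_RISK_ACTIONS = {"transfer_money", "change_password"}

@dataclass
class AccessRequest:
    user: str
    service: str
    action: str
    device_id: str
    country: str  # None if the geo lookup failed

@dataclass
class UserProfile:
    registered_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)

def mfa_reasons(req, profile):
    """Return every reason this request needs a second factor (empty = none)."""
    reasons = []
    if req.service in HIGH_IMPACT_SERVICES:
        reasons.append("high-impact service")
    if req.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk activity")
    if req.device_id not in profile.registered_devices:
        reasons.append("unregistered device")
    # A missing country (None) is never in the set, so it fails closed.
    if req.country not in profile.usual_countries:
        reasons.append("unusual location")
    return reasons

def authorize(req, profile, second_factor_ok=False, remember_device=False):
    """Decide 'allow' or 'challenge' once the password has been verified.

    The reasons are returned with the decision so they can be written to
    the access log alongside the outcome.
    """
    reasons = mfa_reasons(req, profile)
    if reasons and not second_factor_ok:
        return "challenge", reasons
    # "Remember me on this device": only after a successful second factor.
    if second_factor_ok and remember_device:
        profile.registered_devices.add(req.device_id)
    return "allow", reasons
```

A remembered device only clears the "unregistered device" reason, so high-impact services and high-risk activities are still challenged from a trusted device.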

Common Authentication Factors

Regardless of the type of device being used, UK NCSC recommends implementing Single Sign-On to provide a smooth experience for end-users. Single Sign-On solutions eliminate the need to re-authenticate separately to each application, enabling users to access all their apps after logging in just once. Where SSO is unavailable or costly to implement, such as on mobile devices, a solution providing a good UX should once again be preferred.

So what are the authentication factors available to secure access to enterprise or consumer resources? The UK NCSC mentions these:

  • Managed devices – These could be protected using digital PKI certificates, or an embedded secure element that cannot be removed, among others. Additionally, IT leaders can choose to enable access to resources only when that access originates from the enterprise network or VPN.
  • Using mobile-as-a-token – This includes one-time passcode apps (OTP apps) generating OTPs as well as single-tap push authentication.
  • Hardware tokens – These include FIDO tokens, PKI smart cards with PIN protection (a PIN is required to unlock the smart card and authenticate), OTP key fobs, chip-and-PIN (EMV) card readers used in banking, and backup codes designed to be used as a default when the usual second factor is not available.
  • Out-of-band – This includes out-of-band delivery of a one-time passcode via email, SMS text messages and phone calls.

Other recommendations for the successful implementation of MFA include the logging and reporting of failed and successful access attempts—functionality which is key to post-event forensics and demonstrating compliance. The UK NCSC also advises deploying user self-service portals, to let users report or resolve numerous issues on their own.

Looking to revamp your Identity and Access Management strategy? Learn about Gemalto’s identity-as-a-service or join a 30-minute live demo webinar of SafeNet Trusted Access. Alternatively, call the Net-Ctrl team on 01473 281 211, or submit a contact form.

View the original article at Gemalto.com.

Is the CIA protecting the World Cup in Russia?

Thursday, July 5th, 2018


The 2018 FIFA World Cup is expected to be the largest yet, with fans from all over the world watching. When it comes to TV audiences, the games are expected to be watched by 3.4 billion fans from 200 countries, which is nearly half the total world population. Not only is the World Cup available to view worldwide through a variety of broadcasting platforms, but smart technologies are now increasingly used by the fans to watch the games and interact with their favourite players. In fact, a survey by GlobalWebIndex found that 47% of the online population plans to watch the games online, and a quarter of millennials have declared they’d follow the tournament on their smartphone or tablet.

And if this doesn’t give you enough hint about the scale of the event, here are some more numbers:

  • 12 hosting stadiums requiring good IT infrastructures
  • More than 5,000 media representatives present at the games
  • 36 participating teams, 736 players and 99 referees
  • 17,040 people from 112 countries in the volunteer team

High-profile sporting events like the FIFA 2018 World Cup could provide many opportunities for hackers to target not just consumers and their smart devices, but also stadiums’ infrastructure, such as grid power and lighting among others. Cyber criminals often use these large gatherings of people and technology to steal personal information or harvest users’ credentials for financial gain, among other malicious activities.

Digital threats likely to be seen at the World Cup

While attacks at previous major sporting events have focused on ticket scams, and availability of IT services and personal data, there are now more substantial cyber threats to stadium operations, infrastructure, broadcasting and participants and visitors to the games. For example, the 2012 London Summer Games were hit by a DDoS attack on broadcast operations and power systems seeking to limit viewer access to live broadcasts; fortunately, it had limited success. In response to similar threats, the South Korean government and Pyeongchang organising committee invested around £850,000 into cybersecurity measures for the 2018 Winter Games.

Individuals taking part in the matches, either organisers or fans, could become targets to hackers in various ways. The most popular scams could include spam emails about winning tickets in the FIFA lottery and fake websites. Hackers could also create duplicates of bank websites and popular tourist sites, such as Booking.com and Airbnb, and use them to gain access to the users’ banking information. Below, we’ve listed a few of the most common ways in which the personal details, devices and services availability for all present at the football games could be compromised:

Protecting the World Cup: the CIA pillars for digital security

In order for organisers of such sports events to protect everyone involved, they need to rely on cybersecurity strategies that protect the three main pillars that underpin connected devices and services: Confidentiality, Integrity and Availability (CIA). This means that connected devices and the services associated with them should factor in:

  • Confidentiality: ensuring that devices, systems or data are not accessed by unauthorised parties
  • Integrity: ensuring that no data can be manipulated or tampered with
  • Availability: ensuring that attendees can connect whenever, and to whoever, they need to

The table below illustrates how the 3 CIA pillars reflect the World Cup digital environment, including different threats that can be associated with each of those.

Ensuring Confidentiality, Integrity and Availability

Major sporting events like the 2018 FIFA World Cup require months of preparation that include evaluation of risks and mitigation based on different scenarios.

Simple measures for fans and visitors such as switching off the Wi-Fi and Bluetooth connections of devices when not in use, using a credit card to pay for online goods and services, updating the software of devices, and using strong PINs and passwords can all help.

But here are a few security principles that organizers of major sports events should always follow to ensure confidentiality, integrity and availability:

  • Create strong IDs for connected devices and services – ensuring Trusted Digital Identities could be a good way forward
  • Encrypt sensitive data at all stages as it moves from devices, gateways or cloud servers. This will protect against data tampering or data theft.
  • Implement strong authentication processes, to securely store credentials and ensure only authorized individuals, entities or devices have access to sensitive data and services
  • Ensure remote software and security update capabilities, with access credential management. This will ensure the best performance for connected devices, and allow access to devices or services to be blocked, or devices to be returned to a safe security state, whenever a threat is identified.
  • Create redundant systems and databases for recovery in disaster scenarios
  • Install monitoring and intrusion prevention systems to detect anomalies and be alerted before issues arise

Increased connectivity, both among the public and global infrastructures, makes the 2018 World Cup a prime target for digital threats. Luckily, now going into its final stages, one of the most significant global sports events has not been hit by major cyberattacks. But these last couple of weeks are also the most important ones for all parties involved, so digital security must prevail at all costs.

If you would like to speak to someone about your security measures, please submit a form through our Contact Page, or call the team on 01473 281 211.

Read the original blog post at Gemalto.com.