Why Smart Cards are Just One Piece of the Network Security Puzzle

By Joe Kim, SolarWinds EVP, Engineering and Global CTO

In last year’s third annual SolarWinds Federal Cybersecurity Survey, 38 percent of respondents indicated that the increasing use of smart cards is the primary reason why federal agencies have become less vulnerable to cyberattacks than a year ago. This 2016 survey also revealed that nearly three-fourths of federal IT professionals use smart cards as a means of network protection. And more than half of the federal IT professionals surveyed noted that smart cards are the most valuable product when it comes to network security.

Indeed, thanks to their versatility, prevalence, and overall effectiveness, there’s no denying that smart cards play a crucial role in providing a defensive layer to protect networks from breaches. Case in point: the attack on the Office of Personnel Management that exposed more than 21 million personnel records. The use of smart cards could perhaps have provided sufficient security to deter such an attack.

But there’s increasing evidence that the federal government may be moving on from identity cards sooner than you may think. Department of Defense (DoD) Chief Information Officer Terry Halvorsen has said that he plans to phase out secure identity cards over the next two years in favor of more agile, multi-factor authentication.

Smart cards may be an effective first line of defense, but they should be complemented by other security measures that create a deep and strong security posture. First, federal IT professionals should incorporate Security Information and Event Management (SIEM) into the mix. Through SIEM, managers can obtain instantaneous log-based alerts regarding suspicious network activity, while SIEM tools provide automated responses that can mitigate potential threats. It’s a surefire line of defense that must not be overlooked.

Federal IT professionals may also want to consider implementing network configuration management software. These tools can help improve network security and compliance by automatically detecting and preventing out-of-process changes that can disrupt network operations. Users will be able to more easily monitor and audit the myriad devices hitting their networks. Configurations can be assessed for compliance, and known vulnerabilities can be easily addressed. It’s another layer of protection that goes beyond simple smart cards.

At the end of the day, no single tool or technology has the capability to provide the impenetrable defense that our IT networks need to prevent a breach or attack. And technology over time is continually changing. It is the duty of every federal IT professional to stay up on the latest tools and technologies out there that can make our networks safer.

Be sure to look at the entire puzzle when it comes to your network’s security. Know your options and employ multiple tools and technologies so that you have a well-fortified network that goes beyond identification tools that may soon be outdated anyway. That’s the really smart thing to do.

  Find the full article on GovLoop.

12 Comments
MVP

Pretty much mirrors the non Federal IT world.

Between Microsoft's MFA solution and others (e.g.: Duo), I smile and shake my head when folks (who used to get "easy" remote access through VPN via simple https and a clientless solution) object to being forced to install and use security-access-apps on their smart phones.  "I won't do it."  "It's too intrusive."  "I don't HAVE a smart phone!"  "You can't make me."

Those folks change their tunes when there's no choice presented (other than finding employment elsewhere, or driving back into work instead of remoting in from home).

Around my neck of the woods, organizations using Smart Cards seem to be moving away from them towards other smartphone-based MFA solutions.

I'm waiting for the logical other-shoe-to-drop:  a simple script-based GUI-oriented hack that will compromise MFA solutions on smartphones.  Is that already out there?  Is someone hijacking MFA sessions to phones by redirecting them to another number or text-destination, then taking the opportunity to attempt to get in?

Level 20

They have been telling us that our CaC and other network tokens will possibly be replaced by something else... not sure what it's going to be for sure yet though.  I'm not really sure what the CIO thinks the answer is??? CaC cards have been great for securing DoD networks.  We're still working on getting many new ACAS and HBSS systems configured to be CaC authenticated today.

I'm not sure we're going to be using our CaC and other tokens as bookmarks just yet...

https://federalnewsradio.com/tom-temin-commentary/2016/06/no-cio-scissors-access-cards/

I'll believe it when I see it!  https://federalnewsradio.com/defense/2016/04/cac-less-network-access-mobile-devices-summer/

The problem I've seen is that The Cloud isn't reliable.  NetPath proves it, and when you can't get your MFA notification on a smartphone, or your approval of the request on your smartphone isn't received in a timely manner through The Cloud, then there's no access happening for you.

It's still not ready for prime time, IMHO.  Not for mission-critical situations, not for security when you have to trust a Cloud provider to not allow physical or virtual or remote access into some part of their facility that could impact your business's data.

And certainly not when my organization hasn't budgeted for, and deployed, proper cloud management/monitoring tools like SW offers.

On Amazon Prime Day I saw a tweet that the Yubico Yubikeys were 50% off.  I bought a Yubikey 4 and a Yubikey Nano for $45 total.

I carry my two-factor hard token with me.

RT

Yes, the SMS text and for that matter cell phones have been hijacked to get the second factor to drain PayPal accounts. 

RT

MVP

Good article

I wish I'd seen that yubikey offer.

Level 20

CACCard.jpg

That's not me btw...

Level 20

The dumb thing about it is they say moving away from smart cards but they don't list any real alternatives... they just don't like having to use a cradle on their phone or their tablet for the CaC card... that's what it really is about.

MVP

On the phone you could have a QR code on a card the camera scans...

I saw the offer late on Prime Day and jumped on it.  I wish I would have bought a dozen more.

I could have sold them all to friends and family.

RT

About the Author
Joseph is a software executive with a track record of successfully running strategic and execution-focused organizations with multi-million dollar budgets and globally distributed teams. He has demonstrated the ability to bring together disparate organizations through his leadership, vision and technical expertise to deliver on common business objectives. As an expert in process and technology standards and various industry verticals, Joseph brings a unique 360-degree perspective to help the business create successful strategies and connect the “Big Picture” to execution. Currently, Joseph serves as the EVP, Engineering and Global CTO for SolarWinds and is responsible for the technology strategy, direction and execution for SolarWinds products and systems. Working directly for the CEO and partnering across the executive staff in product strategy, marketing and sales, he and his team are tasked with providing overall technology strategy, product architecture, platform advancement and engineering execution for Core IT, Cloud and MSP business units. Joseph is also responsible for leading the internal business application and information technology activities to ensure that all SolarWinds functions, such as HR, Marketing, Finance, Sales, Product, Support, Renewals, etc. are aligned from a systems perspective; and that we use the company's products to continuously improve their functionality and performance, which ensures success and expansion for both SolarWinds and customers.