Making security simple

Conventional wisdom says that simple security is an oxymoron. Good security is complex, while uncomplicated security is weak.

Whenever security is discussed, I think of Bruce Schneier. The US-based security guru describes crime and its prevention forcefully.

Much of our everyday security practices are unconscious, notes Schneier. We do them out of habit, and don't recognize them as strategic security decisions.

Authentication factors

When you leave your home, you lock the door, don't you? We all do. Reasons range from burglary to wandering pets, but it's a security precaution. We carry a hard token (a key) that lets us unlock the security mechanism (our door lock) when we want to enter.

This is single-factor authentication. Anyone can use a copy of the key to enter your flat--the door won't know the difference.

Two-factor authentication (2FA) is often described as "something you know, plus something you have." The best example is the online banking system mandated by the HKMA in 2005. The hard token, a small electronic device that generates a numerical code when you press a button, is the thing you have--your username/password combination is the thing you know.
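The banking setup described above, with a memorised password as "something you know" and a button-press hard token as "something you have", can be modelled in a few dozen lines. The following is an added example, not code from the column or from any bank's system: the server side stores a salted password hash and the token's shared secret, and the token code is an HOTP value (RFC 4226, the event-counter scheme that push-button tokens commonly use). The user record, salt and password are constructed for the demo; the token secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct

# Constructed demo credential store (username -> record). The salt is fixed
# here only for reproducibility; a real store draws a random salt per user.
SALT = b"constructed-demo-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "pw": _pw_hash("correct horse battery staple", SALT),
        "token_secret": b"12345678901234567890",  # RFC 4226 test-vector key
        "counter": 0,  # next counter value the server expects from the token
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(username: str, password: str, code: str, window: int = 3):
    """Check both factors. Returns (ok, reason).

    The token code is accepted only for the expected counter or a small
    look-ahead window (the user may have pressed the button without logging
    in), never for an earlier counter: a code replayed from a previous login
    must fail, which is what makes the hard token a genuine second factor.
    """
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"

    # Factor 1: something you know. Constant-time comparison of the hashes.
    if not hmac.compare_digest(_pw_hash(password, SALT), user["pw"]):
        return False, "bad password"

    # Factor 2: something you have.
    for c in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["token_secret"], c), code):
            user["counter"] = c + 1  # resync to the token and burn this code
            return True, "ok"
    return False, "bad or replayed token code"


if __name__ == "__main__":
    # Simulate the user pressing the token button once and logging in.
    first_code = hotp(USERS["alice"]["token_secret"], 0)
    print(verify_login("alice", "correct horse battery staple", first_code))
    # The same code presented again (a replay) is rejected.
    print(verify_login("alice", "correct horse battery staple", first_code))
```

Two design points worth noting. The counter only ever moves forward, so a stolen code is worthless once used, and the look-ahead window bounds how far a token can drift before the user needs a resync. The example returns distinct reasons for a password failure and a token failure to make the two factors visible; a production login would return one generic failure message so an attacker cannot learn which factor was wrong.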

The e-channel's 2FA setup

Another example: the world-class e-channel setup used by both Hong Kong and Macau Immigration departments. ID card holders possess a hard token which contains a biometric: the card-holder's thumbprint. Presenting the token (your ID card) for scanning is the first factor--the second factor is your thumb pressed against the scanner.

This isn't a case of "something you know, plus something you have"; it pairs something you have with something you are. The hard token is produced by the Hong Kong government--an ID card that contains your unique thumbprint as identity-authenticator. The card is produced at a dedicated facility where you present yourself for identity authentication, and it is a world-class identifying token, with a host of anti-counterfeiting measures.

Of course, the card could be lost or stolen. But it would take an uncommon criminal to fake your thumbprint on the scanner at an Immigration checkpoint.

The system is easy and convenient to use, yet it's highly secure. The e-channel at both Hong Kong and Macau Immigration checkpoints is an exemplar of tech security deployed on a large scale to benefit ordinary citizens.

It's also a prime example of a public-sector initiative that helps drive private-sector business. Secure and streamlined passport-free travel between Hong Kong and Macau smooths transit for frequent business travelers and improves business ties.

Security now for the future

The recent massive DDoS attack against South Korean banks illustrates, yet again, the depths of intrusion possible within the cyberdrome. Our digital interconnection, it seems, leads to trench warfare on the wires. Government spokespeople spin dire tales of "cyberwarfare" and accuse nation-states of hacking, spying, DDoSing or otherwise committing digital mayhem in search of intelligence...or simply to commit evil deeds.

Is there a limit to the scale of cyberintrusion? I can't see it. But 2FA is an important component of any security strategy. Consumer services like Gmail and Apple's iCloud now offer 2FA: the second factor being an SMS message to a previously secured mobile phone number (not necessarily available in Asia, yet).

The evolution of 2FA as a simple yet effective security measure is heartening. Nothing invented by humans cannot be broken by humans, but as ever in the security world, we take our small victories and build on them.

Stories by Stefan Hammond