Recently, I visited a new Network Operations Centre that was promoted as "world class". It is currently undergoing evaluation for BS7799 certification, so, naturally, I looked carefully at their security arrangements. One impressive feature was the physical access control to the control room. To enter, staff use a smart card, type a PIN, and place their finger on a fingerprint reader. This gets them through the first door and into an anteroom. To open the second door and enter the NOC itself, they present their eye at an iris scanner. As I said, impressive.
Back to some authentication basics. There are three, possibly four, ways of authenticating someone: something you know (in this case, the PIN), something you have (the smart card), something you are (biometrics: the fingerprint and iris) and something you do (such as the way you sign your signature; I think this could be classified as a sub-category of biometrics). Using just one of these methods (single-factor authentication) provides some assurance that the right person is given access, but it may still fail: a PIN can be guessed, a smart card can be stolen, and a biometric has a false acceptance rate. Using two factors provides a higher degree of assurance, because two methods must be broken, in quite different ways. Three-factor authentication provides still higher assurance. Using the same factor twice does not increase the security: if we give the staff two different tokens, they will probably keep them in the same pocket and the tokens will be stolen together; if they choose two different passwords, they will probably find them difficult to remember and write both on the same piece of paper.
So, what does using both fingerprint and iris scanners gain the NOC? We can re-phrase the question: under what circumstances would one of the methods fail but the other work? Only when control of the fingerprint is separate from control of the iris. Perhaps the attacker cuts off the finger of an authorised member of staff, but an attacker determined enough to do that is certainly determined enough to threaten to cut off body parts unless the staff member lets them in. Actually, a properly designed fingerprint scanner includes a liveness check (for example, detecting a pulse), so a severed finger would not work, but that only makes it more likely that the fingerprint and iris stay together: whoever controls one controls the other.
The NOC could use just one biometric method and still get the same level of authentication; by using two, it is just wasting its money. I expect they will pass the BS7799 certification, because that evaluates whether they have effective security; it does not say whether the security is cost-effective. Security will always be an added expense, but there is no reason to make it more expensive than necessary.
Denial of Internet
In October there was a serious Distributed Denial of Service attack against all 13 of the root nameservers. Fortunately, four of the servers continued working normally through the strongest attack, which lasted an hour on Monday 21st, so most users were unaware of the problem. Since then, the FBI has been tracing the sources of the attack to large numbers of compromised computers in many locations, including South Korea and the United States. Verisign, which operates two of the servers, has since moved one of them to a different location so that the pair will be less vulnerable to a future attack. Analysis of performance data for October has shown unusual behaviour on earlier days, probably indicating smaller DoS attacks; these might have been tests of the attack method.
This can be compared to an incident on 16th July 1997 when a mistake in generating the top-level domain zone files resulted in the entire .COM and .NET domains becoming inaccessible. So, a highly organised attack had no visible effect, but an honest mistake by a trusted employee caused a significant outage - a very clear example of the importance of internal vulnerabilities.
What else can we learn? DDoS attacks are very common on the Internet, and are likely to remain so because they are easy to initiate but difficult to defend against. Earlier this year there were somewhat successful attacks on Microsoft and eBay, and lower-profile attacks are almost continuous. It seems unlikely that the FBI will be able to trace the attackers: the source computers are simply remotely controlled zombies. In fact, we seem to know nothing about who the attackers were or what their objectives were. Some analysts repeat the tales of teenage hackers and others talk of cyber-terrorists, but there is precious little evidence either way. Close monitoring of your network (using an IDS) might reveal the early tests and probes before a full attack is launched, but you must be prepared to investigate the anomalies if you want to benefit from the warning.
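The monitoring point above, as an added example that is not part of the original column: a small Python checker that turns query-log lines into per-minute request and distinct-source counts, builds a baseline from quiet minutes, and flags any minute on which either count jumps. The log-line format, the addresses (RFC 5737 documentation ranges), the sample lines and the thresholds are all constructed here for the illustration and are not taken from any real monitor.

```python
"""Per-minute rate and source-diversity anomaly check over query-log lines.

Added example for this column, not code from the original page. The log
format, the addresses (RFC 5737 documentation ranges) and the thresholds are
all assumptions made for the illustration.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed (constructed) line format: "HH:MM:SS client <ip> query <name>"
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):\d{2} client (\S+) query (\S+)$")


def parse(lines):
    """Yield (minute, client_ip) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # a malformed line must not stop the monitor
        hh, mm, ip, _name = m.groups()
        yield f"{hh}:{mm}", ip


def per_minute_stats(lines):
    """Return (requests per minute, distinct client addresses per minute)."""
    requests = Counter()
    sources = defaultdict(set)
    for minute, ip in parse(lines):
        requests[minute] += 1
        sources[minute].add(ip)
    return requests, {m: len(s) for m, s in sources.items()}


def _threshold(values, k):
    # mean + k standard deviations, but never below twice the mean, so a
    # perfectly flat baseline (stddev 0) does not flag a single extra query
    return max(mean(values) + k * pstdev(values), 2 * mean(values))


def find_anomalies(lines, baseline_minutes, k=3.0):
    """Flag minutes whose request count or distinct-source count exceeds the
    baseline by more than k standard deviations. A distributed probe shows up
    on both signals at once; a single noisy client only on the first."""
    requests, sources = per_minute_stats(lines)
    base = [m for m in baseline_minutes if m in requests]
    if not base:
        raise ValueError("no baseline minutes present in the log")
    req_limit = _threshold([requests[m] for m in base], k)
    src_limit = _threshold([sources[m] for m in base], k)
    anomalies = []
    for minute in sorted(requests):
        reasons = []
        if requests[minute] > req_limit:
            reasons.append("request rate")
        if sources[minute] > src_limit:
            reasons.append("source diversity")
        if reasons:
            anomalies.append({
                "minute": minute,
                "requests": requests[minute],
                "sources": sources[minute],
                "reasons": reasons,
            })
    return anomalies


def make_sample_log():
    """Constructed sample: nine quiet minutes, then one minute in which
    twenty addresses each send two queries (a probe, not yet a flood)."""
    lines = []
    regular = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for minute in range(9):                       # 17:00 .. 17:08
        for i in range(6):                        # six queries a minute
            lines.append(f"17:{minute:02d}:{i * 9:02d} client "
                         f"{regular[i % 3]} query www.example.com")
    for i in range(40):                           # 17:09: the probe
        lines.append(f"17:09:{i:02d} client 203.0.113.{i % 20 + 1} "
                     f"query example.com")
    lines.append("monitor restarted")             # malformed, must be skipped
    return lines


if __name__ == "__main__":
    baseline = [f"17:{m:02d}" for m in range(9)]
    for a in find_anomalies(make_sample_log(), baseline):
        print(a)
```

The distinct-source count is the useful second signal: a single misbehaving client raises the request rate alone, while a rehearsal of a distributed attack raises both, and it is the latter that deserves the investigation the column asks for. In practice the baseline should be taken from the same hour on several normal days, since traffic varies with the time of day.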
What if your company is the target of a DDoS attack? To keep your communications running, you want to be somewhere else; that is, you need the capability of switching your critical functions to another network on the Internet that is not being attacked. To recover from the attack you will need the help of your CERT to trace and shut down the zombies.