Communications of the ACM

Vviewpoints

I M A G E C O U R T E S Y O F ( I S C )

2

B L O G

to guess. You declared that the root cause of this is the reusability of passwords. You proposed that we use technologies where a password can be used only once. How does this work and why is it now feasible?

A: This is not simply about “weak passwords” but all passwords. It is time to abandon passwords for all but trivial applications. Passwords are fundamentally vulnerable to fraudulent reuse. They put the user at risk of fraudulent use of identity, capabilities, and privileges and the system or application at risk of compromise and contamination by illicit users. Strong passwords protect against brute force attacks but these are not the attacks that we are seeing.

We need “strong authentication,” defined as at least two kinds of evidence of identity, one resistant to brute force attacks and the other resistant to replay, that is, includes a one-time value. All strong authentication is “ multi-factor” but not all multi-factor is strong. Strong authentication protects us against both brute force attacks and the fraudulent reuse of compromised credentials, for example from so called “phishing” attacks, the attacks that we are actually seeing.

Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.

Q: The Internet is seen as a flat network
where any node can communicate with

WILLIAM HUGH (BILL) MURRAY is a manage- ment consultant and trainer in Information Assurance specializing in policy, governance, and applications. He has more than 60 years experience in information technology and more than 50 years in security. During more than 25 years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures. He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. He has served as adjunct faculty at the Naval Post-graduate School and Idaho State University. In 1999, he was elected a Distinguished Fellow of the Information System Security Association. In 2007, he received the Harold F. Tipton Award in recognition of his lifetime achievement and contribution. In 2016, he was inducted into the National Cyber Security Hall of Fame. In 2018, he was elected a Fellow of (ISC) 2—see https:// www.isc2.org/).

Bill Murray has been responding for
years to security threats with noncon-
ventional thinking. When he sees a se-
curity breakdown, he asks what is the
current practice that allows the break-
down to happen, and what new prac-
tice would stop it? Most of our security
vulnerabilities arise from poor prac-
tice, not from inadequate technology.

Many people today are concerned about cybersecurity and want to know how to protect themselves from malware, identity thieves, invading hackers, botnets, phishers, and more. I talked to Bill about what practices we have to deal with these issues, and where we need to look for new practices.

Q: Weak passwords have been the bane of security experts for years. Early studies of time-sharing systems showed that in a community of 100 users, two or three are likely to use their own names as passwords. A hacker can break in easily if passwords are so easy

The Profession of IT
An Interview with
William Hugh Murray
A discussion of the rapidly evolving realm of practical cyber security.
DOI: 10.1145/3306614