The Profession of IT
An Interview with William Hugh Murray

A discussion of the rapidly evolving realm of practical cyber security.

DOI: 10.1145/3306614

WILLIAM HUGH (BILL) MURRAY is a management consultant and trainer in Information Assurance specializing in policy, governance, and applications. He has more than 60 years of experience in information technology and more than 50 years in security. During more than 25 years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures. He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. He has served as adjunct faculty at the Naval Postgraduate School and Idaho State University. In 1999, he was elected a Distinguished Fellow of the Information System Security Association. In 2007, he received the Harold F. Tipton Award in recognition of his lifetime achievement and contribution. In 2016, he was inducted into the National Cyber Security Hall of Fame. In 2018, he was elected a Fellow of (ISC)² (see https://www.isc2.org/).

Bill Murray has been responding for years to security threats with nonconventional thinking. When he sees a security breakdown, he asks what is the current practice that allows the breakdown to happen, and what new practice would stop it? Most of our security vulnerabilities arise from poor practice, not from inadequate technology. Many people today are concerned about cybersecurity and want to know how to protect themselves from malware, identity thieves, invading hackers, botnets, phishers, and more. I talked to Bill about what practices we have to deal with these issues, and where we need to look for new practices.

Q: Weak passwords have been the bane of security experts for years. Early studies of time-sharing systems showed that in a community of 100 users, two or three are likely to use their own names as passwords. A hacker can break in easily if passwords are so easy to guess. You declared that the root cause of this is the reusability of passwords. You proposed that we use technologies where a password can be used only once. How does this work and why is it now feasible?

A: This is not simply about “weak passwords” but all passwords. It is time to abandon passwords for all but trivial applications. Passwords are fundamentally vulnerable to fraudulent reuse. They put the user at risk of fraudulent use of identity, capabilities, and privileges and the system or application at risk of compromise and contamination by illicit users. Strong passwords protect against brute force attacks but these are not the attacks that we are seeing.

We need “strong authentication,” defined as at least two kinds of evidence of identity, one resistant to brute force attacks and the other resistant to replay, that is, includes a one-time value. All strong authentication is “multi-factor” but not all multi-factor is strong. Strong authentication protects us against both brute force attacks and the fraudulent reuse of compromised credentials, for example from so-called “phishing” attacks, the attacks that we are actually seeing.

Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.

Q: The Internet is seen as a flat network where any node can communicate with
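Murray's definition of strong authentication in the answer above has two parts: one factor resistant to brute force and one resistant to replay, the latter meaning it carries a one-time value. The following is an added example, written for this page and not code from the interview, the interviewer, or (ISC)², showing what a server-side verifier for that definition looks like. It assumes the brute-force-resistant factor is a password stored as a salted PBKDF2 hash and the replay-resistant factor is an RFC 6238 TOTP code, and it assumes one design choice that is the heart of replay resistance: the server records the last time-step counter it accepted for each user and refuses any code from that step or an earlier one, so a phished password-plus-code pair cannot be reused, even within the same 30-second window. The user name, password and secret are constructed demo values.

```python
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 parameters (assumed for this example).
TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # tolerate +/- one step of clock skew between client and server


def hash_password(password, salt=None):
    """Brute-force-resistant factor: salted, iterated PBKDF2-HMAC-SHA256 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class Authenticator:
    """Server side of strong authentication: password plus a one-time value."""

    def __init__(self):
        # username -> {"salt", "pw_hash", "totp_secret", "last_counter"}
        self.users = {}

    def enroll(self, username, password, totp_secret):
        salt, pw_hash = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "totp_secret": totp_secret, "last_counter": -1}

    def login(self, username, password, otp, now=None):
        """Accept only if the password matches AND the OTP is fresh (not yet consumed)."""
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        _, candidate = hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return False
        counter = now // TOTP_STEP
        for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1):
            if c <= user["last_counter"]:
                continue  # this step (or an earlier one) was already used: treat as replay
            if hmac.compare_digest(hotp(user["totp_secret"], c), otp):
                user["last_counter"] = c  # consume the one-time value
                return True
        return False


def demo():
    """Walk through the cases the interview describes; returns outcomes for inspection."""
    auth = Authenticator()
    secret = b"constructed-demo-secret-0123"   # constructed, not a real enrolment
    pw = "correct horse battery staple"        # constructed demo password
    auth.enroll("alice", pw, secret)
    t0 = 1_700_000_000                         # fixed clock so the run is reproducible

    otp = totp(secret, t0)
    return {
        "first_use": auth.login("alice", pw, otp, now=t0),                 # legitimate
        "replay_same_step": auth.login("alice", pw, otp, now=t0 + 5),      # phished pair reused at once
        "replay_later": auth.login("alice", pw, otp, now=t0 + 120),        # phished pair reused later
        "wrong_password": auth.login("alice", "wrong", totp(secret, t0 + 60), now=t0 + 60),
        "fresh_code": auth.login("alice", pw, totp(secret, t0 + 60), now=t0 + 60),
        "skewed_but_fresh": auth.login("alice", pw, totp(secret, t0 + 90), now=t0 + 120),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {'accepted' if outcome else 'rejected'}")
```

The password check alone would accept the replayed pair every time, which is the failure Murray is pointing at; the `last_counter` bookkeeping is what turns the second factor into a genuine one-time value rather than a 30-second-reusable one. A deployment would also store `last_counter` persistently and rate-limit failed attempts so that the six-digit code cannot itself be brute-forced within a step.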