The ability to remotely access the judiciary’s private network (the DCN) is a fundamental part of how we do our work―especially after hours, while on travel, or during an adverse weather event. Whether you are connecting to the DCN using a hotel kiosk or from your judiciary laptop at a coffee shop, untrusted computers or wireless networks pose risks to your user IDs and passwords (collectively referred to as “credentials”).
For example, malicious software installed on a computer in a conference’s business center could collect your keystrokes, which a hacker could use to reconstruct and reuse your credentials. In 2014, a significant compromise of healthcare information was attributed to this precise kind of harmful software. [1] If the only thing between you and access to the DCN is your user ID and password, taking full advantage of compromised credentials to access judiciary information is a simple process―just click on a link to JPORT, enter the user’s credentials, and go! But what if logging in required more than a password―something that couldn’t be readily used over the Internet? [2]
More than something you know
The key to protecting remote access is to use something in addition to a password to log in―to require a “second factor.” The “first factor” is something you know, such as a PIN code or a password. The second factor can be something you have (such as a single-use code sent to your mobile phone) or something you are (that is, biometric data, such as a fingerprint). [3]
You’ve already been using two-factor authentication
While two-factor authentication is new for remote access to judiciary accounts, you’ve probably been using this concept for banking for years. When you use a debit card at an ATM, for example, you need both your card (something you have) and your PIN (something you know) to complete the transaction. More recently, several Internet email providers (and even commercial banks [4]) have begun offering two-factor authentication for improved security when accessing your account. [5] If you haven’t adopted this model, consider doing so―with hacker activity ever increasing in volume and sophistication, everyone should take advantage of the available options for protecting sensitive accounts.
The value of two-factor authentication
The strength of two-factor authentication is that if one factor is compromised, an attacker still has a significant obstacle to overcome before breaking into the account. Furthermore, the "something you have" factor must be physically stolen to be compromised: a keylogger on a business-center computer can capture what you type, but it cannot reach the token or phone in your pocket. Lastly, the second factor can be temporal, that is, the code changes with each use or on a short timer. A captured code is therefore worthless once its validity window has passed and, in a well-built system, is rejected even within that window if it has already been used, so a login cannot simply be replayed. Typically this is achieved with authenticator apps, key fobs, and similar devices that generate one-time codes. One caveat: a one-time code typed into a fraudulent web page can still be forwarded to the real site within its validity window, so the second factor complements, rather than replaces, care about where you enter your credentials. Implemented in this manner, two-factor authentication provides substantive gains in security.
In the spring of 2016, judiciary users will begin using two-factor authentication for remote access in order to reap the benefits of this authentication model. Look to the JNET for more information on this initiative. [6] For additional information about your options for two-factor remote access, contact your local IT staff.
[1] Keylogger hack at root of HIPAA breach
[2] Changes to Remote Access Coming Soon
[3] The judiciary’s options for two-factor authentication are limited to “something you have” and do not include biometrics. See Remote Access with Two-Factor Authentication: Methods and Use Cases.
[4] SANS Technology Institute: Two factor authentication for online banking
[5] Google 2-Step Verification and Hotmail Single-Use Code
[6] Remote Access Authentication Upgrade (RAAU)