Two-factor auth? (SecurID?)

Discussion in 'Networking and Security' started by heech, Mar 23, 2009.

  1. heech



    I'm getting really paranoid about some of my (remotely hosted) trading systems. I'm taking normal precautions (anti-virus, Windows firewall, IDS)... but considering the amount of money involved here, I don't think I can be too careful.

    Does anyone have any experience with enabling two-factor authentication? Something like RSA's SecurID tokens...? Something physical that will keep anyone from logging in into my Windows machine, even if they know my password?

  2. Learn how to manage security (and I don't mean technical stuff), monitor your good and bad habits on a computer and learn to improve your habits.

    Neither a smart card nor an RSA key is going to provide you with any greater security unless YOU improve your own practices. There is nothing inherently secure about them; security is still foiled by the user (that being you in this example).

    For workstation security just use a good passphrase (one that is easy for you to remember, and hard for someone else to figure out) on your computer that you change regularly, and remember to lock your screen when you get up. That will pretty much provide exactly the kind of security you are looking for, and neither a smart card nor an RSA key is going to provide any additional security until you learn how to manage your own security habits.

    If you are concerned your computer is going to be stolen, then physically secure your computer and encrypt your hard drives.

    If you are worried about viruses and worms getting into your finance computer, then keep your protection software up to date. Maybe get a cheap netbook for your internet browsing and e-mail so you aren't concerned.

    There are lots of other things you can do to spruce up your security. Security all weighs on what YOU do, not the tools you use.

    If you have poor security practices an RSA key will ONLY help mitigate brute force password attacks on your account, and a smart card will ONLY allow you to authenticate your own identity to someone else. Without proper practices, these expensive tools are otherwise useless and won't do what you intend.

    I hope this helps.

    Scot, CISSP, MCSA
  3. heech



    I'm already trying to implement good security practice, but believe RSA two-factor authentication will still be hugely beneficial.

    For example, while I do maintain current anti-virus definitions on my primary server + laptop... I cannot guarantee security on every client machine I will be using to log in. It's just not efficient, not the way I operate. So I'm terrified a keytracker will steal my remote login password.

    With an RSA SecurID token, that would no longer be an issue. I could publish my password right here on Elitetrader, and no one would be able to log into my primary trading servers. Right?
  4. Yes, an RSA key in that case would be very useful.

    Please remember to practice good habits, even on your own computers.
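The property the two posts above rely on, shown as an added example that is not part of this thread: a one-time code recorded by a keylogger is rejected once its time window passes, and cannot be replayed even inside that window. RSA SecurID uses its own proprietary token algorithm; this example substitutes RFC 6238 TOTP (HMAC-SHA1 over a 30-second counter), and the seed value is constructed for the demo.

```python
import hmac
import hashlib
import struct

SEED = b"constructed-demo-seed-0123"  # constructed demo seed, not a real token seed
STEP = 30                             # seconds per code (RFC 6238 default)
DIGITS = 6


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side check: current window only, and a window is consumed on first use.

    Production verifiers usually tolerate +/-1 step of clock skew; that is omitted
    here so the replay and expiry behaviour stays easy to follow.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        if counter <= self.last_counter:
            return False  # replay: this window already produced a successful login
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # wrong code, or a code from an expired window
        self.last_counter = counter
        return True


def demo() -> dict:
    """Keylogger scenario: the captured code is useful only once, only briefly."""
    v = TokenVerifier(SEED)
    t0 = 1_600_000_000
    captured = totp(SEED, t0)               # what a keylogger would record at t0
    first = v.verify(captured, t0 + 5)      # the legitimate login, same window
    replay = v.verify(captured, t0 + 10)    # attacker replays inside the window
    later = v.verify(captured, t0 + 90)     # attacker tries after the window passed
    return {"first": first, "replay": replay, "later": later}
```

The user's static password is not involved at all, which is why the thread's claim holds for the one-time code but says nothing about protecting the session once it is established.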
    I'm not sure how it would apply to your situation, but a whitelisting firewall keeps intruders out. I have my trading machine behind one; once I got over the learning curve and could set up a whitelist I was a lot better off. Basically my computer can only contact the broker. If I want to update software I can add the URL into the whitelist for that... even if somebody got a key logger on my machine somehow it can't phone home with any info...

    If I have to transfer files to the trading machine I use a thumb drive. I format it, copy the file to it, check the filesize, plug it into the trading machine, copy the file and then format it again...

    Security is my big chance to be paranoiac and I just embrace the paranoia...
    An RSA key would allow you to log onto your broker site from anywhere, even a public KIOSK, with assurance that your passphrase can't be hijacked.

    That's its purpose.

    A firewall can have many different complicated rules to get a desired result, but to keep it simple, each rule says "yes, this may pass" or "no, this may not pass".

    You can configure a firewall to be totally restrictive, and then configure one or a few single rules to let a single service through. This is called "Most Restrictive". It does lend the greatest protection, but can sometimes be a chore to figure out what you need to do to get a service working properly.