
Quick Guide to Software Security

Security has been a priority for companies for many years now and, with so many high-profile companies being hacked, it’s no wonder. With brute force, dictionary and rainbow table attacks, the time it takes to crack a password is frighteningly short. This guide discusses some of the methods used to crack passwords and what can be done to protect your systems against security threats.

How is the hacking done?

With massively parallel general-purpose GPU password cracking and rainbow tables, it’s possible for hackers to produce more than 500,00,000 passwords per second, even with low-end hardware. Depending on the software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds. That is faster than my daughter takes to unlock my iPhone passcode!

Rainbow tables achieve this by comparing a password database against a precomputed table of all possible encryption keys. This requires a large amount of memory, and memory is cheap. With hardware improving all the time, a password doesn’t stand a chance. Over and above these techniques, social engineering remains a big threat: all the encryption and strong passwords in the world don’t mean a thing when the user gives out their password. Phishing tactics are getting better and are very effective; with false emails and forged websites they trick an alarming number of people into giving up their passwords.

What are the options?

Basically it boils down to single factor or multi-factor/two-factor authentication (2FA). Single factor authentication secures a system through only one category of credentials, for example a login and a password. 2FA is where a user’s credentials are made up of two independent factors.

Single Factor

There are challenges with attempting to secure your system with a password alone. The most common one is that users either don’t understand how to make a strong and memorable password or underestimate the need for security.

The extra rules that are necessary to make passwords strong often result in users forgetting them or running into problems, which leads to password resets, and those often rely on help desks (see costs). Single factor does have its advantages though: it’s cost-effective, easier to manage and fewer things can go wrong.

There are some things that can be done to make it more effective, namely:

  • Passwords need to be long enough (a minimum of 8 characters), include a mixture of letters and numbers, and be case-sensitive. A password meter is recommended and has been proven to help.
  • Passwords could be partially inputted, for example characters 3, 5 and 7 of the password.
  • Passwords should be stored in the database in an encrypted format, and the software can then verify them via a decryption key.
  • Where possible, the login and password can be locked down to one or more IP addresses (although that effectively becomes 2FA).
  • Users need to be educated on how to protect themselves and their passwords.
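The list above recommends storing passwords so that the software can verify them; as an added example that is not from the article, here is how that verification is normally done with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) rather than reversible encryption, so that a leaked table cannot be decrypted and two users with the same password get different stored values, which is exactly what defeats a precomputed rainbow table. The iteration count and the record format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: 600,000 iterations is the OWASP
# recommendation for PBKDF2-HMAC-SHA256; tune it to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means identical passwords produce different
    records, so one precomputed (rainbow) table cannot cover the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so the comparison itself leaks nothing about the match."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: wrong field count, bad hex or int
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_differ_for_same_password(password: str) -> bool:
    """True when two enrolments of the same password store different values,
    i.e. the salt is doing its job against precomputed tables."""
    return hash_password(password) != hash_password(password)
```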

2FA

As mentioned before, 2FA is where a user’s credentials are made up of two independent factors, such as:

  • Something that the user knows (PIN, password, questions, etc…)
  • Something that the user possesses (key fob token, mobile phone, smartcard, etc…)
  • Biometric data (fingerprint, iris, voiceprint, etc…)

Obviously some of the above options are going to be more suitable than others, and there is a cost implication with each of them. I would like to briefly discuss the more popular options in order to give a better understanding, and also because it is unlikely that a company will protect their CRM system with an iris scan. Horses for courses.

Hardware tokens are the most prevalent, most commonly implemented by giving the user a key fob that is combined with a password. The key fob displays a pseudo-random number that changes periodically, and the user inputs this number to prove that they have the token. The server that is authenticating the user must also have a copy of each key fob’s ‘seed record’, the algorithm used and the correct time, and can then in turn authenticate the user. The key fob itself contains the same algorithm and ‘seed record’ and generates the number that is verified by the server. There are alternatives to the key fob, such as USB stick based solutions, for example YubiKey, which is used by Google, Facebook and the US Department of Defense. With such high-profile customers and a cost starting from $18 per user, it is understandable why it is so popular.
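The seed-and-time scheme described above is the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226); the following added example, which is not from the article or from any token vendor, shows both sides: the token computing the displayed number from its seed record and clock, and the server recomputing it with a small window for clock drift while refusing any counter it has already accepted, so a captured code cannot be replayed. The 30-second step, 6 digits and SHA-1 are the RFC defaults, and the seed used in the checks is the RFCs’ published test key, not a real secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # the displayed number changes every 30 seconds (RFC 6238 default)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated
    to a 31-bit integer and reduced to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, now: float) -> str:
    """Token side: the fob or app derives the counter from its clock and shows the HOTP value."""
    return hotp(seed, int(now // STEP_SECONDS))


def server_verify(seed: bytes, submitted: str, now: float,
                  last_accepted_counter: int, window: int = 1) -> Optional[int]:
    """Server side: recompute the code for the current time step and `window` steps either
    side (to absorb clock drift), but never for a counter at or below the last one accepted
    for this token, so a code that was captured cannot be replayed. Returns the accepted
    counter, which the caller must persist for this user, or None on failure."""
    current = int(now // STEP_SECONDS)
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(seed, candidate), submitted):
            return candidate
    return None
```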

Software tokens are on the rise: the key fob functionality has been replicated for the smartphone and has been in use since the year 2000. The technology is exactly the same as that used in the hardware version, but instead of needing an additional fob, an app on the smartphone is used. Other software apps are available for smartphones as well; products like Toopher can verify where the user (or their smartphone) is physically located, and the first time a user tries to log in from a new location they must be given permission to do so via the app. The pricing starts at $1 per month per user.

Another effective way to authenticate a user with the aid of their mobile phone is by sending them a code via text message; this code changes with every request and expires. This is a relatively simple and cost-effective solution, with companies providing text message capabilities from a couple of pence per message.
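For the text-message variant, here is an added example (not from the article) of the server-side bookkeeping that makes the code change with every request, expire, and work only once, with an attempt limit so that a six-digit code cannot simply be guessed; the five-minute lifetime and three-attempt cap are assumptions, and the store is in-memory for illustration.

```python
import hmac
import secrets
from typing import Dict

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses void the code


class OneTimeCodeStore:
    """Pending codes keyed by user id; a real deployment persists this server-side."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}

    def issue(self, user: str, now: float) -> str:
        """Generate a fresh random six-digit code for this request (replacing any earlier
        one) and return it; this string is what the SMS gateway would send to the phone."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, user: str, submitted: str, now: float) -> bool:
        """Accept the code once, only before expiry and within the attempt limit."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[user]      # single use: the same code never works twice
            return True
        return False
```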

Parting Thoughts

There are many solutions to an ever-increasing challenge that we all have to address in one manner or another. You don’t need a machine gun to kill a mosquito though (I don’t know if that is a saying, but it should be); taking into account the various factors that influence your security requirements is key, so to speak.

Those factors are how sensitive the information is, what the repercussions would be if the system were hacked (customer confidence, regulations, etc…), the user particulars (number of users, location, etc…) and costs.

George Toursoulopoulos is a technology specialist and CEO of Synetec, one of the UK’s leading providers of bespoke software solutions.

3 Reasons to NOT move away from Excel Development

Following the feedback I received on the earlier article titled 3 Reasons to move away from Excel, it seemed necessary to talk about why it would make sense not to move away from an Excel-based solution. There are obvious reasons why you would create a solution within Excel, but this article discusses why you would stick with it in the medium to long term and, furthermore, what you need to plan for initially in order for it to be robust enough to deliver value in the long term.

Dynamic Environments

When requirements are ever-changing, when inputs can vary regularly and outputs need to be highly configurable, then Excel is still an excellent choice. Its weakness is, in this scenario, its strength. While using an application built in compiled code that sits on a relational database for the same scenario can add robustness and scalability, it is also slower than Excel in terms of change. There is a trade-off, and if the environment is very dynamic, Excel might be the most sensible choice.

Everybody is a coder

In certain environments, where requirements demand a very specific skill set and where the ability to learn basic programming skills is a complementary mindset, it can make sense to have the users develop their own applications. A few of our clients are actuaries, who are ideal candidates for that scenario. They can pick up VBA coding quickly, they obviously understand the requirements, and in that scenario Excel can be the perfect platform. When a more permanent data store is not required and solutions are used for repeatable calculations, a non-trained programmer with all the business knowledge can be very beneficial.

Cheap today, could also be cheap tomorrow

Software licenses, database licenses, support contracts, servers, cloud platforms and development tools are all a necessity in a more structured development environment. There are costs on both sides of the fence; it’s simply a case of weighing up the costs on both sides along with the requirements as a whole. In the above scenarios actuaries are most definitely well equipped to build their own Excel-based solutions, but the cost of that salary needs to be taken into account.

Excel and Longevity

So, you have decided it makes sense to build or keep an existing solution in Excel; how do you ensure a return on your investment? We get called in fairly regularly to perform Excel System Audits, and the primary reason for that is that the solution is not performing as it once was (deteriorating performance or causing errors). Often that is combined with a team member having moved on and the solution being extremely difficult for other team members to take on. Managing code of any kind, even within an Excel application, is made infinitely easier if certain basic programming principles are adhered to, and those principles can be learnt relatively easily with some initial training. An initial audit can reveal instances of non-optimal coding practices and potential problem areas, along with how to correct them. Documentation is another big area that we find can make a difference. As tedious as it might be to create, it makes a significant difference and should be absolutely essential. The true rewards of documentation are reaped when that team member moves on.

George Toursoulopoulos is a technology specialist and CEO at Synetec, one of the UK’s leading providers of bespoke software solutions.

Quick Technology Guide to Starting a Hedge Fund

While the initial TODO list might be staggering, this article attempts to address the technology components that need to be in place to ensure as smooth a launch as possible. Technological requirements will differ based on numerous factors, but what will not differ is that it is an essential element of achieving success.

Consultancy, Vendor Selection & Project Management

This may sound like a message from the Ministry of the Bleeding Obvious, but there is a fair amount to do in terms of vendor selection, product selection and managing the implementation of all these various elements. This translates to a large amount of time which will be significantly longer if the individual managing the process is not familiar with the current technological landscape. It pays to engage with an independent consultant that can assist in identifying the various requirements and then apply them to the current marketplace in terms of suitability of vendors and systems. There are of course the alternatives of either having a tech-savvy team member take responsibility for managing the process or engaging with a technology partner that is going to feature prominently in your overall technology environment and have them manage all elements of the process. Regardless of which option is selected the individual managing the process should have awareness of: different vendors and their offerings, different systems and possible suitability, nuances of integration with prime brokers and market data feeds and finally experience in co-ordinating everything to work in harmony.

Network Requirements and Infrastructure

The first port of call is to assess the infrastructure requirements; once they have been agreed, key decisions such as cloud computing vs. on-premise solutions can easily be made. Certain elements such as data circuits and telephony need to be prioritised due to the length of time these usually take. Following on from these, the relatively simple matter of workstations and other peripherals can be decided on. All of the above elements need to be brought together with delivery, installation and testing. Other items that should be addressed at this point are identifying who will host your email (ideally they can also host your website), choosing and registering your domain name, agreeing the website requirements, and identifying and engaging the website design company.

Software

The systems referred to here include portfolio management, order management and accounting software. Due diligence of vendors is essential, particularly regarding the support capabilities of the vendor: not only that service desk hours match your operational requirements, but also that the appropriate level of service is available at an acceptable cost. Will the vendor be able to service you as a customer both today and in the future? How complex are the systems to integrate? What are their maintenance agreements like and what do they cover? How easy is it to use your preferred market data vendor with these systems? All of these questions need to be considered.

Data & Research

This is impacted primarily by the nature of the required data and the requirements of the above mentioned software. This includes both market data and market research. Installation times can also vary greatly, so they need to be confirmed.

Integration

Possibly the trickiest part, where all the software, data and processes need to come together and be tested. Integration refers not only to the integration between the systems, but to all data flow, which encompasses the market data, prime broker data, etc…

Business Continuity and Disaster Recovery

These overlap a great deal, but are subtly different. While business continuity deals with the continuation of the mission-critical processes and how the business and its employees continue to operate, disaster recovery focuses on the infrastructure, both hardware and software, necessary to run the business, e.g. phones, email and systems. Additionally, the value of having comprehensive procedures cannot be overstated when it comes to attracting investment.

Avoiding Common Pitfalls

Rank requirements in terms of priority and identify your nice-to-haves early; they will make a large difference in terms of choice. Costs, timings and, effectively, risk can quickly escalate when looking for the perfect solution.

Do not underestimate the impact of your systems and technology as a whole on attracting investment; this refers as much to infrastructure and software as it does to processes and procedures.

Managing IT effectively requires a specific skill set and an up-to-date understanding of the latest technologies; whilst many people within the finance sector will have the ability to perform this role to some level, their time is often better spent on the business as a whole. It’s time-consuming, and there are service providers, consultants and contractors that can be leveraged, each suited to different requirements. Do you really want to spend days writing VBA code and nights rebooting servers?

George Toursoulopoulos is a technology specialist and Director at Synetec, one of the UK’s leading providers of bespoke software solutions.
