Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/22/2008
08:32 AM
50%
50%

Life Insurer Takes New Approach to Two-Factor Authentication

Cryptocard technology helps Kansas City Life get the handle on a thorny access problem

Kansas City Life Insurance Co. needed a two-factor authentication solution for its employees, and it found one. Unfortunately, though, it wasn't the last time the company found itself looking for authentication technology.

Founded in 1895, Kansas City Life Insurance sells individual life, annuity, and group insurance policies. The bulk of the company’s 500-person staff works at the company's Kansas City headquarters, while a smattering of employees are stationed in various regional offices servicing more than 1,400 agents which serve its 500,000 customers.

As the Internet boom hit its peak at the turn of the millennium, the life insurance provider decided to move away from its old proprietary environment to an open, enterprise-class IP network. For security purposes, the firm needed to limit access to its network, restricting the bulk of its employees to local email and company intranet connections.

The tricky part was how to provide secure remote connections. “We knew that by going to IP we were opening up our network to the whole world, so there was a lot of risk involved in the change,” said Keith Beatty, systems engineer at Kansas City Life Insurance.

To ensure remote access security, the company deployed a virtual private network from F5. And to make doubly sure of the remote connections, the insurance firm also purchased a second factor of authentication: smart cards from RSA, now a division of EMC. The cards were bought in the summer of 2003 and easily integrated with the VPN, adding an extra level of protection for the enterprise network.

But the happy tale slowly turned sour. Gradually, the cards began to expire and needed to be replaced. “We could not simply replace the batteries, because the cards were sealed,” Beatty explained. “It seemed silly to buy a new one when the ones we had were still functional.”

Another problem was pricing granularity in the RSA product line. Kansas City Life Insurance found that each time it deployed a new technology that touched the smart cards -- such as Microsoft’s Active Directory -- it was forced to pay RSA another licensing fee. “We felt the company was nickel and diming us,” stated Beatty.

Then there was the problem of the Apple Macintoshes, which were becoming increasingly popular with some individuals in the insurance company's marketing department. The RSA SecurID system did not mesh well with the Macs.

With many of the cards set to expire, Kansas City Life decided to examine its options in the spring of 2007. The evaluation quickly evolved into a battle between RSA and Cryptocard. The latter’s purchase price of $3,300 was slightly higher than RSA’s alternative. But Cryptocard’s products were Apple friendly, the cards never have to be replaced, and its licensing policy is all-inclusive.

The insurance firm weighed a number of factors in its decision. For one thing, Cryptocard’s CryptoShield lets IT departments customize each card security setting, such as password characteristics. One of the company's employees had used the CryptosShield products in a previous job without any problems.

RSA, on the other hand, had the better management system. Its management tools are richer, offer more reporting features, and run more efficiently than those from Cryptocard. In the end, however, Cryptocard won the evaluation and RSA lost its Kansas City Life Insurance’s business.

After tinkering with Cryptocard evaluation unit for a few weeks, the insurance company swapped out its smart card authentication system in the summer of 2007. Minimal user training was required, because the RSA system continually generates a password, while Cryptocard only does so on demand. The deployment took a few weeks.

Having now gone through two deployments, Kansas City Life Insurance's IT staff now feels that it now has a system that will last, and that will meet its long-term security needs as well as its near-term requirements.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • CryptoCard Inc.
  • F5 Networks Inc. (Nasdaq: FFIV)
  • RSA Security Inc. (Nasdaq: EMC)

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    10 Ways to Keep a Rogue RasPi From Wrecking Your Network
    Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
    The Security of Cloud Applications
    Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
    Where Businesses Waste Endpoint Security Budgets
    Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-13611
    PUBLISHED: 2019-07-16
    An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
    CVE-2019-0234
    PUBLISHED: 2019-07-15
    A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
    CVE-2018-7838
    PUBLISHED: 2019-07-15
    A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
    CVE-2019-6822
    PUBLISHED: 2019-07-15
    A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
    CVE-2019-6823
    PUBLISHED: 2019-07-15
    A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.