More cybersecurity through the password

Today is “Change Your Password Day” again, a well-intentioned initiative for more IT security. Originating in the military context of the 1960s, the recommendation to change your password regularly can still be found in many corporate policies today. Modern guidelines such as the current BSI IT-Grundschutz Compendium and the NIST Digital Identity Guidelines have dropped this requirement, because there are more effective strategies for increasing password security:

Password length over complexity

First of all, a strong password only needs to be changed if there is a suspicion that it has been compromised.

Today, attackers can try out billions of passwords within a very short time using automated systems, especially when the target systems are reachable over the network, or when the attacker has obtained the password hashes and can therefore try candidates offline. The complexity of a password is irrelevant if it is too short. Recommendations for length vary from 8 to at least 14 characters. Advances in attack tools such as Hashcat, and faster, specialized password-guessing hardware, are driving these requirements ever higher.

Compliance policies today require individual login credentials. This eliminates the risk that a password is known to many people, and with it the need to change it regularly. One long password for exactly one person for exactly one service. Pretty secure.

Passwords are not reusable parts

To be honest, haven’t you ever used the same or a very similar password for multiple services? You should get rid of this habit quickly, because a successful attack on one service automatically leads to a successful attack on the others. Using passwords that are already in private use in a corporate environment is particularly critical.

Modern password policies ensure that passwords appearing in lists of captured passwords are rejected. The website Have I Been Pwned, for example, indicates whether a password has been captured. Modern systems offer interfaces to check passwords in this way. In CONTACT Elements you can easily activate them:

# Register the breached-password check as the password acceptability hook
from cdb.sig import connect
from cdb.authentication import check_pwned_password
connect('password_acceptable_hook')(check_pwned_password)
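The two rules from the sections above, minimum length over complexity and rejection of passwords that appear in breach lists, can be combined into one acceptability check. The following is an added example and not CONTACT Elements code: it uses the k-anonymity range lookup of the Pwned Passwords API (only the first five hex characters of the SHA-1 hash leave the client), with the network fetch made injectable so that the example runs offline against a constructed response. The sample response, its counts and the `sample_fetch` helper are constructed for this illustration.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

MIN_LENGTH = 14  # upper end of the 8..14 character range recommended above

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# Real responses contain hundreds of "SUFFIX:COUNT" lines; the counts here are made up.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # SHA-1 suffix of "password"
    "01F6F5C9E2C9B5B8B1C2D3E4F5A6B7C8D9E:1",
])

Fetcher = Callable[[str], str]


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex, split into the 5-char prefix sent to the API and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup of one hash-prefix bucket; only used when no fetcher is injected."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_http: only the 5BAA6 bucket is populated."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Fetcher) -> int:
    """How often the password appears in breach data (0 if never). The full hash never leaves the client."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Optional[Fetcher] = None,
                        min_length: int = MIN_LENGTH) -> Tuple[bool, str]:
    """Length first (cheap, local), then the breach lookup. No complexity rules at all."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    count = breach_count(password, fetch_range or fetch_range_http)
    if count:
        return False, f"seen {count} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ss1!", "password", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate, sample_fetch, min_length=8))
```

The short-but-complex `P@ss1!` fails on length alone, `password` passes the relaxed length check but is rejected because its hash suffix is listed in the bucket, and the long passphrase is accepted. Keep the length check before the lookup so that a slow or unavailable breach service never becomes the bottleneck for passwords that would be rejected anyway.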

Password manager instead of one-size-fits-all

Password reuse is bad, and so are short passwords. Users face the challenge of keeping a large number of long passwords in their heads. Writing them down on a piece of paper and hiding it under the keyboard or pinning it to the bulletin board is not a solution, because a camera can capture it.

It is better to use a password manager. It can create and manage long passwords and makes them easier to enter via copy and paste. Unfortunately, some companies, concerned that a Trojan might intercept passwords from the clipboard, block copy and paste in their applications, which prevents the use of a password manager. In the case of a Trojan infection this measure is usually ineffective anyway, and companies should instead instruct users to use a password manager to increase their IT security.

Beware of highwaymen and tricksters

Even the strongest password does not protect against attacks if it is intercepted, and that is often surprisingly easy to do. Connections without a minimum level of security such as Transport Layer Security (TLS) are an open book for any attacker. Older network protocols such as Kerberos also offer numerous entry points. Ransomware exploits these to spread across the corporate network. As soon as an administrator logs on to a compromised computer, the attacker has the credentials; shortly thereafter golden and silver tickets are created and the Windows domain is firmly in the attacker’s hands.

Here, too, security stands or falls with the password, because it is used in the calculation of the authentication tickets and, due to the symmetric encryption, enables the attacker to recover the password from the ticket.

Increase security through multiple factors

One recommendation for getting around the weaknesses of passwords is to add further factors. This works very well from a security perspective: a second factor significantly increases security in almost every case. In most cases it is of secondary importance whether these are one-time passwords such as TANs sent via SMS, time-based codes such as Time-based One-time Password (TOTP), or even simple confirmation emails with links.

The downside of second factors is the additional effort and the impact on usability. Helpdesk processes become more complicated, users need to be trained, and logins often take longer.

Single sign-on – both a curse and a blessing

Users love single sign-on (SSO), where you only have to enter a password and a second factor once to use numerous services. This minimizes the effort enormously, but it does so for the attacker as well, particularly if access depends on nothing more than a weak password. A central login system also solves many compliance problems when users have to be blocked or reports have to be generated, and it reduces the cost of user administration.

Single sign-on turns the “one password per service” argument above on its head. Again, only one password stands between the attacker and your systems. If the attacker knows the password, he has access, and the single sign-on system then opens every door for him.

Detect phishing

Even stronger mechanisms such as TOTP or hardware token generators do not protect if the password and access code are entered on a fake website. This practice is known as phishing. The countermeasure is channel or token binding, which binds the requested access to the channel through which it is requested: a token is then only accepted for access from device A, not from the attacker’s device B. This form of multi-factor authentication is very secure and easy to use with modern hardware or cell phones. For enterprise IT, integration with common platforms is what matters here. Windows Hello, Apple and Android support the FIDO2 / WebAuthn standard specified by the FIDO Alliance, which thwarts phishing and makes single sign-on secure.
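The binding described above is visible in what a WebAuthn relying party checks before it even looks at the signature. The following added example (not from the article, and not a FIDO Alliance or CONTACT Software implementation) builds a constructed authenticator response and runs the relying-party checks on it: the challenge must be the one this login issued, the `origin` in the client data (filled in by the browser, not by the web page) must be the relying party’s own origin, and the `rpIdHash` in the authenticator data must be SHA-256 of the expected RP ID. A look-alike phishing origin fails the second check, which is exactly why the stolen credentials never work elsewhere. Verifying the signature over the returned `signed` bytes with the credential’s registered public key is the remaining step and needs a crypto library, so it is left out here; the `make_assertion` helper, the sample origins and the challenge bytes are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional, Tuple

FLAG_USER_PRESENT = 0x01


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes, sign_count: int = 7) -> Tuple[bytes, bytes]:
    """Constructed stand-in for what browser and authenticator return (clientDataJSON, authenticatorData).
    authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes big-endian)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,  # set by the browser from the actual page origin
    }).encode("utf-8")
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", sign_count)
    return client_data, auth_data


def check_assertion_binding(expected_rp_id: str, expected_origin: str, expected_challenge: bytes,
                            client_data_json: bytes, auth_data: bytes) -> Tuple[bool, str, Optional[bytes]]:
    """Relying-party checks that bind the assertion to this login, this origin and this RP.
    Returns (ok, reason, bytes-to-be-signature-verified)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (not the challenge issued for this login)", None
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} is not {expected_origin!r}", None
    if len(auth_data) < 37:
        return False, "authenticatorData too short", None
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return False, "rpIdHash does not match the expected RP ID", None
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set", None
    # What the authenticator actually signed: authData || SHA-256(clientDataJSON)
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "bound to the expected challenge, origin and RP", signed


RP_ID = "example.com"
ORIGIN = "https://example.com"
CHALLENGE = bytes(range(32))  # constructed; a real server draws this at random per login

if __name__ == "__main__":
    good = make_assertion(ORIGIN, RP_ID, CHALLENGE)
    phish = make_assertion("https://example.com.login-portal.test", RP_ID, CHALLENGE)
    print("genuine:", check_assertion_binding(RP_ID, ORIGIN, CHALLENGE, *good)[:2])
    print("phished:", check_assertion_binding(RP_ID, ORIGIN, CHALLENGE, *phish)[:2])
```

In the phishing case the user did press the key on the genuine device, yet the response carries the fake site’s origin, so the relying party rejects it; the signature would not even be over the right data, because SHA-256(clientDataJSON) covers the origin too.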

Passwords are obsolete!?

Building on the WebAuthn standard, there has been a new initiative since 2022 with passkeys, driven by Apple, Microsoft and Google, to banish passwords from applications and single sign-on. You can change your password to a passkey today if your device supports it, and use 2024’s “Change Your Password Day” to delete your password and never have to use it again.
More Information on Cybersecurity

Learn everything you need to know about building a reliable IT security architecture for protection against cyberattacks in our free white paper “IT Security for Enterprises”.

With the digitization roadmap to a truly digital company

The digitization of business processes has received remarkable attention in recent years. On the one hand, the Corona pandemic ruthlessly exposed digital gaps; on the other hand, in view of political, social and ecological changes, companies are called upon more than ever to act in a more agile and sustainable way. Motivation is high enough, and progress in digitization is becoming more and more visible. However, implementation usually does not follow a digitization roadmap that shows the milestones and waypoints on the way to the goal, but rather a salami tactic.

Digitalization in small bites poses risks

When I talk to representatives of medium-sized companies about digitization, the answer is often: Yes, we do it all the time! Examples include actions such as the creation of policies to increase the use of Office software features throughout the company, the introduction of a ticket system, or the use of a requirements management tool in product development.

This reflects a common practice of carrying out digitization projects on a divisional or departmental basis, in relation to individual tasks or sub-processes. At first glance, it often seems attractive to plan and implement projects from a departmental or site perspective, because the coordination effort is lower and department-specific solutions can supposedly be implemented quickly.

In principle, implementing demanding projects in manageable steps is a sensible approach. The same goes for generating benefits quickly and making progress in digitization continuously visible. However, the fragmented approach also carries risks, namely when the target picture of digitization is unclear and the path to achieving it is not adequately described. Then there is a realistic risk of missing essential goals of digitization projects: for example, not exploiting the potential of new digital business models and thus failing to drive the company’s digital transformation forward, or not using the company-wide and cross-company data treasures because the focus is only on local optimization.

The benefits of a digitization roadmap

To state it up front: with a digitization roadmap, companies can minimize the risks mentioned above with little effort. It provides a reliable, medium-term guideline for all digitization activities in the company, aligned with a clear target picture. With its different perspectives on the topic of digitization, it addresses the specialist departments, IT and management. The digitization roadmap should contain some essential information:

  • What is the company’s level of digitization?
    The basis of the digitization roadmap is an inventory of the current level of digitization in the company. For this purpose, the existing target images, requirements, and activities in the various corporate divisions and hierarchies are reviewed. Common maturity models help to assess the company’s level of digitization.
  • What is the target scenario?
    Once the status quo has been established, a clear, coordinated target scenario for digitization can be drawn up. The target scenario contains an overview of the future digitally end-to-end business processes as well as the future application architecture and the necessary information services.
  • Which sub-steps are necessary?
    Once the goal is clear, the next step is to define and describe the necessary subprojects. In order to prioritize the subprojects in a meaningful way, the required internal and external resources and the possible project risks are estimated. The information previously obtained from the inventory is also used to extrapolate the benefit and business potential of the individual digitization subprojects. This makes it possible to calculate business cases for the planned projects.
    The project team and management are thus able to decide on the subprojects and their prioritization according to objective cost/benefit criteria, resource availability and other company-specific parameters. In this way, today’s digitization bites become defined, evaluated subprojects within an overarching context.
  • What is the business case?
    The high degree of concretization of digitization activities, especially of the relevant business case, is an essential basis for reliable financing of digitization projects. For example, specialist IT project financiers offer flexible top-up leasing that adjusts the leasing rates to the expected increase in benefits, or even financing of internal personnel resources. With such financing models, digitization succeeds without any restriction on liquidity.

Conclusion

In the past, only individual projects were often launched. Currently, however, more and more of our customers are taking advantage of strategic planning with digitization roadmaps. With little effort, they offer a reliable orientation for the digital transformation with a clear target picture, concrete business case and alternative financing options.

What is Material Data Management?

When someone asks me something about Material Data Management, I always counter by asking what exactly is meant by “material”. This may not be the answer the other person expects at that moment, but it saves us both long minutes of confusion and talking past each other. The reason: not all materials are the same.

About the ambiguity of language

As a Frenchman in Germany, I am used to the fact that ambiguity leads to misunderstandings. Some expressions cannot be translated one-to-one from one language to another – at least not in such a way that it is immediately clear to everyone what is meant. A well-known example is the word “Gemütlichkeit”. The term only exists in German. More insidious, however, are the so-called false friends: word pairs such as “gift” in English and “Gift” in German. They look the same, but the meaning is fundamentally different. Even as an experienced polyglot, one is not protected from this. For example, my French interlocutors may seem irritated when I say that something has “irrité” me, meaning that something has surprised me. However, they understand this to mean that I have got some kind of skin rash out of sheer annoyance.

What can lead to funny and even sometimes slightly embarrassing situations in everyday life often causes inefficiency in the working world. To find examples, we don’t even have to look in an international context: Even within a German-speaking organization, not everyone necessarily speaks the same language. This is not due to the strong dialects in many places, but to the disciplinary nature of the language: Different people with different qualifications or expertise can understand different things by the same word.

And that brings me to the topic of this article. More precisely, to the multilingual muddle and interdisciplinary ambiguity of the word “material”, and to the galactic confusion around its terminology, which I would like to clear up.

Material is not equal to material

Enterprise software is to a large extent about managing materials and their data. There are great solutions for this, called Materials Management, Material Data Management or even Master Material Data Management. The names sound very similar and are often used synonymously in practice, yet they refer to completely different things. Freely following the motto “material is equal to material”, it is overlooked that the word can have a different meaning for different disciplines, and things are lumped together that have little to do with each other. Confusion and misunderstanding are guaranteed.

Differences within the disciplines

In production logistics or material requirements planning, a material is a logistical unit, a resource that is needed for some value-adding process. Goods that can be purchased, such as a screw, a flange, a spindle, a tire, and so on. The art of sensibly procuring, moving and storing materials is called “Materialwirtschaft” in German and Materials Management in English.

In the context of product development, materials in this sense play no role. Development is not interested in a particular hood and where it is stored, but only in its description. To put it in the language of information technology: development defines classes, production logistics manages instances of these classes. However, the concept of material reappears here as well, because in everyday usage items, parts and assemblies are readily called materials. The reason is that they become materials in the sense of production logistics at the interface between PLM and ERP. This gives rise to misleading terms such as Material Management or Material Data Management. It would be more correct to speak of Master Data Management in the sense of parts master management.

In engineering (including design and simulation), the word material describes the physical composition of an object in the sense of materials science or materials technology: i.e., whether an object is made of wood, PA66, Inconel, or GFRP, for example. This is obvious. The management of all information about materials and their properties is called Material Data Management. Confusingly, the acronym MDM also stands for Master Data Management, which is not particularly conducive to sharpening the terms.

Different disciplines, different meanings of the word material

Conclusion

The confusion is great. PLM solutions that are tailored to the respective disciplines provide a remedy. They serve the different requirements optimally and thus ensure better collaboration overall. With Master Data Management as a core PDM function, all parts master data can be kept consistent and managed efficiently. Modern Material Data Management stores all information on materials and serves as a reference for the entire product development process. Material Compliance helps document the quality-checked delivery of regulated materials and precursors and ensures that only approved substances are processed. With interfaces to ERP systems, digital materials (in the sense of development) then also easily make the step into the physical world and become materials in the sense of production logistics.