Most of the time when we develop a software flow to implement business logic, we are making decisions that affect the safe and comfortable usage of the system and maybe the success of the business.

For example, to validate a member who is trying to update important data on the system (like credit card data etc.), we may decide to ask for confirmation by SMS with an OTP. So we may send a 4 digit code and ask for confirmation. But first of all, how can we be sure that OTP over SMS is secure enough for our process? How long an OTP should we send; are 4 digits enough? Is it secure enough to use only numbers instead of letters too? We are of course always trying to make it easy for members so it will be comfortable for them and they do not decide to stop using our systems. Otherwise we could make it as hard as we can so it would be more secure.

Of course this is not a specific question and the answer would not be clear on this, but I am asking this question to understand whether there is a methodology or statistical method to decide that a business process or software flow is statistically secure. Because mostly we are deciding according to our own and some colleagues' opinions, nothing else, which is not measurable. There must be a way to handle such questions?

So any idea?

Walt S.

2 Answers

Basically you need to perform a Risk Assessment, and the company needs to define their limits.

Risk assessment

Is performed to identify risk to a company. In Information Security these risks come in the forms of breaches / social engineering / etc. Risk has a defined description, which is

Risk = Potential Loss X Probability that something will happen

Risk assessment uses two ways to apply value to an assessment.

Quantitative

Quantitative is an assessment of value which typically has a numeric value to it. You could for instance measure the numeric value of your incoming data lines and compare it to the losses your company would suffer (in terms of dollars) if those lines were to go down.

Qualitative

Qualitative is an assessment of value which typically can't be measured in numeric form. For example, how easy would it be for an attacker to social engineer his way into changing account information?

As some words of advice, if you have never done a risk assessment before, I would highly recommend you hire a company to do a small assessment with you. There is a lot that can go into these, and while the internet has great resources on what it is and what you are trying to accomplish with it, it's kind of all over the map on executing one. Learn how someone else does it, see what goes into it, and then take that knowledge and improve upon it.

Shane Andrie

Of course 8 alphanumeric digits are "more secure" than 4 numeric digits.

But there are also several attack vectors when sending an OTP via SMS. So I would not attack by guessing a pseudo random 4 digit number, but I would

  1. attack the rollout process. The 4 digit number is somehow generated using a secret key or a random number generator. Maybe I can get my hands on this.

  2. attack the user's phone just by stealing it for a short period of time. Even Sheldon was able to do this in The Big Bang Theory ;-)

  3. steal the person's phone number. Some years ago this was done successfully by just faking the person's identity and transferring the mobile phone number to a new provider. I will get all SMS then.

  4. set up a base transceiver station and have the victim's phone connect to my BTS.

Shane already gave an impression what "secure enough" should mean for you.

If you want to be more secure regarding the second factor, you might still think of using hardware tokens like the YubiKey, which you can initialize yourself. The open source solution privacyIDEA supports all those ways: SMS, hardware token, YubiKey... So you can decide in which process you want to have which level of security.

cornelinux
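Putting Shane's "Risk = Potential Loss X Probability" and the 4-digit-versus-8-alphanumeric comparison above into numbers, as an added example that is not part of either answer: keyspace, the chance that an online guesser hits a code within the attempts a rate limit allows, the resulting annual expected loss, and the shortest code that keeps the per-challenge guess probability under a chosen target. The attempt limit, challenge count, loss figure and probability target are constructed assumptions, not values from the thread.

```python
"""Quantitative comparison of OTP policies for an online-guessing attacker."""
from dataclasses import dataclass
from fractions import Fraction
import string

DIGITS = string.digits                          # 10 symbols
ALNUM = string.digits + string.ascii_lowercase  # 36 symbols (case-insensitive)


@dataclass(frozen=True)
class OtpPolicy:
    alphabet: str      # symbols the code is drawn from
    length: int        # number of symbols in the code
    max_attempts: int  # guesses accepted before the code is invalidated

    def keyspace(self) -> int:
        return len(self.alphabet) ** self.length

    def guess_probability(self) -> Fraction:
        """Chance that one uniformly random code is hit within max_attempts
        distinct guesses (capped at 1 if the whole keyspace can be tried)."""
        return min(Fraction(self.max_attempts, self.keyspace()), Fraction(1))


def compromise_probability(policy: OtpPolicy, challenges: int) -> float:
    """Probability of at least one successful guess when the attacker can
    trigger `challenges` fresh OTPs (e.g. per account per year)."""
    return 1.0 - (1.0 - float(policy.guess_probability())) ** challenges


def annual_risk(policy: OtpPolicy, potential_loss: float, challenges: int) -> float:
    """Risk = Potential Loss x Probability, using the definition from the thread."""
    return potential_loss * compromise_probability(policy, challenges)


def min_length(alphabet: str, max_attempts: int, target: Fraction) -> int:
    """Shortest code for which one challenge's guess probability is <= target."""
    length = 1
    while Fraction(max_attempts, len(alphabet) ** length) > target:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed inputs: 3 attempts per code, 100 attacker-triggered
    # challenges a year, and a $5,000 loss per compromised account.
    for policy in (OtpPolicy(DIGITS, 4, 3), OtpPolicy(ALNUM, 8, 3)):
        print(f"{policy.length} x {len(policy.alphabet)} symbols: keyspace="
              f"{policy.keyspace():,} annual risk=${annual_risk(policy, 5_000, 100):.4f}")
    print("digits for p<=1e-6 per challenge:", min_length(DIGITS, 3, Fraction(1, 10**6)))
```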