Security is something that all of us, from C-level down are now fully aware of. This is at least in part due to the onslaught of cyber attacks over the last few years that have resulted into the loss of nearly 4 billion data records since 2013. In the PWC 2015 Information security breaches survey, they found that 90% of businesses had suffered a data breach. So this is a problem that is affecting us all. And the problem is exacerbated by the fact that digitization of all business types has grown so quickly, that we now find our selves in a post-Cloud world, where the rate of connection between devices is growing exponentially – estimates of around 6.4 billion devices connected up by 2020 according to Gartner. This situation has run away with itself and left us reeling and our data exposed.
What transpires, is that the idea of having any kind of corporate control over a perimeter was lost long ago. The previously fuzzy perimeter is now more like a ‘dark perimeter’; no one is quite sure if it exists or not.
One thing is sure however, data, which is ultimately what cybercriminals are after, can be protected, perimeter or no perimeter. Data access is the key to the castle. Get that key and the drawbridge comes down, letting a hacker walk right into the store and pick what they like. The only way to control distributed data, that can be stored, transmitted and accessed from anywhere, anytime, by any device, is by implementing robust authentication measures.
Authentication: The Key to Safe Data
If you look at any of the most prominent cyber attacks of recent years, for example the Office of Personnel Management, Anthem or Target Corp. analysis of the breach is pointing to one thing – privileged credential exposure. The methods of getting at the credentials are most often though a spear phishing email, often directed at privileged users like a system administrator. Once the hacker has access credentials, they have the keys to the castle, and data exfiltration quickly follows – or slowly in the case of an Advanced Persistent Threat (APT).
The trouble is that authentication is equivalent to data. In this way it is as valuable as data and needs to be viewed as such. Creating a robust and hack free credential is not an easy task. The hunt for a login credential that is both usable and secure has been elusive and there are a number of bodies working in this area to resolve the issue.
One thing is certain. Authentication is a vital part of a cyber security program. As access becomes more fluid, as it crosses device types, and becomes more about inter-company than intra-company, then the more we need to think seriously about how we control that access and which authentication measures we implement.
Authentication Issues: Single Factor Failure
The problem with the cyber breach examples above is that spear phishing works really well. FireEye found the open rate of a spear phishing email was 70%, that is a very high open rate for any type of email. Once that email is opened and the process to steal credential begins, then you have already lost the data those credentials are protecting. If your system uses a first factor like username and password only, then spear phishing emails are an incredibly easy way for a cybercriminal to get access to network resources. As soon as you enter those credentials into a spoof website, they are gone and so is your data.
But it isn’t just phishing that causes data loss. Any single factor based login system is at risk. It seems that employees like to share credentials. In a Centrify study, it was found that in the USA, amongst IT staff, 52% admitted to sharing a credential with a contractor, and 59% with a fellow member of staff. When you couple that with the fact that according to a PWC report on insider threats, 15% and 18% of security incidents were caused by contractors and consultants, respectively, then you can see why single factor authentication is a root cause of data exposure.
The use of a single factor to control access to, especially sensitive, resources, has been proved to be less than effective. But there are options. Using second or even multiple factor is an option. Even if the app itself can’t support second factor, USP SES can apply this for you, ensuring your whole system has the ability to apply a second factor layer. The issue then comes down to finding the right level of usability vs. security vs. cost.
Where first factor authentication is usually something you know, second factor options usually involve something you have. The something you have is most often a specialized device, like hardware token or a smartphone app, even wearables can be sent push notified second factor codes. The second factor is most often in the form of a code. It can be based on HOTP, which is a hashed password, TOTP which is a time limited code, or U2F (Universal Second Factor).
Like many things in life, there is more than one way to ‘skin a cat’ and second factor is no exception. The implementation of second factor can add increasing levels of security, whilst retaining usability. For example, entering the second factor code into a field on a website is potentially open to Man in the Middle attacks, whereas, sending the generated code from the mobile device to the web application back end will bypass this hack.
Other methods, such as linking granular policies to an access control method will also improve security, whilst retaining usability.
Many new systems also combine a third factor, such as a biometric, e.g. fingerprint or retina, with a mobile device. This adds an extra layer of authentication, of ‘what you are’ to the access of a resource, upping the ante and making the cybercriminals life a little less easy.
Adaptive authentication is a more intelligent way of applying authentication based on risk levels. It uses a mix of profile types and risk associated with particular access scenarios and applies polices based on this. In other words, it ups the level required to login to a system based on the risk associated. For example, Bob wants online banking. When he accesses his account he wants to use two factor, but only if he is not on a specific device. In this case a policy for suppressing the second factor, if the device is recognized, will be applied and Bob will only enter his first factor to gain access. In another example, Alice, a system administrator for a SAP system, has a policy applied so that she cannot access the system outside of a specified IP address range. And even then she has to enter a second factor and a biometric for full SAP access rights. This type of risk-based login can also be used to alert administrators of rogue employee action and spot incoming access attempts from unrecognized sources. Adaptive or risk based authentication also works well with Single Sign On (SSO) adding a layer of trust, creating a highly usable, yet secure, authentication option.
A number of groups are looking at the conundrum of authentication, knowing that it is the key to cyber security. The Fast Identity Online Alliance (FIDO) is one such organization. FIDO is building industry standards for two-factor authentication in an attempt to remove the need for passwords altogether. Other groups like OpenID Connect are looking at building web based authentication protocols that can be used across multiple locations and applications.
Protocols like OpenID Connect are also based on the idea of user attributes or ‘claims’. Gartner in their Identity and Access Management 2020 report predicts that access control will be based on attributes and context. This is already happening now and equates to attributes like age and location controlling access to resources, with authentication shoring up this access. The idea of authentication and the identity behind the authentication, being an intrinsically linked entity, is revolutionizing how adaptive authentication works, creating a more complex matrix with greater controls. In this way, we can take on the cybercriminals at their own game, phishing simply wont work and they will have to up their game to retain their position in the cyber security struggle.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.