In this week's #TechTuesday Roundup: 3.3 million Hello Kitty fans have information exposed after a database leak, Gyft resets customer passwords after a breach, researchers have discovered another malicious app in the Google Play store, an IRS-themed ransomware spam campaign has surfaced, and HSBC customers become the latest victims of a phishing attack.
This week we are proud to present a spotlight blog from one of our trusted partners, Mr. Andy Osburn at SecureReset. With over 15 years of experience in network password reset, Andy and his team are an integral part of what makes Courion great. Take it away Andy!
Andy Osburn, Secure Reset
You can’t throw a digital rock in the IT security blogspace without hitting an article concerning the risks and consequences related to password compromise. This attention is well-placed given the numerous high profile cases of data theft and reputational losses that can be traced back to either weak or stolen passwords.
The recognition of the inherent risk in any single-factor authentication method is not new. In 2001, the US Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication in the electronic banking environment, identified the risks and controls, and concluded that, “single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions.” This reality has generated a wider call to move beyond security’s reliance on passwords and their ever-increasing complexity and rotation requirements. When employed as a single factor to verify identity and grant access to critical enterprise resources, the overwhelming conclusion is that the password is simply not good enough.
The FFIEC went further to advocate the use of multi-factor authentication (MFA) where two or more of the three basic factors are used in combination.
- Something the user knows (e.g., password, PIN)
- Something the user possesses (e.g., ATM card, smart card)
- Something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern).
So it begs the question: if the risks, consequences, and potential solutions have been known for 15+ years, why has there not been wider adoption and usage of MFA?
Well, the answer lies in the fact that the implementation of additional authentication control methods in the IT security environment must take into account many considerations, not the least of which are user experience, cost, and convenience.
Early MFA solutions that incorporated smart cards, biometric scanners, and hardware tokens, in addition to knowledge authentication, made significant strides in elevating the security of user authentication. However, the relative complexity and inconvenience of these MFA solutions hampered widespread adoption in the enterprise marketplace. This experience, together with the relatively high lifecycle management costs of the solutions, limited the scope of usage to environments requiring higher-end authentication security.
So what has changed in this intervening period through to today’s reality of enterprise environments and authentication challenges? Two things: the first of which is the acceptance of the high risk inherent in single-factor authentication and the corresponding potential for significant data and reputational losses. The second is the ubiquity of the mobile smart device.
Each of us now carries a mobile device that has tremendous capability to behave as a security token. Not only is there exceptional computing capacity, but perhaps even more importantly, we as users are now completely comfortable with employing these devices for a myriad of common daily routines. It is only natural that we now look to use these devices as part of an enterprise MFA strategy.
This new mobile MFA capability is being reflected in the products available to enterprise customers from Courion partners such as QuickFactor and Ping Identity. Both companies are members of the FIDO ("Fast Identity Online") Alliance which is an industry organization created to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
These advances in mobile products and standards mean that the new reality of enterprise user authentication strikes a better balance between security and convenience. End users have more flexible authentication choices, and the enterprise can now leverage the significant capabilities of mobile authentication with three true factors.
Coming full circle then, it is unlikely that the password will completely go away. However, it is equally unlikely that it will continue to exist in the familiar form as we know it today. What we can expect to see is that the password will play a role as a one-time-use or rotating knowledge-based authentication component of the mobile MFA model. When employed wisely in an MFA structure, the password can still prove to be a valuable authentication factor.
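To make the "something the user possesses" factor and the one-time-use password described above concrete, here is an added example (not code from Courion, SecureReset or the original post) of the time-based one-time password scheme that mobile authenticator apps implement, RFC 4226 HOTP with the RFC 6238 time step on top. The shared secret is the RFC test-vector key, the user names and the `TotpVerifier` class are this example's own constructs, and the verifier remembers the last accepted time step per user so that a code really is one-time-use, even within the clock-drift window.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with replay-resistant verification.

Added example using only the Python standard library. The secret is the
RFC test-vector key "12345678901234567890"; the users are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret that an authenticator app scans from a QR code."""
    padded = b32.strip().upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)), with C as an 8-byte big-endian integer."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step +/- `window` steps, once only.

    Tracking the last consumed counter per user is what turns a TOTP code into a
    genuinely one-time credential; without it a captured code could be replayed
    for the rest of its validity window.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}                  # user -> last accepted time step

    def verify(self, user: str, secret: bytes, code: str, at: int = None) -> bool:
        if at is None:
            at = int(time.time())
        if not (code.isdigit() and len(code) == self.digits):
            return False                         # reject malformed input early
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter.get(user, -1):
                continue                         # this step was already consumed
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # == b"12345678901234567890"
    v = TotpVerifier()
    code = totp(key, 59)                         # RFC 6238 vector: "287082" at T=59
    print("code at T=59:", code)
    print("first use accepted:", v.verify("alice", key, code, at=59))
    print("replay rejected:  ", v.verify("alice", key, code, at=70))
```

The `window` parameter is the usual trade-off between tolerating phone clock drift and widening the interval in which an intercepted code stays usable; the per-user counter keeps the replay surface at exactly one use regardless of how wide that window is.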
For more information on how Courion works with SecureReset to create the most innovative and industry leading technology, read more on our datasheet or click here for information on SecureReset and our other partners.
Every January, our blog feeds and magazine headlines are full of the top 5, 10, or 20 trends for the coming year; do we ever hear if they were right? How did those things impact our industry? Did our diligence in these subjects really pay off? Rather than giving you five more things to look out for, I'm taking a look back on what the experts highlighted for 2015 to discuss both how they have impacted us so far and if/how your focus should shift for the remainder of the year.
Here is a list of my 2015 mid-year trends to watch:
We all know that the biggest headache for any security team lies within employee credentials. So far this year we have seen breaches at OPM, Anthem, and UCLA Health which total close to 30 million records being compromised. Even the services that supposedly keep our passwords safe aren't immune, as we saw in the case of the LastPass breach.
These hacks, along with the thousands of others we don't hear about, prove that passwords and other credentials are more valuable to hackers than ever. What I believe this will lead to is the implementation of multifactor authentication. Companies like Apple already have two-factor authentication in place using the thumbprint scan as an additional password option for banking and other applications. I believe that not only will more personal applications begin to use this for their customers but also that security teams will introduce multifactor authentication in order to access their companies’ sensitive data.
2. Internal Breaches
We've already discussed the different breaches of Anthem, LastPass, UCLA and OPM; one thing they have in common is that all were breached within the past six months, and all were breached from the inside. This trend isn't going to stop because people are continuously finding ways around the firewall.
Am I saying to forget your firewall? Of course not. Everyone needs a fence around their important property and that’s what the firewall does. However, with the rising trends of outsourcing, consulting, interns and other non-employee access, you exponentially increase your risk by providing access that isn't always managed correctly and/or shut off when needed. Keeping an eye on your user access is more important than ever and I see the call for real-time monitoring taking over by the end of the year.
Last year, we saw the first major instance of ransomware with the breach of Sony Pictures. The hackers held information and released it slowly while asking Sony for a ransom in order to stop the leak. This year we have seen ransomware take center stage again, most recently with the breach of 4 New Jersey online casinos whose information was held in exchange for a bitcoin ransom.
While this was clearly an issue for the targeted casinos, it opened up an even larger threat surface. This breach has the potential to affect not only the ransomed casinos but anyone in the city who shared the same ISP. Were the other companies on that ISP not as lucrative as the casinos? Maybe not today. However, this shows us the power of hackers and their ability not only to steal our information but to use it against us.
4. Internet of Things & Bring Your Own Device Risks
The Internet of Things (IoT) has become one of the hottest topics in the industry, but how has it affected us so far? While smart refrigerators, coffee makers, etc. might not be showing up in your office yet, the IoT is alive and well and showing itself most often in your employees' devices.
Employees bringing their own devices doesn't just mean smart phones or tablets; now we have smart watches, wearable fitness devices, and more. With constant Bluetooth upload, these devices not only change how we consume personal data but also open a window into our company's data and the portals where we are connected. It is estimated that these devices numbered 21M in 2014 but will increase to 150M by 2019 – a 48% increase. The IoT and bring-your-own-device issues I see in the near future are as simple as "will hacking your Apple Watch affect entry into your organization?"
North Korea didn't want to see "The Interview" — and while I don't blame them — I also think that a massive breach of Sony Pictures was a bit over the top. While this may have been the first widely publicized nation-state breach, it is far from the first time one country breached another.
Last month's HackingTeam breach shows a list of customers ranging from over 10 different governments, including several US agencies such as the DEA, FBI, and Department of Defense. Mix this with the allegations that the OPM hack was instigated by China and we have a whole new issue. Will hacking tools be defined as the new weapons of mass destruction?
While these certainly weren’t the only trends to watch in 2015, they were consistently mentioned by industry experts. I happen to agree that these five issues are ones to watch and will continue to evolve and change how we do business.
However, these aren't the only risks that we are seeing now, nor are they the only ones to affect our future. If you are worried about the risks you face in your organization or how to protect yourself against these risks, comment below, contact us at info.courion.com or tweet us @courion.
Tags: cybersecurity, password protection, insider threat, ransomware, midyear trends, cyber, cyber security, Passwords, BYOD, criminal, cyber attack, cyberterrorism, information security, password management, password, BYOID, internal breach
Four online casinos were asked to pay bitcoin ransoms to avoid cyber attacks
In a move that would make Danny Ocean proud, a new crop of casino robbers has left the Vegas strip and found new success online. According to the article "four New Jersey-based casinos were asked to pay a bitcoin ransom after being hit with distributed denial-of-service attacks." While it lacks the finesse of Ocean's 11, it does sound a lot easier than breaking into the Bellagio. Stan Higgens, Coindesk, Businessinsider.com
Email worries: providers name their top health data security risks
A few weeks ago, we brought you a blog on Healthcare's Unique Security Challenges, and it looks like we aren't the only ones diving into ways to increase security. The Advisory Board Company named email worries, compromised applications, and hackers as three of the top health data security risks. Read more to see if you agree. Advisory.com
It's time we stopped calling Millennials "dumb" about data privacy
Full disclosure: I am a Millennial so it's no surprise that I agree with this article. However – putting my bias aside – I think this is a great look into why security teams shouldn't confuse this generation's sense of self with its sense of security. John Zorabedian, nakedsecurity.com
Hacking Team 0-Day Shows Widespread Dangers of All Offense, No Defense
You've heard the old saying "the best offense is a good defense" and this article agrees. With last week's Hacking Team breach, we saw how the issue of strong password practices once again can help keep you safe. Read more on passwords and how to #DefendfromWithin. Sara Peters, Darkreading.com
The insane ways your phone and computer can be hacked, even if they're not connected to the internet
Do you know what's inside your smartphone? Learn about how these tiny machines can give away even more of your information than you thought possible as well as seven other ways your phone and computer can be hacked. Cale Gutherie Weissman, Businessinsider.com
On Monday, April 7th, OpenSSL disclosed a bug in their software that allows data, which can include unencrypted usernames and passwords, to be collected from memory remotely by an attacker. OpenSSL is the most popular open source SSL (Secure Sockets Layer) implementation and the software is used by many popular websites such as Yahoo, Imgur, Stackoverflow, Flickr and Twitpic. Many of these popular websites have been patched. However, as of this writing some, including Twitpic, remain vulnerable.
Several tools have become available to check whether an individual website is vulnerable. We recommend that you double-check whether websites that you use are affected before logging in. If the website you are logging into is no longer vulnerable, you should reset your password, since the password may have been captured while the server was previously vulnerable. The bug is also present in some client software, and a malicious web server could be used to collect data from memory on client machines running these pieces of software.
This particular vulnerability has been present since 2012 and underscores the need to look beyond typical perimeter defenses and continuously monitor for unusual behavior within your network. Persistent attackers will continue to find creative ways to breach the perimeter and detecting abnormal use of valid credentials is becoming extremely important.
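The post closes on detecting abnormal use of valid credentials, which is exactly the signal a perimeter cannot see once a password has been harvested. As an added example (not Courion's code or a product feature), the script below runs two simple detections over a handful of constructed, sshd-style authentication log lines: one account succeeding from too many distinct source addresses within a short window, and one source address failing against several accounts and then succeeding. The log format, the user names and the RFC 5737 documentation IP addresses are all constructed for the example; the thresholds are tunable assumptions, not recommended values.

```python
"""Detect anomalous use of valid credentials in authentication logs.

Added example over constructed log lines (the format, users and addresses
are invented for illustration). Two detections:
  1. multi_source_login   - one account logging in from > max_sources IPs in window_s
  2. spray_then_success   - one IP failing against >= min_failed_users accounts,
                            then succeeding, within window_s
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2014-04-08T09:00:01 auth: result=success user=alice src=10.0.0.5
2014-04-08T09:00:09 auth: result=success user=alice src=10.0.0.5
2014-04-08T09:02:30 auth: result=success user=alice src=203.0.113.7
2014-04-08T09:03:10 auth: result=success user=alice src=198.51.100.23
2014-04-08T09:10:00 auth: result=failure user=bob src=192.0.2.44
2014-04-08T09:10:02 auth: result=failure user=carol src=192.0.2.44
2014-04-08T09:10:04 auth: result=failure user=dave src=192.0.2.44
2014-04-08T09:10:06 auth: result=failure user=erin src=192.0.2.44
2014-04-08T09:10:08 auth: result=success user=frank src=192.0.2.44
2014-04-08T09:30:00 auth: result=success user=bob src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _trim(window, now, window_s):
    """Drop entries older than window_s seconds from the left of a deque of (ts, ...)."""
    while (now - window[0][0]).total_seconds() > window_s:
        window.popleft()


def detect_multi_source_logins(events, window_s=600, max_sources=2):
    """Alert once per account that succeeds from more than max_sources distinct IPs in window_s."""
    alerts, flagged = [], set()
    per_user = defaultdict(deque)               # user -> deque of (ts, src)
    for ev in events:
        if ev["result"] != "success":
            continue
        q = per_user[ev["user"]]
        q.append((ev["ts"], ev["src"]))
        _trim(q, ev["ts"], window_s)
        sources = {src for _, src in q}
        if len(sources) > max_sources and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append(("multi_source_login", ev["user"], sorted(sources)))
    return alerts


def detect_spray_then_success(events, window_s=300, min_failed_users=3):
    """Alert when a source IP fails against >= min_failed_users accounts and then succeeds in window_s."""
    alerts = []
    per_src = defaultdict(deque)                # src -> deque of (ts, result, user)
    for ev in events:
        q = per_src[ev["src"]]
        q.append((ev["ts"], ev["result"], ev["user"]))
        _trim(q, ev["ts"], window_s)
        if ev["result"] == "success":
            failed = {user for _, result, user in q if result == "failure"}
            if len(failed) >= min_failed_users:
                alerts.append(("spray_then_success", ev["src"], ev["user"], sorted(failed)))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_multi_source_logins(evs) + detect_spray_then_success(evs):
        print(alert)
```

Both detections deliberately key on successful authentications: a burst of failures alone is noise, but a success that follows a spray, or a success from an address the account has never used, is what a stolen-but-valid credential looks like in the logs.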