2014: The Year of the Breach? (Industry Perspective)

No matter how good an organization’s security strategy is, attackers will always find a way into a victim’s networks.

While some are calling 2014 the “year of the breach,” it’s probably more accurate to call it the “year of raised awareness of breaches.” You didn’t have to look too hard in the media throughout the year to see that we’re still learning that no matter how good an organization’s security strategy is, or how strong its preventative measures are, attackers will always find a way into a victim’s networks.
The legal repercussions for these bad actors are small or non-existent, but the cost to the economy is huge. A survey conducted by the Ponemon Institute showed that in 2014, the average cost of a compromise was $20.8 million for companies in the financial services sector and $8.6 million for retail stores — more than double the costs in 2013. Moreover, those numbers don’t take into account the damage to companies’ reputations, the costs to card issuers in replacing millions of credit or debit cards, or the sheer inconvenience to the consumer.
We also saw that the password continued to take criticism in the media as an insecure method of protection, most notably following the Apple iCloud attack resulting in the theft of celebrities’ personal photographs. We even saw a well-orchestrated attack where attackers were able to bypass two-factor authentication — arguably the most significant and well-publicized attack against two-factor since the RSA-Lockheed debacle in 2011.
As these events unfolded, I’ve focused on how to use strong authentication to better protect organizations against attackers and detect threats during the authentication process — whether it’s authentication at the perimeter or through single-sign-on access to enterprise and cloud-based applications. Through that lens of access control, here is a roundup of some of the noteworthy events and market trends over the course of the year, along with my take on their import.

Attacks continued on well-known banks, retailers, healthcare organizations, and technology companies. Throughout 2014, we continued to see compromises of many well-known names in the media, with attackers stealing everything from credit and debit card details to health-care records to celebrities’ personal data. The nature of the attacks varied drastically. For example, the attack on J.P. Morgan’s network came via an employee’s personal computer, while the attack against Apple iCloud was suspected to be via a brute force attack against users’ passwords.

My key take-away is we need to accept that attackers are always going to compromise the perimeter and get in. We should focus on stronger forms of authentication that enable us to slow attackers down and restrict their ability to move laterally once they’re inside a victim’s network, as well as when they’re attempting to use valid credentials to gain access externally via methods like VPN.

Two-factor authentication showed its limitations. In the Emmental attacks on Swiss and German banks, attackers used malicious code to scrape SMS one-time passwords (OTPs) off of customers’ Android phones and access their accounts — proving that two-factor authentication is not infallible.

We should try not to throw the baby out with the bathwater and undervalue two-factor authentication just because of this one very sophisticated attack. However, it does demonstrate that additional methods, such as risk-based authentication, need to be considered in conjunction with two-factor methods.
Behavioral analytics: a real replacement for the password? With the publicity around these high-profile compromises, consumer confidence in the traditional password is falling. As a result, everyone is looking for something better, but what is really viable?
The one I’m keeping my eye on is continuous authentication through behavioral analytics. Each of us has a unique pattern in how we use the keyboard, mouse, and touch screens; we can monitor those behaviors to establish a baseline “fingerprint” for each user, and then continually measure that behavior to see if it changes.
While the world is not quite ready to give up the password, I believe that behavioral analytics and continuous authentication is as solid a technology as those more commonly used today in risk-based analysis (such as IP reputation data, geo-velocity calculations, group and user filtering, and geo-fencing) and will see increased adoption in the coming years.
Biometrics is back. For years there has been talk of widespread adoption of biometrics as a form of authentication for the masses, but it’s never really taken off. That’s changing with the new smartphones. Fingerprint readers were introduced in some smartphones in 2013, but 2014 saw much wider adoption: Apple opened up the TouchID API in iOS for application developers to use, and with the advent of Apple Pay, its use will only increase. Samsung’s Pass API became available to Android app developers as well, and PayPal quickly demonstrated that it was an effective way to authorize payments.
Smartphone users are looking to do more with this biometric functionality, while the security community continues to question whether it is “strong enough” to replace the password or PIN. I believe that it’s a good balance of convenience, usability, and security, rather than being a truly “strong” method of authentication.
It’s apparent that we’re going to be playing cat and mouse with attackers for years to come. It’s important to bear in mind that we’re not just talking about malware here. We’re talking about bad actors on a mission to steal our data. We need to thwart them at every turn, not just at the perimeter — without bringing business to a halt in the process. In 2015, I expect to see broader adoption of technologies to supplement or supplant the password, and I look forward to seeing new technologies as well.
New Year, New Cyberattack
2015 will bring new cyberattack trends, including data destruction and more capable hacktivists.
Two attacker behaviors that we’re not accustomed to are mass data destruction and hacktivists with a level of capability that poses a non-trivial threat to organizations. In recent cases, data on hard drives has been overwritten, and users’ machines have been prevented from booting. If data destruction becomes a trend, it heightens the need for improved methods of detection and protection, and arguably will drastically change the way we respond to attacks.
In 2015 we are going to see a rise in products focused on analysis of user behavior — both as an ongoing way of verifying the user’s identity as part of the authentication process, and also as a way of anomaly detection by running activities through various data models to determine the level of risk associated with a particular activity. There is clearly a security visibility gap today that behavioral analysis can fill — the ability to detect bad actors who are already inside your network, moving laterally to complete their mission.
We know that attackers quickly abandon the use of malware, and use legitimate credentials during their mission. Two-factor authentication is an excellent way to protect against this; however, it doesn’t provide any form of detection or protection when an attacker attempts to authenticate. This will change in 2015 as organizations start to realize the value of adaptive authentication provided by the next generation of strong authentication solutions. Using this in conjunction with two-factor authentication adds an additional level of risk analysis to the authentication process, all while leveraging an organization's existing VPN or identity store investment.

SecureAuth Chief Technology Officer Keith Graham

Keith Graham is the Chief Technology Officer for SecureAuth.