Throughout 2019, we suffered breaches. A lot of breaches. Too many breaches. So throughout the year we spoke to authentication experts about them, and gleaned the expert authentication lessons collected below.
Of course, data breaches continue to proliferate because enterprises persist in the belief that they are immune to hacks and attacks. Nothing could be further from the truth. Without an identity management solution serving as your perimeter and principal defense, your enterprise could end up as a headline. Hackers in fact prefer enterprises with legacy identity security precisely because they make easy targets.
Treat the breaches below as models of what not to do. Recent studies indicate customers tend to abandon enterprises after a data breach, and according to Switchfast Technologies, 60 percent of small businesses go out of business after one.
Identity Expert Authentication Lessons From 2019
State Farm Credential Stuffing Attack
“This hack could have been prevented if the company used dynamic identity and access management solutions that can detect potential intrusions. Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access. Fortunately, multifactor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies to defend customer information as well as the rest of their corporate data.
Additionally, people commonly reuse passwords across multiple accounts, which means if a cybercriminal gains access to login information for one account, they can potentially gain access to various accounts for that individual across multiple services. Although State Farm has reset account passwords after hackers gained access to its systems, other accounts for those users could still be in jeopardy. Customers should change their passwords not only for State Farm but across all accounts where that same password may be used. Better yet, they should stop using the same passwords across multiple accounts altogether.”
Verifications.io Database Leak
“Businesses and consumers should always verify and deal with trusted businesses. In today’s digital environment, giving electronic information out about oneself is exposing the individual to a variety of cyber crimes. Credentials can be leveraged by a threat actor for identity theft on a personal level and corporate network infiltration and data exfiltration for businesses.
Enterprises should enable blocking of such malicious sources, which is key to preventing network infiltration and reducing and mitigating the risk of data exfiltration. Corporate policy should govern and prevent the use of their corporate credentials on non-work related sites as well. Education of employees is always the best first line of defense since most breaches are caused by human error.”
The Sprint Breach
“[The Sprint breach] provides yet another wake-up call for any company that still protects their users’ online accounts with a simple username and password. We now live in a zero-trust world thanks to the dark web and near-daily data breaches. Any cybercriminal with limited skills can perpetrate account takeover fraud with ease. Online accounts need to be protected with much stronger forms of biometric-based authentication. This is no longer a nice-to-have feature — it’s a must-have. The good news is that users are now ready for simple face-based biometrics (thanks to Apple’s Face ID). It’s even easier, faster and way more secure than legacy methods of authentication.”
The Chipotle Credential Stuffing Attack
“Credential stuffing [constitutes] the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource. It is a popular technique for attackers looking to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts.
“This swell of consumer account breaches is unfortunately common today and is evidence that our continued reliance on passwords is not sustainable and ultimately fails users. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. The reality is that people will continue to reuse passwords across multiple resources, allowing stolen credentials to have far-reaching consequences like Chipotle customers are experiencing.”
The VFEmail Incident
“This type of attack highlights the significance of having, updating and testing your disaster recovery/business continuity plans frequently and using an established Privileged Access Management solution.
The about page on the website shows a network diagram that includes an offsite backup server attached to the public internet. At this point, I believe we still have more questions than answers.
However, I do believe that the owner gave us a nugget as to how the compromise occurred. Rick Romero stated ‘This was more than a multi-password via ssh exploit.’ So, was this simply a brute force attack? Credential stuffing? Based on his statement, perhaps. Nevertheless, there are some good best practice takeaways from this incident:
- Develop and test your Disaster Recovery Plan.
- Don’t store production and backup data together.
- Have online and offline backups.
- Use Privileged Access Management solutions to automatically rotate your passwords and ssh keys.
- Patch, Patch, Patch.”
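The VFEmail takeaways above turn on one detail: an internet-facing backup host that still accepted password logins over SSH. The following is an added example, not VFEmail's configuration or any code from the original page, that audits an sshd_config for the settings which make "multi-password via ssh" guessing viable, with a constructed weak config beside a hardened one. The OpenSSH defaults and the first-occurrence rule it encodes are real; the host names, users and files are assumptions.

```python
"""Audit an sshd_config for settings that leave an internet-facing host open to
password guessing. Added example with constructed configs; nothing here is
VFEmail's actual configuration."""
import re

# Constructed: the kind of config that makes password guessing over SSH viable.
WEAK_CONFIG = """\
# backup host, reachable from the internet (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 10
PubkeyAuthentication yes
"""

# Constructed: keys only, no root password login, few tries, explicit allow-list.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers backup-operator
"""

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
ALLOWED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    sshd uses the FIRST value given for a keyword, so a hardening line appended
    at the bottom of the file does nothing if a weaker one appears above it.
    Keywords after the first Match line are conditional and are not read here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    settings = effective_settings(text)
    findings = []
    for key, allowed in ALLOWED.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in allowed:
            findings.append(f"{key}={value} (want one of: {', '.join(sorted(allowed))})")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > 4:
        findings.append(f"maxauthtries={tries} (want 4 or fewer)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Two things the checker encodes are worth knowing even without running it: an absent keyword is not a safe keyword (PasswordAuthentication defaults to yes), and the first line wins, so hardening must replace the weak line rather than follow it. Disabling passwords only moves the problem to the keys, which is why the PAM rotation point in the list above still applies.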
The Collections #2-5 Data Leak
“This is moving beyond a technological or cybersecurity argument. The breadth and depth of breaches are making this a humanitarian issue and we need to completely rethink our approach to digital identity and security. We may never be able to move completely away from the username and password, but we can take intermediary steps to make securing digital identity more of a global priority. This starts with encouraging further adoption of two-factor (2FA) and multi-factor authentication (MFA) that incorporates biometrics to help us take back control and protect our identities.
While we have come leaps and bounds in terms of biometric authentication technology, improving the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently not 100% secure. By incorporating hard biometric characteristics like facial recognition, fingerprints and iris scanning along with soft characteristics like how people type, move their mouse or hold their phone, we can start to create security protections both personal and unique to each individual.”
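Compilations like Collections #2-5 have one direct defensive use: rejecting any new password that already appears in them, since a leaked password is the raw material for the stuffing attacks described earlier on this page. The following is an added example, not code from the original page or from any of the quoted experts, showing the k-anonymity range lookup that lets a client do this check without sending the password or its full hash to the lookup service. The corpus is constructed and the service is simulated in-process; the real-world analogue is the Pwned Passwords range API, which uses the same five-hex-character SHA-1 prefix scheme.

```python
"""Check a candidate password against a leaked-credential corpus using a
k-anonymity range lookup, so neither the password nor its full hash leaves the
client. Added example: the corpus is constructed and the lookup service is
simulated in-process."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a compilation like Collections #2-5: password -> times seen.
LEAKED_CORPUS = {
    "password": 3730471,
    "123456": 23547453,
    "qwerty": 3912816,
    "Tr0ub4dor&3": 2,
    "ILoveMyDog2019!": 4,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- service side: index leaked hashes by their first five hex characters ---
def build_range_index(corpus):
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


def range_lookup(index, prefix):
    """What the service returns for a prefix: every suffix sharing it, with counts.
    The service learns only 20 bits of the hash, never which one the client wants."""
    return "\n".join(index.get(prefix.upper(), []))


# --- client side ---
def leaked_count(password, index):
    """Hash locally, send only the prefix, match the suffix against the answer."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password, index, min_len=12):
    """Policy: long enough and never seen in a leak. Length alone is not enough;
    a password that already sits in a dump is guessable however long it is."""
    return len(password) >= min_len and leaked_count(password, index) == 0


RANGE_INDEX = build_range_index(LEAKED_CORPUS)

if __name__ == "__main__":
    for pw in ("password", "ILoveMyDog2019!", "correct horse battery staple"):
        print(f"{pw!r}: seen {leaked_count(pw, RANGE_INDEX)} times, "
              f"acceptable={acceptable(pw, RANGE_INDEX)}")
```

With a toy corpus each prefix bucket holds one or two entries; against a corpus of hundreds of millions of hashes every five-character prefix maps to several hundred suffixes, which is what gives the client its anonymity. The check complements, rather than replaces, the MFA the quote asks for: it keeps a known-leaked password out of the system, while MFA limits the damage when one slips through or is reused elsewhere.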
Thanks to the identity professionals for the expert authentication lessons. For more such expert authentication lessons, be sure to check out our 2019 Identity Management Buyer’s Guide. We cover the top solution providers in the market and their key capabilities.
By Ben Canner