The Best Identity Expert Authentication Lessons from 2019

Throughout 2019, we suffered from breaches. A lot of breaches. Too many breaches. As a result, we spoke to authentication experts throughout the year and gleaned the expert authentication lessons collected below from numerous sources.

Of course, data breaches continue to proliferate because enterprises persist in the belief that they are immune to hacks and attacks. Nothing could be further from the truth. In fact, without an identity management solution to serve as perimeter and principal defense, your enterprise could end up as a headline. Hackers prefer enterprises running legacy identity security precisely because they are easy targets.

Use past breaches as a model of what not to do. Recent studies indicate that customers tend to abandon enterprises after they suffer a data breach. Additionally, according to Switchfast Technologies, 60 percent of small businesses go out of business after a data breach.

Identity Expert Authentication Lessons From 2019

State Farm Credential Stuffing Attack

We reported on the State Farm Credential Stuffing Attack on September 6, 2019. These expert authentication lessons come from Anurag Kahol, CTO of Bitglass.

“This hack could have been prevented if the company used dynamic identity and access management solutions that can detect potential intrusions. Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access. Fortunately, multifactor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies to defend customer information as well as the rest of their corporate data.

Additionally, people commonly reuse passwords across multiple accounts, which means if a cybercriminal gains access to login information for one account, they can potentially gain access to various accounts for that individual across multiple services. Although State Farm has reset account passwords after hackers gained access to its systems, other accounts for those users could still be in jeopardy. Customers should change their passwords not only for State Farm but across all accounts where that same password may be used. Better yet, they should stop using the same passwords across multiple accounts altogether.” 

Verifications.io Database Leak

We reported on the Verifications.io Database Leak on March 29, 2019. These expert authentication lessons come from Byron Rashed, VP of Marketing of Centripetal Networks.

“Businesses and consumers should always verify and deal with trusted businesses. In today’s digital environment, giving electronic information out about one’s self is exposing the individual to a variety of cyber crimes. Credentials can be leveraged by a threat actor for identity theft on a personal level and corporate network infiltration and data exfiltration for businesses.

Enterprises should enable blocking of such malicious sources, which is key to preventing network infiltration and reducing and mitigating the risk of data exfiltration. Corporate policy should govern and prevent the use of their corporate credentials on non-work related sites as well. Education of employees is always the best first line of defense since most breaches are caused by human error.”

The Sprint Breach

We reported on the Sprint Breach on July 17, 2019. These expert authentication lessons come from Robert Prigge, President of Jumio.

“[The Sprint breach] provides yet another wake-up call for any company that still protects their users’ online accounts with a simple username and password. We now live in zero-trust world thanks to the dark web and near-daily data breaches. Any cybercriminal with limited skills can perpetrate account takeover fraud with ease. Online accounts need to be protected with much stronger forms of biometric-based authentication. This is no longer a nice-to-have feature — it’s a must-have. The good news is that users are now ready for simple face-based biometrics (thanks to Apple’s Face ID). It’s even easier, faster and way more secure than legacy methods of authentication.” 

The Chipotle Credential Stuffing Attack

We reported on the Chipotle Credential Stuffing Attack on April 18, 2019. These expert authentication lessons come from Stephen Cox, Chief Security Architect of SecureAuth.

“Credential stuffing [constitutes] the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource. It is a popular technique for attackers looking to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts.

“This swell of consumer account breaches is unfortunately common today and is evidence that our continued reliance on passwords is not sustainable and ultimately fails users. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. The reality is that people will continue to reuse passwords across multiple resources, allowing stolen credentials to have far-reaching consequences like Chipotle customers are experiencing.”
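The pattern Cox describes above (a cache of stolen username/password pairs replayed in an automated fashion) and the behavior-analytics approach Kahol recommends in the State Farm section both rest on the same observation: a stuffing run looks different from a legitimate user mistyping a password. One source tries many distinct usernames in a short window with a high failure rate; a real user retries one username a few times. The following Python script is an added example written for this article, not code from any of the quoted vendors; the log format, the `src=`/`user=`/`result=` fields, the sample lines and the thresholds are all constructed for illustration.

```python
"""Per-source credential-stuffing detector over constructed auth log lines.

Heuristic (a simple UEBA-style rule): flag a source address that, within a
short window, attempts many *distinct* usernames with a high failure rate.
Accounts that nevertheless logged in successfully from a flagged source are
reported so they can be reset, as State Farm did after its incident.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample log (illustrative only; not from any real system).
SAMPLE_LOG = """\
2019-09-06T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-09-06T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-09-06T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2019-09-06T10:00:04Z src=203.0.113.7 user=dave result=SUCCESS
2019-09-06T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2019-09-06T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2019-09-06T10:00:07Z src=203.0.113.7 user=grace result=FAIL
2019-09-06T10:00:08Z src=203.0.113.7 user=heidi result=FAIL
2019-09-06T10:05:00Z src=198.51.100.4 user=bob result=FAIL
2019-09-06T10:05:20Z src=198.51.100.4 user=bob result=FAIL
2019-09-06T10:05:41Z src=198.51.100.4 user=bob result=SUCCESS
2019-09-06T10:09:00Z src=192.0.2.9 user=carol result=SUCCESS
"""

# Assumed log line layout (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


class SourceStats:
    """Running counters for one source address."""

    def __init__(self) -> None:
        self.attempts = 0
        self.failures = 0
        self.users: Set[str] = set()       # distinct usernames tried
        self.succeeded: Set[str] = set()   # usernames that logged in
        self.first: Optional[datetime] = None
        self.last: Optional[datetime] = None


def parse_line(line: str):
    """Return (timestamp, src, user, success) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "SUCCESS"


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Group attempts by source address, skipping malformed lines."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, ok = parsed
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last
    return stats


def detect_credential_stuffing(log_text: str, min_users: int = 5,
                               min_fail_rate: float = 0.6,
                               window_seconds: int = 600) -> List[dict]:
    """Flag sources that try many distinct users, mostly failing, within a window.

    Thresholds are assumed starting points; tune them against your own traffic.
    """
    alerts = []
    for src, s in aggregate(log_text).items():
        span = (s.last - s.first).total_seconds()
        fail_rate = s.failures / s.attempts
        if (len(s.users) >= min_users and fail_rate >= min_fail_rate
                and span <= window_seconds):
            alerts.append({
                "src": src,
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "failures": s.failures,
                "accounts_to_reset": sorted(s.succeeded),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, only 203.0.113.7 is flagged: eight distinct usernames in seven seconds with seven failures, and one successful login (`dave`) that should be treated as a compromised account and reset. The user retrying `bob` three times from 198.51.100.4 is not flagged, because the rule keys on distinct usernames per source rather than on failure count alone; that distinction is what keeps a lockout-style rule from punishing legitimate users while still catching replay of a stolen credential cache.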

The VFEmail Incident

We reported on the VFEmail Incident on February 12, 2019. These expert authentication lessons come from Terence Jackson, Chief Information Security Officer of Thycotic.

“This type of attack highlights the significance of having, updating and testing your disaster recovery/business continuity plans frequently and using an established Privileged Access Management solution.

The about page on the website shows a network diagram that includes an offsite backup server attached to the public internet. At this point, I believe we still have more questions than answers.

However, I do believe that the owner gave us a nugget as to how the compromise occurred. Rick Romero stated ‘This was more than a multi-password via ssh exploit.’ So, was this simply a Brute Force attack? Credential Stuffing? Based on his statement, perhaps. Nevertheless, there are some good best practice takeaways from this incident:

1. Develop and test your Disaster Recovery Plan.
2. Don’t store production and backup data together.
3. Have online and offline backups.
4. Use Privileged Access Management solutions to automatically rotate your passwords and ssh keys.
5. Patch, Patch, Patch.”

The Collections #2-5 Data Leak

We reported on the Leak of Collections #2-5 on January 31, 2019. These expert authentication lessons come from Sarah Whipp, CMO and Head of Go-To-Market Strategy at Callsign.

“This is moving beyond a technological or cybersecurity argument. The breadth and depth of breaches are making this a humanitarian issue and we need to completely rethink our approach to digital identity and security. We may never be able to move completely away from the username and password, but we can take intermediary steps to make securing digital identity more of a global priority. This starts with encouraging further adoption of two-factor (2FA) and multi-factor authentication (MFA) that incorporates biometrics to help us take back control and protect our identities.

While we have come leaps and bounds in terms of biometric authentication technology, improving the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently not 100% secure. By incorporating both hard biometric characteristics like facial recognition, fingerprints and iris scanning; along with soft characteristics like how people type, move their mouse or hold their phone, we can start to create security protections both personal and unique to each individual.”

Thanks to the identity professionals for these expert authentication lessons. For more, be sure to check out our 2019 Identity Management Buyer’s Guide, which covers the top solution providers in the market and their key capabilities.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.