New attack against the RADIUS authentication protocol:

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

This is one of those vulnerabilities that comes with a cool name, its own website, and a logo.

News article. Research paper.
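To make the security-relevant point concrete: a RADIUS client accepts an Access-Accept if the 16-byte Response Authenticator (RFC 2865) matches MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and that MD5 construction is what Blast-RADIUS forges; the keyed HMAC-MD5 Message-Authenticator attribute (RFC 2869) is not affected, which is why the published mitigation is to require it on every response. The Python below is an added illustration, not code from the post or the paper: it builds and verifies both checks, shows that a client which tolerates a missing Message-Authenticator still relies on the MD5 check alone, and that a naive Code flip from Reject to Accept fails. The shared secret, identifier and Request Authenticator are constructed sample values.

```python
"""RADIUS response checks from RFC 2865 / RFC 2869 (added illustration)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME = 1                # attribute type 1
MESSAGE_AUTHENTICATOR = 80   # attribute type 80 (RFC 2869 section 5.14)
HEADER_LEN = 20              # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS TLVs; the length octet covers type and length too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def header(code, ident, attr_bytes, authenticator):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes)) + authenticator


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    In the base protocol this unkeyed-hash-plus-secret is the only integrity check on a response."""
    return hashlib.md5(header(code, ident, attr_bytes, request_auth) + attr_bytes + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the packet, with the
    Message-Authenticator value zeroed and, for responses, the Request Authenticator
    placed in the Authenticator field."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    attr_bytes = encode_attrs(zeroed)
    msg = header(code, ident, attr_bytes, request_auth) + attr_bytes
    return hmac.new(secret, msg, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side. with_ma=False mimics a legacy server that omits Message-Authenticator."""
    attrs = list(attrs)
    if with_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    attr_bytes = encode_attrs(attrs)
    resp_auth = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    return header(code, ident, attr_bytes, resp_auth) + attr_bytes


def verify_response(packet, ident, request_auth, secret, require_ma):
    """Client side. Returns True only if the response is acceptable."""
    if len(packet) < HEADER_LEN:
        return False
    code, pkt_ident, length = struct.unpack("!BBH", packet[:4])
    if pkt_ident != ident or length != len(packet):
        return False
    attr_bytes = packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return False
    try:
        attrs = decode_attrs(attr_bytes)
    except ValueError:
        return False
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        return not require_ma   # lenient clients fall back to the MD5 check alone
    return hmac.compare_digest(mas[0], message_authenticator(code, ident, request_auth, attrs, secret))


def demo():
    secret = b"constructed-shared-secret"      # constructed sample value
    ident = 0x2A
    request_auth = bytes(range(16))            # constructed; real clients use 16 random octets
    accept = build_response(ACCESS_ACCEPT, ident, request_auth, [(USER_NAME, b"alice")], secret)
    legacy = build_response(ACCESS_ACCEPT, ident, request_auth, [(USER_NAME, b"alice")], secret,
                            with_ma=False)
    reject = build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]   # MITM rewrites only the Code octet
    return {
        "genuine_lenient": verify_response(accept, ident, request_auth, secret, require_ma=False),
        "genuine_strict": verify_response(accept, ident, request_auth, secret, require_ma=True),
        "no_ma_lenient": verify_response(legacy, ident, request_auth, secret, require_ma=False),
        "no_ma_strict": verify_response(legacy, ident, request_auth, secret, require_ma=True),
        "flipped_code": verify_response(flipped, ident, request_auth, secret, require_ma=False),
    }


if __name__ == "__main__":
    print(demo())
```

The `no_ma_lenient` case is the one to look at: a client that accepts responses without a Message-Authenticator has nothing but the MD5 Response Authenticator standing between it and a forged Accept, so enforcing `require_ma=True` on the client (and emitting the attribute on the server) is the configuration change to make.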

[By Gal Helemski, co-founder and CTO at PlainID]

There has been a substantial trend toward improving authorization capabilities and controls. Policy-Based Access Control (PBAC), provided by advanced authorization and access control systems, is progressively displacing more basic and traditional approaches such as Access Control Lists (ACL) and Role-Based Access Control (RBAC).

PBAC is a substantial advance in authorization control. It builds on the frameworks established by its predecessors, adds flexibility, takes a more holistic approach, and incorporates the strengths of each earlier model while addressing their limitations.

The Evolution of PBAC

Even though it has been on the market for over 30 years, the typical RBAC management solution is complex and inflexible. Because of the intricacies of these solutions, a significant amount of IT resources is invested in getting access controls and permissions right.
Role-Based Access Control is a coarse-grained technique in which access is static and granted simply on the basis of groupings of permissions. As the organization grows, keeping track of the increasing number of changing user roles, and of the combinations that need to be supported, becomes practically impossible, resulting in the well-known "role explosion" problem.

Attribute-Based Access Control (ABAC) is a finer-grained technique that grants access based on combinations of attributes. However, it is considered a localized and highly technical solution, and it still requires significant investment.

As both approaches are still in use, Policy-Based Access Control takes the best of both techniques and makes it accessible and visible. PBAC can evaluate both roles and attributes of the user, the asset and the environment, providing finer-grained access control and better management capabilities. PBAC approaches often allow policies to be expressed in plain language, bridging the gap between the app owners and dev

These capabilities have become increasingly important as organizations require more flexible access controls over company resources to support their growing business objectives.

Top Reasons to Consider PBAC

  • Authorization Control Efficiency: PBAC provides an efficient method of managing authorization controls. Organizations can design and enforce access restrictions centrally by leveraging policy-based procedures, reducing complexity and maintaining consistency across systems.
  • Simplified Development Lifecycle: The development cycle is simplified by PBAC's policy-as-code methodology. Policy is developed and controlled as code, which makes version control, testing and deployment of authorization rules easier. This streamlined procedure improves agility and shortens application time to market.
  • Real-Time Authorization Decisions: PBAC allows dynamic, real-time authorization decisions based on contextual information. By considering user attributes, resource properties and environmental variables, PBAC ensures that access is granted or refused at a highly granular level.
  • Enhanced Visibility: PBAC improves visibility by providing insight into the reasons behind access decisions. Organizations can learn why a specific access request was authorized or rejected, which helps with auditing, compliance and governance activities. Transparency improves accountability and allows for better decision-making.
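The following Python is an added example (not code from PlainID or from this article) of the three points above in one place: policies are code, each decision is evaluated at request time over subject, resource and environment attributes, and the result carries the names of the policies that matched so the "why" can be logged. The subjects, resources, environments and policy rules are constructed for the illustration; a real engine would load policies from a store rather than define them inline.

```python
"""Minimal policy-based access control (PBAC) evaluator with decision reasons (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject: Dict       # who: id, roles, region
    action: str         # read / write / delete
    resource: Dict      # what: type, owner, region, classification
    environment: Dict   # when/where: hour, network


@dataclass
class Policy:
    name: str
    effect: str                      # "allow" or "deny"
    applies: Callable[[Request], bool]


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: a matching deny always wins, an allow needs at least one
    matching allow policy, and nothing matching is a default deny. The matched policy
    names are returned so every decision can be explained and audited."""
    allows = [p.name for p in policies if p.effect == "allow" and p.applies(req)]
    denies = [p.name for p in policies if p.effect == "deny" and p.applies(req)]
    if denies:
        return "deny", denies
    if allows:
        return "allow", allows
    return "deny", ["default-deny"]


# One rule over attributes replaces a role per (region x report type) combination,
# which is the "role explosion" RBAC runs into as regions and types multiply.
POLICIES = [
    Policy("owner-full-control", "allow",
           lambda r: r.subject["id"] == r.resource["owner"]),
    Policy("analyst-reads-reports-in-own-region", "allow",
           lambda r: "analyst" in r.subject["roles"]
           and r.action == "read"
           and r.resource["type"] == "report"
           and r.resource["region"] == r.subject["region"]),
    Policy("restricted-needs-corp-network-and-business-hours", "deny",
           lambda r: r.resource["classification"] == "restricted"
           and not (r.environment["network"] == "corp" and 9 <= r.environment["hour"] < 18)),
]


def demo():
    # Constructed sample subjects, resources and environments.
    emea_report = {"type": "report", "owner": "bob", "region": "emea", "classification": "internal"}
    apac_report = {"type": "report", "owner": "bob", "region": "apac", "classification": "internal"}
    restricted = {"type": "report", "owner": "bob", "region": "emea", "classification": "restricted"}
    alice = {"id": "alice", "roles": ["analyst"], "region": "emea"}
    bob = {"id": "bob", "roles": [], "region": "apac"}
    office = {"network": "corp", "hour": 10}
    home_night = {"network": "home", "hour": 23}
    return {
        "own_region": evaluate(POLICIES, Request(alice, "read", emea_report, office)),
        "other_region": evaluate(POLICIES, Request(alice, "read", apac_report, office)),
        "restricted_offsite": evaluate(POLICIES, Request(alice, "read", restricted, home_night)),
        "restricted_onsite": evaluate(POLICIES, Request(alice, "read", restricted, office)),
        "owner_write": evaluate(POLICIES, Request(bob, "write", apac_report, home_night)),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} ({', '.join(reasons)})")
```

The deny-overrides combining rule and the default deny are the two design choices worth carrying into any real engine: an attacker who finds a gap in the allow rules should land on "default-deny", and an explicit deny must not be cancelled by an unrelated allow.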

PBAC is an essential milestone in authorization controls and provides several benefits to enterprises. Its capacity to provide access restrictions, a more streamlined lifecycle and a clearer decision-making process makes it a significant tool in today's cybersecurity landscape. Remember that without policies, all access is an exception; having well-defined and well-implemented policies to manage access is therefore critical. Organizations can strengthen their security posture and ensure seamless access management by embracing PBAC. In an ever-changing landscape, PBAC is a testament to the continual innovation required to combat future threats to your organization.

The post The Evolution of Authorization Controls: Exploring PBAC and Its Benefits appeared first on Cybersecurity Insiders.

New attack breaks forward secrecy in Bluetooth.

Three news articles:

BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices.

This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC).

Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications.

The vulnerability has been around for at least a decade.

Alex Laurie, SVP Global Sales Engineering at Ping Identity

Passwords have been with us for decades. The problem is that people have far too many to remember – does this one have a capital letter, a number or a special character? Often, we don’t know. So, we delegate responsibility to a password manager and then get frustrated again when forms don’t auto-fill.

While frustrating, passwords are also the gateway to billions of dollars of fraud each year. We can’t continue on this path where demanding ever more complex passwords people can’t remember becomes the only way to access services.

Google estimated in 2019 that multi-factor authentication (MFA) on-device prompts prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks by hackers trying to log in as you. It has been a great success. But criminals adapted, and we are currently seeing breaches which prove, once again, that we're falling behind the bad guys in the quest for security. And, while MFA works, a user receiving hundreds of authentication prompts during an attack only needs to click the wrong button once for an attacker to gain access.

It's time these issues were removed with a passwordless approach. This entails a user setting up their account once, and then the system using a range of methods such as push notifications, one-time passwords and biometrics to gauge whether a login attempt is genuine. Thanks to AI innovations, this is a very real, and accurate, possibility for organisations.

So how does passwordless authentication work in practice? Instead of relying on something you know, like a password which is the name of your first pet, the system works on something you are (e.g., your face or fingerprint) or something you have (e.g., a smartphone to receive a prompt).

More advanced passwordless authenticators use signals and behavioural insights to analyse the likelihood of an authentic login and send the right type of prompt to the user. These signals could be your location, IP address or approved device MAC address. Behaviours would include user preferences and choices. For instance, are you logging in at the time you usually do, on a browser you always use? How are you typing or using the mouse (this signal easily filters out bots)? Are you trying to access company resources you haven't accessed before?

By combining and analysing these readings, the passwordless system gives each user/login attempt a risk score. If a threshold is breached, either a prompt is sent to check that it's a genuine login attempt, or the session is closed completely and the user signed out.
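As an added illustration of the scoring described above (this is example code, not Ping Identity's engine), the Python below turns a handful of signals into a score, maps the score to allow / prompt / deny, and, because the earlier point about users facing hundreds of prompts matters, rate-limits how many push prompts one account can receive in a window so that an attacker cannot simply keep prompting until the user taps approve. The weights, thresholds, window and the user profile are constructed assumptions; a real deployment tunes them from its own telemetry.

```python
"""Risk-scored passwordless login decisions with prompt rate limiting (added illustration)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Profile:
    """What the system has learned about a user's normal logins."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                                  # local hours the user normally logs in
    prompts_sent: List[int] = field(default_factory=list)   # epoch minutes of recent push prompts


@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int
    minute_now: int                 # epoch minutes, used for the prompt rate limit
    typing_cadence_ms: List[int]    # inter-key intervals on the username field; empty for scripts
    resource_seen_before: bool


# Constructed weights and thresholds for the illustration.
WEIGHTS = {"unknown_device": 40, "unusual_country": 30, "unusual_hour": 10,
           "no_human_typing": 35, "new_resource": 15}
STEP_UP_AT, BLOCK_AT = 30, 80
MAX_PROMPTS_PER_WINDOW, WINDOW_MINUTES = 3, 10


def looks_scripted(intervals: List[int]) -> bool:
    """Humans produce jittery inter-key timings; scripted input is absent or near-constant."""
    if len(intervals) < 4:
        return True
    return max(intervals) - min(intervals) < 5


def score(profile: Profile, attempt: Attempt) -> Tuple[int, List[str]]:
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if looks_scripted(attempt.typing_cadence_ms):
        reasons.append("no_human_typing")
    if not attempt.resource_seen_before:
        reasons.append("new_resource")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: Profile, attempt: Attempt) -> Tuple[str, int, List[str]]:
    """Returns (allow | prompt | deny, score, reasons). Prompts are rate-limited so that an
    attacker holding a password cannot spam push notifications (MFA fatigue)."""
    total, reasons = score(profile, attempt)
    if total >= BLOCK_AT:
        return "deny", total, reasons
    if total >= STEP_UP_AT:
        recent = [t for t in profile.prompts_sent if attempt.minute_now - t < WINDOW_MINUTES]
        if len(recent) >= MAX_PROMPTS_PER_WINDOW:
            return "deny", total, reasons + ["prompt_rate_limited"]
        profile.prompts_sent = recent + [attempt.minute_now]
        return "prompt", total, reasons
    return "allow", total, reasons


def demo():
    alice = Profile({"laptop-7f3a"}, {"GB"}, range(8, 19))       # constructed profile
    human = [110, 95, 140, 88, 120]                               # constructed cadence sample
    usual = Attempt("laptop-7f3a", "GB", 9, 1000, human, True)
    travelling = Attempt("laptop-7f3a", "FR", 9, 1001, human, True)   # 30 -> step-up prompt
    bot = Attempt("scan-001", "RU", 3, 1002, [], False)               # 130 -> deny outright
    results = {"usual": decide(alice, usual)[0],
               "travelling": decide(alice, travelling)[0],
               "bot": decide(alice, bot)[0]}
    # MFA fatigue: the same step-up case repeated inside the window; the 4th prompt is refused
    results["fatigue"] = [decide(alice, Attempt("laptop-7f3a", "FR", 9, 1003 + i, human, True))[0]
                          for i in range(3)]
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the rate limit is keyed on the account, not on the attacker's IP, because a prompt-bombing campaign typically comes from many addresses; once the limit trips, the right response is to deny and alert rather than to keep asking.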

The challenge, however, is there is no one-size-fits-all approach to passwordless. As it is new to many, companies must evaluate their own fraud and risk priorities before implementing it. Here, one of the most useful things an organisation can do is to develop their software services using accepted standards like SAML and OAuth and OpenID Connect. FIDO2 WebAuthn has also become popular, partly because of its adoption by Apple, Google, and Microsoft as well as the makers of several popular devices, browsers, and operating systems. Once the preparation has been done, a company can then design authentication journeys that balance security and login friction for employees, suppliers and customers. Of course, during rollout, it is critical not to disable existing authentication methods until enough telemetry has been collected to surface emerging issues. You must not go unprotected.

AI is core to the experience. It enables models to learn from each login attempt and refine every user's profile. These models already help banks with transactions and with identifying whether customers are abroad, and now they are helping stop bad actors from gaining access to systems and resources they shouldn't.

When it comes to fraud, there will always be a weak link – people. To help mitigate against this we need to ensure they’re not relied upon too heavily, meaning passwords should be retired as soon as possible. Attackers use stolen credentials more than phishing or exploiting a vulnerability to access companies, according to Verizon. This alone should be enough to push us towards passwordless.

The identity and access management industry is working to put the standards in place so this change can happen quickly and be deployed across a wide range of enterprise and consumer applications. Fraud prevention technology folded into the authentication experience is the way for organisations to stop fraudsters in their tracks when they are duping people and companies out of their money and secrets.

The post Why we need to make passwords a thing of the past appeared first on Cybersecurity Insiders.

They’re not that good:

Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Details.

Signal has had the ability to manually authenticate another account for years. iMessage is getting it:

The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are. (SMS conversations lack any reliable method for verification­—sorry, green-bubble friends.) Instead of relying on Apple to verify the other person’s identity using information stored securely on Apple’s servers, you and the other party read a short verification code to each other, either in person or on a phone call. Once you’ve validated the conversation, your devices maintain a chain of trust in which neither you nor the other person has given any private encryption information to each other or Apple. If anything changes in the encryption keys each of you verified, the Messages app will notice and provide an alert or warning.
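The paragraph above describes two mechanisms: a short code both parties compute from their public identity keys and compare out of band, and a pinned-key store that raises an alert when a contact's key changes. The Python below is an added sketch of both (not Apple's or Signal's implementation, which use their own key types and code formats): the code is derived from both keys in a fixed order so either side computes the same value, and the store tracks new / verified / changed states so that a substituted key is never treated as verified until the code is read again. The "identity keys" are constructed stand-in byte strings.

```python
"""Safety-number style contact verification and key-change detection (added illustration)."""
import hashlib
from typing import Dict


def verification_code(my_key: bytes, their_key: bytes, digits: int = 30) -> str:
    """A short code both parties can read aloud. Sorting the two public keys before hashing
    makes the value order-independent, so neither side has to send anything to agree on it."""
    first, second = sorted([my_key, their_key])
    digest = hashlib.sha256(b"contact-key-verification-v1" + first + second).digest()
    number = int.from_bytes(digest, "big") % (10 ** digits)
    code = f"{number:0{digits}d}"
    return " ".join(code[i:i + 5] for i in range(0, digits, 5))


class ContactKeyStore:
    """Trust-on-first-use pinning plus explicit verification. observe() returns the status of
    the key just seen: 'new', 'unchanged', 'verified' (unchanged and confirmed by the user),
    or 'changed' (differs from the pin: warn, and drop the verified flag)."""

    def __init__(self):
        self.pinned: Dict[str, bytes] = {}
        self.verified: Dict[str, bool] = {}

    def observe(self, contact: str, key: bytes) -> str:
        if contact not in self.pinned:
            self.pinned[contact] = key
            self.verified[contact] = False
            return "new"
        if key == self.pinned[contact]:
            return "verified" if self.verified[contact] else "unchanged"
        self.pinned[contact] = key         # remember the new key, but it is no longer trusted
        self.verified[contact] = False
        return "changed"

    def mark_verified(self, contact: str, my_key: bytes, spoken_code: str) -> bool:
        """Flag the contact verified only if the code they read aloud matches the one we
        compute from the key we actually hold for them."""
        ok = spoken_code == verification_code(my_key, self.pinned[contact])
        self.verified[contact] = ok
        return ok


def demo():
    # Constructed stand-ins for public identity keys.
    alice_key = hashlib.sha256(b"alice-identity-key").digest()
    bob_key = hashlib.sha256(b"bob-identity-key").digest()
    mitm_key = hashlib.sha256(b"attacker-identity-key").digest()

    alice_store = ContactKeyStore()
    statuses = [alice_store.observe("bob", bob_key)]                  # new
    code_bob_reads = verification_code(bob_key, alice_key)            # Bob computes on his side
    verified = alice_store.mark_verified("bob", alice_key, code_bob_reads)
    statuses.append(alice_store.observe("bob", bob_key))              # verified
    statuses.append(alice_store.observe("bob", mitm_key))             # changed: key substituted
    statuses.append(alice_store.observe("bob", mitm_key))             # unchanged, but not verified
    # Bob's genuine code no longer matches the substituted key, so re-verification fails.
    reverify = alice_store.mark_verified("bob", alice_key, code_bob_reads)
    return {"statuses": statuses, "verified": verified,
            "symmetric": verification_code(alice_key, bob_key) == code_bob_reads,
            "reverify_after_mitm": reverify}


if __name__ == "__main__":
    print(demo())
```

The property that matters is the last one: after a key substitution, the code the real contact reads out stops matching, which is exactly the signal a man-in-the-middle cannot suppress without also controlling the phone call or in-person comparison.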

Compromised credentials stand as the predominant cause of data breaches, underscoring the urgency for organizations to bolster their defenses. It’s crucial to acknowledge that, often, the only barrier separating an attacker from an organization’s most precious resources is the strength and security of its passwords. These compromised passwords not only pose a security risk but also jeopardize regulatory compliance, leading to potential operational and reputational damage.

Enzoic for Active Directory addresses this pressing issue head-on. It enhances initial and ongoing password security to meet compliance standards like NIST SP 800-63B, thereby mitigating risks and elevating an organization's overall security stance. This solution review explores how Enzoic serves as a foundational tool for organizations, focusing on an often-underestimated vector of cyber vulnerability.

What negative consequences have organizations experienced due to unauthorized access to sensitive data, applications, or systems in the past 12 months? In the State of Authentication Security Report, cybersecurity professionals reported that the reallocation of IT resources for incident response and remediation was the most immediate negative impact (28%), followed by system or service downtime (26%) and increased helpdesk workload (24%).

Enzoic for Active Directory goes beyond traditional password filters and security measures by offering a real-time, dynamic solution for maintaining password integrity within an Active Directory (AD) environment. By integrating directly with your existing AD infrastructure, it offers an additional layer of security that is often missing. What sets it apart is the power of an in-house threat intelligence team backed by machine learning, which continuously updates a massive database of compromised credentials.

Traditional password controls, such as the password policies in Microsoft Entra ID, typically focus on enforcing strong password rules at the time a password is created, but they often miss the forest for the trees. The real issue is keeping up with the ever-changing landscape of compromised credentials, and this is where Enzoic shines. Its solution fills a critical gap by continuously monitoring and validating not just newly set passwords but also existing ones, thus securing the foundational layer of your cybersecurity framework. This capability is a prerequisite for meeting leading compliance standards.

KEY FEATURES

Enzoic offers a cutting-edge solution for safeguarding your credentials with a range of exceptional features. Let’s explore how Enzoic stands out with continuous credential security, broad threat intelligence, and a seamless user experience.

1 – Continuous Credential Security: Enzoic sets itself apart by offering continuous screening against a database containing billions of compromised username and password pairs found on the Dark Web. This not only addresses newly created passwords but also identifies and remediates any existing vulnerable passwords that become compromised over time.

2 – Expansive Threat Intelligence: A dedicated in-house threat research team utilizes proprietary, powerful tools to scour the surface internet and Dark Web. This allows Enzoic to capture the most in-depth data sets, making its threat detection one of the most robust in the market. Moreover, this database is continually updated, ensuring that users can remediate swiftly before breaches occur.

3 – Great User Experience: While some solutions add friction at the user and admin level by incorporating more layers of authentication, Enzoic operates invisibly behind the scenes. This not only enables users to select stronger, more secure passwords but also reduces the workload for help desk support.

KEY BENEFITS

Enzoic’s continuous scanning and automated alerting system ensures that compromised or weak passwords are identified in real time. This contributes to a tangible enhancement in the overall security posture, fulfilling both compliance requirements and internal security benchmarks. The real power of Enzoic for Active Directory is in its simplicity and efficiency.

Within minutes of deployment, it starts offering:

• Streamlined Compliance: Companies striving to meet NIST SP 800-63B, HITRUST, or other leading industry compliance standards can automatically enforce compliance within their environment using Enzoic.

• Proactive ATO Prevention: By continuously monitoring passwords against a live database, Enzoic actively prevents Account Takeover (ATO) attacks, one of the leading causes of data breaches.

• Audit Efficiency: Real-time reports and alerting make it significantly easier to comply with auditing requirements.

• Resource Optimization: By automating the most labor-intensive aspects of password security, IT departments find a significant reduction in the time and resources needed for maintenance.

SOLUTION DELIVERY

The Enzoic solution is offered as a software-based plugin that integrates seamlessly into existing AD Domain Controllers. Optional endpoint agents are also available that provide users with specific instructions during password resets. If a user attempts to set a password that doesn’t meet policy requirements, they are guided on what adjustments need to be made for their password to align with policy, thereby enhancing the user experience and ensuring compliance.

In most cases, Enzoic for Active Directory can be up and running in under an hour, a testament to its user-friendly design. Enzoic for Active Directory operates on a subscription model, including a self-serve option with a free startup plan covering up to 20 users. The subscription cost is directly tied to the number of accounts that need protection. For specific pricing, refer to the official pricing page.

FINAL THOUGHTS

In a rapidly evolving cybersecurity landscape, Enzoic for Active Directory offers an agile, robust, and user-friendly solution to the ever-present challenge of compromised credentials. Its standout features like continuous credential security, expansive threat intelligence, and a minimalistic approach to user experience make it a highly recommended choice for any organization looking to fortify its first line of defense—passwords.

ABOUT ENZOIC

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through threat intelligence monitoring. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed passwords, credentials, and PII to identify accounts at risk and mitigate unauthorized access.

Learn more about Enzoic at: info@enzoic.com | www.enzoic.com

The post SOLUTION REVIEW: Enzoic for Active Directory appeared first on Cybersecurity Insiders.

By Mike Greene, CEO, Enzoic

Companies are evaluating artificial intelligence and other emerging technologies to combat cyber threats, with IDC predicting the AI cyber security market will top $46 billion by 2027.

While there are numerous vendors clamoring to capitalize on this spending, it’s a mistake for companies to assume these technologies are the quickest path to protection against cyber threats.

In fact, Verizon’s 2023 Data Breach Investigations Report (DBIR) found once again that the top methods employed by threat actors exploit the most basic security measures. As the DBIR authors put it, “…exploiting vulnerabilities, using stolen credentials and phishing are very similar to previous years’ findings, and let’s face it, they are straight out of InfoSec 101.”

This begs the question, what should organizations be doing to strengthen foundational security? Some of the most pressing considerations include:

Protecting the Password Layer: Stolen credentials were the chief means by which hackers infiltrated organizations, with their use involved in 86% of the breaches studied. The challenge with password security comes down to human behavior.

Born out of a desire for convenience and efficiency, people typically select simple, easy-to-remember passwords and employ them across numerous accounts and services. One study found that employees reuse a single password an average of 13 times.

Companies have historically attempted to address credential security by enforcing complexity requirements, periodic resets, and similar practices, yet the password vulnerability problem persists. In fact, NIST now recommends against many of these approaches, advising instead that companies screen for exposure against an updated list of compromised or easy-to-guess credentials. It’s imperative that organizations overhaul their authentication security through credential screening and other modern practices if they wish to eliminate passwords as a threat vector.

A related security misstep is falsely believing that MFA offers complete protection. While it’s an important consideration as part of a layered security approach, it’s no magic bullet—as evidenced by Microsoft’s warning late last year over hackers finding ways to bypass it. According to NIST, using MFA does not negate the need to maintain an updated list of compromised passwords and use this list to enforce strong credentials throughout the organization. It’s critical that more companies embrace this approach; otherwise, viewing it as comprehensive authentication protection will continue to leave a door open to threat actors.

Avoiding the Phishing Line: Phishing is another persistent problem identified by the DBIR. Campaigns have grown increasingly sophisticated in recent years, with a KnowBe4 report finding that 33% of employees are likely to fall for these scams.

Organizations need a combination of technology and training to combat these threats; according to KnowBe4, the latter can help reduce the likelihood of falling victim to a scam by 83%. While phishing awareness programs may not receive top prioritization on the average security budget, investing resources in this area can help reduce it as a threat vector.

Deploying web filters to stop employees from accessing malicious websites is another key step. In addition, it’s important to ensure that internet browsers, apps, and operating system software are all kept current with the latest security patches and updates. Finally, companies should confirm that regular backups are scheduled to help recover data should a successful phishing scam occur.

Protecting the Expanding Endpoint: With a recent report finding that 79% of IT teams have witnessed an increase in endpoint security breaches, detecting these threats is another foundational element companies can’t afford to ignore. The hybrid work environment contributes to the challenge, as the perimeter is extended by more employees using their devices for work.

Every personal computer, tablet or smartphone represents a potential entry point that hackers could exploit to access sensitive corporate data or conduct a range of other nefarious activities. That’s why it’s critical that endpoint security strategies address every type of operating system on the company’s network, not just the traditional Windows or Linux options.

In addition to OS concerns, other critical endpoints include servers, printers, IoT devices, and point-of-sale systems. Essential security measures to protect these include encryption, intrusion detection tools, device firewalls, and application controls. Organizations must ensure they have the right strategies and tools in place to protect the expanding endpoint and stay a step ahead of hackers.

Security from the Bottom Up 

You can’t build a resilient house without a strong foundation and the same is true for enterprise security. The latest AI solutions will ultimately fail to deliver on their potential until companies address the basics. Now more than ever, it’s imperative that organizations ensure that foundational security elements are permanently eliminated as a threat vector.


The post Foundational Security is the Enterprise’s Weakest Link appeared first on Cybersecurity Insiders.

Cyber threats have grown increasingly sophisticated in recent years; an expanding attack surface, today's hybrid work environment and new vulnerabilities introduced by the IoT are a few of the challenges. Despite this evolving landscape, most organizations have yet to modernize their authentication security to effectively prevent password-based attacks and related vulnerabilities. With the most recent DBIR finding that compromised credentials are behind more than 50% of breaches, it's imperative that companies act now to bolster authentication security.

To understand more about this issue, Enzoic recently commissioned a survey of over 480 cybersecurity professionals. The State of Authentication Security Report underscores that, despite the passwordless hype, username and password combinations remain the primary authentication mechanism, with nearly 70% of companies utilizing this method. By contrast, only 12% of organizations are deploying passwordless strategies.

Legacy Approaches Weakening Password Security

Unfortunately, many companies are failing to evolve password management to reflect the current threat landscape. What’s more, the majority of those surveyed continue to follow legacy practices that have actually been found to weaken credential security.

For example, 74% of companies require forced resets every 90 days or less. Not only does this generate more work for employees and IT alike, it also fails to align with NIST's updated password policy recommendations. NIST, along with Microsoft and other leading organizations, has found that employees faced with frequent resets typically select easy-to-remember credentials or swap out one letter or character, resulting in a weak credential that threat actors can easily exploit.

The Dark Web Dilemma

Password reuse is another problem contributing to authentication security challenges, with Google finding that employees reuse a single password an average of 13 different times. The volume of breaches means that the Dark Web has become a treasure trove of this information; hackers can easily find and obtain lists of compromised credentials to fuel ongoing password-based attacks.

Our research highlights that most companies are aware of this vulnerability, with 84% of respondents concerned about weak and compromised passwords. However, many fail to grasp the extent of the threat: 46% estimate that less than one fifth of their passwords could be found on the Dark Web, while another 26% are unsure what percentage might be available there.

The Case for Credential Screening

This underscores the importance of modernizing authentication security to incorporate screening for compromised credentials, something that less than half of the respondents in our survey are currently doing. Enzoic helps companies protect against this threat by screening password and username combinations against its proprietary database of billions of exposed credentials. We maintain that database using a combination of proprietary automated processes, submitted contributions, and research from our threat intelligence team. Because the database is automatically updated multiple times per day, organizations can be assured that their password security reflects the latest breach intelligence.
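The NIST SP 800-63B guidance referred to in the earlier piece (screen new passwords against a list of compromised or easily guessed values, drop composition rules and scheduled rotation) and the continuous screening described here are easiest to see in code. The Python below is an added illustration, not Enzoic's product or database: it screens a candidate password with a k-anonymity range lookup, in which the client sends only the first five hex characters of SHA-1(password) and matches the suffix locally, applies the other 800-63B checks (length, username and organisation terms, common words with trivial suffixes), and re-screens already-stored hashes when the breach corpus is refreshed. The breach corpus, usernames and stored hashes are constructed samples, the organisation term is an assumed parameter, and SHA-1 stands in for the NT hashes a real Active Directory integration would compare.

```python
"""Compromised-credential screening with a k-anonymity range lookup (added illustration)."""
import hashlib
from typing import Dict, List, Tuple


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Server side of a range query: the client sends a 5-hex-character SHA-1 prefix and
    receives every (suffix, count) in that bucket, so the service never sees a full hash.
    This is the general technique, not a description of any vendor's internals."""

    def __init__(self, corpus: Dict[str, int]):
        self.buckets: Dict[str, List[Tuple[str, int]]] = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets.setdefault(h[:5], []).append((h[5:], count))

    def range(self, prefix: str) -> List[Tuple[str, int]]:
        return list(self.buckets.get(prefix.upper(), []))


def breach_count(service: RangeService, password: str) -> int:
    h = sha1_hex(password)
    return next((c for suffix, c in service.range(h[:5]) if suffix == h[5:]), 0)


COMMON_WORDS = {"password", "qwerty", "letmein", "welcome"}   # constructed mini-dictionary


def screen(service: RangeService, password: str, username: str,
           org_terms=("enzoic",)) -> Tuple[bool, List[str]]:
    """NIST SP 800-63B style checks on a newly chosen password: minimum length, breach corpus,
    dictionary words with trivial suffixes, and context-specific terms (username, organisation).
    Deliberately no composition rules and no expiry. Returns (acceptable, reasons)."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for term in org_terms:
        if term in lowered:
            reasons.append(f"contains organisation term '{term}'")
    if lowered.rstrip("0123456789!@#$%") in COMMON_WORDS:
        reasons.append("common word with trivial suffix")
    n = breach_count(service, password)
    if n:
        reasons.append(f"appears {n} times in the breach corpus")
    return not reasons, reasons


def rescreen(service: RangeService, stored: Dict[str, str]) -> List[str]:
    """Continuous screening: after a corpus refresh, re-check passwords that were fine when set,
    using only their stored hashes. Returns the users who now need a reset."""
    flagged = []
    for user, h in stored.items():
        h = h.upper()
        if any(suffix == h[5:] for suffix, _ in service.range(h[:5])):
            flagged.append(user)
    return flagged


def demo():
    # Constructed breach corpus standing in for a live compromised-credential feed.
    service = RangeService({"password": 9_000_000, "Summer2023!": 12_000, "letmein": 400_000})
    results = {
        "reused_common": screen(service, "Password1", "alice")[1],
        "breached": screen(service, "Summer2023!", "alice")[0],
        "contains_user": screen(service, "alice-rocks-2024", "alice")[0],
        "ok": screen(service, "correct horse battery staple", "alice"),
    }
    stored = {"alice": sha1_hex("correct horse battery staple"),
              "bob": sha1_hex("letmein"),
              "carol": sha1_hex("W1nter!Is-Coming")}
    results["needs_reset"] = rescreen(service, stored)
    # Corpus refresh: Carol's password turns up in a newly published dump.
    refreshed = RangeService({"password": 9_000_000, "letmein": 400_000, "W1nter!Is-Coming": 3})
    results["needs_reset_after_refresh"] = rescreen(refreshed, stored)
    return results


if __name__ == "__main__":
    print(demo())
```

Two practical points the code makes explicit: the range query never transmits the full password hash, so screening does not itself leak the credential, and re-screening works on stored hashes alone, so existing accounts can be checked against each new dump without anyone re-entering a password.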

Another key benefit of our credential screening solution is that it eliminates the IT helpdesk burden of frequent resets and other legacy approaches while offering a more frictionless user experience. Because the screening happens automatically in the background, non-compromised users gain efficient access to their accounts and services. Should a compromise be detected, organizations can automate their response with a range of actions, including the immediate disabling of the account in question.

The Path Forward

While there are many unknowns in cybersecurity, there is one universal truth: hackers will continually hunt for new ways to exploit companies for financial gain and other nefarious purposes. With the DBIR and other studies repeatedly pointing to compromised credentials as a common threat vector, it’s imperative that organizations act today and shore up authentication security.

You can read more about this issue and other findings from the State of Authentication Security Report here.

The post Bringing Authentication Security Out of the Dark Ages appeared first on Cybersecurity Insiders.

Google has consistently prioritized enhancing trust among its users by introducing defensive measures against cyber threats like phishing attacks. Going forward, Workspace administrators can expect an added layer of protection against takeover attempts, as a new safeguard requires approval from two administrators for sensitive actions.

This means that sensitive changes, including those to two-step verification (2SV) settings, take effect only once a second administrator has approved them. This additional barrier blunts social engineering of a single administrator, since compromising one account is no longer enough to succeed.

Initially, this multi-party authorization procedure covers a limited set of Workspace settings, and it will expand to other services based on feedback received from administrators.

In an era where relying solely on passwords is outdated, attackers' cracking tools can recover many 10- to 12-character passwords, even ones mixing alphanumeric and special characters, in well under an hour when they are weak or already leaked. Consequently, bolstering online account security with more sophisticated measures is imperative to fend off prevailing cyber threats.

“This initiative empowers enterprise administrators to fortify their account security through 2SV authentication using Threat Defense Controls,” explained Andy Wen, Director of Product Management at Google Workspace.

It's important to note that Google Workspace provides enterprise functionalities, including tailored email addresses within a domain, pooled Drive storage, and administrative controls for productivity and collaboration tools such as Gmail, Calendar, Contacts, Meet, and Chat. The data within these products is stored directly in Google's cloud and synchronized across geographically separated data centers to ensure data continuity and facilitate disaster recovery. Originally launched as Google Apps in 2006 and renamed G Suite in 2016, it was rebranded as Google Workspace in October 2020.

The post Google allows Workstation actions only with two admin authentication appeared first on Cybersecurity Insiders.