By Mike Greene, CEO, Enzoic

Companies are evaluating artificial intelligence and other emerging technologies to combat cyber threats, with IDC predicting the AI cyber security market will top $46 billion by 2027.

While there are numerous vendors clamoring to capitalize on this spending, it’s a mistake for companies to assume these technologies are the quickest path to protection against cyber threats.

In fact, Verizon’s 2023 Data Breach Investigations Report (DBIR) found once again that the top methods employed by threat actors exploit lapses in the most basic security measures. As the DBIR authors put it, “…exploiting vulnerabilities, using stolen credentials and phishing are very similar to previous years’ findings, and let’s face it, they are straight out of InfoSec 101.”

This raises the question: what should organizations be doing to strengthen foundational security? Some of the most pressing considerations include:

Protecting the Password Layer: Stolen credentials remain the chief means by which attackers infiltrate organizations, with their use involved in 86% of the breaches studied. The challenge with password security comes down to human behavior.

Born out of a desire for convenience and efficiency, people typically select simple, easy-to-remember passwords and employ them across numerous accounts and services. One study found that employees reuse a single password an average of 13 times.

Companies have historically tried to address credential security with complexity requirements, periodic resets, and similar rules, yet the password problem persists. NIST’s current guidance (SP 800-63B) recommends against most of these measures, advising instead that organizations screen new passwords against an up-to-date list of compromised or easily guessed values and reject any match. Organizations that want to close off passwords as a threat vector need to overhaul authentication with credential screening and similar modern practices.

A related misstep is assuming that MFA offers complete protection. It is an important part of a layered approach, but it is no magic bullet, as Microsoft’s warning late last year about attackers bypassing it through adversary-in-the-middle phishing and session-token theft showed. According to NIST, using MFA does not remove the need to maintain an updated list of compromised passwords and to use that list to enforce strong credentials throughout the organization. Treating MFA as comprehensive authentication protection leaves a door open to threat actors.
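Concretely, the screening NIST describes is a small amount of code. The following is an added example, not Enzoic’s product or NIST’s own code, that rejects a candidate password on the three grounds SP 800-63B names: too short, containing the username or a context-specific word, or present in a breach corpus. The breach lookup uses the k-anonymity range protocol popularized by Have I Been Pwned’s Pwned Passwords service, in which the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the client. The breach corpus, its counts and the context words are constructed for the example; in production the range query would be an HTTPS call to the screening service.

```python
"""Compromised-password screening along the lines of NIST SP 800-63B.

Added example, not Enzoic's or NIST's code. The breach corpus is a
constructed in-memory dict standing in for a remote screening service.
"""
import hashlib
import re

# Constructed sample corpus of exposed passwords with made-up "times seen"
# counts; a real corpus holds hundreds of millions of entries.
SAMPLE_BREACH_CORPUS = {
    "password": 9_659_365,
    "Welcome2023!": 1_204,
    "Summer2023": 8_912,
    "letmein": 324_112,
}

# Context-specific words 800-63B says to reject (organization and product
# names); constructed for the example.
CONTEXT_WORDS = ("enzoic", "acme", "corp")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: bucket the corpus by the first 5 hex chars of SHA-1."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


DEFAULT_INDEX = build_range_index(SAMPLE_BREACH_CORPUS)


def range_query(prefix: str, index: dict = DEFAULT_INDEX) -> dict:
    """Server side of the k-anonymity protocol: return every suffix under a
    5-char prefix. The server learns the prefix, never the full hash."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def breach_count(password: str, index: dict = DEFAULT_INDEX) -> int:
    """Client side: send only the prefix and match the suffix locally."""
    digest = sha1_hex(password)
    return range_query(digest[:5], index).get(digest[5:], 0)


def screen_password(password: str, username: str = "",
                    index: dict = DEFAULT_INDEX,
                    context_words=CONTEXT_WORDS) -> list:
    """Return the reasons a password is rejected; an empty list means accept.

    Deliberately has no composition rules and no expiry: 800-63B drops those
    in favour of a length floor, a blocklist and breach screening."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in context_words:
        if word in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    seen = breach_count(password, index)
    if seen:
        reasons.append(f"found in breach corpus ({seen} times)")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome2023!", "acme-rocks-2024", "xK9#pq2m-long-unique"):
        print(candidate, "->", screen_password(candidate, "jsmith") or "accepted")
```

Note that a password such as `Welcome2023!` satisfies every classic composition rule and still fails, because the breach corpus, not the character mix, is what decides exposure.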

Avoiding the Phishing Line: Phishing is another persistent problem identified by the DBIR. Campaigns have grown increasingly sophisticated in recent years, with a KnowBe4 report finding that 33% of employees are likely to fall for these scams.

Organizations need a combination of technology and training to combat these threats; according to KnowBe4, the latter can help reduce the likelihood of falling victim to a scam by 83%. While phishing awareness programs may not receive top prioritization on the average security budget, investing resources in this area can help reduce it as a threat vector.

Deploying web filters to stop employees from accessing malicious websites is another key step. In addition, it’s important to ensure that internet browsers, apps, and operating system software are all kept current with the latest security patches and updates. Finally, companies should confirm that regular backups are scheduled to help recover data should a successful phishing scam occur.

Protecting the Expanding Endpoint: With a recent report finding that 79% of IT teams have witnessed an increase in endpoint security breaches, detecting these threats is another foundational element companies can’t afford to ignore. The hybrid work environment contributes to the challenge, as the perimeter is extended by more employees using their devices for work.

Every personal computer, tablet or smartphone represents a potential entry point that hackers could exploit to access sensitive corporate data or conduct a range of other nefarious activities. That’s why it’s critical that endpoint security strategies address every type of operating system on the company’s network, not just the traditional Windows or Linux options.

In addition to OS concerns, other critical endpoints include servers, printers, IoT devices, and point-of-sale systems. Essential controls for these include encryption, intrusion detection, host firewalls, and application control. Organizations need the right strategies and tools in place to protect the expanding endpoint and stay a step ahead of attackers.

Security from the Bottom Up 

You can’t build a resilient house without a strong foundation, and the same is true for enterprise security. The latest AI solutions will fail to deliver on their potential until companies address the basics. Now more than ever, organizations must ensure that these foundational weaknesses are eliminated as a threat vector.



The post Foundational Security is the Enterprise’s Weakest Link appeared first on Cybersecurity Insiders.

Cyber threats have grown increasingly sophisticated in recent years; an expanding attack surface, today’s hybrid work environment and the new vulnerabilities introduced by IoT devices are just a few of the challenges. Despite this evolving landscape, most organizations have yet to modernize their authentication security to effectively prevent password-based attacks. With the most recent DBIR finding that compromised credentials are behind more than 50% of breaches, it’s imperative that companies act now to bolster authentication security.

To understand more about this issue, Enzoic recently commissioned a survey of over 480 cybersecurity professionals. The State of Authentication Security Report underscores that—despite the passwordless hype—username and password combinations remain the primary authentication mechanism, with nearly 70% of companies utilizing this method. By contrast, only 12% of organizations are deploying passwordless strategies.

Legacy Approaches Weakening Password Security

Unfortunately, many companies are failing to evolve password management to reflect the current threat landscape. What’s more, the majority of those surveyed continue to follow legacy practices that have actually been found to weaken credential security.

For example, 74% of companies require forced resets every 90 days or less. Not only does this generate more work for employees and IT alike, it also runs counter to NIST’s updated password guidance. NIST, along with Microsoft and other leading organizations, has found that when faced with frequent resets employees typically pick easy-to-remember credentials or change a single letter or character, leaving a weak credential that threat actors can easily guess.

The Dark Web Dilemma

Password reuse is another problem contributing to authentication security challenges, with Google finding that employees reuse a single password an average of 13 different times. The volume of breaches means that the Dark Web has become a treasure trove of this information; hackers can easily find and obtain lists of compromised credentials to fuel ongoing password-based attacks.

Our research highlights that most companies are aware of this vulnerability, with 84% of respondents concerned about weak and compromised passwords. However, many fail to grasp the extent of the threat: 46% estimate that fewer than one in five of their passwords could be found on the Dark Web, while another 26% are unsure what share might be available there.

The Case for Credential Screening

This underscores the importance of modernizing authentication security to incorporate screening for compromised credentials—something that less than half of the respondents in our survey are currently doing. Enzoic helps companies protect against this threat by screening password and username combinations against its proprietary database of billions of exposed credentials. We maintain the latter using a combination of proprietary automated processes, submitted contributions, and research from our threat intelligence team. Because our database is automatically updated multiple times per day, organizations can be assured that their password security reflects the latest breach intelligence.

Another key benefit of our credential screening solution is that it eliminates the IT helpdesk burden of frequent resets and other legacy approaches while offering a more frictionless user experience. Because the screening happens automatically in the background, non-compromised users gain efficient access to their accounts and services. Should a compromise be detected, organizations can automate their response with a range of actions, including the immediate disabling of the account in question.

The Path Forward

While there are many unknowns in cybersecurity, there is one universal truth: hackers will continually hunt for new ways to exploit companies for financial gain and other nefarious purposes. With the DBIR and other studies repeatedly pointing to compromised credentials as a common threat vector, it’s imperative that organizations act today and shore up authentication security.

You can read more about this issue and other findings from the State of Authentication Security Report here.

The post Bringing Authentication Security Out of the Dark Ages appeared first on Cybersecurity Insiders.

Google has consistently prioritized enhancing trust among its users by introducing novel defensive measures to counteract cyber threats like phishing attacks. Moving forward, Workspace users can expect an added layer of protection against takeover attempts, as a new safeguard necessitates approval from two administrators.

In practice, a sensitive administrative change initiated by one administrator does not take effect until a second administrator reviews and approves it. This multi-party approval is an additional barrier against social engineering: compromising or tricking a single admin account is no longer enough to push a change through.

Initially, this multi-party authorization procedure will be integrated into the workspace group, subsequently expanding to encompass other services based on feedback received from administrators.

In an era where relying on passwords alone is outdated, attackers with off-the-shelf cracking tools can recover a short or predictable password within minutes, even one that mixes letters, digits and special characters, and a password that has already leaked needs no cracking at all. Consequently, bolstering online account security with additional controls such as multi-party approval is imperative to fend off prevailing cyber threats.

“This initiative empowers enterprise administrators to fortify their account security through 2SV authentication using Threat Defense Controls,” explained Andy Wen, Director of Product Management at Google Workspace.

It’s important to note that Google Workspace provides enterprise features including custom email addresses on the organization’s domain, Drive storage, and administrative controls for productivity and collaboration tools such as Gmail, Calendar, Contacts, Meet, and Chat. Data in these products is stored in Google’s cloud and replicated across geographically separated data centers for continuity and disaster recovery. The suite launched in 2006 as Google Apps, was renamed G Suite in 2016, and became Google Workspace in October 2020.

The post Google allows Workstation actions only with two admin authentication appeared first on Cybersecurity Insiders.

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.

Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.

News articles.

EDITED TO ADD: Commentary:

This is from Microsoft’s explanation. The China attackers “acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident—including the actor-acquired MSA signing key—have been invalidated. Azure AD keys were not impacted. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.”
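The validation issue Microsoft describes, a key meant for one issuer being trusted for another, is easy to reproduce in miniature. The following is an added example, not Microsoft’s code: it models both the weak pattern (resolve a signing key by its `kid` from one global set, never asking which issuer the key belongs to or whether it has been retired) and the corrected one (the endpoint states which issuer it accepts, the key must be bound to that issuer and still active, and the token’s claims must agree). Assumptions: tokens are compact JWTs signed with HS256, a stdlib-only stand-in for the RSA keys a real identity provider publishes, and the issuer URLs, key identifiers and secrets in the registry are constructed.

```python
"""Per-issuer key scoping for token validation.

Added example, not Microsoft's code. Tokens are HS256 JWTs (a stdlib
stand-in for RSA-signed tokens) and the key registry is constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MSA_ISSUER = "https://login.live.com"              # consumer accounts
AAD_ISSUER = "https://login.microsoftonline.com"   # enterprise accounts
OWA_AUDIENCE = "https://outlook.office.com"

# Constructed key registry. Each signing key is bound to exactly one issuer
# and carries an active flag so retired keys can be refused.
KEYS = {
    "msa-2016": {"issuer": MSA_ISSUER, "secret": b"consumer-key-v1", "active": False},
    "msa-2023": {"issuer": MSA_ISSUER, "secret": b"consumer-key-v2", "active": True},
    "aad-2023": {"issuer": AAD_ISSUER, "secret": b"enterprise-key-v1", "active": True},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(claims: dict, kid: str) -> str:
    """Mint a JWT with the named key. Nothing here stops a retired key being
    used: that is the position an attacker holding stolen key material is in."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + _compact(claims)
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def make_token(kid: str, issuer: str, subject: str, ttl: int = 3600) -> str:
    return sign_token({"iss": issuer, "aud": OWA_AUDIENCE, "sub": subject,
                       "exp": int(time.time()) + ttl}, kid)


def _parse(token: str):
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            head + "." + body, _b64url_decode(sig))


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_flawed(token: str, audience: str = OWA_AUDIENCE) -> Optional[dict]:
    """The weak pattern: resolve the key by kid from one global set, ignoring
    which issuer the key belongs to and whether it has been retired."""
    header, claims, signing_input, sig = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or not _signature_ok(key["secret"], signing_input, sig):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims


def validate_scoped(token: str, issuer: str, audience: str = OWA_AUDIENCE) -> Optional[dict]:
    """The fix: the endpoint states which issuer it accepts, the key must be
    bound to that issuer and still active, and the claims must agree."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != issuer:
        return None
    key = KEYS.get(header.get("kid"))
    if key is None or key["issuer"] != issuer or not key["active"]:
        return None
    if not _signature_ok(key["secret"], signing_input, sig):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims


if __name__ == "__main__":
    forged = make_token("msa-2016", AAD_ISSUER, "victim@example.com")
    print("flawed validator accepts forged token:", validate_flawed(forged) is not None)
    print("scoped validator accepts forged token:", validate_scoped(forged, AAD_ISSUER) is not None)
```

A token minted with the retired consumer key but claiming the enterprise issuer passes `validate_flawed` and fails `validate_scoped` twice over: the key is not in the enterprise issuer’s ring, and it is no longer active. The same scoping is what stops an enterprise endpoint from accepting a perfectly valid consumer token, the second flaw Microsoft’s statement mentions.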

It’s neither hard nor expensive:

Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.

BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.

In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.

With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)

The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—­one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.

Depending on the model, the attack takes between 40 minutes and 14 hours.

Also:

The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.

Other news articles. Research paper.

By Sameer Hajarnis, CPO, OneSpan

With the digital economy flourishing, both organizations and consumers are becoming more comfortable making high-value transactions online. To keep up with Web3, organizations have had to offer flexible, digital alternatives to their business processes. Among these processes is the electronic signature, or “e-signature,” the digital alternative to signing documents in person. Although e-signatures ease the consumer process, many organizations neglect security practices throughout the transaction lifecycle. In parallel, remote online notarization is also becoming more commonplace, with high-value transactions including contractual agreements, mortgages, and powers of attorney being digitized. As the threat landscape continues to evolve, there is a growing concern that attackers will increasingly target the integrity of digital agreements, especially as transactions of higher and higher value take place online.

According to MSB Docs, 65% of companies using pen and paper report that collecting physical signatures adds an entire day to their work process. In addition to accelerating workflow, e-signature improves the customer experience, eliminates transcription errors, and makes processes traceable. The commoditization of e-signatures happened quickly, and because it was so convenient, many organizations neglected security measures when implementing these digitized processes.

Along with this, cyberattacks are becoming increasingly sophisticated; recently, The Neustar International Security Council found that only about half of companies have the necessary budgets to meet their current cybersecurity requirements. This is especially alarming for industries that conduct high-value transactions online, such as banking, healthcare, government, etc., because a person’s most critical information could potentially be exposed. According to the Insurance Information Institute, there was a 45-percent increase in identity theft in 2020, and the rapid digital transformation that took place during 2020 would not have helped improve this figure.

The main reason companies continue to deprioritize cybersecurity is the belief that it will disrupt the customer journey. Abandonment and customer drop-off are high, and today the slightest inconvenience will turn consumers away. While customers are looking for digital trust, many organizations believe security processes will disrupt the customer experience; yet DigiCert’s 2022 State of Digital Trust Survey found that 47% of consumers have stopped doing business with a company after losing trust in that company’s digital security, and another 84% would consider switching providers.

With those consequences in mind, organizations should consider the following cyber initiatives to secure digital interactions.

Compliance

Organizations must comply with e-signature security requirements. Electronic signature solutions are regulated by the ESIGN and UETA. These acts were passed to (1) solidify the legitimacy of e-signatures in the business world, (2) ensure all parties have consented to conduct business electronically, and (3) authenticate the signer’s identity. Depending on a company’s location and/or industry, these regulations may differ.

In the past year, nine in ten Americans encountered a fraud attempt. To safeguard users’ identities and critical information, the government stepped in to enforce strict security measures. It is of the utmost importance that e-signature solutions act in accordance with these laws, as they ensure the highest level of security and reduce the probability of identity fraud.

When it comes to remote online notarization, the compliance requirements become even more complex. Where a traditional notarization calls for an in-person screening to help protect personal rights and property from threat actors, a remote online notarization requires organizations to authenticate the applicants’ identities virtually. Applicants must verify their identity online through ID verification and knowledge-based authentication (KBA) and then apply their e-signature, after which the notary affixes the notarial seal. Failure to meet these compliance requirements may result in notaries facing civil liability or the loss of their license.

Certificates of Completion

Vendors must provide immediate proof of completion upon the execution of an electronic agreement. That certificate of completion must include the associated IP address, email address, date, timestamp, names, and all other aspects of the transaction. The certificate acts as the legal record of the transaction and should be stored where it cannot be tampered with. By doing so, organizations can be confident that all e-signatures are lawful and will hold up in court. When notarizing a document online, consumers must likewise obtain a digital certificate that provides evidence of the notarization.

Authentication

To raise the level of assurance, e-signature providers should sign transactions with asymmetric (public-key) cryptography backed by a public key infrastructure (PKI), and protect signer accounts with two-step verification. A signature bound to the signer’s key and to a hash of the document blunts a man-in-the-middle (MITM) attack, in which an attacker positions themselves between two parties and intercepts or alters what passes between them, because any alteration invalidates the signature. Strong authentication also reduces the likelihood that an impostor can sign in a customer’s name.
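As an added illustration of the two preceding points (a tamper-evident certificate of completion, and public-key protection of the agreement), the following Python is example code, not OneSpan’s, and its record format and sample values are constructed. The provider hashes the exact document bytes that were signed, places that digest together with the signer evidence (name, email, IP address, timestamp) in a canonically serialized record, and signs the record with an Ed25519 private key. Anyone holding the provider’s public key can later confirm that neither the record nor the document has been altered. It assumes the `cryptography` package is installed.

```python
"""Signed certificate of completion for an e-signature transaction.

Added example, not OneSpan's code. Field names and values are constructed.
Requires the `cryptography` package.
"""
import copy
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def document_digest(document: bytes) -> str:
    """SHA-256 of the exact bytes the signer saw; binds the record to the document."""
    return hashlib.sha256(document).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic serialization so issuer and verifier sign/verify the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(provider_key: Ed25519PrivateKey, document: bytes,
                      events: list, completed_at: str) -> dict:
    """Build the completion record and sign it with the provider's key."""
    record = {
        "document_sha256": document_digest(document),
        "completed_at": completed_at,
        "events": events,  # per-signer evidence: name, email, IP, timestamp
    }
    signature = provider_key.sign(canonical(record))
    return {"record": record, "signature": signature.hex()}


def verify_certificate(provider_pub: Ed25519PublicKey, cert: dict, document: bytes) -> bool:
    """True only if the provider's signature is valid over the record as
    presented AND the record's digest matches this document."""
    try:
        provider_pub.verify(bytes.fromhex(cert["signature"]), canonical(cert["record"]))
    except (InvalidSignature, KeyError, ValueError, TypeError):
        return False
    return cert["record"].get("document_sha256") == document_digest(document)


def demo() -> dict:
    """Issue a certificate on constructed data and show what tampering does."""
    provider_key = Ed25519PrivateKey.generate()
    provider_pub = provider_key.public_key()
    document = b"Mortgage agreement for 123 Example Street, executed electronically."
    events = [{
        "signer": "Ada Lovelace",
        "email": "ada@example.com",
        "ip": "203.0.113.7",
        "timestamp": "2023-06-01T12:00:00+00:00",
    }]
    cert = issue_certificate(provider_key, document, events, "2023-06-01T12:00:05+00:00")

    altered = copy.deepcopy(cert)
    altered["record"]["events"][0]["ip"] = "198.51.100.9"  # forged origin address

    return {
        "valid": verify_certificate(provider_pub, cert, document),
        "document_changed": verify_certificate(provider_pub, cert, document + b"\n"),
        "record_changed": verify_certificate(provider_pub, altered, document),
    }


if __name__ == "__main__":
    print(demo())
```

The private key never leaves the provider; what the provider publishes is the public key and, ideally, a certificate chaining it to a CA, which is the PKI part. Note that the signature covers the record, and the record covers the document hash, so a single byte appended to the agreement after signing is caught even though the certificate itself was never touched.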

For online notarizations, organizations can mitigate security risks with identity verification, KBA, and built-in security controls preventing participants from signing on behalf of others.

Digital processes and customer interactions must be secured at every touchpoint throughout a transaction. Most providers will require one-time verification, which may seem secure for consumers when carrying out a transaction. But, in order to secure e-signatures and notarizations, continuous authentication is essential– organizations must secure every interaction throughout the customer journey.

The digitization of high-value transactions lends many benefits to an organization, but it also poses real risks if the associated cyber threats are ignored. In the world of Web3, organizations must be fully aware of the cyber attacks, insider threats, and compliance failures that threaten the validity of online transactions. Online notarizations in particular must occur in a secure environment, as they operate across industries where valuable information is transferred (automotive, banking, real estate, legal, and insurance).

Following such awareness, security needs to be interwoven into all choices application providers are making. Solution providers must adopt an increased level of security to be integrated into the fabric of all transactions and agreements. Organizations, especially those that handle high-value transactions, should invest in alternative e-signature and notarization solutions that utilize multi-factor authentication, identity verification, encryption, and other secure processes. These processes safeguard important information and ensure those completing the transaction are who they say they are.

The post Signed, Secured, Delivered: Authenticating Digital Agreements in the Time of Web3 appeared first on Cybersecurity Insiders.

Jenny Blessing and Ross Anderson have evaluated the security of systems designed to allow the various Internet messaging platforms to interoperate with each other:

The Digital Markets Act ruled that users on different platforms should be able to exchange messages with each other. This opens up a real Pandora’s box. How will the networks manage keys, authenticate users, and moderate content? How much metadata will have to be shared, and how?

In our latest paper, One Protocol to Rule Them All? On Securing Interoperable Messaging, we explore the security tensions, the conflicts of interest, the usability traps, and the likely consequences for individual and institutional behaviour.

Interoperability will vastly increase the attack surface at every level in the stack, from the cryptography up through usability to commercial incentives and the opportunities for government interference.

It’s a good idea in theory, but will likely result in the overall security being the worst of each platform’s security.