‘It’s elementary! You are looking in the wrong direction!’
Were Sherlock Holmes engaged to look into the epidemic of data breaches, his first admonition might be reprised from The Hound of the Baskervilles, “The world is full of obvious things which nobody by any chance ever observes.”
2015 was barely six weeks old when another “mega-breach” at Anthem Health was disclosed. Some eighty million records with personally identifiable information, including social security numbers and employment information, were compromised. The phishers and “phraudsters” then jumped on the unsuspecting victims with Anthem look-alike sites and emails.
Since social security numbers and employment information were involved in the Anthem breach, it wouldn’t be too wild to speculate that the temporary suspension of online income tax filing by TurboTax was not somehow connected. After all, security blogger Brian Krebs uncovered information that suggests the Anthem compromise may have begun in April 2014. That’s more than 10 months ago.
Is this surprising? Perhaps not as surprising as you might think. One of the forensic firms that often gets called-in following a large breach is Mandiant. A quick tour of Mandiant’s web site reveals some of what they discover in the wake of a breach.
– 100% of the firms for whom they launch an investigation have up to date virus software
– 63% of the time, the breach is reported by a third party
– 243 days is the average time attackers are on the breached network before discovery
– 100% of the incidents they investigate involve stolen credentials
In and of itself, this data is amazing, but what does it suggest? Once again Sherlock Holmes, as he did in The Bascombe Valley Mystery might offer, “There is nothing more deceptive than an obvious fact.”
What can be observed from this epidemic of data breaches? What obvious facts can be gleaned from the forensic work of Mandiant? Clearly, whatever firms are doing to detect unauthorized access is not working if hackers remain undiscovered for an average of 243 days, and 63 percent of the time, someone outside their company reports the breach to them. Just as clearly, user credentials are every bit as effective in the wrong hands as they are in the right hands. As long as the art of deduction was Sherlock’s strong suit, what might he deduce from this? Perhaps ensuring that a user credential was in the right hands, before granting access would be a valuable place to start, in preventing data breaches.
The technology to ensure that valid credentials are in the hands of legitimate users has been available for some time now, and the cost of using it has been dropping dramatically. Too much time, technology and expense has been focused on trying to keep hackers out and it’s proven ineffective. Its high time companies look in the other direction and enforce policies with technology that only allows legitimate users in. Stronger user authentication is elementary in thwarting the hackers!
By John Zurawski, Vice President, Authentify
BIO: Mr. Zurawski brings more than 20 years of technical experience to his role at Authentify. He is a thought-leader in mobile, multi-factor strong authentication practices for mitigating risk and preventing breaches of enterprise and personal data. He is an expert on replacing passwords, biometrics and post-login transaction security.
About Authentify
Authentify provides intuitive and consistent multi-factor authentication services for protecting user accounts or key information from unauthorized access. Where many authentication techniques are powerless when valid credentials are wielded by hackers and imposters, Authentify offers certainty, and certainty is power. Authentify introduced the global security community to its phone-based user authentication services in 2001. Its original phone-based Security as a Service (SaaS) revolutionized the two-factor authentication market. Two-factor authentication (2FA), or two-step verification (2SV), has become a standard for protecting accounts of all types. Authentify xFA mobile multi-factor authentication technology, which employs app endpoints on smart devices, was introduced in 2013.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.