Cybersecurity: Taller Walls, Deeper Moats but the Front Gate is Unguarded


By: Zack Martin

Imagine walking into a warehouse store that, instead of selling bulk amounts of toilet paper and paper towels, sells addresses and house keys. Now imagine that these addresses and keys open doors that already belong to other people.

This warehouse actually exists, albeit virtually, and fraudsters visit to buy email addresses, account logins and passwords for more than a billion accounts. For a bit more, they can add Social Security numbers, physical addresses and other demographic information. All of this is made possible thanks to the dark web.

Database and password hacks are so commonplace that unless a breach registers in the millions it won’t even garner attention in the press. In recent months, these breaches have left everyone from casual web surfers to the president of the United States calling for efforts to better secure cyberspace.

The majority of these efforts seem to revolve around building taller towers and deeper moats to prevent hackers from gaining access. What’s lacking, however, are the efforts to add strong authentication and advanced identity and access management to make sure only those authorized are enabled to gain access. The best firewalls and intrusion detection won’t matter if someone has keys to the front door. Making identity a foundational component to cyber security, then, is paramount to any attempt to solve the issues facing enterprises.

The number one way hackers are gaining access to information on computer networks continues to be the misuse of usernames and passwords. So says the 2014 Data Breach Investigation Report from Verizon, citing that two of every three breaches exploit weak or stolen passwords.

The U.S. government is also feeling the pain. More than half of cyber intrusions to federal agencies could have been prevented using strong authentication, according to a report from the White House Office of Management and Budget. The annual report to Congress on the Federal Information Security Management Act (FISMA) details how agencies are still behind when it comes to using PIV credentials and strong authentication technologies.

Additionally, US-CERT found that 52% of 2014 cyber incidents were related to or could have been prevented by strong authentication implementations. Strong authentication for civilian agency user accounts is at only 41%, well below the 75% target.

E-Gov Cyber reviewed agency performance against authentication-related FISMA Metrics. As part of the reporting process, agencies describe the different authentication methods employees use to gain access to Federal information and networks.

Of the 24 agencies evaluated, 16 had weak authentication profiles, enabling the majority of unprivileged users to log in with user IDs and passwords alone.

This makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering.

Budgets also don’t seem to be going to identity and access management. In 2015, Gartner Research predicts that $77 billion will be spent on IT security, but just 4% – or $3.3 billion – will be spent on identity and access management related products and services. Enterprises are investing in firewalls, secure gateways and other security systems – but still neglecting the proverbial front door key.

“There’s no silver bullet for cybersecurity,” says Jeremy Grant, managing director at the Chertoff Group and former director of the National Program Office for the National Strategy for Trusted Identities in Cyberspace. “But if you’re getting hacked because of your password technology that’s a pretty good sign you should do something with identity.”

Information security professionals have never put a focus on identity, says Jeff Nigriny, president at CertiPath. “The bulk of product development has been centered on anti-intrusion detection for the network,” he explains. “Identity has revolved around creating a better password.”

Despite the Verizon and FISMA reports, enterprises aren’t taking identity issues seriously, Grant says. “Identity is the red-headed stepchild of cybersecurity,” he explains. “People relegate the identity issue to the backburner because they don’t want to do something that’s difficult. It’s a battle getting people to take the identity threat seriously and put some simple things in place.”

Password problems plague federal agencies

The U.S. government is not immune to cyber threats. While many agencies have taken steps to improve identity and access management, a lot of work remains to be done as a recent report shows more than half of cyber attacks could have been prevented with strong authentication.

Federal agencies issue employees PIV smart cards for use for physical and logical access. However a report from the White House Office of Management and Budget shows that in too many cases, the credentials have not been enabled for widespread logical access.

The Department of Veterans Affairs has more than 350,000 users accessing information with only usernames and passwords, while the State Department has 100,000. On the positive side, the Department of Homeland Security leads the way for PIV access with almost 250,000 employees using the credentials, followed by Health and Human Services with almost 100,000. The Defense Department was not included in this survey but requires its employees to use the Common Access Card for strong authentication.

While a substantial number of unprivileged user accounts – more than 5.3 million – can access Federal networks with only a username and password, the more troubling concern is the number of privileged accounts that require only a username and password.

Unprivileged user accounts are the ones regular employees use to access email, applications and services. Privileged accounts are the administrators of those systems and are typically the ones that are able to create new accounts and access additional information. Privileged user accounts, of which there are 134,287 across the government, possess elevated levels of access to, or control of, Federal systems and information, increasing the risk to resources if their credentials are compromised.

There are 18 agencies that do not require a majority of their privileged network users to log in using two-factor PIV authentication. Health and Human Services and the State Department are the worst offenders when it comes to having privileged users accessing networks with usernames and passwords.

Identity Pearl Harbor

Numbers from the last 12 months are staggering. The Anthem Health Insurance data breach has impacted 80 million customers, and reports have it linked to compromised credentials of privileged IT users. But that’s a drop in the bucket compared to the Russian hackers’ theft of 1.2 billion usernames and passwords across 420,000 sites.

These are just two of the more high-profile breaches. Some would think that they would be enough to push organizations to start doing more with identity. The thought has been that a single event might finally push the collective “us” over the edge and into battle – a metaphoric identity Pearl Harbor.

Sergio Galindo, general manager at network security developer GFI Software, wishes that were the case. His family’s data – including that of his children – was stolen in the Anthem breach.

Anthem has offered a year of identity theft protection, but he wants it for the rest of his children’s lives. “Their digital life is at risk forever,” he says.

Since the breach involved Social Security numbers, he fears his children will be battling fraudsters forever. “The Social Security number lasts forever and that’s how people will be impacted,” he explains.

Others aren’t as sure there will be one event that is the impetus for change. “Will it be death by 1,000 cuts?” asks Nigriny. “Or will it be some financial institution that loses a tremendous amount of money that makes everyone finally feel vulnerable?”

Consumers are already paying for these breaches, they just don’t know it yet, says Daniel Turissini, CTO at SolPass. In medical fraud alone hundreds of billions of dollars are wasted. “It’s a ridiculous amount of money and some of it can be mitigated,” he adds. “Too many people think it’s an unsolvable problem and it’s not.”

Turissini fears that the data breaches over the past two years are harvesting data. “The actors are harvesting this information and piecing it together to attack something else,” he explains. “People are at the point where they think it’s inevitable.”

Even if an individual changes passwords every couple of months but ends up using the same one two years later they are at risk, says Pamela Dingle, senior technical architect at Ping Identity. “People are being systematically logged and tracked and nothing that they have done in the past has evaporated,” she explains. “I don’t understand why people aren’t running to multi-factor authentication vendors to put another obstacle in the way.”

Still, Dingle says the great identity breach is not inevitable. “There won’t be an identity Pearl Harbor, but we need a Winston Churchill to realize we’re under a protracted siege and make some changes,” she says.

Analysis: Identity is hard

IT personnel trying to convince executives that they need a new firewall or intrusion detection system have an easy sell. Both are simple-to-explain products: one keeps the bad guys out, while the other raises the alarm if the bad guys get in.

Identity and access management isn’t the same; some would call it squishy. Is it what enterprises use to enable employees to access systems and applications? Yes.

Can it be used by partners to easily place orders or share information? That’s possible. Do customers use it to access information, buy things and keep track of data? That can fit the bill as well. Can one system address all three purposes? If you want it to, yes. And while explaining what an identity and access management system can do is difficult, that is nothing compared to the actual deployment.

“Identity is a complex problem, even for smart people,” says Mary Ruddy, research director at Gartner.

Taking all employee, partner and customer information, making sure it’s properly loaded along with the proper attributes and permissions is a daunting task. And how does an enterprise justify the expense and time? What’s the benefit?

There are not that many people who know how to answer these questions and solve the problem. “There’s a big hole in cybersecurity and there aren’t too many people out there who know how to fill it,” says CertiPath’s Nigriny. But just because it is challenging doesn’t mean it can be ignored.

Catalysts for change

Part of the problem is that digital identity is daunting. In the corporate world, enterprises can force employees to comply with whatever authentication processes they deem necessary, says Jamie Cowper, senior director of business development and marketing at Nok Nok Labs. “In the consumer world the identity problem is a bit more complicated,” he says. “You can’t force customers to use them or they’ll go somewhere else where it’s easier to make a transaction.”

There are also issues with semantics. Some in the IT world don’t put identity under the cybersecurity umbrella, says Mary Ruddy, research director at the Gartner Group. “When people think cybersecurity they don’t think about identity,” she says. “But having strong authentication is a key piece of what needs to be done.”

The problem with people

The biggest challenge when it comes to online security and identity, however, is the consumer and employee. A CompTIA report found that the biggest factor when it comes to security breaches is people. Some type of formal security training could help mitigate these breaches.

But while training employees and consumers not to click suspicious emails is a step in the right direction, it’s not enough. Better authentication technology is mandatory.

Usernames and passwords remain popular because they’re easy to use. A common word in the strong authentication business these days is friction. It refers to the complexities that are added to a transaction when new authentication is deployed.

“When talking to banks and large consumer-facing web sites, the word friction comes up almost immediately,” says Jim Reno, chief architect for security at CA Technologies. “A tiny increase in friction means a solid drop in service or a significant increase in help desk calls or recovery mechanisms – which drives up cost.”

Google, Apple and others have implemented two-factor authentication as an option but have had limited success, Reno says. “Multi-factor authentication is important but we need to do it while maintaining a user-friendly experience,” he adds. The mobile device is a key piece of this identity puzzle and of frictionless authentication, says Gartner’s Ruddy. Instead of issuing hardware tokens, enterprises can use a secure app or send a one-time password for multi-factor authentication. “It’s cheaper than hardware tokens and easier to use and implement,” she adds.

Mobile devices have the ability to democratize identity, says Alan Goode, principal at Goode Consulting. “You can’t replace passwords,” he says. “But you can deploy thousands of software tokens to mobile devices and strengthen security overnight.”

Using existing mobile devices is key, Goode explains. “We need to leverage existing authenticators and see them integrate into risk and adaptive security for stronger identity,” he says. “The major authentication platform providers have realized that technology is changing, and there needs to be less emphasis on the authenticator and more emphasis on using risk-based solutions and integrating into threat intelligence.”

Adaptive authentication is another popular term. Adaptive systems use multiple identity attributes to verify an identity – geo-location, biometrics, IP address and others. “The authentication of the future will look like a medical feedback system,” says Ping Identity’s Dingle. “It will be constantly checking for major and minor events and detect a sickness like an EKG detects an arrhythmia.”

Part of the problem is gathering all this data and making it usable. “The idea is to use applications that will take our daily interactions and form a tapestry that can be examined for anomalies or abuse,” Dingle explains.

And the password will most likely still be a part of that tapestry, albeit only one of many threads. “If you look at a bank vault, the combination is just one piece of the security,” Dingle explains. “You don’t put the vault door on the outside of the building. Before you need that combination, you must get past all the guards and cameras.”

Corporate enterprises are starting to use these systems for employees, and they will trickle down for use by consumers, says Kayvan Alikhani, senior director of technology at RSA. The next couple of years will see more uses of advanced technologies. For one, Microsoft’s adoption of fingerprint, iris and face recognition as authenticators for access marks a big step. “We’re moving in the right direction but it’s a massive beast and I would say we’re three to five years away from total adoption,” he adds.

Here FIDO, here

Alikhani is referring to Microsoft’s recent adoption of the FIDO Alliance specification for authentication. FIDO standards rely on the existing security of handsets and computers for secure access to other systems.

“FIDO turns credential management upside down,” says Ramesh Kesanupalli, FIDO vice president and founder of Nok Nok Labs. “Instead of generating the private keys on the server side they are generated on the device and the service provider gets the public key back.”

With FIDO a user authenticates to the device and then the device authenticates to the server, Kesanupalli explains. If a service provider is hacked all the fraudster would receive are public keys. In order to get the private key a hacker would have to have access to each specific device. The user would also have the option of choosing the authenticator, be it a built-in fingerprint scanner, facial recognition, voice or a simple PIN.
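The registration and login flow Kesanupalli describes, as an added example that is not FIDO Alliance code and does not reproduce the real FIDO message format: a simplified Go model in which the device generates the key pair and keeps the private key, the server stores only the public key, and each login is a signature over a fresh server challenge. The names Authenticator, RelyingParty, the user "alice" and the PIN value are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device (a hypothetical simplified model, not
// FIDO's real messages): the private key is generated here and never leaves it.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	verified bool // true once the user has passed the local PIN/biometric check
}

// RelyingParty models the server; it stores public keys only, so a breach of it
// yields nothing that can produce a valid login.
type RelyingParty struct{ pubKeys map[string]*ecdsa.PublicKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Register hands the relying party the public key only.
func (a *Authenticator) Register(rp *RelyingParty, user string) { rp.pubKeys[user] = &a.priv.PublicKey }

// UserVerify is the "user authenticates to the device" step (a PIN stands in for a fingerprint).
func (a *Authenticator) UserVerify(pin, expected string) { a.verified = pin == expected }

// Sign is the "device authenticates to the server" step: a signature over the
// server's fresh challenge, refused until local user verification has passed.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.verified {
		return nil, fmt.Errorf("user verification required before signing")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Challenge issues a fresh random nonce; binding each login to a new nonce
// makes a captured signature useless for replay.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature with the public key stored for user, if any.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	digest := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A stolen copy of rp.pubKeys lets an attacker verify signatures but not create them, which is the property Kesanupalli is pointing at.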

FIDO has existing deployments enabling the fingerprint scanner on the Samsung Galaxy S5 with PayPal and Alipay. Google is also enabling the FIDO specification for two-factor authentication to Gmail and other accounts. Along with numerous pilots already underway, more relying parties will be deploying uses for FIDO in the coming months, Kesanupalli says.

Business problems

One issue is that some in the identity and access management world have wanted to make money at the cost of good security, says SolPass’ Turissini. “Instead of making this an ecosystem of collaboration, everyone wants to corner the market,” he explains. “Industry needs to embrace a framework and move it forward.”

The payment card market could be an example of how the identity world could work, Turissini says. When the credit card companies federated – decided to all use the same basic infrastructure – it made payments simpler for the retailer and the consumer. “They wanted as many people as possible to come and swipe their credit cards,” he adds.

There are frameworks that identity could borrow from, but there are nuances to identity that make it a bit more difficult. Five years ago if someone found an unauthorized charge on their card they were upset and jumped into action, Galindo says. Now the reaction isn’t as strong, and it can be resolved by simply clicking on a button next to the transaction online.

Identity is harder to resolve because it’s personal. If someone hijacks a Facebook account it’s much more troubling than if an errant charge shows up on a credit card statement.

Identity is forever and along with teaching his children how to ride a bicycle and drive, Galindo also has to teach them to check credit reports and make sure no one has stolen their identities. “We have the usual parental conversations, but now also have to add identity theft and technology use to the list,” he concludes.

Could states crack the digital ID dilemma?

State governments might not be known for taking progressive stances on new technologies but a handful are starting to issue digital identity credentials to citizens for access to government services. While these credentials are initially only used to access one or two sites, other functionality could be added.

Virginia, Michigan, Pennsylvania and North Carolina are issuing digital IDs to citizens for access to Medicaid services. The programs all have a slightly different spin, but in Virginia and North Carolina, the states are leveraging the driver license database to issue higher-assurance credentials.

In North Carolina the credentials are being used to enable access to the state’s Health and Human Services systems, but if the pilot goes well other functions could be added, says Mark DiFraia, senior director of solution strategy at MorphoTrust.

When a person decides to participate in the North Carolina pilot they download an app to their smart device. They scan their driver license, take a selfie and submit that information to be checked through the North Carolina Department of Motor Vehicles, explains DiFraia.

Once a match is made, an eID is tied to the app. When returning to access information on the HHS site they click a different login button and are presented with a QR code. The code is scanned with the app – information is exchanged between the mobile and the site – and access is granted.

The project is in a pilot phase now, but if successful the state plans to allow other relying parties to consume the credential, DiFraia says. “Consumers are aware that they are vulnerable but they don’t know what they can do about it,” he explains. “The average individual doesn’t have something they can run to, so we’re trying to create an electronic ID that’s the same level of trust as the driver license.”