Security breaches make headline news. Even the most seemingly secure and untouchable organizations are vulnerable as security measures are only as effective as the weakest link. Most recently, Equifax was compromised, potentially exposing vital information of half of all adult Americans.
When it comes to protecting digital identity, there needs to be a more sophisticated way to identify, authenticate, and trust identity information. How does your organization need to change the way it thinks about digital identity? And what measures should you take to better protect your systems and information?
Evolving Threat Landscape Makes Identity Management a Challenge
As hackers employ more sophisticated means to infiltrate an enterprise, organizations need to change the way they prove identity – including moving beyond password security. Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved password attacks, including phishing or some other kind of password harvesting technique. (http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)
Once the initial breach happens, more damage occurs as the hackers harvest additional passwords to explore the enterprise from the inside, working to compromise more systems and access more information.
How this Impacts Your Business
Passwords are not enough to protect important data. The more valuable the data, the more important it is that only the right people have access to it. To keep up with changing technologies, market conditions, and attack methods, NIST updated their Digital Identity Guidelines to provide a more robust way to approach safeguarding identity.
Version 3 of NIST 800-63 (https://pages.nist.gov/800-63-3/) was released in June. The revised guideline helps organizations evaluate their requirements for authenticating users and assess identity management tools. The previous version, NIST 800-63-2, used a single measure of identity effectiveness, the Level of Assurance. The revision replaces that single measure with three separate ones, giving more clarity on how to gauge the trust placed in a digital identity. They are:
- Identity Assurance Level (IAL): How well do you know that the person creating this account is the real person he or she claims to be?
- Authenticator Assurance Level (AAL): How well do you know that the person accessing this service is the same person that created the account?
- Federation Assurance Level (FAL): How well do you trust the identity provided to you by a third party Identity Service?
Creating Your Identity Management Approach
- Determine what types of users interact with your various systems. Typically an enterprise will have employees, customers, vendors, partners, and perhaps other user types.
- Map the business case and levels of access for each user type. Define what information each role needs to have access to, as well as the level of trust that the person accessing it is the person who should be accessing it. If you are not going to require a user to have a high level of assurance, then you are going to restrict the data he or she has access to.
  - For instance, you trust your employees more than you trust your partners, perhaps your partners more than vendors, and vendors more than customers. A market system would require a different level of trust than your internal development system with all of your intellectual property.
- Determine how you manage access, and how you verify and protect digital identity. Some questions to ask include:
  - Do you need to look at someone’s Driver’s License in person before authorizing access to high-value information, or is an email address sufficient for accessing lower value information?
  - Do you need Multi-Factor Authentication (MFA) before allowing access to critical assets, or is password security sufficient for routine access?
    - Important note on MFA: When evaluating MFA vendors, NIST 800-63-3 defines and puts into context the capabilities they need to provide. Some methods of authentication that are in common use today are no longer considered safe – specifically, SMS one-time passwords. If you are currently using SMS or email to send one-time passwords to verify authentication, consider transitioning to push or soft token technologies.
  - Do you need a dedicated on-premises identity management system, or can you rely on a third-party Identity as a Service (IDaaS) provider such as Google, Facebook, or Microsoft?
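As an added example (not part of this article and not NIST’s own text), the Python below turns the three assurance levels and the user-type-to-access mapping described above into an executable policy check. The user types, resources, required levels and the authenticator-to-AAL mapping are assumptions chosen to mirror the article’s examples: an email-verified customer reaches the market system with a password, while the internal development system demands proofed identity plus a second factor. SMS and email one-time passwords are deliberately not credited as a second factor, so a session that used them fails the MFA requirement for critical assets.

```python
"""Example access policy evaluated against the NIST 800-63-3 assurance levels
(IAL, AAL, FAL). Illustrative code written for this article; the user types,
resources and level assignments are assumptions, not text from NIST 800-63-3."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class IAL(IntEnum):   # how well the account holder's identity was proofed at enrolment
    IAL1 = 1          # self-asserted, e.g. only an email address was verified
    IAL2 = 2          # identity evidence checked, remotely or in person
    IAL3 = 3          # in-person proofing of physical evidence such as a driver's licence


class AAL(IntEnum):   # how strongly the current session was authenticated
    AAL1 = 1          # single factor, e.g. password only
    AAL2 = 2          # two factors
    AAL3 = 3          # hardware-based cryptographic authenticator plus a second factor


class FAL(IntEnum):   # how much a federated assertion from a third-party IdP is trusted
    FAL1 = 1
    FAL2 = 2
    FAL3 = 3


# Assumed mapping from the authenticator a session used to the AAL it earns.
# SMS and email one-time passwords are not credited as a second factor, following
# the article's advice to move to push or soft tokens.
AUTHENTICATOR_AAL = {
    "password": AAL.AAL1,
    "password+sms_otp": AAL.AAL1,
    "password+email_otp": AAL.AAL1,
    "password+push": AAL.AAL2,
    "password+soft_token": AAL.AAL2,
    "password+hardware_key": AAL.AAL3,
}


@dataclass(frozen=True)
class Requirement:
    user_types: frozenset   # which user types may reach the resource at all
    ial: IAL
    aal: AAL
    fal: FAL                # enforced only when the identity came from a federated IdP


# Assumed policy: the more valuable the data, the higher the required levels.
POLICY = {
    "market_system": Requirement(frozenset({"employee", "partner", "vendor", "customer"}),
                                 IAL.IAL1, AAL.AAL1, FAL.FAL1),
    "vendor_portal": Requirement(frozenset({"employee", "vendor"}),
                                 IAL.IAL2, AAL.AAL2, FAL.FAL2),
    "dev_system": Requirement(frozenset({"employee"}),   # internal IP lives here
                              IAL.IAL2, AAL.AAL2, FAL.FAL2),
}


@dataclass(frozen=True)
class Session:
    user_type: str
    ial: IAL                   # proofing level recorded when the account was created
    authenticator: str         # key into AUTHENTICATOR_AAL
    fal: Optional[FAL] = None  # None when the identity was asserted locally, not federated


def evaluate(session: Session, resource: str) -> List[str]:
    """Return the reasons the session fails the resource's policy; empty means allowed."""
    req = POLICY.get(resource)
    if req is None:                       # fail closed on resources with no policy
        return [f"no policy defined for {resource}"]
    reasons = []
    if session.user_type not in req.user_types:
        reasons.append(f"user type '{session.user_type}' not permitted on {resource}")
    if session.ial < req.ial:
        reasons.append(f"IAL{int(session.ial)} below required IAL{int(req.ial)}")
    aal = AUTHENTICATOR_AAL.get(session.authenticator, AAL.AAL1)  # unknown method counts as weak
    if aal < req.aal:
        reasons.append(f"authenticator '{session.authenticator}' gives AAL{int(aal)}, "
                       f"required AAL{int(req.aal)}")
    if session.fal is not None and session.fal < req.fal:
        reasons.append(f"federated assertion FAL{int(session.fal)} below required FAL{int(req.fal)}")
    return reasons


def is_allowed(session: Session, resource: str) -> bool:
    return not evaluate(session, resource)


if __name__ == "__main__":
    employee_sms = Session("employee", IAL.IAL2, "password+sms_otp")
    for reason in evaluate(employee_sms, "dev_system"):
        print("DENY:", reason)
```

The check is split by level so that a denial reports which of the three measures fell short; that is also what makes the model useful when comparing identity products, since each vendor claim can be placed against one column of the policy table.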
Identity Management is a Balancing Act
The onus is on your company to keep information secure – and to make sure those that interact with your systems are protected. It’s also important for identity management systems to enhance – not limit – your enterprise’s productivity. We can help you understand your needs for identity management. Contact us to learn more.
You may have heard all the buzz about Pokémon Go, Nintendo’s latest generation of games, created as a mobile phone app and based on the popular animated show from the 90’s. In their haste to download and install the latest and greatest, users are also falling victim to additional malicious apps disguised as tutorials or alternate versions of the game. As the app is only officially offered in the US, New Zealand, UK, and Australia, users in other countries are passing around Android Package Kit (APK) files in an attempt to play the game as well. Installing such an APK, however, requires users to “sideload” it, which means changing a core Android security setting so that the device will install applications from untrusted third-party sources.
Users have been cautioned against these illegal downloads, as one of the popular APK files has been modified to install a backdoor known as DroidJack. DroidJack is a Remote Access Tool (RAT) that allows third parties to take remote control of a user’s device, record private conversations, read emails, browsing history, and texts, and track the user’s physical location, all without the user’s knowledge. If a user has installed DroidJack on any device linked to their bank accounts or corporate/personal email, all of that information is now available to untrusted third parties.
The threat of this malicious software is very real: the security firm Proofpoint discovered the infected version of the app within 72 hours of the game’s launch in New Zealand and Australia on July 4th. To check whether the version of the app installed on your device is malicious, navigate to your Android device settings for Pokémon Go and scroll through the list of app permissions. If the version installed on your device has permission to directly call phone numbers, read/edit your SMS messages, record audio, read browser history, read/edit your contacts, read/edit call logs, and edit network connectivity, then you should wipe your device immediately; this is the only guaranteed method of removal. Business leaders, especially those overseas: caution your employees about this application, as its user base is not limited to any age group.
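The manual permission review above can be automated for a fleet of devices or for APKs collected before installation. The Python below is an added example written for this article, not code from the article, Proofpoint, or the game’s publisher. It maps each permission category the article names to the corresponding Android permission constants (these are real Android permission names), parses the output of `aapt dump permissions` (the accepted line formats are an assumption about that tool’s usual output), and reports which risk categories an app satisfies and which permissions exceed a trusted baseline. The two sample dumps are constructed for illustration and are not the manifests of the genuine or the trojanized APK.

```python
"""Check an Android app's permission list against the spyware profile the
article describes (direct calls, SMS, audio recording, browser history,
contacts, call log, network control). Added example written for this article;
the permission names are real Android constants, but the sample dumps are
constructed and are not the manifests of the real or the trojanized APK."""
import re

# Risk categories from the article, mapped to the Android permissions that grant them.
RISK_PERMISSIONS = {
    "directly call phone numbers": {"android.permission.CALL_PHONE"},
    "read/edit SMS messages": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
    },
    "record audio": {"android.permission.RECORD_AUDIO"},
    "read browser history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "read/edit contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "read/edit call logs": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "edit network connectivity": {
        "android.permission.CHANGE_NETWORK_STATE", "android.permission.CHANGE_WIFI_STATE",
    },
}

# Matches one line of `aapt dump permissions <apk>` output. Both the bare form
# ("uses-permission: android.permission.X") and the quoted form
# ("uses-permission: name='android.permission.X'") are accepted (assumed formats).
AAPT_LINE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?$")


def parse_aapt_dump(text):
    """Return the set of permission names declared in an aapt permissions dump."""
    perms = set()
    for line in text.splitlines():
        match = AAPT_LINE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def matched_risks(permissions):
    """Return the sorted list of risk categories the permission set satisfies."""
    perms = set(permissions)
    return sorted(name for name, needed in RISK_PERMISSIONS.items() if perms & needed)


def unexpected_permissions(permissions, baseline):
    """Permissions present in the installed app but absent from a trusted baseline,
    such as the permission list of the official build."""
    return sorted(set(permissions) - set(baseline))


def is_rat_profile(permissions):
    """True when every risk category the article lists is granted, which is the
    article's 'wipe the device' condition."""
    return len(matched_risks(permissions)) == len(RISK_PERMISSIONS)


# Constructed sample: a plausible permission dump for a location-based game.
CLEAN_DUMP = """package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.WAKE_LOCK'
"""

# Constructed sample: the same game with the spyware permission set bolted on.
TROJANIZED_DUMP = CLEAN_DUMP + """uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CHANGE_NETWORK_STATE'
"""

if __name__ == "__main__":
    baseline = parse_aapt_dump(CLEAN_DUMP)
    installed = parse_aapt_dump(TROJANIZED_DUMP)
    print("risk categories:", matched_risks(installed))
    print("beyond baseline:", unexpected_permissions(installed, baseline))
    print("wipe recommended:", is_rat_profile(installed))
```

Comparing against a baseline taken from the official build catches repackaged apps even when the added permissions do not form the full RAT profile; the category match is the stricter signal the article ties to wiping the device.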
When working with CyberSheath, we will empower your organization against common threats such as these to effectively reduce risk through proper security and awareness training.