In my last article, “Fixing the Weakest Link in Cybersecurity: People,” I discuss how we have a password management problem and not a password authentication problem. Now it’s time to talk about credential security.
The theft of an individual’s computer login credentials is fast outpacing the theft of credit card data. Credentials allow unfettered access to accounts, financials and services. There’s an old joke that says nobody knows you’re a dog on the internet. Now, with the credential theft epidemic, how can anyone really be sure that a person is who they say they are?
In today’s digital world, certificates are used for user verification. But, how valid are those certificates? Driver’s licenses can easily be forged, Social Security numbers can be stolen, and social media sites can share detailed information all resulting in questionable user verifications. Even biometrics identification is not safe. Biometrics is public knowledge and you leave it behind everywhere.
Since most verifications are done remotely by third-party registration and certificate authorities, they are constantly questioning the submitted documentation and identity of individuals requesting a digital certificate. Mistaken verification leads to fraudulent certificates, which lead to cyberattacks and data breaches. DigiNotar (2011) and Comodo Group (2015) issued fraudulent certificates that affected the operating systems, applications and browsers of industry giants like Microsoft, Google, Yahoo, Mozilla and others.
Credential theft is much more than a stolen credit card.
It often takes companies months to discover that their network has been compromised. Plenty of time for the actor to get everything they need.
Many state and federal laws require companies to report a breach, especially if it involves customers’ personal information. The number one way individuals discover their personal information has been stolen is when the corporation discloses it to the public months after their initial discovery. This is a massive problem. The penalties are far more severe for the business and their management (expensive fines and prison) than they are for the criminals perpetrating the data theft. Additionally, there are very few laws to help victims and make their recovery process manageable.
The financial repercussions of a breach are enormous. Companies need to understand both the direct and indirect costs.
While different organizations calculate the costs in different ways, the Ponemon Institute is the most widely quoted research firm that analyses the costs of a data breach to companies. According to Ponemon’s “2019 Cost of a Data Breach Report,” the average global costs to companies per sensitive record lost or stolen in the U.S. in 2019 was $242 per record, for a combined average total cost of $8.19 million per breach. Lost sales, lawsuits, rebuilding the company brand, new equipment, insurance premiums and so much more contribute to this high expense. All this chaos starts from the simple theft of an employee’s login credential.
Building a Chain of Trust
A chain of trust is built on the premise that all hardware and software are authorized within a computer network and disperses information only to authorized users or places. Systems today are complex. They are continually changing with new apps, personal devices and Internet of Things (IoT) devices connecting and disconnecting from the network. It only takes one flawed link within this trust chain to create an insecure portal for actors to exploit.
Once the actor is in, they start worming through the networks to gain access to other parts until they eventually achieve full system administrative rights. Then, all confidential data and private information become available for the actor to use as they wish.
Something to Think About:
Hackers are creative and they think outside the box. I remember reading stories about how a hacker broke into a network through the fish aquarium located in a company’s front lobby. Someone placed the aquarium monitoring sensor (“Hey, who cares about fish water?”) onto the same server that housed the company’s data.
There was another case where a hacker used the soda vending machine outside their hotel room to hack into the hotel’s guest logs. The vending machine was programmed to report to the hotel kitchen staff when a machine needs to be refilled with more flavored carbonated sugar water. Too bad it used the same network as their guest’s sensitive information. Sensitive data must be isolated from stupid data.
Often these IoT devices have no credential login requirements. They are given an open door policy into the network. When an IT cybersecurity strategy ignores locking the virtual front door and starts by first protecting the data behind the firewall, then working their way out, the best IT can do is to protect against known attacks. A futile endeavor. Networks have to know who’s knocking on the door.
There Is No 100% Security
Trying to protect against every known attack is cost-prohibitive. Hackers regularly make minor modifications to their attacks in their efforts to get past known defenses. This fact alone gives hackers a considerable advantage over IT. It also creates the greatest fear for the chief information officer (CIO) and chief information security officer (CISO): the unknown attack.
Something to Think About:
I recently heard a White Hat hacker tell a shocking story. A bank hired him to test their network. In a matter of minutes, he was in their system, snooping around. That was his first task. While there, he came across some IP addresses that he didn’t recognize. After a quick investigation, he discovered they were the IP addresses to the bank’s ATM network. Wanting to test the ATMs’ security, he copied a program he found on the internet (dark web) and uploaded it into the bank’s server to make a specific ATM spit out a twenty-dollar bill the next day at 12:02 a.m. At the appointed hour, he hopped into his car and drove to the remote location. Just before midnight, he set up a video camera and pointed it at the dark ATM. He waved at the camera and waited. At 12:02 a.m., right on schedule, the ATM magically came to life. The screen lit up, the cash door opened, and the machine spits out a twenty-dollar bill.
It doesn’t matter how or where a breach occurs. Once the hacker has broken in, the entire network loses the chain of trust. By implementing a stong credentialing program, and keeping those credentials secure, that can foil over 90% of the initial attacks. The 10% that do get through are manageable by IT to discover and eliminate faster.
It’s an understatement to say that a data breach is devastating to a company’s future, its employees, its management and its customers. Sadly, it’s the virtual front door often left unsecured and open to everyone that’s the culprit.
Hackers breach a network from the outside, in front of the firewall, and then tunnel to everywhere they can. What’s in front of the firewall, you may ask? The user’s login credentials. Securing the credentialling process also helps IT discover breaches much faster because they are not overloaded with login requests. This is why the login credential and the verification process both have to be secure and trusted.
On a final, side note, stop putting stupid data in the same data network that stores sensitive data. Isolate, isolate and isolate where each data system requires its own unique credential.
Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion lead him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premiere product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).