“We’re doing more to help empower Americans to protect themselves online. In partnership with the industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone,” wrote President Barack Obama.
In tandem with his request to increase the federal cybersecurity budget to over $19 billion, President Barack Obama announced a new Cybersecurity National Action Plan (CNAP). He elaborated on both the plan and the spending uptick in a Feb. 9 Wall Street Journal editorial, “Protecting U.S. Innovation From Cyberthreats.”
Both the editorial and the CNAP text itself address the need for multi-factor authentication.
“Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign.”
The password, used alone, is an obsolete form of authentication. As we have seen with high profile breaches, it is simply too easy for an attacker to compromise credentials and use them to their advantage.
The strongest authentication makes use of multiple factors (i.e., something I know, something I have and something I am). This is the year multi-factor adaptive authentication goes mainstream. Attackers are showing increased skill in acquiring credentials and using them to pivot around an environment once they are in.
Oftentimes methods such as phishing, spear phishing, malware or spyware are used to compromise valid user credentials, which are then used to move laterally within the network among applications and sensitive data. In some cases they are used to create a new identity with new valid credentials – either way the attacker’s goal is to blend in with normal access traffic and therefore become very difficult to detect.
By using techniques like device recognition, geo-velocity, geo-location or IP reputation, adaptive authentication continuously evaluates the context of each access attempt to identify the user accurately. This makes employing the latest innovations in multi-factor and adaptive authentication vital to defending federal systems, as users will need to be continuously verified to detect malicious behaviors.
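The contextual checks named above can be sketched as follows. This is an added example, not code from the original article or from any product; the thresholds, the signal names, the allow/step-up/deny policy and the sample logins are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumed policy values for this example, not taken from the article.
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # ignore small jumps caused by IP-geolocation noise

@dataclass
class Login:
    ts: float        # Unix time in seconds
    lat: float
    lon: float
    device_id: str
    ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_signals(prev, cur, known_devices, flagged_ips):
    """List the contextual signals raised by login `cur`; `prev` may be None."""
    signals = []
    if cur.device_id not in known_devices:
        signals.append("unrecognized-device")
    if cur.ip in flagged_ips:
        signals.append("ip-reputation")
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # abs() tolerates out-of-order events; the floor avoids division by zero.
        hours = max(abs(cur.ts - prev.ts) / 3600.0, 1.0 / 3600.0)
        if km > MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
            signals.append("geo-velocity")
    return signals

def decide(signals):
    """Assumed policy: no signal allows, one forces step-up, two or more deny."""
    return ("allow", "step-up", "deny")[min(len(signals), 2)]

# Constructed sample logins (documentation IP ranges, invented device IDs).
DC = Login(0, 38.9072, -77.0369, "laptop-1", "198.51.100.7")
LONDON_8H = Login(8 * 3600, 51.5074, -0.1278, "laptop-1", "198.51.100.8")
SINGAPORE_1H = Login(3600, 1.3521, 103.8198, "laptop-1", "203.0.113.9")

if __name__ == "__main__":
    for cur in (LONDON_8H, SINGAPORE_1H):
        s = risk_signals(DC, cur, {"laptop-1"}, set())
        print(decide(s), s)
```

A plausible flight (Washington to London in eight hours) raises no signal, while a login from Singapore one hour after one from Washington trips the geo-velocity check and forces a step-up even though the device is recognized.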
No doubt you’re familiar with physical biometrics, such as a fingerprint swipe on your phone. Behavioral biometrics work with behavioral patterns rather than biological attributes. The concept is built on the same foundation in that the user acts as the core asset – something difficult for a hacker to imitate. Each user has a unique way of interacting with computers, and those elements become authentication criteria. After all, attackers can’t mimic users’ identity down to their typing behavior and mouse movement.
Behavioral biometrics can identify risk associated with the use of credentials (we’ve seen accuracy rates as high as 98 percent); they are also easy to collect, without impacting the user experience. In other words, we can create a behavioral biometric profile and use it to authenticate the user without them knowing it happened. If the behavioral biometric profile behind a set of credentials has changed, organizations can force the user through additional steps to verify their identity.
Federal CIO Tony Scott estimates over 80 percent of government employees currently use two-factor authentication. While 80 percent is encouraging, there’s no reason it shouldn’t sit at 100 percent. After all, the number of federal government employees is estimated at around 2 million. This means the credentials of 400,000 employees are potentially susceptible to theft – and this number doesn’t begin to take into account that these employees are potentially handling data associated with millions of Americans.
Organizations are suffering from a lack of visibility into the later stages of the attack lifecycle (once the attacker has gained an initial foothold and is attempting to move laterally). The result is the constant stories we read about attackers going undetected for weeks to months.
The federal government simply cannot afford to fall behind in implementing these fundamental security practices. President Obama and his administration have been hailed by strong authentication experts for their attention to cybersecurity. While the President is cognizant of the stakes, he must also continue to push on this critical issue. For whoever wins the American election, worldwide cybersecurity will be front and center, and technologies that provide visibility into these later stages, such as adaptive authentication, will help solve these critical problems.
Making security progress
While progress has been made in federal cybersecurity, there are inexcusable gaps that must be addressed, and quickly. Recent years have seen vast improvements in the affordability, deployability and maintainability of National Institute of Standards and Technology-compliant two-factor implementations. Many implementations offer additional security on top of PIV/CAC secure identity cards, adding adaptive techniques. These will become a necessity to counter the ever-evolving tactics of the adversary.
Multi-factor adaptive authentication should be a top priority, post-breach or not. The reason is simple: even if you have completed an incident response, there may be attackers hiding deep within the environment.
Houston, we have a post-breach problem
Adaptive authentication should also be an asset in a post-breach situation. The need to build detection and response capabilities into security operations is not fully realized, and government organizations, until very recently, were thought of as immune. But with recent high-profile breaches, it’s time for federal agencies to set the pace as we advance the cybersecurity ecosystem.
There’s a mantra: “if you can’t protect it, don’t collect it.” Organizations should consider whether data they’re collecting is necessary to business operations. After that, they need to shift focus to the detection and incident response phases of the security lifecycle.
With increases in phishing attacks, malware and compromised credentials comes a new call to action to step up, combine forces and combat large-scale threats. Only once we’ve implemented a multi-layered approach to security and encouraged collaboration between the private and public sector will we be able to ensure history does not repeat itself.