<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jim Routh, Author at Security Current</title>
	<atom:link href="/author/jrouth/feed/" rel="self" type="application/rss+xml" />
	<link>/author/jrouth/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Fri, 17 May 2019 18:47:01 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Jim Routh, Author at Security Current</title>
	<link>/author/jrouth/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>The Obsolescence of Passwords</title>
		<link>/the-obsolescence-of-passwords/</link>
		
		<dc:creator><![CDATA[Jim Routh]]></dc:creator>
		<pubDate>Fri, 17 May 2019 16:57:22 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=20655</guid>

					<description><![CDATA[<p>Passwords as a means of authentication have been around for a long time. Their existence is based on the fundamental premise that it is only the consumer or user who&#8230;</p>
<p>The post <a href="/the-obsolescence-of-passwords/">The Obsolescence of Passwords</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Passwords as a means of authentication have been around for a long time. Their existence is based on the fundamental premise that only the consumer or user holds the secret. And for the past 60 years, passwords have served us well.</p>
<p>But the premise is becoming less and less true.</p>
<p>These days, there are an estimated 20 billion to 40 billion credentials – meaning user ID and password combinations – that are available to criminals in the dark web. These credentials are harvested and exchanged every day, and the number that is accessible to the cyber criminal community is growing.</p>
<p>Indeed, it is no longer just the user who can be in possession of the secret.</p>
<p><strong>Using, not hacking, the key</strong></p>
<p>A common tactic used by cyber criminals is credential stuffing, and it stems from the all-too-human tendency to reuse the same user ID and password combination across the many web sites a person uses.</p>
<p>Remembering a distinct user ID and password for every site is just too difficult. None of us can remember a hundred passwords, even if we use a hundred web sites; most of us struggle to remember five. So we reuse passwords across sites, whether we visit those sites rarely or every day.</p>
<p>Around five years ago, criminals worked out that credentials harvested from one site can just as easily be tried on another. They reasoned, correctly, that there is a high probability a user has the same combination elsewhere. They tried it at scale and found a return of anywhere between 1 and 2 percent.</p>
<p>It is not difficult, either. There are web sites with videos explaining exactly how to do it; minimal technical skill is enough. And because the attackers present valid credentials, the logins look legitimate and the criminal activity goes undetected. They did not hack the key. They used the key!</p>
<p>Imagine doing this across millions of records, converting 1 to 2 percent of them into working accounts, and selling those in a store on the dark web. The extra-industrious can use other means to push the success rate to 4 percent.</p>
<p>If they can scrape information, build a database from it, and enrich it with data from other sources, they have something they can monetize. At four or five dollars a record for hundreds of thousands of records, that is a lot of money.</p>
<p>All this is fueling the gradual obsolescence of the password – the foundation of authentication for every enterprise.</p>
<p><strong>A CISO’s business</strong></p>
<p>For an enterprise with thousands of users and consumers, each holding an individual user ID and password combination, this spells a big problem. A CISO has to worry about replacing passwords with a better authentication method and about doing that at scale. For a large enterprise, the cost of replacing passwords runs to hundreds of millions of dollars.</p>
<p>Some might say that multi-factor authentication, which is always better than single-factor authentication (a password alone), is the answer. A common example is a one-time passcode sent to the user’s phone by text message, which the user then types into the interface to gain access.</p>
<p>Still, threat actors find ingenious ways to intercept that code: spoofed login pages that relay it in real time, SIM-swap fraud, and weaknesses in the carrier infrastructure that routes text messages. A code sent over SMS raises the cost of an attack; in the end, a determined attacker still succeeds.</p>
<p><strong>First, change the mindset</strong></p>
<p>To defeat that ingenuity, defenders have to go beyond the known forms of authentication. This means challenging the basic premises we IT and security professionals hold about authentication in the first place. First, that it is an event with a beginning and an end. Second, that the result is binary: either you get in or you don’t. We have to unlearn both.</p>
<p>Authentication can instead be a continuous process. It is not an event with a beginning and an end, and it need not have a binary outcome. It is continuous because, instead of asking the user to do anything, it takes the behavioral attributes of the device they are using and builds a pattern that represents “normal” behavior on that device.</p>
<p>It then measures actual behavior against that pattern. Is there a deviation? If so, the method assigns a number to the deviation, aggregates those numbers across all the attributes it captures, and arrives at a risk score from which the application decides how much access to grant.</p>
<p>We can take this further and let the consumer choose a biometric: touch ID (fingerprint), face, or a combination.</p>
<p>This would improve authentication by eliminating the weakest link, the password. What’s fascinating is that it improves security and user experience at the same time. Users no longer have to remember their passwords, and we, on behalf of enterprises, no longer have to waste resources resetting them at scale. It will actually cost less.</p>
<p><strong>Friction for the bad guys</strong></p>
<p>In the meantime, what can people do until we have a more effective and safer authentication method that offers better security, a better user experience, and lower costs?</p>
<p>The answer is to create as much friction for the bad guys as you can. This means forcing them to abandon techniques that have worked for them in the past and to work out new ones.</p>
<p>For example, consumers can use a password manager. Then you only have to remember one strong password, and you can use a different complex password on every site you visit. Reset your passwords periodically and, above all, immediately when a site you use is breached. You can also build a password from a phrase that is meaningful to you but not obvious when strung together. On your phone, use a biometric all the time. Because the information is not centrally located, defeating this means the bad guys have to crack the actual device.</p>
<p>Until we are able to unlearn what we know about passwords and shift our mindset, the burden remains on the individual. Therein lies the challenge.</p>
<p>The post <a href="/the-obsolescence-of-passwords/">The Obsolescence of Passwords</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Unconventional Controls in a Shifting Threat Landscape</title>
		<link>/unconventional-controls-in-a-shifting-threat-landscape/</link>
		
		<dc:creator><![CDATA[Jim Routh]]></dc:creator>
		<pubDate>Tue, 07 Aug 2018 02:09:22 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=19614</guid>

					<description><![CDATA[<p>In the information security space, conventional wisdom says there is a simple formula for putting controls in place to protect systems, applications, and the data that courses through them. According&#8230;</p>
<p>The post <a href="/unconventional-controls-in-a-shifting-threat-landscape/">Unconventional Controls in a Shifting Threat Landscape</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In the information security space, conventional wisdom says there is a simple formula for putting controls in place to protect systems, applications, and the data that courses through them.</p>
<p>According to the formula, you select a risk framework and a set of authoritative sources, such as NIST SP 800-53, ISO 27001, or the Common Security Framework (CSF). You choose the risk framework most appropriate for your business. Then you align all the business and IT practices with the control standards identified in the control objectives of that framework. Finally, you get a third party to come in, attest to the effectiveness of the controls, and declare victory.</p>
<p>That’s the formula, and it is well established in audit circles. The stakeholder groups that bought into this model number in the dozens. Board-level reviews bought into it. Audit, external auditors, internal auditors, privacy, IT leaders: nearly everyone bought into this model.</p>
<p>Except for one stakeholder group that never bought into the formula: the criminals and threat actors attacking your organization.</p>
<p>The bad guys did not buy into the formulaic model of information security. Instead, they adjust their tactics based on the controls that are in place. They understand the risk frameworks, they understand the conventional control standards, and they bypass all of it. They also share information with other threat actors and trade credentials and demographic consumer information to achieve their goals.</p>
<p>What that forces us to do, if we want to survive as CSOs and CISOs (which is generally a good thing in our business), is adjust our controls based on the changes threat actors make to their tactics. We constantly adjust our controls.</p>
<p><b>Resiliency means you must adjust your controls continuously</b></p>
<p>Today, the sign of resiliency for an enterprise is how often you change your controls. Fifteen years ago, if you changed your controls frequently, it was because you were at high risk: there was a lot of volatility and a lot of risk in the business. Today, frequent changes in controls are the sign of resiliency, because they mean you are running a risk-driven security program rather than a compliance-driven one.</p>
<p>A compliance-driven security program waits for regulations to change and then changes its controls. A risk-driven program changes based on threat intelligence and on what threat actors’ tactics are, and adjusts practices to create friction for the threat actors.</p>
<p>The fundamental difference between the two approaches is what launched us into an era in which more and more of the changes we make are unconventional controls: controls not tied back to a specific control standard in an authoritative source or set of standards such as NIST SP 800-53.</p>
<p><b>The conventional control against phishing is only partially effective and inherently unsustainable</b></p>
<p>Take phishing, for example. It is widely considered a top threat vector today. The conventional control noted by every authoritative source is to raise user awareness: teach people to recognize what phishing messages look like, and then to avoid them.</p>
<p>Let’s examine that control. What we are actually teaching people is not to trust email. In the case of phishing, people should be wary of specific emails engineered to misrepresent, to defraud, and to convince somebody to do something they should not want to do. At its core this is not a sustainable model, because it extracts trust from email, which is part of enterprise culture.</p>
<p>The fact is, email is part of the fabric of any major enterprise. When you remove trust from that fabric, you degrade the capabilities of the enterprise. Spending time, money and effort to teach people not to trust email actually does damage to the business. It is a bit like chemotherapy: it kills some good cells while it goes after the cancer cells. It is not really a sustainable model for defending against phishing, but it happens to be widespread. There is at least one financial services firm that goes to the extreme and fires people who fail a phishing test three times.</p>
<p>There are other ways, both less intrusive and less expensive, that are very effective at shutting down phishing attempts. You just have to understand the attacker’s tactics and adjust your controls to them.</p>
<p><b>Unconventional controls are very effective against phishing</b></p>
<p>The most frequently used tactic in phishing campaigns is a spoofed domain: the attacker forges the sender address so the email appears to come from a known or trusted source. Depending on the techniques used, a spoofed domain can be very convincing, sometimes even to the most discerning user. Teaching people to avoid messages from a spoofed domain will never be a failsafe control.</p>
<p>A more effective control is to implement DMARC (Domain-based Message Authentication, Reporting and Conformance), the email authentication, policy and reporting protocol built on SPF and DKIM. The domain owner publishes in DNS which servers may send mail on its behalf (SPF) and the public keys that verify its signed mail (DKIM), together with a DMARC policy telling receivers what to do with a message whose From: domain is not backed by an aligned SPF or DKIM pass. Once that policy is set to reject, receiving mail providers refuse messages that claim to come from the domain but were not sent through its authenticated infrastructure. Fraudulent email spoofing that exact domain is eliminated at the receiving end, for every receiver that honors DMARC. Most deployments start at a monitor-only policy and read the aggregate reports before tightening it, so that legitimate third-party senders are not cut off.</p>
<p>Even though it is an industry standard, DMARC rarely appears in an authoritative source as a conventional control (the US federal mandate in BOD 18-01 is the notable exception); it is unconventional. By removing a domain’s usefulness for spoofing, DMARC is highly effective, so much so that it is pushing threat actors toward other tactics.</p>
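<p>What follows is an added example, not code from the article: a receiving mail server’s DMARC decision in Python, modelled on RFC 7489. The domain names, the DNS TXT records and the authentication results are constructed for the example, and the organizational-domain logic is simplified to “last two labels” where a real receiver consults the Public Suffix List. It shows why the policy only bites on the exact domain (or its subdomains via the sp= tag): a spoofed From: with no aligned SPF or DKIM pass is rejected, while a lookalike domain the attacker registered and authenticated for himself is evaluated against the attacker’s own policy.</p>

```python
"""DMARC disposition as a receiving mail server computes it (RFC 7489).

Added example, not code from the article. DNS answers, domains and
authentication results are constructed; org_domain() is a simplification.
"""

# Constructed DNS answers: name -> TXT record
DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-reports@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_dmarc(txt):
    """Split 'k=v; k=v' into a dict; reject anything that is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real
    receiver uses the Public Suffix List so mail.example.co.uk maps to
    example.co.uk rather than co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(from_domain):
    """Exact domain first; otherwise the organizational domain's record,
    in which case the sp= tag (if present) governs the subdomain."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record:
        return parse_dmarc(record), False
    record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if record:
        return parse_dmarc(record), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Disposition for one message.

    from_domain       domain of the RFC5322.From header the user sees
    spf_pass_domain   MAIL FROM domain if SPF passed, else None
    dkim_pass_domain  d= of a DKIM signature that verified, else None
    """
    policy, is_subdomain = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"          # receiver falls back to its local rules
    spf_ok = aligned(spf_pass_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"               # at least one aligned authenticator
    if is_subdomain and "sp" in policy:
        return policy["sp"]
    return policy["p"]              # none / quarantine / reject (pct= sampling omitted)


if __name__ == "__main__":
    cases = [
        ("example.com", "bounce.example.com", "example.com"),   # legitimate
        ("example.com", "mail.evil.test", None),                # spoofed From:
        ("example.com", None, "mail.example.com"),              # adkim=s: not aligned
        ("news.example.com", None, None),                       # subdomain, sp= applies
        ("example.net", None, None),                            # monitor-only domain
        ("unknown.test", None, None),                           # no DMARC at all
    ]
    for case in cases:
        print(case, "->", evaluate(*case))
```

<p>The spoofed message fails because the attacker cannot produce an aligned SPF or DKIM pass for example.com; the strict adkim=s case shows why alignment settings need testing before a domain goes to p=reject. Note also what this does not catch: a message from a domain the attacker registered passes its own SPF and DKIM, which is why the next tactic below needs a different control.</p>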
<p>Another tactic used in phishing campaigns is the lookalike domain. The phishing email comes from a domain that looks a lot like a legitimate company’s domain but is one character off, so the name is close but not exact. For example, a lookalike domain might replace the lowercase letter L with the numeral 1, as in goog1e.com. Depending on the fonts in use, it can be quite difficult to spot a lookalike domain, especially for people who are busy and not paying close attention.</p>
<p>Even this technique can be defeated once you understand that most phishing attacks use very fresh domains, registered only in the last day or so. Phishers rotate domains often, typically every 24 to 48 hours, because spam and reputation filters catch up with them, so they have to move to a new domain to avoid being filtered out.</p>
<p>You can turn this to your advantage by refusing to deliver email from any domain registered within the previous 48 hours. That blocks the majority of phishing that reaches your enterprise mail server. Very little legitimate email originates from a domain that new, because an enterprise tests a new domain before it goes live; the domains that are sending mail within 24 to 48 hours of registration are almost always fraudulent, the bad guys sending spam or phishing. Hold that mail in quarantine rather than silently dropping it, so that the rare legitimate sender can be released and the rule tuned.</p>
<p>It is not difficult to check how old a domain is. Take a security intelligence feed that lists newly registered domains (or look up the registration date over WHOIS or RDAP), and write a rule in your email gateway that flags any message whose sender domain appears in the feed and routes it to a “do not deliver” bucket. This is not technically challenging; it probably requires fewer than 20 hours of scripting and testing. It is also not referenced anywhere in conventional controls, which makes it another example of a highly effective unconventional control.</p>
<p>A further technique is to use a brand protection service whose web crawlers hunt for domains that look like yours and issue a takedown once they are registered. The two controls are effective in combination, as a layered approach. But neither is mentioned as a conventional control in any risk framework. There is no authoritative source saying you should do this.</p>
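<p>One way to implement the two layered checks above at the gateway, as an added example that is not the article’s or any vendor’s code. The newly-registered-domain feed, the list of protected brands, the sender headers and the fixed clock are all constructed; in production the registration date comes from an NRD feed or an RDAP lookup, and the quarantine action is a call into your mail gateway. The lookalike check goes slightly beyond the single goog1e.com case in the text: it decodes punycode (xn--) labels and folds common digit and Cyrillic confusables before comparing against each brand.</p>

```python
"""Mail-gateway pre-delivery check: newly registered sender domains and
lookalikes of protected brands, layered as the article suggests.

Added example, not the article's code. The NRD feed, brand list, sample
headers and fixed clock are constructed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr

# Fixed clock so the example is reproducible (constructed).
NOW = datetime(2018, 8, 7, 12, 0, tzinfo=timezone.utc)
MIN_DOMAIN_AGE = timedelta(hours=48)

# Constructed NRD feed: registrable domain -> registration time (UTC).
NRD_FEED = {
    "goog1e.com": NOW - timedelta(hours=6),
    "example-invoices.net": NOW - timedelta(hours=1),
    "newstartup.io": NOW - timedelta(days=3),
}
PROTECTED_BRANDS = ["google.com", "example.com", "apple.com"]  # constructed

# Single-character confusables folded before comparison: digits that mimic
# letters, plus Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
})


def registrable(domain):
    """Last two labels. Simplification: use the Public Suffix List in production."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize_label(label):
    """Decode punycode, then fold confusables and two-letter lookalikes."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label          # malformed punycode: compare as-is
    label = label.lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance: one substitution, insertion or deletion per unit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands=PROTECTED_BRANDS, max_distance=1):
    """The brand a sender domain imitates, or None. The brand's own domain
    is not a lookalike: spoofing of that exact name is DMARC's job."""
    dom = registrable(domain)
    if dom in brands:
        return None
    sld = normalize_label(dom.split(".")[0])
    for brand in brands:
        if levenshtein(sld, normalize_label(brand.split(".")[0])) <= max_distance:
            return brand
    return None


def domain_age(domain, feed=NRD_FEED, now=NOW):
    """Age of the registrable domain, or None when the feed has no entry
    (unknown is treated as established, not as new)."""
    registered = feed.get(registrable(domain))
    return None if registered is None else now - registered


def check_message(from_header, feed=NRD_FEED, brands=PROTECTED_BRANDS, now=NOW):
    """Gateway decision for one message: ('deliver' | 'quarantine', reason)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "quarantine", "unparseable From: header"
    domain = addr.rsplit("@", 1)[1].lower()
    brand = lookalike_of(domain, brands)
    if brand:
        return "quarantine", "%s looks like %s" % (domain, brand)
    age = domain_age(domain, feed, now)
    if age is not None and age < MIN_DOMAIN_AGE:
        return "quarantine", "%s registered %dh ago" % (domain, age.total_seconds() // 3600)
    return "deliver", ""


# Constructed sample From: headers; the last one is apple.com with a Cyrillic
# first letter, carried in the punycode form a gateway actually sees.
SAMPLE_HEADERS = [
    "Alice <alice@example.com>",
    "IT Helpdesk <helpdesk@goog1e.com>",
    "Accounts Payable <ap@example-invoices.net>",
    "Newsletter <hello@newstartup.io>",
    "Support <support@%s>" % "\u0430pple.com".encode("idna").decode("ascii"),
]


def run(headers=SAMPLE_HEADERS):
    return [check_message(h) for h in headers]


if __name__ == "__main__":
    for header, (action, reason) in zip(SAMPLE_HEADERS, run()):
        print("%-45s %-10s %s" % (header, action, reason))
```

<p>The order matters: the lookalike test runs first because a lookalike that is also brand new gets the more useful reason, and an unknown domain that is absent from the feed is delivered, since the feed only vouches for what it has seen. Both decisions quarantine rather than drop, so that a false positive is recoverable.</p>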
<p><b>It’s a chess match to shift your controls to block threat actors’ tactics</b></p>
<p>These are all examples of shifts in defensive tactics made in direct response to shifts by threat actors. If you study their tactics, you can identify patterns, anticipate what threat actors are likely to do or are beginning to do, and adjust your controls. This is an ongoing process; it never ends. It is a game of cat and mouse in which you are constantly adjusting your controls.</p>
<p>How do you keep track of threat actor tactics? You study them, and there are various ways of doing so. Security intelligence services, both public and private, can keep you informed. You can monitor the online forums criminals use to communicate and share their tactics; following them tells you what they are thinking and what they are doing.</p>
<p>Next, join an Information Sharing and Analysis Center, or <a class="western" href="https://www.nationalisacs.org/">ISAC</a>. An ISAC lets you determine whether something you see in your environment is also hitting other members’ environments. If it is, you know the attack is opportunistic rather than targeted, which is useful knowledge. You can also ask the other organizations what control they are using, what unconventional approach they are taking, and what works and what does not. That information sharing lets you operate the way the criminals do today: sharing, on forums, which tactics work and which do not.</p>
<p>Basically, you have to consume intelligence from multiple sources. Some of it comes from boots on the ground, other practitioners just like yourself. You need your ISACs to share that information in a safe forum, in some cases with government entities. Then you need to adjust your controls regularly as threat actor tactics shift. If you only use conventional controls, you will not stop unconventional attack methods.</p>
<p>The post <a href="/unconventional-controls-in-a-shifting-threat-landscape/">Unconventional Controls in a Shifting Threat Landscape</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Model-Driven Security is the Future of Identity and Access Management</title>
		<link>/model-driven-security-future-identity-access-management/</link>
		
		<dc:creator><![CDATA[Jim Routh]]></dc:creator>
		<pubDate>Mon, 15 Jan 2018 16:05:51 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=18902</guid>

					<description><![CDATA[<p>The most common identity and access management (IAM) authentication control in use today is a user ID and password, and there is growing awareness that passwords are incrementally becoming obsolete&#8230;</p>
<p>The post <a href="/model-driven-security-future-identity-access-management/">Model-Driven Security is the Future of Identity and Access Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The most common identity and access management (IAM) authentication control in use today is a user ID and password, and there is growing awareness that passwords are incrementally becoming obsolete as an authentication control.</p>
<p><em>Three billion</em> credentials were harvested in North America in 2016 alone, according to Shape Security. You and I know there are only 320 to 330 million people in the US who could even have passwords. Credentials are harvested from multiple sources (phishing, data breaches, cloud account leakage, and so on), which means a lot of credentials are accessible on the Dark Web for criminal use.</p>
<p>The main problem with passwords is that they are binary. Authentication, historically, is an event at the front end of an electronic interaction (a web app or a mobile app). When you pass the authentication step by providing the right answer, in this case a user ID and password combination, the credentials are validated. From that point on you are trusted as that user for the rest of the session. This is the traditional authentication that is heavily relied upon today.</p>
<p>Even multi-factor authentication is only a modest improvement. Whether ID and password alone are enough or another factor such as a token is required, binary authentication rests on one assumption: if you pass through the gate, you are in and good to go. It is like being handed a key to a door that gives you access to the house for as long as you want to stay.</p>
<p><strong>IAM has to evolve beyond user name and password</strong></p>
<p>IAM has to evolve into continuous authentication throughout the life cycle of the mobile app or web app usage. Traditional authentication using passwords is based on the fundamental, but flawed, premise that you&#8217;re the only one that has your password. (See that statement above about the three billion stolen credentials.)</p>
<p>Once criminals have a set of stolen credentials – which can be acquired easily enough on the Dark Web – they use a tool like Sentry MBA to see where else those credentials might work, which increases their value. Let’s say the criminals acquire 10,000 of the credentials compromised in the Yahoo breach. Sentry MBA lets them try those credentials on another domain, say a bank’s web app. The criminals get a 2% hit. Now they have 200 sets of legitimate credentials that can be used to login to and own a banking application.</p>
<p>The reason they&#8217;ll get a 2% hit is that we all re-use passwords because we can&#8217;t remember unique passwords for every application we use. We&#8217;ve got hundreds of sites we have to use passwords for; we don&#8217;t remember them, so we use our same passwords over and over again. We use our Yahoo password, or something very similar, to get into our banking application, and maybe a few other apps as well.</p>
<p>The Sentry MBA tool runs scripts that test various combinations of credentials across domains. Suppose John Doe likes to use the login ID “Jdoe” for most of his apps. To make his password easy to remember, he uses the domain plus a few added characters; for example, “Yahoo123”. For his Chase bank account, he uses “Chase123” and his Amazon account password is “Amazon123”. Sentry MBA allows the criminals to try millions of credential combinations until they own more and more legitimate credentials. Criminals with these tools can do this at scale, which they actively do today.</p>
<p>It’s also possible for criminals to not just login with stolen credentials, but to take over accounts completely. There’s enough demographic information in the wild (thanks to breaches like OPM and Equifax) to bypass password reset and account registration processes established for most enterprise applications.</p>
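<p>As an added example, not the article’s code, here is detection logic for the stuffing pattern described here and in “The Obsolescence of Passwords” above. Seen from the target application, a stuffing run is one source that tries many distinct user IDs with a success rate in the low single digits, exactly the 2 percent hit rate the text describes. The log format, the thresholds and the log lines are constructed for the example; map your own IdP or gateway fields onto them.</p>

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article. The one-line-per-attempt log
format below is an assumption made for the example; map your own IdP or
gateway fields onto ip, user and result.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed): <timestamp> ip=<src> user=<login> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters the detector reasons about."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self):
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def user_spread(self):
        """1.0 means every attempt targeted a different login id."""
        return len(self.users) / self.attempts if self.attempts else 0.0


def parse_line(line):
    """(ip, user, ok) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], m["user"], m["result"] == "ok"


def aggregate(lines):
    """Fold log lines into per-source statistics; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return dict(stats)


def classify(stats, min_attempts=50, max_success_rate=0.05, min_user_spread=0.8):
    """Sources matching the stuffing signature: many attempts, nearly every
    one against a different account, and a hit rate in the low single
    digits. A user retrying a forgotten password fails the first test; an
    office NAT with staff logging in successfully fails the second and third."""
    flagged = []
    for ip, s in stats.items():
        if (s.attempts >= min_attempts
                and s.success_rate <= max_success_rate
                and s.user_spread >= min_user_spread):
            flagged.append((ip, s.attempts, len(s.users), round(s.success_rate, 3)))
    return sorted(flagged)


def build_sample_log():
    """Constructed data: one stuffing source, one forgetful user, one shared egress IP."""
    lines = []
    # attacker replays 200 leaked credentials; 3 of them still work (1.5%)
    for i in range(200):
        result = "ok" if i in (17, 88, 143) else "fail"
        lines.append(f"2019-05-17T10:00:{i % 60:02d} ip=198.51.100.7 user=user{i:04d} result={result}")
    # a real user mistypes twice, then succeeds
    lines += [
        "2019-05-17T10:05:01 ip=203.0.113.5 user=jdoe result=fail",
        "2019-05-17T10:05:09 ip=203.0.113.5 user=jdoe result=fail",
        "2019-05-17T10:05:20 ip=203.0.113.5 user=jdoe result=ok",
    ]
    # an office NAT: 60 attempts from 15 staff, almost all successful
    for i in range(60):
        result = "fail" if i % 20 == 0 else "ok"
        lines.append(f"2019-05-17T10:1{i % 10}:00 ip=192.0.2.40 user=staff{i % 15:02d} result={result}")
    lines.append("this line is not an auth record")
    return lines


def detect(lines=None):
    """Run the pipeline; defaults to the constructed sample."""
    return classify(aggregate(build_sample_log() if lines is None else lines))


if __name__ == "__main__":
    for ip, attempts, users, rate in detect():
        print(f"{ip}: {attempts} attempts against {users} accounts, success rate {rate:.1%}")
```

<p>Thresholds belong in tuning, not in stone: run the rule over a week of your own logs to see what legitimate shared egress points look like, and pair it with the per-account view (one user ID attempted from many sources), because stuffing tools spread their load across proxies precisely to stay under per-source limits.</p>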
<p>These are the kinds of techniques that CISOs and CSOs have to thwart to prevent unauthorized logins to our important applications.</p>
<p><strong>A better approach to IAM</strong></p>
<p>Passwords are obsolete and their continued use puts every business that hosts an application at risk. The more credentials that are out there, the more you can&#8217;t trust the assumption that the only person with the password is the legitimate user. Passwords, as we know them, must be replaced.</p>
<p>A better approach to authentication is continuous behavioral authentication. With this technique, authentication is no longer an event at the front end of the interaction; it is performed throughout the user’s session. Continuous behavioral authentication typically uses anywhere from 30 to 60 attributes about the legitimate end user, their use of technology and their device. These include behavioral biometrics such as keystroke pattern, typing rhythm and mouse movements, physiological biometrics such as iris patterns where the device can capture them, and device attributes, all of them hard to mimic or spoof.</p>
<p>The totality of these measurements is used to build a mathematical representation of that user’s behavior, which is then compared to the real-time behavior taking place within an application. When there&#8217;s a deviation, that creates a risk score that tells the app how much access to provide.</p>
<p>Throughout the user’s interaction with the mobile app or the web app, we can determine whether it&#8217;s the legitimate end user actually using the device and interacting with us based on their previous behavior. We can prove that out mathematically. The risk score populates into the app and the app decides how much access to provide throughout the interaction. That&#8217;s a continuous behavior-based authentication. You will not find this kind of approach described in NIST standards or any other control framework because it&#8217;s an unconventional control—one that is becoming critically important because conventional controls like passwords are failing. Control definitions in risk frameworks evolve incrementally over time while innovative and unconventional controls enable enterprises to change controls as threat actor tactics change.</p>
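<p>An added example, not the article’s or any vendor’s code, of the model described in this section and in “The Obsolescence of Passwords” above: an enrollment baseline per attribute, a capped deviation per attribute, a weighted aggregate scaled to a 0 to 100 risk score, and a session object that smooths the score across events and maps it to an access level. The attributes, the baseline samples, the weights, the tiers and the two observed events are constructed; a production system captures dozens of attributes and tunes weights and thresholds on labelled traffic.</p>

```python
"""Continuous behavioral authentication: baseline, deviation, risk score,
access decision. Added example, not the article's or any vendor's code.
All attributes, samples, weights and thresholds are constructed.
"""
from statistics import mean, pstdev

# Constructed enrollment data: per-attribute samples from earlier sessions
# of the legitimate user on this device.
BASELINE_SAMPLES = {
    "key_hold_ms":      [92, 88, 95, 90, 93, 89, 91],          # keystroke dynamics
    "inter_key_ms":     [140, 155, 150, 145, 160, 148, 152],   # typing rhythm
    "mouse_speed_px_s": [820, 790, 860, 805, 830, 815, 845],   # mouse movement
    "screen_w":         [1440] * 7,                            # device attribute
    "hour_of_day":      [9, 10, 9, 11, 10, 9, 14],             # usage pattern
}
# Constructed weights: device identity and typing carry more than time of day.
WEIGHTS = {"key_hold_ms": 2.0, "inter_key_ms": 2.0, "mouse_speed_px_s": 1.5,
           "screen_w": 3.0, "hour_of_day": 0.5}
Z_CAP = 4.0   # a single wild reading counts for at most this many sigmas


def build_profile(samples, min_sigma_fraction=0.02):
    """Mean and standard deviation per attribute. A floor on sigma keeps a
    constant attribute (the screen width above) from turning any change
    into an infinite deviation."""
    profile = {}
    for name, values in samples.items():
        mu, sigma = mean(values), pstdev(values)
        profile[name] = (mu, max(sigma, abs(mu) * min_sigma_fraction, 1e-9))
    return profile


def deviation(profile, observation, cap=Z_CAP):
    """Capped |z-score| for every attribute present in the observation."""
    return {name: min(abs(observation[name] - mu) / sigma, cap)
            for name, (mu, sigma) in profile.items() if name in observation}


def risk_score(devs, weights=WEIGHTS, cap=Z_CAP):
    """Weighted mean of the capped deviations, scaled to 0..100
    (100 = every attribute at the cap)."""
    total = sum(weights[name] for name in devs)
    if total == 0:
        return 0.0
    return 100.0 * sum(weights[n] * d for n, d in devs.items()) / (cap * total)


def access_level(score):
    """Constructed tiers; the application decides what each one permits."""
    if score < 15:
        return "full"
    if score < 35:
        return "step-up"      # ask for a biometric before sensitive actions
    if score < 60:
        return "read-only"
    return "terminate"


class Session:
    """Smooths the score across the session's events, so one odd reading
    nudges the decision while sustained deviation drives it up."""

    def __init__(self, profile, alpha=0.5):
        self.profile, self.alpha, self.score = profile, alpha, 0.0

    def observe(self, observation):
        instant = risk_score(deviation(self.profile, observation))
        self.score = self.alpha * instant + (1 - self.alpha) * self.score
        return round(self.score, 1), access_level(self.score)


# Constructed live events: the legitimate user, and someone holding the
# correct password but typing differently on a different machine at 3 a.m.
LEGIT_EVENT = {"key_hold_ms": 91, "inter_key_ms": 150, "mouse_speed_px_s": 825,
               "screen_w": 1440, "hour_of_day": 10}
IMPOSTER_EVENT = {"key_hold_ms": 140, "inter_key_ms": 260, "mouse_speed_px_s": 1500,
                  "screen_w": 1920, "hour_of_day": 3}


def demo():
    """Score one legitimate event and two consecutive imposter events."""
    profile = build_profile(BASELINE_SAMPLES)
    legit = Session(profile).observe(LEGIT_EVENT)
    imposter = Session(profile)
    first = imposter.observe(IMPOSTER_EVENT)
    second = imposter.observe(IMPOSTER_EVENT)
    return legit, first, second


if __name__ == "__main__":
    for label, (score, level) in zip(("legit", "imposter #1", "imposter #2"), demo()):
        print("%-12s risk=%5.1f -> %s" % (label, score, level))
```

<p>Two design points carry over to real deployments. The cap on each z-score stops a single noisy sensor from dominating the aggregate, and the smoothing means the imposter’s first event lands in a reduced-access tier rather than an immediate termination, while the second event, still deviating, pushes the session over the line. The password was correct in both imposter events; the model never looked at it.</p>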
<p><strong>Model-driven security is essential today</strong></p>
<p>This kind of model-driven control is especially important for privileged users. Cyber weaponry such as that unleashed in the WannaCry and NotPetya attacks goes straight after the privileged user as the target. Against that kind of weaponry there is only one possibility for some level of resilience, and that is privileged user monitoring driven by a model: a mathematical representation of past behavior, and a measurement of actual behavior compared to it.</p>
<p>In real time, that model can reject suspicious privileged access to mitigate the damage. It&#8217;s the only thing that will work.</p>
<p>There’s a whole class of unconventional controls that comprise model-driven security. My own company already has seven implementations of this in production today. Model-driven security is the future of identity and access management, and it’s absolutely essential because bad actors know how to circumvent traditional IAM controls.</p>
<p>The post <a href="/model-driven-security-future-identity-access-management/">Model-Driven Security is the Future of Identity and Access Management</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
