November 19, 2018
November 13, 2018
Insider threats have been a major concern among IT security professionals for decades. Password theft and password sharing have been, and continue to be, among the most harmful of these. Fortunately, with the advent of context-based authentication, organizations now have a powerful mechanism to help prevent insider password theft and abuse.
Some of the most damaging cybercrimes of all time have been committed by insiders. U.S. intelligence agencies will probably never fully recover from the fallout caused by insider Edward Snowden, who used passwords he obtained from coworkers to access and divulge classified material. The U.S. Office of Personnel Management suffered a massive data breach in 2015, when 4.2 million employee accounts were compromised through a government contracting agency.
Of course, not all organizations are as big, or stand to lose as much, as Target or the CIA. But even small enterprises with a modest amount of sensitive data, or firms using single sign-on systems where one password provides access to multiple applications, can suffer significant losses at the hands of a corrupt insider. The 2015 Data Breach study by the Ponemon Institute found the average cost of a breach to be $3.8 million, with the average compromised record costing $154.
In light of these tremendous losses, it’s only natural to ask, “How are these inside crimes being committed?” Sadly, the answer has not changed in many years. Numerous studies have shown that passwords are often the weakest link in the security chain, with password theft being responsible for most significant breaches and attacks. Verizon Data Breach Investigations Reports in the past also confirmed this unfortunate reality, indicating that stolen passwords, now the cause of two out of three breaches, continue to be the most common way that sensitive information is obtained.
Password abuse or theft by insiders is more common than one might think. Insiders obtain their coworkers’ login credentials through countless methods, and while some violators are criminally motivated from the start, others acquire passwords, initially at least, for simple convenience or just out of curiosity. Unfortunately, the mere possession of powerful passwords can entice one to use them inappropriately, and to share or sell them.
Password sharing is a significant problem for organizations today. In most cases, users share passwords as a matter of convenience, even though they know it’s against company policy. It’s common for users to forget a new password and ask a colleague for theirs in order to continue working. Sometimes passwords are shared to work around complicated password policies. Occasionally users are late, or unable to get to their computers to perform a needed task, so they provide passwords to a coworker who logs in for them. InsightExpress, a research firm commissioned by Cisco Systems, studied 2,000 IT professionals in 10 countries and found that 18 percent of employees had recently shared their passwords with coworkers, even though this practice was forbidden. The percentage jumped to 25 percent in some countries. Sadly, in all too many of these cases, despite a benign initial intent, the shared passwords ended up being used inappropriately.
Sticky notes attached to computer monitors, tucked inside drawers, and pinned to cubicle walls often contain IDs and passwords. Intended as an aid for the legitimate user, these little stickers also tell the night janitor or anyone else in the area everything they need to know to access the system. It’s alarming to discover how often a quick search of employees’ work areas will reveal their login credentials.
Network sniffing is easy. It doesn’t take a lot of skill to capture user IDs and passwords traversing the corporate wired or WiFi networks. Hundreds of Internet articles and YouTube videos show how to capture passwords from wireless networks and Ethernet LANs. Furthermore, the necessary software utilities are freely available and easy to find. While many protocols encrypt login credentials, a significant number don’t, and a moderately skilled person can easily see coworkers’ passwords flowing over the network.
Password cracking has been proven time and again to be a relatively simple procedure. Since insiders can generally get their coworkers’ IDs, all a thief needs to do is crack the associated passwords in order to gain unauthorized access. Individually encrypted passwords can often be captured by anyone on the network. Even worse, administrators can access the entire password database. Using freely available “cracking” utilities, most of these passwords can be decrypted within minutes, if not seconds, even so-called “strong passwords”.
Shoulder surfing is another easy way to obtain a password. Many employees work in close proximity. Some actually work together, at least occasionally, at the same desk or system. Stealing a password is as easy as watching a coworker log in. Because it’s embarrassing to ask friends or supposedly trusted onlookers to turn away, most people will go ahead and type their passwords in full view of others who may be watching.
Password retrieval from a browser is also a relatively simple procedure. Most users enjoy the fact that their browsers can capture and replay their ID and passwords for virtually every site or application they connect to, thus automating authentication to those sites. Few realize that it’s a relatively simple procedure for anyone who has access to their browser’s files to extract and decrypt all of those login credentials. At the time of this writing, all of the major browsers are vulnerable to this attack (although some are significantly more secure than others). Several articles available to anyone via the Internet show how a moderately skilled technical person can recover passwords from browser files.
Malware can often be easily introduced by a coworker, either intentionally or accidentally. Password theft is a common objective of modern malware. With malware kits readily available, a semi-skilled insider can easily craft malicious code to grab passwords as users enter them.
Spear phishing targets specific individuals, usually administrators or those with powerful privileges, and entices them to log into an imposter site that captures their password. While this attack is frequently executed by outsiders, insiders are known to use the technique as well, often with greater success.
Social engineering can take many forms, but it usually requires knowing something about the victim. Insiders are in a perfect position to rob users of their passwords this way. Some of cybercrime’s most famous and costly attacks have been brought about by simple social engineering techniques.
Context-based authentication from ThreatMetrix protects organizations from the problems associated with traditional password security. It transparently detects hackers and imposters, even if they possess stolen but valid user IDs and passwords. Password theft is rendered meaningless, so there’s no incentive to use theft techniques like network sniffing, shoulder surfing, password sharing, browser retrieval, password cracking, or malware.
Context-based authentication works by examining the entire scenario surrounding each login attempt, analyzing much more than just credentials. For example, the user’s device is located geographically, and individually and uniquely identified. The device is also profiled for malware, or other threats and anomalies that indicate fraud or hackers. Specific characteristics and behaviors of both the user and the device are gathered from the world’s largest shared Digital Identity Network. Any association with botnets or crime rings is analyzed. Context-based authentication examines all of these elements, allowing the entire situation to be scrutinized and an appropriate risk score to be generated. This risk score is then used to determine, in real time, whether the user is legitimate or not.
Specific policies, established by the organization for each application, determine the thresholds and risks tolerated for access. An organization may, for example, establish policies requiring users to connect with devices registered specifically to them, and to be located within certain geographic regions. Legitimate users with new devices can register them using out-of-band authentication methods. Hackers, on the other hand, are immediately detected and denied access, even with valid IDs and passwords.
This solution allows the system to 1) develop a comprehensive view of everything pertaining to the attempted connection; 2) intelligently establish the level of risk and trust; and 3) make an informed decision as to whether access should be granted.
Utilizing advanced analytics, along with custom policies and rules for each application, context-based authentication provides the following major features:
An essential element of context-based authentication is the ThreatMetrix Digital Identity Network. By leveraging the combined experience and intelligence of thousands of organizations around the world, all battling to detect and defeat cybercrime, ThreatMetrix can detect impostors and attacks that would otherwise be unidentifiable.
ThreatMetrix profiles tens of millions of users and their devices daily, and regularly processes hundreds of millions of logins and related transactions. The Digital Identity Network is the repository for this wealth of data. Devices infected with malware, or associated with botnets or crime rings, are identified. In fact, any device involved in cyberattacks or suspicious activities is noted. When any of those devices later connect to your site, ThreatMetrix informs you of its history and risk, intelligently analyzes your custom policies and rules for the specific application, and helps you determine the correct course of action.
The Digital Identity Network detects, not only high-risk situations, but elements of trust as well. Imagine that one of your users is visiting her sister’s home, and connects to your enterprise application with her sister’s device. The network will likely reveal that the device may be new to your user, but has been known by the ThreatMetrix community for many months with no suspicious history or threats. In fact, the new device might be “trusted” by numerous organizations, which have associated it with step-up authentication or valid transactions. With this information and associated trust scores from ThreatMetrix, you may elect to grant access without requiring step-up authentication, allowing your user frictionless access without compromising security.
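The policy-driven decision described above (registered devices, allowed regions, shared device reputation, and the allow / step-up / deny outcome, including the "sister's device" case) as an added, constructed illustration; this is not ThreatMetrix code, and the field names, weights and thresholds are assumptions chosen for the example:

```python
from dataclasses import dataclass

# Constructed example, not vendor code: a minimal context-based login
# evaluator. Weights and thresholds below are illustrative assumptions.

@dataclass
class DeviceIntel:           # what a shared device-reputation network might report
    days_known: int = 0      # how long the device has been observed anywhere
    trusted_by: int = 0      # organisations that associated it with valid activity
    threats: bool = False    # malware, botnet or crime-ring association

@dataclass
class LoginContext:
    user: str
    device_id: str
    region: str
    intel: DeviceIntel

@dataclass
class AppPolicy:
    allowed_regions: set
    registered_devices: dict   # user -> set of device ids registered out-of-band
    stepup_threshold: int = 30
    deny_threshold: int = 70

def risk_score(ctx: LoginContext, policy: AppPolicy) -> int:
    score = 0
    if ctx.intel.threats:                      # known-bad device: valid password is irrelevant
        score += 80
    if ctx.region not in policy.allowed_regions:
        score += 40
    if ctx.device_id not in policy.registered_devices.get(ctx.user, set()):
        # New to this user; a long clean community history lowers (not removes) the weight
        community_trusted = ctx.intel.days_known >= 180 and ctx.intel.trusted_by >= 3
        score += 10 if community_trusted else 30
    return score

def decide(ctx: LoginContext, policy: AppPolicy) -> str:
    s = risk_score(ctx, policy)
    if s >= policy.deny_threshold:
        return "deny"
    if s >= policy.stepup_threshold:
        return "step_up"   # out-of-band verification, after which the device can be registered
    return "allow"

# Constructed policy: one user with one registered device, US-only access.
POLICY = AppPolicy(allowed_regions={"US"},
                   registered_devices={"alice": {"dev-alice-laptop"}})
```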
The world’s largest and most comprehensive trust intelligence network, created by ThreatMetrix, makes all this possible.
Powerful features available only within context-based authentication can answer critical questions— questions traditional authentication systems can’t even begin to respond to. Because the solution understands the entire authentication scenario, questions like the following can be answered:
All of the above questions should be answered before access to sensitive data or critical applications is granted. But since most traditional authentication systems only evaluate user login credentials, they can’t answer any of them.
ThreatMetrix provides context-based authentication via its SaaS-based ThreatMetrix Cybercrime Protection Platform. This scalable and cost-effective solution allows enterprises, regardless of size, to implement effective authentication for any device, including mobile devices, without impairing the user experience.
The solution is unique in that it contains all of the advanced analytics and processes necessary for context-based authentication in one platform, including the following:
Regardless of an organization’s size, the lion’s share of expensive and damaging cybercrimes have been carried out by, or through, insiders. With stolen passwords being criminals’ most common attack method, it’s crucial that organizations implement mechanisms to protect themselves against password theft and abuse.
While numerous security measures are needed to protect an organization, effective authentication is perhaps the most important, since it is the key to everything else. Encryption is meaningless if an impostor gains access to accounts that are capable of bypassing, disabling or decrypting the data. Audit trails don’t help if they can be modified or erased by cybercriminals who have hacked into privileged accounts. Requiring administrative rights to access sensitive applications or additional security systems is a useless endeavor if fraudsters can become administrators. In short, if the authentication mechanism can be breached, everything else is at risk.
ThreatMetrix’s context-based authentication solution is straightforward to deploy and delivers a cost-effective solution to protect against password theft and abuse, and it does so without altering the experience of legitimate users. In fact, context-based authentication can enhance legitimate user access, providing secure, transparent access to keep users as productive as possible.
Organizations of all sizes should look to context-based authentication solutions as their first line of cyberdefense.