The past few years have been overwhelming when it comes to cybersecurity. As the latest edition of the Data Breach Investigations Report (DBIR) states, it’s difficult to still be surprised by what comes our way in the murky world of cybercrime. Yet the good news is that many of the most common cyber threats can be countered by a good Identity and Access Management (IAM) solution.
Attacks on critical infrastructure: check! Massive supply chain breaches: check! Financially motivated hacker attacks: check! Nation-state attacks on other nations: check! In all, the DBIR investigated almost 24,000 security incidents that happened in 2022, of which over 5,200 were confirmed data breaches. By analyzing these incidents, the researchers came up with seven attack patterns in which these data breaches can be classified, along with an ‘everything else’ category.
Basic web application attacks
Attacks against a web application that are aimed at stealing data. This pattern is: “get in, get the data and get out fast”. To get in, cybercriminals use stolen credentials, exploit vulnerabilities or perform brute force attacks on passwords.
Denial of service
Attacks that are intended to compromise the availability of networks and systems. This includes both network and application layer attacks and continues to be one of the commonest types of cybersecurity incidents.
Lost and stolen assets
Incidents where an information asset went missing, whether through misplacement or malice. The root of the problem is mainly employees losing track of their assets, but external actors then profit from them by selling the lost or stolen assets on.
Miscellaneous errors
Incidents where unintentional actions directly compromised a security attribute of an information asset. Mostly, this concerns employees or partners that have access to your systems. “People are still fallible, and that fallibility can cause data breaches.”
Privilege misuse
Incidents that are predominantly driven by unapproved or malicious use of legitimate privileges. In this pattern, people use the legitimate access granted to them as employees to steal data. They may act alone, or in concert with others.
Social engineering
A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality. According to the report, the human element continues to be a key driver in 82% of all breaches.
System intrusion
Complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware. Ransomware is one of the fastest-growing attack patterns, with a 13% increase in 2022.
IAM to the rescue
It may seem surprising that the patterns listed above still occur when Identity and Access Management alone offers so many countermeasures. IAM offers protection for a number of use cases. Looking at the root cause of these incidents, most can be avoided by helping users secure their access in a more convenient way. The most common risks involve user password management, access rights to different assets, and sharing credentials.
Implementing a zero-trust Identity and Access Management platform helps you protect against these types of attacks.
Hackers try to be cost-effective and the easiest way for them to access an external system is by:
- Guessing: It might seem strange but even after 25 years of informing users about bad password hygiene, the most used password is still 123456. There are lists of these most commonly used passwords, and by doing a bit of research on social media, hackers can easily increase their success rate. The worst practice is to allow a ‘forgotten password’ remedy which asks a couple of questions, like what’s your mother’s maiden name, the name of your first pet…
- Buying: Troy Hunt, the owner of https://haveibeenpwned.com/, verifies multiple lists that anyone can buy on the dark web, containing account information including username and password combinations. On the website, there are almost 12 billion compromised accounts available, and this is only part of what is available to hackers. Since most users use the same password on multiple sites, it is very likely that a username-password combination used in your company is publicly available. Even if you ask your users to change their password every month, the chances are that hackers will figure out which users only change a small portion of their password.
- Calculating by brute force: In a brute force attack, a computer tries every possible combination of characters until it matches a user’s password. Since the computer needs to calculate every possible combination, it doesn’t matter if you use a letter, number, or special character in your password. The key to making it difficult for these algorithms is using long passwords, ideally even whole sentences. But there are two problems with this technique: Computers are becoming ever faster, and with quantum computers on the horizon, the centuries required to hack a long password will become minutes. Secondly, long complex passwords are not easy to enter, so users will lose critical time accessing their systems. They can even lock themselves out if they enter the wrong combination.
- Social engineering: This attack method requires the most effort from hackers since they need to get into contact with their victim and convince them to hand over their credentials or install an application on the victim’s PC. To lower the cost, they use methods like phishing to redirect users to fake websites and lure their victims into ‘giving’ their username and password. This method also works against basic one-time password (OTP) solutions, since the victim can be led to enter the OTP into the fake website as well.
If the target is more valuable (this can be financial, but anyone who can give access to a company’s IT systems is an interesting target), hackers will spend more money and use methods like smishing (with the latest WhatsApp leak, another 500 million phone numbers are now available to hackers) or even pick up the phone pretending to be an IT administrator from your company, your telco, your bank… They then get you to log on to a (fake) website, so that they now have your credentials.
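The guessing, buying and brute-force bullets above all come down to password quality: a password on a public list, a password that is too short to resist exhaustive search, or a "new" password that differs from the old one by a character or two. The following is an added example (not code from the original article or from any product it describes) of the server-side screening an IAM platform can apply when a password is created or changed. The common-password list, the 16-character minimum and the guess rates are constructed/assumed values; a real deployment would screen against a full breached-credential corpus such as the Pwned Passwords data set from haveibeenpwned.com.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Constructed sample of the most common passwords (assumption: a real
// deployment loads a full breached-credential corpus instead).
var commonPasswords = map[string]bool{
	"123456": true, "123456789": true, "password": true, "qwerty": true,
	"welcome1": true, "letmein": true, "admin": true,
}

// MinPassphraseLength is an assumed policy value favouring long passphrases.
const MinPassphraseLength = 16

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance between two strings (rune-wise).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// ScreenPassword returns the reason a candidate is rejected, or "" if it is
// acceptable. old is the previous password when the user is changing it
// (the server sees both at that moment), otherwise "".
func ScreenPassword(candidate, old string) string {
	lower := strings.ToLower(strings.TrimSpace(candidate))
	if commonPasswords[lower] {
		return "appears on the common/breached password list"
	}
	if len([]rune(lower)) < MinPassphraseLength {
		return fmt.Sprintf("shorter than %d characters", MinPassphraseLength)
	}
	if old != "" && levenshtein(strings.ToLower(old), lower) <= 2 {
		return "differs from the previous password by only a few characters"
	}
	return ""
}

// BruteForceYears estimates the time to exhaust every combination for a
// password of the given length over an alphabet of the given size.
func BruteForceYears(length, alphabetSize int, guessesPerSecond float64) float64 {
	seconds := math.Pow(float64(alphabetSize), float64(length)) / guessesPerSecond
	return seconds / (365.25 * 24 * 3600)
}

func main() {
	for _, c := range [][2]string{
		{"123456", ""}, {"Tr0ub4dor&3", ""},
		{"correct horse battery staple 2023", "correct horse battery staple 2022"},
		{"correct horse battery staple 2023", ""},
	} {
		fmt.Printf("%-36q -> %q\n", c[0], ScreenPassword(c[0], c[1]))
	}
	// Constructed guess rate of 1e10/s to show how length dominates the search space.
	fmt.Printf("8 chars: %.2e years, 20 chars: %.2e years\n",
		BruteForceYears(8, 26, 1e10), BruteForceYears(20, 26, 1e10))
}
```

The similarity check is what catches the "change a small portion of the password" habit mentioned under Buying: it can only run at change time, when the user has just supplied the old password, so the server never needs to store anything reversible.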
The best way to counter these types of attacks is to enforce embedded, asymmetric, out-of-band strong user authentication. Let’s take a look at what embedded, asymmetric, and out-of-band mean.
Embedded means that the strong authentication method is integrated into the web or mobile application itself. This ties the authentication mechanism to the device the user enrolled with. If an authentication request comes from another device or application, it can be flagged as suspicious and additional authentication can be requested.
With a symmetric method such as OATH, used by basic OTP generators, it is possible to steal the secret used to generate the OTP. This allows hackers to generate OTPs on another device without the user being aware. An asymmetric method has the advantage that there is a unique pairing between the client and the authentication server, so a hacker also needs access to the device itself.
With out-of-band authentication, there is a gap between the device that generates and validates the authentication, and the application itself. This can be achieved by a push message or scanning an encrypted QR code.
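To make the symmetric/asymmetric contrast concrete, here is an added example (not code from the original article or from any vendor it refers to) that puts an OATH-style HOTP generator next to a device-bound challenge-response scheme. The first half shows that a copied shared secret produces codes the server cannot tell apart from the real device's; the second half has the server hold only a public key from enrolment and issue a single-use random nonce out of band, so a valid response needs the private key that never left the device, and a replayed response is refused. The user names, the push/QR delivery being simulated by a function call, and the use of Ed25519 for the key pair are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// HOTP implements RFC 4226 (HMAC-SHA1, 6 digits), the OATH scheme behind
// basic OTP generators. Generator and server hold the same secret.
func HOTP(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return code % 1000000
}

// SymmetricSecretCopied shows the weakness: anyone holding a copy of the
// shared secret produces codes the server cannot distinguish from the user's.
func SymmetricSecretCopied(secret []byte, counter uint64) bool {
	copied := append([]byte(nil), secret...)
	return HOTP(copied, counter) == HOTP(secret, counter)
}

// Device keeps the private key generated at enrolment; it never leaves.
type Device struct{ priv ed25519.PrivateKey }

// Server stores only public keys plus the challenges it has issued.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string]bool // hex(nonce) -> still outstanding
}

func NewServer() *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// NewDevice generates a key pair on the device and returns the public half
// for enrolment (the "embedded" registration of the app or browser).
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a single-use random nonce; in a real deployment it is
// delivered out of band (push message or QR code), simulated here by a return value.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce
}

// Respond signs the nonce; this is the only step that needs the device key.
func (d *Device) Respond(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Verify accepts a response once, and only from the enrolled key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return false // unknown or already-consumed challenge (replay)
	}
	delete(s.pending, key)
	pub, ok := s.enrolled[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

func main() {
	fmt.Println("copied OATH secret yields same code:", SymmetricSecretCopied([]byte("12345678901234567890"), 0))
	srv := NewServer()
	dev, pub := NewDevice() // "alice" is a constructed user
	srv.Enroll("alice", pub)
	nonce := srv.Challenge()
	fmt.Println("legitimate device:", srv.Verify("alice", nonce, dev.Respond(nonce)))
	fmt.Println("replayed response:", srv.Verify("alice", nonce, dev.Respond(nonce)))
	other, _ := NewDevice() // a different device: has at most the public key
	nonce2 := srv.Challenge()
	fmt.Println("other device's key:", srv.Verify("alice", nonce2, other.Respond(nonce2)))
}
```

Note what a breach of each server exposes: the HOTP server stores the shared secret itself, while the challenge-response server stores only public keys and short-lived nonces, which is the "unique pairing" advantage described above.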
While this might sound complicated, the advantages are twofold:
- User experience: upon registration of the account, users are automatically enrolled into a strong authentication mechanism by registering their browser or mobile application. They don’t need to create a password anymore, just add a pin and activate the biometrics. Next time they log in, they just need to enter their pin or use their biometrics to access the application. Onboarding will go faster, and users will be less frustrated when accessing the application.
- Security: since users don’t need to create a password when onboarding, there is no password to compromise. The encryption used for this mechanism can also be used to encrypt each user’s data uniquely, so that even in the event of a breach a hacker needs each user’s key to get at that user’s data.
Single Sign-On (SSO)
To limit the number of passwords for a user, it’s best to implement protocols that support Single Sign-On, rather than creating new accounts with passwords for each user. If forced to do so, users will use the same credentials across applications. If one application is compromised, the hacker can access any application. This is especially the case when integrating third-party applications into your ecosystem. The best way to secure these systems is by using protocols like OIDC that support authentication using a token. Authentication happens under the control of your company, while access is given automatically by sharing a secure token that is generated on the fly. From a user’s perspective, they can just click the link to the specific resource, and all the authentication and authorization processes happen behind the scenes. If a specific resource needs to be better secured than the original resource the user has been authorized to, systems like step-up authentication can be put in place to elevate security with minimal effort.
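The token hand-off described above, plus the step-up case at the end of the paragraph, is easier to see in code. The following is an added example, not code from the original article and not an OIDC implementation: it issues a compact signed token with issuer, subject, audience, expiry and an assurance-level claim, and the relying application verifies signature, audience and expiry before checking whether the assurance level is high enough for the resource. The HMAC signing key shared between identity provider and application, the `acr` level numbers and the application names are assumptions; real OIDC ID tokens are JWTs typically signed with RSA or ECDSA keys published by the provider.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the token (JWT-like layout, simplified for the example).
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"` // the application the token is meant for
	Expires  int64  `json:"exp"` // Unix seconds
	ACR      int    `json:"acr"` // assumed scale: 1 = pin/biometric, 2 = step-up verified
}

// ErrStepUpRequired tells the application to send the user back for a
// stronger authentication before granting the resource.
var ErrStepUpRequired = errors.New("step-up authentication required")

var b64 = base64.RawURLEncoding

// Issue signs the claims; the identity provider does this once per login.
func Issue(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	body := b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Verify is what the relying application runs on every request: signature
// first, then audience (a token for another app is useless here), expiry,
// and finally the assurance level the requested resource demands.
func Verify(key []byte, token, wantAud string, minACR int, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	sig, err := b64.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != wantAud {
		return nil, errors.New("token issued for another application")
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	if c.ACR < minACR {
		return nil, ErrStepUpRequired
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-shared-signing-key") // assumption for the example
	now := time.Now()
	tok, _ := Issue(key, Claims{Issuer: "idp.example", Subject: "alice", Audience: "crm",
		Expires: now.Add(5 * time.Minute).Unix(), ACR: 1})
	_, err := Verify(key, tok, "crm", 1, now)
	fmt.Println("crm, ordinary resource:", err)
	_, err = Verify(key, tok, "payroll", 1, now)
	fmt.Println("payroll, wrong audience:", err)
	_, err = Verify(key, tok, "crm", 2, now)
	fmt.Println("crm, sensitive resource:", err)
}
```

Because the token is short-lived and scoped to one audience, a token captured from one integrated application cannot be presented to another, which is the failure mode the paragraph warns about when users reuse one password everywhere.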
Most users will access your application on the same device, from the same location. By gathering all this data, you can create session profiles that will increase the security of the next sessions. If an access request comes from an unknown device or a different location, this triggers a risk score, so you can increase the security mechanisms, like asking for a step-up authentication or limiting access to the resource.
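The session-profile idea is a small risk engine: score each deviation from what the user normally does, then map the score to allow, step-up or deny, with stricter thresholds for more sensitive resources. The following is an added example, not code from the original article or from any IAM product: the weights, thresholds, sensitivity scale and the device/country/hour signals are assumptions, and a real engine would tune them from observed data and use many more signals.

```go
package main

import "fmt"

// SessionProfile is what the platform has observed for one user so far.
type SessionProfile struct {
	KnownDevices   map[string]bool
	UsualCountries map[string]bool
	UsualHours     [2]int // local-time window [start, end) of normal activity
}

// NewProfile seeds a profile from the user's first successful session.
func NewProfile(device, country string, startHour, endHour int) SessionProfile {
	return SessionProfile{
		KnownDevices:   map[string]bool{device: true},
		UsualCountries: map[string]bool{country: true},
		UsualHours:     [2]int{startHour, endHour},
	}
}

// AccessRequest is the context of a new login or resource request.
type AccessRequest struct {
	DeviceID    string
	Country     string
	Hour        int
	Sensitivity int // assumed scale: 1 = low, 2 = medium, 3 = high
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up"
	Deny   Decision = "deny"
)

// Assumed weights for the example; a real engine tunes these from data.
const (
	unknownDeviceWeight  = 40
	unknownCountryWeight = 30
	offHoursWeight       = 10
)

// RiskScore sums the deviations of a request from the user's profile.
func RiskScore(p SessionProfile, r AccessRequest) int {
	score := 0
	if !p.KnownDevices[r.DeviceID] {
		score += unknownDeviceWeight
	}
	if !p.UsualCountries[r.Country] {
		score += unknownCountryWeight
	}
	if r.Hour < p.UsualHours[0] || r.Hour >= p.UsualHours[1] {
		score += offHoursWeight
	}
	return score
}

// Decide maps a score to an action; thresholds tighten as the resource's
// sensitivity rises, so a high-value resource asks for step-up sooner.
func Decide(score, sensitivity int) Decision {
	stepUpAt := 40 - 10*(sensitivity-1) // 40, 30, 20
	denyAt := 80 - 10*(sensitivity-1)   // 80, 70, 60
	switch {
	case score >= denyAt:
		return Deny
	case score >= stepUpAt:
		return StepUp
	default:
		return Allow
	}
}

// Evaluate combines scoring and decision for one request.
func Evaluate(p SessionProfile, r AccessRequest) Decision {
	return Decide(RiskScore(p, r), r.Sensitivity)
}

// Learn extends the profile after a session that passed step-up, so the
// new device or location is trusted next time.
func (p *SessionProfile) Learn(r AccessRequest) {
	p.KnownDevices[r.DeviceID] = true
	p.UsualCountries[r.Country] = true
}

func main() {
	p := NewProfile("laptop-1", "BE", 7, 20) // constructed profile
	for _, r := range []AccessRequest{
		{"laptop-1", "BE", 10, 1},
		{"phone-9", "BE", 10, 1},
		{"phone-9", "US", 3, 1},
		{"laptop-1", "US", 10, 3},
	} {
		fmt.Printf("%+v -> score %d, %s\n", r, RiskScore(p, r), Evaluate(p, r))
	}
}
```

Only a session that actually passed the step-up should feed `Learn`; otherwise an attacker's first login from a new device would teach the profile to trust that device.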
Another big risk that involves passwords is users giving away their credentials to help colleagues. As an administrator, you want to secure access to resources and limit the number of people accessing those resources. However, this can result in people sharing their credentials. Especially if you can’t implement a strong authentication mechanism, this means that you don’t control who can access those resources. An access management system that includes good Identity Management with Persona and delegation, allows users to give temporary access to other users. These users can then just use their credentials and, if implemented correctly, can be managed by the users themselves based on the rules you set as an administrator. Good auditing and reporting allow you to keep track of the accessed resources and by whom.
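Delegation replaces "here is my password" with a grant the owner creates under the administrator's rules and that the system audits under the delegate's own identity. The following is an added example, not code from the original article or from any product's delegation feature: the resource directory, the 24-hour maximum duration, the user names and the audit record layout are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a time-boxed delegation created by a resource owner.
type Grant struct {
	Owner, Delegate, Resource string
	Expires                   time.Time
}

// AuditEvent records who accessed what, and on whose behalf.
type AuditEvent struct {
	At       time.Time
	Actor    string // the identity that actually authenticated
	OnBehalf string // the owner whose access was delegated, if any
	Resource string
	Outcome  string
}

// Delegations enforces the administrator's rules over user-managed grants.
type Delegations struct {
	MaxDuration time.Duration     // administrator policy
	owners      map[string]string // resource -> owner (constructed directory)
	grants      []Grant
	Audit       []AuditEvent
}

func NewDelegations(max time.Duration, owners map[string]string) *Delegations {
	return &Delegations{MaxDuration: max, owners: owners}
}

func (d *Delegations) log(at time.Time, actor, onBehalf, resource, outcome string) {
	d.Audit = append(d.Audit, AuditEvent{at, actor, onBehalf, resource, outcome})
}

// Delegate lets an owner hand out temporary access without sharing a
// credential: only the owner may delegate, and policy caps the duration.
func (d *Delegations) Delegate(owner, delegate, resource string, dur time.Duration, now time.Time) error {
	if d.owners[resource] != owner {
		return errors.New("only the resource owner may delegate it")
	}
	if dur <= 0 || dur > d.MaxDuration {
		return fmt.Errorf("duration must be positive and at most %s", d.MaxDuration)
	}
	d.grants = append(d.grants, Grant{owner, delegate, resource, now.Add(dur)})
	d.log(now, owner, "", resource, "delegated to "+delegate)
	return nil
}

// Revoke ends a delegation early (owner-initiated).
func (d *Delegations) Revoke(owner, delegate, resource string, now time.Time) {
	kept := d.grants[:0]
	for _, g := range d.grants {
		if g.Owner == owner && g.Delegate == delegate && g.Resource == resource {
			d.log(now, owner, "", resource, "revoked from "+delegate)
			continue
		}
		kept = append(kept, g)
	}
	d.grants = kept
}

// Access is evaluated against the caller's own identity, so the audit
// trail names the real person even when they act on a colleague's behalf.
func (d *Delegations) Access(user, resource string, now time.Time) bool {
	if d.owners[resource] == user {
		d.log(now, user, "", resource, "allowed (owner)")
		return true
	}
	for _, g := range d.grants {
		if g.Delegate == user && g.Resource == resource && now.Before(g.Expires) {
			d.log(now, user, g.Owner, resource, "allowed (delegated)")
			return true
		}
	}
	d.log(now, user, "", resource, "denied")
	return false
}

func main() {
	now := time.Date(2023, 1, 9, 9, 0, 0, 0, time.UTC) // constructed clock
	d := NewDelegations(24*time.Hour, map[string]string{"payroll": "alice"})
	fmt.Println("alice delegates to bob for 2h:", d.Delegate("alice", "bob", "payroll", 2*time.Hour, now))
	fmt.Println("bob after 1h:", d.Access("bob", "payroll", now.Add(time.Hour)))
	fmt.Println("bob after 3h:", d.Access("bob", "payroll", now.Add(3*time.Hour)))
	for _, e := range d.Audit {
		fmt.Printf("%s %-6s on-behalf=%-6q %s %s\n", e.At.Format("15:04"), e.Actor, e.OnBehalf, e.Resource, e.Outcome)
	}
}
```

The audit line for the delegated access names both the actor and the owner, which is exactly what a shared password destroys: with shared credentials every action looks like the owner's.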
By applying these measures, most of the breaches listed in the DBIR can be avoided. Put an effective IAM solution to work, and the 2023 DBIR will look a lot less gloomy than the previous editions.