Archive for May, 2018

Single Sign On in the Eyes of a Hacker

Monday, May 21st, 2018

By: Jason Hart, CTO, Gemalto Enterprise & CyberSecurity

Querying an unprotected database is one of my favourite ways to get a crowd’s attention, moving from a simple Google search to a list of unencrypted usernames and passwords. Of course, when it comes to passwords, there are many other tricks in a hacker’s bag: circulating phishing emails, running brute-force attacks or getting people to install malware that steals anything they enter into their browser. Malware kits and password cracking tools are affordable and widely available on the dark web.

My work as an ethical hacker and founder of WhiteHat Security, an infosec consulting firm, more than a decade ago led me to recommend that clients implement two-factor authentication (2FA). Putting my money where my mouth was, in 2006 I used WhiteHat Security as a vehicle to acquire CRYPTOCard, with the help of a few angel investors. At the time we acquired CRYPTOCard, it was a traditional, somewhat cumbersome, on-premises 2FA solution. The core objective and key vision for that acquisition was to take something very complicated—namely 2FA—and make it very, very easy for people to consume.

While I served as CEO of the newly acquired company, this vision gradually took shape through the hard work and development of our engineers, until it finally materialized. We took a traditional, on-prem 2FA solution and turned it into the world’s first cloud-based authentication service, known today as Gemalto’s award-winning SafeNet Authentication Service. Unlike other solutions on the market at the time, the service was elegant, fully automated and 100% cloud, integrating with an organization’s existing infrastructure.

Fast forward to today, and the proliferation of cloud-based applications has only exacerbated the password problem. Underscoring the havoc wreaked by unprotected identities, the Breach Level Index shows that 67% of all data breaches can be categorized as identity theft. Identity proliferation has also given rise to password fatigue, ineffective administration and compliance risk.

Case in point, how many of you have left a company, only to retain your access credentials for the corporate webmail or cloud service? A recent joint Ponemon-Gemalto survey found that on average, companies today use 27 cloud apps. That’s 27 consoles from which to revoke or troubleshoot employee identities(!).

Unsurprisingly, to contend with this password pudding, four in ten IT decision makers have already implemented cloud single sign-on as an access management capability, according to the 2018 IAM Index. SSO lifts the burden of passwords from users and sheds hours of lifecycle administration for IT. Individuals can access all their 20 or 30 apps with a single username and password, and IT can define and enforce policies from a single pane of glass.

But there is one caveat. While convenient for end users and efficient for admins, single sign-on does pose a security risk: if that single identity is compromised, hackers can access all of a company’s applications unfettered. Access management takes SSO a step further. By letting you step up authentication before launching a single sign-on session, and even after launching it, you can elevate security where you think it’s needed. In this way, access management offers users the utmost convenience without sacrificing security.

Generally, access management combines four key capabilities: single sign-on, multi-factor authentication, access policies and session management. Working as a trusted identity provider, access management solutions centrally process authentication requests, relaying an accept or reject response to unaffiliated websites, such as Office 365, AWS etc. This kind of central identity verification elevates the level of assurance that a user is who they claim to be. When you log in to a new website with Facebook, Google or Twitter, that’s the new website using Facebook, Google or Twitter as their identity provider. (This kind of integration is performed using an API or an identity federation protocol such as OAuth).

I am confident that thanks to innovations like FIDO, Windows Hello, biometrics, Mobile PKI and contextual authentication, within a decade passwords will be minimized—if not altogether eradicated. Until then, specialized identity providers provide important advantages, such as taking extra precautions to secure your company’s hundreds, thousands or millions of identities. Using strong encryption and key management, an identity provider ensures that your identities and access credentials are kept safe.

Should a cloud service be hacked or a phishing campaign run amok, an identity provider will protect your company’s identities and render passwords insufficient to access your most important assets, keeping them confidential and intact. By providing strong authentication, for example in the form of a one-time passcode (OTP), any attack against static passwords is rendered useless, since the perpetrator would still need to provide the OTP. Combined with contextual attributes, multi-factor authentication could even be used to eradicate passwords altogether.

Considering the mega breaches of cloud service providers (e.g. Yahoo) and their lack of expertise in protecting identities with things like hardware-based encryption and key rotation, enterprises would be well advised to leverage the best of all worlds—the quickest time to value with all flavours of cloud, and the best in security technology from expert identity and data protection providers.

If you’re concerned about keeping your data safe in virtual, cloud and hybrid environments, this is the time to get educated. Learn how to manage the new identity perimeter, or even try our data protection as a service solution now for free. With our latest cloud-protecting services, including SafeNet Trusted Access and Safenet Data Protection On-Demand, it’s never been easier.

View the original post at Gemalto.com.

The Cost of a Data Breach

Wednesday, May 2nd, 2018

How much does a data breach cost? So far, $242.7 million and counting if your company happens to be Equifax. That is how much the company has spent since its data breach that exposed sensitive personal and financial information for nearly 148 million consumers, according to its latest SEC filing. All because it left consumer information unencrypted and in the clear, which was highlighted in testimony before the U.S. Senate Commerce Committee last year.

To put the size and scope of Equifax’s remediation efforts in perspective, in just seven months Equifax has spent nearly what Target spent ($252 million) in the two years after its 2013 data breach. Equifax will likely continue to spend millions for the next several quarters on the cleanup.

For many years analysts and security professionals have tried to estimate what a data breach can cost a company. From the expense of having to upgrade IT infrastructure and security to paying legal fees and government fines, there are a lot of costs, both tangible and intangible. In addition, there are the impacts to a company’s stock price and the erosion of customer trust (“Will they come back?”). For management teams, it can also have a very real impact professionally. For example, the chairman and CEO of Target resigned months after the data breach, and the CEO of Equifax resigned within weeks of its data breach.

Many studies have been done to calculate the cost of a data breach, including the annual Ponemon Institute’s Cost of a Data Breach report which calculates the cost down to the data record. According to the latest Ponemon annual report, the average cost of a data breach is currently $3.62 million globally, which comes to $141 a record. In the U.S., the cost is almost double that at $7.35 million. But do these research reports actually gauge what a data breach will cost a company? At the end of the day, equating data breach damages to a “per record” cost makes data breaches just an actuarial exercise of acceptable risk.

This fits the prevailing sentiment that data breaches don’t cost companies that much. The thinking goes like this. For the breached company, the stock price will take a hit, customers will be enraged and money will be spent notifying customers and upgrading security. But eventually the company recovers and it’s back to normal. After all, so the thinking goes, what is a couple million dollars in IT upgrades and fines to a company that is worth $50 billion?

This type of thinking must change because we are at a tipping point on the implications of data breaches. The costs have become more real to companies and the boards who run them. CEOs and other members of the management team are now losing their jobs because data breaches now have more potential to be life-threatening, if not killers, for companies. Take for example the TalkTalk data breach, which caused the company to lose more than 100,000 customers, and the fact that Yahoo! had to lower its purchase price by $350 million in its acquisition by Verizon. The last and most important factor is that governments are now taking notice and doing something about it. The European Union’s General Data Protection Regulation (GDPR) is a prime example of this, and countries around the world are looking at it as the model for their own regulations.

If the costs and risks of data breaches are increasing (and they are), companies need a radical shift in their approach to data security if they are going to be more successful in defending the sensitive data they collect and store. With organizations extending their business to being cloud- and mobile-first, their attack surface and the likelihood of accidental data exposure continue to grow. These trends all point to a consistent theme: security needs to be attached to the data itself and to the users accessing the data. Only then can companies maintain control of their data in the cloud, manage user access to cloud apps, and keep the data secure when it falls into the hands of adversaries. By implementing a three-step approach (encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and managing and controlling user access) companies can effectively prepare for a breach. It’s being done by many companies today and is also a requirement for transitioning from a strategy optimized for breach prevention to a “Secure the Breach” strategy.

Download Gemalto’s Secure the Breach Manifesto to get your company prepared.

Also, download Gemalto’s 2017 Breach Level Index Report and get insights into data breach incidents by industry, source, type and region.

View the original article by Gemalto.