Moving beyond usernames and passwords

In recent months, you may have noticed an uptick in two-factor and multi-factor authentication prompts, which are being used to verify consumer and business accounts. These tools are gaining more traction to help consumers and businesses protect against identity fraud, data breaches, password skimming, and phishing/ransomware attacks.

Recent stats from the Identity Theft Resource Center (ITRC) show that about 92% of data breaches are cyber-attack-related, and data breaches in Q1 2022 were 14% higher than the same period in 2021.

The ITRC stats also show that in Q1 2022 alone, nearly half (154 of 367) of data breach notices didn’t include the nature of the breach and were designated “‘unknown”. This “unknown” amount was 40% higher than the “unknown” data breach causes for all of 2021.

So how can CISOs prepare their firms to thwart these cybersecurity attacks? They must stay on top of emerging technologies to combat evolving threats, system vulnerability, and bad actors, adapting to constantly changing circumstances.

Cyber hacks in 2022

Already, this year has proven to be full of corporate security exploits. One well-known group referred to as Lapsus$, operating out of South America, has committed several cyber hacks. The group was confirmed to be the perpetrators in the attacks against NVIDIA, Samsung, T-Mobile, and Vodafone.

In the T-Mobile case, Lapsus$ members hacked into T-Mobile’s network in March 2022 by compromising employee accounts, either via phishing or another form of social engineering. Once within the T-Mobile database of customer accounts, the cybercriminals sought to find T-Mobile accounts connected to the US Department of Defense and the FBI.

Lapsus$ also claimed responsibility for a cyberattack against Microsoft. The software giant confirmed that its internal Azure DevOps source code repositories and stolen data were hacked via an employee’s account but added that only limited access was granted.

Another recent breach took advantage of a company’s sales team via social engineering. A cybercriminal who pretended to be a member of the company’s corporate IT department reached out to the organization’s salespeople with requests for CRM log-in credentials. Ironically, this request was made under the guise of installing additional layers of security for the users and their critical systems to become more secure.

Unfortunately, at least one salesperson fell for the ruse, and the criminals were able to access their credentials, gain access to the company’s CRM system, and download targeted portions of the customer database. 

These types of attacks are becoming more common and are more difficult to solve given traditional access control methods.

Implementing multi-factor authentication

For CISOs, it’s become imperative to implement two-factor authentication (2FA) – at a minimum – for access to all computers, servers, infrastructure services, and business applications. Adding 2FA is helping keep hackers and cybercriminals at bay, preventing them from gaining access to systems. Although even these solutions can be circumvented by clever techniques.

Some companies use physical security keys for an additional layer of data protection. For example, physical security keys can help halt phishing attacks when multi-factor authentication is available. They are available in several formats, are easy to use, and generally are an inexpensive means for protecting data security.  

Other security measures that leverage existing employee devices have been introduced to combat the example above of the unsuspecting salesperson giving system log-in credentials away. For example, one company has developed a user and transaction specific QR code– a Nametag* code– that is matched to all employees in the company, including IT administrators. If a person in the company gets a request to share log-in details or some other critical data, this dynamic code verifies the request – the identity, intent, and permission to complete the transaction are all verified and approved. Without it, the request is not valid.

Solving the password problem

How do we solve the user password problem? Are technology solutions the answer? For example, can IT pros heighten data security by linking a person’s username/password to the physical proximity of their device? And are deeper levels around training, management, and user behavior necessary?

Opportunity abounds for innovation. A few start-ups are tying together behavioral biometrics for IT identity management* purposes. The platform assesses several factors about individuals, for instance, how a user walks, speaks aloud, types on their keypad, or moves a mouse. Individually, these factors might not be sufficient to confirm a user’s identity. But when several of these are combined, these characteristics can create a unique biometric that identifies a user with nearly 100% accuracy.

In an increasingly remote/hybrid work and volatile world, CISOs must protect access to data in multiple ways and strive to:

• Learn, understand and be vigilant to the types of evolving tools and tactics that cybercriminals are actively using.
• Have a cyber-attack plan or incident response playbook ready to go.
• Prepare containment and mitigation strategies and guidelines for events during (or after) an attack.
• Get up to speed on new AI-based technologies that can help minimize cybersecurity risks.
• Share data knowledge and security alerts with other businesses and government/cyber security communities to help others become more aware of potential threats and how to best mitigate these potentially damaging events.

With malevolent external forces on the rise and the war in Ukraine creating additional IT security pressure, it is paramount for CISOs to ensure that this most basic form of access is vigilantly guarded against new and ever-evolving security risks.

*Disclosure: Glasswing is an investor in these cybersecurity startups.

Cyberattacks, Data and Information Security, Risk Management