Phish-Proof Users: Stop Attackers with Stolen Credentials and Ways Past 2FA

June 20, 2018

Humans are often literally the weakest link. Cybercriminals have increasingly targeted users as a preferred attack vector, and for good reason. We click on links, we fall for scams, we unknowingly provide our credentials to attackers. Simply stated, “to err is human.”

The Problems

Passwords are protecting ~40% of our assets, and 81% of breaches involve weak or stolen passwords, so many attackers are simply walking in the front door undetected because they possess valid credentials. Whether an attacker phishes credentials, buys them on the dark web or guesses them, it’s the path of least resistance. We need to do a better job than relying on credentials alone for access.

Attackers go undetected for ~99 days, which is plenty of time to recon and exfiltrate whatever prize they are after. With the average cost of a US breach now reaching $7.3M, the urgency to improve security is high. But despite increased security spending in 2017 ($90B), breaches rose 40%. Bottom line: what we are doing, as a whole, is not working!

Many are in a rush to deploy 2FA and have on average covered 60% of assets, but a growing number of 2FA methods are being bypassed by attackers. To read more about which 2FA methods are being exploited, see Identity 101: Why Two-Factor Authentication Is Not Enough.

The Solution

Long, complex passwords, changing passwords frequently, educating users on typical phishing scams, 2FA that forces multiple daily disruptions, 2FA that is vulnerable to bypass by attackers: collectively these approaches are not having the desired effect. We have to look beyond traditional methods.

Adaptive authentication, risk-based authentication and zero-trust authentication are all rooted in the same concept: look at hard-to-disguise characteristics to help determine the legitimacy of your users. By checking location, device, IP address, account type, and behavior, we get a more well-rounded and complete view of a user trying to access our systems and data.

An Example

Say, for example, an attacker has stolen credentials and has taken over an employee’s phone for 2FA verification. That attacker would be able to traverse both password-only and 2FA-protected assets. But if we check…

Location, we may see that this attacker is coming from an unauthorized geography, one where we don’t have any employees, contracts, partners, or customers.

Device, we may notice that it’s not recognized and/or that the phone has been recently ported.

IP address against our threat service feeds, we may see that this access request is coming from an anonymous proxy or that the IP address was involved in previous nefarious activity.

Account type tells us how attractive a particular user is to an attacker (e.g. sensitive or privileged access), so we can interrogate access requests from those accounts more closely.

Behavior can tell us many things, particularly if certain behaviors are out of the ordinary for a particular user.

All of these threat checks would help to unmask an attacker where previous efforts, password and 2FA, failed. SecureAuth offers more threat checks than any other vendor. This heightened security can actually deliver a more positive user experience too. Because we are evaluating so many characteristics about a user, if no red flag shows up, we can let them through without a 2FA step. In fact, out of the 617 million authentications we protected last year, 90% didn’t have to take a 2FA step to verify who they were.
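The checks above combined into a single access decision, as an added example that is not SecureAuth's code. The policy data, field names, thresholds and the rule that a recently ported phone forces a denial are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data (assumptions for illustration, not from the article).
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
KNOWN_DEVICES = {"alice": {"dev-7f3a"}, "bob": {"dev-11c2"}}
THREAT_FEED = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a proxy/abuse feed
PRIVILEGED = {"bob"}
USUAL_HOURS = {"alice": range(7, 20), "bob": range(8, 18)}  # typical login hours, UTC

@dataclass
class AccessRequest:
    user: str
    country: str
    device_id: str
    phone_recently_ported: bool
    ip: str
    hour_utc: int

def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location")
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        reasons.append("device")
    if req.phone_recently_ported:
        reasons.append("ported_phone")
    if any(ipaddress.ip_address(req.ip) in net for net in THREAT_FEED):
        reasons.append("ip_reputation")
    if req.hour_utc not in USUAL_HOURS.get(req.user, range(0)):
        reasons.append("behavior")
    if not reasons:
        return "allow", reasons  # no red flag: password alone, no 2FA prompt
    # Account type: privileged users tolerate fewer flags before denial.
    deny_at = 2 if req.user in PRIVILEGED else 3
    # A recently ported phone undermines phone-based 2FA, so step-up is pointless.
    if "ported_phone" in reasons or len(reasons) >= deny_at:
        return "deny", reasons
    return "step_up", reasons

if __name__ == "__main__":
    usual = AccessRequest("alice", "US", "dev-7f3a", False, "198.51.100.10", 10)
    hijack = AccessRequest("alice", "ZZ", "dev-0000", True, "203.0.113.45", 3)
    print(evaluate(usual))   # routine login
    print(evaluate(hijack))  # stolen password plus hijacked phone
```

The same two soft flags (unknown device, unusual hour) yield a step-up for the ordinary account and a denial for the privileged one, which is the account-type check in action.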

Raising security and improving the user experience without requiring a human burden, that’s phish-proofing your users and your organization. The more we can remove humans from the authentication process, the better.

Watch our webinar on-demand "Phish-Proof Users: Stop Attackers with Stolen Credentials and Ways Past 2FA" here!

 
