Diving into the magic of two-factor authentication

02 Oct 2017

With data breaches increasing in frequency and severity globally, many enterprises and government institutions failed to escape the fate of becoming the headline. In January 2017, a desktop computer containing voter data was stolen from the Commission on Elections (COMELEC) of the Philippines.

Earlier this year, the Ministry of Defense (Mindef) and two of the biggest universities in Singapore fell prey to separate episodes of cyber espionage. While no classified government data was reported stolen, cyber security took the national spotlight as fear of further attacks rippled across the city-state.

Cyber security incidents that lead to downtime or data thefts are announced almost daily, and there's no knowing who could be next. What is likely is that businesses in the Asia Pacific region will be hit hard – Telstra has found that nearly six in 10 organisations in Asia (59 percent) detected a security breach that interrupted business at least once a month. Businesses have accepted they will likely be the next victim. Conversations are transitioning from “how can I avoid a breach?” to “how can I protect myself and minimise the damage?”

The 2017 Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches involved stolen or weak (easy-to-guess) passwords. A hacker who obtains usernames and passwords, as in the Mindef instance, can use them as a foothold from which to obtain more privileged access, and from there reach the material that cyber espionage targets.

What compounds the impact of security breaches is the fact that users consistently use similar or even the same passwords for multiple online accounts such as iTunes, Facebook, and even online banking.

In the Cyber Security Agency of Singapore’s Cybersecurity Public Awareness Survey, 31 percent of respondents said they used the same passwords for work and personal accounts. This is human nature – there is less risk of losing access to favourite services if the password used is just one of a handful, but it also means that a single stolen password can be used to compromise more than one account.

Accepting some inconvenience in exchange for better security should be easy enough for individuals. For example, they can use a different password for each online account they own. They can prevent their browsers from saving passwords and type them in each time access is needed. Users should also opt to use two-factor authentication wherever it is offered.

Two-factor authentication is the practice of requiring additional assurance that you really are who you claim to be when logging on. A password (the first factor – something the user knows) is initially required, followed by a second factor that comes from something that the user possesses.

This practice makes it difficult to break into an account even if the user name and password are both known. An ATM card used with a PIN to withdraw money is a familiar example: the card is something you have, the PIN something you know. A one-time password (OTP) is another common second factor. The OTP, typically a six to eight-digit code derived from a secret held in a hardware token or mobile app, or sent by text message to a mobile phone, counts as a second factor because producing it normally requires a separate device to be present. Not all OTP channels are equal: a code delivered by SMS can be intercepted or redirected (for example through SIM-swap fraud), so an authenticator app or hardware token is the stronger choice where it is available.

Businesses need to make drastic changes to avoid the repercussions of security breaches, which include damaged corporate reputations and lost revenue. The Cybersecurity Bill released by the Cyber Security Agency of Singapore, for example, imposes hefty fines for failing to conduct regular risk assessments and to secure personal information. Yahoo's breach disclosures, the last as recently as December 2016, led to a US$350 million cut in the price Verizon paid for the company and delayed the closing of the acquisition.

In addition to enhancing the security of users’ credentials with two-factor authentication, more effective privileged account management can also greatly mitigate risk and reduce the exposure surface for businesses. Hackers can use compromised passwords to gain access to a corporate account and then through social engineering tactics, work on obtaining a more privileged account.

Most privileged accounts, such as those of system administrators and senior management, offer access to the parts of the corporate network where sensitive information is likely to reside. Three practices are key: eliminating the sharing of privileged accounts, monitoring what administrators do with those credentials, and implementing a "least privilege" model in which everyone is issued only the permissions necessary to do their job and no more. After all, even if a user account is compromised, without the privileged access that is the real target, the potential for damage is greatly reduced.
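One concrete way to monitor for the shared-privileged-account problem described above is to look for a privileged account that authenticates from several distinct hosts within a short window. The following is an added example (not code from the article or from One Identity) that runs that check over a handful of constructed, syslog-style authentication lines; the log format, the host addresses and the list of privileged account names are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real data, not from the article).
SAMPLE_LOGS = """\
2017-09-30T08:01:12Z auth user=dbadmin src=10.0.5.21 result=success
2017-09-30T08:03:40Z auth user=dbadmin src=10.0.7.88 result=success
2017-09-30T09:15:02Z auth user=jlee src=10.0.5.21 result=success
2017-09-30T12:30:00Z auth user=dbadmin src=10.0.5.21 result=success
2017-09-30T23:10:55Z auth user=root src=10.0.9.3 result=success
2017-09-30T23:11:30Z auth user=root src=10.0.9.4 result=failure
2017-09-30T23:11:45Z auth user=root src=10.0.9.4 result=success
2017-09-30T23:12:05Z auth user=root src=10.0.9.5 result=success
"""

# Assumed list of accounts that carry elevated rights in this environment.
PRIVILEGED = {"root", "dbadmin", "Administrator"}


def parse_line(line: str):
    """Split 'timestamp auth key=value ...' into a datetime and a field dict."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def find_shared_use(log_text: str, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {account: sorted source hosts} for every privileged account that
    logged in successfully from two or more distinct hosts within `window`.
    One person does not normally sit at two machines at once, so this is a
    useful (if not conclusive) indicator that the credential is being shared."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("result") == "success" and f.get("user") in PRIVILEGED:
            logins[f["user"]].append((ts, f["src"]))

    alerts = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, src0) in enumerate(events):
            hosts = {src0}
            for t1, src1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                hosts.add(src1)
            if len(hosts) >= 2:
                alerts[user] = sorted(hosts)
                break  # one alert per account is enough for this report
    return alerts


if __name__ == "__main__":
    for user, hosts in find_shared_use(SAMPLE_LOGS).items():
        print(f"possible shared use of privileged account {user!r} from {hosts}")
```

Only successful logins count, so the failed `root` attempt from 10.0.9.4 does not by itself contribute a host; the later success from that address does. The same logic applies whether the source is a Windows security log or a Linux auth log, once the timestamp, account and source host have been extracted.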

When a breach occurs, the attackers may have used any of a wide range of methods to gain access. And while we cannot know whether the organisations named here lacked two-factor authentication or practised weak privileged account management, what is certain is that strengthening authentication and locking down privileged accounts both reduce a business's exposure. These technologies and practices should be implemented as known ways to mitigate cyber attacks.

Article by Lennie Tan, vice president & general manager, One Identity, Asia Pacific & Japan.