Diving into the magic of two-factor authentication
With data breaches increasing in frequency and severity globally, many enterprises and government institutions failed to escape the fate of becoming the headline. In January 2017, a desktop computer containing voter data was stolen from the Commission on Elections (COMELEC) of the Philippines.
Earlier this year, the Ministry of Defense (Mindef) and two of the biggest universities in Singapore fell prey to separate episodes of cyber espionage. While no classified government data was reported stolen, cyber security took the national spotlight as fear of further attacks rippled across the city-state.
Cyber security incidents that lead to downtime or data thefts are announced almost daily, and there's no knowing who could be next. What is likely is that businesses in the Asia Pacific region will be hit hard – Telstra has found that nearly six in 10 organisations in Asia (59 percent) detected a security breach that interrupted business at least once a month. Businesses have accepted they will likely be the next victim. Conversations are transitioning from “how can I avoid a breach?” to “how can I protect myself and minimise the damage?”
The 2017 Verizon Data Breach survey revealed that 81 percent of data breaches involved either stolen passwords (including passwords that are easy to guess). A hacker who manages to gain usernames and passwords, as in the Mindef instance, could use this information to ultimately obtain more privileged access that leads directly to materials that can be used for cyber espionage.
What compounds the impact of security breaches is the fact that users consistently use similar or even the same passwords for multiple online accounts such as iTunes, Facebook, and even online banking.
In the Cyber Security Agency of Singapore’s Cybersecurity Public Awareness Survey, 31 percent of respondents said they used the same passwords for work and personal accounts. This is human nature – there is less risk of losing access to favourite services if the password used is just one of a handful, but it also means that a single stolen password can be used to compromise more than one account.
Accepting some inconvenience in exchange for better security should be easy enough for individuals. For example, they can use a different password for each online account they own. They can prevent websites from saving passwords, typing them in each time access is needed. Users should also opt to use two-factor authentication where it is offered.
Two-factor authentication is the practice of requiring additional assurance that you really are who you claim to be when logging on. A password (the first factor – something the user knows) is initially required, followed by a second factor that comes from something that the user possesses.
This practice makes it difficult to hack into an account if the user name and the password are both known. An ATM card used with a PIN to withdraw money is an example of two-factor authentication. A one-time password (OTP) is another easy way to implement two-factor authentication. The OTP, typically a random eight to 10-digit number generated with a hardware token, through a mobile app, or sent by text message to a mobile phone, is considered the second factor as it usually requires a separate device to be present.
Businesses need to make drastic changes to avoid the repercussions of security breaches, which can include damaged corporate reputations and even lost revenue. The Cybersecurity Bill released by The Cyber Security Agency in Singapore imposes hefty fines for failing to conduct regular risk assessments and secure personal information, for example. Yahoo’s breach disclosures, the last as recently as December 2016, have led to a US $350 million decrease in the valuation and delays in the closure of the acquisition by Verizon.
In addition to enhancing the security of users’ credentials with two-factor authentication, more effective privileged account management can also greatly mitigate risk and reduce the exposure surface for businesses. Hackers can use compromised passwords to gain access to a corporate account and then through social engineering tactics, work on obtaining a more privileged account.
Most privileged accounts, such as those of system administrators and senior management, offer access to parts of the corporate network where sensitive information is likely to reside. Eliminating questionable practices such as the sharing of privileged accounts, monitoring what administrators do with those credentials, and implementing a “least privilege” model where everyone is issued only the permissions necessary to do their job and no more –are key. After all, even if a user account is compromised, without the privileged access that is the real target, the potential for damage is dramatically minimized.
When a breach occurs, hackers may have used a wide range of methods to gain access. And while we may not know whether the organisations named here lacked two-factor authentication or practised weak privileged account management, what is certain is that strengthening authentication and locking down privileged accounts are both key actions that can reduce vulnerability for businesses. Such technologies and practices should certainly be implemented as known ways to mitigate cyber attacks.
Article by Lennie Tan, vice president & general manager, One Identity, Asia Pacific & Japan.