The post How to Leverage a Contact-free Authentication Solution for the Workforce appeared first on CISO MAG | Cyber Security Magazine.
By Michael Engle, Chief Strategy Officer, 1Kosmos, and Nick Roquefort-Villeneuve, Director of Marketing, 1Kosmos
Three Workforce Authentication Challenges
1. Leveraging Passwords
Some employees have no problem remembering different usernames and passwords. Others enter a password incorrectly three times, get locked out, and start speed-dialing the Help Desk. And a few rely on the good old post-it note stuck to their monitor, in plain view of everyone.
To make matters worse, IT departments insist on complex formats for passwords: between eight and sixteen characters long with at least one uppercase letter, one number, and one special character. How is anyone going to memorize that type of password? Moreover, IT also enforces a password change every 30 or 60 days. For many folks, those requirements compounded by multiple systems can be overwhelming, resulting in a proliferation of the infamous post-it notes and Help Desk calls. To get around this challenge, some use the same password for multiple logins or services.
This ecosystem creates inefficiencies, such as loss of productivity and increased costs. Did you know, for example, that replacing one password can cost up to $70? Yes, that’s what it can cost in human capital and machine resources to handle one password reset request!
2. Leveraging 2FA and MFA Solutions
To prevent accounts from being compromised because a password was “stolen” and to strengthen the level of user authentication, many organizations have implemented two-factor authentication (2FA) or even multi-factor authentication (MFA) solutions. That is when you submit your username and password and then receive, for example, a text message prompting you to enter a code online.
Those solutions certainly make it slightly harder to compromise an account; however, they are not foolproof. Ultimately, a hacker can steal a username, a password, and a mobile number stored inside a company’s centralized system. There are also MFA solutions that require a piece of hardware such as a security key (a hardware token like Google Titan), but that comes at a cost: paying for each physical token and allocating resources for the hardware’s maintenance. The security key can also be lost or stolen.
3. Leveraging Some Passwordless Solutions
To mitigate the risks MFA solutions incur, biometrics have been added into the mix. This is what passwordless applications offer, with biometric features such as Touch ID, Face ID, or the more advanced iris recognition. A login page, a QR code scanned from a mobile application, a biometric-based authentication, and the employee is in. No more username and password needed! The mobile phone is something the employee has, and the biometric data is something the employee is. The problems with those solutions are high implementation costs and heavy data storage. For example, facial recognition requires top-quality cameras and advanced software to ensure accuracy and speed. Moreover, the high-quality images required for facial recognition take up a significant amount of storage.
So, is there an alternative?
A robust contact-free authentication solution for the workforce should focus on identity proofing and therefore be built on three identity pillars: enrolling, authenticating, and verifiable credentials. Each pillar needs to interact with the others to ensure that identity remains the number one priority. This is the core architecture of the BlockID platform.
1. Enrolling with Claim Triangulation
An employee’s enrollment should consist of triangulating a given claim with a multitude of company or government-issued documents and sources of truth, including advanced biometrics.
For example, by enrolling an employee’s driver’s license and passport (government-issued documents), we are able to verify, in real time, the validity of each document by querying the proper databases (sources of truth) and to triangulate several claims (first and last name, address, date of birth, photos) simultaneously, before adding an extra source of truth to our ID proofing process: a liveness test. The liveness test verifies that the employee’s biometric traits come from a living person rather than from an artificial or lifeless representation.
We leverage additional sources of validation, such as the passport chip, to confirm that the passport scanned during the enrollment process matches its digitally signed data. We can also introduce credit cards, bank accounts or loyalty programs, among others, to reach the highest level of identity assurance per the NIST 800-63-3 guidelines, IAL3.
2. Authenticating
BlockID uses advanced biometric authentication, a security process that relies solely on the unique biological characteristics of the employee to verify that they are who they say they are. Our advanced biometric authentication technology, using a liveness test, compares the captured biometric data to stored, confirmed factual data in the BlockID Blockchain Ecosystem. A liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a deterrent effect on criminals who would rather not share their face with the company they are targeting.
The BlockID authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.
3. Verifiable Credentials
The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials (in their digital form) that users can share with third parties and with explicit consent.
A verifiable credential is a credential that was issued by a trusted authority for, and only for, the user. It is a tamper-evident credential based on W3C standards, and its authorship can be cryptographically verified. Schematically, issuers create verifiable credentials, users store some of them, and verifiers ask for proofs based upon them. When identity needs to be confirmed, the user chooses which credentials are to be verified.
The BlockID verification process eliminates the tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, thus reducing data verification costs in the process. This mechanism means that the user remains in control and retains ownership of his or her identity, by electing what to disclose and to whom.
4. Employee Data Stored Encrypted in a Decentralized Ledger
BlockID leverages the BlockID Private Blockchain Ecosystem to store employees’ encrypted data. The benefits of using a decentralized system are multiple, from being virtually uncompromisable to initiating peer-to-peer transactions while ensuring the immutability of the data stored. Such a system promotes transparency and consequently creates trust between employers and their employees who need to access corporate systems and applications. Employees own their data and choose to share only the information that is required to access a specific solution. And it is W3C compliant.
BlockID is the next-generation contact-free authentication solution for the workforce that leverages advanced biometrics and distributed ledger technology. The application unifies physical and logical access, allowing all employees to use a single smartphone app for all kinds of access, whether to enter a highly secure data center through a mantrap, to log into Unix or Salesforce, or to unlock a workstation without connectivity.
ADVERTORIAL
About the Authors
Michael Engle is the Chief Strategy Officer at 1Kosmos. He is a seasoned information technology executive, leader, and entrepreneur. Engle is an expert in information security, business development and product design/development. He has experience running large teams and multi-million-dollar projects for a Fortune-100 bank as well as working with startups that need to set direction and go from “zero to one” as it is now commonly called. As a co-founder of Bastille Networks, he helped raise over $40 million in VC to create a powerhouse in the RF security sector. As a Senior VP at Lehman Brothers, Engle was instrumental in designing and implementing the bank’s security program.
Nicolas Roquefort-Villeneuve, a French and American bi-national, is the Director of Marketing at 1Kosmos. He is an influential technology and communication marketing executive and an entrepreneur at heart. Roquefort-Villeneuve has 22 years of marketing experience with Fortune 100 companies (Mattel, E*Trade), startups, and as an independent consultant. He is also an award-winning documentary filmmaker. In the last three years, Roquefort-Villeneuve has become an expert in marketing new technologies such as Blockchain. He has earned a MSc in Econometrics from the Université Paris 1 and an MBA from the University of San Francisco.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the authors and do not reflect the views of CISO MAG.
The post 3 Signs That Your Company Has A Security First Mindset appeared first on CISO MAG | Cyber Security Magazine.
By AJ Yawn, Cloud Security Expert
This finding from the survey may sound a lot like DevSecOps, a concept in the security industry that is gaining more and more traction as teams embed security into the software development lifecycle. DevSecOps is Security + DevOps (Development + Operations) running together as a single, cohesive unit. The underlying principle of DevSecOps is to unite security teams and application developers, creating a collaborative environment where security is a shared responsibility in the continuous integration/continuous deployment (CI/CD) pipeline. DevSecOps is often focused on adding new security tools to integrate security into the software development lifecycle. The DevSecOps mentality does not have to be restricted to development teams; it shows itself through three cultural security shifts in organizations.
As security practitioners, we should aim to add security as a cohesive component of every part of the organization. The results of this survey show that technologists understand the benefits of integrating security and privacy at the beginning of the cloud migration process. Early inclusion of security and privacy will ensure infrastructure choices, availability planning, and compliance risks are examined before any business decisions are made.
It can be argued that cloud migration should not be the trigger to integrate security as an integral part of all organizational processes. Adopting a security-first culture allows organizations to implement the DevSecOps culture whether they are migrating to the cloud or not. There are a couple of actions that organizations can implement to ensure that security, privacy, and compliance are embedded in all organizational processes.
One of the reasons organizations implement DevSecOps is to prevent a security incident or event from occurring. DevSecOps is a cultural shift, not just a series of tasks or checkboxes to complete as you move through your CI/CD pipeline. This requires organizations to adopt the mind of a security practitioner which means everyone in the organization acknowledges that it is not a matter of if a vulnerability or flaw will be identified, but a matter of when. Assuming you will be breached or hacked changes the conversation internally and influences decision making on tools, technologies, and migration strategies. This shift in thinking will encourage security-conscious individuals outside of the security team to look forward to finding flaws and reporting them to the security team.
The development and growth of security-conscious employees in every department is an indicator of a strong security culture.
A security-first culture eliminates the blame game from cybersecurity-related issues and encourages a culture of fact-finding, issue-spotting, and investigation. We are no longer asking “who wrote this code?” when a vulnerability is discovered. This cultural shift means we are now asking:
Those questions are specific to application security; however, it is important to reiterate that this is much more than just securing your application and integrating security tools into your CI/CD pipeline. A cultural shift involves all employees and departments considering the security implications of their processes and actions. For example, in a mature cybersecurity environment, the human resources (HR) team is educated on the implications of onboarding processes and procedures for your cybersecurity compliance assessments. This understanding facilitates an open line of communication between HR reps and security team members. This open line of communication facilitates collaboration on potential solutions that can alleviate the manual work of HR teams monitoring and proving compliance with cybersecurity regulations and frameworks, with the end goal of an automated security and compliance monitoring process that ensures new hires are onboarded according to your applicable compliance standards (i.e., background checks performed, access requests created, security awareness training completed, etc.).
Security automation has become increasingly important due to the thousands of threats facing organizations daily. It is virtually impossible to manually identify, protect against, detect, respond to, and recover from security events or incidents.
Automation will not work without a deep understanding of the business processes and risks security professionals are trying to automate. For this reason, the cultural shift described above is imperative to begin before implementing automation strategies. Automation makes security easy and reduces the burden on understaffed and under-resourced security teams.
When considering automation strategies, security practitioners must adapt security to the business processes and not expect business units to adapt to security. Security must remain an enabling function not a blocking function for automation to work. Security in the cloud requires and encourages automation of key security controls.
As organizations undergo annual compliance assessments, they should aim to make security controls programmable and automated wherever possible. Multifactor authentication (MFA) flaws and public storage services (specifically AWS S3 buckets) are two common risks facing organizations that would best be addressed through automation. For example, on AWS a simple, automated Force MFA and S3 Bucket Security configuration would significantly reduce two key security risks facing the organization without requiring the security team’s manual intervention.
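The two controls named above, forcing MFA and locking down S3 buckets, are good candidates for automation because both are decided by configuration that a script can read and evaluate. The following is an added example, not the article's code and not an AWS tool: it embeds the widely used AWS IAM statement that denies everything except MFA self-service when no MFA is present, evaluates that one statement against constructed request contexts, and audits each bucket's S3 Block Public Access settings over a constructed account snapshot. The bucket names are made up; IAM and S3 themselves do the real enforcement, this only shows what the configuration decides.

```javascript
// Added example, not the article's code nor an AWS tool: the widely used
// "deny everything except MFA self-service unless MFA is present" IAM
// statement, a tiny evaluator for that single statement, and an audit of
// each bucket's S3 Block Public Access settings over a constructed snapshot.
const forceMfaStatement = {
  Sid: 'DenyAllExceptListedIfNoMFA',
  Effect: 'Deny',
  NotAction: [
    'iam:CreateVirtualMFADevice', 'iam:EnableMFADevice', 'iam:GetUser',
    'iam:ListMFADevices', 'iam:ListVirtualMFADevices', 'iam:ResyncMFADevice',
    'sts:GetSessionToken',
  ],
  Resource: '*',
  // BoolIfExists also matches when the key is missing from the request
  // context (e.g. calls made with long-term access keys), so those are denied too.
  Condition: { BoolIfExists: { 'aws:MultiFactorAuthPresent': 'false' } },
};

// The same statement with a plain Bool operator: a common misconfiguration,
// because a request context without the key never matches.
const weakMfaStatement = {
  ...forceMfaStatement,
  Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'false' } },
};

// Returns true when `stmt` denies `action` for this request context.
function deniedByStatement(action, requestContext, stmt) {
  if (stmt.Effect !== 'Deny' || stmt.NotAction.includes(action)) return false;
  const [[operator, keys]] = Object.entries(stmt.Condition);
  const [[key, wanted]] = Object.entries(keys);
  const present = Object.prototype.hasOwnProperty.call(requestContext, key);
  const value = present ? String(requestContext[key]) : undefined;
  if (operator === 'BoolIfExists') return !present || value === wanted;
  if (operator === 'Bool') return present && value === wanted;
  throw new Error('unsupported condition operator: ' + operator);
}

// S3 Block Public Access: all four flags must be true for the bucket to be
// closed to both public ACLs and public bucket policies.
const PUBLIC_ACCESS_FLAGS = [
  'BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets',
];

// Returns the names of buckets whose configuration is missing or incomplete.
function bucketsNeedingRemediation(buckets) {
  return buckets
    .filter((b) => {
      const cfg = b.PublicAccessBlockConfiguration || {};
      return PUBLIC_ACCESS_FLAGS.some((flag) => cfg[flag] !== true);
    })
    .map((b) => b.Name);
}

// Constructed sample snapshot (bucket names are made up).
const sampleBuckets = [
  { Name: 'payroll-exports', PublicAccessBlockConfiguration: {
      BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true } },
  { Name: 'marketing-assets', PublicAccessBlockConfiguration: {
      BlockPublicAcls: true, IgnorePublicAcls: false, BlockPublicPolicy: true, RestrictPublicBuckets: true } },
  { Name: 'legacy-logs' }, // no Block Public Access configuration at all
];
```

The detail that matters in practice is the condition operator: with `BoolIfExists` a request whose context lacks `aws:MultiFactorAuthPresent` is denied, with `Bool` it slips through, and the evaluator above returns a different answer for the same empty context depending on which statement it is given. The bucket audit treats a missing configuration the same as an incomplete one, which is the conservative reading a compliance assessment expects.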
An “automate everything” mentality encourages your organization and security professionals to consistently identify simpler and better ways to perform key functions.
Implementing security, privacy, and compliance earlier in the process for all projects, including cloud migrations, makes security easier for everyone involved. It makes sense that over two-thirds of survey respondents believe this is a top security concern when migrating to the cloud. It also makes sense to begin taking the initial steps to integrate security within your overall organizational culture encouraging a relentless focus on automating security.
About the Author
AJ Yawn is a cloud security subject matter expert who has over nine years of senior information security experience and extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. He has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.
The post Social Media Trends Can Lead to Cyber Fraud: FBI appeared first on CISO MAG | Cyber Security Magazine.
“A number of trending social media topics seem like fun games, but can reveal answers to very common password retrieval security questions. Fraudsters can leverage this personal information to reset account passwords and gain access to once-protected data and accounts,” the release stated.
The FBI also cited examples wherein people share their high school photos along with information such as the names of their schools, mascots, and graduation years — all of which are answers to common password retrieval security questions.
Other examples include:
Enable Multi-Factor Authentication
Apart from encouraging people to curb the sharing of personal information online, the FBI also urged individuals to enable two-factor or multi-factor authentication when available. “Multi-factor authentication is required by some providers, but is optional for others. If given the choice, take advantage of multi-factor authentication whenever possible, but especially when accessing your most sensitive personal data — to include your primary email account, and your financial and health records,” the FBI added.
The FBI also gave similar advice on dealing with IoT devices earlier. It recommended that IoT users isolate their primary connected devices, like laptops or smartphones, on a separate Wi-Fi or LAN network. “Your fridge and your laptop should not be on the same network,” the FBI said in a post.
The FBI advised using two internet gateways: one for the devices that store sensitive data and another for digital assistants, home security devices, smartwatches, gaming systems, fitness trackers, thermostats, smart light bulbs, etc. It also recommended changing the factory-set default passwords.
The post What Every Employee Can Do Now to Strengthen Security at Home (Part-1) appeared first on CISO MAG | Cyber Security Magazine.
By Brian Pereira, Principal Editor, CISO MAG
Here are 4 things to secure in your IT infrastructure while working from home:
Home network connections are mostly wireless, and we know that wireless connections are not as secure as wired (Ethernet) connections. If your home router has a weak password or the default one, it could be hacked by a tech-savvy neighbor. Even Bluetooth connections can be hacked (Bluesnarfing attacks).
To secure your home Wi-Fi, get out the router manual (or download it from the Internet). Look for the default router ID and password. The ID could be “Admin” and the default password could also be “admin”. Now load your browser and type the following in the address bar: 192.168.1.1. You should then see your router’s login page. Log in using the default credentials. Then head to the “change password” section and type in a new password. Read the guidelines for the password as mentioned in the manual. Also opt for strong wireless security standards like WPA2 and AES.
Users tend to use a common password across services. If even one of those services is hacked, then the user’s account on the other services becomes vulnerable. So, maintain different passwords.
According to Microsoft, 30 percent of reused or modified passwords can be cracked within just 10 guesses.
If the browser (or an extension) offers to “remember” passwords, decline that request. Should you opt for a password manager then do keep a different master password.
When creating a new password, do not include a complete word in the password string. Hackers use password dictionaries that run multiple word combinations until the real password is matched. This is called “brute force” hacking. Passwords should be a minimum of 8 characters. Use a mix of upper- and lower-case letters, numbers and special characters.
And if the service offers the option of a lockout threshold, use it. That is the number of incorrect password attempts allowed before the account is locked. Notice that online banking services already enforce this. If you forget your password and enter it wrong three times, you are locked out of your bank account. A call to your bank, with authentication checks, will reset the password. But that is a process implemented by the bank. Windows 10 also offers account lockout thresholds.
Email services like Gmail offer multi-factor authentication and two-factor authentication (2FA) for verification, but few Gmail users make use of this feature.
A Google report in 2018 suggested that less than 10% of Gmail users employ two-factor authentication, which is considered one of their best security features.
An organization can also set two-factor authentication for services on the company portal, or for corporate email.
With 2FA, you can opt to receive an SMS code on your mobile device whenever you try to log in. Gmail also lets you use one of your devices for authentication. For instance, you can tap your mobile phone screen (Push to Verify) after receiving an authentication message from Google. A third way is to use a hardware token like Google Titan Security Key or Yubikey (Yubico). And a fourth method is to use an authentication app like Google Authenticator. There are other methods for 2FA and it depends on what the service offers. Even social media sites like Twitter, LinkedIn and Facebook offer multi-factor authentication. Banks have enforced 2FA for many years (mainly through hardware tokens).
There are four main things to secure: the mobile OS, the apps, the data and the device itself (physical security). Potential threats include data theft, stolen user credentials, malicious apps, inadequate user configurations, security vulnerabilities in the mobile OS and apps – and stolen devices.
You’d be shocked to learn about the things mobile malware can do – a hacker can activate your phone’s microphone and eavesdrop on conversations, for instance.
To secure the apps and the OS, update these often. Download apps only from authorized marketplaces (Google Play Store or Apple App Store). And ensure that the apps are verified (look for the “Verified by Google Play Protect” badge on the Play Store when downloading apps for Android phones). You can also scan all your installed apps later to verify them.
Don’t try to jailbreak your Apple phone or “root” your Android device. If you do that, the device becomes a threat to the networks and other devices it connects to. Malicious or unauthorized apps set up “backdoors” on jailbroken devices.
Mobile devices do not have firewalls, so install a firewall app (or a mobile security suite) to scan all traffic between the apps and their corresponding servers.
Disable the Bluetooth visibility/discovery mode. Use a Bluetooth PIN when pairing your phone with another user’s phone in public. And keep a watch on all the devices that have paired with your phone via Bluetooth. Remove old or unknown devices from the list.
Back up your contacts and data to an online service like Google Drive, Apple iCloud, or Microsoft OneDrive.
Physical security – Your mobile phone and laptop are likely to contain important data related to your work, your company’s policies, product information, email, customer data and other sensitive data.
To protect mobile phones, note down the IMEI number and install a SIM Lock (ask your service provider about this). Also, enable the device tracking feature – for Apple devices it is Find my iPhone and for Android, it is Android Device Manager. Encrypt your phone by putting a screen lock and enabling the encryption features.
For laptops, encrypt the drive using BitLocker (Windows) or FileVault (Apple). Store the recovery key outside the device (on a pen drive or online).
Data security is a shared responsibility — both the employee and the organization are custodians of an organization’s data. Employees working from home need to take adequate steps, like those described in this article, to protect data and endpoints. There are other security measures to be taken, such as operating system and application security, both of which will be discussed in the next article. Meanwhile, stay indoors and stay safe.
Part-2: Application and OS Security