Two-Factor Cyber Protection

Sept. 10, 2015
How strong authentication will help keep your customers from becoming the next data breach

As data breaches persist across organizations in just about every vertical market, security systems integrators should be looking at cybersecurity as the next big frontier. Whether you already have a cybersecurity offering or want to add one, the key element for data breach avoidance is two-factor — or strong — authentication.

To open up new cybersecurity business opportunities, systems integrators should first become a trusted advisor to current and potential customers on how data breaches occur, and the steps they can take to protect their organization with two-factor authentication technology. Then they should incorporate a robust two-factor authentication solution into their cybersecurity offering — a critical step that all organizations looking to avoid becoming the next data breach need to take.

Step 1: Become a Trusted Data Breach Educator

In all likelihood, data breaches are a top-of-mind concern within all organizations. For integrators, opening up business opportunities around cybersecurity starts with becoming a trusted educator on how these breaches are occurring and how they can be mitigated.

Data breaches occur frequently — often undetected for months or years — with thousands and sometimes millions of records containing sensitive information stolen. They are happening across all vertical markets, so your customers are definitely at risk. Most recently this past June, there was the breach within the federal government at the U.S. Office of Personnel Management (OPM), which compromised 21.5 million records.

Over the past year, additional breaches have been reported across the business, medical/healthcare, financial, educational, and government/military sectors — just pay attention to the news and you will see a new breach or vulnerability reported on a nearly daily basis. Some of the major breaches that have recently hit the news include: Anthem (80 million records); Home Depot (56 million credit and debit cards); Sony Pictures Entertainment (intellectual property stolen and leaked); Auburn University (364,012 records); and Morgan Stanley (350,000 records).

These are just some of the major breaches reported; however, small and mid-sized organizations suffer from breaches just the same. The costs of a breach are huge: according to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company was $3.5 million (in U.S. dollars), 15 percent more than it cost in 2013.

When examining the anatomy of these data breaches, we find that upwards of two-thirds of them occur because of some sort of stolen or hacked credential, according to the 2015 Verizon Data Breach Report.

Here’s how the infiltrations work: cybercriminals use relatively unsophisticated practices like email phishing attacks that insert malware into systems to obtain employee username and password credentials. If an employee falls for one of these attacks, hackers can steal passwords and gain an entry point into the IT infrastructure. This is when the real trouble starts. After obtaining this first credential, criminals are now more often moving laterally through an organization’s systems, expanding to more valuable targets, such as system administrators and other so-called “privileged” accounts, and eventually creating their own system administrator identities. Then they have free rein over the system, with the ability to copy files containing personal employee information, customer information and other valued intellectual property.

Why Two-Factor Authentication is so Important

The way to intercept cybercriminals from moving laterally within an organization is by requiring — at a minimum — two-factor authentication for any employee accessing privileged accounts, any creation of new accounts, as well as any changes to the system; and at a maximum for all employees and contractors with access to company systems.

Two-factor or strong authentication adds “something you have,” such as a smart card, to system logon and authentication. By using two-factor authentication, a hacker who steals passwords or attempts to create their own admin accounts will be stopped in their tracks without the second-factor strong authentication device associated with the identity they want to use.

The recent OPM breach was unfortunately a case where two-factor authentication was not in widespread use. OPM Director Katherine Archuleta confirmed that it was compromised employee credentials stolen from a government contractor that provided hackers with access to the federal human resources agency’s servers. These employees were not using Personal Identity Verification (PIV) cards, the smart card-based two-factor authentication credential required by the federal government for logging on to federal IT systems and networks; in fact, OPM had reported that only one percent of its employees and contractors were using the cards, according to the 2014 FISMA Report.

Government data breaches that have been reported could likely have been thwarted had employees and contractors been using PIV strong authentication. According to Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President (EOP) and the Office of Management and Budget, who spoke at the recent Smart Card Alliance Government Conference: “The number-one mitigation [for breaches] is implementation of PIV. Every time.”

According to analysis by Rudolph’s organization, 52 percent of the incidents involving social engineering, phishing and malware could have been prevented by the use of PIV strong authentication. With this information, security systems integrators have a good foundation for starting an open educational dialogue with customers about how data breaches are occurring and why implementation of two-factor authentication is an essential step to breach avoidance. Next, they can incorporate a robust two-factor authentication solution into their cybersecurity offering.

Step 2: Create a Cybersecurity Offering

Systems integrators wanting to get off the ground running with two-factor authentication should first decide what the second factor — the “something the employee has” — should be in their offering. There are many options available, but not all solutions provide the necessary levels of protection to defend against a breach.

The second factor in a two-factor authentication system comes in many flavors — smart cards, one-time password tokens, SMS, email and mobile solutions are all available. It is important for integrators delving into a new cybersecurity offering to incorporate the method that provides the highest level of protection.

The recent Verizon study cautioned, “When implementing two-factor authentication solutions, you should be wary of SMS, telephone or email-based solutions” because they “have known vulnerabilities and can be intercepted or even redirected.”

Instead, the best choice is to follow the lead of the federal government and incorporate a two-factor authentication solution that uses smart card technology. Smart cards support everything needed for two-factor authentication by securely storing authentication tokens, password files, PKI certificates, one-time password seed files and biometric image templates, as well as generating asymmetric key pairs.

The technology is available in multiple form factors for convenience — a plastic card (with contact or contactless communication capabilities, or both, and optionally a display and keypad), a USB device, or a secure element (SE) that can be embedded in a mobile (or other) device.

For implementation, smart cards are a good solution because provisioning, deploying and using them is very straightforward, with all leading IT infrastructure suppliers, including Microsoft, IBM, HP, Computer Associates, Citrix, Adobe and many more offering full support of the use of smart card-based two-factor authentication.

To offer two-factor authentication with smart cards, systems integrators will need to establish partnerships for some or all of the following elements of the system:

  • The physical credentials: plastic card, USB or SE. There are also possibilities for enabling a single smart card for both physical and IT access control.
  • Readers for endpoint devices such as PCs and laptops. Physical smart cards will need to be inserted into a contact reader, while mobile credentials will require a contactless reader.
  • A system for credential issuance and management.
  • A server for credential authentication, which sits beside the existing network components and will manage the verification of the smart card certificate.
  • Integration of solution with applications and identity management, access control and single sign on systems.
  • Help developing workflows and training for support teams to manage, reissue and revoke credentials and handle exceptions like lost or forgotten credentials.
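The bullets above describe a credential that lives on the card and a server that verifies it. The following is an added example written for this page (it is not the article's code, nor any vendor's product) of the server-side half of that check: a password as the first factor and a one-time code derived from a seed file held on the token as the second, which is the one-time-password flavor of card-resident secret the article names rather than a PKI certificate. The account name, password and seed are constructed for the demo; the seed is the published RFC 4226 test-vector secret, so the codes can be checked against that document.

```python
"""
Added example (not from the article): a server-side two-factor login check.

Factor 1: a password, stored as a salted PBKDF2 hash.
Factor 2: an HOTP one-time code (RFC 4226) computed from a seed that is
provisioned onto the employee's token/smart card, so a phished password
alone does not get the attacker in.

All names, the password and the seed below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

HOTP_DIGITS = 6
LOOK_AHEAD = 5  # tolerate a few unused button presses on the token


def hotp(seed: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the standard dynamic truncation to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Server-side record: the password hash plus the OTP seed and the
    counter that mirror what was provisioned onto the employee's card."""

    def __init__(self, username: str, password: str, seed: bytes) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.seed = seed
        self.counter = 0  # next counter value the server expects


def login(acct: Account, password: str, otp: Optional[str]) -> str:
    """Return an outcome label. Access is granted only when both factors
    check out; a used one-time code is never accepted a second time."""
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return "denied: bad password"
    if otp is None:
        return "denied: second factor missing"
    for c in range(acct.counter, acct.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(acct.seed, c), otp):
            acct.counter = c + 1  # move past the used code so it cannot be replayed
            return "ok"
    return "denied: bad or replayed one-time code"


def demo() -> List[str]:
    """Walk through the scenarios the article describes and return the outcomes."""
    seed = b"12345678901234567890"  # RFC 4226 test-vector secret (constructed demo value)
    acct = Account("jdoe", "correct horse battery", seed)
    outcomes = [
        login(acct, "guessed-password", hotp(seed, 0)),  # phisher with wrong password
        login(acct, "correct horse battery", None),       # stolen password, no token
        login(acct, "correct horse battery", hotp(seed, 0)),  # legitimate employee
        login(acct, "correct horse battery", hotp(seed, 0)),  # replay of the used code
        login(acct, "correct horse battery", hotp(seed, 1)),  # next code from the token
    ]
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the block makes is the one the article makes in prose: with the seed held only on the card, the stolen password on its own never gets past `login`, and the counter advance means a code captured once cannot be replayed. A PKI-certificate card would replace `hotp` with a signed server challenge verified against the certificate's public key, but the gate logic around it is the same.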

There is a wide range of service providers in the market; many are members of the Smart Card Alliance. The computer and network security hardware and software sections of the SecurityInfoWatch Buyer’s Guide are a good first step to finding a partner.

Randy Vanderhoof has been the executive director of the Smart Card Alliance (www.smartcardalliance.org) since 2002.