The Gartner IAM conference was such a whirlwind earlier in December. I was fortunate to attend a number of sessions from Gartner analysts and guest speakers. Let me break down some of the key takeaways that I learned:
1. Combining two authentication factors of the same kind does not increase security.
Are you implementing two-factor (multi-factor) authentication the right way? Genuine multi-factor authentication combines factors of different types: something you know (a password, a PIN, a security question), something you have (a phone, a hardware token) and something you are (a fingerprint). Asking someone to authenticate with two knowledge factors, say a password plus the answer to a security question, adds very little: both fall to the same attacks, and both routinely turn up in breach dumps for sale online. Two stolen knowledge factors are no harder to use than one.
2. Authentication is painful. We must take that pain away from legitimate users.
When we force employees and customers to authenticate everywhere, every time they interact with our systems, we inflict unnecessary pain. Some attempts are attackers using stolen credentials to impersonate a user, but the overwhelming majority are legitimate users. So how can we take that pain away? One way is to apply adaptive (risk-based) techniques to user authentication.
At a minimum we can establish trust in a known user from context: is the login attempt coming from inside the corporate network? Is the user logging in from their registered machine?
If we can't establish a user's legitimacy from context, we can require additional authentication through their registered mobile device, or have them respond to an email. If the attempt comes from a network in a different country, or from an untrusted Wi-Fi network, we can block the attempt outright rather than prompt for more factors.
(Ant Allan, Gartner: “Stop Counting Authentication Factors, Start Valuing Trust”)
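The decision logic sketched above, written out as an added example (it is not code from the Gartner talk or from the original post). It assumes a hypothetical login service that already has each user's registered device IDs and home country on file, plus a GeoIP lookup done upstream; the corporate network ranges, untrusted SSIDs and sample login attempts are constructed for illustration. The policy choice of allowing password-only access just when both trust signals are present is also an assumption.

```python
"""Adaptive (risk-based) login decision: block, allow, or step up.

Added example, not code from the Gartner talk or the original post.
Network ranges, device IDs and login attempts below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical corporate address space and Wi-Fi networks the
# organisation has decided not to trust.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
UNTRUSTED_WIFI = frozenset({"Airport_Free_WiFi", "CoffeeShop-Guest"})

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


@dataclass(frozen=True)
class UserProfile:
    username: str
    home_country: str
    registered_devices: FrozenSet[str]   # device fingerprints enrolled earlier


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    source_ip: str
    country: str                          # GeoIP result for source_ip (done upstream)
    device_id: str                        # fingerprint presented by the client
    wifi_ssid: Optional[str] = None       # only known for managed clients


def decide(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    Order matters: outright blocks first, then the signals that establish
    trust, and step-up authentication for everything in between.
    """
    reasons: List[str] = []

    # 1. Outright blocks: a different country, or an untrusted Wi-Fi network.
    if attempt.country != profile.home_country:
        reasons.append(f"country {attempt.country} differs from home {profile.home_country}")
        return BLOCK, reasons
    if attempt.wifi_ssid in UNTRUSTED_WIFI:
        reasons.append(f"untrusted Wi-Fi network {attempt.wifi_ssid}")
        return BLOCK, reasons

    # 2. Trust signals: inside the corporate network, on a registered device.
    ip = ip_address(attempt.source_ip)
    on_corp_net = any(ip in net for net in CORPORATE_NETWORKS)
    known_device = attempt.device_id in profile.registered_devices
    if on_corp_net and known_device:
        reasons.append("corporate network and registered device")
        return ALLOW, reasons

    # 3. Legitimacy not established: require a second factor via the
    #    registered mobile device or an email challenge.
    if on_corp_net:
        reasons.append("corporate network but unregistered device")
    elif known_device:
        reasons.append("registered device but external network")
    else:
        reasons.append("unknown device on external network")
    return STEP_UP, reasons


# Constructed profile and attempts, so the module runs stand-alone.
ALICE = UserProfile("alice", "US", frozenset({"laptop-1"}))
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "10.1.2.3", "US", "laptop-1"),                         # office, own laptop
    LoginAttempt("alice", "198.51.100.7", "US", "laptop-1"),                     # home, own laptop
    LoginAttempt("alice", "198.51.100.7", "DE", "laptop-1"),                     # abroad
    LoginAttempt("alice", "10.1.2.3", "US", "tablet-9", "Airport_Free_WiFi"),   # untrusted Wi-Fi
]


def run_samples() -> List[str]:
    """Evaluate the constructed attempts; returns the decisions in order."""
    return [decide(ALICE, a)[0] for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, (decision, why) in zip(SAMPLE_ATTEMPTS, (decide(ALICE, a) for a in SAMPLE_ATTEMPTS)):
        print(f"{attempt.source_ip:>14} {attempt.country} {attempt.device_id:<9} -> {decision:8} ({'; '.join(why)})")
```

The blocks are evaluated before the trust signals on purpose: a registered laptop reporting from a different country should not be waved through just because the device is known. Real deployments would also feed velocity ("impossible travel") and failure-rate signals into the same function.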
3. We need to extend IAM to contractors, partners, and third parties.
Many high-profile data breaches can be traced back to compromised credentials. One such breach at a large retailer began with credentials stolen from a third-party vendor. Those credentials were used to authenticate to the retailer's network, install malware, and exfiltrate 40M credit and debit card numbers. So we must extend identity and access management to business partners, vendors and customers (external users), not just to our own workforce (internal users).
Just-in-time (JIT) partner provisioning uses federation technologies such as SAML: the partner's own identity provider authenticates the user, and the host application creates or updates the local account from the assertion's attributes at login time. That offers far more automation than manual account setup, directory synchronization or self-service access requests, and the partner's account disappears from the host when the partner stops asserting it.
For low-risk transactions, a third-party identity provider such as a social network can be an option, both for enterprises and for customers who want to register on a site without creating yet another username and password.
(Lori Robinson, Gartner: “TechInsights: The Perimeter Has Fallen: Identity and Access Management for Contractors, Partners, and Other Third Parties.”)
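What just-in-time provisioning from a SAML assertion looks like in code, as an added example that is not from the Gartner talk, the original post, or any SAML library's API. It assumes a hypothetical host application (`portal.host.example`) that trusts one partner identity provider, and that the XML signature on the assertion has already been verified by a proper SAML library before this code runs; this code only checks issuer, audience and validity window, then maps attributes to a local account with an explicit, default-deny group-to-role table. The assertion, issuer and group names are constructed for illustration.

```python
"""Just-in-time (JIT) provisioning of a partner account from a SAML 2.0 assertion.

Added example, not code from the Gartner talk or the original post.
Assumes the assertion's XML signature was verified upstream; this module
does NOT verify signatures. All names and values below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical trust configuration of the host application.
TRUSTED_ISSUERS = {"https://idp.partner.example/"}
OUR_AUDIENCE = "https://portal.host.example/"
# Explicit mapping; any group not listed grants nothing (least privilege).
GROUP_TO_ROLE = {"vendor-support": "ticket-viewer", "vendor-admin": "ticket-editor"}
ACCOUNT_TTL = timedelta(hours=8)   # partner accounts lapse unless re-asserted


@dataclass
class Account:
    username: str
    display_name: str
    roles: List[str]
    expires_at: datetime


ACCOUNTS: Dict[str, Account] = {}   # stands in for the host application's user store


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def provision_from_assertion(xml_text: str, now: datetime) -> Optional[Account]:
    """Validate an already signature-checked assertion and create or update
    the local account from it. Returns None, touching no account, if the
    assertion is not acceptable."""
    root = ET.fromstring(xml_text)

    if root.findtext("saml:Issuer", namespaces=SAML_NS) not in TRUSTED_ISSUERS:
        return None                                   # unknown identity provider

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return None
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return None
    if not (_parse_utc(not_before) <= now < _parse_utc(not_on_or_after)):
        return None                                   # expired or replayed
    audiences = [a.text for a in cond.findall(".//saml:Audience", SAML_NS)]
    if OUR_AUDIENCE not in audiences:
        return None                                   # issued for another service provider

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return None

    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]

    roles = sorted({GROUP_TO_ROLE[g] for g in attrs.get("groups", []) if g in GROUP_TO_ROLE})
    account = Account(username=name_id,
                      display_name=(attrs.get("displayName") or [name_id])[0],
                      roles=roles,
                      expires_at=now + ACCOUNT_TTL)
    ACCOUNTS[name_id] = account     # created on first login, refreshed on each later one
    return account


# Constructed assertion (signature element omitted; see module docstring).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:Issuer>https://idp.partner.example/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-12-29T10:00:00Z" NotOnOrAfter="2015-12-29T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.host.example/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vendor-support</saml:AttributeValue>
      <saml:AttributeValue>some-unmapped-group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
SAMPLE_NOW = datetime(2015, 12, 29, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    acct = provision_from_assertion(SAMPLE_ASSERTION, SAMPLE_NOW)
    print(acct)
```

Note the unmapped group is silently dropped rather than turned into a role, and that the account carries an expiry: the partner keeps access only as long as their identity provider keeps asserting them.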
4. A very easy way to hack companies is through their customer service.
Here's a social engineering trick: call customer service, pretend to be the account holder, and get the password reset. It's an all too common trick, according to investigative reporter Brian Krebs, who sat down for a "fireside chat" with Gartner VPs Mark Nicolett and Ray Wagner.
As if to drive his point home, Krebs just wrote that his credentials at a popular payment service were stolen and reset, twice, on Christmas Eve. Somebody called customer service and requested a password reset on Krebs’ account using the last four digits of his social security number and the last four digits of an old credit card.
Customer service organizations need to be more aware of security risks and train their reps on the techniques criminals use to extract confidential information. Organizations themselves need to understand what constitutes stronger authentication and require it for high-risk transactions, and a password reset is exactly such a transaction.
Remember the first takeaway? Knowledge-based information (the last four digits of a social security number, an old card number) is for sale on the Internet, so verifying a reset with more of it adds nothing. Require a factor of a different type, such as a code from the customer's registered device. Read more about multi-factor authentication here.
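The weak check the attacker in Krebs' story defeated, beside a hardened reset that demands a possession factor, as an added example that is not from the post or from any vendor's product. It assumes a hypothetical customer-service reset flow in which each account has a TOTP secret enrolled on the customer's phone (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits); the account record and secret are constructed for illustration, and the secret is the RFC 4226/6238 test-vector key so the codes can be checked against the specification.

```python
"""Account recovery: knowledge-based verification beside a possession-factor check.

Added example, not code from the original post or any vendor's product.
Assumes a hypothetical reset flow with a TOTP secret enrolled per account.
The account and secret below are constructed (the secret is the RFC test key).
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    ssn_last4: str
    old_card_last4: str
    totp_secret: bytes   # shared with the authenticator app at enrolment


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew.
    Comparison is constant-time so the check does not leak via timing."""
    if not (code.isascii() and code.isdigit()):
        return False
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


# --- Weak: the knowledge-only check from the story -------------------------
def reset_weak(acct: Account, ssn_last4: str, card_last4: str) -> bool:
    """Everything compared here circulates in breach dumps, so anyone who has
    bought the victim's data passes. Kept to show the flaw, not to use."""
    return ssn_last4 == acct.ssn_last4 and card_last4 == acct.old_card_last4


# --- Hardened: a reset is high-risk, so require something the caller HAS ----
def reset_hardened(acct: Account, ssn_last4: str, code: str, now: int) -> bool:
    """Knowledge may still help the rep locate the account, but the reset
    only proceeds with a valid code from the registered device."""
    if ssn_last4 != acct.ssn_last4:
        return False
    return verify_totp(acct.totp_secret, code, now)


# Constructed account; the secret is the RFC 4226/6238 test-vector key.
VICTIM = Account("bkrebs", ssn_last4="1234", old_card_last4="5678",
                 totp_secret=b"12345678901234567890")

if __name__ == "__main__":
    now = int(time.time())
    print("weak check with stolen knowledge:", reset_weak(VICTIM, "1234", "5678"))
    print("hardened, knowledge only:", reset_hardened(VICTIM, "1234", "000000", now))
    print("hardened, code from device:", reset_hardened(VICTIM, "1234", totp(VICTIM.totp_secret, now), now))
```

With the RFC test key, `totp(secret, 59)` is `287082`, matching the 6-digit form of the RFC 6238 SHA-1 vector for T=59. An attacker holding the victim's SSN and card digits passes `reset_weak` every time and `reset_hardened` never, unless they also hold the phone.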
5. We are no better than apes at detecting deception.
Detecting lies doesn't come naturally to most of us, but there are specific behaviors and patterns we can learn to recognize. Since many cyber attacks come from insiders, spotting deception is a skill we could all use. Here are a few things to look for when deciding whether someone is lying to you:
- Are they front-loading their story with too many words, and providing too much detail?
- Are they using non-contracted denials like "I did not..." instead of "I didn't..."?
- Can they tell the same story backwards? If they can't, it's probably not true.
- Is their smile reflected in their eyes? If not, how sincere is the smile?
- Are they nodding yes while saying no?
(Guest Keynote: Pamela Meyer, Certified Fraud Examiner and Bestselling Author, “Three Patterns of Deception and a Radical Path to the Truth”)
In short:
- Mix your authentication types.
- Trust users you know based on context; simplify authentication for low-stakes transactions, and enforce stronger authentication for high-stakes transactions.
- Extend identity and access management to external users.
- Read the Krebs on Security blog!
- Look and listen for common patterns of deception.