New Trends in Cyber Security (Part 2)
This is part 2 in our series on new cybersecurity trends. You can find part 1 here.
We now live in a world of connected watches, doorbells, kitchen appliances, and even cars. All of which can provide new entry points to our secure networks. IoT devices have unique security challenges as they often have limited storage, processing and power available. This means heavy security applications are a no go. You can’t simply install the latest malware, antivirus or deep threat endpoint protection as these devices simply don’t have the capacity. This means IoT devices usually need to be quarantined to isolated networks with access to critical networks limited by firewalls. IoT devices are here to stay as manufacturers rush to connect everything device imaginable to wireless networks. And the task of securing this growing number of devices will only become more challenging.
SFA to MFA
According to TeleSign, 73% of online accounts use duplicate passwords — meaning the same password is used for multiple sites or accounts. Using the same passwords over and over again creates a domino effect after a breach — as one account is hacked, access to remaining accounts is easily gained. Single factor authentication (SFA) relies solely on one factor, such as a password, for user identification. Insecure or duplicate use of passwords isn’t an inherent problem with SFA — it’s a problem with us as humans wanting things to be easy. In multi-factor authentication (MFA) things can be secure and easy! MFA requires the user to present two or more pieces of identity evidence also called factors. The evidence must be either:
- Knowledge – something only the user knows (password, PIN, secret question)
- Possession – something only the user has (security token, FOB)
- Inherence – something the user and only the user is (fingerprint, facial recognition, voice, iris scan)
Two-factor authentication (2FA) is a step in the right direction from SFA and 2FA is technically a subset of MFA by definition. However, the trend in security is to move beyond the limits of SFA and 2FA into the deeper levels of MFA security by opening up user authentication to more factors and more depths of security. In MFA a user can know a password, pass a device token, perform an iris scan, and relay device location data which provides 4 factors to authentication and only two of those required any effort by the user. We have seen a significant trend in the adoption of MFA in further securing networks and systems and expect the trend to continue as more MFA systems become MFA compatible.
Even with MFA security protocols in place, phishing remains a real threat to the security of any network or system. Phishing aims to trick the user into sharing private information by pretending the recipient is someone they are not. Often the goal of a phishing attack is to collect authentication credentials such as usernames and passwords or financial information such as bank accounts or credit card numbers. Phishing attacks can be targeted at one high profile individual or company or broad-based with the goal of targeting anyone who takes the bait. According to APWG’s Phishing Activity Trends Report for Q3 2019, phishing attacks are at their highest level in 3 years. Attacks are most often looking to collect usernames and passwords and often deployed using hijacked business emails and sent out to the hijacked accounts contact list. According to Verizon’s 2019 Data Breach Investigation Report, phishing is the top threat action variety in data breaches with almost 1/3 of data breaches involving phishing.