Authentication After the RSA breach: Sticking to Hard Tokens Could be a Mistake
Blogmaster Note: This was originally posted on September 20, 2011 to the ComputerWorld UK Security Blog.
The role of authentication in the CISO's armory has been the subject of serious debate in recent months.
In the wake of the RSA data breach, and the subsequent news that customers' data had been compromised as a result, the ability of hard tokens to defend against the most sophisticated cybercriminals is under serious scrutiny.
Whilst the dust settles on these arguments, I believe it is time to examine the future of authentication tools. They remain the cornerstone of an integrated security plan and perform one of the most fundamental security functions: verifying the identity of any individual or device requesting access to protected information.
The risks have been well debated. Perhaps we now need to examine the reality of the environment and the transactions in which we actually operate, and focus on what CISOs, CIOs and anyone tasked with ensuring the integrity of their organization's data needs to consider.
The cost to business of the new threat landscape
There is no escaping the fact that breaches do occur, with far-reaching ramifications: damage to brand image, quantifiable disruption to people and business, the loss of intellectual property and other sensitive corporate and client data, and, in the end, costly legal consequences.
As is now widely reported, cybercriminals are becoming increasingly adept at launching more sophisticated targeted attacks. In the “cyber arms race,” targets are not confined to large multinationals. Organizations of any size could find that their data is compromised. CISOs are now faced with a host of challenges that evolve on a daily basis. Today, fighting cybercrime requires keeping pace with advanced persistent threats (APT), man-in-the-browser (MITB) attacks, DNS poisoning and other sophisticated fraud techniques.
The technology required to mitigate these threats therefore has a finite lifecycle, because attackers keep finding new ways to exploit weaknesses. A static username and password, for example, can now be phished, captured by a keylogger or cracked offline with relative ease.
Simply spending more on the 'old' solutions will not protect against current threats such as the Zeus and SpyEye banking trojans, which operate inside the browser after the user has already authenticated, or the cloning of HID proximity cards and similar devices.
As the token compromise showed, organizations are at risk if they depend on a single authenticator or on a hard-token-only security strategy. Given that, is there a future for hard tokens?
The root of the issue is that a hard token's one-time codes are derived entirely from its seed, the per-token secret recorded in the vendor's 'seed file'. A cybercriminal who obtains that file, and can map seeds to users, can compute the same codes without ever touching the token: in effect, the attacker simulates the physical hard token issued to an individual employee. Any PIN the user types in front of the code is the only thing left to obtain, and that is within reach of phishing or a keylogger.
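To make the seed-file point concrete, here is an added illustration that is not part of the original post and not RSA's code. RSA SecurID's tokencode algorithm is proprietary, so this uses the standard OATH HOTP construction (RFC 4226) instead; what matters is the property both share: the code is a pure function of the seed and a moving factor (a counter here, the clock in SecurID), so whoever holds the seed can compute every code the token will ever show. The seed-file contents, token serial, counter window and replacement seed are constructed for the example; the first secret is the RFC 4226 test key so the codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed stand-in for a vendor seed file: token serial -> per-token secret.
SEED_FILE: Dict[str, bytes] = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),  # RFC 4226 test key
}


class Token:
    """A hard token in software: holds a seed and advances its own counter on each press."""

    def __init__(self, seed: bytes, counter: int = 0) -> None:
        self._seed = seed
        self.counter = counter

    def press(self) -> str:
        code = hotp(self._seed, self.counter)
        self.counter += 1
        return code


def verify(seed_file: Dict[str, bytes], serial: str, code: str,
           expected_counter: int, window: int = 10) -> Optional[int]:
    """Server-side check: look the seed up by serial and accept the code if it matches any
    counter in [expected, expected + window). Returns the matched counter, or None."""
    seed = seed_file[serial]
    for c in range(expected_counter, expected_counter + window):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None


def clone_from_seed_file(seed_file: Dict[str, bytes], serial: str) -> Token:
    """What an attacker holding the stolen file can build: a replica that never touched the real token."""
    return Token(seed_file[serial])


def demo() -> Tuple[bool, bool, bool]:
    """Returns (clone accepted, clone accepted after reseeding, reissued token accepted)."""
    seed_file = dict(SEED_FILE)          # work on a copy so the module constant stays intact
    serial = "000123456789"
    user_token = Token(seed_file[serial])
    clone = clone_from_seed_file(seed_file, serial)
    server_counter = 0

    # 1. Legitimate login: 755224 (the RFC 4226 vector for counter 0) is accepted.
    matched = verify(seed_file, serial, user_token.press(), server_counter)
    assert matched is not None
    server_counter = matched + 1

    # 2. Attacker logs in with the clone. It holds the same seed, so it produces the
    #    same next code (287082); the server has no way to tell the two apart.
    clone.counter = server_counter       # the counter is guessable; the window absorbs small errors
    clone_accepted = verify(seed_file, serial, clone.press(), server_counter) is not None
    server_counter += 1

    # 3. The only fix is to reseed: issue a new secret for that serial. The clone still
    #    computes codes from the stolen seed, so it no longer verifies; the reissued token does.
    seed_file[serial] = bytes.fromhex("a0b1c2d3e4f5061728394a5b6c7d8e9f00112233")  # constructed new seed
    server_counter = 0
    reissued = Token(seed_file[serial])
    clone_after = verify(seed_file, serial, clone.press(), server_counter) is not None
    reissued_ok = verify(seed_file, serial, reissued.press(), server_counter) is not None
    return clone_accepted, clone_after, reissued_ok


if __name__ == "__main__":
    print(demo())
```

Nothing in the server's view distinguishes the clone from the real token, because the token's only secret is the seed the attacker already has; physical possession adds nothing once the file has leaked. The resolution is equally mechanical: re-seed every affected serial, at which point the stolen file is dead weight. The example also shows why the moving factor (a counter here, time in SecurID) is no protection on its own: it is public or guessable, and servers must accept a window of values anyway.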
Organizations can no longer rely on a single authenticator to protect access to their resources; one factor is no match for advanced online attacks. Organizations and financial institutions need to begin implementing layered security schemes, at the core of which is a single, versatile authentication platform that integrates and manages all of an organization's authenticators.
In contrast, many vendors offer bolt-on solutions tacked onto other pieces of software; once one of them is compromised the whole chain fails and the organization is exposed, with no quick way to swap the broken piece out. With a single authentication platform, an organization can identify the compromised authenticator and roll out a replacement in near real time, which in the case of a seed compromise means reissuing seeds so that the attacker's copies stop working.
A reliable authentication platform should support multiple authentication mechanisms, allow authenticators to be matched to the type of transaction and user, and provide fallback measures if the primary mechanism is compromised. It also needs to interoperate with physical, logical and mobile access, soft second-factor authentication and transaction verification.
The critical takeaway is that organizations need a comprehensive and versatile authentication platform, not a handful of third-party applications, plug-ins and software clients bridged to another solution through unreliable 'stove pipes'. That approach is susceptible to advanced breaches and fraud attacks and will likely be defeated.
Strong authentication also needs to work across platforms and mobile devices. IDC now predicts that there will be some 1.19 billion mobile users by 2013, and whilst enterprise mobility offers great advantages, it also presents heightened risks, evidenced by the increased number of identity attacks on mobile platforms.
Device authentication now works across multiple platforms, and newer approaches can also help organizations fight evolving fraud techniques. This is best accomplished with out-of-band authentication: one-time passcodes (OTP) delivered by SMS or generated by a soft token on the phone, combined with real-time transaction verification on the mobile device. Because the user confirms the actual payee and amount on a second channel, a man-in-the-browser cannot silently alter the transaction the way it can ride on a login-time OTP. The caveat is that the second channel is only out of band while the phone itself is clean; the identity attacks on mobile platforms noted above target exactly that assumption.
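As an added example of what transaction verification buys over a plain login OTP, the following is not from the original post or any vendor product. It models a soft token on the user's phone that signs the payee and amount the server actually received, shown to the user out of band, and contrasts the honest case with a man-in-the-browser (MITB) that rewrites the transfer after the user clicks submit. The per-user secret, account numbers, nonce and the code format (8 digits from HMAC-SHA256) are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional, Tuple


class Transfer(NamedTuple):
    payee: str          # destination account
    amount_cents: int   # integer minor units, never floats
    nonce: str          # server-issued per-transaction nonce, so a code cannot be replayed


def canonical(t: Transfer) -> bytes:
    """Unambiguous encoding: each field is length-prefixed so field boundaries cannot be shifted."""
    fields = [t.payee.encode(), str(t.amount_cents).encode(), t.nonce.encode()]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def transaction_code(secret: bytes, t: Transfer, digits: int = 8) -> str:
    """Code bound to the transaction: HMAC-SHA256 over the canonical fields, truncated to digits."""
    mac = hmac.new(secret, canonical(t), hashlib.sha256).digest()
    return str(struct.unpack(">I", mac[:4])[0] % (10 ** digits)).zfill(digits)


# --- phone side (the out-of-band channel) ---------------------------------
def phone_confirm(secret: bytes, shown: Transfer, intended: Transfer) -> Optional[str]:
    """The app displays what the server received. The user approves only if it is what they
    meant; that human check is modelled here as an equality test on payee and amount."""
    if (shown.payee, shown.amount_cents) != (intended.payee, intended.amount_cents):
        return None                        # user declines: the details do not match
    return transaction_code(secret, shown)


# --- server side ----------------------------------------------------------
def server_accepts(secret: bytes, received: Transfer, code: Optional[str]) -> bool:
    """Accept only a code computed over the exact transaction the server is about to execute."""
    if code is None:
        return False
    return hmac.compare_digest(transaction_code(secret, received), code)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (honest transfer accepted, tampered transfer with user decline, tampered transfer with forged approval)."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef")  # constructed per-user secret
    nonce = "n-7f3a"                                                          # constructed
    intended = Transfer("GB00-SAFE-0001", 5_000, nonce)      # what the user typed: 50.00
    tampered = Transfer("GB00-MULE-9999", 500_000, nonce)    # what the MITB malware actually sent: 5000.00

    # Honest session: the server received what the user intended, the phone shows it, the user approves.
    honest = server_accepts(secret, intended, phone_confirm(secret, intended, intended))

    # MITB session, defence 1: the phone shows the mule transfer the server really received;
    # the user sees the mismatch and declines, so there is no code to submit at all.
    declined = server_accepts(secret, tampered, phone_confirm(secret, tampered, intended))

    # MITB session, defence 2: suppose the malware could feed the phone the *intended* details
    # (the channel was not truly out of band). The user approves, but the code is bound to the
    # intended fields, not the received ones, so the server still rejects it. A login OTP,
    # which is bound to nothing, would have been accepted here.
    forged = server_accepts(secret, tampered, phone_confirm(secret, intended, intended))
    return honest, declined, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The SMS variant works the same way with the human as the verifier: the server texts the payee and amount it actually received along with the code, so the user reading "5000.00 to GB00-MULE-9999" refuses to type it in. The soft-token variant adds the cryptographic binding, which is what holds up even if the display were spoofed. Neither survives malware on the phone itself, which is why the mobile attacks mentioned above matter to this design.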
In today’s cyberworld, threats are changing on a daily, hourly or even minute-by-minute basis, making fighting cybercrime a constant real-time battle. The good news is that technology is available to mitigate many potential attacks by the savviest of criminals.