Breaches and data thefts happen every day, but one incident uncovered in late July in Singapore points to a significant issue that merits some discussion.
SingHealth, the country’s largest healthcare group, discovered that the non-medical records of 1.5M patients had been breached, copied and stolen. The breach also included the outpatient records of another 160 people and the records of Prime Minister Lee Hsien Loong. Most files included national identification numbers, addresses, dates of birth and other information that could be sold and used for a variety of nefarious purposes. One industry expert called the stolen data an “identity thief’s goldmine.” Each individual record could be sold for as much as $100, compared to credit card data which only trades for $5-30 per record.
Here are two other significant aspects of the incident: First, the attack appears to have been initiated on June 27, but was not detected until July 4. While the technology agency that manages the IT systems for the Singapore health network was lauded for reacting quickly (most breaches go undetected for six months or more), the hackers had more than a week of unfettered access. They had time to take anything they wanted. The second significant aspect is that the attackers had obtained and used privileged account credentials. As a result, they could more easily cover their tracks and create additional entry points as they moved to other systems on the network undetected. This means traditional approaches to multi-factor authentication (MFA) would have likely been insufficient to contain the breach.
Both of these problems — delayed detection and the ability to easily maneuver to other systems — point to a need for something beyond standard MFA. Specifically, the dual control and session monitoring capabilities of an adaptive authentication technology could have stopped the attack before the data was stolen. That kind of evolved technology could have also limited navigation around the network once the system was breached.
If a dual control feature had been deployed, any entry into the system would have required approval from one or more authorized users before access to sensitive data was allowed. Presumably, that would mean the person accessing the data would need to get an OK from their boss or the guardians of the data before accessing it — even if, as was the case in Singapore, valid credentials were presented at the point of log-in. With an authentication platform from Entrust Datacard, for example, when the person presented the credentials and requested access to the Singapore healthcare data, the system would send a mobile push approval request to one or more people responsible for the data.
At that point, access could have been denied for any number of reasons — for example, the user may not have the authority or the need to access the data. Or, the request could have come at a suspicious time of day or from an unknown device, thus prompting at least an identity challenge. In any of these circumstances, the request for access could have been denied. At a minimum, if the request seemed at all suspicious, those receiving the request could have issued a challenge to the user presenting the credentials. So, before accessing the data, the user — even though he or she had the proper credentials — would have to validate his or her identity using another method, such as a biometric scan.
The other potential game-changer in this scenario is session monitoring. In the case of the Singapore attack, this may have been even more effective than the dual control capability.
Session monitoring (or “continuous authentication”) combines transaction monitoring with user behavior monitoring and can be highly effective for addressing three key realities. First, some users with approved credentials can be motivated to steal data or sabotage systems. Second, legitimate sessions initiated by authorized users — with good intentions — can be hijacked by cyber criminals. Third, criminals can steal credentials through targeted attacks, such as phishing, and impersonate authorized users.
An adaptive authentication platform can be configured to continually monitor sessions, even after legitimate credentials are presented. If an authorized user exhibits unusual behavior, the system sends a mobile push authorization request to those responsible for the systems or the data. For example, before an employee starts downloading large files of sensitive data — or accessing records outside their normal scope of work — an adaptive authentication system will recognize the anomaly and trigger step-up or risk-based authentication policies. The session can also be automatically terminated or suspended until the risk is mitigated.
The second problem addressed by session monitoring is hijacking. Often, attacks occur after legitimate access has been granted. Hackers jump into the middle of the session to steal data or break into the network. Standard MFA systems aren’t always effective in stopping this kind of attack. A platform with continuous authorization capabilities requires additional factors of authentication throughout the network and sends an alert as soon as it detects anomalous behavior.
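To make the two controls discussed above concrete, here is a toy policy engine written for this post; it is an added illustration, not Entrust Datacard's code and not a description of how IntelliTrust works internally. It models the dual control gate at log-in (a request for sensitive data returns a "require approval" decision that only designated data owners can clear), the contextual checks from the earlier paragraphs (unknown device, off-hours request, resource outside the user's scope), and the continuous session monitoring from this section (an out-of-scope read triggers step-up, a bulk pull of records or bytes suspends the session). All user names, device ids, record categories, thresholds and events are constructed assumptions.

```python
"""Added illustration (not Entrust Datacard's code, and not a description of
IntelliTrust's internals): a toy adaptive-access policy engine modelling the
two controls the post describes. Every name, threshold and event here is a
constructed assumption for the example."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                        # proceed
    STEP_UP = "step_up"                    # challenge with another factor (e.g. biometric)
    REQUIRE_APPROVAL = "require_approval"  # dual control: a data owner must approve
    DENY = "deny"                          # no authority or need for this resource
    SUSPEND = "suspend"                    # session suspended until the risk is reviewed


@dataclass
class UserProfile:
    username: str
    known_devices: set          # device ids previously seen for this user
    working_hours: tuple        # (start_hour, end_hour), constructed baseline
    normal_scope: set           # record categories this role normally touches
    data_owners: list           # people who can approve dual-control requests


@dataclass
class AccessRequest:
    device_id: str
    hour: int                   # local hour of the request, 0-23
    resource: str               # record category requested
    sensitive: bool             # whether the resource is under dual control


@dataclass
class SessionState:
    records_accessed: int = 0
    bytes_downloaded: int = 0
    suspended: bool = False


# Constructed per-session limits; a real deployment would derive these from baselines.
MAX_RECORDS_PER_SESSION = 500
MAX_BYTES_PER_SESSION = 50 * 1024 * 1024


def evaluate_login(profile: UserProfile, req: AccessRequest) -> Decision:
    """Gate at the point of log-in. Credentials are assumed already verified,
    which is the situation the post describes: valid credentials, but context
    that should still be questioned."""
    if req.resource not in profile.normal_scope:
        return Decision.DENY                 # no authority or need for this data
    start, end = profile.working_hours
    unusual_context = (req.device_id not in profile.known_devices
                       or not start <= req.hour < end)
    if unusual_context:
        return Decision.STEP_UP              # unknown device or odd hour: challenge
    if req.sensitive:
        return Decision.REQUIRE_APPROVAL     # dual control: push request to data owners
    return Decision.ALLOW


def dual_control_approved(profile: UserProfile, approvers, quorum: int = 1) -> bool:
    """Dual control: access proceeds only when enough designated data owners
    have answered the push request with an approval."""
    return len(set(approvers) & set(profile.data_owners)) >= quorum


def monitor_event(profile: UserProfile, state: SessionState, event: dict) -> Decision:
    """Continuous monitoring after log-in. Each event is a constructed dict:
    {"kind": "read", "category": ..., "records": n} or
    {"kind": "download", "bytes": n}. Returns the action for this event."""
    if state.suspended:
        return Decision.SUSPEND              # nothing more is allowed in this session
    if event["kind"] == "read":
        state.records_accessed += event["records"]
        if event["category"] not in profile.normal_scope:
            return Decision.STEP_UP          # outside the user's normal scope of work
    elif event["kind"] == "download":
        state.bytes_downloaded += event["bytes"]
    if (state.records_accessed > MAX_RECORDS_PER_SESSION
            or state.bytes_downloaded > MAX_BYTES_PER_SESSION):
        state.suspended = True               # bulk pull of data: stop the session
        return Decision.SUSPEND
    return Decision.ALLOW


if __name__ == "__main__":
    nurse = UserProfile("nurse01", {"dev-A"}, (8, 18),
                        {"outpatient_notes", "appointments"}, ["clinic_lead", "dpo"])
    req = AccessRequest("dev-A", 10, "outpatient_notes", sensitive=True)
    print(evaluate_login(nurse, req))                     # REQUIRE_APPROVAL
    print(dual_control_approved(nurse, ["clinic_lead"]))  # True
    session = SessionState()
    for ev in [{"kind": "read", "category": "outpatient_notes", "records": 40},
               {"kind": "read", "category": "hr_files", "records": 5},
               {"kind": "download", "bytes": 60 * 1024 * 1024}]:
        print(monitor_event(nurse, session, ev))          # ALLOW, STEP_UP, SUSPEND
```

The point of the structure is that the decision is taken per request and per event, not once at log-in: a session that started with valid credentials can still be stepped up or suspended the moment its behavior departs from the user's baseline, which is the gap the post argues standard MFA leaves open.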
The moral of the story is simple: hackers get smarter every day and find new ways to circumvent standard security measures. Those of us responsible for defending against cybercrime need to evolve at least as fast as the bad guys — and preferably faster. And that’s the very nature of an adaptive authentication platform like IntelliTrust™. It’s built to learn and become smarter and more efficacious over time. So next time, instead of being congratulated for catching a hack in less than two weeks, an IT team can be appreciated for not making the news at all.
Want a little deeper insight into some key evolving security technologies? Watch this short video featuring Gartner’s David Mahdi and Entrust Datacard’s Ryan Zlockie discussing how to build trust through adaptive authentication and modern identity.