Keys to the Digital Kingdoms
Credentials are the keys to the digital kingdoms. Organizations that are still in two minds about implementing employee credential security should study the Verizon 2015 Data Breach Incident Report carefully before deciding. Half of the web attacks in 2014 involved stealing credentials to gain access to an organization's data (according to a report analyzing 80,000 security incidents and 2000 confirmed data breaches). The astonishing part is that 95% of the credential theft was made possible through mobile devices outside the company firewalls. Be it Target or eBay, the high-profile data breaches have, as a matter of fact, been due to stolen or compromised credentials. The report is therefore right to say that credentials are literally the keys to the digital kingdoms; for attackers they are a high-value target, always at risk of being stolen. Organizations that think they only have to worry about employees' credentials are in for a lot more trouble. They need to ensure that the credentials vendors and partners hold for their systems are managed as well as the employees' credentials. Here is why:
- A contractor that federal agencies used to conduct background checks was the reason for the massive data breach at the U.S. Office of Personnel Management. Through this contractor, hackers obtained the credentials they needed to access the sensitive employee data held by the OPM.
- The network credentials stolen from an HVAC subcontractor who worked at several Target locations were responsible for the data breach at Target.
- More and more organizations, such as Home Depot, CVS, and Costco, have squarely laid the blame for data breaches on third-party vendors. Such exposure may happen accidentally or intentionally.
In nearly two-thirds of web attacks, the thieves now target one source just to set up an attack on a different target. This methodology, known as Strategic-Web-Compromise, is on the rise, and it would be foolish of smaller organizations to think that they would not be the bait. According to the Verizon reports, there is an uptick in secondary attacks; hence, very few industries escape the attention of criminal empires. If you are thinking about a solution in the form of improved authentication with a second factor, like a hardware token or mobile app, then you are heading in the right direction. We couldn't agree more.
In Multi-Factor Authentication (MFA), users need to prove their credentials in more than one form. The best example is entering an SMS-generated code within the specified time limit. Today, new MFA technologies use mobile devices such as phones and watches to supply the authentication code, because this is much easier to implement, is cost-effective, and is simple to integrate into a single sign-on environment, providing a superior user experience. With mobile-based MFA, users just have to follow a prompt or enter a code provided by the MFA app on their cell phone or watch. Once this second factor is authenticated, users can access their apps and files.
Now the question arises whether MFA really makes a difference. The answer is a sure yes. According to a Verizon report, a percentage of security breach incidents could have been stopped if the organizations had MFA in place. Verizon identified 10 critical security protocols that, if implemented, will stop a confirmed attack on an organization. Two-factor authentication tied with patching web services at the top of the list. This shows how powerful an MFA implementation is and where organizations can plug a huge security loophole immediately.
Security for credentials can be provided through IAM solutions, CASB solutions, SSO, MFA and federated identity solutions. The best step would be to search for an efficient third-party cloud security solution provider so that the company's confidential data is never compromised. Don't be a statistic or fodder for the next Verizon breach report. Find your way out of credential theft, implement the needed cloud data security solutions, and win the battle against data attacks.