In a world where devices can have inherent security flaws, how do we make authentication safer?
Traditional cybersecurity measures are being re-examined as new technology, such as internet of things (IoT) devices, creates a larger attack surface and cybercrime incidents become more sophisticated, innovative and damaging.
Depending on the context, a trusted device could be your mobile phone, work computer or another device in regular use, and many people rely on trusted devices to skip authentication steps that would otherwise slow them down day to day.
In the light of events such as Meltdown and Spectre, many are worried about the integrity of their devices and are wondering if the concept of a ‘trusted device’ is still useful.
Siliconrepublic.com spoke to vice-president of cyber strategy at biometrics firm Biocatch, Uri Rivner, as well as Mike Fumai, president of endpoint security firm AppGuard, about the need for new kinds of authentication.
Trust decisions confuse users
Fumai said: “Trust decisions have been left to end users that don’t even know what questions they should be answering.” This is despite efforts such as the Trusted Computing Group’s TPM 2.0.
Fumai continued: “Consider a computer end user logging onto an internet-facing server. The server received the password, but it was sent from an unknown computer, from a different country, at an odd time and day.
“Clearly, from the server’s perspective, if it had one, trust is not simply a matter of yes or no. Trust is nuanced. Even if the password were sent from a familiar computer, same country and at a normal time, how can the server know there isn’t malware on that computer?
“There can only be trustworthy devices if there is a trust infrastructure that does not depend on the knowledge and skills of the people using the devices.”
Rivner noted that bad actors often use a combination of social engineering, malware and remote access to perform operations from the trusted user device, be it a PC or a mobile device.
A plethora of vulnerabilities
“PCs are notoriously prone to attacks, and the number of infected PCs keeps rising due to effective drive-by-download infections where a user with an unpatched machine goes to a compromised website,” Rivner said.
Mobile devices, while less at risk, are far from exempt, with more malware and social engineering attacks targeting these devices than ever before.
Fumai explained that the weakness in systems such as NFC and Bluetooth lies in their trust-establishment protocols: “Adversaries exploit their weaknesses by design. For example, they can impersonate a device such as a critical medical monitor.”
How are IoT devices creating new attack vectors?
As well as traditional targets such as mobile devices and PCs, the boom in IoT devices is creating its own suite of problems.
As Rivner noted, the number of connected devices is overwhelming, and they can be conscripted into botnets to launch denial-of-service attacks, send massive email infection campaigns and more.
The low-price, mass-volume presence of IoT devices, combined with unsophisticated software with multiple vulnerabilities, creates a rich target environment for attackers. Fumai said each device can be viewed as a potential attack platform. “A single device amongst so many can do subtle things that go unnoticed. Or, they can do terrible things that cannot be missed.”
IoT devices offer a great many positives for the world, but their deployment needs to be done thoughtfully, Fumai concluded. “We need the manufacturers, service providers and the regulators of our society to be diligent and vigilant regarding mundane things such as authentication, key management, secure communication, remote attestation, secure development life-cycle practices, application security testing and more.”
Look to the future
Rivner predicts that cyberattacks on blockchain technology will appear in the near future as criminals adjust to distributed ledger procedures, and that chatbot fraud cases may follow, particularly as banks adopt the technology.
As IoT accelerates into the mainstream, enterprises will need to be ready for the transformation, Fumai warned. Attackers now strike with malware-less attacks, using legitimate utilities already installed on the machine to carry out harmful actions. “Enterprises need to rapidly adapt as traditional ‘detect and react’ technologies are rapidly becoming obsolete. They basically are looking for something that isn’t there.”
Advice for CISOs
Traditional cyber-defence methods have been failing for years, according to Fumai. The ‘detect and react’ method of dealing with threats is “costing the enterprise more each year to sustain”.
Fumai explained that to justify shifting to a more prevention-oriented way of thinking, “one needs to have a clear idea of what the current ‘detect and react’ posture costs, and what it likely will cost in the years to come”. He recommends building a labour breakdown to track the hours spent by your IT or security personnel in the different areas of your cybersecurity programme.
The picture is not as linear as it seems; building such a breakdown structure can uncover insightful correlations that help quantify and prioritise investments in areas such as employee-readiness training and endpoint compromise prevention.
Authentication needs to get more dynamic
“Wherever authentication is weak, no other security function can succeed. What good is encryption if anyone can impersonate someone authorised to have the encryption key?” Fumai questioned.
There are many additional kinds of authentication, from iris scanning, fingerprints, facial recognition and touchscreen patterns, to dynamic things such as facial gestures, keyboard usage patterns, voice patterns and more. Rivner noted an increased interest from business for continuous authentication options: “When an intruder or threat is inside the user’s account, an anomaly is detected in real time and the intrusion can be prevented.”
Each has strengths and weaknesses, noted Fumai, adding: “We shouldn’t rely on any singular one. Instead, we should always seek a combination. We mustn’t limit authentication to a Boolean state either. We should be more probabilistic.”
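The scenario Fumai sketches earlier (a password arriving from an unknown computer, a different country, at an odd hour) and his point here that authentication should be probabilistic rather than Boolean can be made concrete with a small risk-based scorer. The following is an added example written for this page; it is not code from Siliconrepublic.com, BioCatch or AppGuard. Every per-signal probability, threshold, device ID, country code and user profile is a constructed assumption chosen to keep the arithmetic easy to follow, not a calibrated value. Each signal (unfamiliar device, unfamiliar country, odd hour, and a behavioural keystroke-cadence check of the kind Rivner describes for continuous authentication) contributes its own probability of compromise, and the signals are combined with a noisy-OR so that several weak signals accumulate into a strong one; the result is mapped to allow, step-up or deny rather than a bare yes or no.

```python
"""Risk-based (probabilistic) authentication scorer: constructed example."""
from dataclasses import dataclass, field
from statistics import mean

# Per-signal probability that the login is NOT the legitimate user.
# These weights are constructed for illustration, not calibrated values.
P_UNKNOWN_DEVICE = 0.40
P_UNFAMILIAR_COUNTRY = 0.35
P_ODD_HOUR = 0.15
P_TYPING_STRONG_ANOMALY = 0.30   # cadence more than 2 sigma from the user's norm
P_TYPING_MILD_ANOMALY = 0.10     # between 1 and 2 sigma


@dataclass
class UserProfile:
    known_devices: set
    home_countries: set
    usual_hours: range          # local hours in which the user normally logs in
    typing_mean_ms: float       # mean inter-key interval learned for this user
    typing_stdev_ms: float


@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int
    keystroke_intervals_ms: list = field(default_factory=list)


def typing_anomaly_prob(profile, intervals):
    """Behavioural signal: how far the observed cadence sits from the user's norm."""
    if not intervals or profile.typing_stdev_ms <= 0:
        return 0.0                      # no evidence either way
    z = abs(mean(intervals) - profile.typing_mean_ms) / profile.typing_stdev_ms
    if z > 2:
        return P_TYPING_STRONG_ANOMALY
    if z > 1:
        return P_TYPING_MILD_ANOMALY
    return 0.0


def signal_probs(profile, ctx):
    """One probability per signal; 0.0 means the signal raised no concern."""
    return [
        P_UNKNOWN_DEVICE if ctx.device_id not in profile.known_devices else 0.0,
        P_UNFAMILIAR_COUNTRY if ctx.country not in profile.home_countries else 0.0,
        P_ODD_HOUR if ctx.hour not in profile.usual_hours else 0.0,
        typing_anomaly_prob(profile, ctx.keystroke_intervals_ms),
    ]


def risk_score(profile, ctx):
    """Noisy-OR combination: P(compromise) = 1 - prod(1 - p_i)."""
    not_compromised = 1.0
    for p in signal_probs(profile, ctx):
        not_compromised *= (1.0 - p)
    return 1.0 - not_compromised


def decide(score, allow_below=0.25, deny_from=0.60):
    """Map the continuous score to three outcomes instead of a Boolean."""
    if score < allow_below:
        return "allow"
    if score < deny_from:
        return "step-up"           # e.g. ask for a second factor
    return "deny"


# Constructed profile of a hypothetical user (all values are made up).
ALICE = UserProfile(known_devices={"laptop-7f3a"}, home_countries={"IE"},
                    usual_hours=range(8, 19), typing_mean_ms=180.0, typing_stdev_ms=25.0)

# Constructed logins: the familiar case, Fumai's unknown-computer case, and a
# session from the trusted device whose typing cadence no longer matches the user.
FAMILIAR = LoginContext("laptop-7f3a", "IE", 10, [175, 185, 190, 170, 180])
UNKNOWN = LoginContext("unknown-device", "XX", 3, [175, 185, 190, 170, 180])
HIJACKED = LoginContext("laptop-7f3a", "IE", 10, [40, 42, 41, 40, 43])

if __name__ == "__main__":
    for name, ctx in (("familiar", FAMILIAR), ("unknown", UNKNOWN), ("hijacked", HIJACKED)):
        s = risk_score(ALICE, ctx)
        print(f"{name:9s} risk={s:.3f} -> {decide(s)}")
```

The third scenario is the one a device-centric check misses: the device, country and hour all look normal, so only the behavioural signal fires, and the scorer asks for step-up verification rather than either waving the session through or locking a legitimate user out.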
He said that authentication must be thoroughly integrated with all other aspects of security. Hackers tell their peers to attack the implementation, not the algorithm.
“Any gap or disconnect is an opportunity for a hacker to exploit. What good is perfect authentication if a hacker can wave his hand while saying, ‘These aren’t the droids you’re looking for’?”