Data Protection, Penetration Testing, Security Services, Vulnerabilities, Vulnerability Analysis, Vulnerability Management

Vulnerability Assessments Versus Penetration Tests: A Common Misconception

X-Force Red is an autonomous team of veteran hackers within IBM Security that is hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. Our team recently unveiled new statistics collected from its penetration testing engagements. One statistic that stood out, although not surprisingly, was that out of 1,176 phishing emails sent to employees within five organizations from October 2017 to November 2018, 198 people clicked on the malicious link inside the email and 196 people submitted valid credentials.

While those numbers do not appear significantly high, they still show that criminals had 196 unique opportunities to move around inside a target organization and access sensitive data. And considering one set of valid credentials is all it might take for a criminal to launch an attack, 196 of them is a gold mine.

These security mistakes are the types of vulnerabilities that can be identified by penetration testers. On the other hand, vulnerability assessments, which typically require an automated scanning tool, are designed to identify known system vulnerabilities. However, despite those differences, some vendors, cybersecurity professionals, marketing teams and others often use the terms “penetration testing” and “vulnerability assessment” interchangeably, mixing two completely different security engagements.

It’s a misconception that should be corrected so that security professionals understand exactly what they are buying and receiving and how that investment will help solve the challenge at hand. If they are unwittingly misled into buying the wrong solution for their environment, a critical unknown vulnerability exposing a high-value asset could be missed.

A Q&A With X-Force Red Penetration Testing Consultant Seth Glasgow

Seth Glasgow, an X-Force Red penetration testing consultant, has participated in many conversations with clients and security professionals where he has had to clarify the difference between vulnerability assessments and penetration testing. I chatted with Seth about the misconception, including how it came to be and what the difference is between penetration testing and vulnerability assessments.

Question: Seth, thank you for chatting with me about this topic. Can you provide more details about how some in the industry use penetration testing and vulnerability assessments interchangeably?

Glasgow: Sure, Abby. Some vendors, security professionals and others in the industry believe penetration testing is a substitute for vulnerability scanning, or vice versa. Basically, they say they don’t need both; they need one or the other. Sometimes, the two names alone cause confusion. Some may say “vulnerability testing” or “penetration scanning.” Others may say they offer penetration testing, but it’s really just an automated scan that can find known vulnerabilities. It does not involve actual manual testing.

To cover all your bases, it’s best to use a combination of manual penetration testing and vulnerability assessments. I like to compare it to clubs in a golf bag. Not every club is needed for every shot, but to play the whole game, you need all of them.

I like that analogy. How do you think this mixing of the two terms came to be? Was it marketing-related where marketers used the same language to describe the different solutions?

Glasgow: There are a few reasons, none of which began with marketing. One is related to compliance. Some mandates lump penetration testing and vulnerability assessments into one requirement, which muddies the water. At a technical level, the conversations are like a game of telephone. Information is repeated in the wrong context, and before you know it, a vendor is offering to sell a low-cost “penetration test,” but it’s really an automated scan. Also, in the past, the two terms could have been used interchangeably based on the threat and vulnerability landscape at the time. Whereas today, the two are very different and solve different problems.

Can you provide an example of how the evolution of the industry has caused significant differentiation between the two?

Glasgow: Sure, I have a couple of examples. In the past, before the cloud became popular, most companies worked with physical servers. A vulnerability assessment, which involved scanning servers before they went into production, was often all that was needed to find critical vulnerabilities and make sure they were patched. After all, the servers were managed locally, making it somewhat easier to control the security around them (such as who can access them). Today, an increasing number of companies are migrating to the cloud, which has a large variety of other security implications. At a minimum, this means more server configurations need to be set up, and there can be less control and visibility into who’s accessing which data from which network. In this new security environment, penetration testing is essential in identifying configuration and access control vulnerabilities and can link those vulnerabilities together to show how an attacker could leverage them to compromise a cloud environment.

Another example is with the Payment Card Industry Data Security Standard (PCI DSS). Companies could comply with older versions of the standard by just doing a vulnerability assessment and possibly a light penetration test. However, in the PCI DSS version 3.2, the requirements specify companies implement a penetration testing methodology (see requirement 11.3) and say companies must “validate segmentation,” which can only be done by performing a manual penetration test.

So, what is the difference between the two? Can you break it down for us?

Glasgow: Whereas vulnerability scanning is 10 miles wide and one mile deep, penetration testing is 10 miles deep and one mile wide. Vulnerability assessments involve automated scanning, which casts a wide net across the entire network. Scanning evaluates every in-scope system to identify known vulnerabilities. Vulnerability assessments review systems for patching and security configuration items that represent security risk. They also include confirmation that the vulnerabilities are real and not false positives; however, they do not include exploitation of the vulnerability. Frequent assessments are important because they enable companies to understand what their attack surface looks like on a regular basis. The vulnerability landscape is constantly evolving as new discoveries are made and patches are released. I could scan a system today and have a clean bill of health, but I could scan that same system next month and find critical vulnerabilities.

Penetration testing is a manual exercise that focuses on identifying and exploiting vulnerabilities within the in-scope networks and applications. It can assess all facets of the security of a company, including networks, applications, hardware, devices and human interactions. The facets to test are decided prior to the engagement. Testing involves hackers actively exploiting vulnerabilities, emulating how a criminal would leverage and link vulnerabilities together to move laterally and/or deeper into the network to access the crown jewels. As testers, we are less concerned about vulnerabilities we cannot exploit, or those that don’t lead to anywhere valuable.

For example, let’s say you have a webpage that hosts an online brochure and has minimal user engagement. A vulnerability assessment will treat that page the same as if it were a webpage with a high level of user engagement. A penetration test would not focus on that page because the testers know it wouldn’t lead them to a highly valuable place. They may be able to use information from the brochure to move elsewhere within the network; however, they would focus on other components that would give them the most access.

Think of it this way: A vulnerability assessment identifies if the office doors in a building are unlocked. A penetration test identifies what criminals would do once they are inside the office.

Figure 1: Top differentiators between vulnerability assessments and penetration testing (source: X-Force Red)

I have one final question: If I am a cybersecurity leader looking for penetration testing services, which red flags should I look for that may indicate a vendor is actually offering a vulnerability assessment but says it’s a penetration test?

Glasgow: Be wary of the timeline. A good penetration test doesn’t adhere to a strict timeline, but it should take at least a week’s worth of work. And that’s on the low end. If a vendor is saying they can perform a test with a much quicker turnaround, that’s a sign they are probably going to use an automated scanning tool and quickly send you a report of all the findings. Also, ask about the deliverable. What kind of information will be in the findings report? If it’s a spreadsheet with scan results, that’s a sign it’s a vulnerability assessment. A penetration testing report typically includes the findings, a detailed narrative of what the testers did and remediation recommendations.

The report should also include the types of testing performed to help ensure security professionals know where remediation emphasis should be placed to make a network more difficult for hackers to gain access, maintain access and exfiltrate data.


This post appeared first on Security Intelligence
Author: Abby Ross

Cybersecurity Legislation, Data Protection, General Data Protection Regulation (GDPR), Incident Response, Incident Response (IR), Incident Response Plan, Network Security, regulatory compliance, Threat Detection

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

Our society relies on the availability, security and reliability of network and information systems (NIS). Various security frameworks provide standards and guidance as to which measures organizations should implement to protect IT systems and increase resilience. However, since such recommendations are not ingrained as actual laws in most countries, these best practices and guidelines are often followed solely on a voluntary basis.

This contrasts with the European Union (EU)’s NIS Directive, legislation that sets a range of network and information security requirements to augment IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

In this post, we will focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Regulations Versus Directives

The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

While it also applies to all member states, instead of being immediately applicable, it sets goals, requirements and results that must be achieved. It is then up to each member state to devise its own laws on how to reach these goals and what types of penalties noncompliance will carry. The NIS Directive also sets a floor. There can be greater requirements applicable based on the organization’s industry sector and member state(s) it operates in.

This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state. These transpositions can result in differences in the implementation of the directive into law, in some cases complicating matters for organizations that operate across borders.

Variance in Incident Notification Definitions

One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

An additional element of complexity is that, according to Article 5, the identification of OES per sector needs to happen individually within each member state. Although organizations might give input to this process, the actual identification is out of their hands. This process is another way by which the directive could result in various interpretations that end up adding complexity.

The Benefits of Incident Notification

One of the drivers for notification in the context of the directive is to be compliant with legal requirements. However, if the starting point of your organization is to only comply with the bare minimum of these notification requirements, then you will miss out on the opportunities provided by the directive.

Additionally, the bulk of these requirements, including notification and detection capabilities, should already be covered in large part by your existing security environment. If this is not the case, you can use the NIS Directive as a wake-up call to improve your security posture.

From a policymaker’s point of view, the notification requirements can help better identify the challenges within a sector and propose mitigation measures that are based on actual facts and figures. These facts and figures can then be used by CSIRTs (or a responsible authority) to provide more relevant warnings and situation reports together with sector-specific threat intelligence. Similarly, this information can also be used to evaluate cross-border impact of incidents or threats and optionally notify other member states.

Breaking Down Notification Requirements

Now, let’s dive into some details of the NIS Directive. There are essentially three main parts to the notification requirement.

First, prior to notification, organizations need to be able to detect security incidents — i.e., they must possess appropriate detection capabilities. The second part involves defining what a significant incident is and what risks, either directly or indirectly, can have significant impact on an essential service. The last part of the notification requirement involves understanding when, what, how and to whom organizations must report incidents.

First Things First — Detection

Every notification starts with proper detection of an incident. You can find guidelines on detection capabilities in a reference publication from the NIS Cooperation Group on security measures.

The core principles for these security measures include being effective, tailored, compatible, proportionate, concrete, verifiable (evidence of the effective implementation of security policies) and inclusive (includes all security domains that may contribute to reinforcing cybersecurity).

Applying NIS measures to the domain of detection and resilience can be done by:

  • Setting up a detection system to analyze files and protocols — this can include, for example, network intrusion detection systems (NIDSs) or malware sandboxes;
  • Enabling logging on critical systems (log entries should include time stamps);
  • Collecting the logs centrally; and
  • Conducting log correlation and analysis on the events coming from critical systems.

All of the above actions can also be automated with a security information and event management (SIEM) solution.

After Detection — Defining Incidents

But what, exactly, is a security incident? Article 4 defines it as any event that has an actual “adverse effect” on the security of network and information systems. As a side note, the directive does not include a definition of what is covered by “adverse.”

Based on the information from the NIS Cooperation Group, we can combine the definition of an incident with the definition of security of network and information systems. This would redefine an incident to be any event that affects the authenticity, confidentiality, integrity or availability of network and information systems, and has a significant impact on the continuity of the essential service itself.

What Is a Significant Incident?

A set of three parameters from Article 14 of the NIS Directive can be used to determine what is considered a significant incident:

  • The number of users that are affected by the disruption of the essential service.
  • The duration of the incident.
  • The geographic spread of those affected by the incident.

Additionally, the parameters from Article 6 are also helpful in defining what qualifies as a significant incident:

  • What is the dependency of other OES on the service affected by the incident?
  • What is the impact (degree, duration) on economic and social activities or on public safety? In particular, the impact on social activities can be hard to measure for OES.
  • How large is the market share of the affected service?
  • What is the geographic spread that could be affected?
  • How important is the affected element for maintaining a sufficient level of service?

In general, OES already use most of these parameters to define crises within their services that are unrelated to IT.

The actual criteria, thresholds and parameters for determining significant incidents are defined by member states. These can include the parameters defined in the NIS Directive, possibly extended with other state-specific or sector-specific criteria.

The Directive’s Notification Timeline

According to Article 14, organizations need to notify without undue delay, although this timeline can be shortened or specified based on the member state. The term “undue” can also be subjective, but in most cases, this means the organization must send a preliminary notification whenever an incident is first detected, even if all the details are not available yet. The goal is to raise awareness. As your investigation progresses, you can provide intermediate follow-ups, and when the incident is closed, you can provide a full report.

It’s fairly simple to implement this step. Your IR plan should already include a notification and escalation path for certain types of critical incidents during the detection and analysis phases. It should also foresee a final incident report as part of the lessons-learned phase.

In essence, this requirement is an extension of an already established IR plan and recovery process.
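As an added example (not part of the original post), the following Python sketch shows how an OES incident-response team might encode the Article 4 incident definition, the Article 14 significance parameters with the Article 6 dependency factor, and the preliminary/intermediate/final notification timeline described above. The thresholds, the 24-hour update interval and the sample incidents are constructed placeholders, since the directive leaves the real criteria to each member state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed placeholder thresholds. The directive leaves the actual criteria,
# thresholds and parameters to each member state (and sector); these values
# are assumptions for this example only.
THRESHOLDS = {
    "users_affected": 50_000,          # Article 14: number of users affected
    "duration": timedelta(hours=4),    # Article 14: duration of the incident
    "regions_affected": 2,             # Article 14: geographic spread
}

SECURITY_PROPERTIES = {"authenticity", "confidentiality", "integrity", "availability"}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    adverse_effect: bool          # Article 4: an actual adverse effect on the NIS
    security_property: str        # which property of the NIS was affected
    users_affected: int
    duration: timedelta
    regions_affected: int
    dependent_oes: List[str] = field(default_factory=list)  # Article 6: other OES relying on the service
    closed_at: Optional[datetime] = None


def is_security_incident(inc: Incident) -> bool:
    """Article 4 read together with the NIS Cooperation Group definition of
    security: an event with an adverse effect on the authenticity,
    confidentiality, integrity or availability of network and information systems."""
    return inc.adverse_effect and inc.security_property in SECURITY_PROPERTIES


def significance_reasons(inc: Incident, thresholds=THRESHOLDS) -> List[str]:
    """Article 14 parameters that meet or exceed the member-state thresholds,
    plus the Article 6 dependency factor. An empty list means the incident is
    not significant and Article 14 does not require a notification."""
    reasons = []
    if inc.users_affected >= thresholds["users_affected"]:
        reasons.append("users_affected")
    if inc.duration >= thresholds["duration"]:
        reasons.append("duration")
    if inc.regions_affected >= thresholds["regions_affected"]:
        reasons.append("geographic_spread")
    if inc.dependent_oes:
        reasons.append("dependency_of_other_oes")
    return reasons


def must_notify(inc: Incident, thresholds=THRESHOLDS) -> bool:
    """Notify the competent authority / national CSIRT only for a security
    incident (Article 4) whose impact on the essential service is significant."""
    return is_security_incident(inc) and bool(significance_reasons(inc, thresholds))


def notification_schedule(inc: Incident, update_interval=timedelta(hours=24),
                          as_of: Optional[datetime] = None):
    """Preliminary notification at detection (without undue delay, even if the
    details are incomplete), intermediate follow-ups while the investigation is
    open, and a full report when the incident is closed. The 24-hour update
    interval is a constructed placeholder, not a value from the directive."""
    end = inc.closed_at or as_of or datetime.now()
    steps = [("preliminary", inc.detected_at)]
    t = inc.detected_at + update_interval
    while t < end:
        steps.append(("intermediate", t))
        t += update_interval
    if inc.closed_at is not None:
        steps.append(("final_report", inc.closed_at))
    return steps


# Constructed sample incidents (not real events).
OUTAGE = Incident("INC-0001", datetime(2019, 3, 1, 8, 0), True, "availability",
                  users_affected=120_000, duration=timedelta(hours=6), regions_affected=3,
                  dependent_oes=["water-utility-b"], closed_at=datetime(2019, 3, 3, 10, 0))
MINOR = Incident("INC-0002", datetime(2019, 3, 1, 9, 0), True, "integrity",
                 users_affected=12, duration=timedelta(minutes=30), regions_affected=1)
NO_EFFECT = Incident("INC-0003", datetime(2019, 3, 1, 9, 30), False, "availability",
                     users_affected=500_000, duration=timedelta(hours=8), regions_affected=5)
OPEN = Incident("INC-0004", datetime(2019, 3, 1, 0, 0), True, "confidentiality",
                users_affected=60_000, duration=timedelta(hours=1), regions_affected=1)

if __name__ == "__main__":
    for inc in (OUTAGE, MINOR, NO_EFFECT, OPEN):
        print(inc.incident_id, "notify:", must_notify(inc), significance_reasons(inc))
    for stage, when in notification_schedule(OUTAGE):
        print(f"  {stage:<13} {when:%Y-%m-%d %H:%M}")
```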

Where to Report?

Each member state is free to choose its own reporting framework. This can be the national authority, sectoral authorities or a combination of both, in addition to notifying the national CSIRT.

As an organization, it is important to identify to whom you have to report, exchange contact details between your security team and the notification body, and establish and test this communication process.

Use the NIS Directive as an Opportunity

Similar to the GDPR, you can approach this directive as a roadblock or a nuisance, or you can consider it an excellent opportunity to improve your security posture. The fact that some security requirements are legal requirements can help you further establish your security program.

There are many articles in the directive to take into account, but you should start by focusing on the following:

  • Article 4, which defines a security incident;
  • Article 5, which mandates that member states should identify OES;
  • Article 6, which sets additional parameters to define significant incidents; and
  • Article 14, which requires you to implement security measures and notification processes. This article also contains the three base parameters to define what is a significant incident and describes the accepted delay for notifications.

Unfortunately, despite the fact that the bulk of the NIS Directive has been well-known for quite some time, not all EU member states have finished transposing its requirements into actual laws.

If this is the case for your environment, you might benefit from the situation and provide your lawmakers with input for security measures that would actually improve the level of security for network and information systems in your sector.


This post appeared first on Security Intelligence
Author: Koen Van Impe

Computer Security, Data Breach, data leak, Data Leaked online, Data Protection, email, Security Hacker, Vulnerability

800 Million Emails Leaked Online From World’s Largest Email Verification Service

Researchers discovered an unprotected 150GB MongoDB database, the biggest and most comprehensive email database found to date, that leaked 800 million email records online. The leaked emails contain sensitive information, including personally identifiable information (PII), and the complete data set is publicly available and can be accessed by anyone on the internet. This database exactly […]

The post 800 Million Emails Leaked Online From World’s Largest Email Verification Service appeared first on GBHackers On Security.

Application Security, Blockchain, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, IBM Security, Identity & Access, Identity and Access Management (IAM), Identity Governance, Penetration Testing, Security Services, X-Force

Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is what’s to be expected considering bitcoin was the first major cryptocurrency that made blockchain a household name. However, bitcoin is only one among a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one application of many uses by which blockchain can aid society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. The data is stored within a block, where it is digitally recorded and linked together with other blocks, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions. The transactions are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Any data stored on the blockchain is “immutable,” meaning it cannot be changed. Also, all network participants have a copy of the data, meaning everything is transparent and everyone has the same version of truth.

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation makes its way into mainstream markets, served to average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued between $20 billion and $60 billion. This significant growth represents up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, while blockchain is straightforward in concept, if improperly implemented, flaws and vulnerabilities can result in risk and security consequences. Think about what would happen if one could change the smart contract’s data before it is stored on the chain. Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority be disclosed to an unauthorized third party, then it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.


This post appeared first on Security Intelligence
Author: Christopher Thomas

Business Continuity, Chief Information Security Officer (CISO), CISO, cyber risk, Data Protection, Governance, Risk Management, Security Management, Security Spending, Security Strategy

How Can CISOs Improve Board Governance Around Cyber Risk Management?

The pressure is on for corporate leadership to get a better handle on cybersecurity. But unlike other board governance processes that are a lot more mature (e.g., financial risks, market pressures), when it comes to cyber risks, boards need help — help that the chief information security officer (CISO) is uniquely positioned to deliver.

Boards want better insights into how cybersecurity management decisions are made and often complain of getting briefed with techno-babble and operational security metrics instead. How can CISOs better bridge the communications divide and improve the board’s ability to provide adequate oversight of cyber risks?

A recent report titled “Leveraging Board Governance for Cybersecurity,” issued by the Advanced Cyber Security Center (ACSC), a nonprofit effort to enhance cyberdefense and informed policymaking, helps shed light on the disconnect. Boards have a strategic role to play regarding cybersecurity, but are hampered by their limited understanding of cyber issues, the quality and frequency of the reporting they receive from management, and inadequate board governance structures that often hold back key information from the full board.

While some organizations have improved their board governance processes on cybersecurity issues, much of the work to drive progress falls on the shoulders of the CISO. The good news is that, unlike a decade ago, there is now a lot more information available to guide CISOs on key cybersecurity issues to take up with boards and, where appropriate, resources designed specifically for board directors — such as the National Association of Corporate Directors (NACD)’s “Director’s Handbook on Cyber-Risk Oversight.”

Engage Board Directors on Cyber Risks

A key finding from the ACSC report is that only 21 percent of boards said they had what can be described as a “full partnership” level of engagement regarding cybersecurity and digital transformation. What does a full partnership look like? It includes getting regular updates, engagement around cyber risk priorities, and actual discussions with feedback and consideration of cyber risks in both strategic and operational decision-making. Even when boards viewed security as an important issue, it was often given more of a cursory review; 53 percent of respondents reported that very few — 5 percent or less — full-board meetings focus on cybersecurity.

For CISOs, this provides an opportunity to ask just how well the board is able to provide strategic guidance for management’s risk decisions. Consider:

  • Have board-level discussions impacted cyber risk decisions?
  • Can the organization improve the way it frames strategic discussions to include key cyber risk concerns, more in line with how it already weighs other risks and strategic decisions, such as financial risks or market growth?
  • Are cyber risks tied to investment decisions?
  • Is responsibility for cybersecurity embedded in all corners of the organization, and are cyber risks considered early on in the development and acquisition phases?
  • Is there a C-level committee — a steering committee of sorts — that meets regularly, at least quarterly?

Both the ACSC report and the NACD handbook advocate for these improvements to board governance processes, and CISOs should leverage these resources fully.

Ensure the Board Has Sufficient Security Expertise

The report echoed a common complaint among CISOs: “Most boards do not yet have sufficient expertise in technology or cybersecurity to serve as strategic thought partners on cyber risk.” Furthermore, 38 percent of respondents said their board viewed cyber risks as just “somewhat significant,” a dangerous indifference that, as recent breaches and ransomware attacks have shown, can bring an organization to its knees in the blink of an eye.

While CISOs may not be able to change whether boards consider recruiting directors with cybersecurity expertise, they can work to provide additional education and training to existing board members about how cyber risks can impact the business. Such cyber briefings could even include taking a tour of the data center or visiting one of the increasing number of cyber ranges or simulation centers.

CISOs should take stock of the current level of knowledge of the full board and work to improve the board’s cybersecurity expertise. Board members should receive consistent training and enhance their cybersecurity expertise, whether that is delivered by the CISO, by engaging external cyber risk advisers or through third-party assessments.

Link Cybersecurity Investments to Measurable Business Outcomes

One of the key roles of the board is to ensure that cybersecurity investments are appropriate for the levels of risk faced by the organization. As part of their broader involvement to ensure an effective digital transformation, boards should review the organization’s cybersecurity budget.

While most security budgets have grown in recent years, they are still too often tied to a fraction of overall IT budgets instead of being considered independently for their ability to support and balance the organization’s growth strategy with the risks it faces. CISOs should keep in mind that bigger budgets will mean bigger asks by management and the board, so it is important for CISOs to be seen as good stewards of their organization’s cybersecurity investments.

Boards often ask, “How do we know when we’ve done enough?” That’s why investments in personnel, process improvements and technology should be directly linked to measurable outcomes — the expected impact on cyber risks — and also tracked in terms of helping the organization achieve its business objectives. Every security dollar should be spent with an eye toward supporting the organization’s overall business and security strategy and helping to balance risks with rewards.

Find the Best Risk Metrics for Your Organization

Another striking element of the ACSC report is the largely operational nature of cybersecurity metrics and measures being reported to boards today. Examples of these operationally focused metrics include the number of attacks stopped, number of machines patched, number of breaches per period, percentage of systems in compliance and security budget as a percentage of IT budget. Unfortunately, such metrics and measures do very little to help top management and boards make informed risk judgments.

Operational metrics have their value for CISOs during internal discussions with their teams and, to a limited extent, for discussions with management. But CISOs and boards should come together to agree on better risk metrics that are relevant to directors to help establish trust and engagement, and to improve the board’s ability to make informed risk judgments. This is also an opportunity for CISOs to work with legal counsel to determine if the security strategy is aligned with the organization’s duty to protect the information it is entrusted with.

CISOs Should Help Reshape Board Governance Around Security

It is undeniable that CISOs have a lot on their shoulders since they are tasked with operational responsibilities while also playing an increasingly strategic role. The CISO can be a partner in reshaping the board’s level of engagement around cyber risks by providing regular training and education, more directly connecting security investments with the expected benefits for the organization, and reporting with more strategic and less operational metrics.

The post How Can CISOs Improve Board Governance Around Cyber Risk Management? appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christophe Veltsos

Artificial Intelligence (AI), CISO, Cloud, Cloud Security, Connected Devices, Cyberattacks, Data Privacy, Data Protection, Healthcare, healthcare security, himss, Incident Response (IR), Information Sharing, Quantum Computing, Risk Management, Security Conferences, Threat Response, Watson, X-Force,

Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security

With IBM Think 2019 and HIMSS19 in the books, it’s worth making time for a quick debrief. Which topics resonated the most with attendees? Where did conference themes and discussions overlap? And what’s on the horizon for global cybersecurity this year and beyond?

Key Takeaways From Think 2019 and HIMSS19

According to IBM CEO, President and Chairman Ginni Rometty in her Think opening address, “chapter two” of digital transformation has arrived. For Rometty, this next chapter is scalable, driven by artificial intelligence (AI) and embedded across the enterprise. But without information architecture, she noted, “there is no AI.”

Trust underpins every aspect of effective digital transformation. This ties into IBM’s biggest push during the conference: Watson Anywhere. Built on the open-source orchestration engine Kubernetes, the microservices-based Watson Anywhere empowers organizations to run AI across the cloud environment of their choice, in effect democratizing AI technology to meet consumers along the path of their digital transformation journey — wherever they may be.

HIMSS19, meanwhile, had a clear focus on patient data, specifically the development of interoperability rules that prevent data blocking and empower effective information sharing. But there was also significant overlap with IBM’s initiatives; as Healthcare Dive reported, cloud and AI innovations were on full display at the Orlando event. Even more telling was the conference’s tag line, “Champions of Health Unite,” which speaks to the democratization and rapid uptake of healthcare technology, in turn allowing patients to manage their own healthcare experiences.

Hot Topics in San Francisco and Orlando

In San Francisco, IBM thought leaders, innovators and industry front-runners provided hundreds of great sessions for attendees, covering topics from AI acceleration to quantum computing and innovative security. Highlights included:

  • Accelerating the Journey to AI — While 80 percent of organizations recognize the strategic potential of AI, just 19 percent understand what’s required to convert potential into profitability. State of New Jersey Judiciary CIO Jack McCarthy was joined by IBM Cloud and Cognitive Software Senior Vice President Arvind Krishna and other experts to help attendees develop a prescriptive approach to AI development across any cloud.
  • Innovation Doesn’t Happen Without Security. And Security Needs Innovation — Global security challenges demand innovative technologies capable of doing more than responding to threats as they occur. But the innovation required to stay ahead of your competition isn’t possible without a solid security foundation. In this session, IBM Security General Manager Mary O’Brien, Westfield Insurance CISO Kevin Baker and former professional racecar driver Danica Patrick tackled the cyclical challenge of security, innovation and IT evolution.
  • The Journey to Cloud Community CrowdChat — In a more free-form session, the #Think2019 conference community CrowdChat tackled the challenge of cloud transition. According to Silicon Angle, chat participants highlighted both emerging needs for cloud-native tools capable of delivering “unprecedented flexibility” and commensurate security practices that drive both effective application development and DevOps processes.
  • Access the Future Today: Quantum Computing — While quantum computing has largely been confined to high-level enterprise use, this IBM session, led by Dr. Dario Gil, director of IBM Research, spoke to the development of road maps for mainstream adoption of cloud computing and how businesses could benefit from quantum solutions in the near term.

At HIMSS, meanwhile, hot conference topics included:

  • Patient-Centric Health Information Exchange — Disparate health information management systems are causing problems for physicians and patients alike. In this session, IBM Blockchain Solutions Architect Shahryar Sedghi and AT&T Director of Healthcare Solutions Thyge Knuhtsen helped define the requirements for patient-centric healthcare interoperability resources that leverage tools such as blockchain to “liberate” personal healthcare data.
  • Combating Cyberattacks with a Security Residency — Jennifer Kady, director of IBM Security solutions for the U.S. public sector, tackled the increasing risk of cybersecurity incidents with a new solution: security “residencies” that help train healthcare IT teams to effectively respond in the event of an attack.
  • Mitigating the Next Generation of Risk: Connected Medical Devices — The use of connected medical devices is on the rise, but just 51 percent of device manufacturers follow FDA guidance to mitigate risks. This session focused on the development of programmatic, end-to-end security approaches to secure both IT assets and medical devices.
  • Reactions from the Field: AI — Three industry leaders came together for a discussion of healthcare AI in the field. What’s working, what isn’t and what needs to change? From streamlining workflows to eliminating repetitive tasks, cloud-based AI has real potential for healthcare if companies can leverage clean, normalized “good data” to make accurate predictions and take critical action.

The Future of Global Security

Cybersecurity is now a serious global concern. For healthcare organizations, this is reflected in the $1.4 million it costs to recover from “average” cyberattacks, according to HealthITSecurity, and worrisome data from Proofpoint that shows health-focused email attacks are up 473 percent over the last two years. For IBM, AI-driven digital transformations aren’t possible without the solid foundation of innovative security and consumer trust.

Taken together, the topics and keynotes from both conferences suggest three emerging trends for cybersecurity in 2019:

  • Intelligence-driven response — Innovation drives success, and security is no exception. The rise of any-cloud AI makes innovative, intelligence-led incident response (IR) an attainable goal, and one that will quickly become necessary as threat actors leverage their own versions of AI to compromise global targets.
  • Personalized accountability — Patient healthcare data is an incredibly valuable resource. While the shift to “unblocked” data offers more granular control for patients and caregivers alike, it also speaks to the need for increased accountability; from connected devices to security readiness, enterprises must be prepared to defend data both at scale and in-situ.
  • Open data defense — Interoperability is critical for healthcare data, and data sharing is paramount for advanced AI systems. As data becomes more “open,” organizations must leverage advanced solutions such as quantum computing and IBM X-Force residencies to help defend this critical resource.

We’re only a few months into the year, but HIMSS19 and Think 2019 have already helped shape this year’s focus on enterprise transformation, innovation and global cybersecurity.

The post Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Bring-Your-Own-Device (BYOD), Business Email Compromise (BEC), Data Privacy, Data Protection, Endpoint, Endpoint Security, Network, Network Security, Phishing, Security Testing, Security Training, Social Engineering, social media,

When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current

The greatest threats to the enterprise are often those that use social engineering to extract information or data from employees. For threat actors, this tactic rarely requires any technical know-how, so the barrier to entry is low.

To make matters worse, the rapid rise in social media use lowers this barrier even further. Regardless of whether your enterprise has rules in place to limit social media use, you can’t stop employees from using social media 24/7. As threat actors continue to leverage social media attacks as a launchpad to infiltrate enterprise networks, what are some defensive tactics organizations should be aware of?

Before we get into specifics, it’s critical for the enterprise to recognize that as social media use increases, the threat of attacks carried out via social media escalates as well.

Understanding Attackers’ Social Media Tactics

The first thing organizations should be concerned about is the ease with which a bad actor can target employees through social media.

“It’s not that difficult with a little bit of information going in,” said privacy advocate Paul Bischoff. According to Bischoff, a threat actor only needs to know the name of one person who lists a target employer in his or her profile.

If it’s a big company, the attacker may not even need to know a specific person’s name — they can simply take a guess at common names. Now that the threat actor has their target, they have several options. One is to try hacking the account, possibly by using passwords leaked in data breaches at other companies. Or, they can attempt to establish contact with the target and use a phishing attack to get the information they need, such as getting access to a business email account. They could even try to add the mark as a friend or hack an existing friend’s account to impersonate them and communicate with the original target.

Using social media can help threat actors evaluate their targets both inside and outside of the workplace. People share a lot of personal information on social media, which often includes valuable nuggets of data about their work life. While the ubiquity of social media is relatively new on the technology timeline, social engineering is a scheme as old as time.

In our hypothetical hacking situation, if access to the employee’s accounts is compromised, the next step for the attacker can be to infiltrate the target’s corporate network. Depending on the network, the starting point is often getting access to business email, according to Bischoff.

“If a hacker manages to break into someone’s email, they can wreak havoc,” Bischoff added. “Not only are they privy to existing emails, but they can write new ones. Furthermore, an email account is often where two-factor authentication PINs, password reset links and other sensitive account information is sent for all sorts of online accounts.”

Once the threat actor logs in to a victim’s email account, they can buy themselves time by taking steps to lock the target out by changing the password and/or recovery email address. Because these problems can take a while to resolve, attackers typically have some leeway to work their way up the food chain, impersonating victims and sending convincing phishing emails to others in the company.

Exploring Some Simple Prevention Techniques

One prolific method that threat actors use as a stepping stone to access sensitive corporate data is profile cloning, in which fake Facebook (or Instagram or another social network) profiles are created by using duplicate photos and relevant data stolen from a targeted user’s real social media profile.

“Facebook cloning can be used to establish contact with the target by impersonating an acquaintance,” said Bischoff. “The hacker might even clone an existing friend’s profile — would you notice if someone who didn’t post much on Facebook added you as a friend a second time? Facebook mitigates this by showing how many mutual friends you have with anyone who sends you a friend request, but not everyone pays attention or cares.”

To thwart these types of attacks, Bischoff advised employees to not post an employer on their social media profiles. If they must, instead of selecting from the drop-down list of existing employers that appears when you start typing, they can “create” a new employer. This prevents the employee from showing up on the threat actor’s list when they target that specific company.

Additionally, as security experts have mentioned repeatedly, it’s critical to educate employees on common phishing tactics and even consider testing this in real-time with practice phishing emails. With 27 percent of users failing a phishing test, according to a 2018 study, we must continue educating and testing teams across the organization and providing role-based education and awareness sessions. Finally, Bischoff suggested establishing rules that require a second form of identity verification to share certain information.

“For example, if someone requests a password to use the office VPN, that person should also verify the request in person or by phone, and be sure not to use a phone number listed in the email,” Bischoff said.

Stand United to Fend Off Emerging Social Media Attacks

I’m not suggesting that you dictate how and when your employees use social media — a fool’s errand if there ever was one. Especially in this bring-your-own-device (BYOD) era, social media use, even at work, is only going to keep rising. I distinctly recall the arduous task of trying to monitor social media use in the early days of Facebook, and can’t imagine how difficult it would be for IT decision-makers today.

The lure of social media is too much to fight against. Instead of pushing back, we need to work with what we’ve got and do our best to educate employees about potential social media attacks. Make employees part of the process instead of restricting their online behaviors, and arm them with knowledge that can help them become a layer in the organization’s security shield.

“A chain is only as strong as its weakest link,” said Bischoff. It’s all about strengthening the links.

The post When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Mark Stone

Artificial Intelligence (AI), Business Email Compromise (BEC), Credentials Theft, Data Protection, email, Network, Network Security, Phishing, Phishing Attacks, Risk Management, Security Awareness, Security Training, Social Engineering, Social networks, spear-phishing, Threat Detection,

Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security

Even though they’ve been around for quite some time, phishing attacks continue to climb. According to Proofpoint’s 2019 “State of the Phish Report,” 83 percent of businesses experienced a phishing attack and 64 percent of security professionals encountered spear phishing threats in 2018. New vectors are also emerging: As noted by Forbes, software-as-a-service (SaaS) credential theft, messaging app attacks and malicious link embedding within shared files are all on the horizon for 2019.

The data begs the question: What’s wrong with email security? For years, thought leadership articles and information security experts alike have been recommending commonsense best practices that should curtail email attack efforts. Don’t click on unknown links. Don’t open unsolicited attachments. Use automated detection tools. And yet phishers are hauling in bigger catches than ever before, expanding their operations to include new threats and grab more data.

I believe the problem is tied to phishing’s fundamental premise: Social barriers are far easier to break than their technological counterparts. By exploiting critical social flaws — specifically, workplace expectations and personal exceptions — attackers can gain the upper hand.

Email Still Reigns Supreme

Despite recent challenges from up-and-comers such as social messaging apps and unified collaboration tools, email still reigns supreme in the workplace. As noted by CMS Wire, “There appears to be a general consensus that while social networks are useful to achieve work-related goals, email remains the undisputed communications tool in the enterprise.”

Email is timely and transparent — users can quickly send and receive information while creating a digital paper trail. Unlike some messaging apps, users can include attachments and draft longer responses and, since email exists outside of most collaboration continuums, employees can temporarily take a break from their inbox.

But that’s not the whole story. For better or worse, corporate email itself is a kind of social network. As Nathan Schneider, a professor of media studies at the University of Colorado, told The New York Times, “Email is the most resilient social network on the internet.” While it lacks the bells and whistles of social media platforms and the intimacy of face-to-face communication, email has evolved its own set of social rules around usage, etiquette and response times. For example, users are expected to create clear subject lines, reply to all emails (even if received in error), limit the amount of humor and restrict the use of punctuation such as exclamation marks, as noted by Inc.

The rise of interactive business email compromise (BEC) attacks also speaks to the social nature of email. New BECs don’t start with malicious payloads, but instead leverage short social messages to compel employee replies and create a compelling, albeit fake, interactive dialogue before dropping infected documents.

Simply put, email is the biggest, most used social network in the enterprise — and that’s not changing anytime soon.

The Psychology of Urgent Requests

The fundamentally social nature of email leads us to our first security issue: expectations.

Consider common phishing security advice that warns against emails marked “urgent” or “DO NOW.” Why the focus? Because humans are naturally conditioned to meet social norms and feel substantial pressure to conform. According to the Harvard Business Review, “Throughout our careers, we are taught to conform — to the status quo, to the opinions and behaviors of others, and to information that supports our views.” What’s more, as noted by Psychology Today, this conformity is accelerated in a small group setting — such as a corporate team or enterprise department — and further enhanced, according to Psych Central, by neurotransmitters such as dopamine that are produced when humans are part of a social group.

As a result, when a well-written phishing email purports to come from the CEO or an HR manager, staff are preconditioned to reply ASAP with the requested information — even if they’ve had previous security training. Social pressure almost invariably trumps learned email security.

It Won’t Happen to Me!

While socially driven email networks increase the likelihood of faux-insider messages getting through the security chain, what about outside attacks? Much time and attention has been devoted to educating employees about the telltale signs of external phishing attempts, such as emails purportedly from financial institutions, government agencies or new business contacts.

Here, another facet of human social interaction is at work: Our natural disposition to believe we’re better than everyone else. It’s called the superiority illusion and, as noted by Scientific American, causes most people to think they’re better than average at most things, such as the ability to spot and prevent phishing attacks.

Since it’s impossible for the majority of people to be above average, the result is that advanced spam and phishing campaigns that make it past initial defenses may get overlooked by overconfident employees who assume they would recognize any sign of these attacks. It’s the old “it won’t happen to me” argument: Users presume they’ve got all the knowledge they need to spot attacks and if they’re victimized, there’s no way anyone could have seen it coming.

Evolve Your Email Security Strategy

What does this mean for companies looking to prevent phishing attacks?

First, there’s no need to ditch current security training. But, as CSO Online pointed out, it’s also a good idea to educate users on how not to craft an email. Don’t be your own worst enemy by sending unexpected, hastily typed emails with “URGENT” in the subject line.

Fundamental shifts in email security, however, require a rethinking of current best practices. To handle social expectation issues, companies must adopt top-down cultural change that prioritizes safety over speed. This is easier said than done when CEOs need hard data for stakeholders or chief financial officers (CFOs) are handling financial fluctuations in real-time, but giving staff time to double-check message origins and intentions before replying goes a long way toward reducing the number of reeled-in employees.

For security professionals, this means developing the ability to present potential phishing losses as line-of-business issues. In practice, this requires leading with context: How are current security issues impacting strategic objectives such as cost savings, customer confidence and regional performance? This can help shore up the notion that time lost to double-checking email requests via phone calls, face-to-face meetings or other methods is preferable to the monetary loss associated with successful attack campaigns.

Dealing with exceptional behavior, meanwhile, starts with a layered email security approach that eliminates obvious phishing attempts before they hit inboxes. Another key component of this defensive strategy is artificial intelligence (AI). AI-based tools capable of analyzing enterprise communication patterns and spotting inconsistencies already exist. Making them applicable to “above-average” phishing finders means leveraging a kind of low-key notification process, in turn aligning with user beliefs about their own ability to recognize phishing attempts.
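The inconsistency-spotting described above can be illustrated with plain rules instead of a trained model. The following Go program is an added example, not code from the article or from any product it mentions: it parses a raw message and flags a display name that matches an executive in a directory while the sending address does not, a Reply-To that diverts replies elsewhere, and urgency language in the subject or body. The executive names, the example.com domain, the urgency word list and the three sample messages are all constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed directory of executives whose names are worth impersonating
// (hypothetical names and domain, not taken from the article).
var executives = map[string]string{
	"jane doe":   "jane.doe@example.com",
	"john smith": "john.smith@example.com",
}

var urgency = regexp.MustCompile(`(?i)\b(urgent|asap|immediately|right away|do now|action required)\b`)

// Finding is one inconsistency spotted in a message.
type Finding string

const (
	ExecImpersonation Finding = "display name matches an executive but the sender address does not"
	ReplyToDiversion  Finding = "Reply-To sends replies somewhere other than the From address"
	UrgencyLanguage   Finding = "urgency language in subject or body"
)

// Analyze parses a raw RFC 5322 message and reports its findings and whether
// it should be held for out-of-band verification instead of delivered.
func Analyze(raw string) (findings []Finding, hold bool, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, false, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, false, err
	}
	body, _ := io.ReadAll(msg.Body) // reading from an in-memory string cannot fail
	impersonation := false
	if want, ok := executives[strings.ToLower(strings.TrimSpace(from.Name))]; ok &&
		!strings.EqualFold(from.Address, want) {
		findings = append(findings, ExecImpersonation)
		impersonation = true
	}
	diverted := false
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if replyTo, err := mail.ParseAddress(rt); err == nil &&
			!strings.EqualFold(replyTo.Address, from.Address) {
			findings = append(findings, ReplyToDiversion)
			diverted = true
		}
	}
	urgent := urgency.MatchString(msg.Header.Get("Subject") + " " + string(body))
	if urgent {
		findings = append(findings, UrgencyLanguage)
	}
	// Impersonation alone is enough to hold; a diverted Reply-To is held only
	// together with pressure to act, since legitimate list mail sets Reply-To too.
	hold = impersonation || (diverted && urgent)
	return findings, hold, nil
}

// Build assembles a minimal message so the constructed samples stay readable.
func Build(from, replyTo, subject, body string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\n", from)
	if replyTo != "" {
		fmt.Fprintf(&b, "Reply-To: %s\r\n", replyTo)
	}
	fmt.Fprintf(&b, "Subject: %s\r\n\r\n%s\r\n", subject, body)
	return b.String()
}

// Constructed samples, not real messages.
var (
	SamplePhish = Build(`"Jane Doe" <jane.doe@example-mail.co>`, "",
		"URGENT: wire transfer before 5pm", "Process the attached invoice immediately and confirm by reply.")
	SampleLegit = Build(`"Jane Doe" <jane.doe@example.com>`, "",
		"Q3 planning deck", "Attached is the deck for Thursday's review.")
	SampleHelpdesk = Build(`"IT Helpdesk" <helpdesk@example.com>`, "helpdesk-support@gmail.com",
		"Action required: password expires today", "Reply with your username and password ASAP.")
)

func main() {
	for name, raw := range map[string]string{"phish": SamplePhish, "legit": SampleLegit, "helpdesk": SampleHelpdesk} {
		findings, hold, err := Analyze(raw)
		fmt.Printf("%-9s hold=%-5v err=%v findings=%v\n", name, hold, err, findings)
	}
}
```

The hold decision is deliberately asymmetric: an executive name on an outside address is suspicious on its own, while a diverted Reply-To is only held when it is paired with urgency, because mailing lists and ticketing systems set Reply-To legitimately. A held message is the point at which the phone call or face-to-face check recommended above takes over from the software.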

Address the Human Components of Phishing

Email remains the top enterprise communication method and the obvious choice for attackers looking to compromise business networks. While current email security solutions can help mitigate phishing impacts, companies must recognize the role of corporate email as a social network to address the critical human components of this risk: social expectation and the superiority exception.

The post Workplace Expectations and Personal Exceptions: The Social Flaws of Email Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Cloud, Cloud Security, Cloud Services, Data Protection, Data Security, Encryption, Encryption Keys, Security Solutions,

Lessons from the Encryption Front Line: Core Components in the Cloud

This is the second installment in a multipart series about data encryption. Be sure to read part one for the full story.

Now that we understand the common threats facing organizations and how to select the right solution for data-at-rest encryption (DaRE), what’s the next step in your data encryption journey?

Encrypting data is the relatively easy part of the solution, but securely managing keys is a major challenge. According to the National Institute of Standards and Technology (NIST), “Keys are analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.”

DaRE needs more than software to encrypt data, because the keys still need to be managed. Let’s dive deeper into the key management challenge, the core components needed to manage keys effectively and the open standards security teams should use in their cloud environments.

The Encryption Key Management Challenge

In DaRE solutions, symmetric encryption is used for speed, so the same key both encrypts and decrypts the data, and the security of the system rests entirely on that key staying secret. Most organizations now encrypt laptop disks, but there the key is released only after a password is entered manually at boot, which is impractical for cloud environments with thousands of servers.

If data is decrypted after the system has started, the encryption software can instead use a key stored locally on the server. That key is merely obscured, not protected: a privileged insider or threat actor with access to the server could recover it and decrypt the data. Security teams therefore need a way to protect their encryption keys.

Unscrambling the Encryption Solution Components

A typical cloud encryption solution has three core components: an encryption client, a key management server (KMS) and a hardware security module (HSM).

The encryption client performs the actual encryption using a data encryption key (DEK). Because the DEK has to be stored alongside the data it protects, it cannot be kept in the clear; it is itself encrypted (wrapped) using a key encryption key (KEK).

The KEK is obtained from a KMS, which holds many hundreds or thousands of keys in a database. Because the KMS itself could be compromised, the KEKs in turn need to be encrypted using a master encryption key (MEK). The MEK is stored in the HSM, tamper-resistant hardware that protects the MEK against tampering or loss.
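The three-layer hierarchy described above (DEK wrapped by KEK, KEK wrapped by MEK, MEK held inside the HSM) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the original article or from any vendor's KMS; it uses AES-256-GCM from the Go standard library, the component names (HSM, KMS, Envelope) and the "layer" labels bound in as associated data are constructed for the illustration, and the in-memory HSM stands in for real hardware. The point it makes beyond the prose is that a copy of the KMS database and a copy of the stored ciphertext are each useless on their own, and that a blob wrapped at one layer is rejected if presented at another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes panics on RNG failure: nothing safe can be done without entropy.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this cannot happen
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts plaintext with AES-256-GCM, prefixing the random nonce. The layer name
// ("data", "dek", "kek") is bound in as associated data, so a blob wrapped at one layer
// is rejected if presented at another.
func seal(key, plaintext []byte, layer string) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(layer))
}

// open reverses seal; it fails on any tampering or on a wrong layer name.
func open(key, sealed []byte, layer string) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("%s blob too short", layer)
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(layer))
}

// HSM models the hardware layer: the MEK never leaves it; only wrap/unwrap requests go in.
type HSM struct{ mek []byte }

func NewHSM() *HSM                                { return &HSM{mek: randBytes(32)} }
func (h *HSM) WrapKEK(kek []byte) []byte          { return seal(h.mek, kek, "kek") }
func (h *HSM) UnwrapKEK(w []byte) ([]byte, error) { return open(h.mek, w, "kek") }

// KMS models the key server: its database holds only MEK-wrapped KEKs, so a dump of it is
// useless without the HSM. Clients fetch a KEK by ID (as they would over KMIP).
type KMS struct {
	hsm  *HSM
	keks map[string][]byte // key ID -> wrapped KEK
}

func NewKMS(h *HSM) *KMS           { return &KMS{hsm: h, keks: map[string][]byte{}} }
func (k *KMS) CreateKEK(id string) { k.keks[id] = k.hsm.WrapKEK(randBytes(32)) }

// GetKEK has the HSM unwrap the stored KEK on every request; the bare KEK is never stored.
// An unknown ID yields a nil blob, which open rejects as too short.
func (k *KMS) GetKEK(id string) ([]byte, error) { return k.hsm.UnwrapKEK(k.keks[id]) }

// Envelope is what the encryption client persists: ciphertext plus its wrapped DEK.
type Envelope struct {
	KEKID                  string
	WrappedDEK, Ciphertext []byte
}

// Encrypt is the client side: a fresh DEK per object, wrapped under the KEK, never stored bare.
func Encrypt(kms *KMS, kekID string, plaintext []byte) (*Envelope, error) {
	kek, err := kms.GetKEK(kekID)
	if err != nil {
		return nil, err
	}
	dek := randBytes(32)
	return &Envelope{kekID, seal(kek, dek, "dek"), seal(dek, plaintext, "data")}, nil
}

func Decrypt(kms *KMS, e *Envelope) ([]byte, error) {
	kek, err := kms.GetKEK(e.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, e.WrappedDEK, "dek")
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, "data")
}

func main() {
	kms := NewKMS(NewHSM())
	kms.CreateKEK("tenant-a")
	env, _ := Encrypt(kms, "tenant-a", []byte("constructed sample record"))
	pt, err := Decrypt(kms, env)
	fmt.Println(string(pt), err)
}
```

In a real deployment the `HSM` type would be replaced by a PKCS#11 session and `GetKEK` by a KMIP request, which is exactly the interface boundary the standards in the next section define; the envelope layout (key ID plus wrapped DEK stored next to the ciphertext) is what lets the client decrypt without ever holding a KEK at rest.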

Creating an Open Encryption Solution

In the past, encryption solutions have been built around proprietary protocols, making integration difficult. That’s why OASIS defined a set of standards to improve interoperability between encryption and key management solutions from different vendors.

Over the past few years, vendors have increasingly adopted standard protocols for communication between the KMS and HSM, such as OASIS PKCS#11, and for communication between the encryption client and the KMS, such as the OASIS Key Management Interoperability Protocol (KMIP). Look for solutions that use these standards when putting together your encryption strategy.

Encryption Solutions Are Maturing

With a standard set of components built on open standards, encryption technology is gradually maturing, making implementation and encryption key management easier. In cloud environments, these components are often available in a lower-cost form known as bring-your-own-key (BYOK), which integrates with supported DaRE solutions. These solutions are now reaching high levels of assurance, with HSMs offering FIPS 140-2 Level 4 in the cloud.

Depending on your needs, you can develop encryption solutions based on open standards from components you build and run yourself or source them as managed services from cloud providers.

The post Lessons from the Encryption Front Line: Core Components in the Cloud appeared first on Security Intelligence.

Author: Mark Buckwell


Are Passwords Killing Your Customer Experience? Try Passwordless Authentication

Creating a seamless, secure experience for your legitimate users is a challenge. Most users are good and deserve a frictionless experience, but the less than 0.1 percent of users suspected of being rogue actors, according to IBM Trusteer research, spoil the party for everyone. These are the users who commit online fraud, steal data, bypass formal application programming interfaces (APIs) and skew site analytics. The rest of us can thank them for the frustration associated with tedious login rituals.

We’re drowning customers in a sea of passwords and expecting them to stay afloat. Passwords are not only a pain but also incredibly easy to hack. So how is the industry combating these password problems and the usability pains that come with them? Shockingly, many organizations still rely only on passwords as a form of authentication, and we know they’re failing. According to a Javelin Strategy & Research survey, 1 in 5 customers fails to authenticate. This could be due to multiple factors, one of which is forgetting their own password.

How Can Companies Go Passwordless?

Let’s take a step back and think about it: As a consumer yourself, how many online accounts do you have, and how many different passwords do you need to create to outsmart fraudsters? All these credentials are nearly impossible to manage.

If we know a large percentage of our users are legitimate, then let’s deliver the seamless but secure experience they expect and, in the end, help drive digital sales. So what does going passwordless really mean, and how is it possible?

The passwordless experience is based on identifying unauthorized access to web and mobile applications and sensitive operations. Organizations can identify these issues using risk-based authentication and continuous trust validation technologies, which provide services such as behavioral analysis, device identification and authenticity, phone number and email intelligence, identity linkages, and session and network attributes to build this trust. These signals are what make passwordless authentication possible, because they confirm legitimate users and challenge high-risk ones.

Examples of a Passwordless Customer Experience

How does this work in practice? Below are some examples of how passwordless authentication can transform and improve your customer experience.

  • A new customer registers on a site or application by confirming his or her email or phone. For subsequent logins, the customer is auto-enrolled as a trusted user.
  • A registered user accesses a site seamlessly after the system detects no threats or compromises on the trusted device.
  • A user accesses a service from a new device by confirming the email or phone number associated with the account and entering his or her credentials. After the device is labeled as trusted, it is auto-enrolled for seamless entry.
  • A user accesses a service seamlessly and browses with continuous authentication in the background until he or she reaches sensitive information. At this point, the user is prompted to enter his or her two-factor authentication (2FA) information before accessing this data.
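The four scenarios above are one policy seen from four starting states: new account, trusted device, new device on an existing account, and a trusted device reaching sensitive data. The following is an added example written for this page, not code from the original post or from IBM Trusteer; the `Signals` fields, the `TrustStore` and the decision names are constructed for the illustration and stand in for whatever a real risk engine and device registry would provide. It also covers the failure mode the scenarios leave implicit: a device flagged as compromised or showing anomalous behaviour is denied and loses its trusted status, and because the account is already known, it cannot re-enroll on contact confirmation alone.

```go
package main

import "fmt"

// Signals for one access attempt, as a risk engine would hand them to the policy.
// Field names are constructed for this example, not a product API.
type Signals struct {
	User, DeviceID    string
	ContactVerified   bool // email or phone confirmed during this session
	CredentialsOK     bool // credentials entered and valid (new-device path only)
	DeviceCompromised bool // device check found malware or tampering
	BehaviorAnomaly   bool // continuous behavioral analysis raised an alert
	SensitiveStep     bool // the request reaches sensitive data or an operation
	SecondFactorOK    bool // 2FA already completed for this sensitive step
}

type Decision string

const (
	Allow         Decision = "allow"          // seamless, no prompt
	VerifyContact Decision = "verify-contact" // confirm email/phone (plus credentials for an existing account)
	StepUp        Decision = "step-up-2fa"    // 2FA before sensitive data
	Deny          Decision = "deny"
)

// TrustStore remembers which accounts exist and which devices each has enrolled as trusted.
type TrustStore struct {
	known   map[string]bool
	trusted map[string]map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{known: map[string]bool{}, trusted: map[string]map[string]bool{}}
}

func (ts *TrustStore) isTrusted(user, dev string) bool { return ts.trusted[user][dev] }

func (ts *TrustStore) enroll(user, dev string) {
	ts.known[user] = true
	if ts.trusted[user] == nil {
		ts.trusted[user] = map[string]bool{}
	}
	ts.trusted[user][dev] = true
}

// Evaluate applies the policy to one attempt and updates enrollment as a side effect.
func (ts *TrustStore) Evaluate(s Signals) Decision {
	// Negative signals win regardless of enrollment, and the device loses its trust.
	if s.DeviceCompromised || s.BehaviorAnomaly {
		delete(ts.trusted[s.User], s.DeviceID)
		return Deny
	}
	if !ts.isTrusted(s.User, s.DeviceID) {
		// A brand-new account only confirms its contact; an existing account adding a
		// device (or re-adding a revoked one) must confirm contact and present credentials.
		if !s.ContactVerified || (ts.known[s.User] && !s.CredentialsOK) {
			return VerifyContact
		}
		ts.enroll(s.User, s.DeviceID) // auto-enroll for seamless subsequent logins
	}
	if s.SensitiveStep && !s.SecondFactorOK {
		return StepUp
	}
	return Allow
}

func main() {
	ts := NewTrustStore()
	fmt.Println(ts.Evaluate(Signals{User: "alice", DeviceID: "laptop"}))                       // verify-contact
	fmt.Println(ts.Evaluate(Signals{User: "alice", DeviceID: "laptop", ContactVerified: true})) // allow
	fmt.Println(ts.Evaluate(Signals{User: "alice", DeviceID: "laptop", SensitiveStep: true}))   // step-up-2fa
}
```

The design choice worth noting is that enrollment and revocation live in the same store the policy reads, so "trusted" is a state the risk engine can withdraw, not a label set once at registration; the continuous checks in the fourth scenario only work if a later negative signal can undo an earlier positive one.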

If you go passwordless, you’re guaranteed to improve your customer experience. A system free of clunky passwords helps streamline customers’ buying journeys and distinguish between legitimate users and fraudsters. Most importantly, it enables your users to enjoy a seamless experience on any digital platform. So what are you waiting for? Now is the time to give your customers the experience they deserve and the security they demand with passwordless authentication.


The post Are Passwords Killing Your Customer Experience? Try Passwordless Authentication appeared first on Security Intelligence.

Author: Kelly Lappin