The Evolution of Cyber Threats and Multi-Factor Authentication: A Conversation with Jim Tiller
The recent breach of the Office of Personnel Management (OPM), which compromised the personal information of an estimated four million current and former government employees, has once again raised questions about our preparedness to prevent, detect and respond to cyber threats.
Are security professionals doing enough to keep our networks and highly sensitive data secure? Do we have a full grasp of how cyber threats are evolving, and what we can possibly do to combat this dangerous rise in cyber attacks? Should multi-factor authentication be something all security professionals leverage?
To help answer some of these questions, the Access Granted editorial team sat down with Jim Tiller, Director of Security Consulting for the Americas at HP’s Enterprise Security Services. During our conversation, Jim discussed the current threat landscape, the solutions enterprises are currently investing in to better protect themselves from attack and the largest security challenges facing enterprises today.
Here is what Jim had to say:
Jim Tiller: It depends on who you ask in the enterprise – the business executives or the security professionals – because I think you’ll get different answers.
If you ask the board of directors or the senior executive team, the biggest challenge is minimizing the impact of a breach. Of course they think about stopping breaches – and invest in protective measures, which are very important – but there is an imminent threat, a sense that “it’s just a matter of time.”
It’s no longer about if you’re going to be compromised – it’s more about when. Many of the breaches that occur may go unnoticed for months – and in some extreme cases it can be years. A great deal of information can be stolen in that time. Business leaders are wondering what they need to do to minimize the impact – how to discover it and react to it effectively and quickly – because no one wants to be on the front page of The New York Times when it comes to an attack.
In summary, that’s the challenge that executives are focused on right now – figuring out what key steps they need to dramatically improve their ability to resist an attack, but more so what capabilities they need to identify an attack and to respond to it quickly to minimize the impact.
From a security professional perspective – the people in the trenches – it comes down to a couple of fronts. One is what kind of security they’re going to specialize in. There was a time when you could just be a security professional and were able to do anything from firewalls to risk and compliance. Today, a lot of different specialties have surfaced with a number of different certifications.
Another big challenge for security professionals is learning how to communicate security and its importance to the leadership in an effective way that really resonates. The ability to tell a story, to translate security to business needs and vice versa is extremely important.
Lastly, keeping pace. Keeping up with developments across threats, technologies, solutions, and methodologies, and just staying informed, is critically important. You have to know as much as possible of what’s going on to ensure you can be an effective professional.
Access Granted: How have we seen the security threat landscape evolve over the past few decades? What has changed? Are the targets the same or have they shifted? Is the sophistication of the attacks all that’s evolving or are we seeing security threats in general evolve in other ways?
Jim Tiller: Threats have absolutely changed. Have threats become more sophisticated? Absolutely. There’s been an exponential increase in sophistication and capability. But this evolution can be centered on three key areas: evolution of tools, organization and ecosystems, and the infrastructure to monetize hacking services as well as their bounty.
Talking about some of these really big-story hacks, when I think of sophisticated hackers, I think of sponsored actors going after foreign governments, agencies, suppliers, and especially people who work as part of these organizations, and, of course, companies. These guys are hacking all day long because their superiors realize that information is power. Data becomes information, and information becomes power.
An example is the attacks on oil and gas industries some years ago, where we really came to find out it was state-sponsored entities working to obtain information about the location and studies of raw material sources. These attacks are very targeted and sophisticated in terms of gathering information and intelligence, and that intelligence can be useful in many ways… fiscally, terrorism, whatever, it’s intel.
The threats that we deal with on a daily basis, however, are driven predominantly by money. Bad actors are looking to monetize our information in some way, shape or form. A lot of it is taking place here in the United States, Europe, parts of Africa, and of course China. As far as sophistication goes, I believe there’s a lot of sophistication when it comes to the software that’s being built, and it doesn’t take a brilliant person to execute these things.
Look at the recent event in Japan. They suffered a huge attack – millions of records were stolen – and what it came down to was really good phishing. Anyone with some basic knowledge and motivation can find and download software to help you build your phishing email, you can get the right sort of droppers and whatnot, and off you go. It’s really not difficult. In this case, the sophistication is in the tools and technology, which have become extraordinarily effective.
The question is – are attacks getting more sophisticated or do we need to improve our security? Of course, it’s a bit of both.
A lot of these (hackers) are getting good and the tools they’re using are improving dramatically. Many of these tool developers are very smart, and they’re putting that technology to use. With a little time and effort, they can really cause some problems. Then combine that with how the threat community is no longer lone wolves – there are entire ecosystems of people who play specific roles in the firing solution. And these hacking ecosystems are mirrored by complex and rapidly changing dark markets making it very easy to monetize information, such as credit cards and identities, all the way to intel.
These dramatic improvements continue in the threat space while big innovations in our world have simultaneously created layers upon layers between the data and the user. For example, I can use my smartphone to do things that were unheard of a decade ago, but that comes with the cost of complexity. That complexity – security’s nemesis – creates a multi-faceted, technically intricate environment working like camouflage for the bad guys. With threats becoming more capable, they have the ability to tap into any one of those layers undetected – or certainly very difficult to detect.
It’s a very interesting relationship – the attacker and the protector, and it takes two to tango, so we need to recognize all these contributors to both sides of the attack equation.
Access Granted: What do we see enterprises most interested in as far as security technology and trends? What are the hot things that people are currently spending their IT and security dollars on, and why do they view those things as important right now?
Jim Tiller: I see a lot of re-emphasizing and investment in threat detection and response capabilities. As threats are increasing and becoming more embedded, they can come into our environment undetected and stay there, so there’s a lot of emphasis on detection.
Equally important is identity and access management. Yes, there’s a lot of energy being focused on the fortification of the infrastructure, and the endpoint, and this is money well spent. But, strategically, the big elephants in the room are threat detection and response – and equally important – identity and access management.
Access Granted: Why would multi-factor authentication be important for an organization today, and what should be some of the things organizations look for when considering multi-factor authentication?
Jim Tiller: First and foremost, there have been some interesting studies on the use of passwords – and I find passwords to be a unique window into the human psyche as a point of interaction between people and machines – two things that can’t be more different. And at its core, that’s why passwords alone just don’t always work.
There has been research on how often you should change a password and how much password history you should have, and so on, to improve security and that machine-to-human problem. The fact of the matter is, passwords are really the number one weakest link for security.
On a broader level, the reasoning for multi-factor solutions is that a person can log in with valid credentials and do valid things – but there is no easy way to prove it is the intended person using those credentials. We have solutions where we can monitor what people are accessing and using, but we’re not entirely sure it’s actually that specific person who is logging on. There’s no guarantee you are who you say you are.
Multi-factor authentication is helpful because it creates another attribute to the authentication process. The extra layer of security adds a level of credence and confidence that people are who they say they are because the information used to log on is something unique to that individual.
How that additional factor is managed is the really big part. Two-factor authentication alone isn’t a perfect technology; it can be defeated depending on the solution and, importantly, how it was implemented. Also, we’re still using the same presumed trusted conduit. With greater complexity and layers to the system, offering more opportunities to the attacker to get access to the transaction, the trust of the system we’re using for all these session services comes into question.
The right multi-factor authentication solution can get closer to the human experience and take the psychology out of the password problem. Make it easier for the user, not just seamless, and leverage two different environments to facilitate a single transaction – out-of-band scenarios – which has always been the desired space. Then you’re introducing a compelling second factor, because you can associate that person with that particular device, system, transaction and even data through a multitude of information that is unique to them and even their environment.
For additional information about Authomate’s strong authentication solutions that are also easy-to-use, go to www.authomate.com.