Virtualization Technology News and Information
Article
RSS
Forcepoint 2019 Predictions: A Counterfeit Reflection

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual VMblog.com series exclusive.

Contributed by Nico Fischbach, Global Chief Technology Officer, Forcepoint

A Counterfeit Reflection

To an attacker, the successful theft of legitimate credentials must feel a bit like winning the lottery. End-users are locked out of their accounts, access to third-party cloud services such as Dropbox and Microsoft Office 365 is cut off, critical data downloaded or wiped entirely. The soaring number of breaches reveal one simple truth: email addresses, passwords, and personal information (favorite color, pet name) are no longer sufficient to protect identities online.

In hijacking an end-user's identity, phishing still reigns supreme, taking first place in a 2017 study conducted by Google, the University of California, Berkeley, and the International Computer Science Institute. From 2016 to 2017, researchers calculated there were more than 12.4 million victims of phishing, advising the hardening of authentication mechanisms to mitigate hijacking.

While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers are not coming up with new tricks. Two-factor authentication (2FA) adds an extra layer of security, but even this method has a vulnerability: it is usually accomplished through cellular phones.

In 2018, Michael Terpin, a co-founder of the first angel investor group for bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications company, claiming the loss of $24 million worth of cryptocurrency as a result of a "SIM swap." Attackers used phishing and social engineering tactics to trick a customer service representative into porting Terpin's phone number to an untraceable "burner" phone. Once this exchange took place, the crime became as simple as clicking a "Forgot Password?" link.

Moving past 2FA, biometric authentication uses data more unique to each end-user. At first, the possibility of verifying a person's identity via physiological biometric sensors seemed like a promising alternative to 2FA. Fingerprints, movements, iris recognition- all of these make life difficult for attackers seeking to access resources by stealing someone else's identity.

But in recent years, even biometric authentication has begun to unravel. In 2016, researchers at Michigan State University uncovered cheap and easy ways to print the image of a fingerprint using just a standard inkjet printer. And in 2017, researchers at New York University's (NYU) Tandon School of Engineering could match anyone's fingerprints using digitally altered "masterprints."

Facial recognition has gone mainstream thanks to Apple's release of its iPhone X, which uses a flood illuminator, an infrared camera, and a dot projector to measure faces in 3D, a method they claim cannot be fooled by photos, videos, or any other kind of 2D medium. But the reality is that facial recognition has serious vulnerabilities-and that is why we think hackers will steal the public's faces in 2019. In fact, it has already happened, albeit only at the behest of researchers. In 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using publicly available digital photos from social media and search engines in conjunction with mobile VR technology.

While passwords may change, physical biometrics are genetic and specific to each person. By the same token, behavioral biometrics provide a continuous authentication layer by incorporating a person's physical actions, including keystroke, mouse movement, scroll speed, how they toggle between fields, as well as how they manipulate their phone based on the accelerometer and gyroscope. It is simply impossible for imposters to mimic these actions.

The combination of behavioral biometrics with strong authentication, either based on advanced technology like FaceID or 2FA, is a more sensible approach. Organizations can identify intruders who hijack open-work with at-login and in-use/continuous authentication, paving the way for risk-based approaches to trigger authentication checkpoints when risk levels rise.

##

About the Author

 

Nicolas (Nico) Fischbach serves as Forcepoint's global CTO, where he oversees technical direction and innovation. Before joining Forcepoint, he spent 17 years at Colt, a global B2B service provider, and was responsible for company-wide strategy, architecture and innovation. He ran global network security engineering and operations for eight years, building Colt's first Security Operation Center and deploying the first DDoS mitigation solution in Europe. In 2009, he joined the Office of the CTO to build and lead the company-wide strategy and architecture groups covering infrastructure and product R&D for all networks, platforms, cloud stacks, OSS and security.  Nico also focused on bridging technology strategy, customer relationships and open innovation, with the goal to drive non-adjacent and "beyond the roadmap" portfolio evolution.
 
Nico is a recognized authority on service provider security as well as on next-generation network and cloud architectures, holding a master's degree in networking and distributed computing from Pierre and Marie Curie University, a master's degree in computer science from Institute of Information Technology and a bachelor's degree in computer science from the Robert Schulman University Institute of Technology. He also sits on the advisory board of Versa Networks and is a member of The Honeynet Project, a research organization dedicated to internet security.

Published Friday, December 07, 2018 7:23 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<December 2018>
SuMoTuWeThFrSa
2526272829301
2345678
9101112131415
16171819202122
23242526272829
303112345