Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Nico Fischbach, Global Chief Technology Officer, Forcepoint
A Counterfeit Reflection

To an attacker, the successful theft of legitimate credentials must feel a bit
like winning the lottery. End-users are locked out of their accounts, access to
third-party cloud services such as Dropbox and Microsoft Office 365 is cut off,
critical data downloaded or wiped entirely. The soaring number of breaches
reveals one simple truth: email addresses, passwords, and personal information
(favorite color, pet name) are no longer sufficient to protect identities
online.

In hijacking an end-user's identity, phishing still reigns supreme, taking first
place in a 2017 study conducted by Google, the University of California,
Berkeley, and the International Computer Science Institute. From 2016 to 2017,
researchers calculated there were more than 12.4 million victims of phishing,
advising the hardening of authentication mechanisms to mitigate hijacking.

While credential theft is the oldest (and most effective) trick in the book, it does
not mean that attackers are not coming up with new tricks. Two-factor
authentication (2FA) adds an extra layer of security, but even this method has
a vulnerability: it is usually accomplished through cellular phones.

In 2018, Michael Terpin, a co-founder of the first angel investor group for
bitcoin enthusiasts, filed a $224 million lawsuit against a telecommunications
company, claiming the loss of $24 million worth of cryptocurrency as a result
of a "SIM swap." Attackers used phishing and social engineering tactics to
trick a customer service representative into porting Terpin's phone number to
an untraceable "burner" phone. Once this exchange took place, the crime became
as simple as clicking a "Forgot Password?" link.

Moving past 2FA, biometric authentication uses data more unique to each end-user. At
first, the possibility of verifying a person's identity via physiological
biometric sensors seemed like a promising alternative to 2FA. Fingerprints,
movements, iris recognition: all of these make life difficult for attackers
seeking to access resources by stealing someone else's identity.

But in recent years, even biometric authentication has begun to unravel. In 2016,
researchers at Michigan State University uncovered cheap and easy ways to print
the image of a fingerprint using just a standard inkjet printer. And in 2017,
researchers at New York University's (NYU) Tandon School of Engineering could
match anyone's fingerprints using digitally altered "masterprints."

Facial recognition has gone mainstream thanks to Apple's release of its iPhone X,
which uses a flood illuminator, an infrared camera, and a dot projector to
measure faces in 3D, a method they claim cannot be fooled by photos, videos, or
any other kind of 2D medium. But the reality is that facial recognition has
serious vulnerabilities, and that is why we think hackers will steal the
public's faces in 2019. In fact, it has already happened, albeit only at the
behest of researchers. In 2016, security and computer vision specialists from
the University of North Carolina defeated facial recognition systems using
publicly available digital photos from social media and search engines in
conjunction with mobile VR technology.

While passwords may change, physical biometrics are genetic and specific to each
person. By the same token, behavioral biometrics provide a continuous
authentication layer by incorporating a person's physical actions, including
keystroke, mouse movement, scroll speed, how they toggle between fields, as
well as how they manipulate their phone based on the accelerometer and
gyroscope. It is simply impossible for imposters to mimic these actions.

The combination of behavioral biometrics with strong
authentication, either based on advanced technology like FaceID or 2FA, is a
more sensible approach. Organizations can identify intruders who hijack
open-work with at-login and in-use/continuous authentication, paving the way
for risk-based approaches to trigger authentication checkpoints when risk
levels rise.

## About the Author

Nicolas (Nico) Fischbach serves as Forcepoint's global
CTO, where he oversees technical direction and innovation. Before joining
Forcepoint, he spent 17 years at Colt, a global B2B service provider, and was
responsible for company-wide strategy, architecture and innovation. He ran
global network security engineering and operations for eight years, building
Colt's first Security Operation Center and deploying the first DDoS mitigation
solution in Europe. In 2009, he joined the Office of the CTO to build and lead
the company-wide strategy and architecture groups covering infrastructure and
product R&D for all networks, platforms, cloud stacks, OSS and
security. Nico also focused on bridging
technology strategy, customer relationships and open innovation, with the goal
to drive non-adjacent and "beyond the roadmap" portfolio evolution.
Nico is a recognized authority on service provider security as well as on
next-generation network and cloud architectures, holding a master's degree in
networking and distributed computing from Pierre and Marie Curie University, a
master's degree in computer science from Institute of Information Technology
and a bachelor's degree in computer science from the Robert Schulman University
Institute of Technology. He also sits on the advisory board of Versa Networks
and is a member of The Honeynet Project, a research organization dedicated to
internet security.