Are Your Passwords Simply Hacker Keys?

The Guardian recently posted a story headlined "Cyber-attack on UK Parliament: Russia is the suspected culprit."

A sustained attack targeted members of the UK Parliament, including Theresa May, the prime minister, and her cabinet ministers. The attack sought to gain access to accounts protected by weak passwords.

Fortunately, relatively few accounts were breached. Before this attack, I imagine there was lots of grumbling about the IT security and why "123456" was not an acceptable password.

"The parliamentary network has been compromised, as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service."

No one likes strong passwords.

There's an inverse correlation between convenience and security. Increased security of systems, devices, and applications means less convenience for the end user.

Biometrics dramatically narrows this gap by increasing system protection with a transparent, convenient solution.

Biometric user verification should play a key role in your overall cyber security strategy.

Is Your IT System As Safe As King Arthur's Castle?

Moated castle Bodiam near Robertsbridge in East Sussex, England was built in 1385 to defend the area against French invasion during the Hundred Years' War.

Are your information systems and data as well protected as King Arthur's Castle? In medieval times castles defended the monarchy, people, and treasure from enemy attacks. These structures integrated defenses such as moats, high stone walls, and ramparts from which to launch defensive action. The design intention was to stop or at least slow an invader's assault. However, all of these efforts were for naught if an inside confederate simply opened the gates.

Protecting your information systems infrastructure requires a similar strategy but using different tools. Firewalls, anti-intrusion software, IP address and packet analysis, as well as other tools/methods, serve as the moat, drawbridge, and stone walls. But user access credentials are the front gate. 

"81% of hacking-related breaches leveraged either stolen and/or weak passwords" according to the respected Verizon 2017 Data Breach Investigations Report*. 

You have probably deployed stronger password requirements or even added multi-factor, two or three-step authentication. While these can increase your cyber security, these measures often frustrate the users. Inconvenienced users lead to complaints to IT and management, reduced use of applications and even exploring ways to defeat your safeguards. Four out of five breaches result from someone inside opening the gate.

Now is the time to consider face recognition for user authentication. Face recognition can verify the user at the same moment they enter a username/password combination, so the login process shrinks from 2-3 steps to one, taking 2-3 seconds instead of 10-15 seconds. And face recognition can re-verify the user every few seconds, adding extra shielding to your systems and data.

If you handle financial, medical, legal or other confidential data in your systems, attackers test your defenses daily. 

Don’t make it easy for them to walk through the front gate.  

*http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

30 Milliseconds

'Tis the start of high school reunion season, when many of us confront the prospect of revisiting our past. Walking into the old school gym, classmates from yesteryear approach and greet you. How quickly will you recognize them? Brain scientists tell us 30 milliseconds or less.

"Within 30 milliseconds of looking at a face," says Penn State researcher Suzy Scherf, "you can figure out the age, the sex, and whether you know the person or not." Remembering their name remains a struggle!

Ms. Scherf explains much more about her study, but consider the value of this capability to our self-preservation. It protects us from enemy tribes, predatory strangers, crooked politicians, as well as obnoxious old classmates.

Today, some computer programs can recognize a face with a high degree of accuracy, to a small extent replicating our brain's ability in the virtual world. This technology offers enormous benefits for cyber security. But not all programs are equal in recognition, encryption, and authentication. Many can be spoofed, bypassed or defeated.

Daily cyber attacks risk finances, reputation and well being, as well as disrupting business and government. Protecting our 'virtual life' has become critical. 

Consider face recognition technology to augment other authentication methods for device and system access to confidential, protected and regulated information. 

There is NO defense against a hacker who has access to a connected, logged in device

In a large American city recently police officers raced to a home after a 911 call. At the scene, a frantic citizen shouted to them that inside the house a murder was imminent. As the officers opened the front door to enter, they were surprised by a man who ran past them. To their dismay, he jumped into a running police cruiser and sped away.  Dumbfounded, they called for backup. They found the car abandoned within 30 minutes, but the perpetrator had escaped on foot. He is still at large.

Fortunately, the car thief was no hacker, just a guy who needed a swift getaway, and the running prowl car was handy.

Imagine if the perpetrator were a hacker and he stole the car with the purpose of changing arrest records or worse.  Inside the car, he would have found a laptop logged into the city’s police dispatching application, the state-wide criminal database and other highly sensitive systems. The 30 minutes he had the car would have been plenty of time to change criminal records, insert malware, viruses or ransomware, or download protected confidential information. 

Always remember that there is NO defense against a hacker who has access to a connected, logged in device. It’s the easiest way to breach your systems.

Securing network connected devices should be the first fundamental of cyber security. Doing so means managing the biggest risk to your digital assets: the end user.  

That’s right, you and me. We leave laptops and desktop PCs logged in because it’s easier than re-entering the password over and over throughout the day. We write down our passwords on a Post-it note and hide it under the keyboard. We leave secure NFC key fobs at home.  And of course, we complain about the burden the IT folks put on us in the name of security. “What’s wrong with using the last four digits of my social security number as my password!” we ask. We, the users, are the weakest link. 

To protect yourself and your organization you must employ security methods that your users will embrace. Otherwise, your most secure and sensitive information is open to anyone who can sit in front of a network device. 

Biometrics provide greater security and user adoption. Consider such tools as part of your cyber security policies and methods. Face recognition, voice command, fingerprint and palm prints, iris scan and even heart rate monitoring applications are being deployed to thwart the risk of the end user leaving an unattended logged in PC.  

Make sure your cyber security policies, methods, and tools account for internal threats as well as outside evil. After all, to some people, a running police car is an invitation, not a deterrent.

The Risk Of Mobile Banking: Stolen Logged In Device

Bob enjoys watching his local minor league baseball team. At a recent game, he watched the boys of summer play their archrival. In the bottom of the 5th, with two men on and two men out, the team's best hitter stepped to the plate. Bob planned to head to the concessions for hot dogs and beer after the inning, so he took out his phone and logged into his mobile banking app. He needed to have enough on his debit card to cover his snacks.

Suddenly, the crack of the bat and a blast across the fence scored three runs! Bob set his phone down to stand and cheer his team. After the excitement, he looked around and discovered his phone was gone! 

Now a bad guy has complete access to his bank accounts.

Consider, what could a thief do with a stolen phone logged into your mobile banking app? Transfer funds out to another bank, set up a bill pay recipient and empty the account, or cause other problems? How long would it remain logged in? What safeguards protect the account holder and the institution? 

Just to check, take out your phone and log in to your mobile banking app and scan the functionality as if you were a hacker. How could a hacker steal money from the account? 

A logged in device remains the easiest hack into your systems. And getting a user name and password is not that difficult. The annual Verizon Data Breach Investigations Report once again shows "63% of confirmed data breaches involved weak, default or stolen passwords." http://www.verizonenterprise.com/verizon-insights-lab/dbir/

Biometric user verification can significantly enhance the protection of your mobile apps. It offers the two critical features for maximum protection that simple credentials miss:  transparency to the user and continuous security.

Superior applications deliver functionality that is invisible and non-intrusive to the end user. Logging in should appear as a single step, with multi-factor protection running in the background giving a fast and secure user experience. 

Continuous security verifies the user multiple times during the session, ensuring security even if the device falls into the wrong hands. While a user name and password allows access to the app, it can't guarantee the actual user identity. Biometrics can.
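The single-step login and the continuous re-verification described above, modelled as a session policy. This is an added example, not the author's or any vendor's product code; the `face_matcher` callback is a hypothetical stand-in for a real face recognition engine, and the 5-second re-check interval, the 60-second idle limit and the stolen-phone timeline are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
REVERIFY_EVERY = 5.0  # seconds between background biometric re-checks (assumed)
IDLE_TIMEOUT = 60.0   # seconds of inactivity after which the session locks anyway

@dataclass
class Session:
    user: str
    verifier: Callable[[str], bool]  # True while the enrolled user is present
    last_verified: float
    last_activity: float
    state: str = "active"            # "active" or "revoked"

    def touch(self, now: float) -> None:
        self.last_activity = now     # a tap or keystroke at time `now`

    def check(self, now: float) -> str:
        """Evaluate the session at time `now` and return its state."""
        if self.state == "revoked":
            return self.state
        if now - self.last_activity > IDLE_TIMEOUT:
            self.state = "revoked"   # unattended, still-logged-in device
        elif now - self.last_verified >= REVERIFY_EVERY:
            if self.verifier(self.user):
                self.last_verified = now
            else:
                self.state = "revoked"  # someone else is holding the device
        return self.state

def open_session(user: str, password_ok: bool,
                 verifier: Callable[[str], bool], now: float) -> Optional[Session]:
    """One step for the user: password check plus an initial biometric match."""
    if not (password_ok and verifier(user)):
        return None
    return Session(user, verifier, last_verified=now, last_activity=now)

def simulate_stolen_phone() -> List[Tuple[int, str]]:
    """Constructed scenario: Bob logs in at t=0, the phone is taken at t=12."""
    stolen_at, clock = 12.0, {"now": 0.0}
    def face_matcher(user: str) -> bool:  # assumption: stand-in for a real engine
        return clock["now"] < stolen_at
    session = open_session("bob", True, face_matcher, 0.0)
    timeline = []
    for t in range(0, 31, 5):            # background re-check every 5 seconds
        clock["now"] = float(t)
        session.touch(float(t))          # the thief keeps using the app
        timeline.append((t, session.check(float(t))))
    return timeline
```

With password-only login the same session would stay "active" for as long as the thief kept tapping; the re-check revokes it at the first interval after the face no longer matches.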

Consider biometric user authentication to increase your cyber security. Don't let inferior mobile device security ruin the ball game for you.