


The human factor

Editorial Type: Industry Focus     Date: 03-2016

The barriers that keep any organisation safe from attack are often guarded by nothing more than a single factor of authentication. Just one weakness and the whole business can be breached.

"Social engineering leverages trusting humans to gain access to sensitive information. And sensitive information is often guarded only by a single factor of authentication - a password, something that a person knows. Attackers need only fool a person into divulging that information to breach an entire company." With those chilling words, Thu Pham, information security specialist at Duo Security, reveals the fragile barriers that keep organisations safe - and not so safe.

"That's why using two-factor authentication provides a much stronger defence against social engineering and the pitfalls of human error," she adds. "Combining something you know (a password) with something you have (a smartphone) makes it impossible for external attackers to access your applications with only a password.

"Your users must physically approve a push notification to their phone to verify their identity and log in successfully, after initially entering their password. If they receive an unprompted two-factor push notification, they can reject and report the attempt as fraudulent - and block the attacker from accessing their accounts."

Two-factor authentication is important to apply across every single account in an organisation - not just the administrative or privileged accounts, she continues. "Malicious hackers often find a foothold within a company's network through a user with lesser privileges, then find a way to move laterally to access their target data, making it critical to protect every single user.

"Another authentication control that can further reduce the risk of a security incident, due to human error, is the use of a password manager. Instead of relying on a static, weak or default password, a password manager can generate a unique password at every login. Password managers can also reduce the use of the same password across many different websites. They can also be easily integrated with two-factor authentication for additional access security."

On the administrative side, enterprises can use endpoint solutions that monitor and block authentication attempts based on refined parameters, such as location and network type. "By creating an authentication policy that blocks login attempts from certain countries, companies can ensure only their legitimate users can access sensitive data," she points out. "Organisations can further protect their data from login attempts from anonymous networks like Tor by creating authentication policies that only allow users on trusted networks to access their applications.

"The combined use of password managers, two-factor authentication and refined authentication policies can significantly reduce the risk of compromised data due to human error within an organisation by closing different security gaps from many different angles."
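The two controls described above - a push that the user must approve for a login they actually started, and an authentication policy that blocks logins by country, from anonymous networks such as Tor, and from anything outside trusted networks - can be expressed as a small policy engine. The following is an added example written for this page, not code from Duo Security or from either of the people quoted. The country code "XX", the GeoIP table, the "Tor exit node" address and the trusted networks are all constructed (RFC 5737 documentation addresses), and the `user_initiated` flag models whether the real user is expecting a push:

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed policy data for this example only: documentation (RFC 5737) addresses,
# a made-up blocked country code "XX" and a made-up GeoIP table. None of this is real.
BLOCKED_COUNTRIES: Set[str] = {"XX"}
TOR_EXIT_NODES: Set[str] = {"203.0.113.7"}           # stands in for a Tor exit-node list
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.0.2.0/24")]
GEOIP: Dict[str, str] = {"10.20.4.9": "GB", "192.0.2.15": "GB",
                         "203.0.113.7": "GB", "198.51.100.42": "XX"}


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool      # first factor (something you know) already verified
    source_ip: str


def evaluate_policy(attempt: LoginAttempt) -> str:
    """Apply the location/network rules. Returns 'challenge' (send a push) or 'deny:<reason>'."""
    if not attempt.password_ok:
        return "deny:bad_password"
    country = GEOIP.get(attempt.source_ip, "??")      # unknown location is treated as blocked
    if country == "??" or country in BLOCKED_COUNTRIES:
        return "deny:country"
    if attempt.source_ip in TOR_EXIT_NODES:
        return "deny:anonymous_network"
    ip = ipaddress.ip_address(attempt.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return "deny:untrusted_network"
    return "challenge"


class PushAuthenticator:
    """Second factor (something you have): one push per login, bound to a random challenge id."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self.pending: Dict[str, Tuple[str, float]] = {}   # user -> (challenge_id, expiry)
        self.locked: Set[str] = set()                      # users who reported a fraudulent push

    def issue(self, user: str) -> Optional[str]:
        if user in self.locked:
            return None                   # account stays blocked until an admin clears the report
        challenge_id = secrets.token_urlsafe(16)
        self.pending[user] = (challenge_id, time.monotonic() + self.ttl)
        return challenge_id

    def respond(self, user: str, challenge_id: str, approved: bool) -> str:
        entry = self.pending.get(user)
        if entry is None or not secrets.compare_digest(entry[0], challenge_id):
            return "ignored"              # unknown, already-used or replayed challenge; pending one is kept
        del self.pending[user]            # each challenge is single-use
        if time.monotonic() > entry[1]:
            return "expired"
        if not approved:
            self.locked.add(user)         # user rejected an unprompted push: block the account
            return "reported_fraud"
        return "approved"


def login(auth: PushAuthenticator, attempt: LoginAttempt, user_initiated: bool) -> str:
    """Full flow: password -> policy -> push. The real user approves only pushes for logins
    they started themselves (user_initiated=True) and reports any other push as fraudulent."""
    decision = evaluate_policy(attempt)
    if decision != "challenge":
        return decision
    challenge_id = auth.issue(attempt.user)
    if challenge_id is None:
        return "deny:locked"
    result = auth.respond(attempt.user, challenge_id, approved=user_initiated)
    return "allow" if result == "approved" else "deny:" + result


def scenario():
    """Constructed sequence: one legitimate login, then an attacker who holds the same password."""
    auth = PushAuthenticator()
    return [
        login(auth, LoginAttempt("alice", True, "10.20.4.9"), user_initiated=True),       # allow
        login(auth, LoginAttempt("alice", True, "198.51.100.42"), user_initiated=False),  # blocked country
        login(auth, LoginAttempt("alice", True, "203.0.113.7"), user_initiated=False),    # Tor exit node
        login(auth, LoginAttempt("alice", True, "192.0.2.15"), user_initiated=False),     # push rejected, reported
        login(auth, LoginAttempt("alice", True, "192.0.2.15"), user_initiated=False),     # account now locked
        login(auth, LoginAttempt("alice", False, "10.20.4.9"), user_initiated=True),      # wrong password
    ]
```

The order of the checks matters for the reason a login is denied, not for whether it is denied: a Tor exit node would also fail the trusted-network rule, but reporting it as an anonymous network gives the security team the signal Pham describes. A wrong or replayed challenge id is ignored without discarding the pending challenge, so an attacker cannot cancel the genuine user's push by guessing.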

It's well known that many successful IT breaches start with human error, whether that's clicking on the wrong link, opening an attachment on an unexpected email or picking up that USB stick in the car park and plugging it into your machine. "The actual mechanism doesn't really matter. The fundamental objective has been achieved, the hacker has some malicious code inside your network and it was human error that got it there," says Brian Chappell, director, Technical Services EMEAI & APAC, BeyondTrust.

GROWING MENACE
Recent statistics indicate that phishing attacks, malicious attachments and other social engineering techniques are growing and are still succeeding. While there are mechanisms that can be put in place to tackle malware coming into the environment through the network, these are not 100% effective. "There are several ways to approach the human element in IT Security; first and foremost must be communication and education," he adds. "We have to keep our staff apprised of the risks and have them understand how to be safer in their work (and play).

"Beyond that, we can take technical measures (IT Security is always a two-sided coin, human and technology; there is no tech-only answer). We can use effective vulnerability management solutions to ensure that those vulnerabilities with known exploits are fixed first. Those are the low-hanging fruit from a hacker's perspective and without them they are likely to move on to the next target.

"We can also implement best practices, such as least privilege," says Chappell. "By reducing every user to a standard user and eliminating any direct privileged account access, you then eliminate most of the remaining exploit opportunity (over 80% of known vulnerabilities in Windows 7 require the user to be an admin or equivalent to properly exploit).

"Finally, by establishing an effective privileged password management solution that allows users necessary access to privileged accounts through a secure environment that never reveals (and actively rotates) the passwords, you lock out opportunities for most lateral movement, as a pass-the-hash attack can't work in that scenario. The password has changed.

"Each of these layers is relatively easy to implement, has no dependencies and provides a step toward a more secure environment where human error need not result in business impact."
