What would you bet on the security of your corporate network?
For most IT professionals, the answer is ZERO, NADA, ZIP, ZILCH.
We recently surveyed more than 300 IT professionals, and their responses indicate an overwhelming lack of confidence in the security of their corporate networks. This was particularly apparent when IT pros were asked how much of their own money they would stake that their networks will not be breached in the coming year.
The majority (70%) of respondents were only Somewhat or Not At All Confident that an unauthorized person could not gain access to their network. And when asked if an expert hacker would be capable of infiltrating their network, 84% thought it was at least possible.
So, we asked IT professionals to put their money where their mouth is. How much of their own money would they be willing to bet that their company’s network will NOT be compromised in the next 12 months? The majority (58%) would bet $0.
It’s easy for a person to say that their network is secure, but when we asked them to make a bet using their own money they simply would not do so unless these further protections were put into place.
So, what’s driving all of this uncertainty? More than half of respondents cited malware, including root-kits, zero day exploits, and man-in-the-browser attacks as putting their networks at risk. Other key concerns include: Use of personal devices to access company resources (BYOD), the sheer volume of attacks, and widespread use of remote network access.
Perhaps one of the most unsettling insights to come out of the survey is the fact that only a quarter of IT professionals were confident that they would know if their network had been infiltrated.
Recently, a number of high-profile instances of attackers lurking undetected within corporate networks, sometimes for years, have come to light. In one such case, the email of Nortel executives was compromised for nearly a decade, allowing an attacker to access trade secrets and other sensitive information sent via email.
Knowing when an attacker is attempting to infiltrate your network is critical, particularly if the attacker been able to breach your first line of defense. For 87% of IT pros, receiving a real-time alert by phone call, text or e-mail any time someone attempted to log in with a stolen password increased their confidence in the security of their network. For one-third, this would have a significant impact on their confidence level.
A similar number of IT professionals, indicated that verifying user logins through an out-of-band phone call would increase their confidence.
Given the increased confidence out-of-band authentication and the real-time fraud alerts out-of-band methods can provide, we asked respondents whether having these tools in place would impact their willingness to bet on the security of their networks – 78% answered in the affirmative.
This lack of confidence in current security controls is driving adoption of out-of-band authentication from PhoneFactor. Nearly half (45%) of all respondents indicated that their company was planning to increase their use of out-of-band authentication over the next two years.
PhoneFactor provides strong protection from malware, fends off increasingly prevalent attacks, and shores up security for increasingly mobile workforces and the many devices that are used to access company networks.
If you aren’t willing to bet a dime on the security of your network, you are still taking a gamble. Put the odds in your favor with out-of-band authentication with real-time fraud alerts.
Video: When Not Knowing Is Not Good Enough
Do you know who is on your network now? With poor user password practices, cloud security uncertainty, user resistance to stronger authentication, and increasingly sophisticated threats, it is hard to ensure that only authorized users are accessing your sensitive data and applications. PhoneFactor can help. By verifying account logins with an automated phone call, text message, or smartphone app, PhoneFactor can stop an attack and prevent future ones. Watch this PhoneFactor video to find out how.
Now Android Users Can “App Authenticate” Too
Following the launch of its authentication app for iPhones and iPads last December, PhoneFactor recently released a version of the app for Android smartphones and tablets. By adding support for Android devices, the PhoneFactor App now ensures that iOS users are not the only hip people “App Authenticating” around the office, house, coffee shop, or wherever their busy lives takes them. Smartphones and tablets have become an extension of daily life for hundreds of millions of people worldwide. As of late 2011, there were more than 440 million iOS and Android devices in the field. By leveraging the devices, which millions of users already carry with them, PhoneFactor provides simple, secure, and cost-effective multi-factor authentication. The PhoneFactor authentication app works by pushing a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions. The PhoneFactor App provides strong, out-of-band protection from today’s most sophisticated threats. And it’s easy for IT to set up and easy for your employees and customers to use. |  |
The most trusted device your users own can be used to establish trust when accessing your network. If you haven’t “App Authenticated” yet, click here to give it a try.
Video: See PhoneFactor In Action with HealthCast and Citrix
Securing access to electronic health records is essential to protecting patients’ privacy. This video looks at how PhoneFactor, in conjunction with HealthCast and Citrix, can provide simple, secure remote access for physicians. During the video, the HealthCast team demonstrates how a “doctor” is authenticated by PhoneFactor into his hospital’s published desktop through an iPad and then roams that same session to a PC or thin client in the hospital.
Top Security Incidents of 2011
I’m sure everyone will agree that 2011 was a busy year in the field of data security! So as the year draws to a close (and hopefully slows down a bit for the holidays), it seems like the appropriate time to reflect on its events and begin the process of distilling our experiences into “lessons learned” that we can take with us into 2012.
Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.
“Tehran Bob”
In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.
In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.
What we learned:
- The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we’ve never heard of before.
- Current certificate revocation systems are simply not effective.
- CA “pinning” can provide improved security, but currently only browser vendors have access to it.
- One person can make a difference.
Sony
After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.
It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.
Estimates for the total cost of the attacks range from $170 million into the billions.
What we learned:
- Systems may run just fine, vulnerable, for long periods of time.
- The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is “worth.”
LulzSec
There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.
In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.
What we learned:
- Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.
RSA
RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.
In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.
Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)
What we learned:
- We are dependent on our vendors.
- Even the most well-regarded technology companies can be “pwned” by an Adobe Flash 0-day.
- Continuous monitoring is essential.
- An attacker may seek to use you as merely a stepping stone in a larger plan.
Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.
Perhaps 2012 will bring us less interesting times!
- Marsh
Subscribe in a reader.
