What would you bet on the security of your corporate network?
For most IT professionals, the answer is ZERO, NADA, ZIP, ZILCH.
We recently surveyed more than 300 IT professionals, and their responses indicate an overwhelming lack of confidence in the security of their corporate networks. This was particularly apparent when IT pros were asked how much of their own money they would stake that their networks will not be breached in the coming year.
The majority (70%) of respondents were only Somewhat or Not At All Confident that an unauthorized person could not gain access to their network. And when asked if an expert hacker would be capable of infiltrating their network, 84% thought it was at least possible.
So, we asked IT professionals to put their money where their mouth is. How much of their own money would they be willing to bet that their company’s network will NOT be compromised in the next 12 months? The majority (58%) would bet $0.
It’s easy for a person to say that their network is secure, but when we asked them to make a bet using their own money they simply would not do so unless these further protections were put into place.
So, what’s driving all of this uncertainty? More than half of respondents cited malware, including root-kits, zero day exploits, and man-in-the-browser attacks as putting their networks at risk. Other key concerns include: Use of personal devices to access company resources (BYOD), the sheer volume of attacks, and widespread use of remote network access.
Perhaps one of the most unsettling insights to come out of the survey is the fact that only a quarter of IT professionals were confident that they would know if their network had been infiltrated.
Recently, a number of high-profile instances of attackers lurking undetected within corporate networks, sometimes for years, have come to light. In one such case, the email of Nortel executives was compromised for nearly a decade, allowing an attacker to access trade secrets and other sensitive information sent via email.
Knowing when an attacker is attempting to infiltrate your network is critical, particularly if the attacker been able to breach your first line of defense. For 87% of IT pros, receiving a real-time alert by phone call, text or e-mail any time someone attempted to log in with a stolen password increased their confidence in the security of their network. For one-third, this would have a significant impact on their confidence level.
A similar number of IT professionals, indicated that verifying user logins through an out-of-band phone call would increase their confidence.
Given the increased confidence out-of-band authentication and the real-time fraud alerts out-of-band methods can provide, we asked respondents whether having these tools in place would impact their willingness to bet on the security of their networks – 78% answered in the affirmative.
This lack of confidence in current security controls is driving adoption of out-of-band authentication from PhoneFactor. Nearly half (45%) of all respondents indicated that their company was planning to increase their use of out-of-band authentication over the next two years.
PhoneFactor provides strong protection from malware, fends off increasingly prevalent attacks, and shores up security for increasingly mobile workforces and the many devices that are used to access company networks.
If you aren’t willing to bet a dime on the security of your network, you are still taking a gamble. Put the odds in your favor with out-of-band authentication with real-time fraud alerts.
Next Page »
Video: When Not Knowing Is Not Good Enough
Do you know who is on your network now? With poor user password practices, cloud security uncertainty, user resistance to stronger authentication, and increasingly sophisticated threats, it is hard to ensure that only authorized users are accessing your sensitive data and applications. PhoneFactor can help. By verifying account logins with an automated phone call, text message, or smartphone app, PhoneFactor can stop an attack and prevent future ones. Watch this PhoneFactor video to find out how.
Next Page »
Now Android Users Can “App Authenticate” Too
Following the launch of its authentication app for iPhones and iPads last December, PhoneFactor recently released a version of the app for Android smartphones and tablets. By adding support for Android devices, the PhoneFactor App now ensures that iOS users are not the only hip people “App Authenticating” around the office, house, coffee shop, or wherever their busy lives takes them. Smartphones and tablets have become an extension of daily life for hundreds of millions of people worldwide. As of late 2011, there were more than 440 million iOS and Android devices in the field. By leveraging the devices, which millions of users already carry with them, PhoneFactor provides simple, secure, and cost-effective multi-factor authentication. The PhoneFactor authentication app works by pushing a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions. The PhoneFactor App provides strong, out-of-band protection from today’s most sophisticated threats. And it’s easy for IT to set up and easy for your employees and customers to use. |  |
The most trusted device your users own can be used to establish trust when accessing your network. If you haven’t “App Authenticated” yet, click here to give it a try.
Next Page »
Video: See PhoneFactor In Action with HealthCast and Citrix
Securing access to electronic health records is essential to protecting patients’ privacy. This video looks at how PhoneFactor, in conjunction with HealthCast and Citrix, can provide simple, secure remote access for physicians. During the video, the HealthCast team demonstrates how a “doctor” is authenticated by PhoneFactor into his hospital’s published desktop through an iPad and then roams that same session to a PC or thin client in the hospital.
Next Page »
Top Security Incidents of 2011
I’m sure everyone will agree that 2011 was a busy year in the field of data security! So as the year draws to a close (and hopefully slows down a bit for the holidays), it seems like the appropriate time to reflect on its events and begin the process of distilling our experiences into “lessons learned” that we can take with us into 2012.
Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.
“Tehran Bob”
In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.
In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.
What we learned:
- The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we’ve never heard of before.
- Current certificate revocation systems are simply not effective.
- CA “pinning” can provide improved security, but currently only browser vendors have access to it.
- One person can make a difference.
Sony
After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.
It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.
Estimates for the total cost of the attacks range from $170 million into the billions.
What we learned:
- Systems may run just fine, vulnerable, for long periods of time.
- The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is “worth.”
LulzSec
There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.
In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.
What we learned:
- Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.
RSA
RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.
In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.
Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)
What we learned:
- We are dependent on our vendors.
- Even the most well-regarded technology companies can be “pwned” by an Adobe Flash 0-day.
- Continuous monitoring is essential.
- An attacker may seek to use you as merely a stepping stone in a larger plan.
Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.
Perhaps 2012 will bring us less interesting times!
- Marsh
Next Page »
Recent Analyst Insight Report Builds a Case for Out-of-Band Phone-Based Authentication
 | The Aberdeen Group recently released an Analyst Insight report, The Case for Phone-based Authentication: Jumping on the Out-of-Band Wagon, which creates a business context for why many businesses are re-evaluating their current authentication strategies. The report notes that business drivers, such as increased compliance guidelines, many highly publicized security breaches – particularly those in the security space such as RSA and DigiNotar, and the growing mobility of today’s workforce, are generating increased interest in out-of-band, phone-based authentication. |
“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.
According to the report, "For organizations looking to augment their existing username and password implementations with two-factor authentication, out-of-band solutions integrate easily with existing application and identity infrastructure, and provide the convenience of leveraging the mobile phones that most enterprise end-users already carry and use."
Click here to download the Aberdeen Analyst Insight report.
~Sarah
Next Page »
The PhoneFactor App vs Soft Token Apps
Most mobile authentication apps are just hardware tokens in disguise, displaying a one-time passcode that the user keys in during login. The PhoneFactor App takes a different approach.
PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.
The PhoneFactor App offers a number of benefits over one-time passcode apps, including:
- Out-of-Band Authentication – By leveraging a separate device – the phone – PhoneFactor protects against malware running on the user’s computer. Passcodes from mobile apps, which are entered into the user’s computer, are not out-of-band and as such are vulnerable to attack.
- Real-Time Fraud Alerts – If an attacker tries to log in with stolen credentials or transfer funds from an account, the legitimate user receives a notification and can report fraud instantly from the PhoneFactor App.
- Transaction Verification – In accordance with the 2012 FFIEC Authentication Guidance, the app can be used to verify transaction details by displaying them in the PhoneFactor App.
- Ease of Use - With no one-time passcodes to enter, authenticating with the PhoneFactor App is quicker and easier. It works instantly with any enterprise or web application, including those running on the user’s phone.
- One App, Countless Uses – The PhoneFactor App can be enabled for multiple accounts. For example, a controller may use the PhoneFactor App to verify online banking transactions while also using it to authenticate to the company VPN.
For more information:
Watch The Video
Try The Online Demo
~Sarah
Next Page »
PhoneFactor Unveils an Innovative Authentication App for iPhones and iPads
The new PhoneFactor App harnesses the power of smartphones and tablets to provide unmatched convenience for users and out-of-band security for enterprises and banks. Here’s how it works:
Try it yourself:
Simply register for a demo account, download the PhoneFactor App from the Apple App Store, and enter the activation code provided on the demo registration screen.
~Sarah
Next Page »
PhoneFactor and Imprivata Team Up to Ensure That Protected Health Information Is Really Protected
They don’t call it Protected Health Information for nothing. Access to electronic medical records must be safeguarded by healthcare organizations. It is critical for regulatory compliance, but perhaps more importantly, it is essential to maintaining patient trust.
Securing access to patient records is vital, but so too is enabling convenient access to those records from a growing number of endpoint devices and locations. PhoneFactor and Imprivata, a leading provider of single sign-on and access management solutions for the healthcare industry, recently joined forces to guard Protected Health Information while enabling easy access for healthcare providers from both inside and outside the hospital walls.
Here’s how it works: Imprivata OneSign® and OneSign Anywhere™ provide authorized doctors, nurses, and other caregivers with fast and secure access to electronic medical records (EMR) and other applications. PhoneFactor provides an additional layer of protection by verifying access through an automated phone call or text message. The caregiver answers the call and presses # or replies to the text message to authenticate. This simple process provides the multi-factor security required by many regulatory agencies, including HIPAA and state pharmacy boards, yet is extremely easy to setup, manage, and use.
PhoneFactor integrates seamlessly with Imprivata via RADIUS and synchronizes with AD and LDAP servers to streamline user management. Easy, automated enrollment and self-service options are available through the phone and web. Learn more about PhoneFactor for Imprivata.
~Sarah
Next Page »
PhoneFactor Aids Customers in Accomplishing Strategic IT Objectives
PhoneFactor helps organizations meet their strategic IT objectives by providing stronger security, an improved user experience, reduced setup and management time, and a lower total cost of ownership. But don’t take our word for it. Here are the top three IT initiatives that our customers say PhoneFactor helped them achieve.
 | Customers also cited: |
Is Mobile Workforce Enablement one of your goals?
Watch the on demand webcast Strong Security for Remote Workers Is Just a Phone Call Away for valuable information on how to support your increasingly mobile workforce while ensuring the strong security necessary to prevent unauthorized access and meet regulatory mandates.
~ Sarah
Next Page »
