Nic Sarginson, Principal Solutions Engineer at Yubico, discusses the key regulatory changes in the UK & EU and the pressures being placed on regulators/ policymakers to protect the public from the risks associated with this “new normal”
As technology evolves, so too must regulation if organisations are to be equipped to mitigate the threat of increasingly frequent cyberattacks. The General Data Protection Regulation (GDPR) shook up data privacy and protection, with its emphasis on security and measures that regulate how companies manage data and customer communications. In some industry sectors, regulations and frameworks mandate authentication to secure access and control for sensitive and critical assets. Yet, not all authentication provides equal protection in the face of rapidly evolving cyber threats.
Over 47% of organisations surveyed by Cisco in 2020 said they believe their security programmes are most successful in meeting compliance regulations. This level of confidence outstrips belief in their programmes to manage top risks (42% and avoid major incidents (43%). Clearly, the punitive nature of regulation piles pressure on organisations to meet prescribed standards. However, security programmes must also adapt to manage and mitigate risks if organisations are to keep data and assets cybersafe.
The profile of an attack
To begin, organisations must understand the range of threats they face and how cyberattacks unfold.
Credentials, being the forms of verification people use to gain access to digital services, applications and systems, are the most sought-after data in the initial phase of a cyberattack. Once breached, they provide a route for cybercriminals to potentially move throughout a system, compromising more data.
Cyberattacks are often multi-step, for example, stolen credentials may be the route in to deploy malware. Unfortunately, there is a range of ways for credentials to be stolen and so prevention methods must safeguard against the following:
Password spraying
This occurs when common passwords are tried against a large number of accounts. Users are often inexperienced when it comes to creating strong passwords, while cybercriminals are expert at discovering and abusing passwords that are commonly chosen.
Phishing
Phishing is a form of social engineering attack in which targeted individuals receive a message, often an email, designed to appear to come from a trusted source. Once convinced to click on the invitation to login, the user may be sent to a fake site where they will inadvertently give their username and password to the phisher.
Credential stuffing
This utilises details acquired through phishing or other means to attempt logins across a range of digital services, often using an automated system or program. These types of attacks can prove successful because people use their username/password combinations on more than a single account or service.
Man-in-the-middle (MitM)
Often sophisticated, this attack is a form of eavesdropping to spy, sabotage, or capture data – particularly credentials.
SIM swap
SIM swap involves an attacker tricking a mobile provider into changing a victim’s phone number to a SIM card that they control. Then communications, such as one-time passcodes meant for the genuine user, are actually picked up by the cyber attacker.
Strong authentication to counter modern threats
Basic authentication such as a username and password or even common forms of 2FA like SMS are inadequate to protect data, systems and applications against today’s cyberthreats.
Some industry regulations are beginning to spell out authentication minimums for access and control, while others rely on frameworks to provide guidance. The International Organization for Standardization (ISO), for example, outlines requirements for an information security management system (ISMS), with ISO 27001 detailing the requirement for access controls and ISO 27002 introducing cryptographic controls.
Meanwhile in June this year, the EU Commission announced plans for revised electronic IDentification, Authentication and trust Services (eIDAS) regulation. The regulation makes provision for secure, seamless electronic interactions between people, businesses and public authorities, for example through national electronic ID schemes, electronic signatures and website authentication.
Protecting citizens and services
Government employees and contractors are prime targets for hackers because of the information they have access to. National and local government systems contain sensitive data such as social security numbers. In healthcare, medical staff need safe and secure ways of accessing highly sensitive electronic health records, while education systems hold financial and other data attractive to identity and cyber thieves.
With a high proportion of cyberattacks focusing on credential theft, strong authentication holds the power to drastically reduce the impact. The traditional username and password combination, and forms of 2FA that rely on ‘shared secret’ protocols such as recovery questions and one-time passcodes, can be susceptible to phishing and other remote attacks.
Strong two-factor authentication (2FA) and multi-factor authentication (MFA) require that a user provides more than just remembered details (which can be stolen) to verify their identity. To protect citizen data and promote the continuing, uninterrupted provision of public sector services, organisations should deploy security programmes that both comply with regulation and incorporate strong authentication to thwart attacks. Additional verification through, for example, hardware-based authentication, helps counteract the risks associated with compromised credentials. These new hardware-backed security devices are leading the way in eliminating phishing and MitM attacks, protecting users from having their credentials compromised and organisations from being breached.
