02/08/2015
As news reports revealed recently, U.S. investigators now have evidence that the hackers who compromised Sony’s computing networks and stole its confidential data gained access to its systems by stealing system administrator credentials.
In a CNN news report, one U.S. official explained that the ability of hackers to access the passwords of a high-level Sony IT employee gave them the “keys to the entire building”.
Unfortunately, while the Sony case is unique in its ties to the planned release of a controversial film, the credential and authentication vulnerability that hackers exploited is something that thousands of companies share worldwide and that has enabled countless other data breaches, including recent attacks against Target, Home Depot, and even Swiss banks.
So how can your company identify this vulnerability, address the risks and threats it entails, and avoid a catastrophic loss of confidential data, similar to what Sony suffered?
The keys to avoiding data breaches can be found in encrypted software keys and, specifically, in authentication security that uses asymmetric or public key cryptography.
Properly engineered authentication with public key cryptography physically eliminates passwords and sensitive credentials from the user login process for websites, applications, systems, and networks. It replaces password-based authentication with next-generation cryptography that makes it physically impossible for attackers to compromise your user logins, steal user credentials, and use them to access your data.
Quite simply, if Sony had been using public key cryptography to protect its administrator accounts, the attack against it would have never been possible. But, unfortunately, like most other companies around the world, Sony was still using outdated and highly vulnerable password-based authentication, which is now widely discouraged by data security experts and tech industry leaders.
If you are using password authentication methods, your company, user credentials, and confidential data are all prime targets for attackers. Forward-thinking organizations that are keen to protect their reputations and avoid disastrous data security breaches must rethink traditional authentication, and they must deploy better approaches.
Continuing to use passwords and other sensitive credentials for authentication invites a number of potentially dangerous security risks, and cybercriminals have already deployed a wide variety of attack methods that can exploit these weaknesses. Whether they use brute force hacking, phishing, malware, or other methods, hackers can easily defeat password-based authentication security, no matter how complex or unique your passwords are.
Moreover, even if you use two-step verification or two-factor authentication and require one-time codes (OTCs) or one-time passwords (OTPs) to verify user identity and access your accounts, your logins and data are still highly insecure.
Of course, deploying two-step verification or two-factor authentication is an important step toward improving your user account security because it adds an extra layer of protection and requires a second authentication factor, beyond a password, which technically makes it more difficult for hackers to compromise your user logins. However, most two-step or two-factor solutions and technologies use methods that are highly vulnerable and already obsolete.
Man-in-the-middle attacks and SIM card cloning have already been used to bypass OTC and OTP two-factor authentication in high-profile data breaches, including the case involving online banking provided by Swiss banks and other financial institutions in Europe.
These attacks capitalize on the use of outdated methods and infrastructure, such as the requirement for authentication that users must receive OTCs or OTPs on their mobile device and then enter them through the same login interface as the ID and password.
This misguided approach provides an opportunity for attackers to intercept or redirect the OTC or OTP when it is entered through the login mechanism, which is exactly how hackers compromised these credentials in their successful hacking against online banking services.
Quite simply, if your login process involves the entry or transmission of any sensitive credentials through your login interface, including OTCs or OTPs, then there is little to prevent attackers from compromising your user credentials and potentially stealing your company data.
The OTC or OTP approach also means that passwords are still used, and they can likewise be stolen in transit, or they can be stolen by hacking the authentication server, which makes the server an obvious target for attacks. By offering the tantalizing possibility of obtaining entire databases of ID and password combinations by hacking into your server, attackers have every incentive to target companies that use outdated technologies like this and continue to store sensitive credentials on their servers.
The only way to eliminate the incentive and the means for attackers to target your company and to compromise your user logins is to choose a two-factor authentication solution with public key cryptography. Applying this technology removes passwords from the login process and does not require entry or transmission of confidential credentials during the login process. Importantly, this authentication method does not store sensitive credentials on a server in order to verify identity and authenticate, so it also eliminates the incentive for hacking the server and trying to steal passwords.
With next-generation authentication using public key cryptography, your company can provide a simple login that only requires the entry of a non-confidential user ID, and you can provide quick and completely secure two-factor authentication using encrypted software key pairs and a simple mobile app. This ensures that no passwords are used and that no confidential credentials like OTCs or OTPs are ever entered through the login process, transmitted between devices or servers, or stored on the authentication server.
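The login flow the two preceding paragraphs describe, written out as an added illustration that is not SecSign's code and makes no claim about their product: a generic challenge-response login using the Go standard library's Ed25519, in which the server stores only the public key, the user's device signs a fresh random nonce, and nothing secret is entered or transmitted. The names Server, Device, Register, Challenge, Verify and the map-based storage are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores only public keys plus the nonce outstanding per login attempt
// (hypothetical structure for illustration, not SecSign's own protocol).
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register keeps the user's public key; the private key never leaves the device.
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.pubKeys[userID] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt. A nonce is
// issued even for unknown IDs so the reply does not reveal which IDs exist.
func (s *Server) Challenge(userID string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // only on a failed system RNG
	}
	s.challenges[userID] = nonce
	return nonce
}

// Verify checks the signature over the outstanding nonce and consumes the nonce,
// so a signature captured in transit cannot be replayed for a later login.
func (s *Server) Verify(userID string, sig []byte) bool {
	pub, known := s.pubKeys[userID]
	nonce, pending := s.challenges[userID]
	delete(s.challenges, userID)
	return known && pending && ed25519.Verify(pub, nonce, sig)
}

// Device holds the private key (e.g. inside the mobile app) and only ever emits signatures.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // err only if the system RNG fails
	return &Device{priv: priv}, pub
}

func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```

Because the server holds nothing but public keys, a dump of its database gives an attacker no way to log in, and a signature sniffed from one login is rejected the moment the nonce is consumed.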
With no sensitive credentials to steal, there is physically no means for attackers to target or compromise your login and authentication security, and this means that they can never use stolen credentials to gain access to your company data. You can rest assured that your data will stay on your servers, where it belongs, and that your company stays out of the news headlines and never becomes the victim of a Sony-type hack.
To find out more about public key cryptography and how this next-generation technology can protect your company, contact SecSign Technologies to request a free consultation.