Subscribe

Loss of identity

Data breaches and identity theft are becoming all too common.

By Ilva Pieterse, ITWeb contributor
Johannesburg, 18 Nov 2015

Although data breaches in South Africa increased by 30 percent last year, there are still relatively few listed, says the latest Gemalto Breach Index Report (BIR). Despite there being a rise, Neil Cosser, Gemalto identity & data protection manager for Africa, says the total amount of actual breaches could, in fact, be much higher. "South African companies generally don't disclose data breaches unless forced," he says. "This means most companies hold on to a false sense of security, believing data breach incidents in the country are relatively low."

Another problem, Cosser points out, is the fact that many organisations, even the most advanced, security-focused ones, will take months before they detect a data breach, and some will never be detected at all.

Orange Business Services Sub Saharan Africa's senior security specialist Herman Visser concurs. "Data breaches are on the rise and businesses still consider security as a last resort. Many customers only respond when the companies' networks have been breached, that's if they even know about the breach or data theft in the first place," he says.

This rings even more true for local companies that often don't have access to the same skill-sets or healthier budgets of their overseas counterparts.

However, even having the budget doesn't exclude South African companies from being breached. New Year's 2011 saw Postbank falling victim to a breach that resulted in R42 million being stolen by cyber criminals. Ironically, the incident is said to have taken place just a few years after Postbank had spent over R15 million upgrading its fraud-detection service.

J2 Software's senior security specialist Kevin Halkerd recounts how, in this scenario, stolen credentials were used, and the fraudulent activity occurred off-site.

"If there had been a robust identity and access management (IAM) strategy in place, with strong controls (including who can access what data, when they can access it, and from where), it's very likely that the heist would never have occurred. Had there been an effective audit and reporting mechanism built on top of that strategy, it would have been identified in play had the criminals managed to bypass controls set in place," he says.

The privileged user

Halkerd calls this the `trust, but verify' approach, and believes it is integral to IAM. "This methodology could mean the difference between an Ashley Madison breach type event (now widely reported as an inside job, by an authorised user), or a quiet mitigation with no data loss or negative press.

The privileged user (or privileged identities) is starting to come under fire by auditing houses, and as CA Southern Africa BU manager: security, Michael Horn likes to remind us: "You might be hacked, but you will be audited."

The issue of the privileged user can be largely remedied with Identity Risk Analytics (IRA). "As your organisation expands, roles and entitlements can start to overlap and proliferate. And as `entitlement creep' occurs, policy violations and overall risks abound. Identity Risk analytics can provide key information to help you identify and remediate these threats quickly," Horn says.

According to an independent report by Ponemon Institute (What You Don't Know Will Hurt You: A Study of the Risk from Application Access and Usage, June 2015), privileged users and identities account for 18 percent of user-based threats.

The report also shows monitoring is mainly done by manual or home-grown systems (36 percent) and focuses on privileged users (20 percent). Only 25 percent use a commercial system that focuses on privileged users (12 percent) or focuses on privileged and application users (13 percent).

"It's far more difficult to manually track the activities of thousands, or tens of thousands of business users, as opposed to a few dozen administrators. To be effective, a comprehensive, automated monitoring system would help detect abusive or negligent behaviour."

Organisations must be careful not to place too much weight on monitoring systems, though. Although Cosser believes in monitoring, he says it's not enough. "Monitoring will tell you that something is going wrong or has gone wrong, but it doesn't give you the mechanism to prevent it. By the time the monitoring has identified the problem, your data is already stolen."

Shadow IT

Horn believes the popularity of cloud is further exacerbating IAM challenges. "The role of shadow IT - those IT workers beyond your organisation's boundaries - is moving the boundary beyond the firewall. In this case, the identity becomes the perimeter - your credentials and entitlement travels with you. ID management solutions should span across both on-premise and cloud-based offerings, effectivity creating identity-as-a-service."

There are many ingress points available in today's enterprise networks. According to Visser, with many customers enabling a mobile workforce and also allowing third parties access to resources within the network, it's critical that the IAM services are clearly defined, implemented and policed across the entire enterprise. "The protection is only as good as the weakest security policy and structure setup to control access to critical business IT and data resources," he says.

As such, the issues relating to the deployment of unauthorised or vetted infrastructure and services - shadow or stealth IT - also needs to be carefully monitored and controlled and rapid response to this addressed.

Biometric solutions as an additional access and identity authentication mechanism are becoming increasingly prevalent. This can largely be attributed to consumer demand.

"Biometrics allows for a user to be verified and given access to a device like a mobile phone, laptop and network VPN via the user's fingerprint, palm print and facial recognition. These user attributes are also stored in the IAM system and are specific to each individual. The biometric scanners are also used as a physical access method to buildings and datacentres," says Visser.

"Orange has noted varying uptake in the use of biometrics within our global multinational customer base," he says. "Cost and complexity to manage were previously a concern but the technology is now becoming rapidly prevalent as one of many mechanisms used in addressing ID and access control and management."

According to Horn, biometrics is becoming increasingly popular because of smartphones putting a biometric fingerprint reader in everyone's hand. He believes this will change the IAM landscape significantly over the coming years.

Why optical fingerprint readers don't work

Lumidigm, a multi-spectral imaging fingerprint reader technology, is starting to gain ground in the biometrics space, and has replaced traditional optical readers in banks throughout South Africa.

It's not difficult to see why, according to Bytes' divisional director: identity management, Nick Perkins. "Optical fingerprint readers don't only fail to capture or read flawed fingerprints, but are vulnerable to misuse," he says.

The challenges associated with traditional fingerprint readers include:

1. Flawed or faded fingerprints are rejected

Optical fingerprint readers, which scan fingerprint details and capture an image, tend to be very finicky. Since fingerprint matching relies on having as much unique detail available as possible, faded or damaged fingerprints, or the presence of moisture or dirt, are often rejected. "The moisture or dirt on someone's hands will run between the fingerprint ridges, which will smooth out the image that is placed on the fingerprint reader's sensor," Perkins explains.

Furthermore, people are used to having ink-based fingerprints done, which means they will habitually press down too hard on the sensor, which also obscures fingerprint detail.

2. They use unreliable methods to detects 'liveness'

While some optical readers have 'liveness'-detection capabilities, it's not a standard feature. And even so, the fingerprint 'liveness' is determined through algorithms that look for light reflections on the surface of the skin, which is supposed to indicate moisture. "However, it's possible to stimulate the presence of moisture, and criminals have found a way to work this feature into their spoofed fingerprints," says Perkins.

3. They are vulnerable to spoofing

Spoofed fingerprints are made by criminals in an attempt to trick a fingerprint reader. A copy of the fingerprint can easily be obtained from the glass of the reader itself, and criminals use it to make a `fake finger' out of a variety of materials including wood glue, silicone, and clay. "Some optical fingerprint readers can even be fooled with a fingerprint printed on a piece of paper," warns Perkins.

These flaws open up all the avenues the biometric reader is supposed to be protecting the user against, but multi-spectral imaging circumvents these issues.

This technology works by shining different light sources onto the finger at the same time, and captures the sub-dermal vein pattern that sits underneath the fingerprint. "It doesn't matter what the outside of the fingerprint looks like - whether faded, damaged, dirty, or wet - multi-spectral imaging looks beyond that. It's able to catch very high-quality and clear fingerprint images, making it much more accurate than traditional technologies," Perkins concludes.

Share