Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. But even when passwords are secure, it’s not enough. Recently, hackers leaked 87,000 Fortinet VPN passwords, mostly from companies who hadn’t yet patched a two-year-old vulnerability.

At this point, multi-factor authentication (MFA) has permeated most applications, becoming a minimum safeguard against attacks. End users tend to be careless with passwords, frequently reusing or sharing their passwords.

Jump to:

• What is multi-factor authentication?
• Rise of multi-factor authentication
• MFA can be hacked
• MFA use cases and considerations
• Where to look when MFA isn’t enough
  • Zero trust network access
  • Passwordless access
  • Privileged access management
  • Identity access management

In fact, 62 percent of professionals admitted to sharing passwords over text messages or email and 46 percent said their company shares passwords for accounts used by multiple people. When this is happening, it’s clear that organizations either aren’t using MFA or are finding ways around it.

Clearly, MFA can’t work for everything. Let’s take a look at some best practices for using multi-factor authentication and where you should look when it doesn’t fit the bill.

What is multi-factor authentication?

Multi-factor authentication, or MFA, is simply an umbrella term for verifying the identity of end-users with a password and at least one other form of authentication. Initially, security vendors only offered two-factor authentication. Two-factor authentication, called dual authentication or 2FA, added another level to a User ID and password. Since then, security vendors have introduced new methods for authentication, which can be layered to create a multi-factor authentication solution.

MFA incorporates at least two of three authentication methods, according to the PCI Security Standards Council:

• Something you know
• Something you have
• Something you are

An MFA security solution may also incorporate additional factors, such as geolocation data or a time component. Many services now send alerts or require additional authentication when you log into their service from a new device.

There are several options for achieving each method of authentication. Typically, “something you know” is simply a user ID and password, but MFA solutions can also require the end-user to submit a PIN or the answer to a secret challenge question, like the ones you often have to answer on your bank’s website.

“Something you have” traditionally required the use of tokens. A token acts as an electronic cryptographic key that unlocks the device or application, usually with an encrypted password or biometric data. Tokens are generally referred to as either “connected” or “disconnected.” Connected tokens are stored on hardware that holds a cryptographic certificate, key, or biometric data, such as an SD card on a phone, a USB token, tokens kept on smart cards, or an employee key fob. Disconnected tokens are generally only good for one use and can be delivered via RFID or Bluetooth, or users can manually enter them into the computer.

As websites have adopted MFA, “something you have” has expanded to mean the end user’s credit card or mobile phone, called mobile authentication. In mobile authentication, a one-time password (OTP) or PIN is generated and sent to the end user’s smartphone via text, although an added layer of security can be added by using an OTP app, a certificate, or a key stored on the phone. Mobile authentication is often seen as a cheaper and easier alternative to biometric authentication.

Biometric authentication

Identification by “something you are,” or biometric authentication, relies on either physical or behavioral characteristics. Physical characteristics include retina scans, iris scans, facial recognition, fingerprints, voice recognition, hand geometry, earlobe geometric, or hand vein patterns. Behavioral characteristics include keystroke dynamics, such as measuring the way a user types, how fast, or the amount of pause on a given key. While biometrics can require special equipment, some solutions simply leverage the sensors in smartphones.

Biometrics offers the most secure method of authentication, but there are problems. For example, some people’s fingers don’t always have enough minutiae points for the scanner to pick up, as is the case with workers who do heavy manual work with their hands, burn victims, or people with skin diseases. Attackers can also trick scanners simply by capturing the fingerprint. For more on the pros and cons of biometric solutions, as well as a list of select Biometric vendors, see Biometric Authentication: How It Works.

Passwords alone won’t cut it

The unfortunate reality is that many people are lazy with their passwords, and even when they aren’t, brute force attacks can crack many passwords in less than a day. And social engineering can crack even more considering how many people include the names of their families and birthdays. MFA is the bare minimum for securing networks and applications because passwords alone can be too easily hacked.

Two-factor authentication

The most common form of MFA is two-factor identification, sometimes referred to as dual authentication, two-step verification, or 2FA. Two-factor authentication combines a user ID, password, and at least one of two other methods for ensuring user identification. A common approach to 2FA is to require a one-time password (OTP) sent via SMS to a cell phone or a credit card number.

Twitter, Google, Microsoft, Apple, Facebook, and Amazon all use SMS to support two-factor authentication, although they can also use push notifications on smartphones. Two-factor authentication is also being deployed for mobile security and by Internet of Things companies such as Nest to secure IoT devices.

Rise of multi-factor authentication

In recent years, more companies have turned to multi-factor authentication solutions to address their security and compliance concerns. A 2021 survey found that approximately 49 percent of businesses adopted MFA in reaction to the COVID-19 pandemic. With more employees working from home, their data was more at risk from weaker networks and personal devices.

Stratistics MRC estimates that the global multi-factor authentication market will reach $13.59 billion by 2022, spurred largely by growth in e-commerce, the increase in online transactions, network security threats, and legislative compliance. Banking, financial services, and insurance industries constitute the largest share of adopters, with North America leading adoption, according to Orbis Research.

But despite early adoption rates, businesses are neglecting their cloud environments when it comes to MFA. According to Alexander Weinert, Director of Identity Security at Microsoft, only 11 percent of enterprise cloud users have adopted MFA. And because attackers look for the path of least resistance, that leaves the other 89 percent extremely vulnerable.

MFA can be hacked

While MFA can prevent a lot of attacks, motivated bad actors aren’t going to let one extra layer of protection stop them. And it’s not hard for them to use social engineering to get around it, or else phishing attacks wouldn’t be so popular.

One way attackers have started to circumvent MFA is by calling victims and convincing them that someone has hacked their account. They tell the person they’re going to initiate a password reset on their end. When the victim receives a one-time password, they read that code to the attacker. Then, the attacker has everything they need to take over the account for good.

Alternatively, attackers can intercept text messages or emails meant to deliver your one-time passcodes, preventing you from knowing that anything was amiss. Through channel-jacking, attackers can use a software-defined radio to route incoming messages away from the intended recipient and into their own devices.

MFA use cases and considerations

MFA isn’t just for e-commerce sites or employees. Before adopting a multi-factor authentication solution, consider these other scenarios and issues:

B2B vendors

In 2017, New York State introduced new financial regulations requiring banks, insurance companies, and other financial services companies to establish and maintain cyber security programs that meet specific standards — including examining security at third-party vendors. Yet 32 percent of IT professionals don’t evaluate third-party vendors for security, according to a NAVEX Global survey. Don’t be one of them.

Security experts advise IT professionals to protect the entire information pipeline since even fourth-party vendors can present a security risk. One way to mitigate the risk is to require that vendors include multiple authentication methods. Be sure to outline the restrictive use of access and any repercussions for unauthorized or negligent behavior.

VPN Authentication

More employees are accessing enterprise applications and data remotely, which poses a security risk even with VPNs. Be sure to include VPNs when evaluating MFA solutions. However, as we’ve seen, MFA can be hacked, so employ other security methods with your VPN security in addition to MFA, like zero trust and least privileged access.

MFA for services

VPNs and traditional log-ins aren’t the only way hackers can access corporate data, of course. That’s why companies should consider two-factor authentication for services, advised Veracode co-founder and CTO Chris Wysopal.  “If you’ve implemented two-factor authentication for remote access to your company, why aren’t you implementing two-factor authentication with all the services you’re using that also have access to your company’s data?” Wysopal told eSecurity Planet. “Try to keep parity with what you already thought was a good idea to do to yourself.”

We saw the effect third parties can have on data vulnerabilities with the SolarWinds breach in 2020. By accessing the SolarWinds network, the attackers gained a backdoor into thousands of networks using the service. MFA could potentially have added a layer of protection between the end-users and the threat.

Independence of the authentication

If security is a top concern, then look for a solution that offers out-of-band (OOB) authentication. Out-of-band authentication means that the authentication methods are delivered through a different network or channel, which adds another layer to the security. That might be as complex as requiring a physical token or as simple as sending a one-time password (OTP) via text to a smartphone.

One caveat: if the smartphone is also used to submit the OTP, you’ve lost the benefits of out-of-band, since the network is the same. That’s not a small issue, as many employees now use mobile devices to access corporate data, and smartphones can be lost or stolen fairly easily.

Where to look when MFA isn’t enough

As threats adapt, so too do security tools. While MFA can do a lot to protect your network, it won’t be enough for every scenario. MFA can’t protect servers, for example, because they contain too much and have too many entry points. Unlike applications that generally have just one way in (the login screen), servers might have different points of access for admins than they do users or applications.

Additionally, MFA doesn’t work when you’re looking at spoofed login pages, CEO fraud, or links to malware. Because authentication doesn’t matter in these scenarios, it won’t prevent an attacker from stealing your information or infecting your device with malware. Instead, you need other security measures in place to block these actions.

So, what should you have in place when MFA fails?

Zero trust network access

Employees shouldn’t be able to put in a password and access every piece of information on a network. They should only get access to the data and systems they need, and even with that, they’ll need to verify their identity before gaining entry. Zero trust network access (ZTNA) guards both the interior and exterior of a business’s network and keeps sensitive data more secure.

Zero trust protects against internal attacks that MFA can’t stop. Unfortunately, internal employees sometimes seek to use company data for their own gain, and they don’t need to get around MFA because they set it up. But, if ZTNA is in place, the employee won’t be able to access as much data, and they won’t be able to do as much damage. Additionally, abnormal behaviors, like accessing data late at night or from a different location, might automatically lock their account until IT investigates – a feature that’s also useful for stopping account takeovers.

Passwordless access

Clearly, passwords aren’t as secure as we’d like, but what’s the alternative? Passwordless authentication works with information that the person has, like biometrics, or something they possess instead of something they know, as it is with password authentication. Key fobs are an example of passwordless access.

It’s easier for individuals to use, meaning they don’t resort to shadow IT practices, and the IT department gets greater visibility into each person’s activity. It can also lower operating costs by reducing the amount of helpdesk resources you spend helping users reset their passwords and the number of successful phishing attempts.

Privileged access management

Privileged access management (PAM) is similar to zero trust in that each employee only gets access to what they need to do their job, but its focus is only on the sensitive data, rather than the network as a whole. Each employee has a different account level depending on how IT expects them to interact with the data and systems the company uses. For example, while an accountant might have privileged access to financial information, they likely wouldn’t get customer records.

PAM limits the number of internal users that have access to sensitive information, so IT can better control its use. Additionally, it applies to both people and applications, helping to protect against third-party vulnerabilities. While PAM may include MFA as a part of authentication, it goes further in providing greater account control and security.

Identity access management

Identity access management (IAM), like PAM, ensures that employees only get access to the information and systems they need, but unlike PAM, it’s not only concerned with sensitive data. Instead, it encompasses all of the systems on the network and provides an audit trail for compliance purposes. IAM provides a single management console that IT can use to monitor the activity on each account and investigate strange behaviors.

IAM, too, often includes MFA, but it doesn’t rely solely on authentication to protect your data. Instead, it uses MFA as the first line of defense and then implements other features to protect beyond the perimeter.

Overall, MFA is a great tool to incorporate into your cybersecurity infrastructure, but it can’t be the only one. It will stop a lot of attacks, especially by bad actors looking for the path of least resistance, but you’ll need other security measures in place to stop motivated attackers. Zero trust, passwordless access, IAM, and PAM are all good options to consider.

The post Multi-Factor Authentication (MFA) Best Practices & Solutions appeared first on eSecurity Planet.

Endpoint security is still dominated by traditional anti-virus solutions, with Gartner ranking Symantec, Sophos, Trend Micro and Kaspersky as leaders in the field. But new next-generation endpoint security solutions are generating buzz as either replacements or supplements to existing security investments. These new solutions promise to stop zero-day attacks and ransomware, two big security threats that often slip by traditional anti-virus solutions.

The endpoint security solutions featured here use a variety of emerging approaches and technologies. In general, though, next-generation endpoint security relies on one of two methods to stop new attacks. Many use some form of advanced analytics — whether from a pre-determined analysis of malware or by learning your network — that monitors endpoint behavior and stops unusual events. Others leverage virtual sandboxes, whitelists or containers to ensure insecure endpoint activity remains cut off from the network.

To help cut through the hype, we’ve focused on how each endpoint security solution works and what’s unique about the company. We’ve also identified whether the solution tries to replace or complement existing security tools. You’ll find information on which endpoint OSes each supports and whether the tool can provide security analytics.

Bufferzone

http://www.bufferzonesecurity.com

How it works: Bufferzone creates a virtual container around any applications you deem insecure. This can include browsers, email, Skype, FTP and removable storage devices. Essentially, it segregates the corporate network into two zones: trusted and untrusted domains. The tool creates a virtual sandbox around the entire application environment, including related files, registries and network access that your administrator deems insecure. This allows the solution to contain malware, protecting not only your network but the rest of the end user’s computer.

What’s unique: Bufferzone does not attempt to detect or block malware but instead focuses on containing all “untrusted” sources. Any infections are automatically confined to the container. The upside is it doesn’t require maintenance of a blacklist or whitelist and, unlike traditional endpoint detection solutions, it doesn’t need to learn to detect new, suspicious behaviors. “It simply isolates threats like ransomware and zero-days so that they cannot do any harm,” the company notes.

Replace or complement: Bufferzone integrates existing SIEM solutions and Big Data analytics tools to identify targeted attacks.

Supports: Windows devices

Analytics: Bufferzone provides data to enterprise solutions that analyze endpoint data, such as Splunk and McAfee.

Big brag: Bufferzone is effective in blocking ransomware and preventing it from encrypting files on the endpoint or spreading to other computers on the network. It is fully integrated with McAfee ePO and with Landesk LDMS.

Bonus points:
• Transparency to end users and their applications
• Scanning removable storage
• A free home edition is available for download

Barkly

https://www.barkly.com/

How it works: Barkly relies on proprietary behavioral analytics to detect techniques and behaviors common to all malware. An agent called Rapidvisor is installed locally on your endpoints and managed via a cloud-based portal. The agent watches in real-time across multiple levels of the system, including user space, operating system functions and CPU instructions. When Barkly detects something malicious, it stops the process and blocks the attack, notifying the end user and administrators.

What’s unique: Barkly says it is the only solution to stop advanced attacks by applying sophisticated behavioral analytics on the endpoint. It monitors processes across all levels of the system and instantly blocks malicious behaviors on the endpoint, even without an internet connection. This enables Barkly to stop new and never-before-seen attacks that traditional solutions miss.

Replace or complement: Barkly is designed to work with traditional solutions, offering another layer of protection.

Supports: Barkly supports Windows 7 on 64-bit system machines. Support for more operating systems, including Windows 10 and Windows 8.1, is coming soon.

Analytics: Barkly leverages real-time behavior analytics to identify malware while avoiding false positives.

Big brag: When CryptoWall 4.0 was released in November 2015, its signature changed, leaving millions of devices unprotected until anti-virus vendors could release an update. Barkly recognized this behavior and stopped CryptoWall 4.0 with no updates needed.

Bonus points:
• A free, 60-day Early Access program is available, but spots are limited. Register here: https://www.barkly.com/early-access
• Rapidvisor updates automatically on every connected endpoint each time a new version of Barkly is released.

Carbon Black

https://www.carbonblack.com/

How it works: Carbon Black Endpoint Security Platform is another system that combines advanced analytics and behavior recognition to stop attacks. The platform incorporates three components: an advanced analytics, data science and behavior recognition core; a lightweight endpoint sensor that records all critical activity on the endpoint, flagging malicious activity for your security team; and an element that can thwart attacks by locking down critical systems using multiple levels of application control. Each of these elements is powered by Carbon Black’s Collective Defense Cloud, which aggregates security data from more than 7 million endpoints to strengthen the entire customer base.

What’s unique: Carbon Black’s platform approach combines next-generation endpoint security with security policy controls, including the ability to whitelist applications. It also records all endpoint activity, and supports search so your team can gather security forensics and respond to attacks.

Replace or supplement: Carbon Black is a replacement for traditional anti-virus and other endpoint security solutions, but can integrate with existing SIEMs.

Supports: Windows, Mac and Linux

Analytics: Carbon Black has built-in analytics. It also integrates with existing SIEM, network security and threat intelligence solutions so you can perform user-behavioral analytics and other forms of analysis.

Big brag: Carbon Black was named “Best Endpoint Protection” in the SANS Institute’s Best of 2014 Awards.

Bonus points:
• Offers an evaluation period before purchase
• Support for whitelisting applications

CrowdStrike

https://www.crowdstrike.com/

How it works: CrowdStrike’s Falcon platform is a SaaS solution that’s built on top of a massive graph database. This allows CrowdStrike to couple machine learning with behavior-based detection and prevention to detect attacks on endpoints. It delivers both detection and response in a single endpoint agent.

What’s unique: CrowdStrike is a fully cloud-based solution. And it analyzes massive numbers of security incidents — more than 15 billion events a day, according to the company.

Replace or supplement: CrowdStrike replaces traditional anti-virus solutions.

Supports: Apple, Windows and Linux endpoints

Analytics: CrowdStrike analyzes security events, then delivers findings immediately so customers can stop an attack while it is actually happening.

Big brag: “Virtually limitless” scalability, thanks to the cloud architecture. A leading financial institution deployed 77,000 endpoint sensors globally within two hours – a task that would typically take a traditional security vendor 18 months to complete, the company notes.

Bonus points:
• Offers a free proof-of-value trial
• Deployed in more than 170 countries
• No updates required, since it’s deployed via the cloud

Secdo

http://www.sec.do

How it works: Secdo’s OS Mirroring technology proactively records all OS-level events. It also incorporates a causality engine, which uses advanced analytics to find connections between other security system alerts and endpoint events. This allows the tool to determine whether an event is suspicious behavior or a false positive. The thread-level endpoint monitoring coupled with causality analytics allows analysts to visualize the attack chain, so your security team can understand the context of any unusual activities.

What’s unique: Secdo’s solution includes an anti-ransomware deception tool that forces ransomware to reveal itself early. Once ransomware is exposed, Secdo’s proprietary technology, IceBlock, automatically freezes the ransomware before files are encrypted, thus preventing further damage. It then pinpoints the root cause for the attack, as well as the entire attack chain, including the presence of ransomware on an organization’s endpoints. Once the root cause is identified, the security team is alerted, allowing analysts to perform a forensic analysis on any of the endpoints and servers in an organization.

Replace or supplement: Secdo is an enhancement to traditional security solutions.

Supports: Windows, Mac, Linux and virtual machines

Analytics: The solution supplies detailed endpoint and server data to other systems so your security team has the full context of an attack.

Big brag: Named a Gartner Cool Vendor in 2016.

Bonus points:
• Free 30-day trial for each of the company’s solution modules
• Leverages existing SIEMs and threat intelligence investments
• Has been tested on over 50 ransomware families and over 300 variants, including common types of ransomware such as CryptoWall, TeslaCrypt and CryptoLocker

Morphisec

http://www.morphisec.com/

How it works: Morphisec takes what is typically a hacker tool — a polymorphic engine for encrypting or scrambling code — and turns the technology into a security shield for an application. It calls this Moving Target Defense technology; essentially it conceals vulnerabilities and web browsers by making memory space unpredictable to attackers. This stops attacks from running, according to the company, and is managed with a Dynamic Link Library (DLL) agent that sits on endpoints. This means it doesn’t require signature updates or learning algorithms.

What’s unique: Its use of a polymorphic engine as a security tool. Morphisec says it’s also proven popular in companies with a big usage of VDI, Citrix and Xenapp.

Replace or supplement: Morphisec augments endpoint security, offering protection against advanced attacks such as zero-day attacks, ransomware, APTs and unpatched vulnerabilities.

Supports: Windows-based endpoints and servers, both virtual and physical

Analytics: Protector Morphisec Dashboard supports role-based views so users can view attacks, view and filter attack information, and obtain insights for conducting forensic analysis. The company is also developing a real-time crowdsourced investigation and threat intelligence product to help identify and stop attacks faster.

Big brag: Morphisec was named a 2016 Gartner Cool Vendor in Security for Technology and Service Providers.

Bonus points:
• Currently offers a free trial
• Offers proof of concepts
• Protects against file-less attacks, which inject malicious code into legitimate operating system services like Windows PowerShell
• Installs without requiring a reboot

SentinelOne

http://www.sentinelone.com

How it works:SentinelOne learns normal registry behavior and then monitors for specific deviant behaviors, such as attempting to maintain persistence, modify a registry or interject code into processes. This allows it to protect against all major attack vectors, including file-less malware and insider attacks. It does this using a lightweight agent that sits on the endpoint. SentinelOne also eliminates threats upon detection with fully automated, integrated mitigation and remediation capabilities and real-time forensics.

What’s unique: Sentinel’s Dynamic Behavior Tracking engine uses machine learning and sophisticated pattern-matching algorithms to detect threats on the endpoint itself.

Replace or supplement: SentinelOne Endpoint Protection and Critical Server Protection platforms are complete and certified replacements for anti-virus, the company states.

Supports: Windows, iOS, OSX, Android and Linux endpoints

Analytics: SentinelOne offers integration with popular SIEM solutions, with support for standard data export formats.

Big brag: A global cosmetics company deployed SentinelOne Endpoint Protection (EPP) across 3,000 endpoints, replacing a legacy AV product. It caught every subsequent ransomware threat and saved the company 72 man-hours per week spent on desktop support, re-imaging infected laptops. The customer now plans to deploy SentinelOne’s Critical Server Protection Platform across 5,000 servers.

Bonus points for:
• Includes a rollback capability that can restore any files modified or deleted by ransomware or other attacks
• Detects insider attacks
• Already certified by third-party AV testing organization AV-TEST

TrustPipe

http://trustpipe.com/

How it works: TrustPipe compares its approach to DNA markers. After analyzing terabytes of data on malicious attacks and harmless traffic, the company identified a template of about 1,000 markers for malware. It distilled these markers into a lightweight client that sits on the endpoint and maps every digital conversation against those markers. If a marker set is a match, the attack is stopped while the code is still being transmitted — and before the attack can launch. It also looks for unique indicators that show when a machine has been compromised and automatically stops the endpoint from transmitting that the attack worked, seals off the compromised instance of the services and creates a new marker set so the endpoint won’t fall to that attack again.

What’s unique: TrustPipe relies completely on the endpoint agent without additional software. Because it uses common attack markers, it can go months without requiring an update. Trustpipe also goes to market through partners, rather than selling as a standalone solution.

Replace or supplement: It is marketed as a supplement to existing solutions because it does not collect forensics or identify attacks.

Supports: Linux, Macs and Windows OSes, including XP

Analytics: No

Big brag: TrustPipe was one of 33 cybersecurity companies out of more than 450 secretly-nominated candidates to present at the Office of the Secretary of Defense’s Rapid Reaction Technology Office (RRTO) DoD-Cyber Solutions Meeting in July.

Bonus points for:
• Low maintenance approach

The post Best Next-Gen Endpoint Security Solutions appeared first on eSecurity Planet.