Archive for the ‘Tips & Talk’ Category

Partnering with the industry to minimize false positives

August 16th, 2018

Every day, antivirus capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) protect millions of customers from threats. To effectively scale protection, Windows Defender ATP uses intelligent systems that combine multiple layers of machine learning models, behavior-based detection algorithms, generics, and heuristics that make a verdict on suspicious files, most of the time in a fraction of a second.

This multilayered approach allows us to proactively protect customers in real time, whether by stopping massive malware outbreaks or by detecting limited, sophisticated cyberattacks. This quality of antivirus capabilities is reflected in the consistently high scores that Windows Defender ATP gets in independent tests and in the fact that our antivirus solution is the most deployed in the enterprise.

The tradeoff of an intelligent, scalable approach is that some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are rare compared to the large number of malware samples we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have. Keeping false positives at a minimum is an equally important quality metric that we continually work to improve.

Avoiding false positives is a two-way street between security vendors and developers. Publishing apps to the Microsoft Store is the best way for vendors and developers to ensure their programs are not misclassified. For customers, apps from the Microsoft Store are trusted and Microsoft-verified.

Here are other ways developers can raise the level of trust from both security vendors and customers and help make sure programs and files are not inadvertently detected as malware.

Digitally sign files

Digital signatures are an important way to ensure the integrity of software. By verifying the identity of the software publisher, a signature assures customers that they know who provided the software they're installing or running. Digital signatures also assure customers that the software they received is in the same condition as when the publisher signed it and has not been tampered with.

Code signing does not guarantee the quality or functionality of software. Digitally signed software can still contain flaws or security vulnerabilities. However, because software vendors' reputations are based on the quality of their code, there is an incentive to fix these issues.

We use the reputation of digital certificates to help determine the reputation of files signed by them. The reverse is also true: we use the reputation of digitally signed files to determine the reputation of the digital certificates they are signed with. One of the most effective ways for developers to reduce the chances of their software being detected as malware is to digitally sign files with a reputable certificate.

The second part of reducing the risk of unintended detection is to build a good reputation on that certificate. Microsoft uses many factors to determine the reputation of a certificate, but the most important are the files that are signed by it. If all the files using a certificate have good reputation and the certificate is valid, then the certificate keeps a good reputation.

Extended validation (EV) code signing certificates are a more advanced form of digital certificate: issuing one requires a more rigorous vetting process, with comprehensive identity verification and authentication of each developer. EV code signing certificates also require the private key to be held in hardware when signing applications, which is an additional protection against theft or unintended use of the certificate. Programs signed with an EV code signing certificate can immediately establish reputation with Windows Defender ATP even if no prior reputation exists for that file or publisher.
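The signing and verification steps described above, as an added PowerShell example that is not code from the original post. It audits the Authenticode state of every binary in a release folder, signs only the files that are still unsigned (a file whose existing signature no longer matches its content is reported, not re-signed, because that is exactly the tampering a signature is meant to expose), and embeds the full chain plus a timestamp so the signature stays valid after the certificate expires. The folder path, certificate thumbprint and timestamp server URL are assumptions; substitute your own.

```powershell
# Added example, not code from the original post. Audits Authenticode
# signatures on release binaries and signs the unsigned ones with a single
# code-signing certificate from the current user's store.
# $Folder, $Thumbprint and $TimestampUrl are assumptions; replace them.

$Folder       = 'C:\Build\Release'                           # assumed build output folder
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed signing cert thumbprint
$TimestampUrl = 'http://timestamp.digicert.com'              # assumed timestamp server

# Report the signature state of every PE/MSI under the folder.
# Status is a SignatureStatus value: Valid, NotSigned, HashMismatch,
# NotTrusted, UnknownError, NotSupportedFileFormat or Incompatible.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Include *.exe, *.dll, *.msi -Recurse -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($cert) { $cert.Subject }  else { '' }
                Issuer      = if ($cert) { $cert.Issuer }   else { '' }
                NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
                # A countersignature from a timestamp authority lets the
                # signature verify after the signing certificate has expired.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

# Sign every unsigned binary with the one release certificate (SHA-256
# digest, full chain embedded, timestamped). Files with a broken or
# untrusted signature are reported and left alone for investigation.
function Invoke-ReleaseSigning {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertThumbprint,
        [Parameter(Mandatory)][string]$TimestampServer
    )

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $CertThumbprint }
    if (-not $cert) { throw "No code-signing certificate with thumbprint $CertThumbprint" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no usable private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $CertThumbprint has expired" }

    foreach ($entry in Get-SignatureReport -Path $Path) {
        switch ($entry.Status) {
            'Valid'     { continue }
            'NotSigned' {
                $result = Set-AuthenticodeSignature -FilePath $entry.File `
                    -Certificate $cert -HashAlgorithm SHA256 `
                    -IncludeChain All -TimestampServer $TimestampServer
                if ($result.Status -ne 'Valid') {
                    Write-Warning "Signing failed for $($entry.File): $($result.StatusMessage)"
                }
            }
            default {
                # HashMismatch means the bytes changed after signing; do not
                # paper over it with a fresh signature.
                Write-Warning "Not signing $($entry.File): signature status is $($entry.Status)"
            }
        }
    }
}

# Usage: sign the release, then confirm nothing is left unsigned or tampered.
Invoke-ReleaseSigning -Path $Folder -CertThumbprint $Thumbprint -TimestampServer $TimestampUrl
Get-SignatureReport -Path $Folder | Format-Table -AutoSize
```

Run the report on its own against a vendor's download folder to see the same facts SmartScreen and antivirus reputation systems start from: whether a file is signed, by which subject and issuer, and whether the signature is timestamped. Keeping one certificate per product, as the next section advises, makes that report the boundary of what a stolen key or a bad component can taint.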

Keep good reputation

To gain positive reputation on multiple programs and files, developers sign files with a digital certificate with positive reputation. However, if one of the files gains poor reputation (e.g., detected as malware) or if the certificate was stolen and used to sign malware, then all of the files that are signed with that certificate will inherit the poor reputation. This situation could lead to unintended detection. This framework is implemented this way to prevent the misuse of reputation sharing.

We thus advise developers not to share certificates between programs or with other developers. This advice particularly holds true for programs that incorporate bundling or use advertising or freemium models of monetization. Reputation accrues: if a software bundler includes components that have poor reputation, the certificate the bundler is signed with gets the poor reputation.

Be transparent and respect users' ability to choose

Malware threats use a variety of techniques to hide. Some of these techniques include file obfuscation, installing into nontraditional install locations, and using names that don't reflect the purpose of the software.

Customers should have choice and control over what happens on their devices. Using nontraditional install locations or misleading software names reduces user choice and control.

Obfuscation has legitimate uses, and some forms of obfuscation are not considered malicious. However, many techniques are only employed to evade antivirus detection. Developers should refrain from using non-commercial packers and obfuscation software.

When programs employ malware-like techniques, they trigger flags in our detection algorithms and greatly increase the chances of false positives.

Keep good company

Another indicator that can influence the reputation of a file is the set of other programs the file is associated with. This association can come from what the program installs, what is installed at the same time as the program, or what is seen on the same machines as the file. Not all of these associations directly lead to detections; however, if a program installs other programs or files that have poor reputation, then by association that program gains poor reputation.

Understand the detection criteria

Microsoft's policy aims to protect customers against malicious software while minimizing the restrictions on developers. The high-level evaluation criteria Microsoft uses for classifying files (shown as a diagram in the original post) are:

  • Malicious software: Performs malicious actions on a computer
  • Unwanted software: Exhibits the behavior of adware, browser modifier, misleading, monitoring tool, or software bundler
  • Potentially unwanted application (PUA): Exhibits behaviors that degrade the Windows experience
  • Clean: We trust the file is not malicious, is not inappropriate for an enterprise environment, and does not degrade the Windows experience

These evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Developers should make sure their programs and files don't demonstrate undesirable characteristics or behavior, to minimize the chances that their programs are misclassified.

Challenging a detection decision

If you follow these pieces of advice and we unintentionally detect your file, you can help us fix the issue by reporting it through the Windows Defender Security Intelligence portal.

Customer protection is our top priority. We deliver this through Windows Defender ATP's unified endpoint security platform. Helping Microsoft maintain high-quality protection benefits customers and developers alike, allowing for an overall productive and secure computing experience.

Michael Johnson

Windows Defender Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today's security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and the File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars and Microsoft Edge's navigation bar. Unauthorized applications are blocked from single sign-on with work credentials. WIP also includes the ability to perform a selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. They let you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases has options (overrides) to move work content to a non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can configure less and still benefit from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means that when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you're ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn't know were used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP's simple business vs. personal information classification system ensures simplicity and ease of use.

USB flash drives aren't the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management: Intune quick setup, WIP Learning for Apps, and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) can be found in the following resources:

Building a world without passwords

Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them: a world without passwords.

In this blog, we will provide a brief insight into how we at Microsoft have been thinking about solving this problem along with details on solutions that you can try out today.

Password-less

When we think about creating a world without passwords, we want to deliver on two key promises:

  1. User promise: End-users should never have to deal with passwords in their day-to-day lives.
  2. Security promise: User credentials cannot be cracked, breached, or phished.

Passwords have been a big part of our digital lives, and to fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good: they are familiar, portable, and easy to provision.

Figure 1. Passwords – Pros vs cons

At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.

So how are we going about it? Well, we break this up into discrete buckets:

Figure 2: Password-less strategy

  1. Develop password-replacement offerings, i.e., replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes.
  2. Reduce the user-visible password surface area, i.e., upgrade all experiences related to the entire life-cycle of a user's identity (including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, recovery, etc.) and ensure these work with password replacements (#1).
  3. Simulate a password-less world, i.e., enable end users and IT admins to simulate and transition into a password-less world with confidence.
  4. Eliminate passwords from the identity directory, i.e., the final frontier: delete passwords from the identity directory.

For more details, watch Microsoft's Guide for going password-less.

Here's a quick overview of some of the solutions that you can try out today and how they map to the strategy above.

Password-replacement offerings

Windows Hello

Here's a video that provides a quick overview of Windows Hello, how it is more secure than passwords, and some of the newest enhancements.

Windows Hello is being used by over 47 million users worldwide. More than 5,000 businesses have deployed Windows Hello for Business, with adoption on over one million commercial devices.

For more details, refer to www.aka.ms/whfb

Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users and that provisioning Windows Hello is not ideal. To that end, we have been working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios.

Microsoft Authenticator app

The Microsoft Authenticator app enables users to authenticate to their Microsoft account using their mobile phone. It is built on secure technology similar to that used by Windows Hello, and packages it into a simple app on your mobile device.

Here's a video that provides a quick overview of the Microsoft Authenticator app.

To download the app and learn more, please go to Microsoft Authenticator.

Windows Hello and our mobile Authenticator app are both great alternatives to passwords. To create a world without passwords, we need an interoperable solution that works across all industry platforms and browsers.

Windows Hello and FIDO2 security keys

Microsoft has been aligned with the Fast Identity Online (FIDO) Alliance from the start. The alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use strong credential. With the recent ratification of FIDO2 by the FIDO Alliance, we're updating Windows Hello to enable secure authentication for many new scenarios.

For more details, please check out our latest blog, Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices.

Whats new in the Windows 10 April 2018 Update?

Among many new and exciting features in the Windows 10 April 2018 Update, we set out with the goal to deliver an end-to-end product experience that's password-less ready. With Windows 10 in S mode, we are enabling our cloud users (Microsoft account or Azure Active Directory) to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords. That's right. Here's how you can try it out.

Windows 10 in S mode: Password-less!

  1. Set up your Authenticator app

    1. Install the Microsoft Authenticator app on your mobile device.
    2. Set it up with your Microsoft account (MSA) and/or Azure Active Directory (Azure AD) account.

Note: Upgrade your default way of authenticating from using a password to the Microsoft Authenticator app by clicking Use the Microsoft Authenticator app instead on the login page.

Figure 3: Select Microsoft Authenticator as default sign-in option

  2. Set up your Windows 10 PC with S mode enabled

    1. Install the Windows 10 April 2018 Update with S mode enabled.
    2. Proceed through OOBE and set up your account.
    3. Use the Microsoft Authenticator app to sign in to your account. No passwords required!

Note: If you are prompted for a password on this screen, click the Use the Microsoft Authenticator app instead link.

Figure 4: Windows 10 S OOBE with Microsoft Authenticator app

  3. Set up Windows Hello

Figure 5: Windows Hello provisioning

  4. That's it! Your Windows 10 PC is password-less! Just use your device like you normally do.

    1. Access/SSO to your apps and websites will continue to work. No passwords required!

Figure 6: Access apps and websites seamlessly

    2. You will notice that you'll be required to use Windows Hello (PIN, face, fingerprint) to sign in to or unlock your PC. No passwords!

Figure 7: No passwords under Sign-in options for Windows

    3. The password credential provider will no longer be enumerated for Windows scenarios.

In summary, you will be able to set up a brand-new device, provision Windows Hello, log in, lock/unlock, use your favorite apps and websites without ever having to enter a password!

Security Keys for Windows Hello (Private preview for Azure AD-joined shared PCs)

FIDO2 security keys allow you to carry your credential with you and safely authenticate to an Azure AD-joined Windows 10 shared PC that's part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way: no need to enter a username and password or set up Windows Hello beforehand.

See how it works in this video:

The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.

While we still have a way to go before we can claim victory, with the incredible lineup of products and features in our portfolio along with those in the works, we are confident that we will get there soon. Please send us your comments, questions, and feedback at pwdless@microsoft.com.


Karanbir Singh
Principal Program Manager, Enterprise & Security

Teaming up in the war on tech support scams

(Editor's note: Erik Wahlstrom spoke about the far-reaching impact of tech support scams and the need for industry-wide cooperation in his RSA Conference 2018 talk, Tech Scams: It's Time to Release the Hounds.)

Social engineering attacks like tech support scams are so common because they're so effective. Cybercriminals want to bilk users out of their money. They can spend a great deal of time and energy attacking the security of a device: brute-forcing passwords, developing custom and sophisticated malware, and hunting down vulnerabilities to exploit. Or they can save themselves the trouble and convince users to freely give up access to their devices and sensitive information.

Microsoft has built the most secure version of its platform in Windows 10. Core OS technologies like virtualization-based security, kernel-based mitigations, and the Windows Defender ATP stack of security defenses make it much more difficult for exploits, malware, and other threats to infect devices. Every day, machine learning and artificial intelligence in Windows Defender ATP protect millions of devices from malware outbreaks and cyberattacks. In many cases, customers may not even know they were protected. Windows 10 S, a special configuration of Windows 10, takes this even further by only running apps from the Microsoft Store, effectively preventing the vast majority of attacks.

Protect yourself from tech support scams

  • Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
  • Remember, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
  • Don't call the number in pop-ups. Microsoft's error and warning messages never include a phone number.

The Windows 10 security stack greatly increases the cost for attackers. Many cybercriminals instead choose to target the humans in front of the PCs. It can sometimes be easier to convince users to willingly share their passwords, account info, or to install hazardous apps onto their device than to develop malware and steal info unnoticed.

Scammers continue to capitalize on the proven effectiveness of social engineering to perpetrate tech support scams. These scams are designed to trick users into believing their devices are compromised or broken. They do this to scare or coerce victims into purchasing unnecessary support services.

To help protect customers from scammers, we continue to enhance antivirus, email, URL blocking, and browser security solutions. However, given the scale and complexity of tech support scams, how can the security industry at large work together to deal a major blow to this enduring threat?

Still a growing global problem

In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.

Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of €89,000 during a tech support scam in the Netherlands.

Figure: Tech support scams reported to Microsoft

In a 2016 survey sponsored by Microsoft, two in three respondents reported experiencing some form of tech support scam in the previous 12 months, with nearly one in ten losing money.

However, as with many social engineering attacks, it's tricky to put an absolute number to the problem. The figures above represent reports to Microsoft. The problem is much bigger, given that tech support scams target customers of various other devices, platforms, and software.

An organized cybercriminal enterprise

Tech support scams come in several forms, but they share a common attack plan.

Scammers initiate these social engineering attacks in many ways, including:

  • Scam websites that use various tactics including browser dialog traps, fake antivirus detecting fake threats, and fake full-screen error messages. Scammers lead potential victims to these websites through ads, search results, typosquatting and other fraudulent mechanisms.
  • Email campaigns that use phishing-like techniques to trick recipients into clicking URLs or opening malicious attachments
  • Malware thats installed on computers to make system changes and display fake error messages
  • Unsolicited phone calls (also known as cold calls), which are telemarketing calls from scammers that pretend to be from a vendors support team

The complete attack chain shows that these attacks lead to the same goal of getting customers in contact with a call center. Once connected, a fake technician (an experienced scammer) convinces the victim of a problem with their device. They often scare victims with urgent problems requiring immediate action. They instruct victims to install remote administration tools (RATs), which provide the scammers access to and control over the device.

Figure: Tech support scam attack chain

From this point on, scammers can make changes to the device or point out common non-critical errors, and present these as problems. For example, scammers are known to use Event Viewer to show errors or netstat to show connections to foreign IP addresses. The scammers then attempt to make the sale. With control of the device, scammers can make a compelling case about errors in the device and pressure the victim to pay.

An industry-wide problem requires industry-wide action

The tech support scam problem is far-reaching. Its impact spans various platforms, devices, software, and services. Examples include:

  • Tech support scams targeting specific platforms like Windows, macOS, iOS, and Android
  • Tech support scam websites that imply a formal relationship or some sort of approval by well-known vendors
  • Fake malware detection from programs or websites that mimic various antivirus solutions
  • Customized tech support scams that tailor messages and techniques based on geography, OS, browser, or ISP

As in many forms of social engineering attacks, customer education is key. There are tell-tale signs: normal error and warning messages should not have phone numbers, most vendors don't make unsolicited phone calls to fix a device, etc. To help protect and educate Microsoft customers, we have published blogs, websites, videos, and social media campaigns on the latest tech support scam trends and tactics. We have also empowered customers to report tech support scams.

Beyond customer education, the scale and complexity of tech support scams require cooperation and broad partnerships across the industry. The Microsoft Digital Crimes Unit (DCU) works with law enforcement and other agencies to crack down on scammers.

We have further built partnerships across the ecosystem to make a significant dent on this issue:

  • Web hosting providers, which can take down verified tech support scam websites
  • Telecom networks, which can block tech support scam phone numbers
  • Browser developers, who can continuously thwart tech support scam tactics and block tech support scam websites
  • Antivirus solutions, which can detect tech support scam malware
  • Financial networks, which can help protect customers from fraudulent transactions
  • Law enforcement agencies, who can go after the crooks

We seek to continue expanding and enriching these partnerships. While we continue to help protect customers through a hardened platform and increasingly better security solutions, we believe its high time for the industry to come together and put an end to the tech support scam problem. Together, we can make our customers lives easier and safer.

Erik Wahlstrom
Windows Defender Research Project Manager


SSN for authentication is all wrong

October 23rd, 2017

Unless you were stranded on a deserted island or participating in a zen digital fast chances are youve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes an important part of the conversation was lost: if we didnt misuse our social security numbers, losing them wouldnt be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that Ive met in my travels, dont understand the difference between identification and verification. In the real world, conflating those two points doesnt often have dire consequences. In the digital world, its a huge mistake that can lead to severe impacts.

Isnt it all just authentication you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason its so hard for many of us to separate identification and verification is that historically we havent had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase (for example, when you have to bring a birth certificate to the DMV to get your initial driver's license) and ongoing identification, like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! It worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kid's soccer game and refusing to tell them your name for security reasons. How about: "Oh, your new puppy is so adorable, what's her name?" And you respond, "If I told you, I'd have to kill you." Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you'd still have a heck of a time finding the right address, wouldn't you?

Now that we're clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

  • Public
  • Unchanging
  • Unique

In a town or on a public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you've never met before? Ask them to prove it!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it's very hard to forge a whole person, or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren't great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too, which can lead to some fun calls with customer service: "Oh, the town where I was born? It's: xja*21njaJK)`jjAQ^." At this point in time our father's middle name, first pet's name, the town where we were born, the school we went to and our address history should be assumed public; using them as secrets for verification doesn't make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldn't change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, you'd probably agree that the best digital verifiers are:

  • Private
  • Easily changed
  • Unique
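The user ID / password split described above, as an added example that is not code from the original post: a small Python credential store in which the identifier is a public, stable lookup key and the verifier is a private, per-service, rotatable secret that is kept only as a salted PBKDF2 hash. The SSN-like value, the three service names and the passwords are all constructed for the demo; `blast_radius` is a hypothetical helper that shows why a verifier reused across services is the real problem when one of them is breached.

```python
"""Identifier vs. verifier in a small credential store.

Added example (not from the original post). It assumes a toy, in-memory
relying party per service: the identifier is a public, stable lookup key;
the verifier is a private, per-service, rotatable secret stored only as a
salted PBKDF2 hash, so a breach of the store leaks no reusable secret.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed, fictitious SSN-like identifier used purely as a public key.
SAMPLE_ID = "123-45-6789"

# Kept low so the demo runs quickly; real deployments use far more rounds.
ITERATIONS = 50_000


class CredentialStore:
    """One store per relying party (a website or app)."""

    def __init__(self, service: str) -> None:
        self.service = service
        # identifier -> (salt, hash); the plaintext verifier is never stored.
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)

    def enroll(self, identifier: str, secret: str) -> None:
        """Bind a private verifier to a public identifier."""
        # A verifier must be private: the identifier itself (or a trivially
        # reformatted copy of it) is public and cannot serve as the secret.
        if secret.replace("-", "") == identifier.replace("-", ""):
            raise ValueError("verifier must not be the public identifier")
        salt = os.urandom(16)  # fresh salt per enrollment, so hashes differ per service
        self._records[identifier] = (salt, self._digest(secret, salt))

    def verify(self, identifier: str, secret: str) -> bool:
        """Answer 'prove it!' for a claimed identifier."""
        rec = self._records.get(identifier)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(self._digest(secret, salt), expected)

    def rotate(self, identifier: str, old: str, new: str) -> bool:
        """Replace the verifier; the identifier stays exactly as it was."""
        if not self.verify(identifier, old):
            return False
        self.enroll(identifier, new)
        return True


def blast_radius(stores: List[CredentialStore], identifier: str, leaked: str) -> List[str]:
    """Hypothetical helper: services at which a leaked secret still verifies."""
    return [s.service for s in stores if s.verify(identifier, leaked)]


def demo() -> Tuple[List[str], List[str]]:
    """Reuse one verifier at two of three constructed services, leak it, rotate one.

    Returns the blast radius before and after the rotation at 'bank'.
    """
    bank, loans, health = (CredentialStore(n) for n in ("bank", "loans", "health"))
    bank.enroll(SAMPLE_ID, "correct horse battery")
    loans.enroll(SAMPLE_ID, "correct horse battery")   # reused: the bad habit
    health.enroll(SAMPLE_ID, "staple nine lanterns")    # unique to this service
    leaked = "correct horse battery"                     # say 'loans' was breached
    stores = [bank, loans, health]
    before = blast_radius(stores, SAMPLE_ID, leaked)     # ['bank', 'loans']
    bank.rotate(SAMPLE_ID, leaked, "new bank-only secret")
    after = blast_radius(stores, SAMPLE_ID, leaked)      # ['loans']
    return before, after


if __name__ == "__main__":
    print(demo())
```

The identifier never changes and is looked up in the clear across all three stores, which is exactly what a public, unchanging, unique identifier is for; the verifier is what gets salted, hashed and rotated, and `enroll` refuses to accept the identifier itself as the secret.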

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think: is your SSN a better identifier or verifier?

Top Five Security Threats Facing Your Business and How to Respond

This post was authored by Ann Johnson, Vice-President, Enterprise Cybersecurity Group

Headlines highlighting how vulnerable we are to cyber threats are now all too commonplace. The statistics on security events and successful network breaches continue a trend that favors attackers. These bad actors are getting faster at network compromise and data theft while their dwell times inside networks have increased to over 200 days according to most of the major annual cybersecurity reports. The result of these voluminous and persistent threats has been hundreds of millions of dollars in lost business alone without counting the long term costs of diminished customer and citizen confidence.

Still, organizations may face even greater risks as they try to fend off sophisticated attackers against a backdrop of an ever expanding network footprint. The new network now includes myriads of personal devices, virtualized workloads, and sensors that represent rapidly increasing points of connectivity as well as potential compromise.

When considering these trends, it is clear that the traditional means of protecting organizations are not as effective as they once were. Static access controls like firewalls and intrusion prevention systems placed at network ingress and egress points are being easily evaded by attackers because the communication paths in and out of networks are too complex and dynamic. Also, broad use of personal devices inside corporate networks has dissolved what used to be a hardened network boundary. We no longer conduct business within a perimeter of highly controlled, corporate-issued end user devices that gain access only under the strictest of authentication and authorization controls. Instead, the modern enterprise enables dynamic communities of employees, contractors, business partners and customers, as well as their data and applications, all connected by an agile digital fabric that is optimized for sharing and collaboration.

In today's networks, then, we have to consider that identity is the new perimeter to be protected. Identity in this case does not mean only the device and its physical location but also the data, applications and user information it contains. Given that 60% of all breaches still originate at an endpoint compromised through a phishing scam or social engineering attack, it is no wonder that a risk mitigation strategy with identity at its center is top of mind for many business and technology leaders.

In fact, cybersecurity is a boardroom level agenda item today. Business leaders want to ensure that they have in place the investments necessary to protect intellectual property and customer data, keeping their businesses out of the headlines that damage reputation and affect profitability. CIOs and CISOs feel caught between seemingly opposing goals of enabling digital transformation while protecting data and intellectual property at all times. These are concerns they share with their teams in IT and operations, who feel equally burdened to balance performance and accessibility with rightful and appropriate resource use. Cybersecurity, as we have all come to understand, can be either a critical barrier or a key enabler to an organization's ability to be productive. Current top of mind concerns for protecting the modern enterprise coalesce around 5 key areas: infrastructure, SaaS, devices, identity and response.

1. Infrastructure – The public cloud offers unlimited potential for scaling business. On-demand compute and storage are only a small portion of the benefits of a highly agile IT environment. Easy access to applications, services and development environments promises to redefine business agility. Naturally, more and more organizations are taking critical workloads to the public cloud. Still the migration to an environment that is provisioned and managed by a non-organizational stakeholder creates new security challenges. So the top of mind question is: “How do I secure my cloud resources?”

Going to the cloud does not mean relinquishing security control or accepting a security posture that is less secure for cloud-hosted workloads relative to on-premises ones. In fact, the selection of cloud provider can mean having access to the very latest in security technologies, even more granular control and faster response than is possible with security in traditional networks. As a first step, security stakeholders need to understand how sensitive and compliance-bound their cloud-hosted workloads and data are. They should then opt for access controls that limit use to only that which is business appropriate and emulate those access policies already in place for on-premises workloads. Enrolling in cloud workload access monitoring will also ensure that any events which deviate from desired security policies can be flagged as indicators of possible compromise. Cloud users should also be familiar with the security technologies offered by their provider, whether native or through partnership. This gives cloud users options for implementing the kind of multi-tiered security architecture required to ensure least privilege access, inspect content and respond to potential threats.

Key takeaways

  • Monitor workload access and security policies in place
  • Identify deviations from security policies and indicators of possible compromise
  • Deploy new security controls appropriate for your cloud environment

2. SaaS – Whether a business is hosting critical workloads in the public cloud or not, its employees are surely using applications there. The convenience and ubiquity of these applications means broad user adoption for the ease of information sharing and collaboration they enable. As a result, important, security- and compliance-sensitive data may be making its way to the public cloud without security stakeholder knowledge. The question from businesses then is: “How do I protect my corporate data?”

Organizations want to make sure their employees are as productive as they can be. To that end many are allowing them to bring their own devices and even their own applications into the network. This agility comes with some added security risk. Fortunately, there are ways to mitigate it. Ultimately the goal is to derive all of the benefits these SaaS applications offer without violating company use and compliance policies for data sharing and storage. Additionally, firms must ensure that employees' use of SaaS apps does not unwittingly enable data exfiltration by bad actors. Limiting risk comes down to enacting a few of the basics that ensure safe use. For starters, there's a need to identify which SaaS applications are in use in the network and whether they are in line with company policy or on a safe list. Granular access rights management will limit the use of even the safe apps to those persons who have a business need for them. Where possible, policies should be in place that require data to be encrypted when at rest, especially if it is being stored in the cloud. Having the ability to periodically update the safe lists of apps and monitor all use can alert security administrators when unsanctioned applications appear among an organization's communications. With these types of facilities in place, stakeholders may be promptly alerted to unsanctioned application use. At times, unwanted application use will be detected. This is the time to block those applications, modify or deprecate privileges allowing access to them and, as a further precaution, remotely wipe or delete data stored through use of those applications.

Key takeaways

  • Apply rights management, identify unsanctioned apps, contain, classify and encrypt data
  • Be notified of unauthorized data access or attempts
  • Block suspicious apps, revoke unauthorized access and remotely wipe company data

3. Devices – Smartphones, tablets, self-sourced laptops: these are the new network perimeter and at times its weakest links. Whether owned by the organization or not, they most certainly contain business valuable data that is at high risk. Because mobile devices often connect from public networks and may not have the most up to date protections, these endpoints are popular targets for the installation of botnets or malware. Use of personally sourced devices is a new and seemingly permanent reality, prompting organizations to broadly ask “How do I keep company information secure?”

Many years ago, risk from mobile devices was ameliorated by installed agents and thick clients that provided security controls right on the device itself in a centralized way. Today, with employee self-sourced devices, the installation of such clients is not always feasible. Still, today's security administrators have to accommodate a heterogeneous end-user device environment comprised of various form factors and OSes while applying consistent and organizationally sanctioned controls to all of them. A cloud-based approach can provide a lot of flexibility and control here. From the cloud, endpoint connectivity to network resources can be centrally managed through security policies that restrict where devices can go based on their security posture, installed protections or location-based access rights. Command of devices from a central location ensures not only consistent policy enforcement but also automation, so that when anomalous device behaviors or connection patterns are detected, centralized command can restrict access, quarantine the affected device and even wipe it clean so that the threat is fully contained.

Key takeaways

  • Manage company and personal devices to classify and encrypt data to ensure compliance
  • Automatically identify compromised or questionable end points
  • Quickly respond to quarantine, wipe and remediate compromised devices

4. Identity – Despite all of the investments organizations make in security and threat mitigation, identity will be compromised. The latest data tells us that way too many of us click on links and attachments that we should not. From that point on, the bad actor has gained a foothold in the network and may set about moving laterally, looking for sensitive information to steal while impersonating the legitimate user. This common scenario is what makes many businesses ask: “How can I ensure identity protection?”

All of the major cybersecurity reports and indices point to this as the most common component of a data breach – the stolen identity. A security strategy for any organization or business needs to have this as a central tenet. The protection and management of credentials that give resource access to customers, employees, partners and administrators is foundational to sound security practice. Implementing multi-factor authentication broadly for all applications and services is a good starting point. It should nevertheless be complemented by facilities for monitoring authentication and authorization events not only for users but also and especially for privileged users and administrators. This type of monitoring offers t