If there was ever any doubt about the importance of securing employee credentials, Verizon's 2015 Data Breach Investigations Report drives the point home.
About half (50.7%) of the web application attacks analyzed for 2014 were carried out by attackers logging in with stolen credentials (the report covers 79,790 security incidents and 2,122 confirmed data breaches). Even more startling, in 95% of those incidents the credentials were harvested from user devices outside the company's own network, then used to log in to the company's web applications.
In fact, stolen or compromised credentials were at the root of many recent high-profile data breaches like Target and eBay. "Credentials are literally the keys to the digital kingdom, and a high-value target for attackers," the report says.
And it's not just your own employees' credentials that you have to worry about, but your vendors' and partners' credentials into your systems, as well. The massive data breach at the U.S. Office of Personnel Management was traced back to a contractor that federal agencies used to conduct background checks, which gave hackers the credentials needed to access sensitive employee data held by the OPM, the agency director confirmed in June. Target's data breach was blamed on network credentials that were stolen from a third-party vendor, an HVAC subcontractor that had worked at several Target locations. Home Depot, CVS and Costco have also pointed to third-party vendors as the culprits in their data breaches.
Attacks like these, where thieves compromise one organization as a stepping stone to a different target, made up nearly two-thirds of web attacks in 2014. A related tactic, the Strategic Web Compromise (or "watering hole," where an attacker plants malware on a site its intended victims are known to visit), is also on the rise. You might be thinking, 'That won't happen to me. My company isn't big enough' or 'We don't have any really valuable information that an attacker would want.' But Verizon says that with the uptick in secondary attacks, "few industries fully escape the attention of criminal empires." (Yes, the cybercrime industry is that big in some countries.)
What can be done about it? Verizon recommends that companies improve authentication with a second factor, such as a hardware token or mobile app. We wholeheartedly agree.
Multi-factor authentication requires a user to prove their identity in more than one way, for example by entering a time-based one-time code shown on a key fob in addition to a password. Today, newer MFA technologies use mobile devices such as phones and watches to replace the key fob hardware. Mobile-based multi-factor authentication is much more cost effective, and it's easier to implement and integrate into a single sign-on environment. Perhaps most importantly, it provides a superior user experience.
With mobile-based MFA, the user simply approves a prompt with a swipe, or enters the current code displayed by the MFA app on their mobile device. Once the user has authenticated with this second factor, they can access their apps. One caveat worth teaching users: approve a prompt only for a login you actually started, since an unexpected prompt means someone else has your password and is trying to use it.
Does MFA really make a difference? The proof is in the pudding. Verizon ranked 10 critical security controls by the percentage of confirmed incidents each could have stopped. Two-factor authentication topped the list, tied with patching web services. That's serious food for thought: many data breach incidents could have been prevented with multi-factor authentication. Clearly MFA is an area where enterprises can close a huge security hole immediately.
PingID is a multi-factor authentication solution that enables users to authenticate to applications via a swipe on their phone, a tap on their Apple Watch, a one-time password delivered by voice or SMS, or by using a hard token like YubiKey. It's easy to use for both end users and IT administrators, and it allows companies to implement strong authentication to legacy and cloud applications using a mobile app.
Don't become a statistic in Verizon's next data breach report. MFA is a quick win in the ongoing battle against attacks.