This past year provided many important lessons in online security and protection. Based on these lessons and because of the numerous cyberattacks and threats in 2011, many organizations and businesses are currently revamping their online security guidelines and systems in an effort to improve authentication compliance and abide by authentication best practices.
In January, the Federal Financial Institutions Examination Council (FFIEC) recent updates to its Authentication Guidelines went into effect, requiring up-to-date and strong authentication compliance for financial institutions. The purpose of the guidelines is to “provide a risk management framework for financial institutions offering Internet-based products and services to their customers. Institutions should use effective methods to authenticate the identity of customers and that the techniques employed should be commensurate with the risks associated with the products and services offered and the protection of sensitive customer information” (See BankInfoSecurity for more information).
The Department of Defense (DoD) has also made updates to its authentication program, the Joint Personnel Adjudication System (JPAS). JPAS is a centralized security program that helps protect against unauthorized access to its networks and applications, comply with data protection regulations and enforce security best practices. As of January 21, 2012, non-DoD individuals in the JPAS program must use a digital certificate stored on a USB token or smartcard that has been issued by a DoD-approved External Certificate Authority (ECA).
Both the FFIEC and the DoD took note of the cyberthreat and attack lessons learned in 2011. In order for corporations to follow suit, they must implement authentication best practices that will more effectively keep their data and customer data secure. One of the most important solutions of identity authentication available to corporations today is two-factor authentication or risk-based authentication. Two-factor authentication helps corporations better protect themselves against hackers by requiring two methods of identity verification: a password (something the user knows) and an authentication token (something the user has). Risk-based authentication profiles a user’s device and their behavior to assess the risk associated with their activity and invoke secondary authentication when that activity appears to be unusual.
The popularity of smartphones and tablet devices represents a security opportunity for organizations – more users already have a device that could function as an authentication token to provide a stronger assertion of their identity to a wide variety of parties. Unlike traditional two-factor authentication token solutions, approaches that enable re-use of existing mobile devices are faster and easier to deploy, and more cost-effective to maintain. And, unlike traditional hardware tokens, users are far less likely to forget their mobile device at home. And using risk-based authentication mechanisms that profile a user’s device and behavior can provide similar protection, without any impact to a legitimate user’s experience.
Like this last year, 2012 will be full of cyberthreats and attacks. We can expect hackers will only increase the number and intensity of their attacks. Among the current threats to users of financial institutions is the Zeus Trojan, which the FBI is calling “Gameover” because once the hackers get a user’s financial information, it’s game over. In fact, so far in 2012 Symantec has seen over 200,000 attacks each day from criminals using the Zeus tool kit. The Zeus Trojan, as well as the recent DreamHost attack, prove the urgency corporations should feel about stronger authentication.
As corporations and organizations implement these and other authentication best practices, they’ll not only be keeping theirs and user data more secure, but they’ll also be better equipped to avoid finding themselves the subject of the latest hacked corporation news headline.