Global Password Day
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
According to the 2017 Verizon Data Breach Investigations Report (DBIR), more than 4 of every 5 hacking-related breaches leveraged a stolen or weak password. This phenomenon has given rise to a Global Password Day to go along with National Cybersecurity Awareness Month.
What’s next? National Patch Day?
Bringing awareness to issues like Human Trafficking, Law Enforcement and even Receptionists (May 9th) might make sense in a world where we naturally take things that don’t affect us directly for granted, but how about instead of awareness about awareness, why don’t we just do something about the problem instead?
One might argue that with the money spent and the acceleration of awareness, we should have put an end to human trafficking years ago. In the case of cybersecurity awareness, though, the money required to address the issue is pocket change compared to the cash we pony up every year on cybersecurity technologies, which, by the way, deliver far less per dollar than simply reining in human error.
A simple awareness program which includes entertaining training and random exercises throughout the year for all of your employees is only a few grand a year, yet it will probably prevent over 95% of your hacking problems.
Passwords are another issue entirely. We find ourselves spending billions each year on clever technologies, policies and processes that purport to address our cyber-threats and vulnerabilities, while we continue to use the same access methodologies we were using during the stone age.
The number of U.S. data breach incidents tracked in 2017 hit a new record high of 1,579 breaches, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout. That is a 44.7 percent increase over the record figure reported for 2016. Hacking continued to rank highest among attack types, at 59.4 percent of the breaches, up 3.2 percentage points from 2016.
Of the roughly 940 hacking-style breaches, 36% were attributed to unauthorized access. Compromised passwords were the port of entry for most of these attacks, in large part because we reuse passwords across multiple sites, so one leaked credential exposes every account it was reused on.
The fact that the vast majority of these 2017 breaches leveraged a vulnerable password, and that the primary information stolen was usernames and passwords, should be all the evidence required to convince organizations to implement stronger password hygiene.
The basics are brain-dead simple:
1. Generate more complex passwords
2. Use different passwords for each application
3. Use Multifactor Authentication
4. Keep Admin passwords secured
But, we don’t like any of these ideas except maybe the 4th one which requires no sweat off our backs. All of this is incredibly inconvenient. Some of us are forced to maintain a separate password for dozens of applications, websites, databases, desktops, laptops, networks, etc., and it makes our lives impossible.
Well, there is (soon to be) a better solution.
How about we deep six the whole notion of passwords altogether and drag ourselves into the modern era where technologies exist that can validate our identities through passive biometrics and behavioral analytics. Every one of us is unique in the ways we interact with our devices and our various web sessions.
User Behavioral Biometrics combines a biometric and behavior-based analysis of the user. User Behavior Analytics (UBA) adds multiple layers of nuanced information of passively observed behavior that goes beyond what data they input and what device they use and is able to really understand how the user interacts with the mobile or web portal.
We all interact with the web in passive, yet very specific ways. Together these form a behavioral fingerprint: typing speed and keystroke rhythm, the ways in which we habitually navigate each website, our patterns of online usage, and even how we hold our mobile devices. These behaviors and hundreds of others, coupled with traditional passwords and connectivity details, offer multiple layers of information and a more complete picture of each individual user.
We have technologies today that can passively observe multiple layers of user behavior and biometrics and build a profile for that user that doesn't rely on the device they use or the password they enter. Every time a user returns to the environment, the technology can measure that behavior against their unique historical data. This allows the system to finally answer, "Is this the real user?" with confidence.
Then the same technology can compare those user behaviors with other “good” user behaviors to broaden the understanding of how “good” users behave and answer the next level question with the same certainty, "is this user behaving like a human being?" and "is this user acting safely" and then trigger action accordingly in real-time.
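The two questions above ("is this the real user?" and "is this behaving like a human?") can be made concrete with the simplest behavioral biometric, keystroke dynamics. The Python below is an added illustration, not code from the article or from any product it alludes to: it enrolls a user from a few typing sessions of a fixed phrase, stores the mean and spread of each key-pair (digraph) latency, scores later sessions by their average z-score against that profile, and adds a second, profile-independent check that flags metronome-regular timing as scripted input. The phrase, all timings, and every threshold are constructed assumptions chosen to make the example run offline.

```python
"""Keystroke-dynamics check: enroll a user's typing rhythm, then score later sessions
against it. Added illustration, not the article's own code; all timings are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

PHRASE = "letmein"          # assumption: every session types this fixed phrase
MIN_STD_MS = 15.0           # floor on per-digraph spread so a few tight samples don't make the model brittle
MAX_Z = 2.0                 # assumed threshold: mean |z| above this is "not the enrolled user"
MIN_HUMAN_JITTER_MS = 10.0  # assumed threshold: scripted input has near-constant inter-key gaps


def make_session(gaps_ms, phrase=PHRASE):
    """Turn a list of inter-key gaps (ms) into (key, timestamp_ms) press events for `phrase`."""
    assert len(gaps_ms) == len(phrase) - 1
    t, events = 0, []
    for key, gap in zip(phrase, [0] + list(gaps_ms)):
        t += gap
        events.append((key, t))
    return events


def digraph_latencies(session):
    """Map each consecutive key pair to the press-to-press latencies observed for it."""
    out = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(session, session[1:]):
        out[(k1, k2)].append(t2 - t1)
    return out


def enroll(sessions):
    """Build the profile: digraph -> (mean latency, spread), pooled over all enrollment sessions."""
    pooled = defaultdict(list)
    for s in sessions:
        for dg, lats in digraph_latencies(s).items():
            pooled[dg].extend(lats)
    return {dg: (mean(l), max(pstdev(l), MIN_STD_MS)) for dg, l in pooled.items() if len(l) >= 2}


def score(profile, session):
    """Mean absolute z-score of the session's latencies against the profile; lower is closer."""
    zs = []
    for dg, lats in digraph_latencies(session).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(l - mu) / sd for l in lats)
    return mean(zs) if zs else float("inf")  # nothing comparable: cannot vouch for the user


def looks_human(session):
    """Second layer: does the rhythm vary like a person's, or is it machine-regular?"""
    gaps = [t2 - t1 for (_, t1), (_, t2) in zip(session, session[1:])]
    return pstdev(gaps) > MIN_HUMAN_JITTER_MS


def verify(profile, session):
    """Combine both questions: only a human-looking session close to the profile is accepted."""
    s = score(profile, session)
    human = looks_human(session)
    return {"score": round(s, 3), "human": human, "genuine": human and s <= MAX_Z}


# Constructed enrollment data: three sessions of the same user typing PHRASE.
ENROLL_SESSIONS = [
    make_session([120, 95, 140, 110, 130, 100]),
    make_session([125, 90, 150, 105, 135, 95]),
    make_session([115, 100, 145, 115, 125, 105]),
]
PROFILE = enroll(ENROLL_SESSIONS)

GENUINE_PROBE = make_session([118, 97, 142, 112, 128, 102])  # same rhythm, small drift
IMPOSTOR_PROBE = make_session([200, 60, 260, 180, 90, 210])  # knows the phrase, different rhythm
BOT_PROBE = make_session([100] * 6)                          # scripted: perfectly regular gaps

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE), ("bot", BOT_PROBE)]:
        print(name, verify(PROFILE, probe))
```

The genuine probe scores about 0.14 and is accepted; the impostor knows the phrase but scores 5.0 and is rejected; the bot's evenly spaced keystrokes happen to land near the profile (score about 1.2) yet fail the human check, which is why the two questions are layered rather than collapsed into one. The obvious caveat is replay: an attacker who captured the real user's timings can reproduce both rhythm and jitter, so a check like this is a risk signal to combine with the password and a second factor, not a replacement for them on its own.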
User Behavioral Biometrics will help e-commerce businesses fight fraud by bringing wider context to every transaction decision. Most e-commerce merchants today simply look at the transaction and use knowledge-based authentication (KBA) that relies on PII and payment card data, even though that data is too freely available to be a secure basis for trust. Moving beyond easily compromised PII and relying instead on a user's unique behavior will protect both the online assets and the users from fraud.
Fraudsters know that e-commerce merchants and financial institutions have traditionally relied on KBA for their fraud prevention strategy, which means a user is authenticated by having the right answer to pass the test. So long as the fraudster has the cheat sheet, they don't have to worry about getting the answers right.
Here we are, more than two decades after the birth of the commercial Internet, and companies continue to be breached to the tune of hundreds of millions of dollars because bad actors use simple social engineering strategies to acquire the information they need to obtain user credentials.
Gartner says we are a few years away from being able to implement secured transactions using these combined technologies, but my bet is that by this current year-end, we will be testing User Behavioral Biometrics in combination with passwords on many transactional websites.
Then, maybe by 2020, we can put an end to this crazy process and wipe one more “Global Day” off our calendars for good.
General Manager at Rahi, 6 years ago: Awareness around this across all industries is key, completely agree.
Salesforce Sales @ Coforge, 6 years ago: Good read.