Trust - your company is built on trusting the people you hire to do their job. Your clients trust you to do yours. The world operates on a network of trust, yet we’re still fighting the good fight to ensure your users can really be trusted - that they actually are who they say they are.
It’s not their fault. It’s the malicious hackers who want to compromise their passwords and impersonate their identities, sliding into your systems undetected for weeks, months, even years at a time while they steal your data and your customers’ data. According to the Microsoft Security Intelligence Report (SIR), Microsoft detected more than 10 million daily attacks, including millions in which the attacker had valid credentials.
User-centric attacks have been around for a long time, and they continue to persist, simply because they work. Symantec’s 2016 Internet Security Threat Report revealed that the total number of exposed identities jumped 23 percent this year to 429 million.
Phishing & Stolen Credentials
Symantec’s report also revealed that spear-phishing campaigns targeting employees have increased 55 percent since 2015. In a spear-phishing campaign, attackers may do extensive research on companies and their employees, using social networks and publicly available information to craft convincing phishing emails that are more likely to be opened by their victims.
Recently, the cloud storage company Dropbox reported that 68 million passwords and email addresses were leaked in a 2012 breach, warning users to watch out for phishing emails. The Washington Post reports that this user information is currently up for sale on the darknet. Similarly, the music streaming community Last.fm reported that 43 million passwords were stolen in 2012 and posted online, according to TechCrunch.com.
In the 2015 data breach that hit Anthem, the second largest healthcare insurance provider, it was speculated that phishing emails gave attackers the credentials of five different Anthem technical employees. Anthem’s CIO first detected the attack when a systems administrator noticed queries running on his account that he hadn’t initiated, indicating that an attacker had logged into their database using his stolen credentials. The breach resulted in a compromise of 80 million users' personal information.
Vulnerable User Devices
Employees are now working around the clock, from their homes and other remote locations as they travel, logging into enterprise applications to do their jobs. That means they’re often using their personal laptops and smartphones to access your applications - which aren’t always patched and updated to the latest software versions to protect against the newest vulnerabilities.
In the 2016 Duo Trusted Access Report, we found that 60% of user devices are running outdated versions of Flash and a quarter of all Windows devices are running outdated and unsupported versions of IE, exposing them to old vulnerabilities that affect the plugin and browser.
According to the 2016 Cyber Risk Report from HPE, Microsoft vulnerabilities account for nearly 50% of their sample size, followed by Adobe Flash at 29%.
Meanwhile, the disclosure of high-severity vulnerabilities has increased 42% across the industry in 2015, with exploit kits increasing by more than a third, according to Microsoft’s SIR. Exploit kits are collections of exploits that are packaged together and sold as malware as a service.
The most targeted operating system flaw found in these exploit kits, CVE-2010-2568, has been patched since August 2010, but many systems are still successfully breached using this old vulnerability, according to Threatpost. This shows that patching is still a problem: many organizations have gone six years without applying the available security patch.
How to Ensure Trusted Users
We’ve built a holistic security solution, Trusted Access in order to ensure you have Trusted Users - that is, we verify the identity of your users and protect against breaches due to phishing with a secure two-factor authentication solution.
We recommend using Duo Push, a push-based mobile authentication method that is more secure than SMS methods, as the National Institute of Standards and Technology (NIST) announced at the end of July.
Going even further, Duo’s Trusted User policies and controls allow you to create advanced access restrictions for certain user groups to create an even stricter security profile:
- Require a certain authentication method for certain users (like Duo Push or U2F)
- Block login attempts from countries you don't do business in
- Block users attempting to access your enterprise applications from anonymous networks like Tor
This type of contextual authentication gives you more control and insight into who is trying to log into your applications. Our two-factor solution also offers extensive user and device logs that give you information about the user, location and device used to log in.
We also check your users’ endpoints every time they log into your applications to ensure they’re running the latest operating systems, browsers and plugins like Flash and Java, in order to block or notify users with potentially vulnerable devices and protect your organization from the threat of old exploits.
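To make the contextual policies and the endpoint check above concrete, here is an added example of a small policy engine; it is illustrative code written for this page, not Duo’s implementation. The policy values (the admins group, the XA/XB placeholder country codes, the minimum software versions) and the login attempts are all constructed; the "anonymous network" flag and geo-IP country are assumed to come from whatever IP-reputation and geolocation data the deployment already has. Each evaluation returns a structured record that doubles as the user and device log entry described above.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy, constructed for this example (not Duo's configuration).
POLICY = {
    # group -> set of second-factor methods that group must use
    "required_method": {"admins": {"push", "u2f"}},
    # ISO 3166 codes for countries you do no business in (XA/XB are
    # user-assigned codes, used here as placeholders)
    "blocked_countries": {"XA", "XB"},
    "block_anonymous_networks": True,
    # minimum acceptable versions on the endpoint (placeholder numbers)
    "min_versions": {"flash": "23.0.0.162", "ie": "11.0", "java": "1.8.0_101"},
    # what to do with an endpoint running something older: "block" or "notify"
    "outdated_action": "notify",
}


@dataclass
class LoginAttempt:
    user: str
    group: str
    method: str                 # second factor used: "push", "u2f", "sms", ...
    country: str                # ISO 3166 code resolved from the source IP
    anonymous_network: bool     # source IP belongs to an anonymity network
    software: dict = field(default_factory=dict)   # component -> version string


def parse_version(text):
    """'23.0.0.162' -> (23, 0, 0, 162); tuples compare lexicographically."""
    return tuple(int(p) for p in re.split(r"[._]", text))


def outdated_software(software, min_versions):
    """Names of installed components older than the policy minimum."""
    return sorted(
        name for name, ver in software.items()
        if name in min_versions
        and parse_version(ver) < parse_version(min_versions[name])
    )


def evaluate(attempt, policy=POLICY):
    """Return a structured decision record for one login attempt."""
    deny, notify = [], []

    # 1. Required authentication method for the user's group
    allowed = policy["required_method"].get(attempt.group)
    if allowed is not None and attempt.method not in allowed:
        deny.append(f"method {attempt.method} not permitted for group {attempt.group}")

    # 2. Country block list
    if attempt.country in policy["blocked_countries"]:
        deny.append(f"login from blocked country {attempt.country}")

    # 3. Anonymous networks
    if attempt.anonymous_network and policy["block_anonymous_networks"]:
        deny.append("login from anonymous network")

    # 4. Endpoint software check: block or just notify, per policy
    stale = outdated_software(attempt.software, policy["min_versions"])
    if stale:
        msg = "outdated software: " + ", ".join(stale)
        (deny if policy["outdated_action"] == "block" else notify).append(msg)

    decision = "deny" if deny else ("allow_notify" if notify else "allow")

    # The record is also the audit log entry: who, from where, how, and why.
    return {
        "user": attempt.user,
        "group": attempt.group,
        "method": attempt.method,
        "country": attempt.country,
        "anonymous_network": attempt.anonymous_network,
        "decision": decision,
        "reasons": deny + notify,
    }


# Constructed sample attempts (not real users or events).
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "admins", "push", "US", False, {"flash": "23.0.0.162"}),
    LoginAttempt("bob", "staff", "push", "US", True),
    LoginAttempt("carol", "admins", "sms", "US", False),
    LoginAttempt("dave", "staff", "push", "XA", False),
    LoginAttempt("erin", "staff", "u2f", "DE", False,
                 {"flash": "20.0.0.306", "ie": "10.0"}),
]


def run_samples(policy=POLICY):
    """Evaluate every sample attempt; handy for inspection and testing."""
    return [evaluate(a, policy) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for rec in run_samples():
        print(rec["user"], rec["decision"], rec["reasons"])
```

Every rule is evaluated even after the first denial, so the log record lists all the reasons an attempt failed rather than only the first; that is what makes the record useful when investigating a stolen-credential login that was also coming from an unexpected country or network.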
Regain your trust in your users by using a holistic security solution that integrates to work with your technology, people and their devices.