3.) The adoption of multifactor authentication is slow and disorganized.
While multifactor authentication wouldn't have completely protected the executives who fell for the subpoena attack, it would have limited the scammers' access to sensitive systems and applications.
The problem is that the deployment of multifactor authentication, even in the financial sector, is completely disorganized. Most online banking security treats characteristics of your computer as an additional authentication factor, tracking things like your IP address, browser and software settings. If those aren't recognized, you'll face challenge questions. Neither is a strong second factor: the device profile is built from values the client sends and can be copied or spoofed, and challenge questions are still "something you know," the same category as the password. An attacker could spend five minutes on a Facebook page and figure out the answers to most of them.
Will attackers go to this trouble? Probably not, but only because they don't yet have to.
Within the broader enterprise market, adoption is painfully slow, and what adoption there is remains mostly hardware-token-based. End users balk at tokens, though, because they're easily lost or forgotten. There are a few promising trends, however: tokens are moving from hardware to software, and the idea is spreading that they should be embedded in things people already carry.
Expect to see one-time codes sent by SMS to mobile phones, and your future ATM cards should have built-in one-time password generators. Keep in mind that SMS is a delivery channel rather than a tamper-resistant token: a code that can be intercepted or redirected in transit is a weaker proof of possession than one generated on the card itself.
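The two pieces discussed above, a "do we recognise this computer" check that only steps up to a second factor when the device looks unfamiliar, and a one-time password as that second factor (whether the code is shown by a hardware token, a soft token or delivered by SMS), as one added example. This is not code from the article or from any vendor it names: the enrolled-device record, the mismatch scoring and the `StepUpLogin` class are hypothetical. The one-time password routine implements HOTP as specified in RFC 4226, and the secret used in the usage section is that RFC's test secret, whose first code for counter 0 is 755224.

```python
"""Risk-based login with a one-time-password step-up (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed "usual computer" profile for one user (hypothetical data;
# the IP prefix is from the RFC 5737 documentation range).
ENROLLED_DEVICE = {
    "ip_prefix": "203.0.113.",
    "user_agent": "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0",
    "tz_offset": -300,
    "screen": "1280x800",
}


def device_mismatches(enrolled: dict, seen: dict) -> int:
    """Count the passive device signals that differ from the enrolled
    profile. This is a risk signal only: every value comes from the
    client and can be replayed by an attacker who captured it."""
    score = 0 if seen["ip"].startswith(enrolled["ip_prefix"]) else 1
    for key in ("user_agent", "tz_offset", "screen"):
        if seen[key] != enrolled[key]:
            score += 1
    return score


class StepUpLogin:
    """Password first; an unrecognised device triggers an HOTP step-up
    instead of challenge questions."""

    def __init__(self, secret: bytes, enrolled: dict, counter: int = 0,
                 threshold: int = 1, look_ahead: int = 5):
        self.secret = secret
        self.enrolled = enrolled
        self.counter = counter          # next counter value the server expects
        self.threshold = threshold      # mismatches that force a step-up
        self.look_ahead = look_ahead    # tolerated drift between token and server

    def verify_otp(self, code: str) -> bool:
        """Accept a code for any counter in [counter, counter + look_ahead).
        On success move the counter past the value used, so the same code
        (and any skipped earlier one) cannot be replayed."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def login(self, password_ok: bool, seen: dict, otp: str = None) -> str:
        """Return 'allow', 'deny' or 'step-up' (prompt for / send an OTP)."""
        if not password_ok:
            return "deny"
        if device_mismatches(self.enrolled, seen) < self.threshold:
            return "allow"
        if otp is None:
            return "step-up"
        return "allow" if self.verify_otp(otp) else "deny"


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226 test secret
    auth = StepUpLogin(secret, ENROLLED_DEVICE)
    usual = {"ip": "203.0.113.7", "user_agent": ENROLLED_DEVICE["user_agent"],
             "tz_offset": -300, "screen": "1280x800"}
    foreign = dict(usual, ip="198.51.100.9", user_agent="curl/7.19")
    print(auth.login(True, usual))                      # allow
    print(auth.login(True, foreign))                    # step-up
    print(auth.login(True, foreign, hotp(secret, 0)))   # allow (code 755224)
    print(auth.login(True, foreign, hotp(secret, 0)))   # deny: replayed code
```

The look-ahead window is what keeps a token usable after a few codes were generated but never submitted; advancing the server counter past the accepted value is what makes a captured code worthless a second time. A real deployment would rate-limit the step-up prompt and bind the enrolled profile to a server-set cookie rather than trusting client headers alone.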
4.) Attackers are targeting the SMB market.
Tough economic times usually spur the rise of small businesses. Smart people get laid off, they don't like having their destiny in someone else's hands, and they start working for themselves.
That's all well and good, except from a security standpoint. Phishing attempts have increasingly targeted smaller businesses, and if multifactor authentication is too expensive and hard to administer for many large organizations, it's a complete non-starter for small and mid-sized businesses.
"Mid-sized businesses don't have 24-hour help desks," Hollister said. "Often, they don't even have 9-to-5 support. Yet they're doing more and more business online, and they're often conducting business with people or organizations overseas."
They need better authentication, but the typical business-class solution, tokens, is too expensive and requires too much administration for the SMB market.
"You must remove the hardware barrier in order for SMBs to buy into strong authentication," Hollister said. Managed strong-authentication services are one answer, as are soft tokens and alternative solutions like cognitive authentication, which relies on memories or, in the case of Passfaces, on your ability to remember and recognize faces. These solutions don't require big capital expenditures for hardware, and they drastically reduce help desk calls.
5.) Trends like cloud computing will put more information at risk.
Cloud computing promises to be one of the battlefields where technology titans like Microsoft and Google will compete. It also promises to be a gigantic security risk.
"The biggest problem with cloud computing is identity management," Hollister said. "Once an attacker has used false credentials to get into a network, that person is then considered a trusted user. Any hacker worth his salt can then get through the rest of the network's defenses in several minutes. In cloud computing, the weakest link is the identity of the dumbest user."
Every security pro knows that users are the weakest link in any security chain, but with more and more information moving off site and onto the Internet, those weak-link users pose a much bigger risk.
Meanwhile, many applications will become services, as many already have, and that shift triggers another set of security concerns. "Any online service must worry about account sharing," said Matthew Shanahan, Senior VP of Marketing and Strategy for AdmitOne Security, a provider of risk-based authentication systems. "Look around the web: The Wall Street Journal, analyst firms, even games like World of Warcraft, all of them are losing money because of account sharing. The business information subscription market alone generates about $111 billion in revenue each year. Fraud through account sharing reduces those revenues by 10-20%."
Why is it so easy to share account data? Because most services rely on bare-bones authentication, a username and password that anyone can hand to a friend. Stronger authentication, be it a token, a one-time password generator, a biometric factor or even (weakest of the lot) challenge questions, would lessen that problem, because the second factor is harder to pass along than a password.
And wouldn't that 10-20% in lost revenue be better spent on better security than simply written off to fraud? That's a question every industry should ask itself, and up until now it's only the financial sector (with government following slowly) that has answered yes, and that yes came reluctantly and only with the prompting of regulations.
"I don't remember where I heard this, but it's telling," Hollister said. "IT fraud is more lucrative than smuggling, and there's no death penalty. That should tell you all you need to know about whether or not IT fraud will get worse in the future."
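Account sharing is also something a service can detect from its own session records before it decides to invest in stronger authentication. The following is an added example, not code from the article or from AdmitOne Security: the session rows are constructed for illustration, and the two heuristics (overlapping sessions from different devices, and a country change too soon after the previous session ended) are ordinary risk-based checks, with the six-hour travel gap chosen as an arbitrary threshold.

```python
"""Flag accounts whose session history suggests credential sharing (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session records: (account, start, end, device_id, country).
SESSIONS = [
    ("alice", "2009-03-02T09:00", "2009-03-02T10:30", "dev-a1", "US"),
    ("alice", "2009-03-02T09:45", "2009-03-02T11:00", "dev-a2", "DE"),  # overlaps, other device
    ("bob",   "2009-03-02T08:00", "2009-03-02T08:40", "dev-b1", "US"),
    ("bob",   "2009-03-02T12:00", "2009-03-02T12:30", "dev-b1", "US"),  # same device: fine
    ("carol", "2009-03-02T08:00", "2009-03-02T08:30", "dev-c1", "US"),
    ("carol", "2009-03-02T09:00", "2009-03-02T09:30", "dev-c2", "JP"),  # US to JP in 30 minutes
    ("dave",  "2009-03-02T08:00", "2009-03-02T08:30", "dev-d1", "US"),
    ("dave",  "2009-03-03T08:00", "2009-03-03T08:30", "dev-d2", "US"),  # new device a day later: plausible
]


def flag_shared_accounts(rows, min_travel_gap=timedelta(hours=6)):
    """Return {account: [reasons]} for accounts that look shared.

    Two heuristics, each compared against every earlier session of the
    same account:
      * concurrent sessions from two different device ids;
      * a session from a different country starting less than
        `min_travel_gap` after the previous one ended.
    """
    by_account = defaultdict(list)
    for account, start, end, device, country in rows:
        by_account[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), device, country)
        )

    flags = {}
    for account, sessions in by_account.items():
        sessions.sort()
        reasons = []
        for i, (start, end, device, country) in enumerate(sessions):
            for prev_start, prev_end, prev_device, prev_country in sessions[:i]:
                if device != prev_device and start < prev_end:
                    reasons.append(f"concurrent sessions from {prev_device} and {device}")
                elif country != prev_country and start - prev_end < min_travel_gap:
                    reasons.append(f"{prev_country} to {country} within {start - prev_end}")
        if reasons:
            flags[account] = reasons
    return flags


if __name__ == "__main__":
    for account, reasons in flag_shared_accounts(SESSIONS).items():
        print(account, reasons)   # alice and carol are flagged; bob and dave are not
```

Flagged accounts are the ones to hit with a step-up factor or a forced re-enrolment rather than an outright lock, since a legitimate user with a laptop and a phone will trip the device rule from time to time; the point is that a shared password produces these patterns constantly, while a second factor the user physically holds does not travel with the password.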