Last updated: 22 May 2014
It’s happened again, this time to “The World’s Online Marketplace” – eBay. The online auction giant announced yesterday that a database, holding the personal details of up to 223 million users, was hacked. Ebay has asked 128 million users to change their account passwords in the wake of the breach. The cybercriminals were able to access the corporate network through a handful of compromised employee login credentials. What’s most frustrating is eBay actually offers several multi-factor authentication options for its customers, from one-time password tokens to mobile SMS. So why doesn’t it do the same for its employees, who have access to the company’s most sensitive data?
According to the 2014 Verizon Data Breach Investigations Report, of all the confirmed breaches in 2013, 76% used stolen credentials or exploited weak credentials. And Heartbleed, dubbed the Internet’s worst nightmare, very publicly proved that usernames and passwords are simply not good enough for today’s smarter, faster and more determined hackers. As online threats continue to become more sophisticated, the only way for companies of all sizes to protect their data is to provide additional layers of authentication to ensure they know who is accessing their network at all times.
View the infographic
A layered security approach typically involves three key elements. First, ensuring strong identity control. The first line of cyber-defense is to protect the perimeters so a company knows exactly who is accessing specific resources on its network. This is done by implementing security controls that strengthen online identity. Additional access controls are commonly referred to as “strong authentication” and require users to use something they have (a smart card, one-time password token (OTP), mobile OTP, etc.), combined with something they know (a passphrase or PIN), and if possible something they are (a biometric detail such as a fingerprint). The more factors required, the stronger the control. A good hacker can fairly easily compromise an account with single authentication, but with additional factors would actually need the OTP device and a PIN in conjunction with the user’s other information, a much less likely scenario.
The second area to consider is network-based access control. Not everyone in a company should have access to the same types of information. Someone in marketing should not have the same level of access permissions as someone in human resources. With basic network access controls, each user accessing the network has a set of requirements based on job function and access needs for their profile, thus requiring a flexible security solution. This is where a company could implement step-up authentication, where an employee enters through a low security area of the network, but is prompted for additional authentication (a second identity factor for example) when attempting to access a more secure area housing more sensitive data.
Finally, data encryption for stored information is essential. Put simply, all data stored on a network server should be encrypted to ensure that the data is unusable if it is accessed by an unsanctioned party.
It is critical to have a 360-degree view of employee authentication and data protection. As the eBay case shows, strong security controls for employee access should be taken seriously by every company, no matter what size or what business. Only then can we start to avoid security breaches that ultimately destroy the confidence of the everyday consumer.