Many organizations, including government entities, are deploying biometrics. How can this tech be toughened against data theft?
A worst-case scenario of biometrics data falling into the wrong hands is for a person to wake up and find himself accused of committing credit card fraud—in different countries. Or having your personal data used to establish trust with your family and friends online and then ensnaring them in financial scams.
It seems biometrics scanners have their uses, but determined hackers have so far been able to bypass them.
With that in mind, CybersecAsia conducted a Q&A with a company that focuses on risk reduction created by privileged credentials. Shay Nahari, Head of Red Team Services at CyberArk, has some good news about how risks can be mitigated when biometrics tech and data are properly managed:
According to a survey, the barriers to adopting biometrics are cost of implementation, employee pushback, reliability concerns and storage/management of the sensitive data, which if stolen, causes liability concerns. Do you see such barriers being eradicated in the near future?
Shay: Cost and reliability concerns will definitely be reduced. Compared to two years ago, there have been significant improvements in the field, particularly on the consumer side.
Traditional bypasses demonstrated in the past by researchers of face recognition biometric features are considered obsolete. Nowadays, technology in the area of biometrics is much more reliable as various sensors and other forms of biometric authentication provide a consolidation of those methods. We are now also looking at other various forms of validation.
On the consumer side, we are also seeing improvements in reliability. As this form of technology becomes more prevalent, the cost of implementing biometrics will be significantly reduced.
The fact is, biometric data can be combined to prevent recognition systems from being fooled. It could be an authentication of a fingerprint as well as a voice recording. When we refer to a combined method, it could involve either biometric and non-biometric data, but it can also be two biometric sensors at the same time to confirm an identity.
Another solution is to ensure companies have stringent cyber security procedures, such as fingerprint and face hashing, merging fingerprint recognition and cryptographic methods, where the data is encoded in a way that cannot readily be reversed.
Of course, as biometric technology advances, so do the attackers’ sophistication. This is why having a zero-trust approach is critical—organizations must trust nothing and verify everything before granting access, whether it comes from inside or outside their perimeters.
Stolen biometrics; however, seem to be more challenging but we have observed steps in the right direction. On the consumer side, the incorporation of biometrics into mobile phones would eradicate the risks associated with storing that type of data for enterprises.
Taking into account the fact that CyberArk uses tactics, techniques and procedures (TTP) to help organizations detect and react to attacks or threats, could you provide brief sample descriptions?
Shay: Yes.
Threat Avoidance: There needs to be some sort of threat modeling baseline. This means knowing who your most likely attackers are, and how your company will defend against them. This looks at the TTP and the reasons for that organization getting breached.
For example, we are looking at all breaches including privilege. Companies will want to prioritize privilege as the main avoidance strategy. The key is to make sure that the privileges are managed correctly, taking into account the common attack vectors to plan ahead.
The answer varies by the type of actor. For example, with government agencies, the malicious actor is going after a very specific set of biometric data. In this instance, the organization may want to spend time and resources to identify the source.
Commercial entities have too much attribution volume, making it not worth the time to identify the source. Organizations may want to plan a strategy to investigate these attacks. One way is to automatically remediate a breach, do some analysis and contain it.
Threat Identification: If an organization knows that almost every attack uses privilege as a way to move laterally, it is worthwhile to put monitoring mechanisms in place to understand the usage of access privileges in the organization. Companies can see who are using all the accounts across the departments, and how. The IT team should also audit this access to identify when one is being used in an improper way.
Threat Escalation: This should be viewed as an assumed breach. Whether intentional or unintentional, there is some actor already operating in your network. The first line of defense is assumed to be breached and the organization has already suffered from the compromise.
Finally, we know that attackers think in terms of data. If you have 10,000 computers in your network the attacker will not scan all of these resources. The attacker will go after the one that contains the desired data. Companies need to make sure that they have the ability to monitor, protect and mitigate risks associated with these credentials to prevent the actor from moving laterally.
Assuming that the actor has an identity in your network, make sure their privileges do not escalate giving them access to the crown jewels.