Data encryption. Cryptocurrency. These two crypto-based technologies are game-changers—the former old and tried, the latter still in its infancy—shaping the way business is done in the digital world. While most of us typically think of their positive, legitimate uses (consider secure communications, digital transactions, or data storage in the cloud), we occasionally get an unpleasant reminder that these very same technologies are enablers for ransomware attacks.
One of the most recent cases was a ransomware attack at Hancock Health, a hospital based in Indiana in the US. In mid-January, hackers penetrated the hospital’s systems via unauthorized access to its remote access portal. After entering the hospital’s network, they encrypted files and held them for ransom by installing SamSam ransomware on vulnerable systems.
According to reports, the Hancock Health attack apparently did not lead to any compromise of patients’ data. And once the $55,000 (or four Bitcoin) ransom was paid, the hackers provided the hospital with the decryption key to unlock its IT systems and data so they were back up and running quickly.
What particularly caught my attention in this attack was not the end result, though. Rather, it was the entry point: the initial method the hackers used to get into the hospital’s network. Their way in was a login to the hospital’s remote access portal using a third-party vendor’s credentials.
Compromised authentication credentials are a notoriously common means of attack. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches involved the use of stolen and/or weak passwords. Stronger multi-factor authentication methods, which require user device-generated one-time passwords or biometric identification, for example, are effective at preventing illegitimate access. But implementation complexity, usability or privacy concerns can inhibit deployment of such security measures, especially when it comes to external parties such as suppliers and customers accessing an organization’s resources.
The BYOD (Bring Your Own Device) trend that is fundamentally changing IT also has a role in making advanced authentication practical. Solutions that leverage users’ existing personal devices to prove their identity, without requiring additional dedicated hardware, can improve the user experience and simplify deployment.
The security of any authentication mechanism depends on the protection of cryptographic keys and other secrets used to validate users’ identities. Public-key cryptography helps alleviate security concerns on the server side, enabling organizations to verify users’ devices using unique private keys held by each device and associated public keys in the backend. The server stores only public information, so there’s no need to store (and protect) a trove of sensitive information there, as you must with shared secrets like user passwords or OTP.
However, the main challenge of secret protection—especially with BYOD-based authentication—lies on the end-device side. Organizations have limited control over the security of these heterogeneous, innately untrusted devices and the private keys stored on them. If hackers compromise the keys, they can use them to gain illegitimate access. To make matters worse, if the private keys are copied and lifted off the device, hackers can then perform authentication remotely from any device, without the user’s knowledge.
This is where Unbound can help, enhancing BYOD-based authentication by raising the security bar significantly. With Unbound Crypto-of-Things, organizations can leverage private keys for secure authentication using any device without storing the full key on the device. Rather, each key exists as two random key shares, working together yet completely separated: One share on the device and one share on a remote server. Keys cannot be taken, even if the attacker has direct physical access to the device! Unbound Crypto-of-Things augments existing security solutions and standards, integrating easily with popular multi-factor authentication solutions and supporting FIDO U2F.
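To make the two ideas above concrete (a verifier that stores only a public key, and a private key that exists only as two shares), here is an added example that is not Unbound's protocol or code: a simplified two-party Schnorr signature over a login challenge. The group parameters, function names and challenge strings are all assumptions made for this illustration.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1 with P and Q
# prime, G of order Q. A real deployment would use a standard elliptic curve.
P, Q, G = 2039, 1019, 4

def challenge_hash(r: int, message: bytes) -> int:
    """Schnorr challenge e = H(r || message) reduced into the exponent group."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q

def enroll():
    """Make two independent shares; the full key x1 + x2 is never assembled."""
    x1 = secrets.randbelow(Q - 1) + 1   # stays on the user's device
    x2 = secrets.randbelow(Q - 1) + 1   # stays on the remote share server
    public_key = pow(G, x1, P) * pow(G, x2, P) % P   # all the verifier stores
    return x1, x2, public_key

def nonce():
    """Fresh per-login secret k and its public commitment G^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def partial_sign(share: int, k: int, e: int) -> int:
    """Each party's response, computed from its own share only."""
    return (k + e * share) % Q

def verify(public_key: int, message: bytes, r: int, s: int) -> bool:
    """Verifier's check: G^s == r * public_key^e, using public values only."""
    e = challenge_hash(r, message)
    return pow(G, s, P) == r * pow(public_key, e, P) % P

def authenticate(x1: int, x2: int, public_key: int, login_challenge: bytes) -> bool:
    """Both parties cooperate; only nonce commitments and responses are exchanged."""
    (k1, r1), (k2, r2) = nonce(), nonce()      # device, share server
    r = r1 * r2 % P
    e = challenge_hash(r, login_challenge)
    s = (partial_sign(x1, k1, e) + partial_sign(x2, k2, e)) % Q
    return verify(public_key, login_challenge, r, s)

def device_only_attempt(x1: int, public_key: int, login_challenge: bytes) -> bool:
    """A stolen device share alone: the response is missing the e * x2 term."""
    k1, r1 = nonce()
    e = challenge_hash(r1, login_challenge)
    return verify(public_key, login_challenge, r1, partial_sign(x1, k1, e))
```

In this tiny group a single-share attempt can still pass by chance about once in Q tries (when the challenge happens to be zero); at real key sizes that chance is negligible. Production two-party signing protocols also wrap these steps in commitments and proofs, which are omitted here.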
Ransomware is a major concern for which there is no one sure solution. Hackers will always try to exploit any security gap to achieve their goals, and implementing multiple layers of defense will help organizations to reduce, not eradicate, the risk of attack. But here’s a claim we can make with certainty: By embracing cryptography to protect network access as part of their cybersecurity arsenal, companies can thwart attacks such as the one at Hancock Health—using the very same underlying technology the attackers are trying to use against them.