-By Csaba Krasznay, Security Evangelist, Balabit
Eighty percent of hacking related breaches involve the use of either compromised or weak passwords. Data breaches are far too often a result of weak authentication protocols. If cybercriminals are able to obtain the credentials of users they gain access to an entire organisation, including its most valuable assets within its IT infrastructure. Increasingly technology is vital in the fight against credential hijacking and the theft of passwords.
The development of biometrics has been accelerating in recent years, with it now appearing in the consumer devices that we use every day. The advantage of biometrics is that it is a method of authentication that cannot be easily stolen or replicated by malicious actors. It also has an element of permanence, that’s why the physiological aspect has been adopted so readily in consumer applications. Apple’s Touch ID, or more recently Face ID, they’re convenient and can’t be copied or stolen. But, biometrics incorporates more than just biological characteristics, it can also include the behavioural.
Our physical traits are not the only things that can make us unique. Research suggests that routine tasks such as the way we speak, write and type are actions that can be just as unique to us. These traits are significantly harder to replicate, making behavioural forms of biometrics arguably more secure than their counterparts. Behavioural biometrics are already being used commercially; signature recognition, mouth movement analysis and typing rhythm are all valid right now.
Authentication in IT
Authentication is a constantly developing issue, but no matter the application all authentications systems use one of the following factors:
Something you know - Passwords
Something you have - A physical key, badge or mobile device
Something you are - Fingerprints - facial recognition and typing rhythm
The strongest levels of authentication will use a combination of all three of these systems.
Unlike password systems, which require an exact match, biometrics measure similarity. The system is asking - What’s the probability that this is the same as the measurement on file? A non-match represents a probability, rather than a definitive conclusion. If measurements reach a certain threshold when compared to the reference data point it is considered a match. Even the best designed biometrics can give incorrect results, but when incorporated into other systems it will undoubtedly increase an organisations’ level of defence because of a number of factors:
- Real time detection: Although in most cases, criminals spend days, weeks or even months in the IT system before being detected, they sometimes access the most critical data in the first few minutes. This is why it’s crucial to detect attackers as soon as possible.
- Continuous monitoring in a non-obstructive way: One-off authentication is useless if an external attacker has compromised user credentials. Users find multiple authentications cumbersome and annoying so they are likely to circumvent them wherever possible. Continuous, behaviour-based monitoring offers the best approach to authentication.
- Reasonable accuracy: With security teams already overwhelmed by thousands of false alerts, a technology producing even more false positive alerts is not a practical option.
Physiological factors offer the reasonable accuracy required for logins but lack the real-time aspects of behavioural biometrics. Measuring behavioural factors by using input technologies like keyboards and mice can provide constant and consistent feedback on a user.
Mouse movement analysis doesn’t measure the position of the mouse cursor, but rather the changes in position that it makes. The speed of movement, the idle time between movement and double click speed can all be measured easily. Through analysing these traits software can gauge if a users’ mouse movement deviates from their baseline behaviour.
Keystroke analysis assesses the manner and rhythm with which a person types on a keyboard. Software generally measures “dwell time” - a measure of how long a key is pressed for and “flight time” - the time between releasing a key and pressing the next. Other patterns can also be identified and these can also be useful in identifying a user. For example, some users prefer the backspace key whilst some prefer delete, some users use the left shift over the right shift and some user specific shortcuts. The time taken to press a key can also vary between users, as it depends on the size of their hands. With this information it’s possible to create a group of keys that are unique to each user.
Through keystroke and mouse movement analysis users can be monitored at all times and their actions compared to a baseline measurement. If changes are seen it is likely the user's account has been hijacked and is being used by a rogue agent. Spotting these actions early can mean that hackers are locked out before they can cause any significant damage.
Like any security solution, biometric technology offers no guarantees when defending against a data breach, they are inevitably fallible – however, the goal here is to reduce the possible risk. There are no silver bullets in cyber defence. But by layering multiple security mechanisms with biometrics at their heart they can increase security across an entire IT infrastructure. If an attack causes one system to fail, other systems will be there as back up. Organisations can introduce biometric solutions easily, without subjecting their employees to obtrusive examinations, or forcing them to memorise passwords and keys. But, most importantly, by providing real-time results IT security teams can be sure that malicious activity can be spotted 24/7.