MFA & Behavioral Analytics Answer to Counter Human Element in Information Security

Abstract

Multi-Factor Authentication in simplicity adds another layer of security for any consumer of IT system in addition to the traditional authentication method of username and password. Cyber world and threats evolve every day, cyber criminals are getting smarter and find new, different ways to steal Personally identifiable information. This paper captures how human element affects the design, usability and security implementation of MFA while accessing the IT resources. A deeper dive into user experience and behavioral analytics to understand how humans knowingly or unknowingly aid in Security Breaches. Finally, the future state of MFA.

Background

 The basis of every Information Security policy is ensuring that confidentiality, integrity and availability of the system. Confidentiality makes sure that authorized people have access to the information. Integrity assures that data is accurate and trustworthy. Availability guarantees the sensitive data is available to authorized people.

 There are different ways to ensure confidentiality, integrity and availability of data, various steps are taken to make sure that authorized users have access to authorized resources. Installing Antivirus on client and servers and updating periodically, exploring & understanding the security tools that we use and install, using unique passwords for every login to different system that the user has access to, using VPN connection when using WIFI, using passcodes when available with system, using NFC to make payments, using different email addresses for different accounts, periodically clearing cache, turning off the ‘save password’ feature in browsers, avoiding clickbait and suspicious links in email, protecting social media privacy and finally using two-factor or multi-factor authentication are the most basic and simple practices that can be adopted to securely access IT systems on a personal or professional level.[[1]]

In 2014, Heartbleed exploit was able to open a door for hackers to exploit credentials for millions and millions of users. It is estimated that 800,000 or more websites were still vulnerable to the exploit as of May 2014 [[2]] Ever since that mass security breaches are becoming mainstream and securing personally identifiable information individually and for the organization is more imperative than ever. The infographic summarizes the amount of data that was exploited and stolen worldwide as reported by IBM Force-X Threat Intelligence Index 2017 report.

Figure 1. Notable 2016 global data leaks of unstructured data from [[3]]

 In this age and time, just changing password periodically or increasing password complexity is not enough. Password are easily comprised by using social engineering, simple or sophisticated phishing attacks or sheer brute force. Password setup is very simple basic and easy to implement authentication but is the weakest form when it comes to being vulnerable to attacks and exploits.

 With increasing attacks and need for securing resources being exponentially high, the solution of Two-Factor authentication (or Multi-Factor authentication) was coined. In the simplest term, two (or multi) factor adds another layer of security to verify the identify the user accessing information. The initial setup and implementation can be tedious, confusing and hard to follow for some users, it would make the process of accessing the information slow but certain delay is worth to offset the prospective damage.

Multi-Factor Authentication

 Authentication is simple a process that verifies a user’s identity. There are three factors for authentication:

• Knowledge factor – Something you know (password, security questions)
• Ownership factor – something you have (hardware token, USB key fob, cellphone)
• Biometric factor – something you are (biometrics – fingerprint, facial, orbital recognition).

Figure 2. Conceptual Authentication Examples [[4]]

Combining two or more constitutes to Two-Factor or Multi-Factor authentication. Single Factor authentication is the easiest, basic and weak form of authentication. It consists of using combination of username, password or pin to access restricted resources. [[5],[6]]

Below is list of companies who are using multi-factor authentication and brief description of it.

• Google – they use 2-step verification where code is sent to your mobile device to verify your identify. They also offer support for USB security keys. [[7]]
• Facebook – Similar to Google, Facebook use 2-step verification where code is sent to your mobile device as well as support for USB security code generators. [[8]]
• Instagram – The site is in process of rolling out 2FA using security codes upon login. [[9]]
• Apple – Apple uses 2-factor authentication across the board whether you are accessing on of their devices, iTunes, iBooks, App Store or Apple Music. [[10]] Apple has started integrating Biometric authentication known as Face ID with its new Product offerings.
• Microsoft – Uses 2-factor authentication to secure its offerings of Outlook.com, One Drive, Xbox Live, Skype and all Office Suite products. [[11]]

Detailed descriptions on how to use two-factor authentication is covered thorough in PC Magazine article by Eric Griffith, Two-Factor Authentication [[12]]

 All the advancements but we are still hearing about the attacks over and over again. IBM Force-X Threat Intelligence Index 2017 report provides a very interesting insight. Although, companies are taking precautions, applying security measures yet there are new avenues that open up which makes users and ultimately the company and its IT resources vulnerable to harm and exploitation.
 

Figure 3. Attack sources by the Industry, Year 2016 [[13]]

 Healthcare and Financial services are biggest culprits where attack sources accounted 71 and 58 percent as Insiders whether someone with bad intentions or someone who accidentally downloaded malware or fell victim of phishing attack. As we dive deeper into Information Security, we learn that we can plan, identify and mitigate most of risk factors except the human factor. Human element in itself when it comes to Information security is one of the biggest anomaly and unpredictable avenue that we have to navigate through. There are numerous security evaluations that are undertaken, countless frameworks, policies and procedures in place which are human created and at the same time most vulnerable by the humans.

 There are numerous studies done to identify, understand why do we do, what we do. Contextualized messages appeal to psychological weaknesses which makes us more susceptible to phishing. [[14]] Cognitive neuroscience provides us more insight on how carefully constructed phishing attack may activate basic emotions that would persuade to do something harmful, which they might not do otherwise. We all are distinct and unique individuals, there are so many different factors define who were such as behavioral traits, demographics, personality, habits, preference that trigger us to make some irrational actions.

Phishing attacks are becoming more and more sophisticated which makes it really hard to decipher. Below is very popular example of PayPal phishing email. Even after repeated awareness, user training and briefing about the incidents, they take advantage of human tendency to make snap judgement based on initial impression of the message presented.

Figure 4. PayPal Phishing Email example [[15]]

 Recent phishing incident that occurred at Augusta University, it hits too close to home for comfort. Investigation in the incident has revealed that close to 417,000 people were affected by the breach. [[16]] Subsequent investigation also determined that there was another breach in September 2017. There has been lot of corrective action taken since the incident, personnel changes, wide-spread across the board implementation of multi-factor authentication, stringent email screening programs are deployed, training materials, policies and procedures have been updated and re-iterated to prevent such threats from transpiring again. Next step to further the efforts, would be to create directed, context-based training programs that target specific group of users such as health-care workers, IT, leadership, students which focuses on how they can be exploited using their work habits and usage of IT resources. Demographics also play a vital role in understanding the behavior and thus, helping create target training material for specific scenarios and specific segment of user group. [[17]]

One another factor that also expands the human element is Optimistic Bias which is defined as underestimation of the likelihood or probability of experiencing negative events. We as human beings have a tendency to underestimate the risk that we take on daily basis and that we can be exposing us to great ordeal. We have a tendency to think that we will have less exposure compared to the next person in likelihood of the risk materializing. When evaluating Information security such Optimistic bias exists, people tend to put more weight on the likelihood of a negative event taking place and how it affects them compared to other vs. evaluating the risk as related to information security. [[18]]

Researchers have identified two key factors influencing optimistic bias – Perceived Controllability and Social distance of comparison target. Perceived controllability refers to capability of producing desired and preventing undesired events. There are three beliefs system that contribute to the perceived controllability

• Control belief – Extent to which a person can produce desired or prevent undesired events.
• Capacity belief – Extent to which a person possesses or has access to certain means.
• Strategy belief – Extent to which certain means are sufficient conditions for the productions of ends or outcomes.

The exaggeration of the perceived controllability is called illusion of control. [[19]]

The nature of comparison targets influences to the degree to which people display optimistic bias. Social distance gives another parameter in understanding human behavior when it comes to understand human tendencies when it comes to Information Security. Information is shared in different ways, scenarios and variety of different stakeholders that we deal with every day. We are more likely to share information that we are familiar with, people who we are comfortable with and some kind of connection with. The overall perception of unknown people is very skewed and often related to being negative experience, we are taught day in and day out to not interact with strangers. This concept relates back to control, we are willing to share with people we know (things we can control) and are closed off to sharing with unknown people (who are unpredictable and cannot be controlled). [[20]]

Understanding Perceived Controllability and Social distance of comparison target helps us make a point about user tendencies with regards to information security, risk and negligence towards it. Users do not see the value of the security measures in place thereby they do not correct the behavior or practice sound judgement when it comes to dealing with something that seems out of place or different, making them less proactive when it comes to letting the risk trigger materializing. [[21]]

 Even though despite numerous efforts to secure IT infrastructure and assets, there is certain part that we cannot control as much as we would like. Organization do not have enough insight in employee daily routines, tasks they perform, applications they use and how they use it. Organization take enough measures to secure the perimeter, but no matter what you do there is no defense against the threats if it originates from the inside. Firewall logs, audit logs, error logs for application or database can be very time consuming to decipher or detect an insider threats.

Thus, it warrants need for mechanism that would help uncover threats, act proactively so that it doesn’t compromise the infrastructure and provide the optimal safeguard against IT assets, which brings us the concept of Behavioral Analytics or more commonly also known User Behavioral analytics.

Another avenue that has been getting a lot of traction to mitigate human element is behavioral analytics. The combination of multifactor authentication with behavioral analytics allows the companies get better handle on security risks as they transpire, they can tweak security enforcement. If it seems to be normal operations that has very low risk factor, additional authentication parameter can be suppressed. We can never be less cautious, we have to be diligent and always be ready to act when possibility of risk becomes apparent. Every layer of added security layer helps to protect IT assets. More and more companies are now adopting risk- based approach that uses multifactor authentication, taking into account location, behavioral analytics and numerous other way to validate the user. [[22]]

There is a plethora of data being collected every day, access logs, audit logs, errors log and different auditing capabilities at our disposal, this data can be used to create analytics model that can help understand user tendencies, it can also aide in the legal and compliance regulations. Combining Forensic data analytics along with dynamic authentication schemes would minimize human element as much as possible.

 Usability in user authentication is affected by Contextual factors such as human, technology and design. As security threats evolve, we have to be mindful and understand that traditional one-size fits all design approach doesn’t work anymore. The need for adaptability, need for ways to create methods that adapt to uniqueness of the users. [[23]]

So why are surveillance programs that are intrusive, invasive to privacy essential and why they play a vital role. There are numerous reasons to justify that but primarily [[24]]

• Malicious actors try to evade enterprise controls that rely on perimeter-focused security monitoring or identity access controls
• Security or compliance teams receive more alerts and false positives than they can manage.
• Enterprises often don’t have strong security controls or visibility into employee use of third party applications
• Legacy security applications used to investigate alerts are cumbersome and time-consuming.

Behavioral analytics with collections of in-depth data about usage, can give us a foresight into user behavior. Companies can start preventing threats proactively rather than being reactive to security threats that would be disruptive. Proactively thwarting security threats fulfills our goal of overall approach to deterring threats as much as we can. In-depth collection of data, analysis of data would give us trigger points that would detect any variation in user behavior from the norm and notify, alert the right personnel to take corrective action before something disastrous takes place.

Superior, robust, dynamic and agile surveillance systems with behavioral analytics provide them following results that can ultimately aid in legal and compliance issues. [[25]]

• Monitor and investigate rogue employee activities

• Detect theft of critical digital assets
• Elevate controls, risk escalation methodologies, while improving business processes flow and governance
• Deploy customized, user-friendly interfaces that aggregate data to identify key risk areas or performance improvement opportunities.

Behavioral analytics can be further integrated and expanded to mine the date from various social media sites to create more robust, streamlined and predictive analytic approach. At the end of the day, we all operate on public perception. We are more like to engage in business with firms that are breached or always in wrong lime light. We would rather pick to work with company who has sound operations, furthering our optimistic bias. 

There are three things to keep in mind while implementing successful behavioral analytics.

1. Collect all the information you can lay your hands on. Today’s data trend, there is always something that is left behind bread crumbs, needle in the hay stick. No matter how careful someone can try to be, there is always a possibility of slight variation and sometimes that slight variation can help us detect the variance in behavior.
2. Use state-of-the-art machine learning tools. Technology evolves every day and makes strides, improves the model and can get more results efficiently and at better cost. Also, when needed bring in the experts in Information security to help implement solutions.
3. Reiterate. Security threats are constantly evolving, so is the behavior pattern. For e.g. doing something wrong the first time, can make a user feel uncomfortable. Doing the same thing wrong over and over again, user gets used to the process and hardly any anomaly is detected in behavior patterns. So, to counteract that, we have to constantly revisit, rework, retweak and re-analyze the processes in place.

When implementing behavioral analytics solutions, it should be evaluated based on use cases and ability to work seamlessly. [[26]]

1. Compromised User Credentials – the solution should be able to easily detect if hackers have controls of network user’s credentials
2. Privileged User Compromise – solution should be able to detect compromise of system accounts, as they are only used for emergent situations
3. Executive Assets Accessed – Devices used by Senior executives are very prominent targets as they have elevated access and access to much more company resources
4. Insider Threat – Solution should be able to detect deviation from regular usage of regular user, whether they are accessing something they are not supposed to or they are trying to engage in activities that would cause harm to the organization.
5. Account Lockouts – Solution should be able to distinguish between system account lockout due to brute force attack or it is a user that has either entered the password wrong too many times and have been locked out.
6. Account Creations – Solution should be able to detect on-fly account creations, ability to differentiate if the account is being created during normal operations or in a random fashion.
7. Account Sharing – Solution should be able to detect who is using the shared account when such accounts are used for system maintenance or operations. It should be able to create some kind of accountability and have enough data to justify the same
8. Service Account Classification – Solution should be able to monitor and detect any odd behavior depicted by the service accounts. Typically service accounts are used to start, run or stop services used by consumers. Service accounts are never used to login to front end systems, it should be able to detect that.
9. Dormant User accounts – Solution should provide a periodic list of inactive accounts and able to lock & expire those accounts.
10. Security Alert Investigation – Solution should provide as much information no matter how minimal and take all necessary steps to carefully evaluate every security alert that system generates.
11. Account Investigations – Solution should be able to provide ad-hoc reports that aid in investigation or compliance for internal audit purposes or any disciplinary actions.
12. Breach Forensics Review – Solution should be able to provide full system dump of data if and when Severe data breach has transpired and able to aid in investigation.

Conclusion

Information Security is challenge that is ever-evolving, no matter what steps, method or practices are followed there is always some way that exploits get through. The best defense against any threat to Infrastructure is deterrence. Deterrence starts with educating, training the USER base with threats that we work around, the best way to navigate around it and consequences for not complying. We also looked at the process of Perceived controllability and optimal bias that render user and their cognitive abilities to make mistake that can snowball into something bigger for organization. Multi-Factor authentication is needed to secure IT resources but the best security solution can be provided when it is paired with behavioral analytics.

References

• 12 Simple Things You can do to Be More Secure Online by Neil J. Rubenking, Jill Duffy
• Protect Your Firm and Clients with Multi-Factor Authentication by Jim, Boomer
• Two-Factor Authentication: Who Has it and How to Set it up by Eric Griffith
• Companies need more than Two-Factor Authentication to Keep users safe by Sridhar Muppidi[27]
• Simplify Access Control with Smartphones by Penny, Jannelle
• Multi-Factor Authentication: A Survey by Aleksandr Ometov, Sergey Bezzteev, Nio Maktialo, Sergey Andreev, Tommi Mikkonen and Yevgeni Koucheryavy.
• Got Phished? Internet Security and Human Vulnerability by Sanjay Goel, Kevin Williams & Ersin Dincelli
• Unrealistic Optimism on information security management by Hyeun-Suk Rhee, Young U. Ryu, Cheong-Tag Kim
• Perceived Control, motivation and coping, Book by Ellen A. Skinner
• Surveillance and Behavioral Analytics: A match made in heaven by Todd Marlin and Scott Jarrell
• Security and Usability in Knowledge-based user authentication: A review by Katsini, Belk, Fidas, Avouris & Saramas
• IBM X-Force Threat Intelligence Index 2017 published by IBM

[1] 12 Simple Things You can do to Be More Secure Online by Neil J. Rubenking, Jill Duffy