The need for Mutual Authentication


Tom Brett 22-Jan-2016

Abstract

With the increased use of online services and the growing frequency of cyber breaches, the need for better security has never been more important. When IT systems and websites are analysed, the user is commonly found to be the weakest link, often fooled into disclosing part or all of their login credentials to others masquerading as a system, process or colleague. These login credentials are used to identify and authenticate users to systems, whoever they may be. Because users still reuse passwords across multiple sites and applications, and because of the number of phishing sites being set up, the protection of login credentials is paramount to the security of any, and possibly all, systems. In order to protect systems and users against these types of attack, it is imperative that organisations develop and implement systems incorporating mutual authentication before passwords are submitted for authentication purposes.

Keywords: Authentication, Authorisation, Identification, CIA, Phishing, two way authentication, mutual authentication

Current Technology Trends

The world that we live in has vastly changed over the last decade, although some have been doing it for up to 25 years (Helman, 2015). We are now living in a ‘connected world’ where we are constantly engaging and communicating online, and the separation between our physical and online presence is becoming increasingly blurred.
The following tagline from Huawei’s website illustrates the company’s prediction for the near future:

“Soon connectivity will be everywhere, improving life even in the far reaches of the world” (Huwaei.com, 2015)

The number and type of devices being connected is increasing all the time. This explosion has given rise to the term ‘Internet of Things’ (IoT), where people now interface with devices such as door bells, kettles and watches from their internet-connected networks, in a push to access and control literally everything from any device. A report from Gartner states that there will be 6.4 billion connected devices in 2016, an increase of 30% over 2015 (Gartner, 2015).

A huge problem with this explosion is that companies want access to data, and this data is considered the new oil. The first reference to this idea that I could find was from 2006 by Michael Palmer, who states in his blog that “Data is just like crude. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity” (Palmer, 2006).

Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/

As has been seen in the past, when there is a rush for connectivity, security is often neglected or treated as an afterthought, leaving vulnerabilities which can be used to compromise systems and gain access to this valuable data. With the increasing number of vulnerabilities being identified in devices, some are starting to brand the ‘Internet of Things’ the “Internet of (Insecure) Things” (Fruehe, 2015). A recent study and report from HP (Hewlett Packard Enterprise, 2015) highlighted a number of concerns, including the following:

  • 80 percent of the devices studied raised privacy concerns
  • 70 percent of devices used unencrypted network services
  • 6 out of 10 devices studied used user interfaces which were vulnerable to a range of known attacks like persistent XSS and weak credentials
  • 80 percent failed to require long or complex passwords

As these devices become interconnected, a simple vulnerability in a single device may be used to compromise all of the other interconnected devices; an example of this could be the disclosure of authentication credentials or encryption keys in plain text from one device to another.
Several such vulnerabilities have been exploited: some devices have even been found to ship with malware included in their firmware (Kirk, 2014), and other devices have been found to store wireless keys and passwords in plaintext (Kumar, 2016). This, coupled with less secure systems popping up to hold and manage the data, creates a concern. During the time I have been writing this article, a new headline reports that the Personally Identifiable Information (PII) of 191 million U.S. voters has been compromised in a single incident because of a misconfigured database (Ragan, 2015).

As these devices share more information, our online profiles are growing. This, along with the increased value of data and PII, creates an increasing need to secure and control access to this information, as cybercriminals will invest more time and resources to gain access. There is also the new European Data Protection Regulation coming into effect, under which strict fines will be imposed for breaches leading to data leaks, so organisations now have a legal as well as a moral obligation to implement adequate levels of security.

Access Control and the three A’s

Access is the flow of information between a subject and an object: the subject is the active entity which requests access and the object is the passive entity to which access is requested. Access is not only required by users to reach systems and data; it is also required by systems and applications. A subject can therefore be a user, a program or a process, and an object can be a computer, a file, a database, etc.

CIA Triad

Security as a word is a broad term. When dealing with security in information systems we want to be more specific, so we break the overall term into three distinct categories: confidentiality, integrity and availability. These three categories of security are commonly known as the CIA Triad.

Confidentiality: ensuring that only the authorized entities have access

Integrity: ensuring the accuracy of the information held

Availability: ensuring that resources are available as and when needed.

The Triple A System of Authentication, Authorization and Accountability

When working with security, it is not enough simply to control access to objects; we also need to identify and record which objects have been accessed by which subjects and what tasks were performed on them (read, write, etc.).

In order to maximise our effectiveness in securing resources we implement the triple A system, which according to TechTarget.com “is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.” (Rouse)

This ‘Triple A’ system consists of authentication, authorisation and accounting, each of which is briefly explained below:

Authentication

Identification is used to present an identity to a system. Identification alone is just a claim: when identifying itself, the entity claims to be a particular person or process. Identification on its own is considered weak, as we cannot simply accept a subject’s expressed identity, so the subject proves its identity by providing some evidence such as a password or another form of proof, for example a smart token or a biometric scan. Providing the proof that a subject is in fact who they claim to be is known as authentication.

Authorization

Authorisation determines what the subject may perform (for example read, write, etc.) on the object. There are numerous methods of controlling what can be performed; these are known as access control models. Examples include Discretionary Access Control, Mandatory Access Control and Role Based Access Control.

Accountability

Accountability is the measuring and/or recording of what was accessed by the entity. It is extremely important to record what is performed in order to audit and report on the effectiveness of any system, to identify what subjects did to objects, and potentially to hold subjects accountable or to remediate and reduce risks.

Factors of Authentication

There are three factors of authentication:

Type 1. Knowledge Based – Something you know
Type 1, or what you know, involves proving your identity by use of a secret phrase or password that you have previously shared with the system. What you know is the most common form of authentication, but it is also one of the most open to attack if not used correctly. This will be addressed later in the section entitled ‘Common Risks and Attack Methods’.

Type 2. Token Based – Something you have
Type 2, or what you have, involves the use of something in your possession; this could be a smart card or some other device (a smart card is a credit-card sized card with an embedded certificate used to identify the holder).

Type 3. Characteristic Based – Something you are
Biometric methods provide the something you are (type 3) factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting and voice analysis.

Type 1 is the least secure, with type 3 generally considered the most secure. The editors of the Official ISC2 SSCP CBK state that “knowledge-based devices can be more easily defeated than characteristic-based devices” (Contesti, Andre, Waxvik, Henry, & Goins, 2007).

Multifactor Authentication

Figure 2: RSA SecurID Token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm

Where an increased level of security is required, multifactor authentication can be used. In multifactor authentication the subject must present more than one method to prove their identity. A common example is where a Visa card is presented along with a PIN code; this combines type 1 and type 2 factors, which creates a stronger and more secure authentication method because an attacker now needs to possess the card as well as know the PIN code to gain access, or in this case to purchase goods. For this reason multifactor authentication is commonly referred to as strong authentication.
Multifactor authentication is still susceptible to attack, but it reduces the risk. Other examples include token-based systems (see Figure 2) (EMC.com), whereby a device provides a code which must be entered along with the user’s password to gain entry to a system.

Common Risks and Attack Methods affecting Authentication Systems

The User

As Thomas Reid (Reid, 1786) wrote in his essay, “In every chain of reasoning, the evidence of the last conclusion can be no greater than that of the weakest link of the chain, whatever may be the strength of the rest.” This has been widely adapted into the figurative phrase that a chain is only as strong as its weakest link, and when it comes to information systems and user authentication, the weakest link is most commonly the user. Without wishing to seem completely against the user, the user’s habits and bad practices can easily compromise a system, and even knowledgeable, trained staff have been known to fall victim to spear phishing and social engineering attacks.

Type 1 Authentication

Type 1 authentication is generally considered the easiest to beat; the level of difficulty depends on a number of practices, including the following:

  • Complexity: creating the phrase from alphabetic, numeric and non-alphanumeric characters
  • Length: the longer the phrase, the more difficult (longer to crack, time-wise) it is to attack
  • History: not allowing a previous password or phrase to be repeated until a set amount of time has passed or a set number of changes has occurred.

One also has to consider that the more complex a password is, the more likely it is that a user will record it somewhere and also use it on multiple systems. This is especially true when it comes to long passwords or phrases.

Some common methods of compromising Type 1 authentication

Dictionary and brute force attacks: both dictionary and brute force attacks are methods where the attacker uses a program to automate the entry of the user’s credentials. The difference between the two is that in a dictionary attack the attacker uses a prebuilt file of common passwords and phrases, whereas in a brute force attack the attacker tries every combination of characters to break the password. Both are extremely powerful, with dictionary attacks being considerably quicker, which is why users should not use common phrases.

Key loggers: key loggers are devices and/or software used to record the keystrokes entered into systems. They can either write the data to files or to ROM (in the case of devices), or alternatively transmit the captured keystrokes to a remote application or database.

Social engineering: social engineering attacks are considered the least technical and are the first choice for many attackers. Social-Engineer.org define social engineering as “a blend of science, psychology and art. While it is amazing and complex, it is also very simple.” They go on to describe it as “Any act that influences a person to take an action that may or may not be in their best interest.” (http://www.social-engineer.org/)

Phishing attacks: phishing is a type of attack whereby the attacker masquerades as a legitimate subject or organisation, contacting the user by e-mail, SMS or another channel in order to gain access to the user’s personal information and/or credentials. Phishing attacks are covered under their own heading later in this paper.

Education can be used to reduce the risks associated with type 1 authentication. staysafeonline.org have published the following list of tips for securing accounts and passwords (Alliance, n.d.):

  • Not to share your password with others.
  • Make your password unique to your life and not something that is easily guessed.
  • Have a different password for each online account.
  • Write down your password and store it in a safe place away from your computer.
  • Change your password several times a year.

Even with all of the advice commonly given on many websites and in many articles, it is still very common for users to reuse their password on more than one website. A frightening statistic was released in an online article on SecurityWeek.com, which reported that BitDefender conducted a study of over 250,000 user accounts for social networking sites and found that 75 percent of the username and password combinations were identical to those of the users’ email accounts (SecurityWeek.com, 2010). A more recent study commissioned by TeleSign in 2015 concluded that 73 percent of online attacks use duplicated passwords, that more than half of consumers (54%) use five or fewer passwords in their whole life, and that 22% use just three or fewer (Telesign, 2015).

Type 2 Authentication

The benefit of Type 2 authentication is that the attacker must obtain something that the subject possesses in order to gain access to a system. A disadvantage of these systems is that users can become over-confident about the security this provides and may be careless with the devices they possess. Some devices can be cloned easily (for example RFID cards), and devices can also be lost or stolen, allowing an attacker to gain access to a system easily.

Type 3 Authentication

Although biometrics is generally considered the most secure form of authentication, it too is prone to errors. There is always the likelihood of a misreading, which can be caused by a number of factors: in signature dynamics, for example, it could be a change in the way a user signs their name due to a differently placed work surface or an injury; it could be caused by direct sunlight during the scan; or even by dirt on the subject’s hand or finger during a fingerprint or palm scan.

In order to reduce login errors, the system sensitivity is adjusted.
When the system is adjusted to accept only exact matches, type 1 errors (false rejection) occur, which is when a user who should be authenticated is refused. When the system is adjusted to accept more deviation in the biometric scan, this introduces type 2 errors (false acceptance), which is the possibility of an unauthorised user being accepted. The point at which the type 1 and type 2 error rates meet as the sensitivity is varied is known as the Crossover Error Rate (CER).
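As an added worked example (not from the article), the following Python sweeps a biometric decision threshold over two constructed sets of match scores, computes the false rejection rate (type 1 errors) and false acceptance rate (type 2 errors) at each threshold, and locates the threshold at which they meet, i.e. the CER. The score values are made up for illustration and stand in for whatever similarity measure a real sensor produces.

```python
"""Added example: locating the Crossover Error Rate (CER) of a biometric matcher.

The scores below are constructed sample data in the range 0..100, where a
higher score means the presented scan is closer to the enrolled template.
They are not output from any real biometric system."""

GENUINE_SCORES = [62, 70, 74, 78, 81, 84, 86, 88, 91, 95]    # legitimate users' scans
IMPOSTOR_SCORES = [40, 48, 55, 60, 64, 68, 72, 75, 79, 83]   # other people's scans


def false_rejection_rate(genuine, threshold):
    """Type 1 error rate: fraction of legitimate scans scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type 2 error rate: fraction of impostor scans scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for every candidate threshold: tightening the threshold
    pushes FRR up and FAR down, loosening it does the opposite."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_threshold(genuine, impostor, thresholds=range(0, 101)):
    """Threshold at which FRR and FAR are closest; their common value there is the CER.
    Returns the (threshold, FRR, FAR) row."""
    return min(error_curve(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 96, 5)):
        print(f"threshold {t:3d}: FRR {frr:.1f}  FAR {far:.1f}")
    t, frr, far = crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER ~ {frr:.1f} at threshold {t}")
```

With these sample scores the two error rates meet at a threshold of 75, where both are 0.3; a deployment would tune the threshold to one side of that point depending on whether lock-outs of legitimate users or acceptance of impostors is the costlier failure.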

Multi factor Authentication

Although multifactor authentication reduces the risk of a site and account being compromised, it is still open to attack. Attacking multifactor authentication involves the attacker gaining access to each of the authentication methods used, which means more work for the attacker, but systems can still be compromised via man-in-the-middle attacks, trojans, account recovery attacks, etc. An article published in ComputerWeekly.com states that while using multiple different types of authentication, including biometrics, is excellent at protecting the login process of devices, “these technology options will not protect organisations if users reuse the same insecure passwords on other systems that use only single-factor, password-based authentication.” (McLaughlin, 2011)

Phishing

Figure 3: Phishing

Phishing is a type of fraud. It can happen in a variety of ways, from attackers sending emails or using other channels of communication to setting up fake websites.
The function of phishing is clear and simple: to obtain credentials or account information by masquerading as a reputable entity. According to Visa, “Phishing refers to scams that attempt to trick consumers into revealing personal information that can be used to commit fraud. Such scams can happen over the phone, email, mail and text message. Phishers often target users with fake internet sites or email messages that are disguised to seem legitimate, or leverage social networking sites where users are already sharing information with others.” (Visa.com, 2015) ISC2 give a similar definition: “Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.” (ISC2, 2015)

Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/

Phishing is a popular technique among cybercriminals because it is easier to trick a user into disclosing credentials than to break through a system’s defences. Users are often intrigued by phishing emails and wonder who would fall for them; some of these emails are badly designed and contain numerous spelling and grammar mistakes, but others look professional and can be difficult for the untrained user to spot. A recent whitepaper by Mimecast informs us “that 91% of all hacking begins with an email-based phishing or spear-phishing attack” (Mimecast, 2015). RSA, the security division of EMC, report that they identify “a phishing attack every minute”, and further inform us that in 2014 “Phishing attacks cost global organizations $4.5 billion in losses” (RSA). Current research does, however, show an overall decline in the use of phishing attacks: this can be seen in an online report entitled Spear-phishing statistics from 2014-2015 by infosecinstitute.com, released in mid-2015 (see Figure 4), and the same trend is evident in research conducted by Kaspersky Lab, illustrated in the following graph (Figure 5).

Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015. Retrieved from http://www.kaspersky.com/about/news/virus/2015/Spam-and-Phishing-in-Q1-New-domains-revitalize-old-spam

The frequency of these attacks can and does fluctuate with high-profile events. As an example, Kaspersky Lab reported an increase in phishing mails due to the war in Syria, stating that “Widespread media coverage has increased international interest in the plight of Syrian citizens, and this has led Nigerian scammers to jump on the bandwagon and exploit the kindness of strangers looking to help those affected by events in the Middle East.” They also state that although most of the emails are in English, they are also being sent in German, French and Arabic, and that these emails “claim to be from Syrian citizens seeking asylum in Europe and request assistance in investing large sums of money” (Kaspersky Lab, 2015).

Although the widespread use of phishing may have decreased, there has been an increase in more targeted spear phishing and whaling campaigns. This is emphasised by a security alert issued on the third of September 2015 by SMX Secure Cloud Solutions, which reports a rise in targeted emails (spear phishing) and goes on to state that “We would also like to warn that attackers are undertaking sophisticated whaling attacks, researching and identifying ‘big fish’ within an organisation. These individuals are then attacked with a combination of social engineering and email spoofing techniques in order to elicit funds” (SMX Cloud Solutions, 2015).

Kaspersky Lab also identify an increase in the use of targeted phishing against customers of DHL and FedEx during the weeks leading up to Christmas, as attackers exploit online shoppers’ spending sprees (Kaspersky Lab, 2015). An example of one such email can be seen in Figure 6.

Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/

All of these facts clearly show that phishing attacks are still very relevant and illustrate the importance of managing the risk accordingly.

Types of Phishing attacks

Spear phishing

Spear phishing is a type of attack directed at specific individuals, roles or organisations. Because these attacks are aimed specifically at an entity, the attacker may go to great lengths to gather information which can be used to make the attack more believable, thereby increasing the likelihood of success.

Whaling

Whaling is a type of phishing attack aimed specifically at executive officers or other high-profile targets. These are also generally aimed at a specific organisation, role or individual, so whaling can generally be categorised as a sub-form of spear phishing.

Smishing

Smishing is a type of attack sent through an SMS message, consisting of a message and either a bogus URL, a telephone number, or a request for an SMS response.

Vishing

Vishing is a type of attack where an automated system is used to make calls and a recorded message is played requesting login details. The system may ask you to call back, or to enter your PIN or passphrase, with a view to recording it and using it at a later time.

Avoiding phishing scams

Although the best defence against any type of phishing attack is user knowledge and training, there are some general guidelines and best practices.

APWG.org identify the following main points (APWG Anti-Phishing Working Group):

  • Be suspicious of any email or communication (including text messages, social media post, ads) with urgent requests for personal financial information.
  • Avoid clicking on links. Instead, go to the website by typing the web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option.
  • Don’t send personal financial information via email, and avoid filling out forms in email that ask for your information.
  • Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.

Other general guidelines include checking website digital certificates and validating email and website addresses, including checking that they are spelt correctly.

To combat phishing scams, most online organisations now communicate the common message that they will never ask you for your credentials. The figure below shows an example from PayPal (Figure 7) (PayPal.com).

Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity

These messages generally provide examples of suspicious emails and may set out the steps to take in the event that you have been caught by such an attack.

What to do if you think that you have been phished

Whether you have fallen victim to a successful phishing attack or have simply received a communication you suspect to be a phishing scam, do not click on any of the links. Check the source of the message and contact the organisation that supposedly sent it using another form of communication, either by opening its website directly or by calling its support number.

One of the biggest problems with phishing messages is that when we detect one we simply delete it; the problem here is that less experienced users may not identify it as a hoax and may act on it. Organisations should train users on how to identify hoax messages and provide a point of contact to which suspicious messages can be sent. Organisations can then also create their own phishing messages to audit and report on the effectiveness of training within the organisation, and can publicise the types of phishing scam emails to users to raise awareness, as illustrated by this example from Arizona State University:

https://getprotected.asu.edu/phishing#accountexpirationalert

Does multifactor authentication help reduce Phishing attacks

This really depends on the type of multifactor authentication and how it is used. The most common methods of multifactor authentication currently involve sending an SMS message or email to the registered user’s account containing a code or challenge; this code, or the answer to the challenge, must then be entered by the user during the login process to fully authenticate with the site. An example of this type of login would be as follows:

  1. User opens login page
  2. User enters username and password combination
  3. Site sends a phrase or code to the user via SMS or email
  4. User enters the code
  5. The code is checked and if valid access is granted.
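The five-step flow above, modelled server-side in Python as an added example (this is not code from the article): the password is verified first, and only then is a random, single-use, short-lived code sent to the channel registered for the account, with a cap on wrong guesses. The user record, the delivery callback and the clock are constructed stand-ins; a real site would plug in its SMS or email gateway where `deliver` is called. Note the ordering this flow imposes: the password has already been transmitted and checked before the second factor comes into play.

```python
"""Added example: password-then-code second-factor login (steps 1 to 5 above).

The user store, the delivery hook and the clock are constructed for the
example; nothing here talks to a real SMS or email gateway."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
CODE_TTL = 300            # seconds a delivered code stays valid
MAX_ATTEMPTS = 3          # wrong guesses allowed per delivered code

USERS = {}                # constructed user store: username -> record


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username, password, phone):
    """Enrol a user with a password hash and the phone/email the code is sent to."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "phone": phone}


class SecondFactorLogin:
    def __init__(self, deliver, clock=time.time):
        self.deliver = deliver   # callable(phone, code): sends the SMS / email (step 3)
        self.clock = clock
        self.pending = {}        # session id -> outstanding code state

    def step1_password(self, username, password):
        """Steps 1-3: verify the password, then send a fresh code.
        Returns a session id to carry into step 2, or None on failure."""
        user = USERS.get(username)
        if user is None:
            return None
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):
            return None
        code = f"{secrets.randbelow(10**6):06d}"       # six random digits
        session = secrets.token_urlsafe(16)
        self.pending[session] = {"user": username, "code": code,
                                 "expires": self.clock() + CODE_TTL, "attempts": 0}
        self.deliver(user["phone"], code)
        return session

    def step2_code(self, session, code):
        """Steps 4-5: check the code. Returns the username on success, else None.
        A code is consumed on success, on expiry, or after MAX_ATTEMPTS wrong guesses."""
        state = self.pending.get(session)
        if state is None:
            return None
        if self.clock() > state["expires"]:
            del self.pending[session]
            return None
        state["attempts"] += 1
        if hmac.compare_digest(state["code"], code):
            del self.pending[session]                 # single use
            return state["user"]
        if state["attempts"] >= MAX_ATTEMPTS:
            del self.pending[session]
        return None


if __name__ == "__main__":
    outbox = []
    register("alice", "correct horse battery", "+15550100")   # constructed account
    login = SecondFactorLogin(deliver=lambda phone, code: outbox.append((phone, code)))
    session = login.step1_password("alice", "correct horse battery")
    print("code delivered to", outbox[-1][0])
    print("logged in as", login.step2_code(session, outbox[-1][1]))
```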

Problems with these types of multifactor authentication

The main problem with multifactor authentication here is that it is only designed to protect and prevent access to the site or application. Considering that many users reuse their passwords, and that the login username is generally their email address, this leaves the user still open to being phished if a site is copied: the fact that the phishing site does not send the SMS or email is irrelevant, as the user’s credentials have already been sent.

Multifactor authentication could even be turned to the attacker’s advantage: a hoax login page could inform the user that new challenges have been introduced to increase security, and that they must enter a mobile number to associate with their account, after which they will receive an SMS message with a code that has to be entered before login. This code could be a single static code and might not even be validated, and given the number of SMS messaging applications and devices available, the SMS may not be traceable back to the sending device.

Better Authentication approaches for dealing with Phishing scams

In order to protect a user’s credentials from phishing-site scams, it is important to limit the credentials which a user needs to submit to get authenticated and instead to provide some form of one-time password. A one-time password is just that: a password or passphrase which can be used only once. This is not new; several versions have been used over time within enterprise environments for staff, just not with the general public. With the more common ones, a piece of software or a token device of some sort is in the possession of the user. When the user logs in, they are either asked for a value from the device, or alternatively they are presented with a challenge which the user enters into the device to obtain a response; this response is then used to authenticate the user.
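Both styles of one-time password just described, as an added example in Python (not the article's code, and not any particular vendor's token): the counter-based HOTP algorithm of RFC 4226 for the "value from the device" style, with a server-side verifier that accepts each code only once and tolerates a few counter steps of drift, and a challenge-response function for the second style, where the server issues a random challenge and the device answers with an HMAC over it. The shared secret used in the usage section is the published RFC 4226 test key, so the generated codes can be compared with the RFC's own test vectors.

```python
"""Added example: HOTP one-time passwords (RFC 4226) and HMAC challenge-response.

The secret used below is the RFC 4226 test vector key, not a real credential."""
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**digits:0{digits}d}"


class HotpVerifier:
    """Server side of the 'value from the device' style.

    The verifier remembers the next counter it expects, so a code that has been
    accepted (or skipped past) can never be replayed, and it searches a small
    look-ahead window so a token pressed a few times without logging in still works."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # c and everything before it are now burned
                return True
        return False


def new_challenge() -> bytes:
    """Server side of the challenge-response style: a fresh random nonce per login."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Computed on the device from the displayed challenge and recomputed by the server.
    Because the challenge is random and used once, the answer is worthless afterwards."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 test key
    for counter in range(3):
        print(counter, hotp(secret, counter))   # 755224, 287082, 359152 per the RFC
    verifier = HotpVerifier(secret)
    first = hotp(secret, 0)
    print("first use:", verifier.verify(first), " replay:", verifier.verify(first))
    challenge = new_challenge()
    print("challenge-response:", challenge_response(secret, challenge))
```

The verifier is deliberately stateful: the whole point of a one-time password is that the server must refuse the same value a second time, so the accepted counter only ever moves forward. The look-ahead window is a usability allowance that should stay small, since each extra step is one more code the server would accept.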

Mutual Authentication

In order to reduce the risk of a user’s credentials being captured via phishing scams, there is a growing need to introduce a method whereby the website (object) authenticates itself to the user (subject) as well as the subject authenticating itself to the object. This is where mutual authentication comes into play.

Shon Harris tells us that “Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication” (Harris, 2013). With mutual authentication, before any sensitive data such as a password is communicated to a website, the site must authenticate its identity to the subject accessing it, as well as the subject having to authenticate to the site. This can serve many purposes, but in this paper the aim is to prevent the unwanted disclosure of sensitive data to phishing sites.

The definition on Techtarget.com is as follows: “Mutual authentication is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce”. (Rouse, Mutual Authentication, n.d.)

Several methods of mutual authentication could exist. A simple version would be that upon registering, the user submits a graphic or phrase; when they go to log in, they supply their username and the image or phrase is shown to them before they enter their password.
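The simple phrase-based scheme just described, written out as an added Python example (not the article's code): at registration the user picks a recognition phrase; at login step 1 the client sends only the username and the site answers with the stored phrase; the client rule is to send the password in step 2 only if the phrase matches what the user registered. The `MutualAuthSite` class, its decoy-phrase behaviour for unknown usernames and the `client_login` helper are this example's own design, not from the article.

```python
"""Added example: site-authenticates-first login with a user-chosen recognition phrase.

Users, phrases and passwords below are constructed; the 'site' is an in-memory
object standing in for a web application."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class MutualAuthSite:
    def __init__(self, server_seed: bytes = None):
        self.users = {}
        # Secret seed for decoy phrases, so that looking up a username that does not
        # exist returns a stable, plausible phrase instead of revealing non-existence.
        self.server_seed = server_seed or os.urandom(32)

    def register(self, username: str, password: str, phrase: str) -> None:
        """Registration: the user supplies a password and a phrase they will recognise."""
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": _hash(password, salt),
                                "phrase": phrase}

    def _decoy_phrase(self, username: str) -> str:
        tag = hmac.new(self.server_seed, username.encode(), hashlib.sha256).hexdigest()[:8]
        return f"phrase-{tag}"

    def step1_identify(self, username: str) -> str:
        """Site -> user: echo the registered phrase. No password has been requested yet."""
        user = self.users.get(username)
        return user["phrase"] if user else self._decoy_phrase(username)

    def step2_authenticate(self, username: str, password: str,
                           user_confirmed_phrase: bool) -> bool:
        """User -> site: the password is accepted only once the user confirmed the phrase."""
        if not user_confirmed_phrase:
            return False
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(_hash(password, user["salt"]), user["digest"])


def client_login(site: MutualAuthSite, username: str, password: str,
                 expected_phrase: str) -> str:
    """The user's side of the exchange: refuse to release the password unless the phrase
    shown by the site is the one registered. Returns 'ok', 'bad-password' or
    'phrase-mismatch' (password never sent)."""
    shown = site.step1_identify(username)
    if not hmac.compare_digest(shown.encode(), expected_phrase.encode()):
        return "phrase-mismatch"
    return "ok" if site.step2_authenticate(username, password, True) else "bad-password"


if __name__ == "__main__":
    site = MutualAuthSite()
    site.register("bob", "hunter2-but-longer", "green teapot")      # constructed user
    print(client_login(site, "bob", "hunter2-but-longer", "green teapot"))   # ok
    print(client_login(site, "bob", "hunter2-but-longer", "blue kettle"))    # phrase-mismatch
```

The decoy phrase is a small hardening detail: without it, step 1 would tell anyone which usernames exist. It does not change the scheme's core property, which is that the user has something to check before the password leaves their hands.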

Google’s new Password Free Account Sign-In

Although primarily a two-factor authentication system, Google’s new password-free sign-in, which they are working on, also provides mutual authentication, as Google sends you a challenge on another platform or device known to be yours as part of the login process. It is designed so that the user does not have to enter their password; instead a challenge is sent and the system waits for a response from the user on another device known to be theirs, thereby providing multifactor authentication without exposing the user’s password.

The process is as follows. Please note that the images included in the following steps have been retrieved from Paul Rohit (Rohit, 2015) but have been modified to remove Paul’s credentials.

  • The user accesses the Google sign-in page
  • The user enters their username (email address) and clicks next
  • A page is displayed telling the user to check their phone and, when a notification appears from Google, to choose a specific value
  • The user accesses their phone, where a message from Google appears in the notification bar asking the user to confirm that they are trying to sign in
  • The user chooses yes
  • The user is then presented with a selection of choices and picks the one matching the value they were shown when they went to log in via the browser
  • The user is then logged in to their account in the browser

This offers several benefits:

  • The user never has to enter their password (although there is a facility to access the account in the event that they have no reception, etc.)
  • The system uses multifactor authentication involving something they know (username) and something they have (password)
  • As well as authenticating the user, the system also allows the user to authenticate the system, as they know that when they enter their username and click next, a response will be required from the other registered device.

Potential problems with the system

  • The main problem with this system is that if the user loses their phone and it is unlocked, an attacker will then easily be able to access the user’s Google account and data.
  • Google allows you to set up multiple accounts on multiple devices; I would presume that the user will pick the device which receives the challenge.
  • Although everyone needs


References

Alliance, N. C. (n.d.). Passwords & Securing Your Accounts. Retrieved 12 15, 2015, from https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/passwords-and-securing-your-accounts

APWG Anti-Phishing Working Group. (n.d.). How to Avoid Phishing Scams. Retrieved 12 29, 2015, from apwg.org: http://apwg.org/resources/overview/avoid-phishing-scams

Contesti, D.-L., Andre, D., Waxvik, E., Henry, P., & Goins, B. (2007). Official ISC2 Guide to the SSCP CBK. In Official ISC2 Guide to the SSCP CBK (p. 7). CRC Press. Retrieved 1 10, 2016

EMC.com. (n.d.). Hardware Tokens. Retrieved 12 20, 2015, from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm

Fruehe, J. (2015, 9 15). The Internet Of (Insecure) Things. Retrieved 1 9, 2016, from forbes.com: http://www.forbes.com/sites/moorinsights/2015/09/15/the-internet-of-insecure-things/

Gartner. (2015, 11 10). Retrieved 12 29, 2015, from gartner.com: http://www.gartner.com/newsroom/id/3165317

Harris, S. (2013). All-in-One CISSP Exam Guide (6th ed., p. 164). McGraw-Hill Companies. Retrieved 12 21, 2015

Helman, C. (2015, 4 14). Internet Of Things? We’ve Been Doing That For 25 Years. Retrieved 1 8, 2016, from forbes.com: http://www.forbes.com/sites/energysource/2015/04/14/internet-of-things-weve-been-doing-that-for-25-years/?ss=connect-world

Hewlett Packard Enterprise. (2015). Internet of Things Research Study. Retrieved 12 29, 2015, from http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf

Social-Engineer.org. (n.d.). What is Social Engineering? Retrieved 12 28, 2015, from social-engineer.org: http://www.social-engineer.org/

Huwaei.com. (2015). Better Connected World. Retrieved 1 9, 2016, from Huwaei.com: http://www.huawei.com/better-connected-world/en/

ISC2. (2015). Phishing Attacks. In Official (ISC)2 training Guide CISSP CBK (p. 87). ISC Press. Retrieved 12 10, 2015

Kaspersky Lab. (2015, 12 7). Nigerian Scammers Use the War in Syria to Extort Money from the International Community. Retrieved from kaspersky.com: http://www.kaspersky.com/about/news/spam/2015/Nigerian-Scammers-Use-the-War-in-Syria-to-Extort-Money-from-the-International-Community

Kaspersky Lab. (2015, 12 23). Phishing Messages Deliver Chaos to Consumers this Christmas. Retrieved 12 29, 2015, from kaspersky.com: http://www.kaspersky.com/about/news/spam/2015/Phishing-Messages-Deliver-Chaos-to-Consumers-this-Christmas

Kirk, J. (2014, 3 4). Pre-installed malware turns up on new phones. Retrieved 12 20, 2015, from PCWorld.com: http://www.pcworld.com/article/2104760/preinstalled-malware-turns-up-on-new-phones.html

Kumar, M. (2016, 1 13). How to hack WiFi password from smart doorbells. Retrieved 1 18, 2016, from thehackernews.com: http://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html

McLaughlin, M. (2011, December). A pen tester’s perspective on creating a secure password. Retrieved 12 22, 2015, from ComputerWeekly.com: http://www.computerweekly.com/tip/A-pen-testers-perspective-on-creating-a-secure-password

Mimecast. (2015). Countdown to Compromise: The Timeline of a Spear-Phishing Attack on Your Organization. Mimecast. Retrieved 12 29, 2015, from https://www.mimecast.com/globalassets/documents/whitepapers/ttp-whitepaper-2015.pdf

Palmer, M. (2006, 11 3). Data is the New Oil. Retrieved 1 9, 2016, from http://ana.blogs.com/maestros/: http://ana.blogs.com/maestros/2006/11/data_is_the_new.html

PayPal.com. (n.d.). Suspicious Activity. Retrieved 12 20, 2015, from https://www.paypal.com/webapps/mpp/security/suspicious-activity

Ragan, S. (2015, 12 28). Database Configuration issues expose 191 million voter records. Retrieved 12 29, 2015, from csoonline.com: http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html

Reid, T. (1786). Essays on the Intellectual Powers of Man. Retrieved 12 28, 2015, from https://archive.org/details/essaysonintellec02reiduoft

Rohit, P. (2015, 12 22). Retrieved from https://docs.google.com/presentation/d/1SgRcnhqMrUWvhBvrMrQRgn3zYfivdg1V8Pv0hc4unKo/edit#slide=id.p5

Rouse, M. (n.d.). Mutual Authentication. Retrieved 12 10, 2015, from TechTarget.com: http://searchsecurity.techtarget.com/definition/mutual-authentication

Rouse, M. (n.d.). Authentication, authorization, and accounting (AAA) definition. Retrieved 12 28, 2015, from TechTarget.com: http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting

RSA. (n.d.). RSA Online Fraud Resource Center. Retrieved 12 29, 2015, from http://ireland.emc.com/: http://ireland.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm

SecurityWeek.com. (2010). Study Reveals 75 Percent of Individuals Use Same Password for Social Networking and Email. Retrieved 12 9, 2015, from http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email

SMX Cloud Solutions. (2015, 9 3). SMX security alert: Spear phishing and whaling. Retrieved 12 29, 2015, from smxemail.com: https://smxemail.com/smx-security-alert-spear-phishing-and-whaling.html

Telesign. (2015). TeleSign Consumer Account Security Report. Telesign.com. Retrieved 12 22, 2015, from https://www.telesign.com/site/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf

Visa.com. (2015, 12 24). Security. Retrieved from Visa.com: https://usa.visa.com/support/consumer/security.html


Figures

Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/

Figure 2: RSA SecurID Token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm

Figure 3: Phishing.

Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/

Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015.

Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/

Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity

Figure 8: Recent phishing scams. Retrieved from https://getprotected.asu.edu/phishing#accountexpirationalert
