The dramatic increase in human dependence on IT systems has produced something even more dramatic: the amount of data those systems generate. Beyond business and professional endeavours, we also generate a great deal of digital data through personal activities. The facts about this digitization are mind boggling: ninety percent of all the data we have today was generated in the last two years. The rise of digital and smart devices has also contributed significantly to the growth of digital data.
But along with all the convenience and increased efficiency, threats to data security and privacy have also increased. At the same time, biometrics is gaining influence in identification and access control applications, and is being seen as the future of identity management.
This article discusses the data security crisis and biometrics as a possible countermeasure to it.
Image: Implementing data security and privacy measures beforehand is a far smarter approach than managing the aftermath of data breaches. Data breaches can take place without giving a hint or leaving a trace. (Representational)
Data security crisis: definition
An exaggerated explanation of the data security crisis can lead to confusion, so we need a formal yet straightforward definition of what counts as a data security crisis.
Any incident in which confidential, personal or sensitive data is leaked or accessed by an unauthorized entity, whether or not it is then used for a malicious activity, is a data breach or data security incident. Data security incidents may be intentional or unintentional (e.g. accidental data breaches); however, when the breach is intentional, there is a higher probability that the data will be used to commit an illegal or malicious act.
A data security incident turns into a crisis when it starts affecting crucial business operations, or even forces them to shut down. When breaches become crises, they need a systematic response, following data / cyber security crisis management practices.
Why do data breaches occur?
Reasons behind data security incidents range from human ignorance or error to sophisticated hacking attempts. Contrary to popular belief, data breaches are not always expert attempts by hackers or cyber criminals.
Data breaches may not always be intentional either. For example, if you dispose of an old, malfunctioning hard disk containing your personal information (photos, videos, documents, etc.) by throwing it in the garbage, it may accidentally reach someone with the expertise to extract information from the damaged media. A breach may be a shoulder surfing attempt by a stranger at the bus stop who watches you enter your mobile banking PIN, or an expert hacker with the ability to circumvent the best laid computer network security and gain access to confidential data.
In corporate environments, weak passwords, improper policies and a sloppy attitude towards computer and network security can lead to data breaches. The infamous WannaCry ransomware attack in May 2017 showed the world how organizations' inability to patch a known vulnerability in Windows operating systems resulted in stalled operations and losses. The attack was estimated to have infected as many as 200,000 computers, and several organizations suffered losses. If we look at Wikipedia's list of data breaches, which covers confirmed data breaches since 2004, it lists the following causes:
- Personal / confidential data accidentally published
- Resulting from hacking
- Inside job
- Due to lost or stolen computer
- Due to lost or stolen media
- Poor security
- Social engineering
Unfortunately, present day cyber attacks have become so complex that it may take years to learn that a breach happened. In some cases they may be completely untraceable.
Banking data security crisis
Banking and financial services have always been among the top targets of fraudsters. Now that banks are all connected and accessible via the internet, they are also vulnerable to online fraud and cybercrime. Targeting banks has a dual benefit for cyber criminals:
1. Banks deal with money, which cyber criminals can steal.
2. Banks also store financial as well as personal information of customers.
Hackers can circumvent banking transaction authentication systems in many ways. We have heard how ATM skimmers work: fraudsters record ATM card details as well as user keystrokes with a device overlaid on the ATM keypad and card reader. In online banking, however, hackers can make use of sophisticated attacks: session hijacking, malware specially crafted for the banking industry, etc. In 2009, W32.Silon was an infamous banking Trojan that could steal user credentials and send them to a remote entity.
The banking industry can be more sensitive than many other industries and requires cutting edge data security methodologies. End-to-end encryption, tokenization, DLP (Data Loss Prevention), etc. are some of the technologies commonly adopted by banks to implement data security and privacy.
Internet of things security concerns
So far we have seen information being stolen in data security incidents, since today's internet is largely an "internet of information". Information technology is keen to digitize every bit of human endeavour, and we have yet to see its true potential. After the digital revolution and the internet, IoT, the Internet of Things, is going to be the next big thing. It has already started coming out of the experimental stage and making its way into homes and businesses. Soon we will have connected equipment, home appliances, vehicles, etc. that are able to communicate with other devices.
For example, IoT connected smart refrigerators will keep track of the items stored in them and text you on your way home that your beer cans are running below the set quantity. Smart air conditioners will start cooling your home automatically when you are on your way home, by accessing your GPS location. IoT sounds cool, but what if a hacker takes control of your home appliances or car?
What if hackers are able to compromise equipment, devices, vehicles or entire smart buildings on the Internet of Things? Today, when information is stolen in hacking attempts, we at least have the infrastructure in place, and operations can be restored once the data or cyber security crisis management is over. But with IoT, things can quickly get out of hand if a hacker is able to take control of your equipment. Some of this equipment, like connected medical devices, can also store sensitive data, which can be used to commit identity related crimes as well. Even in the case of IoT home appliances, I would worry if someone took control of my connected refrigerator and spoiled my food by messing with its cooling.
Be it the internet or the Internet of Things, security breaches can have complex and serious outcomes.
How to respond to a data security crisis?
Unlike unintentional or accidental data breaches, intentional data security incidents take place with the malicious objective of illegally gaining access to data or resources. These attacks begin with a study of the target system or network, during which the weaknesses and vulnerabilities of the target are identified and methods to exploit them are devised. Gaining access to large databases of personally identifiable information (PII), credit card numbers, email addresses, social security and medical records is usually the motive behind intentional cyber attacks.
A data breach is a harsh reality, and even top notch tech firms cannot say for sure that it will not happen to them. The response to a data security crisis depends on how well prepared your data and cyber security crisis management is. Since planning cannot be done once the crisis has already occurred, a good cyber security crisis management plan has to be laid out beforehand, as soon as the infrastructure goes operational.
A data or cyber security crisis may leave organizations clueless about the next steps to take if efficient cyber security crisis management practices are not in place. The following are the key components of an efficient cyber incident response program:
Review compliances and regulations
This has to be done to avoid regulatory action. Adherence to regulator imposed cyber security standards is the first step for regulated industries like banking and healthcare.
Invoke incident response team
Having an incident response team ready to tackle situations like these is the best way to handle them; however, not all organizations have a response team ready. In that case, a crisis response team has to be assembled quickly, and it should include IT experts, cyber security experts, C-suite executives, attorneys, and public relations executives.
Assess the impact
This stage includes assessment of the impact and damage due to the data breach. An insider attack will have a different impact on the business than an external attack. Severity and priorities are also set in this stage.
Notifying the right people at the right time is crucially important. For example, if the breach took place in a regulated industry, regulatory officials have to be informed in a timely fashion. Who you tell and when you tell them can make a lot of difference in finding and fixing the problem.
Identifying the cause, minimizing damage and recovering
A data security crisis may not be very apparent at first glance and may appear to be a small issue; however, there might be a lot going on behind the scenes. For example, increased helpdesk requests or a dramatic increase in outbound network activity may look normal but be signs of a cyber attack. Before beginning remediation, the incident should be fully understood so that nothing is left untouched. If business operations are impacted, backup resources can be put into action.
Documenting the incident
From incident detection to recovery, every step should be documented. This will not only help in legal proceedings, but also help rebuild the system and create a reference for similar incidents in future.
Increasing data security concerns and rise of biometrics
In recent years, biometric technology has emerged as a promising way of human identification and access control for digital as well as physical access. It uses human beings' anatomical or behavioral characteristics to identify them. Systems based on this technology may use a single biometric identifier (like a fingerprint) or multiple identifiers (behavioral biometric profiling) to identify a person. Biometric recognition has advanced for some modalities like fingerprint, iris, face, etc., while it is still under development for many others, like gait recognition.
This technology has been helping people replace older, inefficient and inconvenient methods of human identification and access control, like door locks, identity documents, passwords and security questions, and the hassles that come with them.
Most present day computing devices include biometric identification as a must-have feature to get rid of password based security. Major smartphone platforms like Android, iOS, Windows, etc. offer native support for processing biometric data and compatibility with biometric hardware. Owing to its widespread deployment and efficiency, biometrics is being seen as the future of human identification.
Password based data security is no longer relevant
Though biometrics has been deployed on many fronts for data security, a large portion of it still relies on password based security. Passwords have been around since the early days of computing and served their purpose very well until recent years.
Even today, most banking and financial transactions performed on smartphones are secured with a knowledge based authentication factor. Before performing the transaction, these devices ask for a final user authentication as confirmation. This confirmation is traditionally achieved with PINs, passwords or OTPs. The irony is that most of these devices already have biometric capabilities like fingerprint or face recognition.
Can biometrics solve the data security crisis?
One of the fundamental imperatives of data security is that data should only be accessed by an authorized entity. When data security rests on passwords, IT systems will let anyone with the correct password in. Unfortunately, IT systems can be easily fooled, since they only recognize the information provided to them and not the user. Even an unauthorized individual with a guessed or stolen password will be treated like an authorized individual, and there will be no additional security measure to stop him or her once he or she is in.
Biometrics based security fixes this fundamental flaw by recognizing a user by something he or she cannot change or replicate easily: his or her own unique physiological or behavioral traits, i.e. biometric identifiers. Passwords, particularly weak ones, are among the major reasons behind data breaches and security incidents. The following are the ways in which biometrics can help solve the data security crisis:
Eliminating passwords in logical access control
Since passwords can be guessed or even cracked, replacing them with user biometrics like fingerprint or finger vein recognition can eliminate the possibility of data being accessed by an unauthorized individual.
Continuous authentication with behavioral biometrics
Typically a password works as a barrier between the user and the information she is trying to access. Once this barrier is crossed, the user is never questioned about his or her authority for as long as the session lasts. This approach can have disastrous outcomes if an unauthorized individual is somehow able to access an IT system by providing a guessed password or circumventing the security. Continuous authentication is an approach in which the user's interaction with the system is recorded and a profile is created from it. This profile is generated from user behavior like the way of tapping the touch screen, keypad dynamics, accelerometer data, size of the fingertip, etc. If the authentication system detects anything unusual during the session, it can ask the user to re-authenticate.
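As an added example (not code from the original article or any vendor), the sketch below shows the core of such a scheme for one behavioral signal, keystroke timing: an enrollment profile of key hold and flight times is built, each window of keystrokes in the live session is scored against it, and consecutive anomalous windows trigger a re-authentication prompt. All timing values are constructed sample data, and the threshold and strike count are illustrative assumptions.

```python
"""Continuous authentication sketch: keystroke-dynamics profile plus an
in-session drift check that demands re-authentication when typing rhythm
stops matching the enrolled user. All values are constructed sample data."""
from statistics import mean, pstdev

# Constructed enrollment data (milliseconds) captured across genuine sessions:
# hold = key-down to key-up, flight = key-up to the next key-down.
ENROLLED_HOLD = [95, 102, 88, 110, 97, 91, 105, 99, 93, 101]
ENROLLED_FLIGHT = [180, 165, 195, 172, 188, 176, 169, 183, 190, 174]


def build_profile(hold_ms, flight_ms):
    """Summarize enrollment samples as per-feature (mean, std dev)."""
    return {
        "hold": (mean(hold_ms), pstdev(hold_ms)),
        "flight": (mean(flight_ms), pstdev(flight_ms)),
    }


def window_score(profile, hold_ms, flight_ms):
    """Mean absolute z-score of one window of keystrokes against the profile.
    A low score means the live rhythm matches the enrolled user."""
    z_scores = []
    for feature, samples in (("hold", hold_ms), ("flight", flight_ms)):
        mu, sigma = profile[feature]
        sigma = sigma or 1.0  # guard against a degenerate zero-variance profile
        z_scores.extend(abs(x - mu) / sigma for x in samples)
    return sum(z_scores) / len(z_scores)


def monitor_session(profile, windows, threshold=2.0, strikes_needed=2):
    """Score consecutive windows of (hold_ms, flight_ms) lists and return the
    index at which re-authentication should be demanded, or None if the
    session stays trusted. Requiring several consecutive anomalous windows
    keeps one mistyped word from locking out the genuine user; the threshold
    and strike count are assumed values, not tuned parameters."""
    strikes = 0
    for index, (hold, flight) in enumerate(windows):
        if window_score(profile, hold, flight) > threshold:
            strikes += 1
            if strikes >= strikes_needed:
                return index
        else:
            strikes = 0  # rhythm back to normal, reset the counter
    return None


if __name__ == "__main__":
    profile = build_profile(ENROLLED_HOLD, ENROLLED_FLIGHT)
    genuine = ([96, 100, 90], [178, 182, 170])     # constructed: same person typing
    impostor = ([140, 150, 135], [260, 240, 280])  # constructed: slower, different rhythm
    print(monitor_session(profile, [genuine, impostor, impostor]))  # 2
```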
Physical access control to the IT systems
Physical access to server rooms or data centers can be controlled with biometrics so that only authorized individuals can approach them. This also reduces the chance of an insider attack or physical attack.
Biometrically enabled mobile devices for biometric authentication
Most tech savvy users carry smartphones with one or more biometric capabilities like fingerprint or face recognition. An authentication system that leverages the biometric capability of mobile devices will not only eliminate the need for password based security, but will also make sure that the device is verified by collecting device data in advance.
The world is on its way to complete digitization. IT systems are keen to generate digital data from every human activity and make use of it. Most businesses, banks and financial institutions are already accessible via the internet and exchange sensitive data online. We also have a wave of IoT systems incoming, which will change the way we live. All this digitization and connectivity has improved every aspect of human life; however, it has also raised concerns about data security and privacy. Over the last few years, many organizations have fallen prey to data security incidents.
With an efficient cyber security crisis management plan, organizations can save a lot of time, effort and money in recovering their systems and restoring business continuity. Due to increasing threats to information security, many organizations have already switched to biometrics for data security, to eliminate the shortcomings of obsolete methods like passwords.