The University of Sunderland, a tertiary institution located in Northeast England, has become just one more victim in an increasing wave of cyberattacks that have been aimed at universities. In recent months, other schools, such as Newcastle University also in England, and Howard University in Washington DC, United States, have suffered similar threats to their cybersecurity.

In the case of the University of Sunderland, the cyberattack rendered students unable to log in for online, remote/distance learning classes and left staff unable to access their email and other data stored on the university network. The school’s online infrastructure was disabled for five days before restoration operations could bring the network back online and accessible to students and staff.

Universities Are New Targets

As the global pandemic changed the way people lived and worked, especially in school situations that put many young people in close proximity of each other, universities, like other organizations, had to change. Remote learning through the Internet had already made in-roads for some universities and certain courses. However, the pandemic accelerated the use and reliance of these systems, causing universities to lean more heavily on their digital infrastructure.

For many cyber-criminals, this presented new opportunities. Rather than corporations or government agencies with years of experience and “hardened” their cyber security against incursion, universities were viewed as easier targets that now relied on their digital infrastructure to work smoothly more than ever.

Ransomware On The Rise Without Cyber Security

One of the most popular forms of cyberattack in the modern day is known as “ransomware.” Rather than for the purposes of mischief or destruction, ransomware is entirely profit-motivated. In these attacks, hackers successfully bypass cyber security and seize control of a network. They then lock out legitimate users so they can no longer access their own data or manipulate the network.

The hackers then offer to restore control of the network back to the facility provided that their release fee is paid. Depending on how crucial the data is and how quickly it needs to be accessed, this can be very lucrative for digital criminals. Organizations may sometimes determine that it will be cheaper and faster to give in to the demands.

Digital Security Is Crucial

With more and more valuable data being stored digitally on networks, it is more important than ever to ensure access to confidential and critical information is properly protected. Modern cybersecurity is about more than just strong passwords, with multi-factor authentication and anti-phishing measures critical to good network security.

For modern digital protection and peace of mind, learn more about Nok Nok’s multifactor authentication technology and passwordless identity and authentication measures.

Nicholas Chaillan worked as a software chief for the United States Air Force and was assigned to the Pentagon to modernize the organization’s digital security in August of 2018. In September of 2021, he resigned from his post and claimed, “We have no competing fighting chance against China in 15 to 20 years. Right now, it’s already a done deal; it’s already over, in my opinion.”

Chaillan’s concerns stem from two major issues. The first and most important is that the United States military does not take the threat to digital security seriously enough and was unwilling to commit the funds that would have been necessary for adequate protection against military-grade digital incursions.

“I am just tired of continuously chasing support and money to do my job,” he said. “My office still has no billet and no funding, this year and the next.”

The other concern Chaillan had was the Pentagon’s reluctance to recognize that the next looming threat in digital security was not conventional attacks like “phishing” to illicitly secure passwords, but instead, the threat comes from next-generation, highly sophisticated digital attacks reliant on artificial intelligence to penetrate systems that still don’t use newer techniques like biometrics.

While not true artificial intelligence in the sense of software that can think autonomously, AI refers to increasingly complex algorithms capable of finding patterns and solving problems. When directed for offensive purposes, AI can be used for digital reconnaissance, such as scanning and compiling social media profiles to construct a digital “alias” of a trusted individual. It can be used to intelligently guess passwords, reducing brute force time by accessing profiles of relevant individuals. For systems not using biometrics, this collects a list of potentially useful keywords, and uses those in alphanumeric combinations for user-ID/password combinations.

Chaillan contends that China is aggressively pursuing AI in a cyber warfare capacity. They are putting in both the money and eliminating any professional or ethical barriers that might slow progress. Conversely, the United States is experiencing difficulties in this same area as expertise from companies like Google is withdrawn on ethical grounds, such as when Google objected to the use of its technology to increase the precision of drone targeting systems.

Digital Warfare Continues To Evolve

As with real-world defensive and offensive measures, digital attack and defense are in a constant state of new measures being developed requiring new countermeasures to repel. With increasingly sophisticated and automated phishing attacks, relying exclusively on 40 year old legacy password security technology is no longer be enough. If you’re still relying on a legacy password security technology and want to upgrade your network to modern identity and authentication security technology, (including the new global standard of key-pair biometrics), look at Nok Nok products for secure, password-free cyber authentication solutions. The largest global financial brands depend on Nok Nok’s modern auth platform for improving and protecting customer trust.

Insurance companies around the USA are now following an alarming trend of increasing premiums on hacking and digital security breach coverage while providing less coverage when these issues occur. When it comes time to renew a policy for digital security, some companies are now facing as much as a 300% increase for budgeting in this contingency. A major reason for the increase is the rising number of successful attacks, forcing insurers to pay out to clients. Throughout the pandemic, as various organizations have moved work and data to local networks and even to cloud-based networks to facilitate data sharing, digital intrusions have increased. Ransomware and similar attacks have plagued many sectors, including construction, healthcare, government, and education that have failed to upgrade to more secure forms of protection like multifactor authentication.

More Measures Required Like Multifactor Authentication

Insurance companies themselves are becoming increasingly stringent when it comes to even considering giving coverage to a company for digital security. For example, many insurance companies won’t approve an application from a company that doesn’t use MFA, or multifactor authentication, a verification system that relies on more than just a person using only a single password to gain access to a network. Single password systems are incredibly vulnerable and far more prone to a successful intrusion than networks using MFA protocols.

Insurance companies are now also using their own scanning and digital reconnaissance technologies to “audit” the networks of potential clients and see how vulnerable they are. This has played a role in how insurers determine the monthly rates for the premiums a company must pay if they are serious about getting insured against cyber attacks.

Cyber Attacks Are Real And On The Rise

The days when only large companies or government agencies had to worry about hacking or other forms of digital intrusion are over. As more and more businesses of every size—and even private citizens—move more of their crucial data into the digital space, it becomes more lucrative for criminals.

Identity theft, where other individuals use personal identity details like credit cards and social insurance numbers, is rising. Ransomware, where network access and other critical functions are taken over and locked out until money is paid, is also hitting more companies. Network security is a real concern for any person or organization collecting and storing important, sensitive, or confidential data digitally. Legacy security systems based on single-passwords and personal information (knowledge-based access) is proving to be insufficient to protect against modern digital threats that are increasingly more sophisticated and automated. If you’re interested in upgrading your legacy security systems to modern FIDO-based multifactor authentication, Nok Nok has a variety of platform solutions and is trusted by the biggest financial institutions for protecting their customer’s identity and authentication.

The world is now experiencing a time of conflict unlike anything seen in years, but because this is a modern-day, 21st-century clash, the war is not just being fought on a physical battlefield but also a digital one. As the invasion of Ukraine began official state hackers from both Russia and the West engaged in digital warfare, as did independent organizations such as “Anonymous,” a rogue hacking collective that has decided to stand against Russian cyber warfare.

Unfortunately, the worlds of military, corporate and civilian government data spaces are now considered fair game for state-level cyberattacks, funded and driven by government agencies. Now some companies are taking a stand.

Google Intervenes

Google, one of the premier technology companies globally for data management and analytics, is now providing security keys to groups and individuals to help protect them against cyberattack activity. They are distributing 10000 Titan security keys to individuals like journalists, whistleblowers, government officials, and others with sensitive or confidential data to encrypt and protect systems against intrusion and spying.

A Titan security key is an added level of encryption and access control. It is two devices, one a USB card shaped like a key, a Bluetooth device that functions similarly for wireless connections. This adds an extra level of multifactor authentication to an account. In addition to inputting a password to access data on, for example, a Gmail account, an account linked to a Titan security key would require the presence of the USB key plugged into the computer or a confirmed connection to the Bluetooth version for verification.

In other words, like with older multifactor authentication, methods that require a one-time code sent to a phone as an added layer of security, a Titan key system means that even if a password has been stolen through phishing or other means, the data can’t be accessed without a Titan security key to open the second “lock” on the data.

Multifactor Authentication Is The Best Defense

What Google and many other technology companies are discouraging is the use of only a single password to gain access to data and control of systems. A single password means that everything from identity theft, spying on confidential data, and outright seizure of control of systems is possible once that password is discovered.

Now that government agencies like Russia’s GRU are going after many systems and data, security is more important than ever.  If you’re still relying on a legacy password security technology and want to upgrade your network to modern identity and authentication security technology, (including the new global standard of key-pair biometrics), look at Nok Nok products for secure, password-free cyber authentication solutions. The largest global financial brands depend on Nok Nok’s modern auth platform for improving and protecting customer trust. 

Cyber attacks do not only target private individuals, but they can also represent increasingly sophisticated and persistent threats to national security. Billions of dollars are spent on legacy security annually, yet data breaches and theft are accelerating. Many institutions and organizations have suffered. That is why it is important to leverage modern security technologies and zero-trust architectures across sectors.

Becoming More Proactive

In its bid to address exposed areas of weakness in US digital infrastructure, the United States Federal Government updated its cyber security strategy.  In January 2022, President Biden signed Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. With this modern approach to cyber security, the US Federal Government boldly transitions from incremental improvements to legacy perimeter-based defenses – to significant investment in modern “zero-trust” architectures that never trust and always verify “anything and everything attempting to establish system and data access.”

Aiming for Safer Cyber Infrastructure

When multifactor authentication (MFA) was added to legacy knowledge-based-access (KBA) that is based on the storing and passing of passwords and other personal secrets, there was indeed, a measurable reduction in risk to digital systems and data compared to single factor authentication.

However, the attack strategies of bad actors (attack vectors) evolved such that today, these legacy KBA methods, even with MFA, no longer protect against sophisticated phishing attacks that easily fool account owners into providing account credentials to the attackers. Once a legitimate account is taken over (such as the case in the ransomware attack against Colonial Pipeline), it is very hard for any system to detect a bad actor before significant damage is done, data is stolen, or malicious code is embedded that creates security vulnerabilities at a later time (such as the case with the Solarwinds supply chain attack.)

In a very bold move and positive development for the modern identity and authentication industry, our nation’s new cyber security executive order recommends that federal agencies achieve zero trust security goals with strong, FIDO-based MFA by the end of Fiscal Year (FY) 2024, with plans for implementation due within 60 days.

Among other requirements for networks, devices, endpoints plus encryption for data and DNS traffic, the directive includes centralized enterprise-managed identities with phishing-resistant MFA to protect users from sophisticated attacks (including both PIV credentials and FIDO2 Web authentication (known as “WebAuthn”) created by the FIDO Alliance and published by the World Wide Web Consortium (W3C). The directive also includes enterprise-wide identity systems based on zero trust architecture that always verifies users before granting access.

Strong Defense for All

In a push for safer cyberspace infrastructure, the US Federal Government joins the thousands of enterprises that are leaving legacy KBA and perimeter-based security thinking behind in favor of modern and strong MFA identity and authentication.

As the world continues to see a massive proliferation in devices and network connectivity, technological advancements are required to address the growing challenges in fighting cyber threats and risks. Nok Nok Inc in partnership with the global FIDO Alliance they founded, is among those at the forefront of this fight.

The FIDO Alliance is an open industry association that develops and promotes authentication standards. At the same time, it also pushes for safer and more convenient cyber security measures for the end-user. Thus, making it a mission to reduce people’s insecure and over-reliance on legacy password and KBA-based system access. Learn about Nok Nok’s industry-leading FIDO platform for strong user and IoT authentication here.

Billions of dollars are spent on legacy perimeter-based security annually, yet data breaches and theft continue to accelerate. These security risks are among the threats that institutions, especially those dealing with finance, need to address. Not only will solutions protect the organization itself, but they will also ensure the trust and safety of consumers – a top five 2022 priority among VP, C-suite and other enterprise executives.

Going Password Free

For many years, we have been relying on the use of passwords and knowledge-based-access (KBA) to verify user identity before granting system access. With its addition, while MFA has helped in protecting users against many types of attacks, the attack strategies of criminals evolved to find additional ways to take over accounts and conduct data breaches and identity theft.

Modern, phishing-resistant authentication (also referred to as “passwordless authentication”) is now a leading priority to improve security. Generally, it involves a consumer-centric approach to verify user identity without the need to capture, store and transmit passwords, personal secrets and other sensitive user data. This modern authentication approach involves cryptographic keypairs combined with one-time passwords (OTPs) and device-level biometrics that verify users on devices requesting access to digital services in a way that dramatically decreased user friction related to account setup and sign-in.

The advantages of going password-free can be experienced by both the institution and the users. As it offers dramatically reduced user-friction with defense-grade security, both the user experience and enterprise performance improve significantly. Enterprises implementing modern, phishing-resistant identity and authentication report authentication success rates of 99.5%, speed improvements in account signup and authentication of 50% or more and decreases in CSR calls and password resets of 60% or more. Both users and enterprises report dramatically improved consumer satisfaction in high value operating environments and payment transactions.

Nok Nok and Passwordless Authentication

Joining multiple members of the financial technology industry, Nok Nok participated in the recently conducted Authenticate 2021. Aside from being a participant, Nok Nok also served as a presenter.

During the presentation, attendees have seen some examples of real-world applications of password-free authentication. These are all based on Nok Nok’s customers’ experience.

• Intuit TurboTax®: The partnership between Intuit and Nok Nok has addressed the former’s problem with a high level of friction during the creation of a new account. By leveraging the mobile App for passwordless Sign-Up, the company has seen a 10% increase in Sign-Up conversions. The Sign-Up time has also shown a 50% reduction.

• T-Mobile: Forgotten passwords and account pins are among the problems many users experience. By incorporating FIDO-based biometrics and out-of-band push authentication, there has been at least a 65% reduction in account recovery requests within three months.

• Fintech: Among the common problems causing friction to user experience is the complex login requirements, such as the use of passwords and SMS OTPs. Enhancing platform authenticators through FIDO passwordless authentication during web Sign-In, the Sign-In speed increased by 8x. Additionally, there was a 40% increase in users during the first month.

• Major Bank: Financial institutions are also increasingly targeted by cyberattacks, especially for fraudulent activities. The use of modern FIDO biometrics and application pins for secure access via a mobile app has helped reduce fraud incidents. The app user reviews rating has also seen an improvement. Since one-time password resets are dramatically reduced, OPEX costs of decreased SMS OTP were reduced as well.

• TEPCO Power Grid: Ensuring security is a must for the power grid. However, encouraging the use of complex passwords which are deemed “secure” slows down maintenance workers. To address this problem, Nok Nok and TEPCO leveraged modern web browser and device biometric authentication. Not only did this approach offer safe Sign-In experiences, but it also increased the speed and simplicity of account registration, account creation and sign-in as well.

Passwords have been used for many years to protect data and accounts. Despite being used for security purposes, using passwords is not always the best option. That is especially true when combatting cyber security threats. In fact, passwords can be seen as a weakness.

The Passwordless Authentication Path

Various risks come with the use of passwords. For example, users can forget about them. They are also easily compromised since many reuse passwords across different systems. Passwordless authentication is seen as a better alternative.

As the name suggests, password-free authentication includes the use of alternative authentication methods instead of relying on passwords. Common methods include the use of a secondary device or account for verification and biometric authentication.

Aside from reducing cyber security risks, going passwordless can help make reduce friction so that users will have a smoother experience. On the side of an institution, it helps reduce expenses. At the same time, it can help increase sales or the number of users.

Implementing Password-Free Authentication For Cyber Security

There are different ways of applying passwordless authentication. It is also more complex than one may think. Depending on what a company chooses, it may require having dedicated development resources for a long time.

Fortunately, working with a trusted service provider can help organizations skip some steps. In fact, with the help of a service provider, organizations can easily implement passwordless authentication for their users.

What Nok Nok Has Learned

The passwordless journey does not happen overnight. That is one of the main points Nok Nok has pointed out in its presentation at Authenticate 2021. The reasons for this include existing systems and processes being deeply rooted in security practices. It also takes a lot to develop behavior change, which is something necessary to fully adopt passwordless authentication. Additionally, the passwordless journey is typically included in a larger digital transformation.

Nok Nok also shared some of its experiences in applying password-free authentication in systems from different institutions. Based on the results of these partnerships, Nok Nok is proud to share that all companies have seen success.

Among the most notable statistics include the following:

• 10% improvement in onboarding success
• 50% reduction in onboarding time
• 6% increase in sign in success
• 78% increase in sign in speed

Going password-free comes with many benefits for both the institution and end-users. However, it is important to ensure proper implementation.

If you want to learn more about safer authentication techniques for better cyber security, contact us at Nok Nok.

Cybersecurity is one of the pressing issues that the United States is facing. Threats affect the government, organizations, institutions, and even individuals.

The Identity Theft Resource Center (ITRC) said there were 1,291 data breaches publicly reported in the U.S. from January to September 2021, affecting about 281 million individuals. In comparison, this total is 17% more than the recorded breaches during the same period in 2020.

Government Efforts: The Federal Zero Trust Strategy

To address this problem, the government looks for ways to improve cybersecurity. On January 26, 2022, the Federal Zero Trust Strategy was released. The Office of Management and Budget (OMB) published the strategy as Memorandum M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

This move aims to promote a better security approach through government-wide efforts, setting a new baseline in terms of access controls. An important point to highlight is the prioritization of using phishing-resistant multi-factor authentication (MFA). Additionally, there is also a need to consolidate identity systems for improved protection and monitoring.

Understanding the Strategy

At the core of the strategy are two main focuses — the vision and actions on identity.

Generally, staff members of government agencies have to use enterprise-managed identities to get access to applications used for work. Phishing-resistant multi-factor authentication must be in place to protect said personnel against more sophisticated cyberattacks.

Three actions must be taken.

First, the agencies should have centralized management systems for users. 

Second, they should use strong MFA throughout the organization. Specifically, all agency staff members, contractors, and partners have to use phishing-resistant MFA. Meanwhile, public users should be given this option. Furthermore, it should not be required to use special characters for passwords or have regular password rotation.

Third, agencies should consider having at least one device-level signal when giving users authority to access resources. This signal is additional security alongside identity information about the authenticated user.

The FIDO Standard

Through the announcement of the strategy, the federal government also encouraged using FIDO2 standards. Thus, further recognizing the FIDO Alliance’s efforts to promote the use of phishing-resistant multi-factor authentication and reduce people’s over-reliance on passwords.

The FIDO2 is FIDO Alliance’s newest set of specifications. It includes Web Authentication (WebAuthn) specification and Client-to-Authenticator Protocol (CTAP). Learn more about the FIDO2 Project here.