Please ensure Javascript is enabled for purposes of website accessibility

Identity verification should be cybersecurity first line of defense

Identity verification should be cybersecurity first line of defense
Identity verification should be cybersecurity first line of defense

Identity verification should be cybersecurity first line of defense

Listen to this article

The topic of identity verification is one Cheryl Nelan, president and CEO of CMIT Solutions of Rochester, often has with her clients.

“It’s a common conversation,” said Nelan, especially during quarterly reviews with clients. “In every single one of those meetings we’re talking about identity verification and cybersecurity best practices.”

And for good reason; the CrowdStrike 2023 Threat Hunting Report revealed a massive increase in identity-based intrusions from summer 2022 to summer 2023, including a 583% increase in a type of identity attack called Kerberoasting, where bad actors obtain valid credentials for Microsoft Active Directory service accounts.

“Identity verification is basically making sure that the person you’re talking to and communicating with is who they say they are,” said Nelan, noting this can happen in many ways from online to in person. “It’s important, because if they’re not who they say they are, then the actions you may take because you believe them is where the risk comes.”

Overall, CrowdStrike found that 62% of interactive cyber intrusions involved compromised identities, concluding the most dangerous cybersecurity threat today is an attacker with access to legitimate identity information.

“We’re seeing it more and more and the onus is getting more and more on the end user,” Nelan said. “There’s a lot of things we can do as a tech company to protect and minimize risks, but at the end of the day, if the user falls for it, the user falls for it.”

Education is key when it comes to identity-based cyber threats, Nelan says. Her firm, which specializes in protecting small to mid-size businesses, makes sure users go through regular cybersecurity training on an ongoing basis.

“End-user awareness and training is by far the most important tool,” Nelan said. “Then, from a technology perspective, there are tools like multi-factor authentication (MFA) and geofencing, where you can limit where people can log into.”

The U.S. Cybersecurity and Infrastructure Security Agency defines MFA as “a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.”

When it comes to identity verification, David Wolf, vice president of Just Solutions, Inc., a provider of managed IT services with offices in Rochester and Buffalo, thinks of it as a two-way street.

“Businesses have to be diligent at protecting their employees and their customers, but I think people need to be diligent in protecting themselves and their families,” Wolf said. “There’s a lot of trickery that goes on.”

For example, if you get a call from a company you do business with, you should not automatically assume it’s valid and if you have concerns it’s OK to call the person back after you verify the phone number they’re calling from is legitimate.

“Be suspicious all the time in verifying who you’re dealing with,” said Wolf, who notes AI-generated deep fakes are increasingly becoming an issue. “There are two sides to this equation – it’s you as a company dealing with a consumer and you as a consumer dealing with a company. Both must be active in verifying the identity of who they’re working with.”

For both individuals and companies, Wolf recommends looking into third-party identity protection software and services, including monitoring. He expects to see more businesses using MFA, as well as looking into new and developing technologies for identity protection and verification.

Token, a Rochester-based company, is a leader in this movement with the world’s first MFA smart ring, which removes the human element from the login process.

“What we set out to do with the Token ring was to remove human vulnerabilities from the process,” Gunn said. “Other companies say, “How do we make the network hacker-proof?’ We say it’s not the network, it’s the people. We’re asking too much of them. How do we make people hacker-proof?”

Token’s answer is the Token ring, whose technology was developed by RIT graduates Steve and Melanie Shapiro. It looks like a sleek band anyone might wear on their finger, but it is full of technology that protects organizations by providing password-less, biometric, next-generation MFA.

“The current technology that most companies are using to protect access is twenty-year-old technology,” said John Gunn, CEO of Token, who explained legacy MFA solutions are outdated and vulnerable to threats in part because they rely on users to recognize phishing, hacking and other malicious activities.

With legacy MFA there is also the risk of prompt bombing, which is when cybercriminals flood a device with simple authentication requests. The barrage can cause MFA fatigue, in which case a user will accept the authentication request out of exhaustion, annoyance or ambivalence.

Microsoft reported in September 2022 that the company was seeing “increasing adoption of strong authentication, multi-factor authentication fatigue attacks” with one percent of users accepting a simple approval request on the first try.

The Token ring eliminates such vulnerabilities of existing MFA methods, Gunn said. Setup of the ring involves three simple steps and once complete only the user’s fingerprint will activate it. It also protects from account takeover attempts, phishing, credential stuffing, Man-in-the-middle attacks, ransomware, and data breaches.

Ransomware attacks can be particularly harmful to small and medium-sized businesses, said Gunn, pointing to research from the National Cyber Security Alliance that shows 60% percent of small and mid-sized businesses that experience a ransomware attack fold within six months.

Caurie Putnam is a Rochester-area freelance writer.

i