Identity Up for Grabs
Identity is a fascinating study. Your face, voice, fingerprints, attitude: Any number of things are used to characterize you. They are definitive, unshakeable and inherently yours. Then there’s the binary you. The by-the-numbers you. These are all those identity numbers, account numbers, usernames and passwords, secret codes, passkeys – these, unfortunately, are up for grabs by anyone with the audacity and wherewithal to take them.
So, what do we do about ensuring a strong identity in a new global economy, in an online world where the definitive you means less than the binary you?
It’s like many things. You have to know what game you’re playing before you can play. It seems every day on the news we see that some cyberattack opened access to millions of users’ personal data. Where do you begin in a world filled with identity theft and cybercrime?
What’s Happening in the World of Identity Theft?
Let’s start with Equifax.
Equifax is a credit-reporting agency that systematically gathers your personal identifying information and (at least until now) poorly stores it on their servers. The personal data includes your name, address, social security number, birthdate, driver’s license number and so on. How secure was the data? Well, not very. In fact, it was basically available on the open internet for anyone who looked for it.
According to Motherboard, back in 2016, a security researcher was probing Equifax servers to check for security issues. The researcher found an “employee-only” site within Equifax that was not employee only from an access standpoint. The researcher was able to access all of Equifax’s consumer data. This portal to data was completely open to anyone on the internet. But it didn’t stop there:
“While probing Equifax servers and sites, the researcher said that they were also able to take control—or get shell access as hackers refer to it—on several Equifax servers, and found several others vulnerable to simple bugs such as SQL injection, a common, basic way of attacking sites. Many servers were running outdated software. According to one analysis performed in early September, Equifax had thousands of servers exposed on the internet, indicating both massive sprawl and loose control of its infrastructure, which increased the company’s attack surface.”
This problem was reported immediately, but nothing was done. In fact, Equifax was used to getting complaints. Since 2012, the Consumer Financial Protection Bureau (CFPB) has received 57,000 complaints against Equifax, about 31 a day. Time went on.
In September 2017, Equifax announced that (what would ultimately become) 145.5 million consumers had their personal data stolen. This wasn’t the biggest breach ever. That must belong to Yahoo, whose 3 billion accounts were hacked. But unlike our email, Equifax is the keeper of so many identifying pieces of data that virtually any falsification can be authenticated with data found on Equifax’s network. And these are pretty longstanding pieces of data. Your birthday doesn’t change, your address is fixed, your social security number is nearly impossible to change. Meaning that if you are one of those 145.5 million people, you have a lifetime of identity checks ahead of you.
Not to worry. Equifax apologized.
That happened. Now What?
This astounding Equifax security breach was a shock to many, not only because of the breach’s size and the scope of the personal data involved but also because we have no say in the Equifax data pool. There’s no amount of personal cybersecurity best practices you could have used to prevent Equifax from losing it.
This is the state we live in. There is a security risk for every website out there, whether you actively participate in its use or not. For you, this means your sacred identity is always at risk. That’s the bad news. The good news is, there’s something you can do about it. We’ll learn the rules of the game and navigate as best we can through best practices and a little common sense.
The Best Practices for Identity Management
The fact is that unless you decide to live off the grid in the woods somewhere you need to start thinking creatively and systematically about how you interact with the cyber world. Your personal data is out there. There are situations, like the Equifax breach, where you are unfortunately a victim of circumstances you cannot avoid. But, you don’t have to make identity theft easy, and practicing good due diligence can keep you from a much more damaging scenario.
So, let’s start easy. There are three first steps in securing your online persona. These are simple best practices that have a lot of common sense behind them.
Let’s Talk Passwords
By this point in the timeline of internet access and the digital age, you know the importance of a good password. Those of us who continue to use the same password for every account know fundamentally that it’s not a great piece of security. But laziness is probably the key there.
Here is an interesting fact: “123456” is the world’s most popular password. If you’re using this for any of your passwords, you are in a pretty bad situation, digitally speaking. Considering that hackers can run algorithms that can hack most passwords in seconds, this should give you pause.
Two things need to happen. You should use unique passwords for every site. And you should use passwords with 10 or more random characters. This does one important thing. It takes memorization out of the equation for those of us without photographic memories.
You can solve this with a password manager. (Check out this list of top Password Managers.) A good password manager encrypts your data, gives you fairly simple access and covers you with top-tier security.
There are staple bad emails. There is no Prince in Nairobi who can guarantee money for you. Your old softball coach didn’t really send you a gibberish link with the nebulous line, “Thought you’d want to see this.”
Malware is extremely prevalent and is not going away anytime soon. In 2016, spam emails quadrupled, so you should operate with a healthy dose of skepticism toward any email. Whether hacking your email is done to peel away a few dollars from your bank account or to prevent you from winning a presidential election, taking extra precaution is in everybody’s best interest.
Antivirus software and firewalls offer great protection from common malware attacks. In addition to that, keeping current with your computer updates is helpful too. Each release generally offers greater protection and fixes previously existing gaps and bugs in security. As well, it’s imperative that you consider each email before blindly clicking through. “Is this unusual behavior?” If the answer is yes, confirm with the sender by phone.
The Wi-Fi Trap
While it may seem open Wi-Fi hotspots are a great piece of communal sharing, the fact is that they are free and open channels right into your computer or devices. Once you connect to public Wi-Fi, any hacker has free rein in your system. CNBC showed us that 87% of US consumers accessed public Wi-Fi. This is an incredibly high number of people who willingly opened their private data to anyone who was looking.
Bottom line: Don’t sign into public Wi-Fi. There are ways to safely do it (using VPNs), but unless you’ve got the technical know-how to navigate the latest in encrypted web surfing, you probably want to steer clear.
By adding an extra step to your site access, you achieve highly elevated security. It works simply. You get a text with an access code, then plug it in when asked. The extra step takes a little longer, but the dividends paid in security are worth it.
Try to turn on multifactor authentication whenever it’s available. Quickly, you’ll get used to the extra step and will feel safer and more secure knowing you’re applying some common sense cybersecurity to your daily rituals.
How to Control Access
As a business owner, your concerns are much greater. Having lax security procedures could mean not only a loss in revenue (from ransomware) and loss in productivity (from downtime), but you can also lose the trust and respect of your clientele. The latter could affect the longevity of your business, which, after all, deeply affects the lives of your employees.
So, what procedures can help you control access for your employees so that easy windows of entry for hackers are off the table? Your identity management system should contain the following components.
Authentication is how your network identifies the employee (or whoever is attempting access). These tools help separate each individual, creating layers of defenses at the access point. Authentication can include single sign-on technology that gives the end user access to all approved applications. Multifactor authentication can be utilized here, with digital certificates, PINs, fingerprints and SMS codes. Likewise, session and token management is part of this framework.
Authorization can be found in many areas, particularly in the development of roles and rules for users. Maybe a temp doesn’t need the same access as the CEO. By creating attributes and privileged access levels depending on position within the organization, you are able to disperse information and access based on need. This limiting of data access can significantly decrease the chance of a security breach.
User Management Reporting
Your identity management program should give you provisioning and deprovisioning elements as your business grows. This means that when you hire or fire employees, you have the processes in place to quickly add or subtract access based on needs. By collating staffing and user management reports, you can drill down more deeply into your network to ensure appropriate access to those who need it.
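The reconciliation described above, as an added example (not EaseTech's tooling): it compares a staffing report with a user management report and flags accounts to deprovision or trim back to their role. All names, roles and records are constructed, and `review_access` is a hypothetical helper.

```python
# Added example; every name, role and record below is constructed.
from datetime import date

# Hypothetical policy: role -> permissions that role may hold.
ROLE_POLICY = {
    "temp": {"email"},
    "ceo": {"email", "ledger", "hr_records"},
}

# Staffing report: role and employment end date (None = still employed).
STAFF = {
    "avery": {"role": "ceo", "end_date": None},
    "casey": {"role": "temp", "end_date": date(2024, 3, 1)},
    "devon": {"role": "temp", "end_date": None},
}

# User management report: accounts as they exist in the directory.
ACCOUNTS = [
    {"user": "avery", "enabled": True, "grants": {"email", "ledger", "hr_records"}},
    {"user": "casey", "enabled": True, "grants": {"email"}},
    {"user": "devon", "enabled": True, "grants": {"email", "ledger"}},
    {"user": "old-scanner", "enabled": True, "grants": {"email"}},
    {"user": "erin", "enabled": False, "grants": {"email"}},
]

def review_access(staff, accounts, policy, today):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = staff.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no staffing record: disable"))
            continue
        end = person["end_date"]
        if end is not None and end <= today:
            findings.append((acct["user"], "employment ended: disable"))
            continue
        # Anything granted beyond the role's policy is excess access.
        extra = acct["grants"] - policy.get(person["role"], set())
        if extra:
            findings.append((acct["user"], "excess access: " + ", ".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(STAFF, ACCOUNTS, ROLE_POLICY, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Running the review on a schedule, rather than only at hire or termination, also catches accounts that never had a staffing record in the first place.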
With directory analysis, you get high-level understanding of your network’s architecture. This directory federation can give a better understanding of access points while giving you metadata synchronization and other key data points.
Information is Control
It sounds a little Orwellian, but when it comes to your network, information is control. To better protect your business, you want total visibility into your system. Your policies should dictate who has access to what, how that access is given, where and when systems were accessed. This isn’t Big Brother – it’s simple, common sense cybersecurity design to protect your valuable data from loss and your team from detrimental downtime.
As a staple element of your best practices documents, your identity and access management system should be a well-thought-out plan that meets your business needs and helps prepare you for the long road ahead: Growth, competitive improvement and bigger profits.
But getting to that point can be challenging. Knowing the latest methods of identity management is a complex venture that must account for the never-ending juggernaut of technical evolution.
This is where your managed services provider comes in.
The EaseTech Method of Identity Management
Knowing the right identity management and access management system truly depends on knowing the needs and goals of your business. While costs can vary dramatically for IAM systems, so can features. For instance, if you own a local cupcakery, it’s true you want to secure your data, but you probably don’t need NSA-level identity management.
But the system you choose can greatly impact how the end user is affected. Imagine you are a private school in the area, looking for a way to give your students access to all the educational opportunities the web has to offer, but likewise, you need security embedded in each student’s identity. Unique identifiers must be created for all students, with access levels that correspond to content filtering tools as well as education apps and grade access. Identity management can get very complicated very quickly.
Your organization’s data shouldn’t hinge on thieves stealing your identity. Our identity and access management tools provide each employee with powerful authentication rules and help protect your infrastructure so your defense is well-orchestrated.
- Integrated multifactor authentication—layered protection against data breaches
- Single sign-on—seamless sign-on across all applications and devices
- Secure remote access—the same high-tech security wherever you work
EaseTech has the experience and industry expertise to create a new identity and access management system for your organization by analyzing your needs and formulating a plan that is custom to your workflow. If you’ve got an identity management system that needs improvement, we can help you upgrade and scale down.
Call us today to find out how our identity management solution can help your organization.