How state and local government can defend against identity attacks

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jack Alexander
 

Connecting state and local government leaders

By Jack Alexander

|

By evaluating authorization at the individual level, agencies can mitigate some of the most credible threats and shift their focus back to improving citizen experience through innovation and modernization.

In October, the National Association of State Chief Information Officers hosted its annual conference in Nashville. When asked to cite their top concerns at the conference, many of the CIOs and other IT leaders cited identity management, the practice of ensuring only the appropriate people within an organization have access to resources.

Hackers want access – the rise of identity attacks

Government IT leaders know identity attacks are on the rise. A recent report by Proofpoint shows that credential compromise via phishing attacks shot up by more than 70% in the past year. When hackers target an individual, they attempt to access a system by obtaining and leveraging user credentials. A hacker with a victim's credentials has the same level of privilege as the victim – permission to install programs, read and download protected information and upload software, including malware.

State and local governments are particularly attractive targets to hackers because of the amount of sensitive information housed within their networks, such as personal information on employees and residents. In addition, citizens need to interact regularly, securely and efficiently with government. That requirement makes government a prime target for ransomware attacks, which can cripple local agencies and make it impossible for residents to access important documents like marriage and birth certificates as well as permits needed to move forward with various projects.

Identity attacks start with vulnerable individuals, but ensuring the workforce is trained to detect phishing and other identity attacks is a challenge. It only takes one compromised account to open access to the entire organization, and attackers create around 1.5 million new phishing sites each month.

To defend against identity attacks, security teams must understand which user-focused attacks are the most prevalent and prepare employees to defend against them. According to Okta, hackers leverage several common identity attacks, including:

  1. Broad-based phishing campaigns.By identifying basic information about a victim to seem credible, attackers use phishing attacks to trick unsuspecting users into handing over their credentials. More than three-quarters of organizations and businesses surveyed in a 2018 report were targeted by phishing in 2018.
  1. Spear-phishing campaigns. Spear phishing is a more targeted form of phishing. The level of social engineering is sophisticated, with personalized messages containing a call-to-action specific to a particular individual. The message can include personal information such as family member names, accurate identifiable details about the individual or other information that looks and feels real to a victim. Spear phishing was used in 2018, when Iranian state-sponsored hackers stole research, secrets and sensitive information from universities, private companies and U.S. government.
  1. Credential stuffing and password spraying. Attackers leveraging credential stuffing will test stolen credentials on multiple sites to determine if they have been used before. According to Troy Hunt, founder of HaveIBeenPwned.com, 86% of subscribers affected by the CashCrate data breach of 2017 were using passwords already leaked in other data breaches and available to attackers in plain text. In password spraying, on the other hand, the threat actor attempts to break in using the most commonly known passwords, such as "1234" or "qwerty."

4: Man-in-the-middle attacks. These highly targeted attacks intercept a network connection and allow an attacker to hijack sessions, compromising a user's web session by stealing the session token. One example of a MitM attack is an attacker creating a fraudulent Wi-Fi access point designed to look like a legitimate public network -- i.e., a hotel or restaurant's public network. An unknowing victim would then connect to the attacker's network, giving away credentials and access in the process.

Fighting back

The breadth and (unfortunately) frequent success of these credential-focused attacks can seem intimidating. Through informed planning, training initiatives and the enforcement of cybersecurity policy, however, agencies can take action against these common threats. Simple strategies to strengthen identity and access management can go a long way to mitigating these attacks:

Enable multifactor authentication. MFA can help prevent credential compromise resulting from identity attacks, even if a user clicks a malicious link and gives away credentials. MFA prevents an attacker from being able successfully access a system by requiring a second layer of proof beyond a username and password -- factors such as a one-time passcode, soft tokens, hardware tokens or a biometric authenticator -- before allowing access.

Use password-less authentication. By stealing a user's password, an attacker can use it to gain access to a variety of sensitive information. Using tools like WebAuthn, agencies can require servers to authenticate users with public key cryptography rather than a password, greatly decreasing the success of phishing attacks. Since the authentication requires a private-public key pair, databases aren't useful to hackers, because the public keys aren't valuable.

Extend strong authentication to infrastructure and APIs. A 2017 Gartner report predicted that by 2022, application programming interface abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications. To build in additional protection across the entire infrastructure, agency security teams should extend authentication to servers and APIs and consider stronger policies and controls around these technologies to limit access and strengthen the overall posture of the agency.

Leverage network insights. Agencies can benefit from services with built-in intelligence capable of detecting suspicious login attempts and other abnormal activity across the network and utilizing that insight at various points in the ecosystem. This level of insight can prevent attackers from stealing user credentials while mitigating account lockout.

Defending against identity attacks starts with strengthening access controls. The shift to the cloud has allowed remote access to resources from devices outside traditional environments. With so many devices requesting access to resources, the common control point has shifted to the identity of the user.

By evaluating authorization at the individual level, agencies can use these strategies to mitigate some of the most credible threats against their ecosystems and shift their focus back to improving citizen experience through innovation and modernization.

NEXT STORY: In search of better biometrics

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.