A growing number of organizations are testing cutting-edge, adaptive forms of authentication that recognize patterns in keystrokes, mouse movements, or even gait (if you’re wearing a smartwatch).
These extra signals are meant to help enterprises, banks, and hospitals guard their most valuable assets while avoiding the user irritation that repeated multi-factor authentication prompts can cause. But adaptive authentication is still early in its adoption, and the organizations deploying it will have to prepare employees for systems that may know their habits surprisingly well.
What’s the score?
“Risk-based authentication” verifies a user by scoring how trustworthy a login attempt looks, often based on factors like IP address, geolocation, and time of day.
Calculating that risk score was traditionally a simple task built on one basic question, according to Johannes Ullrich, dean of research at the SANS Technology Institute: “Is the user connecting from a new device?” The cutting-edge aspect of adaptive authentication lies in its ability to assess risk by asking much more than that, said Ullrich.
“That’s really sort of where the cutting-edge part comes in,” Ullrich told IT Brew. “How granular are you? And how are you sort of doing that behavior analysis and such to figure out: Is this a high-risk transaction or not?”
Adaptive authentication products build a baseline of a legitimate user’s normal behavior and then watch for anomalies. An unusual pattern—say, an unlikely database request at 3am—is flagged as a potential account takeover, and the access system can then log the user out, prompt for multi-factor authentication, or reduce in-session privileges, according to Andras Cser, VP and principal analyst at Forrester.
Adaptive technology combines a rule-based approach with advanced analytics and artificial intelligence or machine learning, and that machine learning can figure you out, according to Dan Lohrmann, field CISO for public sector at New York-based systems integrator Presidio.
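To make the scoring concrete, here is an added example (not code from the article or from any vendor it mentions) of a toy risk-based authentication engine. Each login or in-session request is compared against a per-user baseline of known devices, known countries, working hours and last-seen location, and the resulting score selects one of the responses described above: allow, reduce in-session privileges, step up to MFA, or terminate the session. Every weight, threshold, action name, coordinate and timestamp below is a constructed assumption; a real product tunes these from observed behavior rather than hard-coding them.

```python
"""Added example, not code from the IT Brew article or any vendor mentioned in
it: a toy risk-based authentication scorer. A login or in-session request is
compared with a per-user baseline (known devices, known countries, normal
working hours, last seen location) and the score picks a response.
Every weight, threshold, name and data point here is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Hypothetical weights; a real deployment tunes these per tenant.
WEIGHT_NEW_DEVICE = 40
WEIGHT_NEW_COUNTRY = 25
WEIGHT_OFF_HOURS = 15
WEIGHT_HIGH_RISK_ACTION = 20
WEIGHT_IMPOSSIBLE_TRAVEL = 50
MAX_PLAUSIBLE_KMH = 1000                      # faster than an airliner => impossible travel
HIGH_RISK_ACTIONS = {"bulk_export", "privilege_grant"}  # hypothetical action names


@dataclass
class Baseline:
    known_devices: set
    known_countries: set
    work_hours_utc: tuple               # (start, end): start inclusive, end exclusive
    last_seen: Optional[tuple] = None   # (datetime, lat, lon) of the previous activity


@dataclass
class Attempt:
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime
    action: str = "login"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt, baseline):
    """Return (score, reasons) for one attempt against the user's baseline."""
    score, reasons = 0, []
    if attempt.device_id not in baseline.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new_device")
    if attempt.country not in baseline.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new_country")
    start, end = baseline.work_hours_utc
    if not start <= attempt.ts.hour < end:
        score += WEIGHT_OFF_HOURS
        reasons.append("off_hours")
    if attempt.action in HIGH_RISK_ACTIONS:
        score += WEIGHT_HIGH_RISK_ACTION
        reasons.append("high_risk_action")
    if baseline.last_seen is not None:
        prev_ts, prev_lat, prev_lon = baseline.last_seen
        hours = (attempt.ts - prev_ts).total_seconds() / 3600
        km = haversine_km(prev_lat, prev_lon, attempt.lat, attempt.lon)
        # Distance covered faster than any flight could: geographically impossible.
        # Negative hours (out-of-order events) are skipped rather than scored.
        if hours >= 0 and km > MAX_PLAUSIBLE_KMH * hours:
            score += WEIGHT_IMPOSSIBLE_TRAVEL
            reasons.append("impossible_travel")
    return score, reasons


def respond(score):
    """Map a score to the responses the article lists, in increasing severity."""
    if score >= 70:
        return "terminate_session"
    if score >= 40:
        return "step_up_mfa"
    if score >= 20:
        return "reduce_privileges"
    return "allow"


def evaluate(attempt, baseline):
    score, reasons = risk_score(attempt, baseline)
    return score, respond(score), reasons


# Constructed sample data: a New York user with one registered laptop.
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
USER = Baseline(
    known_devices={"laptop-a1"},
    known_countries={"US"},
    work_hours_utc=(13, 22),   # roughly 9am-6pm US Eastern
    last_seen=(datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc), *NYC),
)
SAMPLE_ATTEMPTS = {
    "routine": Attempt("laptop-a1", "US", *NYC, datetime(2024, 5, 1, 15, 0, tzinfo=timezone.utc)),
    "new_device": Attempt("phone-z9", "US", *NYC, datetime(2024, 5, 1, 15, 30, tzinfo=timezone.utc)),
    "night_export": Attempt("laptop-a1", "US", *NYC, datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc),
                            action="bulk_export"),
    "london_1h_later": Attempt("laptop-a1", "GB", *LONDON, datetime(2024, 5, 1, 15, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(name, evaluate(attempt, USER))
```

The four constructed attempts exercise the escalation ladder: a routine login scores 0 and is allowed; a new device alone triggers an MFA prompt; a bulk export at 3am from a known device is allowed but with reduced privileges; and a login from London one hour after activity in New York combines a new country with impossible travel and ends the session.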
“It learns behaviors; it learns how you do your work; it learns when you access different types of data, what data are you trying to access,” said Lohrmann. “They can get pretty good at determining how you do what you do when you do it.”
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
TOGETHER WITH HUMAN SECURITY
That question is getting harder and harder to answer, folks. Malicious bots are becoming more sophisticated, slipping through traditional defenses to perpetrate digital attacks such as new-account fraud, content manipulation, payment fraud, and even denial of inventory.
HUMAN Security knows 77% of all digital attacks are bot-based. That’s why HUMAN applies a modern defense strategy to safeguard organizations against cybersecurity exposure before serious damage is done, increasing ROI and customer trust.
So, how does HUMAN work their magic? Well, for starters, they verify 15 trillion digital interactions per week. This wide expertise and viz gives them proactive insight into cybercriminal activity like no other company, enabling “bot or not” decisions in milliseconds.
Translation? Cybercriminals can’t penetrate your business apps, and your customers are treated to friction-free access.
Team up with HUMAN Security here.
Traditionally, ransomware gangs have broken into IT systems through email attachments, phishing, and malicious web scripts. But a new report from Forescout’s Vedere Labs predicts that the next generation of ransomware will gain its initial foothold through Internet of Things (IoT) devices, taking advantage of their lax security, and then attack IT systems and operational technology (OT) directly.
Forescout researchers developed a proof-of-concept attack vector, calling the new approach “Ransomware for IoT,” or R4IoT. The method relies on exploiting known vulnerabilities and configuration errors in IoT devices like routers and IP cameras to gain initial access to a network, after which an attacker could move laterally to traditional IT devices and then to an organization’s OT devices. The method detailed in the case study is “general purpose,” meaning it “works at large scale on a wide variety of devices impacted by TCP/IP stack vulnerabilities” and is not limited to a particular operating system or device type.
Be careful what you plug in
“It’s currently sitting at around 45% of the number of nontraditional Wi-Fi devices in an organization,” Daniel dos Santos, head of security research at Forescout, told IT Brew. “So close to half of what you have in an organization nowadays is not a laptop or a computer or something like that, right?”
“It’s the IP cameras, routers, and printers…PLCs [programmable logic controllers], and whatever else you have in terms of IoT and OT,” he added. “So if we put those things together, like a larger attack surface, that is very hard to patch, very hard to manage for the security teams.”
The R4IoT report’s case study involved an IP camera that was incorrectly exposed to external connections. By chaining a series of critical vulnerabilities to gain root access on the camera, Forescout researchers were able to turn it into a proxy running a Remote Desktop Protocol (RDP) credential cracker. That let them obtain valid credentials and gain access to a connected Windows machine.
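Both stages of that chain leave traces a network monitor can catch: a camera accepting connections from the internet, and a camera that is suddenly an RDP client. Here is an added example (not from the Forescout report or the article) of detection logic for those two stages, run over a handful of constructed connection-log lines. The asset inventory, log format, addresses, ports and thresholds are all assumptions made for this example; the point is that an IoT device's class, not just its IP, is what makes these connections anomalous.

```python
"""Added example, not code from the Forescout R4IoT report or the IT Brew
article: detection logic for the two stages of the attack chain described
above, run over constructed connection-log lines. Rule 1 flags an IoT-class
device that accepts a connection from outside the organization's address
space (the misexposed camera). Rule 2 flags an IoT-class device that itself
opens RDP (TCP/3389) sessions to internal hosts, which is what the hijacked
camera did while running an RDP cracker. Inventory, log format, addresses and
thresholds are all assumptions made for this example."""
import ipaddress
from collections import defaultdict

# Hypothetical asset inventory (IP -> device class), as a NAC or CMDB would export it.
INVENTORY = {
    "10.10.5.20": "ip_camera",
    "10.10.5.21": "printer",
    "10.10.7.3": "plc",
    "10.20.1.15": "workstation",
    "10.20.1.16": "workstation",
    "10.20.1.17": "workstation",
    "10.20.2.5": "windows_server",
}
IOT_CLASSES = {"ip_camera", "printer", "plc"}
RDP_PORT = 3389
SPRAY_THRESHOLD = 3   # distinct RDP targets from one IoT source => credential spraying

# Assumed internal address plan (RFC 1918). ipaddress's is_private is deliberately
# not used: it also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-05-01T02:11:03Z 203.0.113.44:51234 -> 10.10.5.20:80 tcp
2024-05-01T02:11:09Z 203.0.113.44:51240 -> 10.10.5.20:80 tcp
2024-05-01T02:13:00Z 10.10.5.20:40001 -> 10.20.1.15:3389 tcp
2024-05-01T02:13:01Z 10.10.5.20:40002 -> 10.20.1.16:3389 tcp
2024-05-01T02:13:02Z 10.10.5.20:40003 -> 10.20.1.17:3389 tcp
2024-05-01T02:13:03Z 10.10.5.20:40004 -> 10.20.2.5:3389 tcp
2024-05-01T02:14:10Z 10.20.1.15:50100 -> 10.20.2.5:3389 tcp
2024-05-01T02:15:00Z 10.20.1.15:50200 -> 10.10.5.21:9100 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, _, dst, proto = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def detect(log_text, inventory=INVENTORY):
    """Return a list of alert dicts for the connections in log_text."""
    exposures = set()               # (iot_ip, external_ip, port)
    rdp_targets = defaultdict(set)  # iot_ip -> internal hosts it opened RDP to
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        src_class = inventory.get(ev["src"], "unknown")
        dst_class = inventory.get(ev["dst"], "unknown")
        # Rule 1: an IoT device should never be reachable from outside the org.
        if dst_class in IOT_CLASSES and not is_internal(ev["src"]):
            exposures.add((ev["dst"], ev["src"], ev["dport"]))
        # Rule 2: an IoT device has no business acting as an RDP client.
        if src_class in IOT_CLASSES and ev["dport"] == RDP_PORT and is_internal(ev["dst"]):
            rdp_targets[ev["src"]].add(ev["dst"])

    alerts = []
    for iot_ip, ext_ip, port in sorted(exposures):
        alerts.append({"rule": "iot_exposed_externally", "device": iot_ip,
                       "device_class": inventory[iot_ip], "peer": ext_ip, "port": port})
    for iot_ip, targets in rdp_targets.items():
        alerts.append({"rule": "iot_rdp_client", "device": iot_ip,
                       "device_class": inventory[iot_ip], "targets": sorted(targets),
                       "severity": "critical" if len(targets) >= SPRAY_THRESHOLD else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the camera produces exactly two alerts: one for accepting inbound connections from 203.0.113.44, and one critical alert for opening RDP sessions to four internal hosts. The workstation-to-server RDP session and the workstation-to-printer print job on the last two lines are left alone, because their source classes are allowed to behave that way.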
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
TOGETHER WITH HUMAN SECURITY
Are bots bullying your biz? Bots are used in the attack path for 77% of cybercriminal infiltrations. Damage can range from payment fraud to loss of customer trust. Luckily, HUMAN Security knows how to separate the bad bots from the humans with a single line of code, securing your brand and your rep. Reach out to HUMAN to find out how your bot defense stacks up.
Today’s top IT reads.
Stat: Over 290,000 instances of plagiarism have been identified by DeviantArt on various NFT marketplaces, including OpenSea, according to the New York Times.
Quote: “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers.”—US Attorney Stephanie M. Hinds on Twitter’s $150 million civil penalty over alleged data privacy violations (US Department of Justice)
Read: The infamous dark-web marketplace AlphaBay was taken down in 2017. But now it’s back and seizing market share for potentially illegal transactions, thanks to fewer competitors. (Wired)
- Turns out Binance, the largest cryptocurrency exchange in the world, has been used by hackers to funnel billions in illicit funds, reported Reuters.
- Apple says it stopped over a million “risky and vulnerable” apps and updates from potentially scamming users in 2021.