[BreachExchange] Behavioral biometrics missing from cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 19:22:51 EST 2018


Recently, there's been an uptick in the adoption of the NIST Cybersecurity
Framework, a set of guidelines aimed at helping organizations improve their
overall cybersecurity process. In December 2017, NIST released the second
draft of its framework. Among the updates were two critical additions to
the Identity Management, Authentication and Access Control guidance.

These updates address the disturbing reality that our digital identities
are surprisingly unsecure. More than 9 billion credentials have been stolen
since 2013, giving cyber criminals an abundance of personally identifiable
information to use to commit fraud, from account takeover attacks, to
fraudulent credit applications and more. By combining NIST Framework
guidelines with behavioral biometric identity proofing and authentication
solutions, organizations can fight back against these shocking statistics
to detect and prevent fraud.

What is the NIST Framework?

The NIST Cybersecurity Framework is a set of guidelines collaboratively
formulated to give companies a starting place for evaluating, preventing
and responding to cyber risk. Thirty percent of U.S. organizations use the
NIST framework, including JPMorgan Chase, Merck & Co, Kaiser Permanente and
Chevron Corporation. The NIST Framework focuses on five areas for reducing
cyber risk: identify, protect, detect, respond, recover.

Rather than being shocked by each new data breach, ransomware attack or
instance of fraud, companies are increasingly working to improve their
cybersecurity posture, and not just internal information security
professionals. Business leaders and c-suite level executives are waking up
to the importance of putting resources behind their organization's
cybersecurity, from the insurance industry to financial institutions.
Companies are finding the NIST Framework's guidance particularly helpful in
a time when cyberattacks are costly and growing at an alarming rate. Every
39 seconds, there is an attack on a computer with internet access and
cyberattacks are priced at an estimated $400 billion globally per year.

Meeting NIST Framework Identity Management and Authentication Guidelines
with behavioral biometrics: Behavioral biometrics are specifically designed
to address the identity management and authentication guidance added under
the "protect" section of the NIST Framework's second draft. Using
behavioral biometrics, organizations can employ advanced identity proofing
and authentication technology to detect fraud and prevent unauthorized

Identity proofing with behavioral biometrics

The NIST Framework recommends that "identities are proofed and bound to
credentials and asserted in interactions when appropriate." Identity
proofing is a process organization's use to collect and verify information
about a person for the purpose of an account opening or issuing credentials
to that person. Most often, identity proofing is used to meet regulatory
requirements and prevent fraud.

Typically, companies rely on database searches to verify user information
entered into online applications. These traditional identity proofing
methods are no longer sufficient, however, as the information required to
open new accounts is readily accessible to cyber criminals due to
large-scale data breaches. In fact, one in nine of all online accounts
created in 2017 was fraudulent.

Behavioral biometrics fulfill NIST Framework guidance for identity proofing
by monitoring user behavior when filling out online applications, not just
that the correct information is entered. Working in the background,
behavioral biometrics verify that online applications are being filled out
by genuine users, not fraudsters, by testing for application fluency,
navigational fluency and low data familiarity.

For example, fraudsters often use keyboard shortcuts and enter unfamiliar
data in a way not exhibited by legitimate users. Based on these parameters,
organizations can effectively verify user identity, in real-time, and
experience less fraud.

Risk-based, multi-factor authentication and behavioral biometrics

The second update to the NIST Framework that behavioral biometrics can
address relates to risk-based, multi-factor authentication. Specifically,
the NIST Framework recommends that "users, devices, and other assets are
authenticated (e.g., single-factor, multifactor) commensurate with the risk
of the transaction (e.g., individuals' security and privacy risks and other
organizational risks)."

Behavioral biometrics go a step farther and meet these requirements by
providing continuous authentication, not just single or multi-factor
authentication. Rather than requiring users to provide a static identifier,
like a password or fingerprint, behavioral biometrics monitor user behavior
from login to logout to detect suspicious activity throughout a user
session, not just at log in. This is important because 100 percent of fraud
occurs in authenticated sessions, clear evidence that traditional
authentication methods are still failing to catch cyber criminals.

Even multi-factor authentication has already proven vulnerable to attack.
Working behind the scenes, behavioral biometrics collect data on user
interactions with a device, establishing a unique identity profile that
can't be duplicated. How one user moves their mouse, for example, can't be
recreated by a cybercriminal or remote access trojan. This entire
authentication process takes place without the user knowing - a win for
customer experience.

When needed, behavioral biometrics can also introduce additional
authentication measures if suspicious activity is detected. This could be a
prompt to enter a password or use another biometric like a fingerprint or
facial scan. This type of multi-factor authentication is significantly more
secure than knowledge-based security.

Using behavioral biometrics, organizations can meet and exceed NIST
Framework guidelines around authentication to better secure users, online
transactions and the business as a whole.

The NIST Framework is an excellent place for organizations to begin
improving and updating their cybersecurity process. In June 2017, NIST also
released a Special Publication (SP) 800-63, a document outlining Guidelines
on Digital Identity. The document replaced outdated authentication and
identity proofing recommendations with new ones, meant to align with the
types of cyber threats organizations are facing today. This includes
providing adequate identity proofing and authentication solutions to
prevent unauthorized access, activities and transactions.

Advanced technology solutions, like behavioral biometrics, are helping
organizations put NIST Framework recommendations into practice. When it
comes to preventing fraud, account takeover, malware or other cyberattack,
behavioral biometrics provide the best option for ensuring users are who
they claim to be.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180123/911c094f/attachment.html>

More information about the BreachExchange mailing list