11.30.2018 - HTTP Header Session Protection
The HTTP protocol was designed as a transport protocol to fetch and return content and to display HTML or other functions. But, HTTP wasn’t designed with authentication security top of mind. Approximately 40% of data breaches originate from attacks on web apps. And many of these breaches are preventable. HTTP header session protection as a part of your SSO solution should be at the forefront of your mind. Access to web/SaaS applications obviously initially requires successful authentication. After your username and password are accepted, authentication between the user and web service (client/server) session is usually maintained by cookies. The cookie allows the server, after successful authentication, to identify and trust the client during the session to allow seamless access to the web service. Many web services are front ends to databases, consumer data and/or corporate user specific data. An attacker, therefore, would just need to steal the cookie to hijack the current authenticated session. HTTP headers provide another layer of security for employees and consumers to guard against a number of attack vectors — including man-in-the-middle attacks (MIM), many cross-site scripting (XSS) attacks, session hijacking, and more. Cross-site scripting (XSS) has been a popular attack vector. In fact, it’s reported that XSS is the most common exploited vulnerability in web applications. XSS are high risk vulnerabilities where a type of code injection is used to hijack a legitimate users’ session. This isn’t a password breach, but a breach in the web session where the user has already successfully authenticated and is interacting with a web service. The HTTP session is hijacked and the attacker is now impersonating a legitimate authenticated user. Users are vulnerable everywhere to these threats but are especially susceptible within public unsecured WiFi networks where attackers can easily extract session cookies. Certainly, you would always also prefer an HTTPS session over an HTTP session, but that won’t necessarily help mitigate some XSS security issues. You need multiple layers of protection. HTTP header session protection is an essential component of a secure web services session; however, HTTP header session protection won’t protect against weak and reused passwords, brute force attacks, phishing attacks and other attacks against the passwords themselves. To mitigate password threats, implement strong authentication using multifactor authentication (MFA). Optimal IdM has a rock solid, agile MFA solution that was named Best MFA Solution of the Year in the GSN Homeland Security Awards. Microsoft reports that only 4% of SaaS storage apps and 3% of SaaS collaboration apps support all HTTP headers session protection. It’s irresponsible for organizations to ignore such large, yet solvable, attack vectors. Today’s sophisticated threat landscape for web and SaaS SSO applications require a vendor who can support modern, strong authentication by leveraging multiple HTTP session protections. Optimal IdM is that vendor. Further, Optimal IdM’s SSO solutions session support protections and encrypt data in transit and at rest. Additional Recommendations ...
10.11.2018 - Identity Management Challenges for Retailers
09.10.2018 - Identity And Access Management Solutions: Build vs. Buy
09.7.2018 - Interview: “How to Protect Your Identity in the Workplace”
Mike Brengs from Optimal gives Alayna Pehrson from Best Company some tips on “How to Protect Your Identity in the Workplace”. The full article can be seen here: https://bestcompany.com/identity-theft/blog/how-to-protect-your-identity-in-the-workplace ...
08.15.2018 - Optimal IdM Announces FIDO Compliance with U2F Integration
U2F integration now an additional MFA option with The OptimalCloud. ...
08.6.2018 - The Last Watchdog Interview: How Typing and Swiping Nuances Can Verify Your Identity
Q&A: How your typing and screen swiping nuances can verify your identity Optimal IdM speaks with Byron Acohido at The Last Watchdog about behavioral biometrics, specifically using a person’s typing habits as a second form of authentication ...
08.1.2018 - Optimal IdM Earns ISO/IEC 27001:2013 Certification
Optimal IdM, a leading provider of Identity and Access Management (IAM) solutions, today announced it has achieved ISO/IEC 27001:2013 certification, the international standard outlining best practices for information security management systems. “These certifications validate our commitment to transparency and providing the highest standards of security to our customers,” said Ed Gorczyca, Chief Compliance Officer at Optimal IdM. ...
07.26.2018 - Interview with The Last Watchdog
Interview with The Last Watchdog – “MY TAKE: Here’s why identities are the true firewalls, especially as digital transformation unfolds” Optimal IdM speaks with Byron Acohido at The Last Watchdog about dynamic authentication management that can weed out threat actors, without slowing digital transformation. ...
07.25.2018 - Optimal IdM Partners with Biometric Firm TypingDNA To Extend MFA Offering
Optimal IdM, a leading provider of Identity and Access Management (IAM) solutions, today announced it has partnered with TypingDNA to bring customers a secure biometric option as part of their multi-factor authentication (MFA) solution. TypingDNA’s behavioral biometrics can identify people based on how they type either on a mobile or desktop platform. This is a secondary form of login authentication for users who enter their email address and password. “Having this kind of behavioral authentication extends our MFA offering and strengthens our portfolio,” said Chris Curcio, VP of Channel Sales and Partnerships at Optimal IdM. “We are very excited about our partnership with TypingDNA because of the ease of use and quick implementation they bring to our customer’s current applications.” Raul Popa, CEO of TypingDNA, had this to say about the new partnership, “We are delighted to join Optimal IdM in the mission to accelerate the availability of a ‘no more painful’ authentication. An increasing number of people are and will be authenticated by something they already are naturally doing, such as typing.” ...
07.23.2018 - Manufacturers Need Industrial-Quality Access Control
Ideas about cybersecurity in the manufacturing sector have started to change, and it’s about time. Until recently, a common misperception among those in the industrial world was that that they had little to attract hackers—no credit card data, no health records, no bitcoin. But manufacturers do have data, and it’s immensely valuable — their trade secrets. Profit isn’t the only motivation for hackers many just want to cause chaos. There are plenty of reasons for hackers to attack manufacturing systems; the proof is that one out of three industrial control systems (ICS) computers were hacked last year (Kaspersky Lab, Sept 2017). That number seems daunting. Many industrial automation systems have only limited internet connectivity, if at all. But they are connected to their corporate networks, and that’s where the weakness lies. Only half of manufacturing businesses isolate their ICS networks from their corporate networks (www.ncms.org/CyberSecurityReport). The rest are the mercy of the same phishing, ransomware, and insider attacks as any financial or healthcare organization. One vulnerability that affects manufacturers in particular is poor security practices among their vendors. It just takes one weak partner to infect an entire supply chain. Hackers are efficient criminals; they conduct research using Lexis Nexis, LinkedIn, and even dumpster dive to learn what they need to know to launch the most effective attack possible against their target of choice. If they want to attack your business, they may learn who your vendors are, choose those they suspect to be the weakest¾which may be a mom-and-pop shop, or may be a larger business that has a reputation on the dark web as an easy takedown¾and breach the weak vendor in order to hop onto your network. Security professionals like to say, “Security is people.” The average worker at a bank or hospital is highly aware that their employer is a high-value target, so they are more cautious than those in other industries about clicking on links or opening attachments. The average worker in an industrial business may not be as guarded. Security awareness training is a step in the right direction, but not all workers will take it seriously. Even if every worker did keep security at top-of-mind, humans still make mistakes. It just takes one accidental click to open the door to malware. And once inside, it may make its way to whatever target its authors desire. That could be your trade secrets, or it could be the main controllers in your automation system. ...
