To Battle Token Threat, Focus On People As Well As Security Tools
By Michael Cocanower
Token theft — when unauthorized individuals gain access to security tokens, which are used to authenticate identity and authorize access to systems and data — often is considered to be an information-technology problem, meaning organizations commonly deploy IT defenses against the threat.
But if we accept that token theft is a people problem as much as it is a technology problem, then deployment strategies that forget about the human element are likely to fail.
No cybersecurity professional, of course, wants to hear this. We dread the challenges of dealing with people who skip security training sessions, look for shortcuts around security, sometimes don’t listen and often don’t understand. It’s far easier to roll out a digital tool and expect clear-cut results.
Fast-growing threat
The threat posed by token theft is increasing rapidly. Microsoft recently reported that while token theft still accounts for less than 5 percent of the cases of compromised identity, the company has detected 147,000 token-replay attacks, an increase of more than 110 percent from a year earlier.
Some of the increase is the expected result of wider adoption of two-factor authentication strategies that rely on some sort of token. More tokens will draw more attacks. But the growing number of attacks also reflects the knowledge among bad actors that the theft of tokens presents an attractive opportunity. If they’re able to acquire tokens that allow them to pose as legitimate users, they can easily access sensitive information or undertake malicious initiatives. Multi-factor authentication, in fact, may give users a false sense of security. Even though it provides a stronger level of protection than single-factor tools, multi-factor authentication provides no security at all if a bad actor has stolen the token, because the token represents a sign-in that has already passed every factor.
While developers of security tools continue to create powerful safeguards to prevent token theft and limit the damage of a breach, those tools are only as strong as the commitment of the people who use them.
The human factor
The decades-long struggle to convince users to create strong passwords and regularly change them stands as a caution against placing too much trust in technological deployments that aren’t supported by strong training initiatives.
Physical security tokens present obvious security risks when they’re lost or stolen. The larger risks, however, arise when threat actors manage to place themselves in the middle between a user and a server. From that position they can grab the tokens and credentials that pass through them.
These man-in-the-middle attacks often result when users fall for malicious phishing links that show up in their email. (If phishing didn’t work so often, bad guys wouldn’t be using it.) The users who fall for phishing scams usually aren’t foolish. More often, they’re busy professionals working through dozens of emails with their brains on autopilot. But one thoughtless click can download malware that can expose the organization’s entire digital environment.
Many IT professionals, meanwhile, continue to discover that staff members log into networks from devices that aren’t compliant with their organization’s security protocols. Anti-malware and anti-virus tools may be outdated or not even installed. Jailbroken cell phones are a particular problem because they are likely to expose tokens to attackers.
However bad actors get themselves into a position where they can nab security authorizations, the number of enterprise-threatening issues that can arise is seemingly endless: Identity theft. Espionage. Transaction tampering. Malware injection.
Tools to support people
No one believes, of course, that committed and well-trained users will be able to withstand token-theft attacks on their own. They need the powerful tools and strategies that are coming to market. At the minimum, effective protection of security tokens should include:
- Use of storage encryption on devices, including on tokens themselves, in case the device ends up in the wrong hands.
- Strategies that address the full universe of known threats to tokens, including the man-in-the-middle and cross-site scripting attacks that steal tokens in transit during authentication or directly from browsers.
- Careful selection of services and apps to ensure they offer token protection as well as routine updates to ensure they remain strong.
- Development of aggressive token-expiration policies that keep tokens in effect no longer than necessary. Long-lived tokens allow attackers longer time to work under a stolen identity.
- Use of HTTPS to send tokens. Non-HTTPS connections can allow tokens to be intercepted.
- Deployment of strong anti-virus and endpoint-detection tools that can detect malware that might lead to theft.
- Commitment to monitoring and logging protocols that identify unusual behavior in the network.
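As an added example that is not part of the article, the Python below turns the last two items, short token lifetimes and monitoring for unusual behavior, into concrete checks over a few constructed access-log lines: a token presented from a second client fingerprint (source IP plus user agent) shortly after the first is a replay indicator, and a token still in use past its policy lifetime is a policy failure that should have been rejected. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One line per token use:
# time  token_id  user  source_ip  user_agent  token_issue_time
SAMPLE_LOG = """\
2024-05-01T09:00:00Z tok-a1 alice 203.0.113.10 Chrome/124 2024-05-01T08:55:00Z
2024-05-01T09:02:00Z tok-a1 alice 203.0.113.10 Chrome/124 2024-05-01T08:55:00Z
2024-05-01T09:03:00Z tok-a1 alice 198.51.100.7 curl/8.4 2024-05-01T08:55:00Z
2024-05-01T09:10:00Z tok-b2 bob 203.0.113.22 Firefox/125 2024-04-30T09:10:00Z
2024-05-01T09:11:00Z tok-c3 carol 203.0.113.30 Safari/17 2024-05-01T09:05:00Z
"""

MAX_LIFETIME = timedelta(hours=1)       # assumed policy: no token lives longer than 1h
REPLAY_WINDOW = timedelta(minutes=10)   # assumed: new fingerprint within 10 min is suspicious


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse the whitespace-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, tok, user, ip, ua, issued = line.split()
        events.append({"ts": _ts(ts), "tok": tok, "user": user,
                       "ip": ip, "ua": ua, "issued": _ts(issued)})
    return events


def find_replays(events, window=REPLAY_WINDOW):
    """Flag a token presented from a second (ip, user_agent) pair within the window."""
    seen = defaultdict(list)   # token_id -> [(time, fingerprint), ...]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        fp = (e["ip"], e["ua"])
        for prev_ts, prev_fp in seen[e["tok"]]:
            if prev_fp != fp and e["ts"] - prev_ts <= window:
                alerts.append((e["tok"], e["user"], prev_fp, fp))
                break   # one alert per offending use is enough
        seen[e["tok"]].append((e["ts"], fp))
    return alerts


def find_overaged(events, max_lifetime=MAX_LIFETIME):
    """Flag uses of a token older than the lifetime policy allows."""
    return [(e["tok"], e["user"], e["ts"] - e["issued"])
            for e in events if e["ts"] - e["issued"] > max_lifetime]
```

Running both checks over the sample flags tok-a1 (reused from a new IP and client one minute after its last normal use) and tok-b2 (still accepted a full day after issue), which are exactly the two signals the list items above ask teams to look for.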
Bringing people, tools together
Implementation of these IT tools will be far more powerful if they’re accompanied by close attention to the human factor.
All too often, we hear cybersecurity professionals refer to people as “the weakest link” in enterprise security. But when we treat people as just another component whose behavior can be controlled, we open ourselves to trouble. After all, it is people who ultimately direct the use of digital assets and benefit from them. It is people who will decide whether the additional work required by security measures is worth the hassle.
Good cybersecurity teams will involve people from across the enterprise as early as possible and as often as possible in the battle against token theft. It is imperative to dedicate proper time and resources to regularly inform the entire organization about current initiatives — preferably in some language other than digital-speak. They will commit themselves to be teachers of valuable skills and support an enterprise-wide culture that’s always attentive to potential threats.
Theft of tokens isn’t going to go away. User identification that provides access to companies’ digital assets is a highly valuable prize. Protection of this valuable jewel — perhaps the most valuable owned by any organization — will demand the work of savvy cybersecurity professionals, the development of robust tools and the understanding and commitment of every single person across the enterprise.
About Michael Cocanower
Michael Cocanower is founder and chief executive officer of AdviserCyber, a Phoenix-based cybersecurity consultancy serving Registered Investment Advisers (RIAs). A graduate of Arizona State University with degrees in finance and computer science, he has worked more than 25 years in the IT sector. Michael, a recognized author and subject matter expert, has earned certifications as both an Investment Adviser Certified Compliance Professional ® and as a Certified Ethical Hacker. He is frequently quoted in leading international publications and served on the United States Board of Directors of the International Association of Microsoft Certified Partners and the International Board of the same organization for many years. He also served on the Microsoft Infrastructure Partner Advisory Council.