Security happens where you least expect it

As the awareness of cyberattacks increases globally, we can see organizations paying more attention and investment to cybersecurity solutions. These can come in many shapes and sizes –hardware, software or know-how.

IT professionals are expected to keep up with modern security technologies and maintain high security in their own companies’ or customers’ infrastructure. In this ever-present cold war between cybersecurity and hackers, there is a battlefield often left unattended – the back office. An organization may invest heavily in firewalls and security procedures to protect its’ internal network, but there is often privilege and information to be found outside the network that lies exposed. This low-hanging fruit may be the first target and can lead to unnecessary risk management and incurring costs, which would have otherwise been avoidable.

One piece of common wisdom that gets repeated ad nauseam in today’s security world is this:

The security does not come from systems, it comes from users.

Therefore, you can find in many modern organizations introductory or periodic training for users that is supposed to make sure they behave in a way that does not put their organization at risk. Nevertheless, adherence to secure procedures gets often overlooked with a certain type of users and even the most intense training cannot eliminate human error.

In other words, training the users can become a serious investment whose returns are by nature limited.

This brings an opportunity to implement a system which is A) secure and B) so comfortable for users that they are inclined to utilize it on their own. Let us look at an example.

A very common occurrence nowadays is for the back-office personnel to use various e-shops, partner portals, online resources etc. These systems are outside your security control and special attention should be paid to what sort of information is sent there. Especially e-shops are a regular target of cyberattacks and we often read in the news how many millions of logins and passwords was stolen from this or that webserver.

These portals are most interacted with through a web browser. This is where the danger lies as well as the solution.

Securing users with a web browser plugin   #

Fortunately, securing the users access to web pages can be achieved through technology. But no mere user-controlled password manager is going to cut it.

SecureAnyBox browser plugin together with SecureAnyBox Launcher 2.0 connects to SecureAnyBox server in order to provide a webpage with correct credentials. It takes login and password from a secure space on a SAB server and fills the login field.

How does it work and what are the benefits for both user and organization?

A typical web page uses scripts to provide content and function to the user. Web browser runs these scripts one by one, and the result is the interactive environment on your screen that you are used to. Scripts happen both in the foreground and background of a web page. The content script on a page can recognize a username and password field and give this information to the SAB plugin. The plugin takes this information and via SAB Launcher asks the SAB server if it has credentials for a particular URL. The username and password are only provided only to an authenticated user who has the proper Access Code. Access Code is a unique security feature of SecureAnyBox. Bear in mind that the SAB launcher (in other words “the user”) must be authenticated to the SAB server (not just locally). This authentication can be based on KeyShield token (a sibling product to SecureAnyBox) or on user specific credentials.

Once the user selects the provided credentials, SAB launcher hands them to the content script which fills out the web field.

How does all this look from the point of view of the user?

Coming back to our example of back-office personnel, imagine that you are a user who accesses tens or even hundreds of web pages (e-shops, portals) daily. Proper security procedure commands that each portal should have unique login and password, but too often this is not the case. Users often find ways to circumvent this rule and either employ the same password in multiple instances or utilize a “system” for creating the passwords. Therefore, if even one portal is compromised, multiple other portals can be compromised with it. For example, stolen invoices can be invaluable information to a would-be attacker!

In a SAB secured scenario the user can operate without even knowing the passwords. Once they enter a webpage, a button appears in the password field that then leads the user to first authenticate themselves to the SAB server and choose the corresponding option for the URL. Subsequently they input their access code and the credentials are fill up their respective fields.

SecureAnyBox includes an option to set up a time-out for authentication and access, so that the users do not have to input their own password and access every time.

The whole operation takes less than a few seconds.

Since the login and password saved on the SAB server is matched to a specific URL, this offers protection against a phishing attack. Attackers have grown increasingly ingenious in creating fake websites that imitate the websites the employees use daily. With use of the SAB plugin, the password is never to offered for the fake URL, thus immediately alerting the user that something is wrong.

Security done smarter, not harder #

SecureAnyBox solution combines the benefits of securing the behaviour of all employees while offering them an easy to adopt and use way to manage their passwords.

From the point of view of an organization, it bears to highlight the function of an audit log. Every time an employee uses their access code to fill out a password, this action is logged and can be audited later.

So far, this article has focused on the dangers of an outside attack. It is just as important to be aware of all the systems that (e.g.) a leaving employee has accessed. Ordinarily this would be an almost impossible task, but with the use of SAB audit log, this information can be brought forth immediately.

The thing to remember is that there does exist a solution for securing your users online behaviour while not obstructing their work.

Please visit our website to learn more about smart security solutions for a modern business world.

Powered by BetterDocs