Opinion: Agencies Need More Reliable Authentication to De-Weaponize Stolen Data During SolarWinds Breach
Tom McNeal, vice president of the partner channel and public sector for Neustar, emphasized the need to de-weaponize the civilian data released during the SolarWinds hack.
At the hands of cyber actors, personally identifiable information could be further exploited to launch new attacks, McNeal wrote in an opinion piece published by Nextgov.
To de-weaponize stolen data, he said federal agencies should adopt more effective authentication practices and avoid over-reliance on knowledge-based authentication (KBA).
According to McNeal, KBA is an ineffective authentication method because it relies on basic questions that identity thieves can easily answer.
Citing a National Institute of Standards and Technology guideline, he noted that KBA has been deemed to have an unacceptably high risk of successful use by attackers given the ease with which they can supply the answers to questions and the relatively small number of possible choices for many of them.
McNeal said several alternatives are already being used in the private and public sectors.
In his opinion, device-based identity verification is a standout means of authentication as it provides an integrated view of identity and identity reputation based on the data inherent to the device itself.
He added that device-based identity resolution solutions can tell agencies whether a device has been linked to unsafe behaviors in the past and whether it is in the possession of its owner.
The SolarWinds breach could serve as an opportunity for Chris Inglis, who is widely expected to be appointed national cyber director, to introduce the adoption of new identity resolution practices across the federal government, McNeal said.