Today, February 15th, 2018, marks the day that the Department of Financial Services (DFS) cybersecurity regulation Part 500 comes into force.
This means any financial institution either under the direct jurisdiction of the DFS or conducting business in the state of New York must comply with the new regulation.
23 NYCRR 500 emphasizes practices that harden applied security measures to safeguard nonpublic information. But unlike many cybersecurity regulations, Part 500 takes advanced authentication to a new level.
It does this by recommending authentication procedures that rely on anomaly detection and/or changes in normal usage patterns. Part 500 refers to this as risk-based authentication, and it can be found under section 500.12, Multi-Factor Authentication.
By including risk-based authentication in the category of multi-factor authentication, the New York DFS clearly acknowledges that such an authentication method requires some form of verification factor to function properly. This is also reflected in section 500.01, which states that multi-factor authentication systems must rely on three categories of verification factors:
The last one is particularly interesting. Nowadays, we don't define biometric characteristics as narrowly as we did a few years ago. Apart from the usual fingerprint and retina scans, there are also so-called digital biometric identifiers. These are regularly occurring patterns and constantly performed actions that reflect an individual's unique behavior. Such characteristics are bound to an individual and impossible to mimic or reproduce, yet they easily distinguish one user from another.
All we need now is a system capable of performing anomaly detection on digital behavior, and that is where User Behavior Analytics (UBA) comes into play. UBA works in three separate phases.
Knowing how to set up a risk-based security environment is one thing, but we should also talk about where and why to use it. Because they enable continuous authentication, digital biometric identifiers let us identify the actual person using an account; this is an excellent way to recognize privileged account compromise. Privileged accounts grant users the greatest freedom within a network. If a privileged account has been hijacked, the potential damage is almost limitless.
Risk-based authentication, and UBA in particular, was designed to recognize when a privileged account is being used by a hacker. It detects deviations in behavior patterns and gives security teams the upper hand in preventing any damage from being done. By requiring risk-based authentication in the Part 500 regulation, the New York DFS has been forward-looking. It remains to be seen whether other regulatory and standards organizations will follow suit.
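The following is an added illustration of the risk-based decision described above; it is example code written for this page, not Balabit's product logic. It builds a per-account baseline from a constructed set of past privileged sessions, scores how far a new session deviates from it, and maps the score to an allow, step-up or terminate decision. The session fields (login hour, source host, typed commands), the scoring weights and the thresholds are all assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of past privileged sessions for one administrator.
# Fields: hour of login (0-23), source host, commands typed in the session.
BASELINE_SESSIONS = [
    {"hour": 9,  "src": "jump-01", "cmds": ["ls", "systemctl status", "tail"]},
    {"hour": 10, "src": "jump-01", "cmds": ["ls", "journalctl", "tail"]},
    {"hour": 11, "src": "jump-02", "cmds": ["systemctl status", "tail"]},
    {"hour": 9,  "src": "jump-01", "cmds": ["ls", "tail", "journalctl"]},
    {"hour": 14, "src": "jump-02", "cmds": ["ls", "systemctl status"]},
]

def build_profile(sessions):
    """Learn what 'normal' looks like for this account (assumed features)."""
    hours = [s["hour"] for s in sessions]
    return {
        "hour_mean": mean(hours),
        "hour_sd": max(pstdev(hours), 1.0),   # floor avoids dividing by ~0
        "hosts": Counter(s["src"] for s in sessions),
        "cmds": Counter(c for s in sessions for c in s["cmds"]),
    }

def risk_score(profile, session):
    """Score how far a live session deviates from the profile (0.0 .. 3.0)."""
    score = 0.0
    # Unusual time of day: z-score of the login hour, capped at one point.
    z = abs(session["hour"] - profile["hour_mean"]) / profile["hour_sd"]
    score += min(z / 3.0, 1.0)
    # Source host never seen for this account: one full point.
    if session["src"] not in profile["hosts"]:
        score += 1.0
    # Share of typed commands the account has never issued before (0..1).
    cmds = session["cmds"]
    unseen = sum(1 for c in cmds if c not in profile["cmds"])
    score += unseen / len(cmds) if cmds else 0.0
    return round(score, 2)

def decide(profile, session, step_up_at=1.0, terminate_at=2.0):
    """Map the score to an action: allow, demand a second factor, or
    terminate the session for investigation. Thresholds are assumptions."""
    s = risk_score(profile, session)
    if s >= terminate_at:
        return "terminate"
    if s >= step_up_at:
        return "step-up-mfa"
    return "allow"
```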
To learn more on Risk-Based Authentication, watch our recorded webinar here.