About 23 NYCRR 500

In response to the growing number of cyber-attacks, the New York State Department of Financial Services (NYDFS) has established a new cybersecurity regulation, 23 NYCRR Part 500. It requires covered entities to put in place security measures that safeguard nonpublic information. Unlike many cybersecurity regulations, however, Part 500 also goes a step further on authentication.

It does so by explicitly recognizing authentication that detects anomalies or changes in a person's normal use patterns and requires additional verification of identity when such deviations are detected. Part 500 defines this in section 500.01 as Risk-Based Authentication, and section 500.12 (Multi-Factor Authentication) names it, alongside multi-factor authentication, as one of the effective controls a covered entity may use to protect against unauthorized access to nonpublic information.

Risk-based authentication

By placing risk-based authentication beside multi-factor authentication in section 500.12, and by defining it as a system that requires additional verification whenever deviations are detected, the NYDFS acknowledges that such a method still depends on some form of verification factor to function properly. Section 500.01 defines multi-factor authentication as verification of at least two of the following three categories of factors:

  • Knowledge factors, such as a password;
  • Possession factors, such as a token or text message on a mobile phone;
  • Inherence factors, such as a biometric characteristic.

Digital biometric identifiers

The last one is particularly interesting. Nowadays we don't define biometric characteristics as narrowly as we did a few years back. Apart from the familiar fingerprint and retina scans, there are also so-called digital (behavioral) biometric identifiers: regularly occurring patterns and habitual actions, such as typing rhythm, mouse movement, or the commands a user routinely runs, that reflect an individual's unique behavior. These characteristics are bound to an individual and hard to mimic or reproduce, yet they readily distinguish one user from another.

User Behavior Analytics

All we need now is a system capable of anomaly detection based on digital behavior, and that is where User Behavior Analytics (UBA) comes into play. UBA works in three phases.

  • First, it builds a custom profile for each user from the collected digital biometric identifiers. This profile acts as the baseline against which that user is identified.
  • In the second phase, continuous authentication, the UBA engine continually compares the baseline profile with the user's actual behavior for as long as the user is operating within the security perimeter.
  • The last phase is triggered when the difference between the baseline and the current behavior exceeds a tolerance threshold. That threshold is not based on the digital biometric identifiers alone: a risk-scoring system folds in contextual information such as the user's privileges, the commands used, and the type of data accessed. The resulting anomalies are presented to the security team in detail, and the risk score lets analysts judge how critical the event is. A threshold set too low floods analysts with false positives, while one set too high lets a compromised account operate unnoticed, so it has to be tuned against real usage.
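To make the three phases concrete, here is a deliberately small risk scorer in Python. It is an added illustration written for this post, not code from the original article or from any UBA product; the user "alice", her session records, the 1-hour and 5 ms standard-deviation floors, the context multipliers and the alert threshold are all constructed. It builds a baseline from past sessions (phase 1), measures how far a new session deviates from it (phase 2), and scales that deviation by contextual risk before comparing it with the threshold (phase 3), so the same behavioral drift that passes on an ordinary account raises an alert on a privileged one.

```python
"""Toy user behavior analytics (UBA) risk scorer.

Added example for this post; it is not code from the original article or
from any vendor product. Users, session records, standard-deviation floors,
context weights and the alert threshold are all constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Session:
    user: str
    login_hour: int              # 0-23, local time
    typing_ms: float             # mean inter-keystroke interval in ms
    commands: FrozenSet[str]     # distinct commands run in the session
    privileged: bool             # session used a privileged account
    sensitive_data: bool         # session touched nonpublic information


@dataclass(frozen=True)
class Baseline:
    hour_mean: float
    hour_sd: float
    typing_mean: float
    typing_sd: float
    commands: FrozenSet[str]


def circular_hour_distance(a: float, b: float) -> float:
    """Distance on a 24-hour clock: 23:00 and 01:00 are 2 hours apart, not 22."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(history: List[Session]) -> Baseline:
    """Phase 1: profile a user from their own past sessions.

    Standard deviations are floored (1 hour, 5 ms; constructed values) so a
    very regular history neither divides by zero nor flags every tiny change.
    """
    hours = [s.login_hour for s in history]
    typing = [s.typing_ms for s in history]
    seen = frozenset().union(*(s.commands for s in history))
    return Baseline(mean(hours), max(pstdev(hours), 1.0),
                    mean(typing), max(pstdev(typing), 5.0), seen)


def behavior_deviation(b: Baseline, s: Session) -> Dict[str, float]:
    """Phase 2: per-signal distance between observed behavior and the baseline
    (z-scores plus the count of never-seen commands), kept separate so an
    analyst can see which signal drove the score."""
    return {
        "login_hour": circular_hour_distance(s.login_hour, b.hour_mean) / b.hour_sd,
        "typing": abs(s.typing_ms - b.typing_mean) / b.typing_sd,
        "novel_commands": float(len(s.commands - b.commands)),
    }


# Constructed context multipliers: the same behavioral anomaly is riskier on a
# privileged account or when nonpublic data is being accessed.
CONTEXT_WEIGHTS = {"privileged": 2.0, "sensitive_data": 1.5}
ALERT_THRESHOLD = 10.0   # constructed; tune against observed false-positive rates


def risk_score(b: Baseline, s: Session) -> float:
    """Phase 3: fold contextual risk into the behavioral deviation."""
    score = sum(behavior_deviation(b, s).values())
    if s.privileged:
        score *= CONTEXT_WEIGHTS["privileged"]
    if s.sensitive_data:
        score *= CONTEXT_WEIGHTS["sensitive_data"]
    return round(score, 2)


def evaluate(b: Baseline, s: Session) -> dict:
    """Decision record handed to the security team, with the signal breakdown."""
    score = risk_score(b, s)
    return {"user": s.user, "score": score, "alert": score > ALERT_THRESHOLD,
            "signals": {k: round(v, 2) for k, v in behavior_deviation(b, s).items()}}


# Constructed history for one user: weekday mornings, steady typing cadence.
ALICE_HISTORY = [
    Session("alice", h, t, frozenset({"ls", "cat", "git"}), False, False)
    for h, t in [(9, 180.0), (10, 190.0), (9, 180.0), (10, 190.0), (11, 185.0)]
]
ALICE = build_baseline(ALICE_HISTORY)

# The same drift (afternoon login, slower typing, one new command) on an
# ordinary session and on a privileged one.
NORMAL_DRIFT = Session("alice", 14, 200.0, frozenset({"ls", "scp"}), False, False)
PRIVILEGED_DRIFT = Session("alice", 14, 200.0, frozenset({"ls", "scp"}), True, False)

if __name__ == "__main__":
    for s in (NORMAL_DRIFT, PRIVILEGED_DRIFT):
        print(evaluate(ALICE, s))
```

Running the block prints the two decision records: the ordinary session scores 8.2 with no alert, the privileged one 16.4 with an alert, and the `signals` breakdown shows that the afternoon login is the dominant contributor. A production engine would use many more signals and learned rather than hand-picked weights, but the structure (baseline, deviation, contextual scaling, threshold) is the one the text describes.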

Benefits of risk-based authentication

Knowing how risk-based authentication works is one thing, but we should also talk about where and why to use it. Because continuous authentication relies on digital biometric identifiers, it lets us identify the person actually using an account rather than just whoever holds its credentials; this makes it an excellent way to recognize privileged account compromise. Privileged accounts grant users the greatest freedom within a network, so if one is hijacked the potential damage is almost limitless.

Risk-based authentication, and UBA in particular, is designed to recognize when a privileged account is being used by an attacker: it detects deviations from established behavior patterns, even when the attacker holds valid credentials, and gives security teams a head start in containing the damage. By naming risk-based authentication as an acceptable access control in Part 500, the NYDFS has been forward-looking. It remains to be seen whether other regulatory and standards organizations will follow suit.

To learn more about risk-based authentication, watch our recorded webinar.