Rich vein of possibilities

Hitachi and Ubisecure are joining forces to integrate their finger vein recognition and Identity-as-a-Service (IDaaS) technologies. Will similar collaborations follow?

I see that the move into the deeper levels of recognition technology is showing no signs of letting up. Indeed, two of industry's heavyweights are stepping into that ring as a formidable 'tag team', looking to deliver a knock-out blow to any other contenders, if they can.

The twosome are Hitachi and Ubisecure, with the former looking to integrate its finger vein recognition technology as a biometric authenticator within Ubisecure's Identity-as-a-Service (IDaaS) solution. According to the new alliance, the new partnership will provide "an unrivalled frictionless biometric experience that delivers high quality usability and reduces the risk of data breach - making it ideal for customer-facing use cases". So, what's it all about? In a nutshell, Hitachi's finger vein biometrics solution, Hand Gesture Technology, can be used at the user authentication stage for onboarding and subsequent logins. It can be activated quickly and easily, it is reported, through Ubisecure IDaaS, an SaaS product that allows developers to plug in the latest in identity management functionality - such as single sign-on and multifactor authentication - to apps and services.

What Hand Gesture Technology does is to enable fast and secure user identification through the unique vein patterns in fingers. This way, identity can be verified via a simple hand gesture to a camera in a standard laptop or desktop.

By delivering the benefits of biometric authentication, while sidestepping the usual requirements for specialised and expensive reader equipment, the offering is seen as especially suitable for mass adoption.

According to Simon Wood, CEO at Ubisecure: "We're committed to providing customers with a range of secure authentication options, including biometric technology. For biometrics to be adopted at scale, they must be easy to use and, preferably, require no additional hardware.

"In this sense, Hand Gesture Technology is an ideal way of implementing the security and convenience of biometrics without the common deployment challenges."

For his part, Ravi Ahluwalia, general manager, Security Business Group at Hitachi Europe, identifies one clear advantage: finger veins are non-replicable and cannot be lost or stolen. He comments: "While the solution is now pervasive in the banking sector, our collaboration with Ubisecure will help us to expand that reach into other verticals."

Elsewhere, all has not been as it should be at the offices of the United Nations. In fact, the UN's offices in Geneva and Vienna came under attack recently, compromising more than sixty of their servers. Interestingly, we know that the attack was explicitly aimed at the Active Directory component; and worryingly, the sophistication of the attack indicates it may have been state sponsored.

The Active Directory is a known weak point in most organisations' security stance, plus it's essentially the only way a hacker can move around an organisation once inside - as they did in this hack. In fact, as Jérôme Robert, a director at Active Directory cybersecurity specialist Alsid, points out, it's pretty much the Holy Grail of access. And he is fairly sanguine about this particular breach. "No less an authority than the UN is the latest organisation to fall victim to a serious cyber-attack, proving that it really can happen to anyone. We don't know how long they were in the UN's systems, but we do know that a total of 67 servers were deemed as compromised or suspicious by the UN's security team.

"That volume points to some serious lateral movement over a chunk of time, which is how we can be certain the Active Directory was compromised in this case. The attackers would have used AD access to jump from machine to machine, looking for data and access to further internal systems to strengthen and prolong the attack while they hunted for their targets."

No one can say with any real accuracy how long the attackers were 'active' in the UN's systems, but with 67 servers in the equation, that suggests serious lateral movement over a chunk of time, "which is how we can be certain the Active Directory was compromised in this case", Robert continues. "This attack reinforces that security teams have to win every time they are attacked and cybercriminals only need to get lucky once to gain access to the AD, at which point they already have their hands in the cookie jar and you're in big trouble."

For anyone who thinks bitcoin might be losing its appeal, not a word of it. A Dutch university has paid nearly 200,000 euros worth of the cryptocurrency to Russian hackers after 267 servers were compromised in December last year. "Ransomware is certain to remain a key threat to all organisation's networks globally throughout 2020," warns Carl Wearn, head of E-Crime at Mimecast. "The latest indication from Mimecast's data is that threat actors are now almost certainly re-concentrating their efforts to focus on ransomware attacks and have been doing so since last year." As research from the Netherlands' National Cyber Security Center illustrated last year, something like 1,800 organisations globally were thought at that time to have been subject to ransomware attacks. "As with any piece of crime-related research, we should expect that this is in fact a gross undercounting of the problem as it is."

Ransomware is making criminals a lot of money. "Ransomware can be delivered by electronic communication, exploit kit or other means," Wearn continues. "Ensuring non-networked backups are in place, and that a comprehensive solution to provide fallback email and archive capabilities is in place, are the key solutions to ensuring business can continue as uninterrupted as possible, should a ransomware attack take place.

Relying on the threat actors to restore your data in the case of attack is obviously riddled with issues, not least of which is that they are prone to errors themselves and may not even be able to restore your data once they've encrypted it. Paying any ransom is also likely to make you a future target of choice, through proven willingness to pay. I would urge all organisations to plan for this threat to be realised, if adequate steps are not taken to provide a suitable fallback or recovery solution now."