12 Sep You write scientific papers about My Topic (cybersecurity and IoT) You have to follow each single daitlas for thes

Computer Science and Information Technology

EFFECTIVENESS OF ONE-TIME-PASSWORD AND FINGERPRINT USE TO PROTECT AN ORGANIZATION’S ACCOUNT FROM CYBER-SECURITY THREATS

Author

Abstract

Cyber-security is referred to as the activity and process that entails the protection of information systems and data contained from malicious attackers. Hackers are ever on great demand of the data belonging to various organizations regardless of the geographical distance in between. This paper proposes the adoption of a cyber-security model that involves the utilization of OTP and fingerprint to keep hackers. This is a decision informed by the current study findings which attempted to analyze the major areas of cyber-security concern in an organization. The highlighted threats are aided by two broad mechanisms, which include poor user account management practices and external-based mechanisms.

Keywords: cyber-heist, Cyberspace, One-Time-Password, Buy-Your-Own-Device

1.0 Introduction

Globally, entities/ organizations, as well as economies, have embarked on finding ways to mitigate losses caused by data theft or illegal sharing of files that take place in organization’s IoT accounts as well as information systems which is often perpetrated by disgruntled employees, malicious attackers or intruders. These actions take time to plan but can be executed quickly and involve losses of large sums of money usually described as cyber-heist. According to [1], insecurity in the cyberspace is a worrying trend, 72 percent of the major sampled multinationals consider it as second most concerning factor. Further, [2] claims that over 80 percent of the cyber insecurity incidences experienced by organizations are internally perpetrated crimes. It is agreeable that sealing internal loopholes is way difficult than dealing with external ones.

Furthermore, the majority of these organizations have stuck to the traditional methods of handling cyber-security challenges such as the use of firewalls for network intrusion detection and prevention, anti-virus software to deal with worms and virus injections, event and security information management among others. The effectiveness of these methods has been questioned because of the increasing number of cyber insecurity incidents as well as the extent to which the attacks have metamorphosed in terms of sophistication and ferocity, especially the ones perpetuated by online-based gangs. Sadly, it takes approximately three months and above for vigilant companies to realize they have been attacked unless the type of attack is outward and aggressive, like denial of service (DDoS) [3]. In some cases, organizations may take as long as seven months before realizing compromises within the ranks of their systems, especially if the kind of attack leveled is less aggressive when it comes to day to day service delivery. Such can be data theft or unauthorized gradual data modification. In a worst-case scenario, it can take more than a year for an organization to realize an attack, and in such cases, the magnitude of the loss is often unfathomable. Industry-wise, the cyber threats attributed losses are somewhere in the region of $125 billion annually and in excess of $300 billion if downtimes are also put into consideration, as indicated by [4].

As a consequence, the knowledge of threat surface composition enhances the understandability of the extent of the challenge at hand. Thomas et al. [5] classifies the cyberspace threats into four major layers upon which manifestation of severity is apparent. Fig. 1 below depicts their perspective regarding how the issues should be attended to.

HIGH-LEVEL PERSISTENT THREATS

ORGANIZED CRIME

RANSOM CRIMINALS

SCRIPT KIDDIES

LAYER 1

LAYER 2

LAYER 3

LAYER 4

Figure 1: Cyberspace Threats Classification

From fig. 1 above, High-level Persistent Threats (HPT) tops the threat list. The HPTs are considered to be the most lethal because they are conducted on a large scale and often come from adversary countries. However, they mostly target organizations offering critical infrastructure, which also includes government agencies. The second layer comprises organized crime threats, which also include cyber-heist and related crimes. The above classification provides organizations with the opportunity to comprehend all manner of threats and thereby take note of the ones relevant to their platforms. In this case, we look at the strategies the organizations use to deal with organized crime amounting to cyber-heist.

Entities have been formidable in their response to these challenges. For instance, the industry has come with new user authentication strategies, which are seen to be the optimal way of addressing internally organized cyber-heists. These threats mostly target corporates and government agencies. Ransom criminals represent a group of online extortionists. In the last layer are the script kiddies. These are online codes scavenging for potential weak-lines to attack.

The two-factor authentication (2FA), which involves the use of one-time-password (OTP) and biometrics, specifically the fingerprint, has been identified as an effective strategy to deal with the menace. The 2FA has since been christened as dual-factor authentication or two-step verification. It is a security process that prompts system users to issue two unrelated factors of authentication as a means of verifying themselves. The process has been found to be a better option when it comes to the protection of both the regular system users’ credentials as well as the resources available in the system that users utilize on a case by case basis. The process certainly guarantees a higher level of security compared to the previous methods of authentication that utilize single-factor authentication (SFA), where the user is only required to provide one factor – for instance, a passcode or a password. The emerging method of authentication will always require a user to provide a one-time-password, which is the first factor, then go ahead to demand for a second factor of authentication, often either a biometric factor like the fingerprint scanner or a security token which is not quite popular as per now.

By adding an additional security layer to the process of authentication, the two-factor authentication process makes it harder for malicious attackers, whether external or internal, to acquire access to the organization's system as well as the Internet of Things (IoT) devices, as well as various online accounts. The effectiveness of the process is tested when perpetrators of such malicious acts are unable to crack one-time-password. If by chance, they manage, that alone cannot guarantee them a successful pass of the authentication check. The 2FA is gaining wide use in controlling access to data and sensitive systems, together with providers of online services who prioritize protecting the credentials of their clients from abuse by hackers.

The main contributions of this paper are the proposed use of a one-time-password and fingerprint scanner to protect an organization’s account from cyber-heist and IoT insecurities. The model attempts to piece up all important elements with significant contributions towards safer cyberspace among organizations. The model also emphasizes the significance of cooperation among major players in the industry in order to create an environment of reduced incidences of cyber insecurity. Overreliance on the traditional methods of handling cyber-security challenges such as the use of firewalls for network intrusion detection and prevention, anti-virus software to deal with worms and virus injections, event, and security information management among others have delayed wide adoption of new effective strategies such as the 2FA. The proposed approach guarantees a state of a security assessment model that is integrated, proactive, and extendable. Other remaining parts of the paper depict the following organization; section two of the paper comprising a discussion of the related work pertaining to cyber-security generalities. In section three, we discuss the approach, while in section four, we detail the proposed cyber-security framework model. Finally, we put forward conclusions and a framework going into the future.

2.0 Methods

Systems strive to guarantee four major elements; Integrity, Availability, Confidentiality, and Authenticity (IACA). Occasionally, organizational system accounts still suffer from cases of unauthorized access, among other types of cyber-security challenges. In an attempt to ensure consistency with IACA provision and consequently eliminate or significantly reduce cases of unauthorized access, there will be a great need to inject awareness which will be premised on the intervention of factors like the operational, technical as well as industry-level cooperation.

Mendel Jacob [6] issues an insightful explanation of what is meant by the term “organizational account” which he defines as “a user email or application account fully resident on the organization’s administrative means.” To qualify the above assertion, it is important to first consider how and when an organization can create a user account. Organizations can create an account after they have grown to a level they can own a Service Directory, which they use to synchronize their cloud platforms. Tweneboah-Koduah [7] defines a Service Directory as a single place where publishing, discovering, and connecting services in a reliable, seamless, and consistent manner devoid of characteristics and influences of their environment. Service Directory provides support to cloud-based service providers such as Google Cloud, Microsoft Azure (Active Directory) multi-cloud, as well as others like the on-premises environments and has the scalability of up to thousands of endpoints and services for a single project.

According to [8], synchronization between an organization's cloud identity and an active service directory provides necessary usability characteristics such as a holistic view to ending users, among others. An organizational account, therefore, can be defined as an account created by the organization's system administrator to enable users to access services residents in the cloud platform. For example, a company utilizing cloud services offered by Microsoft Azure, Office 365, or Amazon Web Services (AWS) while creating an account will take the form of a user's organizational email address. Users, in this case, can be employees of the organization or clients and can as well be remotely located.

Mackey et al. [9] postulate that many corporate organizational user accounts face authorization challenges as a result of bad practices in relation to the general use – and abuse – of privileged accounts. The discussion further outlines that these companies are fond of applying ‘copy-pasted’ unrealistic policies that are often bypassed or abused by users without repercussions. Alternatively, some exist without policies in place to guide users, thus little or no control. Typically, organizational user accounts permit administrative rights, often referred to as a superuser. The discussion indicates that these superuser accounts attribute to 38 percent of loopholes that aided cyber-heist in among multinationals sampled. In general, there should never be situations where some accounts are subjected to strict policies while others are allowed to operate in less restrictive policies under the disguise of being senior compared to other low ranking ones. All system users should be subjected to similar policies; hence the accounts just as well exist in identical access privileges.

Cohen et al. [10] reiterate that IT staff in many companies are frequently involved in creating user accounts using administrative rights. This is often the case in organizations that use UNIX systems. The approach presents several problems since the legitimate account user will often find it normal to use their actual user account for general access. Later on, it further creates more security challenges for the IT Security Team while undertaking to audit and is faced with a hard time as they attempt to decipher the kind of log-ins utilized during the time of conducting administrative tasks as well as the log-ins for general access. It is observed that such practices are capable of introducing Trojan horse attacks into the system, especially in environments such as the Windows.

Thomas et al. [11] suggest solutions to these problems created out of bad practices such as allocating administrative rights to several accounts as well as establishing shared accounts UNIX and Windows environments as limiting the number of privileged accounts as well as keeping passwords of such accounts in secure locations. The suggestion continues that passwords to the shared accounts should also be changed regularly and be availed on a ‘need to have’ basis. Also, there is a need to capture the management of the shared accounts’ passwords as well as the administrative and account service/root passwords in a comprehensive IT security policy. This, among other benefits, will also enhance tracking of audit trails of password access attempts. As a final solution to the above security challenges, designating each shared account to a legitimate owner who will take responsibility for account activities, including controlling access. It is believed that such arrangements enhance chances for a contingency procedure where any group member can be legitimized to release a password.

As much as organizational user account security challenges and inefficiencies are blamed on poor user account management practices, [12] indicates that 50 percent of organizational user account cyber-security challenges originate from external sources. With the employees in need of access to an ever-expanding list of applications, both in-house and IoT-based systems, and other numerous IT assets, the threat level has almost tripled. The new phenomenon, IoT, has aggravated cyber-security issues due to the need to connect to all manner of applications and devices with the ability to connect to the internet. Further, policies and practices such as the 'Bring Your Own Device' (BYOD), which encourages the use of private devices like the laptop to access the organization's user accounts and carry out tasks has compounded the problem. Emails, printers, files, databases, as well as web applications all require proper security measures since attackers can exploit any of them and use them as an attack vector into the organization's information infrastructure. What used to be regarded as lone attackers have metamorphosed into sophisticated entities, some of which operate as as-a-service-type of automated attacking tools and possess extremely high replication ability across the Internet. If a group of attackers intends to launch an attack on an organization, the process has increasingly been made easy in that the group will only be a few clicks away from executing the intention.

Trotter et al. [13] expose the inadequacies of the suggested solutions to bridge gaps created by poor user account management practices. A quick reminder to these solutions includes limiting the number of privileged accounts, keeping passwords of such accounts in secure locations, frequent change of passwords for the shared accounts, and only availing them on a ‘need to have’ basis. Also suggested is the need to develop an IT security policy to capture the management of the shared accounts' passwords as well as the administrative and account service/root passwords. The argument advanced by this author relegates the poor user account management practices suggested solutions relevant to the level of peer-to-peer traditional organizational architecture where communication between devices is under control of the server. There is a total lack of mechanisms of how to handle challenges from the adoption of BYOD policies, as well as the IoT and sophisticated nature of the modern-day attackers.

Consequently, [14] critiques the effectiveness of traditional cyber-security defense mechanisms that the majority of organizations still rely on. For some time now, the use of a firewall for detecting and preventing network intrusion remains a top priority for many organizations. Hackers have developed several ways of bypassing firewalls, including backdoor strategies, taking advantage of vulnerable websites; exploit BYOD devices after the employees have left working premises, among others. Similarly, the use of anti-virus software to deal with worms and virus injections is still in use despite the availability of overwhelming evidence indicating how the strategy has become less effective. According to [15], China alone generated 82, 000 malicious worms in a single month. However, updated antivirus can be the rate at which malware is generated and fed into cyberspace is unmatchable. Event and security information management has also been a reliable means of protecting organizational information technology infrastructure against external attacks. Although still effective, its applicability is limited to the simple network system topologies. In other words, its use is widely hindered by veracity exhibited by modern technologies like the IoT that virtually connects all devices with the ability to access the internet.

Generally, the effectiveness of these methods has been questioned because of the increasing number of cyber insecurity incidents as well as the extent to which the attacks have metamorphosed in terms of sophistication and ferocity, especially the ones perpetuated by online-based gangs. Sadly, it takes approximately three months and above for vigilant companies to realize they have been attacked unless the type of attack is outward and aggressive, like denial of service (DDoS). In some cases, organizations may take as long as seven months before realizing compromises within the ranks of their systems, especially if the kind of attack leveled is less aggressive when it comes to day to day service delivery. Such can be data theft or unauthorized gradual data modification.

Gheyas & Abdallah [15] delves into the issue of cyber-security and IoT with a focus on the 2FA, which involves the use of OTP and biometrics, specifically the fingerprint that has been identified as an effective strategy to deal with the menace. The model is a two-step verification security process that prompts system users to issue two unrelated factors of authentication as a means of verifying themselves. The process has been found to be a better option when it comes to the protection of both the regular system users' credentials as well as the resources available in the system that users utilize on a case by case basis. The process certainly guarantees a higher level of security compared to the previous methods of authentication that utilize single-factor authentication (SFA), where the user is only required to provide one factor – for instance, a passcode or a password. The 2FA is a two-tier authentication process that first requires a user to provide a one-time-password as the first factor, then the second factor of authentication often either a biometric factor like a fingerprint or a security token which is not quite popular with users. The extra security layer present in 2FAs is actually the game-changer. In the IoT platform, there is high-level interconnectivity of devices. There is a great chance that malicious attackers in the IoT platform find it easy to develop digital footprints of the connected devices, especially the ones with vulnerability issues. The effectiveness of the process is tested when perpetrators of such malicious acts are unable to crack one-time-password. If by chance, they manage, that alone cannot guarantee them a successful pass of the authentication check. The 2FA is gaining wide use in controlling access to data and sensitive systems, together with providers of online services who prioritize protecting the credentials of their clients from abuse by hackers.

Fayans [16] provides an insightful discussion of how 2FA authentication schemes utilize biometrics. The use of biometrics stands out as one of the competing technologies as far as the implementation of 2FA is concerned. The difference here is that biometrics utilizes 'what you are’ to authenticate instead of ‘what you have’ mechanism that traditional authentication methods rely on. Several studies encouraged the use of biometrics in conducting authentications. The use of biometrics in authentication has evolved over time. Sleeman et al. [17] proposed the use of smartcard remote-based user authentication. This scheme relied on the nonce and simplified hash functions to enhance efficiency. The use of the random nonce over synchronized clock made the proposed scheme cost-effective. However, the scheme presented some weaknesses, especially in preventing the man in the middle attacks. The proposal was later improved by [18] input, which attempted to resolve the weakness earlier shown towards the man in the middle attacks by including session key agreements. It used a password alongside random nonce to perform authentication in both phases of user login. However, the scheme, too, failed to carry out user verification hence needed further improvements.

Every finger has its own unique fingerprints, including those of identical twins. Fingerprint-based biometrics currently enjoys wide use, especially in controlling physical access to restricted premises. As the most widespread biometric technology, devices used for fingerprint recognition PC access are increasingly becoming available at affordable costs. The presence of these devices has caused the relegation of the password used in several platforms. A combination of fingerprint and an OTP code provides a high-level user authentication scheme that can secure organizational user accounts from a wide range of compromises.

3.0 Results

The proposed solutions aimed at addressing poor user account management practices are deemed inadequate. These solutions include limiting the number of privileged accounts, keeping passwords of privileged accounts in secure locations, frequent change of passwords for the shared accounts, and only availing them on a ‘need to have’ basis. The proposed solutions lack the capacity to address sophisticated threats such as DDoS, ransomware, phishing, among others that are often encountered by the organization's information technology infrastructure. On the other hand, traditional cyber-security defense strategies such as the use of a firewall for detecting and preventing network intrusion and using anti-virus software to prevent malware from attacking the system. They, too, are deemed less effective as far as cyber-security defense is concerned. OTP password and fingerprint authentication are considered effective.

4.0 Discussion

In [8], and an organizational account is defined as an account created by an organization's system administrator to enable users to access services resident in the cloud platform. The account, therefore, is part of the organization's information infrastructure that deserves utmost security. In [9][10][11][12][13], the authors outline various cyber-security threats that organizational user accounts face. The highlighted threats are aided by two broad mechanisms, which include poor user account management practices and external-based mechanisms. Considering the internal threat aiding mechanisms, it is postulated that many corporate organizational user accounts face authorization challenges as a result of bad practices in relation to the general use – and abuse – of privileged accounts. Still, on the internal attack vectors, the discussion indicates that the superuser accounts attribute to 38 percent of loopholes that aided cyber-heist among multinationals sampled.

The solutions proposed include limiting the number of privileged accounts, keeping passwords of such accounts in secure locations, frequent change of passwords for the shared accounts, and only availing them on a ‘need to have’ basis. Also suggested is the need to develop an IT security policy to capture the management of the shared accounts' passwords as well as the administrative and account service/root passwords. The proposed solutions lack the capacity to address sophisticated threats such as DDoS, ransomware, phishing, among others, that are often encountered by the organization’s information technology infrastructure.

As initially indicated, 50 percent of organizational user account cyber-security challenges originate from external sources. Employees actively utilize applications both in-house and IoT-based, further exposing them to phishing, ransomware, DDoS, hacking, among others. Also, policies and practices such as the 'Bring Your Own Device' (BYOD), which encourages the use of private devices like the laptop to access the organization's user accounts and carry out tasks has compounded the problem. Emails, printers, files, databases, as well as web applications all require proper security measures since attackers can exploit any of them and use them as an attack vector into the organization's information infrastructure.

Subsequently, there is strong evidence that the widely used traditional cyber-security defense mechanisms have become less effective. If the hackers can maintain their current pace of carrying out their work, then the industry will soon be overwhelmed by hacking incidences. As earlier indicated, hackers have developed several ways of bypassing firewalls, including backdoor strategies, taking advantage of vulnerable websites; exploit BYOD devices after the employees have left working premises, among others. Fig. 2 below depicts the trend of data representing the successful rate of firewall bypass.

Figure 2: Data Trends Showing the Rate of Firewall bypass by Hackers over the years

The fig.2 above shows the hacker's success rate on bypassing various organization firewalls between 2011 and 2019. The graph shows a steady rise in the part of hackers. Also, the use of anti-virus software to deal with worms and virus injections is still in use despite the availability of overwhelming evidence indicating how the strategy has become less effective.

In [17], the author issued various perspectives concerning the application of biometrics in the authentication. As noted earlier, biometrics utilizes truth and nothing more. With the online organizational environment becoming busier and riskier, the need to engage new cybersecurity strategies becomes a necessity. Hackers' sophistication equally continues to grow amidst various developments and milestones that the industry is registering. There are several types of biometrics that are equally for authentication. There are those that use smartcards; others use face, fingerprints, among others. A combination of fingerprint and an OTP code provides a high-level user authentication scheme that can secure organizational user accounts from a wide range of compromises. Fig. 2 below depicts the author's perspective regarding the conceptual framework of 2FA.

Primary

Authentication

Figure 3: Two Factor Authorization

USERNAME

PASSWORD

Fingerprint for Sec Auth.

Cloud service

OTP

Two-factor clearance

The fig. 3 above is a depiction of how the 2FA functions. As earlier indicated, the major difference is that biometrics utilizes ‘what you are’ to authenticate instead of ‘what you have’ mechanism that traditional authentication methods rely on. The game-changer, as far as the use of OTP and fingerprint, is actually the implementation of two-factor authentication to issues users’ identity based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. For instance, if a hacker or just a normal person launches an illegal authentication attempt, at least one of the components is missing or incorrect, the user’s identity is not established with sufficient certainty, and access to the user's organizational user account is protected by two-factor authentication remains blocked.

Conclusion

Cyberspace resembles a battlefield where intelligence is intensively sought for strategic positioning, vindication, distinguishing, and elimination of threats for the seamless running of an organization's critical system. This paper proposes the adoption of a cyber-security model that involves the utilization of OTP and fingerprint to keep hackers. This is a decision informed by the current study findings which attempted to analyze the major areas of cyber-security concern in an organization. The highlighted threats are aided by two broad mechanisms, which include poor user account management practices and external-based mechanisms. The solutions proposed include limiting the number of privileged accounts, keeping passwords of such accounts in secure locations, frequent change of passwords for the shared accounts, and only availing them on a 'need to have' basis. On the other hand, there are cyber-security challenges that originate from external sources. The implication of the study is that it can play a role in influencing cyberspace security policy direction. The model evaluation was mainly based on expert views. On the other hand, the study is expected to expand horizons, especially for oncoming cyber-security. From the study, it is discernible that the situation of cyber-security still needs attention.

References

[1] Lamba, Anil, Satinderjeet Singh, Singh Balvinder, Natasha Dutta, and Sivakumar Rela."Mitigating Cyber Security Threats of Industrial Control Systems (Scada & Dcs)." In 3rd International Conference on Emerging Technologies in Engineering, Biomedical, Medical, and Science (ETEBMS–July 2017). 2017.

[2] M. Kumar, "The Hacker News," 22 April 2016. [Online]. Available: http://thehackernews.com/.[Accessed 22 April 2016]

[3] L. Christian, S. David B., and T. Victoria E., "Beyond the Castle Model of Cyber-risk and cybersecurity, "Elservier Inc,2016

[4] Thomas, Bernard, David Scott, Fred Brott, and Paul Smith. "Dynamic adaptive defense for cyber-security threats." U.S. Patent 10,129,290, issued November 13, 2018.

[5] Thomas, Bernard, David Scott, Fred Brott, and Paul Smith. "Dynamic adaptive defense for cyber-security threats." U.S. Patent 10,616,265, issued April 7, 2020.

[6] Mendel, Jacob. "Smart grid cybersecurity challenges: Overview and classification." e-mentor 68, no. 1 (2017): 55-66.

[7] Tweneboah-Koduah, Samuel, Knud Erik Skouby, and Reza Tadayoni. "Cybersecurity threats to IoT applications and service domains." Wireless Personal Communications 95, no. 1 (2017): 169-185.

[8] Narayanan, Sandeep Nair, Ashwinkumar Ganesan, Karuna Joshi, Tim Oates, Anupam Joshi, and Tim Finin. "Early detection of cybersecurity threats using collaborative cognition." In 2018 IEEE 4th international conference on collaboration and internet computing (CIC), pp. 354-363. IEEE, 2018.

[9] Mackey, Tim K., and Gaurvika Nayyar. "Digital danger: a review of the global public health, patient safety, and cybersecurity threats posed by illicit online pharmacies." Bri