Breaches, breaches everywhere: IAM deals respond to rising identity threats
Cloud-based biometric privileged access management (PAM) firm Delinea announced in a release it has acquired Iowa-based Fastpath for the latter’s identity governance and administration (IGA), identity access rights and risk management resources. The move comes on the heels of Delinea acquiring Israel-based ID threat detection and response firm Authomize, and will further bolster Delinea’s AI-driven authorization and security capabilities and commitment to industry standard compliance.
In combining the firms’ toolsets, Delinea hopes to address the issue of authorization gaps in decentralized identity schemes by detecting over-privileged and suspicious access and providing automated remediation through smart access controls.
“This strategic acquisition by Delinea heralds a new era in identity security, establishing pioneering standards for PAM in an increasingly digital and interconnected world,” says Art Gilliland, CEO of Delinea. “The addition of Fastpath will empower the Delinea platform to dynamically control authorizations by assessing user risk. This advanced approach is crucial for securing modern, distributed environments across infrastructure, applications, and data.”
The terms of the acquisition, which is pending closing conditions and regulatory review, were not disclosed.
BIO-key signs $1.5M contract extension for retention of services
Netflix, eat your heart out: BIO-key International has issued a release announcing a two-year pre-paid subscription for its biometric customer identification tools, to the tune of $1.5 million. A financial services client secured the deal to continue using the company’s workforce and customer identity and access management (IAM) software infrastructure and biometric ID proofing processes.
The initial engagement between the two parties involved exhaustive testing for BIO-key’s accuracy, scalability and scanner interoperability. Projected growth is built into the fresh subscription deal, with ten percent of the money being reserved for anticipated expansion, and selected payments targeted to milestones.
BIO-key SVP of Strategy and CLO Jim Sullivan says the subscriber “has been a global leader and first mover in deploying biometrics to secure client identity against identity theft and fraud. Since beginning our relationship, they have grown their BIO-key client enrollments to more than 3.5 times their initial count, and are now the largest bank in their country.”
Crowdstrike Global Threat Report identifies new attackers
There is no mystery as to why identity verification and biometric security tools are seeing validation as worthwhile investments; according to the 2024 Crowdstrike Global Threat Report, “significant threat gains in data theft, cloud breaches, and malware-free attacks show that despite advancements in detection technology, adversaries continue to adapt.”
The report says that speed and stealth are key factors enabling fraudsters and other digital criminals, noting a record cybercrime breakout time for 2024. It anticipates an imminent “cyber arms race where AI will amplify the impact for both the security professional and the adversary,” pointing to generative AI used maliciously in software and social engineering, creating a surge in identity-based attacks.
Crowdstrike’s list of 232 total adversaries – including 34 that are newly identified – reads like a Marvel comic, with notorious villains from the worlds of eCrime and international espionage, such as Scattered Spider, Brain Spider, Cascade Panda and Banished Kitten. Major problems include stolen credentials, supply chain attacks and the potential for electoral interference. Cloud environment intrusions are on the rise. Adversaries are exploiting trusted third-party relationships.
Part of an adequate response, according to the report’s recommendations, is making identity protection a must-have. “To counter threats, it is essential to implement phishing-resistant multifactor authentication and extend it to legacy systems and protocols, educate teams on social engineering and implement technology that can detect and correlate threats across identity, endpoint and cloud environments,” it says.
Stolen credentials enable logging in versus hacking in
The IBM X-Force Threat Intelligence Index 2024 affirms that stolen credentials are increasingly the path of least resistance for cybercriminals, noting a 266 percent surge in info stealing malware to collect and exploit valid account data and user identities, and 71 percent year over year increase in volumes of attacks using valid credentials.
The report says the biggest trend is “a pronounced surge in cyberthreats targeting identities. “In this era,” it says, “the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns. Lack of identity protections was corroborated by IBM X-Force penetration testing data for 2023, which ranked identification and authentication failures as the second most common finding.”
Indeed, valid accounts are not tied with phishing as the top initial access vector for attacks.
The IBM X-Force’s top recommendations for meeting the threat include reducing the risk of credential harvesting attacks by deploying endpoint detection and response (EDR) tools, removing fragmented identity solos, and hardening credential management practices with passkeys.
The full report is available for download here.
Tangerine breach exposes data of nearly a quarter million customers
Mobile telecom provider Tangerine Australia has had a lesson in the advanced capabilities of today’s hackers, reporting a breach that exposed personal information of approximately 232,000 customers stored in a legacy database. The breach happened on Sunday February 18 and was reported to Tangerine on February 22, triggering a security response.
A statement from the company confirms that the exposed data included full names, dates of birth, mobile numbers, email addresses, postal addresses and Tangerine account numbers. There was no disclosure or theft of credit or debit card numbers, driver’s license numbers, banking details or ID documentation details, or passwords.
“We know that the unauthorized disclosure relates to a legacy customer database and has been traced back to the login credentials of a single user engaged by Tangerine on a contract basis,” reads the statement. It emphasizes that all Tangerine customer accounts are protected with Multi-Factor Authentication (MFA), requiring customers to enter a temporary code texted to their mobile in order to log in.
Article Topics
BIO-key | biometrics | cybersecurity | Delinea | identity access management (IAM) | passwordless authentication
Comments