Watchguard Threat Lab claimed earlier this year over half of military, government and enterprise employee passwords - largely across the US - weak enough to be cracked in less than 24 hours. Is everything that bad with the global cybersecurity infrastructure?

Authentication has been one of the major problems in cybersecurity for the last few years. We are witnessing so many security breaches and cyber attacks now, some are not even covered by the media or available to the public due to such a large number. Cyber-attacks and data breaches become a common thing in our live. People keep using weak passwords or same password for all the accounts; people leave their browsers open on public computers, writing passwords down on paper or using .txt files. We've noticed critical importance of secure authentication few years ago and therefore decided to create a solution, which will help mitigate risks of the password- and credential-focused threats. 2FA initiative is simply not enough to resolve the issue of the weak passwords - there are plenty of methods to bypass the two-factor authentication.

The world is changing dramatically, the Internet is changing even faster, yet there are many old vulnerabilities and outdated technologies in use. For example, the X509 standard of the format of public key certificates was originally issued in 1988. The X509 certificates are used in TSL\SSL protocols which is the basis for HTTPS, the well-known and mostly wide-used protocol for browsing the web today. The attackers are improving their skills constantly, they find new ways to steal the credentials. Cyber security has to keep up and improve faster. The implementation and adoption of new cyber-security technologies is still too slow. The organizations implementing modern approaches are more secure, as they are far ahead of cyber-criminals.

Computational capabilities of the “black hackers” are also developing rapidly. Passwords’ hash hijacking has become a real business. The number of currently active botnets is simply through the roof. Cyber-criminals use botnets for distributed hacking as well.

We believe that blockchain is here to change lots of areas and improve cyber security. We are also convinced that passwords will sink into oblivion within the next few years because of how many companies and enterprises are working on digital identity solutions, passwordless authentication, MFA, etc. With every action on the blockchain digitally signed and timestamped, there can be no second guess on who’s accessed or moved it, and when. Every transaction on the chain can be correlated with the cryptographic signature of a particular user.

Any other recalls on how neglecting basiс digital hygiene turned into major hack breaches?

Unfortunately, many of the successful hacks are successful due to the violation of basic cyber hygiene. It usually happens on the intrusion stage of the cyber attack. Once hackers get access to the infrastructure, it is more difficult to detect any sign of their presence within the infrastructure, and it’s even harder to clean the system out and get rid of the hackers. According to CheckPoint Security report 2018, only 1% of successful cyber-attacks exploited vulnerabilities of 2018, while 40% of vulnerabilities were “older” than 2012. It means that 99% of the threats are based on the well-known vulnerabilities and bugs. This is obvious that the reason for such exploits is non-compliance with the basic rules of cyber hygiene.

Basically, what is the mainframe of keeping my authentication process safe and secure?

There should be a root or network of trust and secure communication during authentication process between all subjects of the process. Major threat is compromising the authentication process itself with malicious intent, enumeration for instance. Another one is the failure or compromise of the root of trust, which can cause the compromise of the entire authentication process.

How does blockchain address the issue of data safety exploits? To this end, why at all do you need decentralization to prevent the hack?

Blockchain significantly mitigates the risk of human error by eliminating much of the human element from data storage. Bitcoin blockchain has not been successfully hacked since its inception. When configured properly and suitably distributed, a blockchain can safeguard data of all kinds and for all industries. Blockchain makes failure of the root of trust impossible, as it replaces a single point on the network. In such a way there is a network of trust. If cybersecurity professionals can be thought of as the guardians of the world’s data, it follows that they should be drawn to distributed ledger technology. Blockchain is not a silver bullet, but it’s a highly effective way of storing, sending, and encrypting critical data (or its hash) and monitoring, in real time, who accesses it and how. And that’s pretty powerful.

What are the major use-cases for the blockchain-based authentication enhancement solution?

The possible applications for blockchain-based authentication are numerous, spanning every major industry. Any situation where you’d like to eliminate the weaknesses posed by centralized systems is an opportunity for a distributed alternative to prove its worth. When you think about it, the number of attack vectors a hacker may use to gain entry to your business’s key infrastructure is already huge. Removing the temptation of a hackable database, a particularly soft target if it’s only password protected, makes it a lot harder for a sophisticated attacker to gain entry, and reduces the value of the prize they can steal even if they are successful.

With REMME, we’ve identified a number of primary ways in which our technology can be deployed to create more robust authentication systems. In particular we’ve been looking at WebAuth for enterprises in various industries, for example medtech, where we enable users to authenticate remotely, ensuring that medical records are only accessible by those with the permission. The same concept is also being applied to platforms such as cryptocurrency exchanges, where PKI solution can be paired with 2FA to create a virtually impregnable combination. This technology isn’t limited to humans either: it’s equally suited for machine-to-machine, such as IoT devices that need to communicate and connect. It could be a car authenticating with a charging point, or connecting to an approved repair center to perform system diagnosis. Any situation where authentication is required, at any level, is an instance where such solution can be deployed to provide a more secure alternative, than incumbent solutions that don’t make use of blockchain technology and thus don’t enjoy the inherent benefits that come from fully distributed systems with no single point of failure.

- How do you see the ultimate cocktail shielding the data from fiendish hacker campaigns? Theoretically, is the absolute impenetrability of protected information achievable?

Theoretically, there are only absolutely crypto-resistant ciphers. Based on non-zero risk principle we can come to conclusion that it is impossible to achieve absolute security. Security is a negative goal. That’s why cocktail shielding depends solely on the properties of the system protected, and is useful only “this evening”. Absolute security is unattainable by nature. One of the goals of cyber security experts is to make the cost of hackers attack as expensive as possible. And in the case of REMME, our task is to make the cost of an attack as expensive as possible for those who attack.