How state and local government can defend against identity attacks
By Jack Alexander
Dec 23, 2019
In October, the National Association of State Chief Information Officers hosted its annual conference in Nashville. When asked to cite their top concerns at the conference, many of the CIOs and other IT leaders cited identity management, the practice of ensuring only the appropriate people within an organization have access to resources.
Hackers want access – the rise of identity attacks
Government IT leaders know identity attacks are on the rise. A recent report by Proofpoint shows that credential compromise via phishing attacks shot up by more than 70% in the past year. When hackers target an individual, they attempt to access a system by obtaining and leveraging user credentials. A hacker with a victim's credentials has the same level of privilege as the victim – permission to install programs, read and download protected information and upload software, including malware.
State and local governments are particularly attractive targets to hackers because of the amount of sensitive information housed within their networks, such as personal information on employees and residents. In addition, citizens need to interact regularly, securely and efficiently with government. That requirement makes government a prime target for ransomware attacks, which can cripple local agencies and make it impossible for residents to access important documents like marriage and birth certificates as well as permits needed to move forward with various projects.
Identity attacks start with vulnerable individuals, but ensuring the workforce is trained to detect phishing and other identity attacks is a challenge. It only takes one compromised account to open access to the entire organization, and attackers create around 1.5 million new phishing sites each month.
To defend against identity attacks, security teams must understand which user-focused attacks are the most prevalent and prepare employees to defend against them. According to Okta, hackers leverage several common identity attacks, including:
- Broad-based phishing campaigns. By gathering basic information about a victim to seem credible, attackers use phishing messages to trick unsuspecting users into handing over their credentials. More than three-quarters of organizations and businesses surveyed in a 2018 report were targeted by phishing in 2018.
- Spear-phishing campaigns. Spear phishing is a more targeted form of phishing. The level of social engineering is sophisticated, with personalized messages containing a call to action specific to a particular individual. The message can include personal information such as family member names, accurate identifiable details about the individual or other information that looks and feels real to a victim. Spear phishing was used in 2018, when Iranian state-sponsored hackers stole research, secrets and sensitive information from universities, private companies and the U.S. government.
- Credential stuffing and password spraying. Attackers leveraging credential stuffing test stolen credentials on multiple sites to determine whether the same username and password have been reused. According to Troy Hunt, founder of HaveIBeenPwned.com, 86% of subscribers affected by the CashCrate data breach of 2017 were using passwords already leaked in other data breaches and available to attackers in plain text. In password spraying, on the other hand, the threat actor attempts to break in by trying the most commonly used passwords, such as "1234" or "qwerty," against many accounts.
- Man-in-the-middle attacks. These highly targeted attacks intercept a network connection and allow an attacker to hijack sessions, compromising a user's web session by stealing the session token. One example of a MitM attack is an attacker creating a fraudulent Wi-Fi access point designed to look like a legitimate public network, such as a hotel's or restaurant's guest network. An unknowing victim then connects to the attacker's network, giving away credentials and access in the process.
The breadth and (unfortunately) frequent success of these credential-focused attacks can seem intimidating. Through informed planning, training initiatives and the enforcement of cybersecurity policy, however, agencies can take action against these common threats. Simple strategies to strengthen identity and access management can go a long way to mitigating these attacks:
Enable multifactor authentication. MFA can keep a compromised credential from turning into a compromised account, even if a user clicks a malicious link and gives away a password. MFA prevents an attacker from successfully accessing a system by requiring a second layer of proof beyond a username and password -- factors such as a one-time passcode, soft tokens, hardware tokens or a biometric authenticator -- before allowing access.
Use password-less authentication. A stolen password lets an attacker reach a wide range of sensitive information. With standards like WebAuthn, agencies can have servers authenticate users with public key cryptography rather than a password, greatly reducing the success of phishing attacks. Because authentication relies on a public-private key pair, a stolen credential database holds only public keys, which are of no use to an attacker.
Extend strong authentication to infrastructure and APIs. A 2017 Gartner report predicted that by 2022, application programming interface abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. To build in additional protection across the entire infrastructure, agency security teams should extend authentication to servers and APIs and consider stronger policies and controls around these technologies to limit access and strengthen the overall posture of the agency.
Leverage network insights. Agencies can benefit from services with built-in intelligence capable of detecting suspicious login attempts and other abnormal activity across the network and applying that insight at various points in the ecosystem. This level of insight can block suspicious attempts before an attacker gains access, while limiting the account lockouts that legitimate users would otherwise suffer.
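As an added example of the kind of login insight recommended above (not code from the article or Okta), the following Node.js function scans authentication log lines for the password-spraying pattern described earlier: one source trying many accounts a few times each, which is exactly what keeps each account below a per-account lockout threshold. The log format, addresses, accounts and thresholds are constructed for the example.

```javascript
// Constructed sample log: timestamp, result, account, source address.
const SAMPLE_LOG = [
  '2019-12-20T08:00:01Z FAIL alice@agency.test 203.0.113.7',
  '2019-12-20T08:00:03Z FAIL bob@agency.test 203.0.113.7',
  '2019-12-20T08:00:05Z FAIL carol@agency.test 203.0.113.7',
  '2019-12-20T08:00:07Z FAIL dave@agency.test 203.0.113.7',
  '2019-12-20T08:00:09Z FAIL erin@agency.test 203.0.113.7',
  '2019-12-20T08:00:11Z OK   frank@agency.test 203.0.113.7',  // one common password worked
  '2019-12-20T08:02:00Z FAIL alice@agency.test 198.51.100.4',
  '2019-12-20T08:02:20Z FAIL alice@agency.test 198.51.100.4',
  '2019-12-20T08:02:40Z OK   alice@agency.test 198.51.100.4',  // a user mistyping, not an attack
];

function parseLine(line) {
  const [ts, result, user, ip] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), ok: result === 'OK', user, ip };
}

// A source is flagged when, inside one window, it touches at least minUsers
// distinct accounts with no more than maxPerUser attempts each. Few attempts per
// account is the signature of spraying: it stays under per-account lockout
// limits, so per-account lockout alone never sees it.
function detectSpraying(lines, { minUsers = 5, maxPerUser = 2, windowMs = 10 * 60 * 1000 } = {}) {
  const bySource = new Map();
  for (const ev of lines.map(parseLine)) {
    if (!bySource.has(ev.ip)) bySource.set(ev.ip, []);
    bySource.get(ev.ip).push(ev);
  }
  const alerts = [];
  for (const [ip, events] of bySource) {
    events.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < events.length; i++) {        // sliding window starting at each event
      const perUser = new Map();
      let failures = 0, successes = 0;
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= windowMs; j++) {
        perUser.set(events[j].user, (perUser.get(events[j].user) || 0) + 1);
        if (events[j].ok) successes++; else failures++;
      }
      if (perUser.size >= minUsers && Math.max(...perUser.values()) <= maxPerUser) {
        alerts.push({ ip, accounts: perUser.size, failures, successes });
        break;                                        // one alert per source
      }
    }
  }
  return alerts;
}
```

Alerts with successes greater than zero are the ones to act on first: the sprayed password worked on that account, and the legitimate user who mistyped three times is never flagged.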
Defending against identity attacks starts with strengthening access controls. The shift to the cloud has allowed remote access to resources from devices outside traditional environments. With so many devices requesting access to resources, the common control point has shifted to the identity of the user.
By evaluating authorization at the individual level, agencies can use these strategies to mitigate some of the most credible threats against their ecosystems and shift their focus back to improving citizen experience through innovation and modernization.
Jack Alexander is national director of state and local government and education at Okta.