Multi-factor authentication (MFA) that depends on one of the authentication factors being delivered via SMS and voice calls should be avoided, Alex Weinert, Director of Identity Security at Microsoft, opined.
That’s not to say that MFA should be avoided, though, just that there are safer and more reliable ways to get additional authentication factors.
Why SMS- and voice-based MFA is the least secure option
Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
But the delivery of authentication factors via publicly switched telephone networks (PSTN) is the least secure of the MFA methods available, he thinks, because:
- The SMS and voice formats aren’t adaptable to user experience expectations, technical advances, and attacker behavior in real-time
- PSTN systems are not 100% reliable, meaning the message or call may not come when needed
- Changing regulations may get in the way of SMS delivery and phone calls
- SMSes and phone calls were designed without encryption and can be intercepted (e.g., via software-defined radios, femotcells, SS7 intercept services, mobile malware, phishing tools)
- Support agents at companies operating publicly switched telephone networks can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (e.g., via SIM swapping)
MFA is a must
The value of multi-factor authentication is not in question, but as more and more users adopt it, attackers will try come up with new ways to grab the needed OTP authentication codes.
Weinert advised users to, if possible, switch from SMS- and voice-based MFA to using app-based authentication. Naturally, he endorsed the Microsoft Authenticator app, but there are other apps that serve the same function (such as Google Authenticator, Cisco’s Duo Mobile) and the same protections (encrypted communication, more control, etc.).
There are other MFA options available, and some offer an even greater degree of safety against remote attacks, such as smart cards or security keys – actual physical devices attackers should get their hands on in order to gain access to secured accounts.
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 67 has been released today. It’s a free download, no registration required.
Table of contents
- Cooking up secure code: A foolproof recipe for open source
- Hardware security: Emerging attacks and protection mechanisms
- How can the C-suite support CISOs in improving cybersecurity?
- Review: Netsparker Enterprise web application scanner
- Mapping the motives of insider threats
- Three places for early warning of ransomware and breaches that aren’t the dark web
- The lifecycle of a eureka moment in cybersecurity
- Review: ThreadFix 3.0
- Which cybersecurity failures cost companies the most and which defenses have the highest ROI?
- Justifying your 2021 cybersecurity budget
- Keep remote workers and their devices secure with one click
- How to build up cybersecurity for medical devices
- State-backed hacking, cyber deterrence, and the need for international norms
- DaaS, BYOD, leasing and buying: Which is better for cybersecurity?
Get the latest issue of (IN)SECURE Magazine and subscribe for free.
For the first time, there’s a year-over-year reduction in the cybersecurity workforce gap, due in part to increased talent entry into the field and uncertain demand due to the economic impact of COVID-19, (ISC)² finds.
The research, conducted from mid-April through June 2020, also provides insights from cybersecurity professionals about their organizations’ COVID-19 pandemic response, and the massive effort required to quickly and securely transition their staffs to remote working environments.
Decrease in the global cybersecurity workforce shortage
The study reveals that the cybersecurity profession experienced substantial growth in its global ranks, increasing to 3.5 million individuals currently working in the field, an addition of 700,000 professionals or 25% more than last year’s workforce estimate.
The research also indicates a corresponding decrease in the global workforce shortage, now down to 3.12 million from the 4.07 million shortage reported last year. Data suggests that employment in the field now needs to grow by approximately 41% in the U.S. and 89% worldwide in order to fill the talent gap, which remains a top concern of professionals.
In a historically unprecedented year, the study also focused on how security teams and professionals were impacted by COVID-19. The data shows that 30% of cybersecurity professionals faced a deadline of one day or less to transition their organizations’ staff to remote work and to secure their newly transformed IT environments.
92% of respondents indicated that their organization was “somewhat” or “very” prepared to respond, and just 18% saw security incidents increase during this time.
“The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”
- Job satisfaction rates increased year-over-year, with 75% of respondents saying they are either “somewhat” or “very” satisfied
- The average annual cybersecurity salary is highest in North America at $112,000
- 56% of respondents say their organizations are at risk due to cybersecurity staff shortages
- Cybersecurity practitioners are concerned that security budgets will be impacted by revenue losses related to COVID-19. 54% are concerned about personnel spending while 51% are concerned about technology spending
- 23% said that they or a peer had been laid off as a result of the pandemic
- 78% of cybersecurity professionals who still need to work from an office say they are either “somewhat” or “very” concerned about their personal safety in relation to COVID-19
- Cloud computing security is far and away the most in-demand skillset, with 40% of respondents indicating they plan to develop it over the next two years
- Just 49% of those in the field hold degrees in computer and information sciences, highlighting the fact that many of the professionals responsible for cybersecurity come from other areas of expertise
Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.
The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.
The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.
As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19, with more than half implementing MFA.
Cloud adoption also accelerated
Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.
As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.
“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”
Additional report findings
So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.
Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% the past five years.
Cloud apps on pace to pass on-premises apps – Use of cloud apps are on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.
Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.
iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.
Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.
Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.
Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).
On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.
UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.
Join Cobalt for an interactive 1-hour Q&A session that tackles real-life examples of what it takes to achieve DevSecOps maturity.
In the security corner will be Caroline Wong, Cobalt’s Chief Strategy Officer. Engineering will be represented by Larry Maccherone, whose extensive experience in lean and agile practices has made him DevSecOps transformation lead at Comcast.
What will be covered:
- Do’s and don’ts of shifting to a DevSecOps mindset
- Learnings on how to improve maturity and track progress
- A look at how team structures can influence results
COVID-19 changed the rules of the game virtually overnight. The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education.
But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they’re willing to take it.
WFH isn’t new, but WFH suddenly, at scale, is
The attack surface changed — and so did the rules of the game.
A work-from-home world isn’t a new thing. Slow transitions to remote workplaces have become more of a norm, though pushes for all-remote workplaces come in cycles. In the past five to ten years, despite the rise of flexible work options and global teams, work still happened mainly in an office.
What is new is a massive amount of the workforce shifting to remote work nearly overnight. Suddenly, the internet became a company’s network—thousands of employees turned into thousands of individual offices. Secured networks were traded in for home Wi-Fi, and gaps and holes in an organization’s attack surface were introduced where they didn’t exist before.
That shift suddenly exposed vulnerabilities in the system, like older systems that were never updated, internet assets that were forgotten, and patches that never happened. These weak links are all the invitation a malicious adversary needs.
Rogue threats—web infrastructure created by criminals—changed, too. Phishing schemes suddenly took a new approach in the form of “COVID lures”: emails and ads that lead to questionable websites providing cure-alls for the virus, taking advantage of people’s increased fear and anxiety.
Attackers realized they had another advantage: employees responsible for diagnosing and fixing these kinds of security issues are now preoccupied with supporting family, supervising their kids’ remote education, or working long hours to cover other cuts. In other words, some of our players were benched.
Combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game. The good news is that although malicious actors seeking ways into these exposed systems are adapting, a company can adapt as well.
Going on the offensive
Companies can’t afford large-scale cyberattacks at any time, but especially right now. The pandemic has caused consumers who may have lost significant income to be picky with their purchases and investments. Companies need to be focused on retaining customer relationships so that they’ll weather the pandemic, and a take-down of the network could undercut customer trust in unrecoverable ways.
But many companies won’t take action. They may view their older systems as good enough to ride the wave to the other side of the pandemic, and once there, they’ll go back to what they had used before, unprepared for the next attack. They may get through, but nothing will have changed — things will not go back to how they were, and you will no longer be able to rely on systems that protected a pre-COVID world.
Now, there’s an opportunity to huddle up, form a new strategy, and go on the offensive. The pandemic can be an opportunity for businesses to take a look at their vulnerabilities, map their attack surface, and take appropriate actions to secure and strengthen their systems. We’ve seen this after other catastrophic events, such as after 9/11, when companies adopted new resiliency plans for any future recovery events. Companies have the same opportunity now.
Here are some things a company can do to ensure their systems are secure, even if they’ve been running a remote workforce for a while.
Invest in security teams
Companies who understand the value of keeping their systems secure and taking initiatives against potential leaks will want to invest in cybersecurity. Shore up the team and make new hires if needed. Overall, companies have been supportive of their security teams during this time, but if security isn’t a priority, make it one.
Map the attack surface
The quick move to remote work probably meant a fast rollout of new initiatives and quickly standing up new equipment, which means mistakes are the leading cause of a breach. Do an audit of your attack surface to uncover hidden failures and where older systems, forgotten assets, or unpatched issues are creating vulnerabilities.
Ask questions about what changed: What programs were canceled or altered? How are resources shifting around? Can new assets be secured before they roll out? Also, do some threat modeling with your team. Ask what a threat actor would do to attack your systems, or where they would gain a foothold. In other words, anticipate the opposing team’s next move.
Even the best companies miss something, but the more you can anticipate, the better. Then prepare a response plan for investigating attacks quickly, develop a triage system, create a playbook, and run drills so your players know their roles.
Update the old and roll out the new
Now that you’re learning the new rules of the game, can visualize the playing field and anticipate the opposing team’s next move, it’s time to act. Update older systems or trade them in for new ones. Patch security holes. Shrink the attack surface. Roll out new digital initiatives you might have been sitting on.
Finally, create that mobile app. Move to the cloud. Find new digital ways to engage with your customers, since it may be a while before in-store foot traffic returns. As you do this, you may come to realize that your systems were set up in such a way that you need to start over. In that case, do it. Now’s the time.
Support your team
Above all, make sure you have the right team in place, and take care of them. Get them the resources and information they need as they audit, patch, and put new protocols in place for the future.
Communicate with both them and your leadership team to keep everyone informed, and if you think you’re too busy, communicate even more like teammates would on the field. Hedge against burnout. Above all, give your team the time and space they need to find the holes and make the fixes.
Live to play another day
In many ways, this shift to digital has been in progress for a long time. However, because it was never a necessity, the transformation lagged or stalled from a lack of resources and was moved down the priorities list. But today we see stalled-out initiatives finally being implemented. The plans have been in place, and COVID is now forcing us to get it done.
Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible, is a bug bounty program.
During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.
What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?
I found literally hundreds of bugs in Office 365 but my favourite are All your Power Apps Portals belong to us and Cross-tenant privacy leak in Office 365. In the earlier one, I was able to control the Power Portal sites via Insecure Direct Object Reference (IDOR) while in the later one, as an attacker you can reveal the Lync (Skype for business) status in a cross-tenant manner. An attacker could see that a particular user is online or be right back while at the same time also can reveal the custom location set by the victim.
How would you rate Microsoft Office 365 security in general?
Finding a bug in Microsoft 365 is a challenging task given Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.
Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.
What type of bugs did you find? What was the severity of the discovered issues?
I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.
When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.
What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?
Bug hunting is still in early ages as a field. I would call it an amateur field where both parties (a bug hunter and a bug receiver) are learning.
Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.
When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
New Zscaler threat research reveals the emerging techniques and impacted industries behind a 260-percent spike in attacks using encrypted channels to bypass legacy security controls.
Showing that cybercriminals will not be dissuaded by a global health crisis, they targeted the healthcare industry the most. Following healthcare, the research revealed the top industries under attack by SSL-based threats were:
1. Healthcare: 1.6 billion (25.5 percent)
2. Finance and Insurance: 1.2 billion (18.3 percent)
3. Manufacturing: 1.1 billion (17.4 percent)
4. Government: 952 million (14.3 percent)
5. Services: 730 million (13.8 percent)
COVID-19 is driving a ransomware surge
Researchers witnessed a 5x increase in ransomware attacks over encrypted traffic beginning in March, when the World Health Organization declared the virus a pandemic. Earlier research from Zscaler indicated a 30,000 percent spike in COVID-related threats, when cybercriminals first began preying on fears of the virus.
Phishing attacks neared 200 million
As one of the most commonly used attacks over SSL, phishing attempts reached more than 193 million instances during the first nine months of 2020. The manufacturing sector was the most targeted (38.6 percent) followed by services (13.8 percent), and healthcare (10.9 percent).
30 percent of SSL-based attacks spoofed trusted cloud providers
Cybercriminals continue to become more sophisticated in avoiding detection, taking advantage of the reputations of trusted cloud providers such as Dropbox, Google, Microsoft, and Amazon to deliver malware over encrypted channels.
Microsoft remains most targeted brand for SSL-based phishing
Since Microsoft technology is among the most adopted in the world, Zscaler identified Microsoft as the most frequently spoofed brand for phishing attacks, which is consistent with ThreatLabZ 2019 report. Other popular brands for spoofing included PayPal and Google. Cybercriminals are also increasingly spoofing Netflix and other streaming entertainment services during the pandemic.
“Cybercriminals are shamelessly attacking critical industries like healthcare, government and finance during the pandemic, and this research shows how risky encrypted traffic can be if not inspected,” said Deepen Desai, CISO and VP of Security Research at Zscaler. “Attackers have significantly advanced the methods they use to deliver ransomware, for example, inside of an organization utilizing encrypted traffic. The report shows a 500 percent increase in ransomware attacks over SSL, and this is just one example to why SSL inspection is so important to an organization’s defense.”
Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.
The conditions put forth by the settlement
The FTC complaint said that:
- Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security, i.e., it encrypted communications but stored the encryption keys on its servers
- The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
- In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs that helped with frictionless installation of the Zoom application
The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:
- Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
- Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
- Implement a vulnerability management program
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
- Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
- Review any software updates for security flaws and ensure the updates will not hamper third-party security features
Two of the FTC commissioners disagreed with the settlement
FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. Also, that Zoom’s misrepresentation of its security practices allowed it to steal users from competing players in the video conferencing market, and to “cash in” on the pandemic.
“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.
FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.
She also noted that Zoom should have been ordered regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice. ”
It remains to be seen if Zoom will fulfill and continue to fulfill the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billions.
UPDATE (November 10, 2020, 4:10 a.m. PT):
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Since spending more time at home, my appetite for reading has increased. In fact, I recently picked up again one of my favorites – J. R. R. Tolkein’s Lord of the Rings trilogy. In the first book, The Fellowship of the Ring, a conversation between Frodo and Gandalf goes something like this:
“I wish it need not have happened in my time,” said Frodo.
“So do I,” said Gandalf, “and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given to us…”
The CTO role keeps changing
Such is also the fate of the Chief Technology Officer (CTO). Many things are beyond their control. Yet, in times of crisis, CTOs are relied upon. They often peer into the future and must address dangers to the business and contend with many unknowns. The key to being a successful CTO is deciding the best things to do with what’s in front of us.
Undoubtedly, COVID-19 has placed extensive demands on CTOs who have had to redesign or redistribute technology resources in rapid order with minimal time to research, strategize and execute.
In partnership with IT managers, hybrid work environments had to be constructed and deployed to accommodate remote workers. The number one priority (in addition to equipping employees with devices) was to secure the distributed network against evolving cybersecurity threats.
Now the question is: where do we go from here? Years’ worth of digital transformation progress was made in a matter of weeks. How will we now maintain and scale these systems for years to come? How do we future proof for other disruptions? These questions are what CTOs and their staff are now grappling with.
Being a CTO is about more than just choosing technology solutions or making sure people can work from home successfully. The CTO role is changing to encompass supply chain resiliency, communications solutions and support for sales teams, preventing technological surprise and meeting broader business unit needs.
In this environment, a CTO’s unique combination of technical and institutional knowledge has only become more vital. The CTO must be much more than a technical expert. They must be knowledgeable about every aspect of the business from HR to Finance and everything in between.
Clearly communicating the evolving role of tech across sales, security and more
According to Deloitte, more than half of CEOs say that tech leaders in their companies will be key drivers of business strategy. Filling that role means wearing many hats, the specifics of which differ from enterprise to enterprise.
The CTO doesn’t necessarily even sit in the same place in every management hierarchy. For example, depending on who runs the IT department, the CIO reports to the CTO, and vice versa. The common thread: CTOs have to be versatile.
Some companies see the CTO as an interface between the firm’s customers and its knowledge, capabilities and products. This is largely a sales leadership role, where a CTO can use their technical expertise to connect services and clients. Other times, the CTO is charged with ensuring employees can interact with one another, enabling collaboration, communication and innovation.
What’s important for any organization today, whether it’s an SMB, federal agency or large enterprise, is that the role of the CTO is adaptable to manage disparate tasks: from serving as a C-suite partner advising on operational decisions to counseling customers on specific services.
Of course, CTOs must understand technology in great detail, but they also need to be able to articulate how technology works in a way that average individuals understand.
They must be able to communicate clearly with decision-makers from all departments on issues ranging from cybersecurity to sales enablement platforms to secure supply chains. This is what we call a “T” shaped individual: depth in their specific field of expertise and breath in all other business areas. The best CTOs are truly Renaissance individuals.
Meeting transformation with expansive knowledge and sharp agility
Research from McKinsey demonstrates that companies that are aware of new technologies and work to build them into their operating models tend to be more successful than those that do not. The responsibility for finding those technologies, understanding them and incorporating them into an enterprise’s strategy at the proper scale falls squarely on the CTO.
Greater digitization has only increased the number of innovative technologies CTOs need to track. The market for global digital transformation products and services is expected to expand at a compound annual growth rate of 22.5 percent from 2020 to 2027.
Greater digitization has also made CTOs more valuable because it has dramatically and substantially expanded their sphere of influence. Increased reliance on technology throughout companies offers CTOs more insights into lines of business and back-office operations.
These insights can be valuable in finding efficiencies and opportunities to innovate. What’s more, the increased reliance on technology means CTOs often have visibility into talent, operations, and partners as well.
As more potential disruptions loom, the fact that every organization looks at its technology roles differently is a good thing, because the people filling those roles also have diverse backgrounds and will bring their own unique perspectives to the job. For example, my own strong background in engineering combined with a doctorate in economics has given me a different view on technologies from some of my peers.
The circumstances surrounding the COVID pandemic have made the blend of deep institutional knowledge and a wide breadth of technical aptitude an essential combination for any agile CTO.
They are often the target of many attackers who search for them like gold. Some can be easily found, while others can be more difficult to come by. However, inevitably, they can certainly be the weakest link in the security for your entire organization. What is this highly desirable, often stolen, and targeted resource? Passwords. Specifically, Active Directory passwords.
Most enterprise organizations use Microsoft Active Directory (AD) as their centralized identity and access management solution. The standard AD username and password provide users access to any number of systems, including email, file shares, windows desktops, terminal servers, SharePoint, and many other systems integrated with Active Directory.
End-users often use dangerous, easy to remember passwords for their user accounts, even with Active Directory password policies in place. Finding risky passwords in your environment is more important than you might think. Why is that? How can password security in your organization be bolstered?
Why finding risky passwords is important
Ransomware attacks and data breaches are continuously making news headlines. There is often a common thread among data breach events or ransomware attacks – stolen or weak credentials. Take note of the following:
- Kaspersky – “The vast majority of data breaches are caused by stolen or weak credentials. If malicious criminals have your username and password combination, they have an open door into your network.”
- Verizon 2020 DBIR – “Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.”
- Infosecurity Magazine – “A year ago, researchers found that 2.2 billion leaked records, known as Collection 1-5…With this treasure trove, hackers can simply test email and password combinations on different sites, hoping that a user has reused one. This popular technique is known as credential stuffing and is the culprit of many recent data breaches.”
Cybercriminals are after your organization’s passwords. Why are passwords such a target? Put simply, stealing credentials is the path of least resistance into your environment. If an attacker has your username and password combination, they have a “wide open door” to your network and business-critical systems. These may include email, websites, bank accounts, and other PII sources. Even worse, if an attacker can get their hands on administrator credentials, they have the “keys to the kingdom” and can do anything they want.
Attackers use any number of techniques to get their hands on stolen credentials. These may include brute force attacks, password spraying, and also, using databases of leaked passwords. Leaked passwords that result from prior data breaches are also known as pwned passwords.
Passwords are hashed in Active Directory and cannot be read, even by administrators. So, how can you effectively find weak, reused, and even breached passwords in your environment?
Built-in tools are not enough
There is no built-in functionality in Active Directory that natively allows you to check for reused or breached passwords. The only real built-in tool in Active Directory that administrators have at their disposal is Active Directory password policy. Password policies are part of an Active Directory Group Policy Object, and they define the required characteristics for passwords. These characteristics may include uppercase, lowercase, numbers, special characters, and minimum characters. While this helps prevent weak password usage, certain passwords are still easily guessed with letter and number substitutions. Additionally, most organizations enable the minimums for password length and complexity.
Below is an example of a default, unconfigured Active Directory password policy.
Active Directory password policy
Specops Password Auditor: Bolstering Active Directory password security
Native tools are not enough to protect your environment from weak, reused, and breached credentials. Hackers are quick to capitalize on these types of passwords used to have easy access to your business-critical data. Specops Password Auditor, a free tool, provides an automated tool to proactively scan and find weak, reused, and breached passwords in use in your Active Directory environment. The best part – it makes this process extremely easy.
After installation, define the domain, scan root, and the domain controller you would like to use for the scan process.
Defining the domain, scan root, and domain controller
The Password Auditor will:
- Search Active Directory users
- Read password policies
- Check for breached passwords
- Reads user details
- Check password policy usage
- Read custom password expiration
Running the Specops Password Auditor scan
- Blank passwords
- Breached passwords
- Identical passwords
- Admin accounts
- Stale admin accounts
- Password not required
- Password never expires
- Expiring passwords
- Expired Passwords
- Password policies
- Password policy usage
- Password policy compliance
It scans various Active Directory user account attributes, including:
After Password Auditor scans the environment, it presents you with an easy-to-read dashboard. The dashboard quickly displays relevant password information. Critical points of interest are noted with the red “bubble tips” with the number of findings for the particular password risk.
Scan results displaying password risks in the environment
When you click the password finding details, you will see the specific list of user accounts with the password risk displayed. Additionally, Specops Password Auditor shows the location, last logon, and associated password policy of the particular user account.
Displaying Active Directory user accounts with known breached passwords
Specops Password Auditor allows you to easily handoff official reports to management, internal or external auditors, and others with the Get PDF Report function.
Generating the Password Auditor report
The Specops Password Auditor executive summary report allows quickly handing over information to business stakeholders in the environment. The report contains concise, easy-to-read information regarding the password audit and risk level.
The overview page of the Password Auditor report
Cybercriminals are capitalizing on weak, reused, and breached passwords in Active Directory environments. By stealing credentials, attackers gain easy access to business-critical data and systems. There are no native tools found in Active Directory to find reused or breached passwords.
Using Specops Password Auditor allows quickly gaining visibility to weak, reused, and breached passwords in the environment and auditing many other important AD components such as password policies. You can also generate and provide a concise and easy-to-read executive summary report to provide to business stakeholders and auditors.
Learn more about Specops Password Auditor here.
The cybersecurity industry no longer has an image problem, but many things are still stopping individuals from considering a career in cybersecurity: a high cost of entry (the need for more education /certification / technical knowledge / training), the inability to code and the perception of the field as too intimidating.
In addition to this, many don’t have a clear, realistic view of the profession and are confused by its breadth and sprawl.
Cybersecurity career: A look from the outside
(ISC)² has recently asked 2,500 people across the US and the UK who don’t currently work in cybersecurity roles and have never worked in the field about how they view cybersecurity workers, whether they would consider entering the field, and what’s stopping them from doing it.
The good news is that 71% of participants said that they view cybersecurity professionals as smart, technically skilled individuals, 51% view them as “good guys fighting cybercrime,” and 35% said cybersecurity professionals “keep us safe, like police and firefighters.”
The bad news is that even though most view cybersecurity as a good career path, they don’t think it’s the right path for them. In fact, only 8% of respondents have considered working in the field at some point.
“One of the most unexpected findings in the study is that respondents from the youngest generation of workers – Generation Z (Zoomers), which consist of those up to age 24 – have a less positive perception of cybersecurity professionals than any other generation surveyed. This issue in particular merits close attention by the cybersecurity industry at a time when employers are struggling to overcome the talent gap,” (ISC)² noted.
The analysts posited that Generation Z’s perceptions of the cybersecurity field are shaped negatively by social media exposure, as social media platforms “tend to focus on the negative – arguments and venting.”
The survey revealed that respondents view the profession as having a high cost of entry: 61% said they believe they would need more education or would need to earn a certification before getting a cybersecurity job, and 32% believe it would require too much technical knowledge or training.
37% of the female and 17% of the male respondents said that they found the profession intimidating, and a higher number of women are more discouraged than men by a perceived lack of diversity in the field (13% to 7%).
The respondents don’t have a clear idea about what they can expect from the field, and the school curriculum of 77% of the respondents never included cybersecurity.
“Even when cybersecurity education is available, it tends to come much later in the educational path when many students may have already determined another area of focus,” (ISC)² pointed out.
One of the biggest deterrents to entering the field is the distorted perception that, to work in it, you have to have highly specialized, technical skills.
“When survey participants were simply asked about the first thing that came to mind when they thought of the term cybersecurity, their responses included sentiments like, ‘smart computer skills that I don’t have’ and ‘I’m not qualified to apply for the jobs’,” the non-profit shared.
“In reality, many cybersecurity teams are searching for a wider pool of skillsets to complement their technical staff, including those individuals who possess legal, risk, compliance or communications knowledge, among other areas.”
Making cybersecurity more accessible
Correcting the perceptions about the cybersecurity field should be a broad goal for the industry. Emphasis should be placed on the many positive cybersecurity career attributes and a better educational foundation should be introduced.
“Co-develop cybersecurity programs with school districts and higher learning institutions to awaken earlier interest in the field. Creating a stronger pipeline of candidates who understand the realities and the benefits of a cybersecurity career will help to reduce the global talent gap,” (ISC)² advised to hiring managers and organizations.
More immediately, they should:
- Increase the focus on the non-technical aspects of certain positions in job descriptions, such in order to get a larger pool of candidates to consider
- Develop recruitment strategies that focus on outreach to individuals with complementary experience (e.g., in communications, law enforcement, data flow, process development and controls, regulatory compliance, etc.) and consider recruiting employees in different departments that are looking to enter the field.
It is a mathematical certainty that data is more protected by communication products that provide end-to-end encryption (E2EE).
Yet, many CISOs are required to prioritize regulatory requirements before data protection when considering the corporate use of E2EE communications. Most Fortune 1000 compliance and security teams have the ability to access employee accounts on their enterprise communications platform to monitor activity and investigate bad actors. This access is often required in highly regulated industries and E2EE is perceived as blocking that critical corporate access.
Unfortunately for enterprise security and compliance teams in most companies, unsanctioned communications platforms like WhatsApp are being used outside to conduct sensitive business in contravention of corporate policies. Just recently Morgan Stanley executives were removed from the firm for using WhatsApp.
Employees have come to understand that their IT, compliance and security teams are not the only ones who have special access to their communications. They know that Slack, Microsoft, Google, etc., can also access their data and communications. As such, many have turned to consumer E2EE products because they are not comfortable conducting sensitive business on systems where the service provider is both listening and responsible for security.
Why consumer apps running rampant is bad for business
Taking sensitive business to consumer products is risky. These consumer-grade platforms are not purpose-built for secure and compliant communications. They prioritize engagement and entertainment resulting in an ongoing pattern of security flaws, like person-in-the-middle attacks and remote code execution vulnerabilities. WhatsApp users have borne the brunt of these security vulnerabilities for years.
CISOs have been left to choose between turning a blind eye to employees using consumer E2EE products like WhatsApp or, worse yet, relenting and creating policy exceptions that they hope will placate regulators. Yet this approach is an endorsement of long-term use of non-compliant and insecure consumer products.
End-to-end encryption is more flexible than you think
Corporate security teams have operated under the misconception that E2EE is rigid. That not having a backdoor implies that there is only a one-size-fits-all implementation of the world’s most reliable cryptography. In reality, E2EE is flexible and can be deployed in concert with corporate policies and industry regulations.
CISOs don’t need to choose between compliance and strong encryption. Organizations, regardless of industry, can use E2EE that adheres to regulations, internal policies and integrates with IT workflows. This means that the corporate decision to use E2EE can be focused on protecting data from adversaries, competitors and service providers, instead of a fear of breaking the rules.
Choosing an E2EE-enabled communications platform
When it comes to choosing an E2EE-enabled communications platform, security professionals need to assess vendors’ claims, capabilities and motivations. While some mainstream platforms advertise E2EE, they only encrypt the traffic from endpoint to server. This is called Client-to-Server encryption (C2S). This happened most notably with Zoom earlier this year when they sold their product as E2EE.
Most reasonable security professionals agree this was not a malicious attempt to trick end users, rather a genuine lack of cryptographic understanding and sophistication. The company decided that a green lock symbol would make end users feel good – despite a C2S architecture that was prone to person-in-the-middle attacks.
Providers who are not in the business of securing critical user information will almost certainly make claims they do not understand and ship solutions that “don’t suck” rather than serious security technology.
CISOs who embrace E2EE will benefit from the certainty of math. It’s important to ensure that the service provider is capable of, and committed to, providing true E2EE.
There are three important pillars to a strong E2EE solution:
- Both the cryptographic protocols and results from third-party security reviews are public
- Their servers do not store data; and
- The service provider’s business model isn’t reliant upon access to customer data
This is to say that the CISO’s zero trust security policy should be extended to the service provider. If your Unified Communications service provider can access, mine and analyze your data, then they are an attack surface. We know that this access can lead to unauthorized access. Strong E2EE eliminates the service provider risk with mathematical certainty.
Compliance-ready E2EE is a relatively new phenomenon. But it is more important than ever for CISOs to weigh the risk of giving service providers access to all of their company’s data and the unparalleled benefits of taking control of their data while adhering to corporate compliance requirements.
When it comes to providing no-compromise security for enterprise communications, E2EE is a must-have for organizations, and now implementing it can be done without breaking the rules. Further, when organizations deploy enterprise E2EE with forethought they can pull end users off dangerous products like WhatsApp, We Chat and Telegram by giving their employees the security and privacy they need and deserve.
80% of companies say that an increased cybersecurity risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.
This is according to Cyberchology: The Human Element, a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:
- Cybercrime has increased by 63% since the COVID-19 lockdown was introduced
- Human error has been the biggest cybersecurity challenge during the COVID-19 pandemic, according to CISOs
- Just a quarter of businesses consider their remote working strategy effective
- 47% of people are concerned about their ability to manage stress during the coronavirus crisis
Cyberchology research investigates the attitudes of 2,000 consumers and over 100 Chief Information Security Officers in the UK, with psychological research examining the link between cybersecurity, personality, and stress in a virtual world.
The report found that 75% of companies say that half of their business is being undertaken by employees who are now working remotely – but weren’t doing so before COVID-19, showing a highly dispersed current workforce.
With CISOs reporting a 63% increase in cybercrime since the lockdown began, and remote working here to stay for many employees, businesses are more at risk than ever.
Meanwhile, the report found that over two thirds of consumers were concerned about their cybersecurity but didn’t know what to do about it, and nearly half of respondents were concerned about their ability to manage stress during the pandemic.
Stress affects different personality types in different ways, meaning that each individual employee has their own specific blind spot when it comes to cybersecurity. As the pandemic has raised stress levels, staff members may be more likely to panic and click on a malicious link, or fail to report a security breach to the IT team, depending on their personality type.
The paper therefore encourages businesses to implement a holistic cybersecurity strategy that takes individual personalities into account.
“Remote working has brought greater flexibility to the workforce, but has also dramatically altered business processes and systems. The combination of fractured IT systems, a lack of central security, the sudden shift to home working, and a global climate of stress and concern is a perfect breeding ground for a successful cyberattack. The fact that only a quarter of businesses have faith in their own remote working strategy is shocking, and shows there is much work to be done to secure working from home,” said Jake Moore, Cybersecurity Specialist, ESET.
John Hackston, Head of Thought Leadership at The Myers-Briggs Company, commented: “Cybersecurity has long been thought of as the responsibility of IT departments alone, but in order to build a holistic cybersecurity strategy that accounts for the human factor, IT and HR departments must work together. Using psychometric testing and self-awareness tools, HR can help to identify the makeup of teams and pinpoint potential vulnerabilities. IT teams can use this insight to create comprehensive security protocols and a proactive cyber strategy to stay one step ahead of potential threats.”
November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release or maybe an early gift depending upon how you look at the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.
The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!
This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.
A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.
This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.
Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.
November 2020 Patch Tuesday forecast
- Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates to include ESUs are expected.
- Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
- Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
- Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
- Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.
The race is on to build the world’s first reliable and truly useful quantum computer, and the finish line is closer than you might think – we might even reach it this decade. It’s an exciting prospect, particularly as these super-powerful machines offer huge potential to almost every industry, from drug development to electric-vehicle battery design.
But quantum computers also pose a big security problem. With exponentially higher processing power, they will be able to smash through the public-key encryption standards widely relied on today, threatening the security of all digital information and communication.
While it’s tempting to brush it under the carpet as “tomorrow’s problem”, the reality of the situation is much more urgent. That’s because quantum computers don’t just pose a threat to tomorrow’s sensitive information: they’ll be able to decrypt data that has been encrypted in the past, that’s being encrypted in the present, and that will be encrypted in the future (if quantum-resistant algorithms are not used).
It’s why the NSA warned, as early as 2015, that we “must act now” to defuse the threat, and why the US National Institute of Standards and Technology (NIST) is racing to standardize new post-quantum cryptographic solutions, so businesses can get a trusted safety net in place before the threat materializes.
From aviation to pharma: The industries at risk
The harsh reality is that no one is immune to the quantum threat. Whether it’s a security service, pharmaceutical company or nuclear power station, any organization holding sensitive information or intellectual property that needs to be protected in the long term has to take the issue seriously.
The stakes are high. For governments, a quantum attack could mean a hostile state gains access to sensitive information, compromising state security or revealing secrets that undermine political stability. For pharmaceuticals, on the other hand, a quantum computer could allow competitors to gain access to valuable intellectual property, hijacking a drug that has been in costly development for years. (As we’re seeing in the race for a COVID-19 vaccine, this IP can sometimes have significant geopolitical importance.)
Hardware and software are also vulnerable to attack. Within an industry like aviation, a quantum-empowered hacker would have the ability to forge the signature of a software update, push that update to a specific engine part, and then use that to alter the operations of the aircraft. Medical devices like pacemakers would be vulnerable to the same kind of attack, as would connected cars whose software is regularly updated from the cloud.
Though the list of scenarios goes on, the good news is that companies can ready themselves for the quantum threat using technologies available today. Here’s how:
1. Start the conversation early
Begin by promoting quantum literacy within your business to ensure that executive teams understand the severity and immediacy of the security threat. Faced with competing priorities, they may otherwise struggle to understand why this issue deserves immediate attention and investment.
It’s your job to make sure they understand what they’re up against. Identify specific risks that could materialize for your business and industry – what would a quantum attack look like, and what consequences would you be facing if sensitive information were to be decrypted?
Paint a vivid picture of the possible scenarios and calculate the cost that each one would have for your business, so everyone knows what’s at stake. By doing so, you’ll start to build a compelling business case for upgrading your organization’s information security, rather than assuming that this will be immediately obvious.
2. Work out what you’ve got and what you still need
Do a full audit of every place within your business where you are using cryptography, and make sure you understand why that is. Surprisingly, many companies have no idea of all the encryption they currently have in place or why, because the layers of protection have been built up in a siloed fashion over many years.
What cryptographic standards are you relying on today? What data are you protecting, and where? Try to pinpoint where you might be vulnerable. If you’re storing sensitive information in cloud-based collaboration software, for example, that may rely on public key cryptography, so won’t be quantum-secure.
As part of this audit, don’t forget to identify the places where data is in transit. However well your data is protected, it’s vulnerable when moving from one place to another. Make sure you understand how data is moving within your business – where from and to – so you can create a plan that addresses these weak points.
It’s also vital that you think about what industry regulations or standards you need to comply with, and where these come into play across the areas of your business. For industries like healthcare or finance, for example, there’s an added layer of regulation when it comes to information security, while privacy laws like the GDPR and CCPA will apply if you hold personal information relating to European or Californian citizens.
3. Build a long-term strategy for enhanced security
Once you’ve got a full view of what sensitive data you hold, you can start planning your migration to a quantum-ready architecture. How flexible is your current security infrastructure? How crypto-agile are your cryptography solutions? In order to migrate to new technology, do you need to rewrite everything, or could you make some straightforward switches?
Post-quantum encryption standards will be finalized by NIST in the next year and a half, but the process is already underway, and the direction of travel is becoming clearer. Now that finalist algorithms have been announced, businesses don’t need to wait to get quantum-secure – they must simply ensure that they design their security infrastructure to work with any of the shortlisted approaches that NIST is currently considering for standardization.
Deploying a hybrid solution – pairing existing solutions with one of the post-quantum schemes named as a NIST finalist – can be a good way to build resilience and flexibility into your security architecture. By doing this, you’ll be able to comply with whichever new industry standards are announced and remain fully protected against present and future threats in the meantime.
Whatever you decide, remember that migration can take time – especially if your business is already built on a complex infrastructure that will be hard to unpick and rebuild. Put a solid plan in place before you begin and consider partnering with an expert in the field to speed up the process.
A risk we can’t see
Just because a risk hasn’t yet materialized, doesn’t mean it isn’t worth preparing for (a mindset that could have come in handy for the coronavirus pandemic, all things considered…).
The quantum threat is serious, and it’s urgent. The good thing is that we already have all the ingredients to get a safety net in place, and thanks to strong mathematical foundations, we can be confident in the knowledge that the algorithms being standardized by NIST will protect businesses from even the most powerful computers.
The next step? Making sure this cutting-edge technology gets out of the lab and into the hands of the organizations who need it most.
Qualys Container Runtime Security: Defense for containerized applications
Qualys Runtime Container Security, once instrumented in the image, will work within each container irrespective of where the container is instantiated and does not need any additional administration containers. This new solution addresses, in real time, container security use cases like critical file-access monitoring and blocking, network micro-segmentation, vulnerability and exploit mitigation, and virtual patching.
iStorage launches diskAshur M2, a portable PIN authenticated, hardware encrypted SSD
The diskAshur M2 is iStorage’s smallest, lightest, fastest and most rugged FIPS compliant encrypted portable SSD and includes connectivity for both USB type A and C ports. The new diskAshur M2 SSD encrypts data using FIPS PUB 197 validated, AES-XTS 256-bit hardware encryption and uniquely incorporates a Common Criteria EAL4+ ready secure microprocessor, which employs built-in physical protection mechanisms.
Ermetic’s platform provides full stack visibility and control over multi-cloud infrastructure entitlements
By analyzing identity and access management (IAM) policies as well as the configuration of network, storage and secrets assets, Ermetic eliminates attack surface blind spots and enables organizations to enforce least privilege across their entire cloud infrastructure.
McAfee launches MVISION XDR, a cloud-based advanced threat management solution
MVISION XDR improves security operations centers (SOC) effectiveness with quick risk mitigation and delivers total cost of ownership (TCO) for threat response with the inclusion of MVISION Insight’s proactive threat analytics.
SailPoint updates its SaaS identity platform to accelerate enterprises’ identity processes
SailPoint announced a series of planned updates to its SaaS identity platform to enable enterprises to automate important identity processes that match the speed and pace of today’s dynamic business environment. The new features, which include role insights and access request recommendations, leverage machine learning algorithms to deliver on the SailPoint Predictive Identity vision.
According to HP Enterprise’s Business of Hacking report, ad fraud is the easiest and most lucrative form of cybercrime, above activities such as credit card fraud, payment fraud and bank fraud. Luke Taylor, COO and Founder of TrafficGuard, explains why businesses should do what they can to detect and prevent it.
What is ad fraud?
Invalid traffic, which encompasses advertising fraud, is any advertising engagement that is not the result of genuine interest in the advertised offering. This could be fake clicks generated by malware, competitors clicking ads in order to drain your ad spend, or users clicking ads by accident. Ad fraud is a subset of invalid traffic, characterized by its malicious intentions, and has been around for as long as digital advertising.
Every time a consumer sees or clicks on an advertisement, the company advertising pays the website for that displayed ad, as well as any number of adtech vendors and traffic brokers that facilitate the process such as ad networks and exchanges. The more advertising engagement, the more money goes to the pockets of these vendors. Some genuinely grow their audiences, while others use trickery to get non-genuine human engagement or fake bot engagements.
Ad fraud and other forms of invalid traffic can cost up to 30% of an advertiser’s budget. Due to a lack of solutions, many advertisers have become complacent with this aggressive attrition to their ad campaigns, considering it an additional cost of online advertising. In 2018, advertisers lost $44 million of advertising spend per day to fraudulent traffic in North America alone. It’s anticipated to reach $100 million a day by 2023.
The reality is the advertising ecosystem is quite complex, making it difficult for businesses to see whether ad fraud is impacting them. As a result, businesses aren’t taking steps to check their risk, let alone seek protection.
How common is this form of cybercrime and does it affect everyone equally?
Wherever there is money in digital advertising, there is invalid traffic. All digital channels, all geographies and all players in the advertising ecosystem. Every advertiser is aware that ad fraud exists, however, most reject the idea that it is happening to them, because it’s difficult to detect without the proper tools. However, just because one chooses not to see the problem, doesn’t mean it’s not there – advertising fraud makes its way into every campaign (CPM, PPC, install campaigns) and every stage of the advertising journey (impressions, clicks, installs, events).
With fraud mitigation and ad quality assurance tools, businesses could achieve big improvements to their advertising performance. The average company now spends 16% of its IT budget on cybersecurity protection measures, yet the issue of ad fraud goes unaddressed, as security decision makers remain oblivious to this challenge. From fake mobile display traffic to bots, ad fraudsters are undercutting businesses’ marketing and customer acquisition efforts.
How do these fraudsters operate, what’s in it for them and how much money are they “collecting” from businesses’ advertising budgets?
Ad fraud is both easier to commit and more costly to businesses than other forms of fraudulent activity. Sophisticated criminal organizations are making billions from ad fraud. The reality is that it’s nearly impossible to pinpoint their exact origins given how complex the digital advertising ecosystem is. Like any successful business, fraudsters are adapting and diversifying in the pursuit profit. The more funds that flow to fraud, the more attractive and formidable this type of cybercrime will become. The more money that flows to fraud perpetrators, the less effective the whole digital advertising ecosystem will be.
What are its consequences on businesses’ bottom line and intelligence?
In addition to drained advertising budgets, there are several other negatives consequences coming from ad fraud that limit businesses’ bottom lines, intelligence and ability to grow.
Ad fraud, and other forms of invalid traffic skew advertising performance data. This is quite detrimental to marketing efforts, affecting everything from future budgeting to campaign optimization. The impact doesn’t just stop at advertising. Product, user experience and website design teams rely on data to improve the customer experience. If their baseline data is skewed, their efforts can be spent in the wrong areas.
Fraudulent advertising activity also reduces the effectiveness of the digital advertising ecosystem for everyone. Advertising intermediaries, the companies who connect advertisements to traffic sources, must spend time and money to address ad fraud. This reduces their ability to scale advertising to the best quality sources of traffic – limiting growth for all advertisers.
How can business protect their digital ad campaigns from this illicit activity?
The cost of ad fraud is much bigger than just the wasted media spend, which is why it is imperative to evade. Preventative, transparent tools which stop fraud at the source are the most effective. This prevents wasted media spend, polluted data and the time-consuming process of manual volume reconciliations.
Optimization is significantly more effective when based on verified traffic data, enabling you to safely and confidently scale your advertising. Some anti-fraud tools occur in a black box, where you’re asked to trust that it works. Businesses should have access to reporting that shows you how fraud prevention is helping your business overall. Transparency is essential to be able to see clear and defendable reasons for each invalidation.
Ransomware groups have realized that their tactics are also very effective for targeting larger enterprises, and this resulted in a 31% increase of the average ransom payment in Q3 2020 (reaching $233,817), ransomware IR provider Coveware shared in a recently released report.
They also warned that cases where the attackers exfiltrated data and asked for an additional ransom to delete it have doubled in the same period, but that paying up is a definite gamble.
“Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data,” they noted.
The data cannot be credibly deleted, it’s not secured and is often shared with other parties, they said. Various ransomware groups have posted the stolen data online despite having been paid to not release it or have demanded another payment at a later date.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future,” the company said.
“The track records are too short and evidence that defaults are selectively occurring is already collecting. Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.”
Coveware’s analyst also found that improperly secured Remote Desktop Protocol (RDP) connections and compromised RDP credentials are the most prevalent way in for ransomware gangs, followed by email phishing and software vulnerabilities.
What’s interesting is that the “popularity” of RDP as an attack vector declines as the size of the target companies increases, bacuse larger companies are typically wise enough to secure it. The attackers must then switch to using more pricy means: RDP credentials can be purchased for less than $50, but email phishing campaigns and vulnerability exploits require more effort and time/money – even if they are performed by another attacker who then sells the access to the gang.
“The foothold created by the phishing email or CVE exploit is used to escalate privileges until the attacker can command a domain controller with senior administrative privileges. Once that occurs, the company is fully compromised and data exfiltration + ransomware are likely to transpire within hours or days,” they explained.
Companies/organizations in every industry can be a target, but attackers seem to prefer those in the professional services industry, healthcare and the public sector:
A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered.
It can be exploited in a variety of popular Git clients in their default configuration – GitHub CLI, GitHub Desktop, SmartGit, SourceTree, GitKraken, Visual Studio Code, etc. – and likely other clients/development IDEs (i.e., those install git with the Git LFS extension by default).
“Web applications / hosted repositories running on Windows which allow users to import their repositories from a URL may also be exposed to this vulnerability,” Golunski added.
About the vulnerability (CVE-2020-27955)
Golunski found that Git LFS does not specify a full path to git binary when executing a new git process via a specific exec.Command() function.
“As the exec.Command() implementation on Windows systems include the current directory, attackers may be able to plant a backdoor in a malicious repository by simply adding an executable file named: git.bat, git.exe, git.cmd or any other extension that is used on the victim’s system (PATHEXT environment dependent), in the main repo’s directory. As a result, the malicious git binary planted in this way will get executed instead of the original git binary located in a trusted path,” he explained.
The vulnerability can be triggered if the victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
Golunski says that CVE-2020-27955 is trivial to exploit, and has released PoC exploit code, as well as video demonstrations of the exploit in action on various Git clients.
What to do?
The vulnerability affects Git LFS versions 2.12 or earlier on Windows systems (but not on Unix). According to the Git LFS maintainers, there is no workaround for this issue other than avoiding untrusted repositories.
Affected users and product vendors are advised to update to the latest Git LFS version (v2.12.1, released on Wednesday), which plugged the security hole. Git for Windows has also been updated to include this Git LFS version.
The story of digital authentication started in an MIT lab in 1961, when a group of computer scientists got together and devised the concept of passwords. Little did they know the anguish it would cause over the next 50 years. Today, most people possess more than 90 username-and-password combinations and would rather click “Reset password” than try to remember them all.
Unfortunately, passwords are not only inconvenient, but dangerous as well – it’s a problem the world has been grappling with for the last 20 years, at least. Somewhere in the background, though, the authentication wheel has been turning and recently, at the Apple Worldwide Developer Conference (WWDC), two promising announcements were made.
But first, let’s backtrack a bit…
Everybody loves pizza
Authentication has evolved in several interesting ways. Two-factor authentication, for example, was developed in response to account takeover fraud – and it had its place. But when people started doubling up on the knowledge factor, we started seeing instances of knowledge-based authentication where, if you forgot your password, you could enter your mother’s maiden name, the title of your favorite book or your favorite food. Attackers could still succeed by guessing because, as it turns out, most people like pizza!
What if those scientists had started out differently and looked more closely at how other valuables were being protected?
House and car keys, for example, still represent strong possession factors that grant access to high-value assets. They’ve been used for ages with great success and, as a result, make the concept of possession as a primary factor easy for users to understand: “keep your keys safe, it grants you access.” There was never a need to add an extra layer of authentication.
Fast-forward to the digital era, and car keys have evolved to enable keyless entry. Houses, too, are commonly accessed with a remote. In both cases, unique challenge-response mechanisms are used for every transaction, making them impossible to intercept or copy.
Which brings me back to the first of two Apple announcements mentioned earlier.
Where physical meets digital
After much experimenting with identification and endpoints, the iPhone can now act as a car key. Though Apple devices are protected by biometrics and PINs, isn’t it ironic that after all this time, the iPhone – in all its sophisticated glory – has become like a physical key in a sense?
Had that MIT team been able to use an uncopiable “digital key,” perhaps today’s digital world would not be littered with billions of passwords, and attackers would have had to physically approach their victims to steals their keys. That would have cost money and exposed them to capture, making attacks much more costly and risky when compared to attacks that are carried out by sending out thousands of phishing emails at a time.
Of course, there have been several attempts to come up with alternatives. Many dedicated hardware devices have been used over the years with varying degrees of success, but no-one has ever hit the nail on the head.
Some companies allocated a number but did not generate it themselves. Instead, they used a number found or calculated on the device (like the phone’s IMEI or browser fingerprinting), breaking the challenge-response paradigm and nullifying the isolation principle. Others issued physical hardware (like keys) that created cost and distribution challenges, not to mention them being yet another thing for users to carry around.
A vision of endpoint perfection
Companies entering this space need to recognize the value of secure endpoints and find a solution that will:
- Ensure that each endpoint instance is allocated a unique, once-off value
- Ensure that each challenge-response mechanism is unique every time
- Limit the “key” to a single use and having a unique “key” for each mobile app
- Have the ability to issue new keys for each new use case and make the linking easy
- Have the ability to issue keys to devices that users already have in their possession
This can result in stable endpoints. Though certain requirements may force a business to include passwords here and there, the endpoint always needs to be the anchor.
When looking at companies that applied the security principles mentioned above, many arrived at similar solutions. The FIDO Alliance, for example, launched eight years ago to tackle the world’s over-reliance on passwords. They chose to focus mainly on protecting website logins. However, there are ways that businesses can obtain certifications and become FIDO compliant.
Android announced that FIDO would be built into their devices. Microsoft then followed suit, adding it to their authentication setup in Windows (Windows Hello). Only one dominant player remained – Apple – and they were silent. Then, suddenly, with iOS 13.3, Safari started supporting external FIDO tokens. So, when Apple joined the FIDO Alliance in February this year, many were already anticipating a WWDC unveiling – yes, the second announcement.
Now, the endpoint puzzle is finally complete and later this year, all major desktop (Windows and macOS) and mobile (iOS and Android) operating systems will feature built-in FIDO authenticators operating as secure endpoints.
Trusted endpoints: Where we need to be
The vision of trusted endpoints is becoming a reality and finally, context-specific identities can be provisioned into most consumer devices. Consumers can now trust in a physical device, not in some digital thing that can easily be lost or forgotten.
To succeed, attackers will need to gain access to the physical device, which is not easily done.
Of course, there are many challenges we still need to tackle. However, they pale in comparison to the potential that now exists to create exciting new customer journeys using a universal platform authenticator.