Cybersecurity Awareness: Is One Month Enough for a Passing Grade?
When we consider today’s persistent and sophisticated threat actors, shouldn’t every month be Cybersecurity Awareness Month? The month has four themes according to the Cybersecurity and Infrastructure Security Agency and National Cybersecurity Alliance. BlastWave graded them and provided additional education to help enterprises address the shortcomings of outdated technologies such as hardware-based VPN, traditional MFA, cloud-based SASE, CASB services, and others.
The Cybersecurity Report Card: Morbid at Best
Today’s cyber report card looks scary, so it’s fitting that Cybersecurity Awareness Month aligns with Halloween. Even Twilio, Microsoft, and Uber are getting hacked, indicating that the current enterprise security approach is ineffective. Identity is the lynchpin of secure remote access, but many products allow threat actors to exploit human error and spoof identity. To comply with the federal memorandum on Zero-Trust architecture, enterprises need to “give up the ghost” and stop clinging to trust-inclined security. Let’s see if we can get some better grades on these themes.
Enable Multi-Factor Authentication: C+
The idea behind multi-factor authentication is headed in the right direction. However, unauthenticated attack surfaces are skyrocketing as enterprises rely on hybrid work models and turn to digitalization to improve efficiency in their critical infrastructure, in turn making the business environment more complex. Despite eliminating user-generated passwords, traditional MFA does not adequately reduce the attack surface or the possibility of human error, and it still leaves exposed web services, bugs, CVEs, and more open to exploitation. As a result, MFA remains susceptible to phishing, SIM jacking, and social engineering.
To pass with flying colors, enterprises can implement a software-defined perimeter that includes phishing-resistant passwordless MFA. Phishing-resistant authentication eliminates credentials and one-time passwords (OTP) to reduce attack surfaces and security holes. With this solution, users are authenticated continuously through biometrics, hardware-based FIDO2 keys, and cryptographically-signed challenge-response systems before they are allowed to connect. This addresses the pain point of spoofability because you cannot anonymously connect to an asset protected by phishing-resistant MFA. If your phishing-resistant MFA eliminates the need for digital certificate management or cloud-based exchanges, that’s even better.
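The property that makes a challenge-response scheme phishing-resistant is that the origin of the page requesting authentication is bound into what the authenticator signs, and the authenticator only answers for origins it was enrolled with. The following is an added illustration, not BlastWave's or BlastShield's code: it simplifies the FIDO2 flow by using a shared-secret HMAC where a real authenticator would use a per-site private key and a public-key signature (an assumption made so the example runs with the standard library only), and the origins are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _mac(secret: bytes, origin: str, challenge: bytes) -> bytes:
    # The origin is bound into the authenticated message. That binding, not the
    # secrecy of a one-time code, is what defeats a look-alike login page.
    # (HMAC stands in for the FIDO2 public-key signature; an assumption here.)
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class Authenticator:
    """Models a hardware key holding one credential secret per registered origin."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, origin: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._keys[origin] = secret
        return secret  # a real key would return a public key, never the secret

    def respond(self, challenge: bytes, origin: str) -> Optional[bytes]:
        # The browser, not the user, supplies the origin of the requesting page,
        # so a user tricked by a spoofed page cannot "decide" to answer for it.
        secret = self._keys.get(origin)
        if secret is None:
            return None  # no credential for this origin: the key refuses
        return _mac(secret, origin, challenge)


class RelyingParty:
    """The legitimate service: issues single-use challenges and checks responses."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._secret: Optional[bytes] = None
        self._pending: set = set()

    def enroll(self, authenticator: Authenticator) -> None:
        self._secret = authenticator.register(self.origin)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None or challenge not in self._pending:
            return False  # refused by the key, or an unknown/already-used challenge
        self._pending.discard(challenge)  # every challenge is single use
        assert self._secret is not None, "verify() called before enroll()"
        return hmac.compare_digest(_mac(self._secret, self.origin, challenge), response)


def run_scenarios() -> Dict[str, bool]:
    """A genuine login, a relayed-challenge phishing attempt, and a replay."""
    key = Authenticator()
    rp = RelyingParty("https://vpn.example.com")  # constructed sample origin
    rp.enroll(key)

    # 1. Genuine login: the challenge is answered for the real origin.
    c1 = rp.new_challenge()
    legit = rp.verify(c1, key.respond(c1, "https://vpn.example.com"))

    # 2. Phishing: a look-alike page relays the real challenge, but the browser
    #    reports the look-alike origin, for which the key holds no credential.
    c2 = rp.new_challenge()
    phished = rp.verify(c2, key.respond(c2, "https://vpn-example.com"))

    # 3. Replay: a captured valid response is presented a second time.
    c3 = rp.new_challenge()
    r3 = key.respond(c3, "https://vpn.example.com")
    first_use = rp.verify(c3, r3)
    replayed = rp.verify(c3, r3)

    return {
        "legitimate": legit,
        "phished": phished,
        "first_use": first_use,
        "replay": replayed,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The phishing scenario fails at the authenticator rather than at the server: because the credential is keyed to the enrolled origin, there is nothing for a spoofed page to harvest, which is the contrast with OTP-based MFA, where the code a user types is valid for whichever page asked for it.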
Strong Passwords: F-
It’s 2022 - why is anyone still using a password? Compromised credentials are the cause of nearly 61% of cyber breaches. It doesn’t matter how “strong” your password may be. Credentials depend on the human element. But the human element is the weakest link in enterprise security, amounting to the underlying cause of 82% of breaches. To address this, enterprises can choose a Zero-Trust solution that eliminates passwords and controls both sides of the authentication handshake to remove human decisions from the authentication process, thereby reducing the possibility of human error. The overarching theme of the Month is “see yourself in cyber.” This is pertinent in terms of education and shared experience. Yet I think the less we “see” humans actively involved in the authentication process, the better we can atone for passwords - the original cyber sin.
Update Software: B+
This is important to address the evolving nature of the threat landscape. As adversaries continue to innovate and implement automation in their own attack vectors, cybersecurity solutions must evolve to keep pace and help enterprises achieve a preventative security approach. However, software updates are pointless if they aren’t informed by the right mindset to solve the actual pain points facing IT managers and CISOs. As business environments become more distributed and complex, security upgrades should simplify the security stack, not add layers of complexity.
Recognize and Report Phishing: A-
Phishing accounted for 36% of data breaches last year and often leads to credential theft, so this theme is important. But it isn’t enough to rely on your hybrid workforce to recognize a spoofed authentication page. Again, you’re just involving human decisions in your authentication process. It’s important to prioritize performance when protecting critical infrastructure against phishing. Recent studies show that 79% of employees sacrifice security for speed. Latency and performance are significant challenges presented by hybrid work as users seek remote access to third-party resources outside of the enterprise security perimeter.
To protect against phishing, enterprises need fast Zero-Trust solutions that their employees will not bypass for the sake of convenience, yet they need to keep connected machines, users, and applications invisible to internal and external attackers. Technologies like cloud-based SASE may claim to improve manageability, but what about performance or security? These products backhaul traffic through a shared gateway on a third-party cloud server, leaving enterprises vulnerable to performance bottlenecks and third-party risk challenges.
High-performance, peer-to-peer Zero-Trust Network Access provides enterprises with fast, secure remote access via full-mesh tunnels. This peer-to-peer architecture eliminates the performance issues of other products such as cloud-based SASE or CASB services without compromising security.
What are your thoughts on these themes? Are they helpful? Let us know your best practices and follow us on Twitter and LinkedIn. To see how our ZTNA product BlastShield™ satisfies these requirements as a single solution and was rated the fastest ZTNA solution on the market by Tolly Group, download the free performance report. You can also visit our Get Started page for demo videos and a free trial download of BlastShield.