When we think about cybersecurity, we usually think about it in terms of an inside and an outside. You have your network, application, and data all instead one system, and cybersecurity is about keeping the bad guys on the outside. For awhile, this “castle and moat” model of cybersecurity made a lot of sense. However, as technology has advanced and business needs have changed, experts are now shifting towards a new way of thinking about cybersecurity: zero trust.
The problem with the traditional approach to cybersecurity is that the lines between inside and outside are now blurred. Instead of keeping all our applications and data in a central location, the introduction of cloud-based services has spread out our network into multiple locations with multiple points of access. What’s more, with the recent rise in remote work, our networks are less centralized than ever before.
In many ways, hackers have understood the implications of these changes far faster than we have. Today, brute force attacks have taken a backseat to credential compromise, phishing, and other attacks that allow bad actors to gain access by using your network settings rather than breaking them. And if you use the traditional cybersecurity model, once a hacker gains access to your network, they can spend months freely moving around your network before launching an attack.
That’s why cybersecurity experts are pushing what is called “zero trust” cybersecurity. In essence, this strategy involves verifying the identity and access needs of every single user — no matter if they are coming from inside or outside your network. Instead of assuming that it’s okay to trust anyone already in your network, zero trust means everyone should be mistrusted until proven to be legitimate.
One aspect of zero trust involves using technology to secure your network from the inside out. Multi-factor authentication, network segmentation, and identity and access management systems are all key tools for a zero trust security posture. It’s important to keep a close watch on the access employees have to move around your network. Best zero trust practice means only giving access to an employee for specific business needs then revoking that access after a fixed period of time. Using these practices can help protect your network if an employee’s credentials are compromised.
While using cybersecurity technology will help you build towards a zero trust framework, without proper governance structures and an overall zero trust culture your organization will remain vulnerable. It’s essential that business leadership understands the concept of zero trust and are active in crafting a culture that values this model of security. If an employee receives an invoice from a vendor, for example, it should be standard procedure to verify the identity of the vendor and the payment request before releasing funds.
At the end of the day, a zero trust approach to cybersecurity requires an active and ongoing effort to prevent cyber threats. Security technology, policies, and culture should be built into your business strategy by design rather than retroactively applied.
We’ve talked about the human factors of cybersecurity and the importance of exposing employees to social engineering scams and other attacks that exploit human vulnerabilities. However, when we look at how to improve our organization’s digital practices, we have to do more than train and simulate phish. We have to take a look at what we are asking staff to do and make sure that the cybersecurity behaviors we want them to do are easy, not difficult. Otherwise, those behaviors will become hard to sustain in the long term.
When you’re trying to create new behaviors — for yourself or for your employees — it’s essential to remember that motivation is not a constant. You might be energized and excited to spot phishing emails when you first learn about it, but overtime that could fade. You might get stressed about other parts of your job, or you might be distracted by friends and family, and overtime your interest in your new habit may start to fade. But that is okay! According to behavior scientist BJ Fogg, instead of trying to keep yourself motivated, focus on creating behaviors that are so easy you can do them without worrying about motivation at all.
So, when it comes to fostering cybersecurity behaviors in your employees, it’s essential to keep things short and easy to do. And the truth is, there are a number of super easy cybersecurity behaviors that will help keep you, your employees, and your businesses from being vulnerable to cyber threats. Here are just a few:
Automated Security Scanning
One example of a simple behavior for your software security is to run applications through an automated security scanning tool. Automation is becoming more and more helpful for relieving some of the burden off your IT and security staff. Now, many scanning tools can be set to run automatically, and will highlight potential vulnerabilities with your applications, systems, and even websites. This will leave your security team to evaluate and patch vulnerabilities, instead of wade through your entire system looking for any holes.
Another important and easy cybersecurity tool is single sign-on (SSO). Essentially, SSO allows employees to use one set of credentials to access a variety of separate services and applications. While it may seem safer to have different credentials for every applications, single sign-on can actually create stronger authentication processes across the enterprise. As companies began to rely on more and more services, each requiring different credentials, it became hard for employees to keep track of all their log in information, leading to worse password hygiene. By combining all credentials into one, it is easier for employees to use smart and secure credentials.
One other easy cybersecurity behavior you can implement is a phish reporting button within your email provider. It’s essential that your IT department is aware of any phishing emails being sent around the office, and in many cases it’s up to the employees to report any phish they receive. While simply forwarding an email to your IT help desk might not seem like a lot, using a simple button to report potential phish is that much easier. Implementing a feature as simple as a report button can increase your reporting and help your IT department keep the network safe.
There are plenty of additional cybersecurity behaviors that you can make easy. All you have to do is first look at what people do, find out what is making the behaviors you want to see difficult to accomplish, then work to make them easier.
By now, most people have heard about the hack of high-profile Twitter accounts that took place on July 15th. To carry out the attack, the perpetrators used a social engineering tactic called “vishing” — short for voice phishing — in which attackers use phone calls rather than email or messages to trick individuals into giving out sensitive information. The incident once again highlights the risks associated with human rather than technical vulnerabilities, and shows Twitter’s shortcomings in managing employee access controls.
On the day of the attack, big names like President Barack Obama, Elon Musk, Jeff Bezos , and Joe Biden all tweeted a message asking users to send them bitcoin with the promise of being sent back double the amount. Of course, this turned out to be a scam and the tweets were quickly removed, but not before the hacker received over $100,000 worth of bitcoin.
According to a statement by Twitter, the attackers gained access to the company’s internal systems the same day as the attack. By using “a phone spear phishing attack,” — commonly known as vishing — the scammers tricked lower-level employees into revealing credentials that allowed them access to Twitter’s internal system. This access, however, did not allow the attackers to immediately access user accounts. However, once inside they were able to carry out additional attacks on other employees who did have access to Twitter’s support controls. From there, the hackers had access to every account on Twitter and could make important changes, including changing the email address associated with an account.
While vishing is not the most well known or most frequent form of social engineering attack, the Twitter hack shows just how dangerous it can be. It’s the one type of attack that requires no code, email, or usb device to carry out. However, there are key protections businesses can use, and that should have been in place at Twitter. First among them is to have explicit policies and safeguards for disclosing credentials and wiring funds. Individual employees should not be allowed to give out information on their own — even if they think they are giving it to a trusted colleague. Instead, employees should have to communicate with a third-party within the company who can verify an employee’s identity before sharing credentials.
Secondly, Twitter needed to have stricter access controls in place, throughout all levels of the company. While Twitter claims that “access to [internal] tools is strictly limited and is only granted for valid business reasons,” this was clearly not the case on July 15th. And even though the employees that were initially exploited did not have full access to user accounts, the hackers were able to leverage the limited access they had to then gain even more advanced and detailed permission rights. Businesses should therefore ensure all employees, even with limited access, have the proper cyber awareness training and undergo simulations of various social engineering attacks.
This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.
Lastly, when it comes to vishing, it’s important to use techniques similar to those used to spot other types of scams. When getting a call, the first thing to do is simply take a breathe. This will interrupt automatic thinking and allow you to be more alert. You also need to make sure you are actually talking to who you think you are. Scammer’s can make a call look like it’s coming from a trusted number, so even if you get a call from someone in your contacts it could still be a scammer. That’s why it’s important to focus on what the phone call or voicemail is trying to convey. Is it too urgent? Are they probing for sensitive or personal information about you or others? Is it relevant to what you already know? If anything at all seems off, be extra cautious before talking about that could be damaging.
While you may feel comfortable spotting a phishing attack, hackers and scammers are constantly looking for new ways to trick us. And, as the Twitter hack shows, they are very good at what they do. It’s better to be too cautious and assume you are at risk of being scammed, then think it could never happen to you. Because it can.
Earlier this week we wrote about the cost of human-factored, malicious cyber attacks. However, there are also other threats that can lead to a malicious attack and data breach. According to this year’s Cost of a Data Breach Report, the stolen or compromised credentials tied for the most frequent cause of malicious data breaches, and took the lead as the most costly form of malicious breach.
The root cause of compromised credentials varies. In some cases, stolen credentials are also related to human-factored social engineering scams such as phishing or business email compromise attacks. In other cases, your login information may have been stolen in a previous breach of online services you may use. Hackers will often sell that data on the dark web, where bad actors can then use the data to carry out new attacks.
Whatever the cause, the threat is real and costly. According to the report, compromised credentials accounted for 1 out of every 5 — or 19% of — reported malicious data breaches. That makes this form of attack tied with cloud misconfiguration as the most frequent cause of a malicious breach. However, stolen credentials tend to cost far more than any other cause of malicious breach. According to the report, the average cost of a breach caused by compromised credentials is $4.77 million — costing businesses nearly $1 million more than other forms of attack.
Given the frequency of data breaches caused by compromised credentials, individuals and businesses alike need to be paying closer attention to how they store, share, and use their login information. Luckily, there are a number of pretty simple steps anyone can take to protect their credentials. Here are just a few:
There are now a variety of password managers that can vastly improve your password strength and will help stop you from using the same or similar passwords for every account. In my cases, they can be installed as a browser extension and phone app and will automatically save your credentials when creating an account. Not only are password managers an extremely useful security tool, they are an incredible convenient tool for a time when we all have hundreds of different accounts.
Another important and easy to use tool is multi-factor authentication (MFA), in which you are sent a code after logging in to verify your account. So, even if someone stole your login credentials, they still won’t be able to access your account without a code. While best practice would be to use MFA for any account offers the feature, everyone should at the very least use it for accounts that contain personal or sensitive, such as online bank accounts, social media accounts, and email.
Check Past Compromises
In order to ensure your information is protected, it’s important to know if your credentials have ever been exposed in previous data breaches. Luckily, there is a site that can tell you exactly that. Have I Been Pwned is a free service created and run by cybersecurity expert Troy Hunt, who keeps a database of information compromised during breaches. User’s can go on and search the data to see if their email address or previously used passwords have ever been involved in those breaches. You can also sign up to receive notifications if your email is ever involved in a breach in the future.
Cyber Awareness Training
Lastly, in order to keep your credentials secure, it’s important that you don’t get tricked into give them away. Social engineering, phishing, and businesses email compromise schemes are all highly frequent — and often successful — ways bad actors will try to gain access to your information. Scammers will send emails or messages pretending to be from a company or official source, then direct you to a fake website where you are asked to fill out information or login to your account. Preventing these scams from working largely depends on your ability to accurately spot them. And, given the increased sophistication of these scams, using a training program specifically designed to teach you how to spot the fakes is very important.
On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.
When it comes to cybersecurity practices, there is an overwhelming amount of options available today, which can make it hard for businesses to figure out what they need. It’s easy to think you need newest and most expensive cybersecurity technology with all the bells and whistles to be protected. But the truth is that every business will have different needs and will need to develop cybersecurity practices that suit their specific business goals and strategies. If you don’t align your cybersecurity with your business objectives, chances are all your fancy security practices will end up hindering your business. There are, however, a number of critical cybersecurity practices that every business should consider. Each of these practices are all easy to implement and will leave your business a lot more secure:
One of the most critical cybersecurity practices is also the simplest: updating your applications and operating systems. Software updates aren’t just about adding new features, but in most cases also includes security improvements and patches to any known vulnerabilities. And while it can be tempting to put off updating your applications for another day, it is very important to install these updates as soon as you can. Hackers are constantly looking through popular applications for potential vulnerabilities, so keeping your systems up to date will help ensure the bad guys can’t exploit any weaknesses in the outdated version.
2. Access Control
Another vital component to any cybersecurity policy is controlling access to your networks, systems and data. This includes limiting employee access to areas of your system that aren’t relevant to their work. You also need to ensure that your employees are using passwords that meet certain length and complexity requirements, as well as using multi-factor authentication for all remote logins. This is especially important now that many employees are working from home.
3. Lockdown Mobile and Remote Devices
Whether employees are using company-issued or personal devices, it is important to ensure certain security settings are in place if those devices are used to access your network remotely. This includes ensuring that all devices are using a virtual private network (VPN) to keep internet data anonymous, and malware scanners to detect infected devices. Another big risk with mobile and remote devices is that potential for them to be lost or stolen. It’s therefore important to make sure your devices are encrypted and that you have a system in place that allows you to delete the data from any remote device if it goes missing. This will keep the anyone who finds the device from access any sensitive data it might contain.
4. Back up and Recovery Tests
It is also critical to keep regular backups are your most important networks and most sensitive data. This is especially important to protect yourself against ransomware attacks, where hackers lock you out of your own system. Having a backup may prevent you from having to pay to get your data back. However, it’s not enough to just keep backups, but to regularly test your recovery process. Backups will sometimes be corrupted and If you make a mistake or your backup settings are misconfigured, it’s possible you won’t be able to fully recover your data. Testing your backups regularly will ensure you can get your data back if sometime bad happens.
5. Firewall Configuration
Firewalls are essential for monitoring incoming and outgoing network traffic, and blocking any traffic that doesn’t meet your security standards. It’s often considered your first line of defense, so should be set up with care. The specific configurations you need depends on a number of factors, but overall you should make sure you don’t have any unnecessary open ports and ensure that traffic coming and going from the most critical and sensitive areas of your network have stricter traffic limitations. It’s also very important to change any default account and passwords that come with the firewall. Hackers can cause a lot of damage if they gain administrative access to your firewall, so you want to keep access to it as secure as possible.
6. Security Awareness Training
Last but definitely not least, it is critical that your employees receive security awareness training. Phishing and other social engineering attacks are now the number one cause of data breaches, meaning your employees are your frontline defense against cyber attacks. If your employees don’t know how to spot phish or business email compromise attempts, you leave your system dangerously vulnerable to attack. Simply put, by giving your employees the tools to develop safe online habits, you dramatically increase the security of your organizations.