Avast blog: Election hacking updates

As we approach the November general U.S. elections, things are heating up, with both candidates now making actual campaign appearances. We have also seen an increase in cyberattacks and other threats to our elections. This includes efforts to hack into campaign staff’s accounts by foreign governments, physical threats during these campaign stops, and changes to how votes will be recorded.

You can read my full post on Avast’s blog here, where I review the latest in election interference news.

Avast blog: Back to campus means understanding your data security

As college students try to return to campus, some are being asked to allow the college unprecedented access to their whereabouts and health information, as we posted last week. Many are learning about the personal implications of their data security for the first time, let alone dealing with being quarantined. I’ve previously explored the wide ranging methods colleges are using to try to bring students back to campus safely and how they are planning to track their students (and staff). In this post, I talk about some of the infosec issues with tracking the college crowd. It all comes down to having solid IT leadership and necessary skills on staff to do proper security vetting.

You can read more on my blog for Avast today.

RSA blog: Security Is No Longer A Binary Decision

IT security has evolved from being a completely binary operation to taking a more nuanced approach. Back in the days when R, S, and A first got together, it was sufficient to do security on this pass/fail basis – meaning a large part of security was letting someone in or not to your network. Or allowing them to use a particular application or not or allowing them access to a particular network resource (printer, server) or not. In some of my other blog posts, I have mentioned this nonbinary approach in passing, particularly when I have talked about adaptive authentication. This is the core reason that the authentication “adapts” to particular conditions – for example, if someone is attempting a second login with “impossible travel” conditions. Or if you are trying to authenticate not just the user but their device as well.

But the nonbinary issue is bigger than authentication. And it is a product of our times: First, because of the pandemic and more remote working conditions, IT shops have had to make drastic changes in their infosec policies, procedures, and products. But more importantly, a nuanced approach is needed more than ever because everyone has somewhat different security circumstances. “It isn’t just that one size doesn’t fit everyone; it is that one size doesn’t fit many circumstances,” said Erik Jost, the Chief Technologist for NTT Data, in a recent conference session. Everyone’s network infrastructure is different and has changed greatly since the beginning of the pandemic. Let me give you a few examples:

– Figuring out attribution for the source of an attack. Sometimes there are shades of grey that could indicate a variety of outcomes, or even that an attack wasn’t from an adversary at all but just from a badly configured laptop belonging to an employee. Or an attacker may deliberately confuse things by planting false flags in their code so that they can slip inside your network undetected, such as by disguising their malware as a normal piece of code that is part and parcel of the underlying operating system. Blocking these sneakier methods calls for a nuanced approach, so you can link the various steps in a malware’s kill chain and make it harder for an attacker to move around your network before more damage is done.

– Password rules that are too complex. Many IT shops put in place requirements for password construction that are too onerous: 20-character passwords that must be changed every month, for example. This makes employees more motivated to come up with more predictable passwords that they can remember and manage, which defeats the whole purpose of having complex passwords to begin with.

– Over-protective endpoint security. While it is great to plug as many holes as possible across your endpoint collection, if you lock down your endpoints too much, employees will shift their work to the cloud and to their personal devices that aren’t locked down. That is also self-defeating.

– Finding “missing” network segments. It is just human nature: we can be forgetful, and in some cases as a result of misconfiguration, we can forget about an entire network segment or collection of servers. Your endpoint/intrusion detection tools tend to be more pass/fail on this and can give you false results. If these tools offered a more nuanced approach, you might recognize that the forgotten equipment is legitimate and that you need to modify your system asset tables to properly account for it, rather than collect a bunch of false warning messages.

– URL shorteners. Remember how they were all the rage not too long ago? Now they are less favored, because they can hide malware or take you to places that will compromise your endpoint’s browsing session. Again, nuance please. This is what happened at the email provider SendGrid, which is now owned by Twilio. Many of their customers give the shortened URLs generated by their software an automatic pass. That turned out to be one way that attackers could compromise their customers’ accounts.

– Dealing with detecting impossible travel. The impossible travel situation once was absolute: after all, no one can travel across the globe very quickly, especially these days. But as more of us work remotely and make use of VPNs, calculating what is possible is a lot harder to do just by computing the raw distance between the implied geolocations. If I change my VPN endpoint from one continent to another, does that mean my account has been compromised, or is it because I am trying to obtain a better or faster Internet connection? Nuance once again.

– Sloppy offboarding of former staff. Did your recently fired employee access your network? We don’t always offboard former staff completely and can sometimes leave a residue of access rights scattered around the network. Detecting these mistakes will require a finer – and more thorough – touch.

As one article written back in 2017 stated, “Cybersecurity requires a more nuanced approach than rushing headlong into the cyber-security marketplace to snap up the shiniest solutions, sanctioning wholesale Internet separation, or locking out USB devices entirely. Senior management of large organizations should also be wary of blanket cybersecurity policies that conflict with local operational needs.” I couldn’t agree more.

Network Solutions blog: How Passwordless Authentication Works and How to Deploy It

Passwords are known as the bane of every IT security manager, but often it’s the way they’re used that creates the most problems. Passwords are shared and reused across numerous logins and can frequently be easily guessed by using pet and children’s names. In other cases, passwords are compromised by users who stick with the default manufacturer settings years after their hardware is installed. This has given rise to a number of solutions that are labeled ‘passwordless,’ even though they technically still use some form of authentication.

You can read more with my post for Network Solutions blog here.

CSOonline: 10 common cloud security mistakes that put your data at risk

The news is filled regularly with attacks on misconfigured cloud servers and the leaked data that criminals obtain from them. The errors happen because we are all human. We might set up a cloud server with loose (or no) credentials and forget to tighten them when the server is placed into production. Or we fail to keep software up to date when exploits are discovered or get IT involved to audit the finished production app to ensure that it is as secure as possible.

You can read my post for CSOonline here on the 10 most common cloud configuration mistakes.

CSOonline: Securing Microsoft Teams

As more remote work from home happens, your collaboration tools need more scrutiny. A popular choice for instant messaging and video conferencing is Microsoft’s Teams, and securing this application will be a challenge. There have been Teams-specific exploits observed, for example. And even if Teams isn’t targeted, it could fall victim to general DDoS or ransomware attacks, which would be an issue if you depend on Teams for internal communications post-attack. And while Microsoft has published numerous suggestions on how to better secure Teams, the process is vexing and error-prone.

You can read my published analysis for CSOonline here. I also compare how Teams security stacks up with Slack. Avanan, pictured above, has versions for both.

Avast blog: Everything you should know about social media scraping

Last month, a massive data leak exposed more than 300 million different accounts from social media platforms. The collection included 192 million records scraped from two different Instagram collections, along with 42 million records scraped from TikTok and an additional 4 million records scraped from YouTube.

The records include usernames, profile photos, emails, phone numbers, age and gender along with specifics about followers and other engagement for each account. The leak involved a set of three open data shares from the company Social Data: a few hours after being notified, the shares were properly secured.

There are several things that are interesting about this leak: its source, how the data was obtained, and what this means for your own social media consumption. You can read more on the Avast blog. 

Network Solutions blog: Understanding SSO

One of the best ways to manage your password collection is to use a single sign-on (SSO) tool. These tools centralize the administration of user authentication services by having one login credential that can be used for multiple applications. 

You might think this creates a security loophole. We have all been drilled into not sharing the same login across multiple apps, right? The way that SSO works is somewhat different. Yes, you have a single login to gain overall access to an SSO tool. But once that is accomplished, the tool then automatically sends out separate credentials to sign in so you can use each of your apps. In many cases, you don’t even know what the details of each credential are — they could be very complex passwords that are created at random by the tool. The good news is that you don’t need to remember each one, because the SSO does it for you. The bad news is that implementing SSO can be confounding, costly and complex.

You can read more on this topic on my blog post for Network Solutions here.

RSA blog: Why authentication still holds the key for RSA’s success after nearly 40 years

Today, RSA once again becomes an independent company, after being owned by EMC and then Dell Technologies for the past several years. I’m commemorating this milestone by looking at a few of my favorite products from the RSA portfolio and setting some context for the longevity of this iconic company.

Ironically, those of you who might not recall the early days of RSA may not realize that the actual “RSA” name almost disappeared altogether. This was the result of an early acquisition by Security Dynamics in July 1996 – fortunately the RSA name was adopted after the acquisition. Speaking of longevity, the company’s initials of course stand for its three founders:

It has been almost 40 years and RSA is still a significant player in the information security marketplace. Formed back when mainframes walked the earth, it has thrived during the Internet era and continues to innovate with new products and new ways to deliver security.

While RSA offers a range of products – from SIEM to integrated risk management – it’s their authentication and fraud prevention products that have frequently caught my attention. At a time when cybercrime is increasing and organizations need solutions to help them secure the future dynamic workforce, these three products will play a significant role in the future of many businesses:

  1. RSA SecurID with Yubikey

The iconic, one-time-password generator RSA SecurID Access hardware or software token has been around for decades and can be found in the hands (or on the devices) of millions of workers globally. Over the years, the fob form factor has been tweaked, augmented by an added USB port, and other minor changes. This fob can be used in a variety of authentication circumstances, and is a significant multi-factor method. One of the most significant recent developments is something announced last year and involves the Vulcan mind-meld with Yubico’s Yubikey.

What I like about this partnership is that you never have to type another series of PINs ever again. All you need to do is to press the gold-colored button on the Yubikey to acknowledge that you have it in your possession, and the PIN stored within the device will make its way into the RSA SecurID infrastructure and authenticate you.

I like to think of this offering as a marriage between RSA’s longest running and most famous product and the latest authentication standards. It’s worth taking a closer look, especially if you are an existing RSA SecurID Access customer and want to step up your authentication game. As more passwords find their way to various security leak lists, having a hardware key is still the most secure method to protect all of your logins.

  2. RSA Adaptive Authentication

If you are using any kind of authentication system, you need to be using adaptive authentication (AA) and the RSA version is a solid product. The issue is that we all have to stop thinking about authentication as a binary event. In the past, you were either authenticated or you were not. What AA does is operate more continuously, checking your actions (defined variously) against trustworthy norms to evaluate whether you are who you should be as you go about your computing daily life. As the criminals get better about compromising our accounts with various phishing lures, AA is going to become an essential defense mechanism.

As I mentioned in an October 2018 blog post, AA can be combined with various RSA multi-factor authentication and biometric tools to beef up your identity and access management strategy and help improve your login security.

As an example of its use, the British credit company New Day has deployed AA to help reduce fraudulent credit card usage. The AA routines pre-screen questionable transactions and determine whether they should be allowed or escalated to human examiners, thus creating fewer challenges for their customers. These screens include looking for geolocation conflicts (a consumer who is making withdrawals in two different places that aren’t physically near each other), an odd purchase (such as a suit, for someone who hasn’t bought one recently, which is what happened to me once and was mildly embarrassing), or a large cash withdrawal at a new ATM location.
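The continuous, non-binary scoring that this section describes, and the “impossible travel” nuance raised in the “Security Is No Longer A Binary Decision” post above, as an added example that is not RSA’s code and not part of either original post. It computes the implied travel speed between two geolocated events with the haversine formula, discounts a jump between two egress addresses the organization already knows as its own VPN exits, adds signals for an unusual merchant category and for a large withdrawal at an unfamiliar ATM, and maps the summed score to allow / step-up / escalate rather than yes/no. Every name, threshold, weight, IP address and profile value below is a constructed assumption.

```python
"""Adaptive (non-binary) login and transaction risk scoring. Added example; all data constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner speed; anything faster is "impossible travel"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points (haversine formula)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Event:
    user: str
    ts: int                      # unix seconds
    lat: float
    lon: float
    egress_ip: str               # public IP the event arrived from
    kind: str                    # "login" | "purchase" | "atm"
    amount: float = 0.0
    merchant_category: Optional[str] = None
    atm_id: Optional[str] = None


@dataclass
class Profile:
    """What the organization already knows about this user (hypothetical baseline)."""
    known_vpn_egress: Set[str]   # the company's own VPN exit addresses
    usual_categories: Set[str]   # merchant categories this user normally buys from
    known_atms: Set[str]
    typical_cash: float          # usual cash withdrawal size


def travel_speed_kmh(prev: Event, cur: Event) -> float:
    hours = max(cur.ts - prev.ts, 1) / 3600.0   # guard against a zero time delta
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def score_event(prev: Optional[Event], cur: Event, profile: Profile) -> Tuple[int, List[str]]:
    """Return (risk score, human-readable reasons); weights are assumptions."""
    score, reasons = 0, []
    if prev is not None:
        speed = travel_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_KMH:
            both_vpn = prev.egress_ip in profile.known_vpn_egress and cur.egress_ip in profile.known_vpn_egress
            if both_vpn:
                # A hop between two of our own VPN exits: note it, but do not treat it as compromise.
                score += 10
                reasons.append("geo jump between known VPN egress points")
            else:
                score += 70
                reasons.append(f"impossible travel at {speed:.0f} km/h")
    if cur.kind == "purchase" and cur.merchant_category not in profile.usual_categories:
        score += 35
        reasons.append(f"unusual merchant category {cur.merchant_category}")
    if cur.kind == "atm":
        if cur.atm_id not in profile.known_atms:
            score += 15
            reasons.append(f"new ATM {cur.atm_id}")
        if cur.amount > 3 * profile.typical_cash:
            score += 40
            reasons.append(f"large withdrawal {cur.amount:.0f}")
    return score, reasons


def decide(score: int) -> str:
    """Three outcomes instead of two: allow, ask for a second factor, or send to a human."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "escalate"


# ---- constructed sample data ----
LONDON = (51.5074, -0.1278)
SYDNEY = (-33.8688, 151.2093)
PROFILE = Profile(known_vpn_egress={"203.0.113.10", "198.51.100.7"},
                  usual_categories={"grocery", "fuel"}, known_atms={"ATM-001"}, typical_cash=100.0)


def ev(ts: int, where: Tuple[float, float], ip: str, kind: str = "login", **kw) -> Event:
    return Event(user="alice", ts=ts, lat=where[0], lon=where[1], egress_ip=ip, kind=kind, **kw)


SAMPLE = [
    (ev(0, LONDON, "203.0.113.10"), ev(600, SYDNEY, "198.51.100.7")),            # VPN exit change
    (ev(0, LONDON, "203.0.113.10"), ev(600, SYDNEY, "192.0.2.55")),              # real impossible travel
    (ev(0, LONDON, "192.0.2.55"), ev(3600, LONDON, "192.0.2.55", "purchase", amount=600.0, merchant_category="tailoring")),
    (ev(0, LONDON, "192.0.2.55"), ev(3600, LONDON, "192.0.2.55", "atm", amount=500.0, atm_id="ATM-999")),
]


def run_sample() -> List[Tuple[str, int, List[str]]]:
    return [(decide(s), s, r) for prev, cur in SAMPLE for s, r in [score_event(prev, cur, PROFILE)]]


if __name__ == "__main__":
    for decision, s, reasons in run_sample():
        print(f"{decision:9s} score={s:3d} {reasons}")
```

The first two sample pairs are the same London-to-Sydney jump ten minutes apart; only the egress addresses differ, and that is what turns an “escalate” into an “allow”, which is the nuance the post asks for. In a real deployment the VPN egress set would come from the network team’s inventory, and the weights would be tuned against historical fraud and false-positive rates rather than hand-picked.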

  3. RSA FraudAction

Speaking of fighting fraud, one of the more interesting RSA offerings is a service called RSA FraudAction. This is not a consumer offering but geared towards defending the consumer’s endpoints which are fraud and phishing targets. It is based on having two operations and command centers that provide fraud intelligence and defense. One of them is outside Tel Aviv (where I visited in 2018 and wrote this report for CSOonline) and another located on the Purdue University campus. The centers proactively monitor (typically) a bank’s transactions and block suspect ones, using the AA products mentioned above to provide the risk scores. The goal is to flag something suspicious before the transaction clears, so that both the consumer and the bank are protected. The team also produces regular intelligence reports (such as this sample report) for customers on the various, real-time threats on the Dark Web.

My point in highlighting these three products or services is that they all work together in an interesting way to help you harden your authentication and reduce potential compromises. It’s also a testament for a company that has helped pave the way for the rest of the information security industry and developed a portfolio of solutions that can work together to help you manage digital risk.

Nearly 40 years after its inception on the MIT campus, RSA remains at the forefront of this market and well positioned to help businesses both large and small address security, risk and fraud concerns in a world that’s increasingly complex.

Network Solutions blog: How to evaluate a DNS security provider

The Domain Name System (DNS) is the Rodney Dangerfield of Internet protocols. By that, we mean that DNS has trouble getting respect for all the important things that it does. Over the years, the DNS has been abused by spammers, its weaknesses exploited by distributed denial of service (DDoS) attackers and domain hijackers. Given that the spate of attacks is increasing (according to one 2019 IDG report), it is time to get more serious about how you manage your DNS infrastructure and how you can harden it to prevent future threats. DNS attacks are often used by bad actors to reach their victims and do damage to business reputations. In this post for Network Solutions’ blog, I talk about the role that DNS plays and how you can evaluate a potential DNS supplier and use various means to protect your network assets.