Guest Post, Author at Cyber Secure Forum | Forum Events Ltd - Page 2 of 14

The Cloud Revolution: A call for improved security measures

By Aleksandr Värä, Technical Sales Director of Crayon

Recent years have seen a significant shift towards the adoption of cloud services by businesses, and the pace is only accelerating. Over 80% of IT leaders already use hybrid cloud solutions, which combine the strengths of public cloud providers like AWS and Google Cloud with private hardware. This change is not just a phase for some, but the new norm for many.

However, the transition to cloud computing isn’t without its own set of challenges. As businesses increasingly adopt a cloud-first approach, the way we understand and implement cybersecurity needs a radical overhaul. Traditional cybersecurity measures that worked in the past are no longer adequate. In fact, a report from IBM revealed that the cost of a data breach has risen to $4.24 million in 2021, the highest in 17 years, emphasizing the need for effective security in the cloud era.

Rethinking cybersecurity best practices

The age-old image of a hooded hacker might seem to embody cybersecurity threats, but the reality today is starkly different. Many breaches originate from within organizations, through unintentional mistakes such as misconfigurations and missed patches that leave them exposed. Microsoft has reported that basic security hygiene would protect against 98% of attacks.

These risks become even more prominent in the cloud. Rushing a cloud implementation without solid security measures can expose a business to many new weaknesses overnight, especially when legacy on-premises infrastructure is lifted and shifted into the cloud under an Infrastructure-as-a-Service (IaaS) model: the workload carries its existing flaws with it, while the identity, network and control-plane configuration around it is new and easy to get wrong.

It’s apparent that we need to rethink cybersecurity best practices in the face of these risks. Traditional policies catering to on-premises infrastructure no longer suffice. Organizations need to prioritize cloud security and align their procedures with technology solutions capable of managing the security requirements of both on-premises and cloud infrastructures.

Adopting cloud-native security

Transitioning to the cloud doesn’t need to happen all at once. In fact, quite often – due to limited capacity or financial considerations – businesses will undertake a step-by-step approach. However, one aspect should not be compromised: establishing strong, cloud-native security measures in parallel with cloud transformation.

New vulnerabilities crop up as soon as a business operates in the cloud. Under-resourced teams that are accustomed to on-premises systems may lack the skills and time to identify and mitigate these new risks. Therefore, speed is of the essence when it comes to cloud security: the longer you wait, the more security risk you carry.

To maximize speed, consistency and rigor, companies are starting to adopt security baselines as code: the required configurations, controls, tools and policies are written down as machine-readable, version-controlled definitions that can be applied and re-checked automatically. This shift in mindset reduces the time to implement security configurations, controls, tools and policies from weeks or months to hours or days. Importantly, the approach is scalable and adapts to changes in your digital assets over time, because the same definitions are re-applied whenever the estate changes.
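As an added example (not Crayon’s baseline or any cloud provider’s tooling), the following Python shows what a security baseline as code looks like in its simplest form: the baseline is a declarative list of rules, the resource inventory is data, and a small evaluator turns the two into findings that can fail a pipeline. The inventory, resource field names, rule IDs and severities are all constructed for illustration; in practice the inventory would be pulled from the provider’s API or from infrastructure-as-code state, and the evaluation would run in CI and on a schedule so that drift is caught.

```python
# Constructed inventory in the shape a provider API or IaC state might return.
# Resource types, field names and IDs are assumptions made for this example.
INVENTORY = [
    {"type": "storage_bucket", "id": "bkt-public-site",
     "public_access_blocked": False, "encryption_at_rest": True, "access_logging": True},
    {"type": "storage_bucket", "id": "bkt-finance-backups",
     "public_access_blocked": True, "encryption_at_rest": False, "access_logging": True},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"type": "iam_user", "id": "svc-legacy", "mfa_enabled": False, "console_access": True},
    {"type": "iam_user", "id": "alice", "mfa_enabled": True, "console_access": True},
]

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def no_admin_ports_from_internet(sg):
    """SSH/RDP must not be reachable from any address."""
    return not any(rule["port"] in ADMIN_PORTS and rule["cidr"] in ANYWHERE
                   for rule in sg["ingress"])


# The baseline itself: declarative rows of (rule id, resource type, severity, check, message).
# Being data, it can live in version control, be reviewed in a pull request and be
# re-run against the live estate on a schedule.
BASELINE = [
    ("STO-1", "storage_bucket", "high", lambda r: r["public_access_blocked"],
     "public access must be blocked"),
    ("STO-2", "storage_bucket", "medium", lambda r: r["encryption_at_rest"],
     "encryption at rest must be enabled"),
    ("STO-3", "storage_bucket", "low", lambda r: r["access_logging"],
     "access logging must be enabled"),
    ("NET-1", "security_group", "high", no_admin_ports_from_internet,
     "SSH/RDP must not be open to the internet"),
    ("IAM-1", "iam_user", "high", lambda r: r["mfa_enabled"] or not r["console_access"],
     "console users must have MFA enabled"),
]


def evaluate(inventory, baseline=BASELINE):
    """Run every rule against every resource of its type; return the failures as findings."""
    findings = []
    for rule_id, resource_type, severity, check, message in baseline:
        for resource in inventory:
            if resource["type"] == resource_type and not check(resource):
                findings.append({"rule": rule_id, "severity": severity,
                                 "resource": resource["id"], "message": message})
    return findings


def gate(findings, fail_on=("high",)):
    """Pipeline gate: True if the estate may proceed, False if any blocking finding exists."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"{f['severity']:6} {f['rule']:6} {f['resource']:20} {f['message']}")
    print("baseline gate:", "PASS" if gate(results) else "FAIL")
```

Run against the constructed inventory, the gate fails on three high-severity findings (a public bucket, SSH open to the world, a console user without MFA) and reports one medium finding; fixing the resources and re-running is the whole feedback loop, and adding a rule is a one-line change that is then enforced everywhere.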

However, setting up such a baseline is a complex task that requires technical knowledge of cloud-related threats and cloud-native security technologies. Many security teams, especially those with limited resources, may struggle to know where to start.

The importance of support

When it comes to transitioning to the cloud, knowledge truly is power. Without a deep understanding of the field and cloud-native security technology, organizations cannot create an effective cloud security posture. In many cases, working with an experienced partner who has pre-existing security baselines can provide the required support.

With the cloud becoming an integral part of business operations and its significance set to grow even further, a strong cloud-native security posture that incorporates the right baselines and modern technologies is not just an option – it’s a necessity.

Six key considerations for ITAD security

IT asset disposition (ITAD) is the process of disposing of IT hardware at the end of its life. The legal and compliance demands companies face mean that the data held on computers, devices and other physical assets can become a liability unless an audited disposal process is in place.

Organisations need to ensure that their chosen ITAD service provider will remove that data and dispose of end-of-life IT assets safely and securely. Yet only recently have businesses started to recognise the need to securely remove data from every IT asset collected for disposal, a need driven by recent European and US legislation, including the General Data Protection Regulation (GDPR).

Those responsible for data within an organisation are already aware of a data breach’s financial, legal and reputational impact. Steve Hollingsworth, Director, Covenco, explores six considerations for every organisation that collects, stores and processes data, which must secure that data at all times, including when it is time to dispose of hardware and other data-bearing assets…

1. Confirm that data destruction is effectively carried out

When undertaken correctly, ITAD data destruction procedures are 99.999 percent effective, a level acceptable even to the U.S. Department of Defense, the German Federal Office for Information Security (BSI) and the UK HMG Infosec Standard No. 5.

An organisation can sanitise its own data using software – or even destroy it with physical destruction methods. However, most organisations opt to use third-party ITAD services because these include a full and proper audit trail and recognised data destruction standards – and avoid the time and resources needed to conduct data destruction on multiple devices.

In addition, an organisation fully accredited with the requisite systems in place will be able to sanitise all types of data-bearing media, from spinning disks to solid-state drives. That distinction matters: overwrite-based tools written for spinning disks do not reliably sanitise solid-state drives, because wear levelling and over-provisioned flash keep copies of data that the operating system cannot address, so SSDs need the drive’s own sanitise or cryptographic-erase commands, or physical destruction, followed by verification that the data is actually gone.

2. Review your asset security during transit

The theft of electronics in transit is a major category of cargo crime in 2023. Since 2012, the theft of electronic goods in cargo has risen by 22%, with an estimated per-theft value of over $400,000 (excluding the value of the data held on the stolen devices). The following areas are crucial when reviewing how a business’s assets are handled in transit:

  • Secure collection
  • Secure customer delivery
  • Transfer of custody
  • Record keeping
  • Processing time

3. Verify asset tracking and facility surveillance

While it is essential to ensure the secure transportation of IT assets, the obligation to secure them continues inside the ITAD facility, and should include secure tracking of each asset while it is processed. Selecting a third-party company that applies thorough asset tracking, through serial-number capture, scanned barcodes and internal reporting systems, allows a business to know where its assets are in the process and to trace them for internal audit.

4. Applying appropriate standards to your IT asset disposition

Companies certified to ISO/IEC 27001 have been audited against, and are required to apply, best practices for managing the security of data assets such as financial information, intellectual property, employee details, clinical and research data and more, all of which are relevant to ITAD.

5. Understanding the reuse and resale of IT assets

This is where asset ‘disposition’ takes priority over ‘disposal’. In many cases a customer’s assets may have resale value, so the company’s third-party supplier can offer a fair market price to buy these assets once their data has been completely sanitised in line with ADISA and ISO/IEC 27001 standards.

6. Destruction and recycling of end-of-life assets

If all data has been destroyed and an IT asset no longer holds resale value, end-of-life disposition would be the next step. Understanding the final processing of end-of-life IT assets is essential because if done irresponsibly, a business and company directors could be liable for the repercussions.

Illegitimate recyclers have dumped old e-waste in parts of the developing world. If equipment ends up there, someone could pull the asset tags and identify the business as having contributed to that toxic environment and to the wrongful disposal of e-waste.

So, when an asset reaches the end of its useful life, it is vital that the business’s partner follows a process that destroys it beyond recovery and can provide certificates of destruction and recycling, which are useful for compliance or security documentation and for any reporting or recognition of the business’s environmental efforts.

Conclusion

Choosing an ITAD partner requires careful research and due diligence. The company’s data security is at risk, as is the reputation of the business.

Using a reliable third party that provides the chain-of-custody control, data destruction options, compliant recycling, detailed reporting, downstream audit control and solid remarketing returns that diligent customers demand is vital for both company and customer satisfaction.

Additionally, partnering with a company that holds ADISA and ISO/IEC 27001 accreditations provides customers with complete peace of mind, by delivering comprehensive audit-ready compliance and reporting at a forensic level.

By selecting an honest and dependable third party as its ITAD partner, a company can rapidly improve the security and control of the data it manages while generating an additional revenue stream for its IT department.

The Cyber Security Roadshow you should be at in London on 19th April!

Your peers are registering for Tessian’s Fwd: Thinking Roadshow and so should you! This half day, complimentary event will take place aboard HMS Belfast, London, and is dedicated to helping forward thinking security teams navigate the ever-changing threatscape.

Hear from the top CISOs and industry experts who have paved the way when it comes to stopping email threats and building stronger security cultures.

It will be an afternoon of knowledge complete with peer networking, private tours of the ship, and a drinks reception with entertainment to finish, all set against the breathtaking backdrop of HMS Belfast and the London skyline!

What’s more, as Tessian is an approved (ISC)2 CPE Submitter Partner, you can earn 2 CPE credits for attending this event.

Don’t miss the opportunity to join your peers at the Fwd: Thinking Roadshow with Tessian on 19th April.

Register now!

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

The role of network cameras as sensors to support digital transformation

Axis Communications’ Linn Storäng explains how high-quality video data on open IT architecture might support the digital transformation of business functions…

To think of the network camera – an essential part of any company’s security infrastructure – as being a tool for security purposes alone could be a missed opportunity. Today’s cameras are versatile IoT devices capable of offering a number of additional benefits through analysis of high-quality video data that can be used to accelerate and enhance digital transformation efforts. The key to discovering that potential is to refocus; if a camera can see it, your systems can act upon it.

Digital video is not simply about security – it is also an extraordinary source of data. Over the years network cameras have been bolstered by higher grade image quality, improved bandwidth efficiency, and more powerful processing both on board and in the cloud, while the addition of advanced analytics and AI capabilities adds a wealth of functionality. And when wedded to open IT architecture that paves the way for ease of integration, a world of smarter possibilities awaits.

Benefits of the camera as a sensor

Thinking of network cameras as sensors and applying analytics to video data can help identify trends that develop over time, or highlight issues and insights in real time, all without requiring a human to constantly survey the output. Properly applied, that data may also be valuable in building predictive models which can help improve future efficiency or discover brand new directions for your IT provision or the business.

Cameras can provide secondary security reassurance, monitor critical systems for temperature changes, ensure production lines are running efficiently and even detect the early signs of an outbreak of fire. Ease of deployment and integration means cameras can be employed on a smaller scale, keeping a digital eye on otherwise difficult-to-access equipment, and simultaneously on a wider scale, using their vast field of view to monitor large areas.

Exploiting camera data in this way may reduce complexity, removing the need to install and administer additional banks of sensors. It may, conversely, help existing granular sensor data to be enhanced and contextualised. It can help the introduction of novel functions, adding value to digital transformation efforts without incurring further costs.

Important considerations for platform selection

However, the picture isn’t, perhaps, quite that clear. The ubiquity of cameras means they are theoretically straightforward to integrate into a digital transformation effort, but that all-important data must be reachable in a safe way. The camera’s hardware, firmware and ecosystem need to be flexible enough to support whatever application your business wishes to build – open enough to be useful, but robust enough not to present a risk.

They must also be accessible by all entities that need that access – be they personnel, third-party integrations, or bespoke applications – opening as many data points as possible without exposing security holes. In practice that means each integration gets its own least-privilege credentials rather than the administrator account, the cameras sit on a segmented network that cannot reach the rest of the corporate LAN, and every device is inventoried so that none is left unpatched. To be effective, cameras should be deployed as part of the overall IT infrastructure rather than siloed into a security function alone or chosen without considering additional use cases. This also helps to guarantee that the hardware can be properly managed and updated over its lifetime.

To that end, today’s cameras should be backed by dedicated support whenever and wherever it is required. These devices must be cybersecure. Firmware that keeps pace with the latest threats is crucial when using IoT devices in a corporate setting, but rolling out a firmware update to a network of hundreds or perhaps thousands of mission-critical cameras is no trivial task.

Good network cameras are those which offer administrative control, a considered upgrade path which suits your business but can react quickly to new threats, and the tools to make applying such upgrades as simple as possible – all while leaving third-party integrations intact and unharmed. And these decisions must be made when considering product lifecycles too; long-term support and sustainability may be one of the most vital properties of a network camera given the expense and upheaval of purchasing and installing hardware.

A new generation of IP cameras

The network camera space has grown to meet the needs of its traditional users and this new set of wider IT use cases. Cameras can now routinely integrate neatly with, for example, DCIM systems to help the creation of bespoke applications. They can include features like visual overlays which make alerts and analytics clear and concise. Today’s cameras are built to be lean, with technology designed to minimise energy use, demand minimal network bandwidth, and even reduce the load on cloud servers by performing complex computation on the edge – all while simplifying maintenance through secure tools which smooth the process of managing large networks of IoT devices.

Cameras should not only be included in your digital transformation plan but should also become a core part of it. The potential of digital video, and the number of solutions edge processing and hardware integration can offer, is growing fast. Video analytics offers accurate, fast results – and even if your transformation is in the early stages, building a strong infrastructure now opens doors for a smarter future.

Learn more about how network cameras can support your digital transformation agenda

About the Author – Linn Storäng, Regional Director Northern Europe, Axis Communications
Linn has held senior positions within strategic roles at Axis Communications for the past 5 years, recently becoming Regional Director for Northern Europe. Linn is a strategic thinker who likes to be very closely involved with business and operations processes, leading by example and striving to empower colleagues with her positivity and passion for innovation. Linn relishes the ongoing challenge to find new ways to meet the needs of her customers, and strives to forge ever stronger relationships with partner businesses. Prior to joining Axis, Linn held senior sales and account management roles within the construction industry.

Say goodbye to traditional security training: How to keep your staff engaged!

As the saying goes, what got you here won’t get you there. While the traditional method of once-a-year security awareness training for your staff may have been acceptable in the early 2000s, times change, and so do the needs of staff. Simply providing information to employees is not enough. For best results, the information delivered needs to be relevant, timely, and appropriate.

Take the example of teaching a child to cross the road. The best time to teach them is when you’re at a road. This makes the lesson timely and relevant. It also needs to be explained to them in terms they will understand and connect to, this makes it appropriate.

With KnowBe4, you can deliver training to employees which is relevant, timely, and appropriate. It contains a huge library of content covering training modules, video modules, mobile optimised content, assessments, games, newsletters, posters, and much more. Plus, the content is localised in many languages and with many different tones and formats available, there is certainly something for every organisation.

Smart groups can also be used to deliver specific training to selected users. For example, there is no point in making everyone go through security awareness tips when travelling, if most people never travel to a remote location. Putting your road warrior employees in one group and only sending them the training makes it far more relevant.

Perhaps the hardest part of training is delivering it at the right time. There is never an ideal time for employees to take time out of their day to complete their training. Which is why it’s important to not just provide the option of short and quick modules which can be completed during a tea break. But have a method to intervene with training when it is needed the most. With SecurityCoach users can be coached in real-time based on their real-world behaviours.

Whichever tool you use, make sure the training provided is relevant, timely, and appropriate to make it stick.

Find out what percentage of your employees are Phish-prone™ with our free test.

INDUSTRY SPOTLIGHT: Protect your top attack vectors, across all channels by Perception Point

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection, investigation, and remediation of all threats across an organisation’s main attack vectors – email, web browsers, and cloud collaboration apps.

Perception Point streamlines the security environment for unmatched protection against spam, phishing, BEC, ATO, ransomware, malware, Zero-days, and N-days well before they reach end-users.

The use of multiple layers of next-gen static and dynamic engines along with patented technology protects organizations against malicious files, URLs, and social engineering-based techniques. All content is scanned in near real-time, ensuring no delays in receipt, regardless of scale and traffic volume. Cloud-based architecture shortens development and deployment cycles as new cyber attacks emerge, keeping you steps ahead of attackers.

The solution’s natively integrated, free-of-charge and fully managed incident response service acts as a force multiplier for the SOC team, reducing management overhead, improving user experience and delivering continuous insights. By minimising false negatives and reducing false positives to a bare minimum, the solution provides proven protection for organisations of all sizes.

Perception Point empowers security professionals to control their full security stack with one solution, viewed from an intuitive, unified dashboard. Users can add any channel, including cloud storage, CRM, instant messaging, and web apps, in just one-click to provide threat detection coverage across the entire organization.

Deployed in minutes, with no change to the enterprise’s infrastructure, the patented, cloud-native and easy-to-use service replaces cumbersome legacy systems.

Fortune 500 enterprises and organizations across the globe are preventing attacks across their email, web browsers and cloud collaboration channels with Perception Point.

Contact us to learn more about how Perception Point can secure your business. 

Connect with us on LinkedIn, Twitter, and Facebook.

Making the right hybrid choice when it comes to UC

As hybrid working strategies mature, companies are fast discovering that choice is vital. Employers need to offer a flexible approach to balance diverse home and office working preferences. But they must also provide a choice of technology options, especially in key unified communication (UC) tools. Consolidating onto a single UC platform may appear to be the best solution, but limiting every employee to a single solution can constrain productivity, undermine morale and encourage the use of Shadow IT, explains Jason Barker, SVP EMEA & APAC, IR.

Hybrid Flexibility

There is no one-size-fits-all approach to hybrid working. For every middle-aged parent revelling in the chance to do the school run, rather than sitting on a crowded train, there is a Gen Z desperate for the interaction – and warmth – of an office environment, rather than being stuck in a spartan shared flat. For every business leader bemoaning the lack of productivity, there is another embracing the impact on recruitment and ability to attract potential new talent.

Rigid hybrid strategies will never meet the needs of a diverse workforce, but a flexible attitude must extend beyond HR policies and include the UC tools used by employees. Wherever they choose to work, it is vital that employees are able to make meaningful connections, both with colleagues and business partners. They need to be confident in their ability to use a variety of tools, from video conferencing to collaboration. But are they?

Over the past two years, IT teams have accelerated strategic UC deployments in a bid to wrestle back control over corporate infrastructure. A prime objective is to put an end to the costly and high-risk Shadow IT adopted in the early days of enforced WFH, when individuals made their own choice of video conferencing, file sharing and messaging solutions. Yet many of these ‘emergency’ solutions are an employee’s WFH comfort blanket. People have adapted to their preferred tools and, where possible, adapted the tools to work for them. Attempts to close down the UC environment and restrict users to the corporate platform can backfire spectacularly. The problem is that most businesses have absolutely no idea.

Trusted Communications

Today, 85% of businesses are using two or more meeting platforms and many companies are looking to reduce costs by consolidating onto one platform. Yet how can an IT team make the right decision when the business is completely blind to the reality of UC usage and adoption? While UC performance is routinely monitored, the information is collected on a system-by-system basis. There is no visibility of the entire operation, no understanding of the way tens of thousands of employees are using the systems. Businesses don’t know when individuals or teams are ignoring the corporate UC tools and opting instead for their own preferred solutions.

Even this piecemeal UC information is fundamentally limited by covering only the office environments. Companies are not monitoring the tools individuals are using at home or their preferred out-of-office locations. From coffee shops to local hubs, employees are opting to use their favourite Shadow IT solutions and side-lining the corporate standards. The result is not only an unseen and unquantified operational security risk but also a missed opportunity to understand how employees are adapting to hybrid working and any signs of a lack of engagement with the business.

Guiding Strategies

End-to-end monitoring of the entire UC environment, including home working, can provide the business with invaluable insight to support the evolution of hybrid strategies. Are individuals increasing their use of a certain platform? If so, is that because people prefer that solution or simply due to performance problems with the alternative? Companies cannot blithely assume that growing usage equals preference; the IT team also needs to understand whether there are issues with the solution, the network, or even frustration due to the lack of personalisation options. Is there perhaps a chance to mandate a single tool if staff can personalise it to suit the way they want to work?

Hybrid working will only succeed if staff are committed, engaged and able to collaborate effectively, wherever they are located. And that is far from inevitable if IT attempts to impose a solution that simply doesn’t work as well as their Shadow IT alternative. Clearly it is essential that everyone uses the UC solutions that are purchased, implemented and run by the corporate IT team – and that the infrastructure is secure, compliant and well managed. Choice is key. To offer employees the right choice, it is essential to understand how UC platforms are working at home and in the office, for both individuals and the business.

What more, if anything, should governments be doing about cyber actors?

By Will Dixon, Global Head of the Academy and Community at ISTARI

Cyberattacks are becoming more frequent, and their potential consequences are becoming more severe. With Critical National Infrastructure and other important services constantly in the virtual crosshairs of both state actors and cybercriminals, it is entirely conceivable that an attack, or a series of attacks, will lead to significant public harm.

In the event that this happens, governments and law enforcement will find themselves facing calls to act. In the eyes of the public, we might assume that doing so would seem natural; after all, offensive cyber operations are not as risky as military operations in the real world, so why not do more to disrupt these groups?

The picture is, of course, not so simple. The negotiations currently taking place at the United Nations on a treaty on cybercrime demonstrate the complexity of reaching international agreement on what constitutes a cybercrime. The penalties that should be enacted against perpetrators, and the powers global law enforcement agencies should have in order to prosecute them, are also up for debate.

The definition of cybercrime itself is fiercely contested, given the significant implications for countries such as Russia and China, which want the definition to include terms allowing them to impose strict censorship laws and pursue dissidents. While this debate continues, action against cyber criminals is going ahead without agreed rules of the road.

Nonetheless, the relentlessness of cybercrime means that it is worth considering how governments and law enforcement should deal with cyber criminals. We have seen how knee-jerk reactions to major events have led to poor outcomes in the past. The cyber community should endeavour to avoid making the same mistakes.

Change in Policy

There needs to be more cooperation between national and supranational agencies, which includes better access to global data sources. This would require deep, scalable operations and partnerships with law enforcement agencies on an international scale. Some of these partnerships will likely involve countries that would rather not collaborate.

It will also require better collaboration between victim organisations and law enforcement, as the recent takedown of Hive, a ransomware group that targeted more than 1,500 victims in over 80 countries around the world, has shown. Close cooperation between victims and forensics investigators at the FBI ultimately allowed law enforcement to map and disrupt the entire Hive network. If law enforcement agencies want to do this on a wider scale, they must open their doors to victims and make sure that these victims are not afraid of further penalties for being more open about the events that resulted in an attack.

Implementing Positive Incentive Models

It is an unfortunate reality that there are not nearly enough cybersecurity companies or organisations that possess the bespoke capabilities, human resources, and training to safely secure the convergence of enterprise software, the Internet of Things (IoT), and Operational Technology (OT) environments associated with Critical National Infrastructure. Preventing harm to the public requires that we fix this.

While there are many negative incentive models, such as regulation and fines for non-compliance, this can only take us so far. More positive incentive models are needed, whereby the government works alongside the community to provide resources and the financial support required to create a strong ecosystem of organisations that can navigate the complexity of critical national infrastructure environments. There has been some evidence of this in the USA, such as the federal government’s investment in cybersecurity controls following the Colonial Pipeline attack. However, more meaningful public-private cooperation is needed in order to create the ecosystem of advanced capabilities we need.

Moving Forward

There is no escaping the fact that the cyber-threat level is growing, and it appears that we are on an unavoidable path towards law enforcement campaigns acting against cyber criminals. Whilst an appetite for more muscular action against cybercriminals is entirely understandable, we must also accept that it is not guaranteed to make a positive difference; campaigns against international criminal networks of other kinds have proved ineffective before. If we want to keep digital systems and the public they serve safe from harm, we need to invest more time and effort in creating the capabilities to do so.

OPINION: Don’t let fatigue be the cause of MFA bypass

By Steven Hope, Product Director MFA at Intercede

If names such as Conficker, Sasser and MyDoom send a shiver down your spine, you are not alone. In the not-too-distant past, computer viruses, whether simple or sophisticated, had the power to cripple organisations large and small, as cybercriminals sought to wreak havoc and gain notoriety and wealth.

For security professionals, endpoint and perimeter protection was the name of the game, with firewalls and anti-virus software providing the first line of defence. Whilst this type of malware still exists, it is no longer the main attack vector. The threat landscape is ever evolving, and the growth of adversary-in-the-middle session hijacking, SIM swapping and targeted phishing means attackers increasingly prey on weak authentication, including some forms of Multi-Factor Authentication (MFA).

In the same way that anti-virus has never been able to protect systems from 100% of trojans, worms, botnets, ransomware, etc., there is no such thing as a phishing-proof solution, bar hardware-based PKI & FIDO for now. However, there are ways to be more resistant to phishing attacks. Unfortunately, the weakest form of resistance is also the most commonplace – passwords. Guess, buy or socially engineer a password and you instantly have access to whatever it is ‘protecting’, be it a social media account or a mission-critical system. If it was deemed important enough to put a password in front of it, then the chances are that it has a degree of value, financial or otherwise, to the organisation that can be exploited.

The obvious choice, therefore, is to add another layer of security, so that if the password is breached there is another obstacle to overcome. This is commonly known as multi-factor authentication (MFA), but the name can be a misnomer if, for example, one of those factors is a poorly managed password programme (not following NIST guidelines and lacking a Password Security Management solution). Given the weakness of passwords, MFA of this type is typically only as secure as the second factor. So, whilst potentially more secure than a standalone password, it is far from resistant to phishing, and some might question whether this really is MFA.

Brute-force attacks to guess passwords are still used today, but many cybercriminals are far more likely to focus less on cracking the computer and more on engineering the employee, through techniques such as spear phishing, BEC (Business Email Compromise) and consent phishing. The aim here is to encourage the identified target to unwittingly hand over the information they need.

A perfect example of this is the exploitation of the complacency surrounding push notifications (commonly known as ‘push fatigue’). Push notifications are increasingly used as the second factor when logging on to a system or making a purchase. A message asks the account owner to accept, enter a one-time code (OTC), or use a biometric (via the fingerprint reader on a mobile device).

Cybercriminals have learnt that bombarding account holders with push notifications, creating a fatigue, can then result in the owner complying with their request; after all, if pressing Decline a few times doesn’t make the pop-ups stop, maybe pressing Accept will. If they already have the username and password (readily available and traded at very low cost on the dark web), they can do as they please, whether that be making a transaction, emptying an account, or downloading or deleting data. If the term ‘trojan horse’ had not already been attributed in the world of cybersecurity, it would be an apt description of what cybercriminals are doing with push notifications.

So, if poorly managed passwords are weak and 2FA is easily bypassed, it is a valid question to ask where that leaves authentication, especially given the lack of recognised standards (although I would encourage anyone to look at FIPS 201, published by NIST). The reality is that a multi-faceted and multi-factor authentication (MFA) approach needs to be phishing resistant. The better staff are trained (CUJO AI reported in January that 56% of Internet users try to open at least one phishing link every month) and the more factors there are, the more secure you are. How far you go on the scale from passwords (not phishing resistant) to PKI (the highest level of authentication assurance) will very much depend on where you sit in the food chain and whether the organisation could be perceived to be a high-value target, whether of itself or for its role in a wider and richer supply chain.

The reality for most organisations of any size is that different people and tasks will require different assurance levels, so any MFA solution used needs to have the ability to scale how credentials are applied appropriately. Authlogics Push MFA has been built with the end user in mind, giving them useful information with which to make a more informed accept/decline decision. Furthermore, after declining a logon they can simply tap the reason why and push fatigue protection will automatically kick in.
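As an added illustration of the push-fatigue pattern described above and of the decline-reason protection the article mentions, here is a small detector that suspends a user's push factor once a barrage of unanswered prompts or a ‘not me’ decline is seen. This is example code, not Authlogics or Intercede code; the event shape, the 3-in-10-minutes threshold and the decline reasons are assumptions.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# One push-notification outcome from an authentication log (assumed shape):
# result is "accept", "decline" or "timeout"; reason is what the user tapped after declining.
PushEvent = namedtuple("PushEvent", "user at result reason", defaults=("",))

WINDOW = timedelta(minutes=10)   # assumed policy: 3 unanswered pushes in 10 minutes
MAX_UNANSWERED = 3
REPORTED_REASONS = {"not me", "did not request"}   # assumed decline-reason labels

class PushFatigueGuard:
    def __init__(self):
        self._recent = defaultdict(deque)   # user -> deque of (time, result) in the window
        self.suspended = set()              # users who must fall back to OTC/PKI
        self.alerts = []                    # (user, why) for the SOC
    def _suspend(self, user, why):
        if user not in self.suspended:
            self.suspended.add(user)
            self.alerts.append((user, why))
    def record(self, ev):
        """Feed one event; return 'allow' if push stays usable for the user, else 'suspend'."""
        q = self._recent[ev.user]
        while q and ev.at - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        prior = sum(1 for _, r in q if r != "accept")   # earlier declines/timeouts
        q.append((ev.at, ev.result))
        if ev.result == "accept":
            if prior >= MAX_UNANSWERED:          # accept after a barrage: fatigue succeeded
                self._suspend(ev.user, f"accept after {prior} unanswered pushes")
        elif ev.reason.lower() in REPORTED_REASONS:  # user says the prompt was not theirs
            self._suspend(ev.user, f"user reported unrequested prompt ({ev.reason})")
        elif prior + 1 >= MAX_UNANSWERED:
            self._suspend(ev.user, f"{prior + 1} unanswered pushes within {WINDOW}")
        return "suspend" if ev.user in self.suspended else "allow"

def run_sample():
    """Constructed events: alice is bombarded, bob is normal, carol reports 'not me'."""
    t = datetime(2023, 1, 9, 9, 0)
    events = [PushEvent("bob", t - timedelta(minutes=30), "timeout"),
              PushEvent("bob", t, "accept"),
              PushEvent("alice", t, "decline"),
              PushEvent("alice", t + timedelta(minutes=1), "timeout"),
              PushEvent("alice", t + timedelta(minutes=2), "decline"),
              PushEvent("alice", t + timedelta(minutes=3), "accept"),
              PushEvent("carol", t, "decline", reason="not me")]
    guard = PushFatigueGuard()
    decisions = [(e.user, guard.record(e)) for e in events]
    return guard, decisions
```

Bob's old timeout falls outside the window, so his later accept is allowed; alice is cut off at the third unanswered push, before the accept that a real barrage is designed to extract.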

In the third quarter of 2022, the Anti-Phishing Working Group (APWG) reported 1,270,883 phishing attacks, the worst ever recorded by the group. The reason is simple – phishing works. Every expectation is that 2023 will continue to see numbers rise. However, using the right MFA as part of an overall security strategy can provide the resistance needed to repel ever more sophisticated, persistent and persuasive attacks.

INDUSTRY SPOTLIGHT: iSTORM – Your trusted advisory service


iSTORM believe that strong privacy and information security practices are beneficial to every organisation.

Their team has more than 2 decades’ experience covering information security, cyber security, ISO 27001, information governance, data protection and penetration testing.

iSTORM understand the issues that 21st-century businesses face, and their hand-picked team of experts is here to provide pragmatic support covering all your governance, risk management and compliance needs.

  • CREST approved penetration testing – including Red Team engagements
  • Cyber Essentials & Cyber Essentials Plus certification
  • ISO27001 Gap Analysis, Internal Auditing & Implementation
  • ISO23301 Business Continuity Management Systems
  • GDPR Consultancy and an Outsourced DPO service

To find out more visit https://istormsolutions.co.uk/