If you neglect the basic and the obvious, the basic and the obvious will return to bite you.
Cybersecurity Awareness Month: a call to follow best practices.
The US Cybersecurity and Infrastructure Security Agency (CISA) hopes to use Cybersecurity Awareness Month to inculcate familiar best practices.
This is no October surprise, but it’s a useful reminder.
CISA is particularly interested in encouraging strong passwords, multifactor authentication, phishing awareness, and sound patching practices. None of these are exotic, none of them unfamiliar, and all of them are all too often still overlooked.
Andrew Hollister, CISO and VP Labs R&D at LogRhythm, noted the importance of the reminder:
“Each year, Cybersecurity Awareness Month serves as a valuable reminder of the critical importance of fortifying our organizations’ cybersecurity posture in an increasingly interconnected world. This year, Cybersecurity Awareness Month’s focus is on four key behaviors: enabling multi-factor authentication, using strong passwords and a password manager, updating software, and recognizing and reporting phishing attempts—all essential practices in safeguarding against cyberattacks. Our growing reliance on digital technology within the business landscape is accompanied by escalating threats and vulnerabilities that pose significant risks to sensitive data, financial stability, and even national security.
“In the face of these escalating threats, it is worth noting that 67% of respondents in a recent study reported their companies losing business deals due to customers’ lack of confidence in their security strategies. A solid security strategy has become a business imperative, and all too often, organizations either fail to do the basics or don’t truly understand the full scope of the threat they are facing. Digital transformation over the past decade has led us to a place where much of our data has moved to the cloud and our user communities have also at least partially “moved to the cloud” as well post-pandemic, in various forms of hybrid work patterns. Let us use Cybersecurity Awareness Month as a catalyst for action. Strengthen your organization's defenses, educate your teams, and invest in technology solutions that enable you to reduce your overall risk. By doing so, we can collectively fortify our digital foundations, protect our critical assets, and ensure a safer digital future for all.”
CISA’s four basic recommended practices are listed below.
Use strong passwords.
“Use strong passwords that are long, random, and unique to each account, and use a password manager to generate them and to save them,” says CISA.
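CISA's three adjectives (long, random, unique) can be made concrete with a few lines of code. The example below is added here and is not from CISA or the article; it generates passwords and passphrases from the operating system's CSPRNG, as a password manager does, and computes the entropy each choice delivers so that "long and random" can be compared to "short but complex" in bits. The word list is a constructed stand-in for a real diceware list (the 7776-entry size used in the comment is the EFF long list's size); the function names are the author's own.

```python
import math
import secrets
import string

# Alphabet a typical password manager draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed demo word list. A real passphrase generator uses a large published
# list (e.g. a 7776-word diceware list); 16 words is far too few for real use.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier",
                "harbor", "iris", "juniper", "kelp", "lantern", "marble", "nectar",
                "orbit", "pebble"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a *uniformly random* string of `length` symbols drawn from an
    alphabet of `alphabet_size`. Only meaningful for generated secrets, not for
    human-chosen ones, which are far from uniform."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from a list of `list_size` entries that
    reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password using `secrets` (CSPRNG); never use `random` for this."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase: words are sampled independently and uniformly, so the
    entropy is word_count * log2(len(words)) regardless of how memorable it looks."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_choices() -> dict:
    """Entropy (in bits) of a few generation strategies, for a side-by-side view."""
    return {
        "8 chars, 94-symbol alphabet": round(entropy_bits(8, 94), 1),
        "20 chars, 94-symbol alphabet": round(entropy_bits(20, 94), 1),
        "6 words from a 7776-word list": round(entropy_bits(6, 7776), 1),
        "words from 7776-list for 80 bits": words_needed(80, 7776),
    }


if __name__ == "__main__":
    print("generated password: ", generate_password())
    print("generated passphrase:", generate_passphrase())
    for label, value in compare_choices().items():
        print(f"{label}: {value}")
```

The point of `compare_choices` is that an 8-character password from the full 94-symbol alphabet (about 52 bits) is weaker than a six-word passphrase from a real diceware list (about 78 bits), and that uniqueness per account is what keeps one breach from cascading; the generator gives a fresh value on every call, which is exactly what a password manager does when it fills a new sign-up form.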
Jeff Reich, Executive Director at IDSA, explained why strong passwords are necessary but not sufficient for effective security:
“So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, the IDSA’s research demonstrates that it takes more than a strong password to keep bad actors at bay. Today’s questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem.
“The bigger question is, how do we get this done? Security, as part of a larger risk management program, is the answer. This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem.
“The key is to better know the environments in which we operate, the associated risks, and ways to eliminate or lower the severity of the outcomes. This is incumbent upon each of us and all of us. The message is the same, although updated. Learn what you can do to protect yourself and help others. Security professionals: work to make systems more resilient and frictionless. For users of these systems: learn to use them and make them work for you.”
Darryl Jones, VP of Product (CIAM) at Ping Identity, pointed out that passwords represent a common vulnerability. “This Cybersecurity Awareness Month, it’s critical to remember that passwords pose one of the biggest cybersecurity threats to organizations and consumers alike. In fact, in 2022, there was a whopping 233% increase in U.S. data breaches exposing user credentials, compared to 2021. Credentials are attractive targets as they enable unauthorized access to sensitive systems, networks, and data." It's not a problem amenable to solution with better passwords, he argued. "While multifactor authentication is a great step in the right direction for protecting user credentials, the reality is that password-based authentication practices fail at actually securing accounts. They inhibit a smooth user experience and are easy to exploit for financial gain. With the accelerated growth of phishing, malware, and ransomware attacks, which are all exacerbated by the rise in artificial intelligence (AI), organizations underestimate the risks associated with using passwords to protect valuable enterprise assets. For example, generative AI can be used to guess passwords in an extremely human-like manner. It’s time to move away from this outdated form of authentication and move towards more innovative methods like biometrics, passkeys, and face IDs with liveness checks to avoid generative AI threats, not just this month, but all year round.”
(Added, 6:30 PM ET, October 2nd, 2023.) “Cybersecurity Awareness Month serves as a reminder of the critical role that strong passwords and password managers play in safeguarding our digital lives,” Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, wrote. “Weak passwords pose a significant risk as they can be easily exploited by cyber criminals using well-known hacking techniques. Reusing passwords across different accounts further increases this vulnerability, as a breach in one account could simply lead to compromised access in another account. Strong passwords are even better. Using passphrases provides a strong defense by making passwords long and strong, making them more difficult to correct. To effectively manage this complexity of using multiple strong passwords, use a password manager or, for your business, consider using a Privileged Access Management solution. These digital vaults offer secure solutions by storing all the passwords in a central secure vault accessible only through a single master password and improve it even further with additional security controls such as Multi Factor Authentication.”
Use Multifactor Authentication (MFA).
As CISA puts it, “Turn on multifactor authentication on all accounts that offer it. We need more than a password on our most important accounts, like email, social media, and financial accounts.”
Bala Kumar, Chief of Product at Jumio, makes a similar point about multifactor authentication: it’s necessary, but not sufficient:
“There are a number of commonly used verification tools out there today, like multi-factor authentication (MFA) and knowledge-based authentication. However, these tools aren’t secure enough on their own. With the rise of new technologies like generative AI, cybercriminals can develop newer and more complex attacks that organizations need to be prepared for. Fraudsters can leverage ChatGPT, for instance, to create more convincing and targeted phishing scams to increase their credibility and impact, victimizing more users than before.
“This month’s emphasis on cybersecurity reminds us that organizations must build a strong foundation starting with user verification and authentication to efficiently protect customer and organizational data from all forms of fraud. Strong passwords and MFA are always beneficial to have, but with the increasing sophistication of cyberattacks, organizations must implement biometric-backed identity verification methods. By cross-referencing the biometric features of an onboarded user with those of the cybercriminal attempting to breach the company, organizations can prevent attacks and ensure that the user accessing or using an account is authorized and not a fraudster, keeping vital data out of criminals’ reach.”
(Added, 2:45 PM ET, October 2nd, 2023.) Theresa Lanowitz, Head of Cybersecurity Evangelism at AT&T Business, wrote about the various modalities that can be used in MFA. "As edge computing expands, we expect the popularity of MFA to grow and include biometrics and biometric behaviors - like how you sign your name or your cadence in entering a numerical sequence. While the use of biometrics to authenticate identity is not new, advancements in digital twins, deepfakes, and purpose-built IoT devices mean there is a need to secure our physical identities. Deep fakes may spoof more than your identity," she said. "Consider autonomous vehicles that have built-in MFA in key fobs. IoT devices are frequently ‘set and forget’ with a default password that may be as simple as ‘1234’, making it easy for cyber adversaries to either guess or have knowledge of the default password. It makes sense that biometrics, MFA, and device authentication are utilized in new endpoints such as autonomous vehicles since there are no direct inputs into vehicle networks—however, without an added layer of security, an adversary can execute DDoS attacks or gain access to the network by moving laterally through an IoT device with a default password. With this, endpoint detection and response (EDR), managed detection and response (MDR), and extended detection and response (XDR) are becoming baseline requirements.”
(Added, 6:30 PM ET, October 2nd, 2023.) Delinea’s Carson also commented on the importance of multifactor authentication from his point-of-view as an ethical hacker. “In today's interconnected world where digital threats are always present, MFA offers an additional layer of defense against unauthorized access,” he wrote. “MFA goes beyond the traditional passwords by requiring users to provide multiple forms of verification before gaining access to an account. This can involve something that they know like a password, something that they have like a smartphone or a security token, or something that they are like a fingerprint or a facial scan. By combining these factors, MFA significantly reduces the risk of unauthorized access, even if a password is compromised.”
Become aware of phishing.
CISA calls out phishing as a major threat: “Recognize and report phishing, as we like to say, think before you click. Be cautious of unsolicited emails or texts or calls asking you for personal information, and don't click on links or open attachments from unknown sources.”
Anurag Gurtu, Co-Founder & CPO at StrikeReady, commented on the importance of being aware of this form of social engineering. “Phishing remains a relentless and highly effective cybersecurity threat,” he wrote. “Despite advances in security technology and increased awareness, attackers continue to exploit human vulnerabilities through deceptive emails and messages. Organizations must recognize that their staff can be the first line of defense against phishing attempts. Investing in comprehensive cybersecurity training programs that teach employees to recognize and report phishing emails is essential. Additionally, implementing advanced email security solutions that can identify and block phishing attempts in real-time can significantly reduce the risk associated with this prevalent threat.”
Patrick Harr, CEO of SlashNext, described how phishing has grown into a pervasive, sophisticated threat:
“We have seen phishing grow from targeted email attacks into a widespread multi-channel problem that has become the top security threat for both organizations and individuals. In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through email, mobile and collaboration apps including business email compromise (BEC) and smishing.
“These new AI tools have helped attackers deliver fast-moving cyber threats, and have ultimately rendered security defenses that rely on threat feeds, URL rewriting and block lists ineffective. Combine these new tools with the way people work using multiple devices communicating and collaborating outside of traditional security defenses, and users and businesses are more exposed than ever to cyberattacks.
“Perhaps even more concerning is the rise of AI tools proliferating on the dark web – such as WormGPT, FraudGPT, and others – that are specifically designed to apply generative AI technologies for criminal purposes.
“Now, we are even seeing the likes of BadGPT and EvilGPT being used to create devastating malware, ransomware, and business email compromise (BEC) attacks. Another grave development involves the threat of AI “jailbreaks,” in which hackers cleverly remove the guardrails for the legal use of gen AI chatbots. In this way, attackers can turn tools such as ChatGPT into weapons that trick victims into giving away personal data or login credentials, which can lead to further damaging incursions.”
Harr argued that detecting these new forms of phishing is hard, and requires assistance from AI. “Training users to detect these new AI-developed types of phishing attacks can be extremely difficult. It’s crucial to leverage AI-based cyber security protection to successfully battle cyber threats that use AI technology. Whether you’re a business with thousands of customers, or an employee using a personal device for work, you have to fight AI with AI.”
(Added, 2:45 PM ET, October 2nd, 2023.) Why is there so much phishing? Because organizations, their stakeholders, and their customers just can’t quit email. “Both consumers and organizations rely on email as a primary collaboration and communication tool so raising awareness of the prevalence of phishing attacks and how to recognize and report them is important,” Marcus Fowler, CEO of Darktrace Federal said, in (of course) emailed comments.
But as familiar as email may be, the threat environment in which it exists isn’t static, Fowler noted. “However, the email threat landscape is constantly evolving and attackers regularly pivot and embrace new techniques to try to thwart defenses. For example, between May and July this year, Darktrace’s Cyber AI Research Centre observed an 11% decrease in VIP impersonation attempts – phishing emails that mimic senior executives – while email account takeover attempts increased by 52% and impersonation of the internal IT team increased by 19%. This is just one example of how attackers pivot as tactics become less effective and more easily recognized. This challenge is only poised to grow in the future as the widespread availability of generative AI tools provide novice attackers the ability to craft sophisticated, personalized phishing scams at scale.”
Employees aren’t clueless about the phishing risk, but here emerging generative artificial intelligence technology enables attackers to avoid some of the familiar and stereotypical markers of phishbait. “In a recent survey,” Fowler explained, “we found that the top three characteristics that make employees think an email is risky are: being invited to click a link or open an attachment, an unknown sender or unexpected content, and poor spelling and grammar. But generative AI is creating a world where ‘bad’ emails may not possess these qualities and are nearly indistinguishable to the human eye. It is becoming unfair to expect employees to identify every phish, and security training, while important, can only go so far. Increasing awareness of and the ability to recognize phishing attempts is an important first step, but an effective path forward lies in a partnership between AI and human beings. AI can determine whether communication is malicious or benign and take the burden of responsibility off the human.”
(Added, 6:30 PM ET, October 2nd, 2023.) “Cybersecurity Awareness Month also serves as a reminder of the ongoing threat posed by phishing attacks and the importance of recognizing and reporting them,” Delinea’s Chief Security Scientist and Advisory CISO Joseph Carson wrote. “Phishing remains a prevalent method used by cyber criminals to trick individuals into revealing sensitive information or engaging in harmful actions. Recognizing phishing attempts involves being vigilant about suspicious emails, messages, or links that attempt to imitate a trusted source. Cyber criminals often use urgent language, false claims, or deceptive URLs to manipulate victims into taking actions that compromise their security. By educating ourselves and others about these tactics, we can reduce the risk. Reporting phishing attempts is equally crucial. Many organizations have established mechanisms for reporting suspicious emails or incidents promptly. Reporting phishing attempts can also reduce the risk and impact to business and help security teams take the appropriate action and measures to protect individuals and the networks.”
And, of course, patch.
“Update software. In fact, enable automatic updates on software so the latest security patches keep devices we are connected to continuously up to date,” CISA cautions. Look to your systems for known vulnerabilities, and apply updates in accordance with the vendors’ instructions.
(Added, 6:30 PM ET, October 2nd, 2023.) Delinea’s Joseph Carson also commented on the too-often overlooked importance of an effective patching program. “Finally, Cybersecurity Awareness Month underscores the critical role of regularly updating and patching software to maintain a strong digital defense,” he wrote. “In an era where cyber threats are constantly evolving, staying up to date with software is a fundamental and basic step to safeguarding our digital lives. Software updates and patches often include vital security fixes that address known vulnerabilities discovered since the software's original release. Cyber criminals frequently exploit these vulnerabilities to gain unauthorized access or launch numerous cyber-attacks. By promptly applying updates and patches, users close potential entry points that attackers could exploit. Neglecting software updates can have dire consequences, leaving systems exposed to a range of cyber-attacks, including malware, ransomware, and even data breaches. The proactive act of updating software safeguards sensitive information, reduces the risk of compromising attacks and helps maintain the integrity of both personal and business digital landscapes.”
In sum, don’t neglect what’s both basic and obvious.
Nick Carroll, Cyber Incident Response Manager, Raytheon, an RTX business, urged organizations to stay focused on the basics: “As cyber threats continue to quickly evolve, organizations are being challenged to act just as fast in counter defense. This rush to keep up can often lead to the harmful practice of organizations skipping the foundational basics of cyber defense and failing to establish a general sense of cyber awareness within the business. Without a solid security culture at the foundation, security tools, such as expensive firewalls or endpoint detection and response (EDR), will ultimately become ineffective in the long term. It’s imperative to build cybersecurity awareness among employees and third parties that work with the business, as well as determine the ways in which security will be integrated into the organization’s culture and operations. Once these steps are taken, organizations will be better positioned to build off of a solid organizational footing that will be most effective for cyber defense initiatives in the long run.”