por Rebeca | Ene 5, 2022 | Ciberseguridad, Soffid
Cybercriminals
Throughout 2021, global news seemed to ricochet between the rapid spread of new iterations of COVID-19 and cyber criminality — both becoming increasingly creative and disruptive as they mutate in a battle for survival; both interlinked as cybercriminals profit from rapid digitalization forced by COVID-19 lockdowns. In a recent interview, a prominent cybersecurity executive pointed out that alongside birth, death and taxes, the only other guarantee in our current lives is the exponential growth of digital threats.
Because security is not built into new technology from the ground up, cyber criminals quickly get a foothold and cause untold damage before we can catch up.
Much has been said about the cybersecurity skills shortage. Millions of cybersecurity positions are unfilled, and this is causing serious problems at many organizations. Cybercriminals the magnitude of the skills shortage is based on a specific model of doing security. This model is reactive rather than proactive and takes a labor-intensive, “brute force” approach to threat response. We need more bodies in cybersecurity because our methodology is to “throw more bodies at the problem.”
For example, rather than doing threat modeling and building strong, proactive controls as they develop an application, organizations scan for vulnerabilities, manually analyze the scans and manually remediate the problems — or else let the vulnerabilities accumulate. Cybercriminals this consumes a lot of resources and ultimately does not leave an organization significantly safer than if it had done nothing.
Moving Beyond Brute Force
While most people may see the logic in moving beyond this scattershot approach, it has an incredibly strong gravitational pull. IT governance policies at many organizations require the use of antiquated security technology and processes when other approaches would provide better protection using fewer resources. At the same time, the rapidly evolving marketplace means that development teams face continual pressure to crank out applications even faster than they do today. This makes it easy to rush into development rather than taking the time to architect an application to be secure before coding even begins.
But what if we were to break from the gravitational pull of reactive security and refocus on what really matters? We could build security into new technologies as they are developed, rather than adding it as an afterthought. We could become consistent, prioritized, focused, structured and strategic in the use of people, processes and tools. help developers learn to write safer code by providing real-time feedback.
At the same time, we need to be making security more visible. If users had an idea which software was safer and which was less safe, they would choose accordingly. The White House issued an executive order in May that can potentially move us in this direction. For example, it requires software vendors to provide a “Software Bill of Materials”. Something of an “ingredients list” for an application. We need dramatically more information about why we should believe something. Secure before we trust it with important things — like elections, finances and healthcare, for example.
Proactive cybersecurity strategies
Aggregate a multitude of perspectives, which brings the benefit of innovation, problem-solving and consensus-building.
From the growing adoption of distributed cloud to the proven benefits of remote mobile workforces. The attack surface for bad actors is ever-widening. This means the requirements for network security have also evolved with the growing threats of increasingly distributed systems.
Security should not take a backseat to innovation in digital businesses. Of course, innovation and speed will require businesses to build secure systems, which means we can no longer afford to implement security only at the service level. We need to apply adaptable solutions from the architecture level that will change with digital business requirements.
See how Soffid can help you stay ahead of the curve in a rapidly evolving digital world. Let us know how we can help you
Sources:
(1) Forbes
(2) Information Week
por Rebeca | Dic 8, 2021 | Noticias, Recursos, Soffid
There is no “one size fits all” when it comes to cybersecurity.
Over the last six months, we have seen an escalation in the number of reported cyberattacks, in their range, sophistication and in their long-lasting impact on businesses such as the Colonial Pipeline attack, and SolarWinds to name just two. These events obviously highlight the importance of having an effective cybersecurity strategy per organization, one size fits all because even if an organization undergoes such an attack, there should be company processes in place to mitigate the severity of the consequences. To do that, companies must monitor and be aware of the main existing security risks and effectively respond to these types of incidents as they occur.
Still, each organization is different in its make-up, business needs, productivity measurements and workflows. Each organization has different network architectures and software. There is no “one size fits all” when it comes to cyber security.
CISOs
Security teams are usually aware that they need to identify the cyber risks most likely to affect their own business’ smooth running and build a security infrastructure aligned with the company’s risk tolerance level. But that is easier said than done.
Even now, with everything that has occurred, many enterprises do not prioritize personnel and budgets for this purpose, often leaving the CIO or CISO and her/his team to “fend” for themselves. Without the appropriate resources and without full company involvement and support, that is a very tall order.
In addition to organizational support, with the plethora of different approaches and tools, identifying the optimal security path requires adopting proactive and scalable methods and the ability to prioritize the different types of cyber threats.
Whether you obsess about cybersecurity every day or you are completely new to the process, there are certain things that you should consider to make your company’s cybersecurity strategy successful. In this post, we’ll reveal five elements you should include in your strategy, regardless of whether you are the sole proprietor of a brand new business or looking to transform the security posture of a large, well-established organization.
-
-
Understand the difference between compliance and security.
In any instance where your company collects personal information or data as part of your relationship with your customers or vendors, you have an ethical if not legal obligation to be a responsible steward of that data. It is not enough to say “we won’t share your personal information” or be able to produce required audit reports if asked, because that’s not really security. The first step to creating a security strategy is knowing what data you collect, where it’s stored, who has access to it, and why. This enables you to establish what is “normal” data use for your organization and makes it much easier to see when someone is trying to steal it.
-
Make data security everyone’s responsibility.
Forrester Research recently reported that 80% of security breaches involve privileged credentials. That means an insider either unwittingly or with malicious intent exposed their credentials, and likely sensitive personal data, to a cyber-criminal. Another pillar of a cybersecurity strategy should be educating employees on the fundamentals of how to proactively limit exposing their credentials. This can be as simple as asking people to log out of sensitive databases when finished with them or helping them identify a likely phishing attack. An organization like the National Cyber Security Alliance offers great resources to get you started. It’s also important to consider data access control issues. With the right technology, organizations can apply role-based user privilege access control rules to align individuals; privilege levels with the actual requirements of their job function. Not just once, but on a continuous basis.
-
Account for the roles of your cloud vendors and ISPs.
Organizations large and small share sensitive data with cloud-native architectures for a myriad of reasons. AWS’ very useful Shared Responsibility Model explains; very well that cloud vendors provide secure architectures in which their customers can store data; but it’s the customer’s responsibility to apply their security policy to the data. This detail seems to be lost on the vast majority of organizations. Gartner reports that at least 95% of cloud security failures until 2022 are predicted to be the customer’s fault.
Part of your security strategy should be working with all your cloud-native vendors to ensure that their environments. Many retail and services organizations use ISPs to host their websites. They depend on their ISPs to keep their websites up and running regardless of traffic levels.
If your website were ever subject to a Distributed Denial of Service (DDoS) attack; an incident whose sole purpose is to make your website and servers unavailable to legitimate users; you could be facing an existential threat. In many instances, to ensure the other websites they host are not subject to diminished performance. One size fits all an ISP will simply shut down a website under a DDoS attack until it stops. Part of your security strategy needs to account for DDoS attacks and have a solution in place to disperse; illegitimate web traffic without shutting down your website and ensure real customer traffic reaches your organization.
-
Have a plan for if you are breached.
In spite of best efforts, breaches happen and your data security strategy needs to account for what happens next. You should have a disaster recovery plan in place to secure your network; prevent further damage and identify the breach source as well as inform stakeholders and law enforcement. The plan should turn the incident into a positive by ensuring knowledge gleaned.
While these elements are essential, they are not all you need. We strongly recommend working with cybersecurity experts to accurately evaluate your specific threat landscape; and help you build a sustainable data security strategy for today and the future.
Today’s hyperconnected and decentralized workforce maneuvers within dynamic network; architectures and programs that have moved to the edge and the cloud. Therefore any effective cyber defense strategy must start with open communication between the CIO/CISO. One size fits all security teams, and company executives.
This open line of communication is especially important since 2020.
one size fits all
With the increased number of employees working remotely, security officers face the added challenge of providing remote workers with additional layers of security, as the organization is more exposed to cybercriminals.
Integrating business operations with security personnel helps employees understand security better. It also allows cybersecurity professionals to consider the organization’s business strategy and priorities. While establishing cyber security policies and managing cyber risk solutions and monitoring.
Additionally, establishing the following core security principles and policies empowers the CIO/CISO; to focus both on individual applications and the broader company infrastructure.
Sources:
(1) Security Boulevard
(2) CIO.com
(3) The World Economic Forum
Picture: <a href=’https://www.freepik.es/fotos/negocios’>Foto de Negocios creado por rawpixel.com – www.freepik.es</a>
por Rebeca | Oct 6, 2021 | Ciberseguridad, Noticias, Soffid
Pre-COVID-19
Private and public organizations were on a journey towards a digital business model, digitalization in companies travelling at varying speeds. But the scale of the pandemic has forced a dramatic acceleration, both in the speed of change and the required investment in digital transformation.
According to KPMG’s 2020 global survey, organizations are investing heavily in technology to address immediate concerns like falling revenue and interrupted supply chains, and to build longer-term competitiveness and resilience.
t’s a struggle to find many positives about the current coronavirus pandemic, however there are a few interesting aspects that are starting to emerge. Trends that may well bring significant positive benefits as their full impact is felt in the months and years to come. One of these is the likely acceleration of digital transformation projects.
Cyber security and IT operational challenges, cost pressures, risk aversion and the skills gap are all driving the digital transformation agenda. On the plus side, benefits such as innovation and improvement of products and services, efficiency and an uptick in organizational agility are all expected outcomes.
Why Will COVID-19 Accelerate The Pace Of Change?
As vast swathes of the workforce shift to remote working and pressure increases to enable digital delivery of products and services traditionally rooted outside the online space, the pressure to be a truly digital organization will only increase. Organizations of all shapes and sizes will face renewed commercial pressure to negate the downsides through digital transformation and realize the benefits it offers in order to remain viable.
Organizations and investment in digital transformation
We are in a time where COVID-19 has transformed the future of business forever. Organizations from all sectors globally have been focusing on transforming digitally to ensure that the needs of their organization, customers, citizens, patients, and greater stakeholder community are met. The move from physical and on-premises to digital was critical to ensure organizations’ survival through COVID-19, as well as setting an example for potential challenges that may occur in the future.
There are very few industries unimpacted by the COVID-19 pandemic.
However, retail is an industry that has seen Digital Transformation skyrocket. With the breakneck pace of change required for retailers to compete for business online further compounded by the influx of bricks-and-mortar businesses to e-commerce due to global restrictions and lockdowns, full-scale Digital Transformation very quickly became inevitable.
All this is to say that the conversations in business have shifted rapidly over the past year to a unanimous; understanding that digitization of services in addition to industry disruption due to rapid advancements in the technologies available to businesses are now changing the shape of commerce forever. Businesses that want to keep up, or survive in reality, will need to transform radically – not just digitally, but in mindset too.
A McKinsey report argues that “Now is the time to reassess digital initiatives”. The current pandemic is forcing the hand of many to adapt to survive. Never has the phrase, ‘necessity is the mother of invention’ been more relatable.
Over the last few months
The way we interact with services has changed. Many of us are now fully ‘remote’—not only are we working from home, but also learning, shopping, exercising, and other day to day activities.
We’ve all had to adjust. But for companies in particular, it’s raising questions about how to maintain business continuity. Unable to conduct business as normal, many have turned to alternative solutions and business models. Restaurants have started providing food deliveries, gyms are offering virtual classes; and even hairdressers are offering tutorials online to help people cut their own hair.
These alternative solutions will likely require some form of digital innovation or optimization. In some cases, it’s fast-forwarding digitization processes that businesses were already exploring; and in others, it’s bringing to light new ones which hadn’t been considered.
What does this mean for a post-Covid world?
With many businesses turning to alternative digital solutions now more than ever before. Will there be no going back once the Covid pandemic has passed?
If digital solutions are more convenient, offer a better user experience; and are more scalable for businesses, why would we then revert to time-consuming, inefficient manual or face to face processes?. Are we seeing a glimpse into the future, where digital processes dramatically improve the way businesses function; and the way they serve customers?
We’re familiar with new tech start-ups, for example challenger banks, using digital processes to their advantage. But we may see more digital processes taken up by traditional services, such as mainstream banks. Hotel check-ins, voting and car rentals.
One thing to keep in mind with digital transformation however; is that as it develops, we risk widening the gap between those; who turn to digital options and those who don’t. Not only could this impact businesses, but we must also consider customers who might find it more difficult; to use digital alternatives, for example older generations.
However, if done right, digital transformation could help secure the future of many companies. The pandemic has highlighted the fact that businesses around the world need to become more flexible and more digital. And that through doing so, it could ensure that they emerge from the Covid pandemic stronger than they were beforehand.
Sources:
(1) KPMG
(2) Deloitte
(3) CioInsight
Picture: <a href=’https://www.freepik.es/fotos/icono’>Foto de Icono creado por rawpixel.com – www.freepik.es</a>
por Rebeca | Jun 23, 2021 | Ciberseguridad, Soffid
Management and authentication of identities
While IAM controls provide authentication of identities to ensure; that the right user has the right access as the right time. PAM layers on more visibility, control, and auditing over privileged identities. Management and authentication of identities is really important.
In a Tuesday session, titled «Security Leader’s Guide to Privileged Access Management,» Gartner research director Felix Gaehtgens said privileged access management is a crucial component of any security program because of the increasingly large scope of IT environments, users, administrative tools, and IAM data such as passwords, and certificates.
Organizations face multiple challenges on Management and authentication of identities:
More over, insufficient oversight and auditing: Most organizations lack adequate controls to regulate the privileges and use of highly privileged accounts. However, but regulations such as Sarbanes-Oxley (SOX), J-Sox and GLBA dictate that organizations must demonstrate who has access to what data and resources, when, why and who approved such access and defined rights.
Importance of Auditing over privileged identities
Shared access to account IDs and passwords; The typical problem with shared accounts is that everyone uses the same ID and password, which creates compliance challenges, as it is impossible to determine who has access to the accounts and who actually performed a specific action.
So, inadequate segregation of duties: IT resource personnel who use and maintain privileged; accounts are often the largest access holders in any organization. Certain highly privileged accounts, also especially those designed for emergency operations and incident management; can allow misuse to go virtually undetected or leave no traceability. Organizations must choose between compliance and the ability to recover or resolve problems quickly.
It is a pleasure to invite you to our new webinar we are celebrating today, 23rd June.
During the webinar we will discuss about how PAM is emerging as one of the hottest topics in cybersecurity; and why it must be a part of your overall IAM strategy.
por Rebeca | Jun 9, 2021 | Ciberseguridad, Soffid
The 2020 Global State of Least Privilege Report (Least Privilege Technologies and Solutions) shows that two-thirds of organizations now consider the implementation of least privilege a top priority in achieving a zero-trust security model.
Below, we take a look at some of the critical drivers for the adoption of least privilege Solutions and Technologies. We also explore the failure of traditional systems and how modern solutions such as Software-Defined Perimeter, Secure Web Gateway and Risk-Based Authentication, among others, engender greater enterprise network security.
Access is Responsibility and Least Privilege Technologies and Solutions
According to an Identity Defined Security Alliance (IDSA) study published last year, 79% of enterprises experienced an identity-related security breach in the previous two years. Last year, just as the COVID-19 pandemic gathered momentum, another report revealed a rise in attacker access to privileged accounts, which puts businesses at a greater risk.
It is important to note that in this age where data is everything, access is equal to responsibility. Therefore, the greater access a person has at a given moment; the greater responsibility they have to protect the data that they have access to. According to the State of Security blog, author Anastasios Arampatzis states that the central goal of privilege access management, which he admits covers many strategies, is the enforcement of least privilege.
Privileged accounts are a liability precisely because the data they have access to makes them attractive targets to cyber attackers. The greater the level of access an account has, the more significant the impact of an attack would be. More so, the greater the number of privileged accounts on a network, the more catastrophic an account compromise could be. Basically, every additional privileged account multiplies the risks on a network. Therefore, it is crucial to keep the circle of privilege small in order to limit unnecessary data exposure.
Legacy Systems: The Failure of VPNs to Adequately Secure
Amidst the current challenges in privileged access management, organizations are beginning to explore alternative solutions to traditional VPN technology and other legacy security solutions which have failed in actively securing privileged accounts. One notable problem is the lack of remote user security on many VPN products, and they neither integrate well with identity providers nor properly implement user policies on identity access and authorization. The weakness of VPNs are made more apparent in this age of remote work.
Least Privilege Technologies and Solutions
At the turn of the pandemic, companies had to allow their employees to work from home. This led to a surge in VPN adoption. According to the Global VPN Adoption Index report; VPN downloads reached 277 million in 2020 based on data collected from 85 selected countries.
The cybersecurity landscape can be described as a kind of cat-and-mouse race. In response to this trend, cyber attackers shifted their focus to exploiting VPNs, amongst other techniques such as phishing. However, being a legacy technology that has somehow due to its ubiquity made its way to more modern times, VPNs have become quite weak; based on the assertion that “VPNs are designed to secure data in transit, not necessarily to secure the endpoints. ” it is easy to see why the ‘new normal’ in cybersecurity is the protection of endpoints in an age where data is gold.
Least Privilege Solutions and Technologies
The current overhauling of our approaches to access management and authentication; has given birth to the rising adoption of the cybersecurity of least privilege. This principle is connected to another swelling trend in cybersecurity: the zero-trust model.
True zero trust technologies adopt the principle of least privilege by default.
The need for privileged accounts is common to most information systems. These accounts are necessary to perform scheduled configuration and maintenance tasks, as well as supervening tasks such as the recovery of a hardware or software failure or the restoration of a backup. Due precisely to the need to use these accounts in an unplanned manner, their management must combine security, procedures and flexibility.
In order to effectively manage these accounts, the Soffid product has the necessary logic to Identify accounts. Classify them according to the level of risk and its scheme of use; distribution and assignment to responsible users, automatic and planned password change process. Passwords delivery process to authorized users and automatic injection of passwords, when this injection applies and makes sense.
Conclusion
The principle of least privilege in cybersecurity is not just an exciting fad that would go away soon. Rather, it is becoming a standard model and best practice for network protection in the new normal of cybersecurity.
Sources:
(1) Tripwire
(2) Security Tech
