Learning from Security Lapses- Lessons for a More Robust Defense
The news is filled with security lessons in the form of cautionary tales. Organizations must use these learning opportunities to improve their security position to stay ahead of evolving threats. Our security experts have extracted two vital lessons for you to keep you on trend and secure.
Security Lesson: Reduce Vendor Risk
Vendor risk management (VRM) is a critical function of modern business operations, especially in a world where organizations rely on an ecosystem of suppliers, vendors, and third-party partners.
The Security Situation
On Dec. 11, 2021, Kronos, a workforce management company that provides services to over 40 million people in over 100 countries, realized its Kronos Private Cloud was compromised by a ransomware attack. The impact of this attack didn't just affect Kronos, but severely impacted many businesses that relied on Kronos software, impacting timekeeping and payroll.
The Lesson
As much as an organization can have its act together, your company is still at risk if you rely on a vendor that has security gaps. Protecting your organization from a ransomware attack like the one that hit Kronos means going beyond just protecting your own systems from malware. The COVID-19 pandemic, alongside the surge of ransomware attacks during that time, highlighted the importance of assessing and mitigating supply chain risks. VRM played a crucial role in identifying vulnerabilities in supply chains and finding alternative suppliers.
What You Can Do
Identify and prioritize vendors based on risk
Analyze risk for each vendor
Monitor continuously
Establish contingency plans based on “Cybersecurity What If” scenarios
Test, validate, and continuously evaluate “What If” scenarios
Security Lesson: Secure Accounts Vs. Forgetful Humans
Two-factor and Passwordless authentication are becoming the new standard for preventing unauthorized access to front-line and critical business systems.
The Situation
Many organizations continue to require their users to change their passwords at a set interval. While this practice was once hailed as the best defense to keep unauthorized users out, even Microsoft has dropped the requirement from its Windows 10 security baseline documents (published 5/23/2019), because continually having to create new secure passwords often leads employees to write down or store those passwords insecurely. In 2020, Marriott had 5.2 million guest details stolen by hackers who had obtained two employees’ login credentials.
The Security Lesson
Two-factor and Passwordless authentication are the keys to allowing users to set and commit a secure and unique password to memory while still maintaining account security.
Two-factor authentication requires the user to prove who they are by providing a secondary factor: a six-digit code from an authenticator app or a text message, or pressing “#” during a voice call to a known phone number, are a few examples of this at work. Even if an attacker were to obtain the password, they would not have the secondary factor and so could not breach the account.
Going above and beyond means enabling Passwordless authentication with hardware tokens. A token such as a FIDO2 key can be thought of as both the password and the secondary factor of authentication. This is even stronger, as the user must be in physical possession of a device that cannot be duplicated.
What You Can Do
There are safer and more effective ways to keep accounts secure than rotating passwords. By providing a secondary factor of authentication or allowing Passwordless login, employees are much less likely to need to write down passwords or fall back on easy-to-guess ones.
Recommendations for Further Research:
Ensure that your environment meets or exceeds Microsoft’s security baseline.
Utilize the Microsoft Authenticator application as a secondary form of authentication when using Azure AD single sign-on.
If your environment supports Passwordless, consider migrating to Passwordless authentication by performing small rollouts with FIDO2-based tokens.
Shared Assessments: Shared Assessments is a trusted industry standard body that provides tools, best practices, and resources for managing third-party risk. Their website offers whitepapers, webinars, and assessments.
SANS Institute: SANS offers specialized training in various aspects of information security, including vendor risk management.
Check websites of regulatory authorities like the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the European Data Protection Board (EDPB) for guidance on vendor risk management within the context of regulations.