Gordon Lawson, CEO, joins Bret Baier, host of ‘Special Report’ on Fox News as a panelist to discuss AI challenges to privacy and security.
While October is coming to an end, our commitment to ensuring safety online will continue every day. In review, this month has highlighted the need for cybersecurity to start with the individual. Below are four steps NCSAM highlighted that businesses of all shapes and sizes can take to better protect themselves against cyber attacks:
Identify Your Crown Jewels
Understanding what information cyber criminals are after most is essential to combating cyber attacks. Therefore, creating an inventory list of the valuable data and assets within your organization and understanding who has access to important data and information will ensure that business leaders have a track record of accessibility so that they know where to look in case of a vulnerability or breach.
Update and Authenticate Assets
At the end of the day, protecting your data and devices from malicious actors is what cybersecurity is all about. In order to accomplish this, make sure your security software is current. Investing in the most up-to-date software, web browsers, and operating systems is one of the best defenses against a host of viruses, malware and other online threats.
Monitor and Detect Suspicious Activity
Companies must always be on the lookout for possible breaches, vulnerabilities and attacks, especially in a world where many often go undetected. This can be done by investing in cybersecurity products or services that help monitor your networks such as antivirus and anti-malware software.
Investing in software that can isolate suspicious activity before it has the opportunity to access your network can be the difference between falling victim to a debilitating attack and continuing business as usual.
Have a Response Plan Ready
No matter how many safeguards you have in place, the unfortunate reality is that cyber incidents still occur. However, responding in a comprehensive manner will reduce risks to your business and send a positive signal to your customers and employees. Therefore, businesses should have a cyber incident response plan ready to go prior to a breach.
It has been our pleasure being a NCSAM champion and participating in the mission to bring about awareness of best online practices. Conceal was founded on the desire to improve safety online and our mission is to think about how you choose to protect your enterprise’s web-based activity. By pushing the boundaries of cybersecurity, it’s easy to stay safe online. We would love to talk to you more about how we can elevate your organization’s online safety; click here to schedule a demo today.
Unpatched and out of date software opens an organization’s network up to a variety of vulnerabilities. Threat actors are able to target software with known vulnerabilities to test an organization’s patch management strategy and exploit vulnerabilities that have not been addressed. With unpatched software, threat actors can exploit vulnerabilities that the patches are looking to remediate.
In 2014, Home Depot fell victim to its largest data breach in company history and it was not a major surprise to many of its security experts. In fact, many former employees had been warning the home improvement chain for years that with their current security practices, they remained an easy target for hackers. In the years leading up to the data breach that compromised 56 million of its customers’ credit card numbers, Home Depot had been leveraging outdated software for protection. Their inability to patch software that they heavily relied on was the ultimate culprit in the organization’s detrimental breach.
Dating as far back as 2014, Marriott fell victim to its largest data breach in history, compromising the data of up to 500 million guests. The breach, which was not detected until 2018, involved the exfiltration of customer data including credit cards, addresses and passport numbers of many guests. It is believed by many that the root cause of the breach was unpatched software.
In May of 2017, a global epidemic took place in the world of cybersecurity. WannaCry, a ransomware worm that attacked Windows PCs, took organizations by storm when the malware spread from PC to PC across the network. Prior to the exploitation of the vulnerability, Microsoft had released a patch to address the threat but as seen by the epidemic response to the weaponization, organizations were not quick enough to patch before the exploitation occurred. This ransomware is said to have affected over 200,000 computers in over 150 countries.
Protect Against Unpatched Software
Simply put, the best solution to protect against unpatched software is to patch your software. CISA has explicitly stated on many occasions that, “Foreign cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.” In this day and age, lack of patching comes from either an overwhelmed security team or the lack of a sufficient patching plan. Patching plans need to prioritize risks. It is understood that a security team cannot patch all applications at the exact moment a patch is released. As a result, it is imperative for organizations to include risk prioritization as part of their patching plan. Another imperative part of your patching plan must be to keep an updated inventory of your network and all the applications running on it so that the security team has an accurate inventory to conduct patching on.
Conceal’s Solution to Unpatched Software
While Conceal cannot patch your unpatched software for you, our solution can maximize security efforts to minimize the damage of threat actors exploiting known vulnerabilities of web applications. By obscuring a user’s critical identity and enhancing safety, confidentiality, and performance on the web, Conceal is able to address privacy and security needs so your organization can focus on other aspects of your security program, such as patch management.
Week two of National Cybersecurity Awareness Month is underway and if there is one thing we have learned it is how important it is to change your passwords! Today, 75% of people don’t know how to create secure passwords. This is especially concerning as data this year has shown that 81% of the total number of breaches leveraged stolen or weak passwords. Now, more than ever, to #BeCyberSmart strong passwords and a password manager are a must.
Best Practices for Strong Passwords
NIST Special Publication 800-63B – Digital Identity Guidelines – is a great resource for educating users on creating a secure password. As an individual user, it is important to understand that password length is more important than complexity. Enforcing complexity, such as including a lower-case letter, upper-case letter, number, and special character, is great in theory but this often results in simple passwords such as “Password123!” being created. Instead, a long password, such as a passphrase that is easy for the account owner to remember, will prove just as strong.
As an organization, there is a lot to learn from NIST’s special publication. First of all, it is encouraged that all new passwords are screened against a list of commonly used and compromised passwords. This way, you ensure common, easily guessable passwords are avoided. Secondly, NIST suggests that organizations do NOT enforce regular password resets. While controversial, their stance is that forcing employees to change their passwords regularly results in the creation of new passwords that are virtually the same as the old one just with a minor change. And to make matters worse, these changes are typically predictable patterns. NIST additionally suggests a limit to the number of failed password attempts before account lockout. This protocol will minimize a threat actor’s ability to brute force their way in as a user, minimizing account compromise. And lastly, in line with the theme from last week, it is recommended to implement MFA on all eligible accounts. This way, users must authenticate into their account with an additional means beyond the typical username and password.
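An added example, not from the original article or from NIST, of the screening and lockout checks described above: it shows “Password123!” satisfying a composition rule yet failing blocklist screening, while a long passphrase is accepted. The blocklist entries and the lockout threshold are constructed assumptions; the 8-character minimum is the SP 800-63B floor for user-chosen passwords.

```python
import re

MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen passwords
# Constructed sample; a real deployment loads a large list of common and breached passwords.
BLOCKLIST = {"password123!", "qwerty12345", "letmein2022"}
MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the article gives no number


def passes_complexity_rule(password):
    """Legacy composition rule: lower-case, upper-case, digit and special character."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(p, password) for p in patterns)


def screen_new_password(password):
    """Return (accepted, reason) from length and blocklist screening, no composition rule."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.casefold() in BLOCKLIST:
        return False, "commonly used or compromised"
    return True, "ok"


class LoginThrottle:
    """Counts consecutive failed logins per account and locks at the threshold."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = {}

    def is_locked(self, account):
        return self.failed.get(account, 0) >= self.max_failed

    def record(self, account, success):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(account):
            return True  # attempts against a locked account are refused outright
        if success:
            self.failed.pop(account, None)  # a good login resets the counter
        else:
            self.failed[account] = self.failed.get(account, 0) + 1
        return self.is_locked(account)


if __name__ == "__main__":
    for candidate in ("Password123!", "violet kettle drives north slowly"):
        print(candidate, passes_complexity_rule(candidate), screen_new_password(candidate))
```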
In the words of the National Cybersecurity Alliance, don’t take a pass on a password manager. In this day and age, it is genuinely impossible to remember all the passwords to your online accounts, especially if you are abiding by all the best practices we mentioned above. Some may think the simple solution is to just use the same password for most, if not all, of your accounts, but the reality is, that’s not safe. While this may sound great in theory, using the same password for multiple accounts exponentially increases the likelihood of multiple breached accounts. In a breach, if a bad actor can exfiltrate your credentials, and the credentials are the same you use for all your accounts, the threat actor just hit the jackpot and can now gain access to all of your accounts and sensitive information.
Luckily, a simple solution exists. By investing in a password manager, you don’t have to risk using the same login credentials for all of your accounts. When you invest in a password manager, you will end up saving time in the long run, not having to guess and check until you remember the right password. Typically, managers work across all your devices and operating systems, making it easy to share between computers, phones, and other compatible endpoints. Additionally, password managers help protect your identity. Make sure to check out last week’s article on the importance of identity management here.
Conceal Supports Password Managers
Here at Conceal, we understand the importance of a password manager. Conceal’s suite of solutions supports password managers so that even in an isolated environment you can access your stored strong password habits with ease. It is also worth noting that we practice what we preach. All employees at Conceal are proud users of a password manager, an aspect of our online presence that we are not shy to share. Oftentimes during demos, you will see our engineers and VPs access their manager to log in to different accounts to show you our platform functionality. Strong unique passwords are a must in 2022 and a safe, encrypted database to house them allows your memory to focus on other things!
Week one of Cybersecurity Awareness Month is underway and we at Conceal could not be more thrilled that identity management made the cut this year! The National Cybersecurity Alliance has been highlighting how you, as the star topic of this month’s approach, can #BeCyberSmart through enabling multi-factor authentication (MFA). Identity management is an imperative aspect of an organization’s cybersecurity strategy, helping ensure that you have the access to the tools and data you need to do your job.
Aspects of Identity Management (AIM)
Identity management goes beyond MFA. We could spend the entire month talking about the ins and outs of a top notch IAM program, but, since we only have a week dedicated to identity, we will keep it brief. MFA is great, as we will see below. But, not all accounts or applications offer MFA. As a result, a solution that can obfuscate an identity can also be a key strategic component to identity management.
Multi-factor authentication is a security control that requires a user logging into their account to complete a multistep process to verify their identity. This extra security measure reduces a threat actor’s success rate in leveraging a legitimate account after gaining access to the username and password of a legitimate user. There are many types of MFA. The National Cybersecurity Alliance mentioned six different authentication measures this week, including:
- An Extra Personal Identification Number
- Extra Security Question
- Additional Code Emailed or Texted to the User
- A Yes or No Button or Unique Number Through a Third-Party Application
- A Biometric Identifier
- A Secure Token
MFA is continuing to grow in popularity, but it is not an intrinsic part of every login today. While it is seen in many accounts holding valuable data, such as a bank login, there is value in having MFA on all applications and logins. In the meantime, it is important for organizations to invest in other identity management strategies, such as obfuscation.
Obfuscation refers to the obstruction of some type of data so that it is unrecognizable by others. For identities, obfuscation can mask an identity, making it difficult for a threat actor to gain access to the user credentials. This is important for logins and applications that do not leverage MFA. Making it impossible for threat actors to identify a user minimizes the need for MFA in many instances.
Here at Conceal, we specialize in obfuscation. Conceal’s patented design obscures and varies network pathways while protecting your identity and systems across multiple cloud providers. Conceal improves performance, increases privacy and security, and creates redundancy to provide better resiliency and a reduced cyber-attack vector. Conceal’s unique network design lowers your cyberattack profile by isolating, obfuscating, and dynamically shifting your communications pathways. With Conceal, your network communications are not attributed back to your organization. Conceal’s functionality as part of your overall identity strategy addresses shortcomings in other components, such as MFA.
As mentioned above, identity management is vital for logging into accounts that pertain to the most sensitive and confidential information, such as banking details. As a result, bad actors target these organizations and accounts more than others. Therefore, a security strategy that maximizes identity and access management is imperative. Conceal provides critical identity obfuscation for organizations within the financial services industry that need to protect customer data, financial transactions, investment research and branch communications. Our solutions provide complete misattribution and privacy for personnel operating on the internet, leaving no identifiable footprint. Additionally, ConcealCloud keeps its users unidentifiable to criminal elements, prevents websites from filtering or denying content, enables discreet online surveillance and provides a reduced cyber-attack vector. To find out how investing in Conceal can add unparalleled value for your identity management strategy, request a demo today.