As remote working looks set to continue post-Covid, there is much that companies, employees, and everyday computer users should be aware of. To learn how enterprise companies are handling these challenges, indica News had a chat with cyber security veteran Tasawar Jalali, who has over seventeen years of experience working with startups and Fortune 500 companies on risk-based Information Security programs, Compliance, and Privacy. He is the co-founder and CEO of Securenode & Smashon Inc, an online health and wellness portal. Jalali holds a BS in Engineering, an MBA in Technology Management, and a master's in Information Management Systems from Harvard University.
In a Q&A with indica News, Jalali highlighted the growing cybersecurity risk of working remotely. He holds users partly responsible as well: even with software tools in place, the loss of visibility of user activity is one of the openings hackers exploit. Another factor is device risk, such as devices running entirely unsupported [OS] versions, and many attacks arrive in ways that go unseen. Pointing to President Joe Biden’s executive order on cyber security issued in May this year, Jalali says the president has emphasized ‘zero trust architecture’, which means trust should not be automatically granted based on the device being on enterprise network infrastructure.
How has the increased need for distributed work changed requirements?
That’s a good question. A lot of requirements have changed. The increased access to business-critical applications and authentication methods, and the types of attacks organizations have experienced, have also changed, i.e., an increase in credential theft and phishing/social engineering.
Some of the big cybersecurity risks stem from the loss of visibility of user activity, the potential for data leakage through endpoints, mixing personal use on work laptops (which increases the risk of drive-by downloads), and maintaining compliance with regulatory requirements.
Organizations are focusing more on remote employee activity versus human-centric visibility, improved network analytics, stronger authentication, and next-generation anti-virus and endpoint detection and response technologies.
IT security budgets and in-house expertise need to increase, along with new efforts to educate remote workers about risks such as password hygiene, up-to-date AV/EDR, and vendor security patches/updates.
How has traditional Multi-Factor-Authentication (MFA) been working, and how to address its vulnerabilities?
MFA solutions have been available for decades; since the onset of the current pandemic, there has been an ongoing, wide-scale, rapid adoption of MFA across all organizations. While MFA does reduce, and in some cases significantly reduce, particular computer security risks, most of the attacks that could be successful against single-factor authentication can also be successful against MFA solutions.
Once the authentication is successful, the authentication token assigned to the identity is usually the same for all authentication methods. There is a huge difference between the authentication method being used to authenticate and the resulting access control token that is used for authorization afterward.
There are several ways MFA can be defeated, such as Session Hijacking, Session Unique Identifier Prediction, Man-in-the-Endpoint Attacks, Banco Trojans (second hidden browser session), Malicious MFA Hardware Modifications, SIM Swap Attacks, Duplicate Code Generators, Skimming Attacks, Social Engineering Tech Support, Stolen Biometrics, ROCA Vulnerability, etc.
Some easy ways to prevent MFA attacks are to avoid in-band MFA implementation, prevent malicious exploitation of the endpoint, implement end-user education to ensure they don’t get socially engineered into installing something malicious, and make sure the device and software are fully patched.
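The distinction drawn above between the authentication method and the access token issued afterwards, shown as an added example (not code from the interview): the session token records which factors were used (an `amr` claim, as in OpenID Connect) so that a sensitive action can demand an MFA-backed and recent authentication instead of treating every token alike. The signing key, policy table and action names are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed example: a signed session token that records *how* the identity
# authenticated, so authorization can tell an MFA session from a password-only one.

SECRET = b"demo-signing-key-not-for-production"   # constructed, demo only

# Actions and the authentication methods a token must record to perform them.
# A sensitive action also demands that the authentication event is recent (step-up).
POLICY = {
    "read_profile":   {"require": set(),    "max_age": None},
    "transfer_funds": {"require": {"mfa"},  "max_age": 300},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, methods, auth_time, ttl=3600, secret=SECRET):
    """Mint a signed token carrying subject, methods used (amr), auth_time and expiry."""
    claims = {"sub": subject, "amr": sorted(methods),
              "auth_time": auth_time, "exp": auth_time + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, now, secret=SECRET):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims["exp"] > now else None

def authorize(token, action, now, secret=SECRET):
    """Decide from the methods recorded in the token, not from the fact of login alone."""
    claims = verify_token(token, now, secret)
    if claims is None or action not in POLICY:
        return False
    rule = POLICY[action]
    if not rule["require"].issubset(claims["amr"]):
        return False   # password-only session asking for an MFA-gated action
    if rule["max_age"] is not None and now - claims["auth_time"] > rule["max_age"]:
        return False   # MFA happened too long ago: step-up needed
    return True
```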
Can we gain risk-reduction improvements by converging the traditionally disparate identity and security processes and technologies?
Although centralized management creates a single, centralized target, converging the traditionally disparate Identity and Access Management (IAM) solutions provides much greater security. It ensures regulatory compliance, reduces password issues, provides for centralized access control, enhances the on-boarding and off-boarding process, enables cost savings, and simplifies and enhances the user experience. Other benefits, such as the ability to access applications/data from anywhere, especially with the current pandemic, are significant in optimizing the remote user experience.
What is device risk, and why is the real-time assessment of endpoint security important?
The percentage of devices running entirely unsupported [OS] versions has not changed, remaining constant at 0.4% (between 2019 and 2020). This includes now-obsolete Windows OSes like Windows XP and Windows Server 2003. Identifying and classifying these devices running legacy operating systems is critical for risk mitigation.
Some of the ways to improve security in medical devices are:
– Incorporate procedures that would make the software both trustworthy and resilient
– Ensure software design and update practices are transparent
– Include in the design and implementation of the software a specification of cybersecurity features and validation of those features, and a Cybersecurity Bill of Materials (“CBOM”)
– Employ static and/or dynamic vulnerability testing of the software.
– Establish privileged access
While cybersecurity is seen as a shared responsibility among all stakeholders, the ultimate responsibility for cybersecurity lies with the manufacturer. It’s their product, so it’s their responsibility. Fortunately, the FDA has issued comprehensive recommendations that, if followed, will either prevent or mitigate the impact of a cybersecurity attack.
Real-time assessment is extremely crucial for endpoint protection. If enterprises can efficiently monitor or analyze their endpoints, they can recognize anomalous activity and block threats in real time. It’s imperative that organizations employ real-time endpoint monitoring solutions, while intelligently aggregating, correlating, and analyzing data to initiate an automated response to counter any threats. Currently, several vendors offer cloud-based correlation, aggregation and analysis using ML and AI to detect threats in near real time.
What role do you think credential theft plays?
The number of attacks resulting in large-scale credential theft has almost doubled over the past four years, and they are very hard to clean up because credentials do not get changed often by the users and IT security policies don’t enforce password changes that often. As far as the cyber criminals are concerned, there is little to no risk in reusing the list of stolen credentials, and plenty to gain if they work. Phishing has been the most common method of stealing credentials; phishing compromises less than 4% of credential farming. Once the attacker is on the network, they can use different techniques to gain access to credentials.
This attack is driving new protection mechanisms such as advanced email and browser protections and single sign-on (SSO) solutions, combined with user education about the dangers of password sharing. SSO can help reduce the likelihood that end users will compromise password security for the sake of convenience. MFA can be the single most effective action to combat credential theft.
What additional steps can we take to advance a Zero Trust strategy?
Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location and focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource. There are several ways orgs implement ZTA i.e., Enhanced Identity Governance, Micro-Segmentation, Network Infrastructure and Software-Defined Perimeters.
To further the ZTA strategy organizations must:
– Develop a clear and precise inventory of all the assets – SW/HW.
– Trust should not be automatically granted based on the device being on enterprise network infrastructure
– Grant access with the least privileges needed to complete the task
– Access based on dynamic policy such as application being accessed, software version, network location, previously observed login and behavior
– Establish a continuous diagnostics and mitigation (CDM) to monitor the state of devices and applications and ensure software patches are applied on a consistent and frequent basis
– Use of MFA to ensure strict and dynamic enforcement of authentication and authorization
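An added example (not the interviewee's code) of the per-request, dynamic policy listed in this answer and of the legacy-OS classification from the device-risk answer above: each request is checked against the asset inventory, device posture (unsupported OS, overdue patches), the role's least privilege, MFA, and previously observed locations, while being on the corporate network earns no implicit trust. The inventory, role table, patch threshold and location codes are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed zero-trust policy check: no request is trusted for its network
# location; every one is evaluated against inventory and current device posture.

UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}  # the two named in the interview
MAX_PATCH_AGE_DAYS = 30                                  # assumed CDM threshold

# Asset inventory (constructed): device id -> recorded owner and OS.
INVENTORY = {
    "lt-001": {"owner": "alice", "os": "Windows 11"},
    "lt-002": {"owner": "bob",   "os": "Windows XP"},
}

# Least privilege: each role maps to exactly the actions it needs.
ROLE_ACTIONS = {"analyst": {"read_report"}, "admin": {"read_report", "rotate_keys"}}

@dataclass
class Request:
    user: str
    role: str
    device_id: str
    action: str
    mfa: bool
    patch_age_days: int
    network: str                      # "corp" or "internet": recorded, never trusted
    known_locations: set = field(default_factory=set)
    location: str = ""

def evaluate(req: Request) -> tuple:
    """Return (allowed, reason); the first failing check explains a denial."""
    device = INVENTORY.get(req.device_id)
    if device is None:
        return False, "device not in inventory"
    if device["owner"] != req.user:
        return False, "device not assigned to this user"
    if device["os"] in UNSUPPORTED_OS:
        return False, f"unsupported OS: {device['os']}"
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, "patches overdue"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "action exceeds role's least privilege"
    if not req.mfa:   # req.network is deliberately not consulted here
        return False, "MFA required regardless of network location"
    if req.known_locations and req.location not in req.known_locations:
        return False, "login from previously unobserved location"
    return True, "allowed"
```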