Ever Expanding Defence Perimeter

Even though companies would like to have employees return to the office after the pandemic, the norm of working from home, or even working from anywhere, is here to stay. This means that uncontrolled connectivity options result in a growing attack surface: home routers, public Wi-Fi spots, shared personal hotspots and more are causing headaches for many businesses trying to secure their end-points.

Many very good end-point security solutions like CrowdStrike, Microsoft and SentinelOne provide an active method of securing endpoints with state-of-the-art software, which provides an excellent overview of the overall security state of those end-points.

The main issue is that upon detection of a security problem, the threat has already arrived at the end-point. There are a few things that end-point security solutions can do in such cases: containing the threat by quarantining it in some sort of sandbox for later analysis, erasing it by deleting the malware entirely, using forms of AI to try to determine what the malware does and to resolve vulnerabilities in the software that is being misused for such attacks, and a few others.

What many solutions do not cover is yourself, the human factor. As I mentioned, no security solution is 100% foolproof. Hackers and security analysts are in a constant battle to outsmart each other. This leads to the inevitable conclusion that at some stage a threat actor may be able to find a loophole in your software which is not detected by any of the defence solutions you may have in place.

Secondly, what all these solutions cannot prevent is active interaction with the person sitting behind the screen. If tactics are used which bypass every technical surface and simply "social-engineer" their way into people's accounts via seemingly valid, normal procedures, there isn't much that defence solutions can do. Therefore, the defence strategy needs to take a more holistic approach which includes multiple layers of technical and non-technical solutions.

The layers can be summarised in a few ways which may, or may not, be applicable to your organisation.

  1. Hiding, decrease exposure to reduce attack surface
  2. Prevention, keep threats outside by using specialised services
  3. Lock credentials and enforce Role Based Access Control (RBAC)
  4. Knowledge, include the human factor, educate and involve employees
  5. Use Verifier Impersonation Resistant MFA (Multi-Factor Authentication)
  6. Anonymise data in such a way that only dataset correlation would provide the full picture

Hiding

The first one is the subject of many debates. In essence, it is somewhat like an ostrich putting its head in the sand, as seasoned threat actors will not be thwarted by this and will find you anyway. Changing attack surfaces on a timely basis may only get you so far and is most likely just a delay strategy. For

Prevention


Prevention is the best way to stay out of trouble. Stopping threats outside your organisation not only prevents malicious actors from infringing on your properties; even better, productivity is not impacted either. If your employees are seeing large amounts of spam and/or phishing emails, a lot of time is spent separating the valid emails from the bad ones. On average, people spend around 2 minutes per email trying to assess whether an email is actually valid or whether it could contain malicious content. Reducing the number of emails that could pose a threat to your organisation is one of the best ways to both improve your security exposure and significantly increase productivity. Extrapolate that to the number of emails and employees you have, and you can do the numbers on the back of a napkin.
When it comes to securing access to systems and services that reside inside your organisation, the most used method has been to deploy VPN-like schemes, most often connected to RADIUS-type authentication and authorisation. If an end-point is compromised, there is a high chance that this will not be noticed at the gateway. A newer kind of technology is ZTNA, Zero Trust Network Architecture, which enables inbound and outbound connections to be tunnelled through a security-enabled perimeter where the policies you set can be enforced. This way the third party, for example Cloudflare or Netskope, is able to monitor these connections and act accordingly on unexpected traffic patterns as well as other sorts of threats.

Credential security


Securing credentials should be one of the top priorities of every organisation. It simply needs to be automated, with various safeguards in place. Humans cannot be trusted in this. Around 95% of all data breaches are a result of stolen credentials, where cross-account sharing (i.e. using the same username/password combination on more than one website) is an underlying cause of a successful account takeover or malicious abuse. Using password managers should no longer be an afterthought. Username and password authentication is not going anywhere soon, and until all websites offer passkeys and/or support for hardware-based authentication, usernames and passwords should be software generated with high enough entropy to keep even the most advanced CPUs/GPUs very busy for a very long time.
Role Based Access Control (RBAC) should be implemented across the board. Employees who do not have any involvement with a particular application or data set should not be allowed to access it. A dataset should be sandboxed and associated with the applications that require it. Applications and datasets should be linked to the various roles, and each of those should be linked to a human resources system. If someone changes role, the appropriate access controls are then implemented automatically. The same goes for people joining or leaving the company. As soon as someone leaves, he/she is deactivated from the payroll and any associated accounts are immediately disabled or removed, so that all access is revoked. External systems, for example cloud applications, should also be linked, as there is no real barrier on the network connectivity side as there is with on-premises systems.
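The joiner/mover/leaver automation described above, as an added example that is not part of the original post: an HR roster is treated as the source of truth, a role-to-entitlement map defines what each role may touch, and the reconciliation diffs that desired state against the accounts that currently exist. The roster, role map and current access sets are constructed sample data.

```python
# Added example (not from the original post): joiner/mover/leaver reconciliation
# driven by the HR system, as the RBAC section argues it should be.
from dataclasses import dataclass

# Which applications/datasets each role is entitled to (constructed sample data)
ROLE_ENTITLEMENTS = {
    "finance":  {"bookkeeping-app", "payroll-dataset"},
    "engineer": {"git-server", "ci-system"},
    "support":  {"ticketing-app", "customer-dataset"},
}

@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    active: bool   # False once payroll has off-boarded the person

HR_ROSTER = [  # constructed sample data
    HrRecord("alice", "finance", True),
    HrRecord("bob", "support", True),      # bob moved from engineer to support
    HrRecord("carol", "engineer", False),  # carol has left the company
]

# Entitlements currently held in the IAM/directory (constructed sample data)
CURRENT_ACCESS = {
    "alice": {"bookkeeping-app", "payroll-dataset"},
    "bob":   {"git-server", "ci-system"},
    "carol": {"git-server", "ci-system"},
    "dave":  {"ticketing-app"},   # no HR record at all: an orphaned account
}

def desired_access(roster):
    """Desired state: active employees get exactly their role's entitlements."""
    return {r.user: set(ROLE_ENTITLEMENTS[r.role]) for r in roster if r.active}

def reconcile(roster, current):
    """Return (grants, revokes, disables) needed to move current -> desired."""
    desired = desired_access(roster)
    grants, revokes, disables = {}, {}, set()
    for user in set(current) | set(desired):
        have = current.get(user, set())
        want = desired.get(user, set())
        if user not in desired:            # leaver or orphan: disable the account
            disables.add(user)
            if have:
                revokes[user] = set(have)
            continue
        if want - have:                    # joiner or mover: grant the new role
            grants[user] = want - have
        if have - want:                    # mover: strip the old role's access
            revokes[user] = have - want
    return grants, revokes, disables
```

Running `reconcile(HR_ROSTER, CURRENT_ACCESS)` flags carol (left) and dave (no HR record) for disabling, and moves bob from the engineer entitlements to the support ones.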

Knowledge


Even with the best tools, policies and procedures in place, there is a very high chance that at some stage a malicious email will pass through your defences. It is these kinds of scenarios that should keep any CISO awake at night, as the entire security strategy could then depend on a single person. This is also the cause of the majority of breaches that you see in the news. It is therefore of the utmost importance to test, educate, re-test and re-educate your organisation on all sorts of phishing, smishing (SMS phishing) and social engineering attempts that could be impacting your organisation. Being able to identify and report dubious emails will significantly reduce your risk factor across the entire organisation. Make sure the exposure of your people, and of the organisation as a whole, is mapped and that the appropriate education is implemented across your various departments.

Multi Factor Authentication


I cannot emphasize this enough. This is more or less your last line of defence. If all the above fail and a malicious party is able to gain access to one of your accounts, a second authentication factor could well save your day. That being said, you need to know there are good and not so good ones. Most service providers do enable some sort of MFA option, with SMS unfortunately being the most prevalent one but also the least secure one. A short Google search on "smishing" will show you that even this can be relatively easily compromised.
A software-based push or OTP (One Time Password) option is the next best thing; however, even that is subject to social engineering attacks. You will see bypass attempts by malicious parties who use cold-calling techniques to try to lure people into pushing an allow button on their phone or providing an OTP during the call. These tactics are very sophisticated: a form of intelligence gathering has already taken place in order to obtain the trust of the victim and lure him/her into a false sense of security. The ramifications are most often the same as if no security policies and defence mechanisms had been implemented at all. The malicious actor would still be able to log in and do harm wherever he/she sees fit.

The only way to prevent this from happening is a hardware-based, VIR – Verifier Impersonation Resistant – token which is tied to the account. This makes it impossible for any attacker to obtain access to an account, as he/she does not physically own the authentication token which is required in order to obtain access.
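Why a FIDO2/WebAuthn security key resists verifier impersonation, as an added example that is not part of the original post: the browser, not the page, writes the real origin into the client data, and the authenticator signs over that plus the hash of the relying-party ID, so an assertion collected on a look-alike site fails the genuine site's checks. This is a simplified model with constructed names (`example-corp.test`), and HMAC stands in for the credential's public-key signature; in a real browser the look-alike origin could not even request a credential for that RP ID.

```python
# Added example (not from the original post): simplified WebAuthn assertion
# flow showing the origin and RP ID binding that makes a security key
# verifier-impersonation resistant. Stdlib only; HMAC replaces the real
# public-key signature (an assumption of this model, not how FIDO2 works).
import hashlib, hmac, json, os

RP_ID = "example-corp.test"                        # constructed relying party
ALLOWED_ORIGINS = {"https://login.example-corp.test"}
CRED_KEY = os.urandom(32)                          # secret held by the security key

def authenticator_assert(cred_key, rp_id, client_data_json, counter):
    """Security key: sign rpIdHash || flags || counter || SHA256(clientDataJSON)."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01" + counter.to_bytes(4, "big"))
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred_key, signed, hashlib.sha256).digest()

def browser_get_assertion(page_origin, challenge, rp_id=RP_ID, counter=1):
    """Browser: it, not the page script, fills in the origin the user is on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator_assert(CRED_KEY, rp_id, client_data, counter)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}

def rp_verify(assertion, issued_challenge, cred_key=CRED_KEY):
    """Relying party: the checks from the WebAuthn spec that defeat relaying."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return "challenge mismatch (replay or stale)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin mismatch (verifier impersonation)"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"
```

An OTP relayed through a look-alike page carries no origin and verifies fine; the same relay of a WebAuthn assertion is rejected at the origin check before the signature is even examined.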

Overall solution

As you can imagine from the information above, there is no real silver bullet to achieve a watertight, secure and trustworthy IT environment. Even if you do not have control over the entire IT stack, for example when you use a cloud-based bookkeeping application, you still can benefit from password managers, MFA tokens and other solutions to level up your security profile and keep the bad guys out.

Get in touch and see what we can do for you.

Kind regards
Erwin van Londen
