There have been so many articles and posts about the recent Securities and Exchange Commission (SEC) lawsuit against SolarWinds and their CISO – and plenty written about recent breaches via the Okta platform. So much has been said about how attackers used social engineering to lure users into giving up information or resetting accounts. …
Still, I feel like I need to share my $.02.
I want to focus on what did go right, particularly with the Okta attacks affecting 1Password and BeyondTrust. In both cases, the companies had processes in place to reduce the blast radius and limit the attackers’ ability to turn an initial foothold into broader access. Huge kudos to the teams, and specifically to the admins who caught the alerts: something was not right, and they acted quickly on it.
The Human Factor
Having an environment that empowers your people to act without fear, even when their account has suffered an account takeover, is critical. It reminds me of telling my kids to always reach out no matter the circumstances, even when I may not be stoked about what transpired. At least I can help address the problem and move forward. Making your teams know they have your support – no matter what – is the only way we can all do better together.
The key takeaways for me from these two examples are:
1. Have the right security controls and alerts in place.
2. Pay attention to them in a way that eliminates alert fatigue and empowers your people.
I also believe we have to continually evaluate ways to reduce both the chance that a person makes a mistake and the chance that such a mistake results in a successful account takeover. For example, Okta pointed to a personal browser profile that auto-saved passwords as the initial point of entry. With Real Passwordless MFA there is no password for the browser to save, which eliminates the risk of a credential ending up in a personal browser profile, whether accidentally or otherwise. Modern solutions offer this type of innovation. It’s not Wonder Woman’s shield, but it’s better than the legacy access controls in use today.
Which leads me to the next part. …
Don’t Promote the Wrong Behavior
First, unless a CISO’s actual malicious intent can be proven, or it can be shown that he or she committed a crime and intentionally conspired or covered up evidence, pointing the finger at CISOs as the fall guy will incentivize the wrong behavior and negatively impact our industry. It’s like the time the coach of the England soccer team put the blame for the World Cup loss solely on David Beckham’s shoulders instead of standing behind him and supporting him. Compare that to the coach at Manchester United, who gave Beckham his and the team’s full support and said, “We are all in this together.”
If a real crime was committed with malicious intent then the rest of the industry needs to look at this as an individual offense and not as a blanket statement of how all CISOs and companies will be treated.
Sure, there does need to be accountability. We need to take the responsibility of cybersecurity seriously. For example, the article Bad Passwords are Securities Fraud on Bloomberg highlights one area where we all know there are ways to use modern solutions to address this problem, which must be taken seriously. It is astonishing to me that, with today’s modern authentication solutions, companies are still using passwords across most access controls.
The Role of the Service Provider
Part of this falls on service providers that charge an SSO tax for access to SAML 2.0 or OIDC-based integrations, or whose endpoints do not yet support PKI / FIDO2 standards. I believe the above-mentioned bad-password case the SEC is making will force many service providers to re-evaluate their account creation process and what type of access control they use.
However, more and more applications do have these available. Choose the ones that do, and vote with your $ to convince the others they need to do the same.
TraitWare – How We Can Help
Now I know that the first part of this article addressed an IDP that was beaten. However, when using the most modern access controls for Okta or any other IDP, you can move to Strong Phishing-Resistant MFA with either a hardware-based token or an App-based authenticator that is Real Passwordless MFA.
TraitWare® offers simple secure access that delivers Real Passwordless MFA/SSO to all the major IAM providers – ranging from Ping/ForgeRock, Okta, IBM Verify, Microsoft Azure, JumpCloud, and more – or can function as an IDP itself. Choosing an IDP that was built from the ground up by a security company with Real Passwordless MFA/SSO – like TraitWare – becomes a no-brainer. Or, bake it in at the OEM level.
Identity is today’s perimeter and needs to be taken seriously. We are here to help. Just ask us. We don’t care whether or not you choose us. We just want everyone to be better together, and we have faith that once you experience us you’ll choose our solution because it actually works the way it should. Single-step MFA in seconds and admin-deployed, removing the user requirements – all while reducing password support tickets by greater than 90%.
Any questions, please feel free to reach out.
Thanks for listening!
–Heath Spencer – CEO TraitWare, Inc.