What Privacy and Security Mean for Companies
With Data Privacy Week coming up soon, we’re thinking about the important symbiotic relationship between privacy and security, and ahead to some pending deadlines for cybersecurity and privacy compliance.
How can company leaders best navigate the waters and enjoy peace of mind?
Here are a few upcoming privacy and security compliance deadlines to consider:
March 29, 2024 – California Privacy Rights Act (CPRA) enforcement goes into effect. CPRA grants California residents extensive control over personal data. Organizations that process customer data belonging to Californians must ensure compliance. This includes requiring businesses to delete customer information upon request and stricter consent requirements around sharing or selling data.
March 31, 2024 – Important news for any organization handling credit card payments: PCI DSS v4.0 (Payment Card Industry Data Security Standard) will come into force in stages. The first set of mandatory requirements, covering multi-factor authentication (MFA), penetration testing, and password security, takes effect on March 31st. Businesses handling card payments must prioritize these areas to stay compliant. Read more here.
June 15, 2024 – SEC breach disclosure rules for SMBs.
The U.S. Securities and Exchange Commission (SEC) is casting a wider net. While larger companies have already had to adhere to SEC cybersecurity incident reporting requirements, smaller businesses (those valued at less than $250 million, for example) have until June 15th to comply. Companies must disclose ‘material’ cybersecurity incidents (those that could impact revenue or cause investor harm) promptly and transparently.
July 1, 2024 – California Consumer Privacy Act opt-out mechanisms and sensitive data consent.
Once again California leads the data privacy effort, much as GDPR (Europe’s data privacy standard, enforceable for any organization handling European-based data) does for Europe. July 1st marks two CCPA deadlines:
- Organizations must clearly explain how consumers can opt out of data sharing
- They must re-obtain consent for processing personal/sensitive data collected before July 1, 2023.
One Step At A Time
Compliance for companies of any size can be daunting. But, understanding the steps (one at a time) will help leaders better protect their organizations, employees, and customers.
Beyond compliance, developing and maintaining strong security protocols will also help enhance trust and protect reputation; avoid financial loss; and save on costs.
Do you have questions about how to take the first steps toward security and privacy compliance?
We are here to help!
For more information on how to get up and running with what experts are calling the #1 step to achieve a strong cybersecurity posture, book a demo and find out just how simple security can be with passwordless phishing-resistant MFA+SSO.
Ofer Israeli, GVP & GM, Identity Threat Defense, Proofpoint, recently wrote:
“Attackers are increasingly focused on privileged identity account takeover (ATO) attacks because they can compromise organizations much more easily and quickly this way, as compared to the time, effort, and cost to exploit a software vulnerability (a common vulnerability and exposure or CVE). And we should not expect this trend to stop anytime soon, given that these ATOs have reduced attacker dwell times from months to merely days, with very little risk to attackers that they’ll be detected before completing their crime.”
He further wrote that the complex nature of “management of enterprise identities, and the systems used to secure them” escalates the problem.
An example of the issue Ofer Israeli describes is the recent RIPE NCC account hacking case: the Spanish internet provider Orange went down for several hours after its RIPE account was hacked, likely after malware stole the credentials, in this case the admin credentials. See Eduard Kovacs’s Mobile and Wireless article of Jan 4, 2024. The setup for RIPE NCC access is this:
To get registered with TraitWare:
There is no password creation and storage. It is time to eliminate passwords. For privileged identity accounts, TraitWare offers, and is further developing, solutions to prevent account takeover (ATO).
First is TraitWare’s multi-factor passwordless authentication. Admins are allowed only one registered device, preferably a mobile phone, since users continually need this device and keep close control of it. Further, a biometric can be required to open the TraitWare authentication mobile application. A knowledge factor that can only be generated on the registered device can be added to the biometric requirement using TraitWare PhotoAuth®, a visual PIN. Authentication of the registered device relies on stored behavioral traits based on use of the device, which provide a rotating key/dynamic token, a cryptographic key pair, and a one-time code. The combination of these makes account takeover very difficult.
Second, TraitWare provides a secured authentication server that uses OAuth, SAML, and OIDC standards for access to relying parties and physical devices such as routers and PCs set up to use these protocols.
Third, the use of the registered mobile device can be GPS-based geofenced to only be used in selected locations. Even if the user account is taken over and a new registered device is created, it is useless unless it is located in the selected approved locations. The privileged account user will quickly notice the takeover since their registered device will no longer work and they will have to contact another admin to register them and disable the account takeover device. (Note: usernames and passwords can be shared and used by multiple users, and if the registration code for a one-time password generator is obtained, it can be used on multiple devices.)
Fourth, the use of a registered TraitWare Authentication browser extension can be required to prevent a phishing attack from directing a privileged account to use a fake login page.
While this may seem like a complex solution, most processes are transparent to the privileged account holder and thus simple to use.
TraitWare, pioneering modern Passwordless Multi-Factor Authentication (MFA) and adaptive Identity and Access Management (IAM) has announced its strategic partnership with the Acronis CyberApp platform, revolutionizing cybersecurity for Managed Service Providers (MSPs) and their customers. This collaboration will deliver cutting-edge Phishing-Resistant Passwordless MFA and Single Sign-On (SSO) capabilities to Acronis MSPs, to reduce cyber risk and address critical market needs.
In addition to providing Passwordless MFA to Acronis users and customers for simplified and secure login, TraitWare future integrations will give MSP admins control of MFA enrollment/recovery and enforcement. Integrations will provide value to the MSP by reducing support tickets and time to manage access controls.
TraitWare integrations start with alerts for failed login attempts or user lockout of their MFA token, along with alerts for attempted logins outside a GPS-based boundary. Testing is underway for several additional integrations that will further enhance security and improve ease of use for Acronis MSPs.
The Acronis-TraitWare partnership also enables the management and deployment of Passwordless MFA for Windows Endpoints.
“Our integration with Acronis signifies a quantum leap in robust cybersecurity solutions for the MSP. Moving away from traditional ‘Phishable’ MFA methods, we offer Passwordless MFA/SSO from account creation, to empower MSPs with control over authentication processes. TraitWare reduces cyber risk, simplifies access to digital valuables, encourages wider adoption of modernized security, and saves on costs.”
– Heath Spencer, CEO of TraitWare.
For more information about our Partnership Program, have a look here and get in touch any time with questions.
There have been so many articles and posts about the recent Securities Exchange Commission (SEC) lawsuit against SolarWinds and their #ciso – and plenty written about recent breaches via the Okta platform. So much has been said about how attackers used social engineering to lure users to give up information or reset accounts. …
Still, I feel like I need to share my $.02.
I want to focus on what did go right, particularly with the Okta attacks affecting 1Password and BeyondTrust. In both cases, the companies had processes in place to reduce blast radius and stop the sprawl of the attackers’ ability to gain a foothold. Huge kudos to the teams and specifically the admins who caught the alerts. Something was not right and they acted quickly on it.
The Human Factor
Having an environment that empowers your people to act without fear, even when their account has suffered an account takeover, is critical. It reminds me of telling my kids to always reach out no matter the circumstances, even when I may not be stoked about what transpired. At least I can help address the problem and move forward. Making your teams know they have your support – no matter what – is the only way we can all do better together.
The key takeaways for me from these two examples are:
1. Have the right security controls and alerts in place.
2. Pay attention to them in a way that eliminates alert fatigue and empowers your people.
I also believe we have to always evaluate ways to improve and reduce the ability for a person to make a mistake or for that mistake to result in a successful account takeover. For example, using a personal browser that auto-saves passwords is what Okta has pointed to as the cause of the initial point of entry. When using Real Passwordless MFA there is no password to be saved in the browser. This eliminates the risk of a user accidentally having one saved in a personal browser profile. Modern solutions offer this type of innovation. It’s not Wonder Woman’s shield, but it’s better than the legacy access controls being used today.
Which leads me to the next part. …
Don’t Promote the Wrong Behavior
First, unless a CISO’s actual malicious intent can be proven, or that he/she committed a crime and intentionally tried to conspire or cover up evidence, pointing the finger at CISOs as a fall guy will incentivize the wrong behavior and negatively impact our industry. It’s like the time the coach for the England soccer team put the blame for the World Cup loss solely on David Beckham’s shoulders instead of standing behind him and supporting him. Compare that to the coach at Manchester United who gave Beckham his and the team’s full support and said, “We are all in this together.”
If a real crime was committed with malicious intent then the rest of the industry needs to look at this as an individual offense and not as a blanket statement of how all CISOs and companies will be treated.
Sure, there does need to be accountability. We need to take the responsibility of cybersecurity seriously. For example, the article Bad Passwords are Securities Fraud on Bloomberg highlights one area where we all know there are ways to use modern solutions to address this problem, which must be taken seriously. It is astonishing to me that, with today’s modern authentication solutions, companies are still using passwords across most access controls.
The Role of the Service Provider
Part of this falls on service providers that charge an “SSO tax” for access to SAML 2.0 or OIDC-based integrations, or whose endpoints do not yet support PKI / FIDO2 standards. I believe that the above-mentioned bad password case the SEC is making will force many service providers to re-evaluate their account creation process and what type of access control they use.
However, there are more and more applications that do have these available and you should choose to use the ones that have it and vote with your $ to convince the others they need to do the same.
TraitWare – How We Can Help
Now I know that the first part of this article addressed an IDP that was beaten. However, when using the most modern access controls for Okta or any other IDP, you can move to Strong Phishing-Resistant MFA with either a hardware-based token or an App-based authenticator that is Real Passwordless MFA.
TraitWare® offers simple secure access that delivers Real Passwordless MFA/SSO to all the major IAM providers – ranging from Ping/Forgerock, Okta, IBM Verify, Microsoft Azure, JumpCloud, and more, or can function as an IDP as well. Choosing an IDP that was built from the ground up as a security company with Real Passwordless MFA/SSO as your IDP – like TraitWare – becomes a no-brainer. Or, bake it in at the OEM level.
Identity is today’s perimeter and needs to be taken seriously. We are here to help. Just ask us. We don’t care whether or not you choose us. We just want everyone to be better together, and we have faith that once you experience us you’ll choose our solution because it actually works the way it should. Single-step MFA in seconds and admin-deployed, removing the user requirements – all while reducing password support tickets by greater than 90%.
Any questions, please feel free to reach out.
Thanks for listening!
–Heath Spencer – CEO TraitWare, Inc.
As 2023 Champions, we’re sharing our Top 4 Tips to Stay Safe Online
For more information on simple steps you can take toward maximum security for your company, contact us any time.
WHY SCHOOLS ARE PRIME TARGETS FOR CYBERATTACK, AND HOW WE CAN DO BETTER TO PROTECT THEM
The University of Michigan was in the news recently following a cyberattack that caused an internet outage across all campus networks, eventually requiring password resets for all users. This is just one event amid a series of cyberattacks on schools, and growing concern for the security of the education sector worldwide.
Education is the number one target for ransomware, according to Sophos. Threat intelligence company, Recorded Future, reported that more than 120 schools had ransomware attacks in the first six months of 2023, compared to a total of 188 in 2022. And not only do they struggle to recover from attack – many are forced to shut their doors entirely.
Some examples of shutdowns:
- Highgate Wood School – North London – September 6, 2023
- Nantucket – Four public schools (1700 students) shut down after January 31, 2023 attack
- Des Moines (Iowa) Public Schools cancel classes for 33,000 students – January 23, 2023
- Swansea Public Schools shut down after the January 11, 2023 attack
- Alabama – Jefferson County schools go all-on-paper for two weeks after computer systems were shut down following a cyberattack – April 11, 2023
- November 16, 2022 – 2 Michigan counties closed their doors
- LA School District computer systems rendered inoperable after an attack in September 2022
- Minnesota – 42 Schools
… and the list goes on
A few more eye-opening facts about cybercrime in schools today:
Why are schools prime targets for cybercriminals?
For one, there is a wealth of relatively easily obtained personal information in schools. From passcodes to financials, and potentially on to family members’ info via shared devices and access codes, schools have a lot that criminals want.
Because cybersecurity budgets are generally low in school systems, systems are typically lacking in proper protection, and criminals know it. Experts warn that schools have become easy prey for cybercriminals.
What’s the Primary Motive? Money.
Despite the known lack of budget allocated to cybersecurity in schools, criminal organizations are primarily driven by financial gain – either selling information on the dark web, using information for fraud, or (the #1 method for bad actors) ransomware. Attackers can obtain data and threaten to expose it – unless a ransom is paid.
Unique Challenges for IT in Education
- BYOD (Bring Your Own Device): Students typically use a variety of devices and change them often, and IT needs to secure them. This makes the IT and Help Desk workload significant.
- Remote Learning: Online learning and hybrid models are a part of today’s curriculum, which means devices and locations can be outside IT’s control.
- Remote Teaching: Teachers, especially in higher education, are connecting from various devices to various resources, many of which are also outside of IT sanctions.
- Changing User Identity Landscape: Every semester brings new students and faculty needing to get set up for access and authentication. At the same time, graduates’ accounts need to be closed and/or devices recycled.
- Shared Computing: IT supports and secures shared computers in libraries, common areas, and science, research, or technology labs. This poses clear security challenges.
- Federal Mandates: Higher educational facilities face regulatory pressure to protect students’ applications and personal data. Most call out Multi-Factor Authentication (MFA) as the first measure of security:
- NIST-800-171 requirements to receive government and defense funding grants
- Family Education Rights and Privacy Act (FERPA)
- Gramm Leach Bliley Act (GLBA)
- The Federal Information Security Management Act (FISMA) for institutions receiving federal grants
- HIPAA for protecting medical information
- Reputation is the highest on the list of CISO priorities. Being known for delivering a high-quality, safe, rewarding experience is essential for attracting top faculty, and students (who, one hopes, become top contributing alumni). Reports of compromised personal information, poor security, or ransom payments by schools will negatively impact reputation.
Unfortunately, schools – particularly higher education – have a history of paying high ransoms despite the FBI and others’ advice against it.
The Pushback is Real,
But strong security is now more critical than ever.
With government mandates tightening on cybersecurity for any institution handling sensitive personal information (such as financial), school administrators are urged to make it a priority. …
The BEST News? The most effective tools are simpler to use and more cost-effective than ever.
- Too expensive to implement? … The average cost of a breach (roughly $3.7 million) will be far higher than the cost of implementing strong security.
- Too difficult to effect change across campuses? … Getting every user in the system to reset passwords after an attack can be a massive undertaking, not to mention expensive.
- Too time-consuming? … Schools have the longest post-cyberattack recovery time (more than a month) of all sectors, according to studies. A good MFA solution can be up and running in less than a day.
These are just a few points. But, whatever the reason for doubt, THIS is the season for cybercrime in schools, and schools need to up their game and boost security NOW, or likely suffer grave consequences.
CISO’s Choice – Modern methods for security are better, more affordable, and much easier to use.
The choice between increased risk of attack and putting good security controls in place for education may once have been a difficult one for the CISO, but not only are security controls more readily available now, today’s workforces and students are also much more adaptable to employing new tools.
Resources and guidelines for education and cybersecurity are out there.
Here are a few links:
Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats.
Experts Say …
- Backup data
- Regularly install updates
- Employ or begin the move toward a zero-trust security posture. This means making sure all users are who they say they are before they are granted access to digital resources.
- Segment your campus network so the whole system can’t be shut down by one single threat.
- Implement Phishing-Resistant Multi-Factor Authentication (MFA)* to prevent phishing and strengthen verification processes.
- Make it REAL Passwordless Phishing-Resistant MFA by eliminating any knowledge factor – from enrollment to login. *
*It’s important to note the difference between a passwordless experience, where the password is simply obfuscated or hidden, and a Real Passwordless login, where the password has been eliminated – to simplify and secure login.
Anything that has to be typed in, remembered (or forgotten), or that can be shared or guessed, is a security risk you don’t need to take.
Instead, choose a solution that ties the user directly to the login at all times, using biometrics and/or geolocation combined with “something you have” or a device the user already carries. This will not only save on costs and vastly improve security but also make life easier for users and admins.
The Truth About Multi-Factor Authentication / Keeping it Phishing-Resistant
While Multi-Factor Authentication (MFA) is not uncommon, even in schools, it’s important to employ the right form of MFA – both for security reasons and for ease of use.
First, most MFA still uses a password followed by an “OTP” or one-time passcode sent via text, email, or push notification to a device, asking the user to click ‘approve’ to grant access. Unfortunately, the OTP is still a knowledge factor and therefore carries risk. It can be phished, guessed, intercepted, etc. The layer-cake approach is simply not good enough and can be avoided by using a REAL Passwordless method.
For more on the difference between Phishable and Phishing-Resistant Passwordless MFA, take a look here.
Hear it from the Experts – On ReadySetCyber
As we move into this school year, cybercrime is a top concern. Whether you’re in IT, a professor, a student, a staff member, or a parent, your choices around cybersecurity could be hugely impactful for many.
On this month’s edition of ReadySetCyber, we’ll tackle the issues surrounding cybersecurity and our educational systems with a panel that includes IT decision-makers in our academic institutions, educators, experts, and service providers. We’ll tackle the issues, take questions LIVE from the audience, and engage in lively unscripted discussion.
On the Roster:
Darren Mott – HOST – FBI Special Agent (Ret.)
Randall Trzeciak – Carnegie Mellon
Kevin Powers – Boston College
Evan Rice – GuideStar
Heath Spencer – TraitWare
Hope to see you there!
Any questions, we’re always happy to chat
Multifactor Authentication (MFA) and Layered Security have long been recommended best practices for enterprise security. But what exactly are they? … At what point are there too many layers? And WHICH layers of security should I deploy?
What is Layered Security?
Layered security attempts to secure organizations by employing various tools – ideally complementary tools. The problem is, these tools, or layers are often not complementary, and we know that disparate systems can create lots of work, lots of frustration, and arguably the number one enemy of security … complexity.
Without a proper plan, it’s easy for companies to purchase several overlapping or disconnected systems, which can lead to unsecured gaps and ultimately a lower security posture.
How can this lower security posture?
- Whatever the system, it will need to be maintained. This will require staff. In many cases, the technology is obtained in order to meet a compliance need or simply to be crossed off a list – without proper management. Unmanaged, it is not only a waste of money but potentially adds vulnerability.
- Different systems will require different types of management – outsourced or not. This can create difficulties in communication and compatibility. The more layers in place, the more likely it is that one or more will conflict or cause problems with business operations.
- Restrictive security layers can cause pushback among users. For example, they may use the same credentials for multiple accounts. If email is used as the username for a company system and the same password is used for internal and external accounts, this makes a bad actor’s job easier.
These layered security challenges are arguably THE biggest problem in the cyber threat detection and mitigation space. And, because attackers are well aware of these issues, they can relatively easily exploit the gaps they create.
Multi-Factor (NOT Multi-Layer) Authentication
Multi-factor authentication (MFA) requires that users prove they are who they say they are before granting them access to digital resources. MFA requires two or more factors for authentication. The factors can be a combination of two or more of the following: 1. Knowledge – Something you know, 2. Possession – Something you have, or 3. Inherence – Something you are.
From Microsoft to CISA, all the way up to the White House – most experts agree that MFA should be a requirement for any organization. The Federal Trade Commission (FTC), for example, requires any institution handling financial data to deploy MFA. A 2021 Executive Order from President Biden outlined requirements for strong security for Federal contractors. …
But is all MFA more secure? The answer is NO. In fact, MFA is only as secure as the factors chosen.
When Layers are Just “Band-Aids”, They Don’t Work
Adding layers to MFA can sometimes mean ADDED risk! Here’s an example: Password plus one-time passcode (OTP). Or how about three factors? Password, plus OTP, plus push notification. The problem here is that all those factors are weak. Even the longest, most complicated string of characters can be shared, phished, or guessed. Cybercrime has become too sophisticated for these methods, as evidenced by repeated cyber-attacks. Using a password manager with a master password? What if that master password is compromised? Then, that bad actor has access to multiple resources.
The password, or any “knowledge factor” (any Human Readable Credential, or HRC), is inherently risky for security and should be considered obsolete. Passwords and usernames are frustrating, forgettable, shareable, and Phishable. When they sit at the base of your security posture, adding another layer merely adds a layer of inconvenience, worsening user experience. The most common approach is to send an SMS code, which can potentially be intercepted by bad actors.
The National Institute of Standards and Technology (NIST) cautions against this approach.
Google reported that 1 in 5 phishing kits collect phone data in order to intercept these codes. And according to Google, less than 10 percent of its users even bothered to turn on 2FA. The other 90 percent are protected only by passwords.
The Question We Should Be Asking About Passwords
If we need another factor for authentication on top of one that has long been deemed unsecure, why are we using the first factor at all? Any information that can be entered into a form field by one person could also potentially be obtained and entered by a hacker.
The Good news is, we don’t need the password or HRC, and neither do we need complicated or disparate layers for security.
Un-LayerCake MFA
At TraitWare, we’ve eliminated the need for the #1 risk factor behind 81% of cyber-attacks – the password. In fact, with TraitWare there’s no need for any shareable or Phishable secret for login.
TraitWare is not a layered approach to security. Passwordless MFA is not an add-on. It’s inherent in the solution. This means 1. It’s more secure because it’s Always On for all your users, and because you can’t Phish the password if it doesn’t exist! 2. It is not only easy to use, but it also actually simplifies login. Once your biometric is registered to the secure TraitWare app via the mobile device you already carry, the MFA is just there – invisible to the user. Nothing to type in, nothing to remember (or forget).
What’s more, TraitWare is quick and easy to deploy and will save on costs. Thinking of cyber insurance? TraitWare’s solution can also help lower insurance premiums.
If you’re curious about Passwordless, Phishing-Resistant MFA+SSO to simplify and secure your company login, please reach out any time.
Angry LastPass users have taken to social media with reports that they’ve been struggling to access their accounts since the company’s security upgrade back in May. What’s more, there doesn’t seem to be a simple solution in sight.
What does this have to do with MFA?
The trouble began on May 9, 2023, when LastPass sent an alert to users, urging them to reset their multi-factor authentication (MFA) preferences. Yet, even after resetting codes on their authenticator apps, many users have reported being unable to log in to their accounts or access their LastPass vaults.
The Infinite Loop
Even worse, locked-out users can’t get help because one must be logged in to access support! Instead, they are prompted to reset the authentication app again and again while the system fails to recognize the new codes they’ve created.
“After resetting my MFA I completely lost access to my Vault. MasterPW is not working and resetting as well as the reset eMail never gets delivered to me. Cannot contact my ‘Premium’ Support as a Login is required,” said one user.
What happened with the upgrades?
According to LastPass, the company has now strengthened its use of the Password-Based Key Derivation Function 2 (PBKDF2), an algorithm “that makes it difficult for a computer to check that any 1 password is the correct master password during a compromising attack.”
The default minimum number of password iterations post-upgrade is now 600,000. In order to carry out this upgrade, LastPass says it was necessary to log users out of their accounts and require them to reset their MFA.
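To make the iteration count concrete, here is an added example (not LastPass’s or TraitWare’s code) of a generic PBKDF2-HMAC-SHA256 password verifier that stores the iteration count alongside the salt and hash, so a record derived at a weak legacy count can be re-derived at the 600,000 minimum the next time the correct password is presented. The legacy count of 5,000 and the record format are constructed for illustration; the only figure taken from the page is the 600,000 default minimum.

```python
import hashlib
import hmac
import os
import time

# Iteration count quoted on the page as the new LastPass default minimum.
CURRENT_ITERATIONS = 600_000
# A much weaker legacy work factor, constructed here only for comparison.
LEGACY_ITERATIONS = 5_000


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256. Attacker and defender pay the same cost per guess,
    and that cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def make_record(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Build a self-describing stored verifier: alg$iterations$salt_hex$key_hex.
    Storing the iteration count is what makes later upgrades possible."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def parse_record(record: str):
    """Split a stored record back into (iterations, salt, expected_key)."""
    alg, iters, salt_hex, key_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm tag: {alg}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify(password: str, record: str) -> bool:
    """Re-derive with the record's own parameters and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = derive_key(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(record: str, minimum: int = CURRENT_ITERATIONS) -> bool:
    """True when the stored work factor is below the current policy minimum."""
    iterations, _, _ = parse_record(record)
    return iterations < minimum


def verify_and_upgrade(password: str, record: str, minimum: int = CURRENT_ITERATIONS):
    """Return (ok, record). A weak record can only be re-derived at login,
    because that is the one moment the plaintext password is available."""
    if not verify(password, record):
        return False, record
    if needs_upgrade(record, minimum):
        return True, make_record(password, minimum)
    return True, record


def time_one_guess(iterations: int) -> float:
    """Wall-clock seconds for a single derivation at the given work factor."""
    salt = b"\x00" * 16  # fixed salt: timing only, never store a key from this
    start = time.perf_counter()
    derive_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed demo password; a legacy record is upgraded on a successful login.
    legacy = make_record("correct horse battery staple", LEGACY_ITERATIONS)
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| was weak:", needs_upgrade(legacy),
          "| now weak:", needs_upgrade(upgraded))
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{n:>8} iterations: {time_one_guess(n):.3f}s per guess")
```

The timing loop makes the defensive point visible: raising the count from 5,000 to 600,000 multiplies the cost of every offline guess by the same factor of 120, for the attacker as much as for the legitimate login.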
Lessons Learned About MFA
1. Keep It Simple
We all know that when processes are complicated, adoption rates are low. Bad for user experience = bad for security.
As evidenced by the recent LastPass situation, when processes are too complicated, they’re likely to be ignored (as in, the MFA doesn’t get enabled at all, or fails due to human error.)
LastPass issued instructions on how to reset MFA. For many, the instructions were just too complicated. If the instructions (several pages) weren’t followed correctly, users couldn’t log in.
2. Ditch the shareable secret
Password managers certainly can add a layer of security. However, a master password is still a password, so it’s potentially shareable, Phishable, and forgettable, especially when following new protocols for an extra-long, extra-complicated string of characters. Once the master password is compromised, all of your accounts can potentially be accessed by unwanted visitors.
Furthermore, resetting passwords is costly, time-consuming, and annoying.
What’s the Solution?
Strong security, notably MFA, doesn’t have to be complicated. In fact, it should simplify the process – from enrollment to login while enhancing security.
With TraitWare, we’ve eliminated the need for any shared secrets – from enrollment to login. And the MFA is built into the solution, which means there’s no added friction for the user. It’s infinitely more secure, and there’s nothing to reset. Users can log in with a biometric that they’ve previously registered with the secure TraitWare app – and a mobile device that scans a one-time dynamic QR code for access to any screen. Single sign-on means users can access multiple accounts in one go.
Login in 3 touches. A few seconds and you’re IN.
If you must use a password manager, one option is to deploy passwordless MFA to log in to your vault. Keeper offers this option for enterprise accounts with TraitWare.
Seeing is Believing
Curious? We’d love to show you how TraitWare works to enhance security and vastly simplify login for the enterprise.
The digital age has brought radical change to many industries. And, as the world becomes increasingly connected, long and complex supply chains are common for companies of all sizes.
While connectivity has been good for international commerce, it also comes with elevated risk – particularly for the supply chain. Regardless of size or industry, cybersecurity threats have increased dramatically over the years. According to reports, there has been a whopping 742% increase in software supply chain attacks over the past three years. Phishing campaigns, identity theft, email-based impersonation attacks, etc. … are among methods that have been all too successful, with often devastating effects on victim companies and individuals. Since large quantities of money and sensitive information travel along the supply chain, this is not surprising.
Best Practices For Security
While the threat of supply chain attacks is growing, there are basic steps that businesses can take now to mitigate risk. The key is to apply security measures across the entire supply chain and to regularly evaluate and refine them to ensure they remain effective.
The following are basic actions companies should take:
- Ensure that remote admin interfaces used by service providers are secured. If credentials must be used (usernames and passwords) use a password manager and protect it – preferably with passwordless MFA.
- Establish measurable quality standards and make sure your suppliers adhere to them. Ideally, suppliers themselves should also be required to have proper security measures in place.
- Ensure that only relevant parties have access to sensitive information.
- Ensure that remote interfaces and security credentials used by service providers are fully revoked at the end of the supplier-business contract.
- Vet all hardware and software before admitting it into your business network. Once added to the network, both should be continuously monitored for potential security risks.
- Keep software up to date.
- Implement multi-factor authentication (MFA) across devices and platforms. The goal is MFA 100% of the time, for 100% of your users. *
More on Multi-Factor Authentication (MFA)
While all of the above measures are important, MFA is the first step recommended by experts like CISA to secure devices throughout the supply chain. It is also the easiest step.
Not All MFA is Created Equal
While multiple factors of authentication are better than one to help deter cybercriminals, there’s a difference between Traditional MFA and MFA that is Phishing-Resistant.
Unfortunately, cyberattacks targeting traditional MFA have become more frequent. Why? This is usually because one of the (fallback) factors is Phishable – meaning something that a bad actor could guess or gain access to via various methods.
Let’s break it down: What are the “Multiple Factors of Authentication” in MFA?
MFA uses at least two of three types of factors:
- Something you know, such as a password, PIN, or response to a security question or prompt.
- Something you have, like a smartcard, key, physical token, or software certificate.
- Something you are, such as a fingerprint or facial scan.
Back to Phishing-Resistant MFA. In order to achieve it, the MFA cannot include “something you know”, the knowledge factors, or shareable secrets because they are easily phished! As mentioned above, there are multiple ways in which bad actors can obtain these credentials. Eliminating the password or shareable secret drastically reduces risk.
Fortunately, Real Passwordless Phishing-Resistant MFA is not only more secure, it also simplifies login: there is nothing more to remember (or forget), nothing shareable or Phishable, and it is easier to deploy, use and maintain. PLUS, passwordless reduces IT support costs!
Centralized MFA vs. Disparate Systems
The other aspect of MFA to consider is whether it is centralized. In other words, does it require a separate ‘key’ or set of credentials for access to each application? Having MFA + Single Sign-On (SSO), for example, gives admins and users access and controls from a single console. This not only vastly improves user experience (and therefore user adoption rate) but also enhances security because companies can ensure MFA is in use and enforced 100% of the time for all users.
The benefits of phishing-resistant passwordless centralized MFA across supply chains are many.
For more information on TraitWare’s Passwordless Phishing-Resistant MFA+SSO, please reach out at any time.
Two years ago (August 25th, 2021) business leaders – including some of Silicon Valley’s biggest Tech players, water and energy companies, banking and insurance firms, and academic institutions – were summoned to the White House to discuss one of the world’s most pressing concerns: Cybersecurity.
The meeting came in the wake of several cyber-attacks – including on SolarWinds and the Colonial Pipeline – which cost companies billions of dollars and compromised millions of users’ valuable data.
President Biden called cybersecurity a “core national security challenge,” and initiated the meeting as a “call to action” for private sector organizations to take steps toward strengthening cybersecurity postures.
Reports say the discussion revolved around a collective effort to not only enhance user security as a whole but also by default – meaning that proper security should be built in. Some likened the effort to when seatbelts and airbags became the standard for automotive. It was a change, but now virtually everyone wears them as a matter of habit.
The meeting resulted in a host of promises from the private sector to do better to protect the nation’s companies, government agencies, and individuals from cyber-attack.
What did they pledge? Here are the highlights:
Google promised to spend $10 billion on cybersecurity initiatives, including training cybersecurity experts to help bring more talent to the industry.
Similarly, IBM would initiate training programs for cybersecurity personnel and announced a new data storage solution for critical infrastructure companies, and progress on safe encryption methods for quantum computing.
Microsoft pledged $20 billion over five years on cybersecurity initiatives and $150 million that would go to support federal, state, and local governments looking to improve security.
Amazon’s cloud computing division said it would provide free multi-factor authentication (MFA) devices to US customers who average a monthly spend of $100 on Amazon Web Services.
Apple said it would encourage its suppliers to boost cybersecurity practices by deploying multi-factor authentication (MFA) and better logging.
The National Institute of Standards and Technology (NIST) said it would work with Microsoft, Google, and insurance companies to help guide the creation of more secure products and to audit the security of existing ones.
Educational institutions were there, including the University of Texas and Girls Who Code, which announced accelerated or minority-focused cybersecurity credentialing programs.
Cyber insurance provider Resilience said it would require policyholders to have proper cybersecurity measures in place before granting coverage.
But what has happened in those two years?
With reported risk and instances of cyber-attack still on the rise, how have we done?
The good news is that companies like Microsoft, which has been very vocal about security measures such as MFA, along with Google, which has announced products with better security, and Apple, which has launched enhanced security programs with its suppliers, are taking their leadership roles seriously as they encourage industry best practices.
Insurance companies have also stepped up to encourage best practices for their customers – many of them requiring that policyholders have good security in place before signing them on. Brightline Insurance, with whom we’ve partnered to provide customers with passwordless native MFA, is clear in its messages to clients about strong security as not only mandated by providers but a sure way to minimize insurance premiums.
Just this past week, at the RSA conference, I sensed that the industry is moving in the right direction, and was happy to see so many players – large and small – with a real drive to address the cybersecurity risks we face as a nation and across the globe.
We have work to do, but we’ve come a long way. I believe it’s our job to help people understand those risks, but also the viable solutions out there that will mitigate risk, be easily adoptable and be cost-effective for companies of all sizes.
We’re pleased to be working with partners in the effort to simplify and secure login for the enterprise. Stay tuned for more exciting news on that front!
Speaking of Promises
At TraitWare, we’ve made our own promises since our foundation. And we’ve kept to every one of them. …
- Build a product that works. Right from the get-go.
- Build it with cutting-edge and scalable technology, to weather change and growth
- Make life easier for both users and admins – quick and easy to deploy, use, and maintain.
- Build it to comply with the highest quality, privacy, and security standards available. *
- Work with a team of individuals and partners who share the same high standards for integrity, transparency, innovation, and passion for what we do.
* In case you missed last week’s news, we are pleased to join the FIDO Alliance and a collective effort to bring strong authentication to companies of all sizes, worldwide.
For any questions about our solution, or if you just want to chat, please reach out any time.
TraitWare’s patented innovation is part of what makes us stand out from the competition. Find out more about our unique technology.
Patented Innovations (5 Granted)*
- Unique, confidential, and secure (>1 in 300 billion) token on every authentication request
- User-unique and cryptographic token matched with the server before access is granted.
- Confidence score based on a statistical analysis of authentication factors.
- TraitWare grants access only after initial user confirmation via a user biometric or PhotoAuth (photo PIN)
- Can require pre-authentication to the app before requesting a push notification from the app
Patents Pending
- Uniquely, confidentially, and securely authenticate a user and any of their devices
- Secure login via a Direct Login button
- MFA-inherent upon deployment of QR-based secure login includes a unique proprietary QR flow
- Minimal touch-only registration for app users. No typing needed
*US patents (101649740, 1050388, 11068476, 11301555, 11406196, 11805121)
Selected TraitWare processes (such as registration, Windows authentication, and Linux authentication) are also covered by pending US and international patent applications.
For more information about our technology or our Passwordless MFA+SSO Solution, please get in touch.
And why you should use Strong MFA instead
Despite the call from world leaders for strong Multi-Factor Authentication (MFA) to protect individuals and organizations against cyber-attack, the vast majority just isn’t up to snuff when it comes to security.
Most of us know that security starts with Identity and Authentication – ensuring that users Are Who They Say They Are before they’re granted access to company resources and digital valuables.
One of the questions we get often is, “How is your solution – or any strong MFA solution – different from a free authenticator app? … Isn’t all authentication essentially doing the same thing?”
The short answer is No. Not all authentication is doing the same thing, and the differences are many. The Gist?
Most authenticator apps are using 2FA – typically a One-Time Passcode (OTP) or push notification on top of a password for access. The problem is that all those factors are ‘Phishable’ – or often easily accessible by an attacker. Why? Because they are typed, remembered, and/or shareable (something you know or a ‘knowledge factor’) which means bad actors can use various methods to obtain them. Guessing, social engineering, MFA fatigue, push attack, etc. are among the common and increasingly easy methods used by attackers.
Arguably, 2FA is not much better than a password alone. Why? Because free authenticator apps will likely fall back on that password or unsecured or ‘Phishable’ factor for authentication.
What’s Phishable and What’s Not?
And Now, 7 Reasons you shouldn’t use authenticator apps for login security
1. Physical access and people looking over your shoulder
Someone might look over your shoulder when you’re using an authenticator app and see the one-time code. And maybe not just one code, as authenticators often display several codes in a row, which could allow the attacker to log in to any of those accounts.
Worse, if someone got their hands on an unlocked smartphone with an authenticator, they could gain access to all your accounts without much difficulty.
2. Phishing sites
While most phishing sites are set up primarily to harvest usernames and passwords to sell on the dark web, and 2FA can help protect against these kinds of attacks, cybercrime is rapidly advancing, and sophisticated methods are more accessible to cybercriminals and more common.
In many cases, attackers can imitate the two-factor authentication mechanism, and not only intercept the login and password but also the one-time code. They can then log into the victim’s real account.
Phishing is the #1 attack method for cybercrime and it can be difficult to protect against it.
3. Stealer malware
One critical truth is that services aren’t keen to lose customers because of friction, or because of the loss of an authenticator. So, they usually provide an alternative login method such as sending a one-time code or confirmation link to the owner’s email address.
This means that if a leak occurs and attackers have the password and email address, a bypass attack is not only possible, it’s likely. … 2FA then essentially becomes no more secure than a password for access.
What happens then?
After you’re successfully logged in, the service saves a small cookie on your computer, which contains a secret number. This file is what your browser will present to the service for authentication from that point on. So, if someone manages to steal this file, it can be used to sign into your account. No password or one-time code will be necessary.
These files (along with a host of other information like browser-saved passwords, cryptocurrency wallet keys, etc.) can be stolen by Trojan Stealers. With a Stealer on your computer, you’re at serious risk of other accounts being taken over as well.
In fact, experts say that most mobile authentication apps can be breached by malware.
Most authentication apps use cryptographic keys which generate the codes used to identify users. If these keys are stolen, they give a bad actor the ability to authenticate transactions or sign documents on a user’s behalf. This is why most authentication apps try to make use of the safest storage available for these keys.
For many developers, this means a mobile phone’s Trusted Execution Environment. On Android phones, this is known as the StrongBox Keystore. On Apple devices, this is the iOS Secure Enclave (with companion software called Keychain that stores encrypted data such as passwords).
V-Key CTO Er Chiang Kai points to a flaw in the architectural design of these apps – called the ‘Trust Gap’, “which hackers can exploit using malware to illegally obtain a target’s authenticator keys. This enables bad actors to make unauthorized transactions or sign bogus documents, opening up a digital service to account takeovers, data leakage, fraud, or worse. This is an insidious and sophisticated attack as the targeted authentication app doesn’t even need to be running or be tampered with to be compromised.”
4. Lack of authenticator backups
If you somehow lose your authenticator, access to your accounts can also be lost – even permanently. This can happen if your phone breaks to the point that data is no longer retrievable or if your phone is lost or stolen.
If your authenticator can’t back up data properly (which is often the case), you’ll need to install the authenticator on more than one device, or even use several apps, to ensure recovery.
5. Compliance Requirements
Many regulatory standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) require MFA to be implemented in order to protect sensitive information. Most authenticator apps won’t meet these requirements.
6. Flexibility
Most strong MFA solutions can be customized to meet specific security needs. This includes the ability to employ different authentication factors such as biometrics, tokens, and/or mobile devices. Authenticator apps are generally limited in their flexibility.
7. Ongoing Support
A good MFA solution includes ongoing support and regular updates so that the solution remains effective against emerging security threats.
What’s the Solution?
- We recommend companies use Strong MFA that is non-phishable or Phishing-Resistant (as the above table outlines). Non-phishable factors are those that tie login to the user, and they are typically not available as factors for authentication on free authenticator apps.
- Make sure the solution is compatible with the systems you’re running. Google Authenticator, for example, works with other Google products but not for others.
- Make sure the solution allows for Single Sign-On (SSO) so you can access all your applications from a single console. Most authenticator apps don’t allow for this.
- The Bottom Line = YOUR Bottom Line. … Deploying simple secure Passwordless MFA + SSO should be affordable but also save on costs.
In summary, there are too many situations where free authenticator apps using 2FA are vulnerable, with potentially devastating and costly results.
If you have questions about how TraitWare’s ‘Phish-Proof’ Passwordless MFA+SSO works to eliminate the highest risk factors, friction, and complication, please get in touch.
We’re here to help!
But, Seeing is believing. Don’t take our word for it. Read what our happy customers have to say.