Cybersecurity is a complex industry that’s become essential for everyone who accesses the internet on a regular basis. We have accounts for everything now, from online shopping to banking to government applications, so how can we be sure that our information stays out of the hands of people who might want to hurt us while still being able to get into our accounts when we need them? 

We use authentication methods, including multi-factor authentication and single sign-on. Here's what you need to know about how these two measures work, what they're used for, how safe each one is, and how they compare to each other.


What is Multi-Factor Authentication?

The process of signing into an account is known as authentication, as you are confirming who you are and that you have the right to be accessing the information you’re looking for. For a traditional online account, you’ll make a unique username or use an email and pair it with a unique password that only you are supposed to know. 

While fine in theory, this doesn't provide a particularly high level of security. Passwords are often guessable by someone who knows the user, people share passwords with friends or family for convenience, and attackers run automated guessing tools (dictionary and brute-force attacks) against weak passwords and replay passwords leaked in other breaches against every site where they might have been reused (credential stuffing).

That’s why many services use multiple sources of confirmation to ensure that the person trying to access an account is actually who they say they are. This is called multi-factor authentication or MFA, and it’s used on everything from social media to online banking and more.

MFA works like this: 

  1. When you set up an account, you register a second factor alongside your username or email and password. This is usually a phone number (for SMS codes), an authenticator app that generates short-lived codes, or a hardware security key. 
  2. When you log in with your password, the service prompts for the second factor: a code sent to your phone, the current code from the app, or a tap on the key. 
  3. You supply the code (or approve the prompt) and the service lets you in. Because the code is short-lived and tied to that moment, a stolen or guessed password alone is no longer enough.

There are a couple of drawbacks to MFA to be aware of. If you lose access to your second factor (a lost or replaced phone, for example) and have no backup codes or recovery method set up, you are locked out of the account. If your second factor is an SMS code, you also need cell service to receive it, and SMS is the weakest option, since messages can be redirected to an attacker through a SIM swap; codes generated by an authenticator app work offline and avoid that problem. Generally, though, MFA is one of the most effective ways of keeping your accounts safe: a stolen or guessed password alone no longer gets an attacker in.

What is Single Sign On?

Single sign-on (SSO), as the name implies, lets you log in once, with one set of credentials held by an identity provider, and then access multiple applications without logging in again. It is most useful for companies and larger enterprises, but the same idea is popular on consumer sites, which let you sign in with your social media account instead of creating another password. 

Single sign-on works roughly like this:

  1. The user authenticates once with the SSO (identity) provider using a username or email and password (and, ideally, MFA). 
  2. The provider issues a signed token or assertion (for example a SAML assertion or an OpenID Connect ID token) that states who the user is, which application it is for, and when it expires; the browser carries it to the application. 
  3. The application checks the signature, issuer, audience and expiry against the provider's published keys and, if they hold, signs the user in without asking for credentials again.
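
The token in steps 2 and 3 is the security-critical piece, and the application's checks on it are what make SSO safe. The following added example (not code from this article or from any SSO product) shows a simplified version in Python: the provider signs the claims with an HMAC key it shares with the application, and the application rejects anything tampered, expired, from another issuer, or minted for a different application. Real SSO uses SAML assertions or OpenID Connect ID tokens signed with the provider's private key and verified against its published public keys; the HMAC, the issuer URL, the key and the user and application names here are assumptions made so the example runs on its own.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"  # assumed identity provider, for illustration only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(idp_key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Provider side: sign a short-lived statement of who the user is and which app it is for."""
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(idp_key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(idp_key: bytes, token: str, expected_aud: str, now: int):
    """Application side: the subject if the token is genuine, unexpired and meant for this app, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected_sig = _b64url(hmac.new(idp_key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected_sig, sig):
        return None  # forged or tampered: the claims cannot be trusted at all
    try:
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != ISSUER:
        return None  # not from the provider we trust
    if claims.get("aud") != expected_aud:
        return None  # minted for a different application; never accept it here
    if now >= int(claims.get("exp", 0)):
        return None  # expired
    return claims.get("sub")


def demo():
    key = b"shared-idp-secret-for-demo-only"  # constructed; a real provider signs with its private key
    now = 1_700_000_000
    token = issue_token(key, "alice", "mail.example.com", now)
    # Attacker keeps the provider's signature but swaps the claims underneath it.
    forged_body = _b64url(b'{"aud":"mail.example.com","exp":1700000300,"iat":1700000000,'
                          b'"iss":"https://idp.example.com","sub":"admin"}')
    tampered = forged_body + "." + token.split(".")[1]
    return {
        "valid": verify_token(key, token, "mail.example.com", now + 10),
        "wrong_app": verify_token(key, token, "hr.example.com", now + 10),
        "expired": verify_token(key, token, "mail.example.com", now + 600),
        "tampered": verify_token(key, tampered, "mail.example.com", now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often skipped: without it, a token the provider issued for a low-value application can be replayed to a high-value one, which is exactly the "one compromise opens every door" risk that makes SSO dangerous when done badly.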

For companies, an SSO can let multiple people access multiple accounts across various devices without having to remember a million passwords. It can also provide a more seamless login experience that reduces frustration in the workplace, especially if the work you’re doing requires you to access many different applications quickly or simultaneously.

The most obvious drawback of SSO is that the provider account becomes a single point of failure: if an attacker takes over the user's SSO login (or the provider itself), they get into every connected application in one fell swoop. The upside is the flip side of the same fact. Because there is only one login to protect, the provider can enforce a strong password policy, MFA and session monitoring once for every application, and the applications themselves never see the user's password, only the provider's signed assertion that the login succeeded.

Which is Safer?

It's difficult to compare the safety of MFA and SSO directly, because they solve different problems: MFA strengthens a single login by requiring more than a password, while SSO reduces the number of logins by centralizing them. You could argue that MFA is the more secure of the two but carries a higher risk of locking users out, and that SSO is the more convenient but concentrates risk in the provider account. 

This is why it can be a good idea to use both systems together. SSO systems that also employ MFA get the best of both worlds; users have a seamless login experience across applications while also knowing that their account is secured by outside authentication efforts. Using both adds one step to the process of signing into accounts while streamlining the number of times you have to sign in overall, so you have convenience and peace of mind.

Conclusion

Keeping your accounts secure online is vitally important in an age where everything about our identities – from our financial to our personal information – is tied to the internet in some way. By enabling some form of cybersecurity on your accounts, whether you choose to use Single Sign-On or Multi-Factor Authentication, you can protect your identity from bad actors while still having the freedom to work and explore online as you so choose.

Press Release | May 24, 2023

The National Security Agency (NSA) and partners have identified indicators of compromise (IOCs) associated with a People’s Republic of China (PRC) state-sponsored cyber actor using living off the land techniques to target networks across U.S. critical infrastructure.

“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” said Rob Joyce, NSA Cybersecurity Director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”

To assist network defenders in hunting for and detecting this type of PRC actor malicious activity on their systems, NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) today. The partner agencies include:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

“For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe,” said Jen Easterly, CISA Director. “Today’s advisory, put out in conjunction with our US and international partners, reflects how China is using highly sophisticated means to target our nation’s critical infrastructure. This joint advisory will give network defenders more insights into how to detect and mitigate this malicious activity. At the same time, we must recognize the agility and capability of PRC cyber actors, and continue to focus on strong cybersecurity practices like network segmentation and ongoing investments in promoting the resilience of critical functions under all conditions. As our nation’s cyber defense agency, CISA stands ready to aid any organization affected and we encourage all organizations to visit our webpage for guidance and resources to make their networks more resilient.”

“The FBI continues to warn against China engaging in malicious activity with the intent to target critical infrastructure organizations and use identified techniques to mask their detection,” said Bryan Vorndran, the FBI’s Cyber Division Assistant Director. “We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to ensure they can better protect themselves from this targeted malicious activity.”

“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” said Paul Chichester, NCSC Director of Operations. “We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”

“The Canadian Centre for Cyber Security joins its international partners in sharing this newly identified threat and accompanying mitigation measures with critical infrastructure sectors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “The interconnected nature of our infrastructures and economies highlights the importance of working together with our allies to identify and share real-time threat information.”

The CSA provides an overview of hunting guidance and associated best practices. It includes examples of the actor's commands and detection signatures, and a summary of indicators of compromise (IOC) values, such as unique command-line strings, hashes, file paths, exploitation of the CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor.

As one of their primary tactics, techniques, and procedures (TTP) of living off the land, the PRC actor uses tools already installed or built into a target’s system. This allows the actor to evade detection by blending in with normal Windows systems and network activities, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity that is captured in default logging configurations.

NSA recommends network defenders apply the detection and hunting guidance in the CSA, such as logging and monitoring of command line execution and WMI events, as well as ensuring log integrity by using a hardened centralized logging server, preferably on a segmented network.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.

The behavioral indicators noted in the CSA can also be legitimate system administration commands that appear in benign activity. Defenders must evaluate matches to determine the significance, applying their knowledge of the system and baseline behavior.
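
Putting the guidance in the preceding paragraphs into practice means running rules over command-line and audit-log events and then weighing the hits against a baseline. The following added example (not from the CSA or NSA; the events, hosts, users and watchlist are constructed for illustration) does that in Python over a handful of Windows process-creation (Event ID 4688) and log-cleared (Event ID 1102) records of the kind a SIEM would hand you: it pages on a cleared Security log, flags built-in tools such as wmic and ntdsutil, and suppresses a hit that matches a known administrative baseline, which is the evaluation step the previous paragraph calls for.

```python
import re

# Built-in Windows tools worth a look when run outside routine administration.
# An illustrative watchlist for this example, not the CSA's indicator list.
WATCHLIST = {"wmic", "ntdsutil", "netsh", "powershell"}

# Constructed sample records, shaped like parsed Security-log events. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "User": "jdoe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"EventID": 4688, "Computer": "WS01", "User": "jdoe",
     "CommandLine": r'wmic /node:"DC01" process call create "cmd.exe /c netstat -ano"'},
    {"EventID": 4688, "Computer": "DC01", "User": "backupadm",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full D:\backup\ntds" q q'},
    {"EventID": 4688, "Computer": "DC01", "User": "jdoe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\x" q q'},
    {"EventID": 1102, "Computer": "WS01", "User": "jdoe", "CommandLine": ""},
]

# Known-good administrative activity: (host, user, binary). Nightly AD backup by the backup admin.
BASELINE = {("DC01", "backupadm", "ntdsutil")}


def binary_name(command_line: str) -> str:
    """Lower-cased base name of the program in a command line, without a trailing .exe."""
    first = re.split(r"\s+", command_line.strip(), maxsplit=1)[0].strip('"')
    name = re.split(r"[\\/]", first)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def hunt(events, baseline):
    """Return (severity, host, user, reason) alerts for the given event records."""
    alerts = []
    for ev in events:
        host, user = ev["Computer"], ev["User"]
        if ev["EventID"] == 1102:
            # Security log cleared: rarely legitimate and a classic anti-forensics step
            alerts.append(("high", host, user, "security audit log cleared (1102)"))
            continue
        if ev["EventID"] != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        binary = binary_name(cmd)
        if binary not in WATCHLIST:
            continue
        if (host, user, binary) in baseline:
            continue  # matches a documented admin pattern: suppress instead of paging someone
        reason = f"{binary} executed"
        if binary == "wmic" and "/node:" in cmd.lower():
            reason = "wmic used for remote execution"  # lateral movement with a built-in tool
        alerts.append(("medium", host, user, reason))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The baseline is what keeps this from drowning analysts: the same ntdsutil command is benign from the backup account on its schedule and suspicious from a workstation user, and only knowledge of the environment tells the two apart. Send the 1102 alert from a forwarded copy of the log on the hardened central collector, since the attacker who clears the local log is counting on it being the only copy.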


A new survey of government office workers across the world found that “digital natives” — those who grew up with modern technology — are actually more likely than older employees to exhibit bad password habits.
Government Technology, March 09, 2023 •  News Staff
For those who grew up with smartphones, technology tends to come naturally — except when it comes to password hygiene, apparently.

A new report from the cybersecurity and IT asset management company Ivanti, in which it surveyed about 800 government office workers across the world, found that younger employees were more likely to use the same or similar passwords for multiple devices or accounts. They were also more likely to share passwords between personal and work accounts.

The survey also found that those in leadership positions demonstrated worse cyber hygiene than others. They were more than four times as likely to have clicked on a phishing link and five times as likely to share passwords with people outside their organization. Leaders also take longer to change passwords and use easy-to-find information such as birthdays in their passwords, according to the report.

Other findings from the survey:

CyberheistNews Vol 13 #05  |  January 31st, 2023

Cybersecurity Ventures released a new report that claims cybercrime is going to cost the world $8 trillion in 2023. If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.

The number sounds outlandish, but they stated: “We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

The 2022 Official Cybercrime Report, published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics which convey the magnitude of the cyber threat we are up against, and market data to help understand what can be done about it.

Link to the article where you can download the report and see the VIDEO:
https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/

Roger Grimes

KnowBe4 recommends that everyone use a password manager to create and use strong passwords as a part of their password policy:
https://info.knowbe4.com/wp-password-policy-should-be

LastPass, one of the world’s most popular password managers, recently had a bad data breach as revealed here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

LastPass divulged that although users' plaintext passwords were not accessed, what the hackers did get included the following information:

The hackers also got LastPass users' encrypted passwords for each stored logon. Those entries are encrypted with a key derived from the user's master password, so an attacker holding a copy of the vault can try master-password guesses offline, as fast as their hardware allows and with no lockout to stop them. The encryption protection is therefore strong AS LONG AS the master password was strong. If you're interested in a more detailed discussion, go here:
https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes

In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, was not an easy-to-guess password, and was not used on any other site or service, then you're probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and all the passwords stored in LastPass.
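
Why the master password matters so much, shown as an added example (not LastPass's code): the vault key is derived from the master password with PBKDF2, so an attacker with a stolen vault pays one PBKDF2 run per guess and nothing else. The Python below runs that offline attack against two vaults, one locked with a common password and one with a long, unique passphrase. The iteration count, the use of the email address as salt, the "vault check" HMAC and the wordlist are stand-ins for the real vault format and are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption for this example: PBKDF2-HMAC-SHA256 with 100,100 iterations, salted with the
# account e-mail, roughly how LastPass documented its vault key derivation at the time.
ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """The key that protects every stored logon comes from the master password and nothing else."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def vault_check_value(vault_key: bytes) -> bytes:
    """Stand-in for "does this key decrypt the vault".

    A real vault is checked by attempting AES decryption; the attacker's cost per guess is
    the same either way: one full PBKDF2 run. The constant header is an assumption.
    """
    return hmac.new(vault_key, b"vault-header", hashlib.sha256).digest()


def offline_guess(email: str, check_value: bytes, candidates, iterations: int = ITERATIONS):
    """What an attacker holding a stolen vault can do: try master passwords with no rate limit."""
    for guess in candidates:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(vault_check_value(key), check_value):
            return guess
    return None


# Constructed wordlist: the kind of guesses that come first in any cracking run.
COMMON_GUESSES = ["password", "123456", "Welcome1", "Summer2022!", "letmein", "qwerty123"]


def demo():
    """Returns (password recovered from the weak vault, password recovered from the strong vault)."""
    email = "alice@example.com"  # constructed
    weak_vault = vault_check_value(derive_vault_key("Summer2022!", email))
    strong_vault = vault_check_value(derive_vault_key("correct-horse-battery-staple-2023", email))
    return (offline_guess(email, weak_vault, COMMON_GUESSES),
            offline_guess(email, strong_vault, COMMON_GUESSES))


if __name__ == "__main__":
    print(demo())  # ('Summer2022!', None)
```

Six guesses take about a second in plain Python; a GPU cracking rig tries hundreds of thousands of PBKDF2 candidates per second, so a master password that appears in any leaked wordlist falls almost immediately, while a long random passphrase never gets reached. The same computation is why reusing the master password anywhere else is fatal: a breach of that other site hands the attacker the guess directly.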

Spear Phishing Bonanza

However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to specifically target (i.e., spear phish) a potential victim using information not known to the general public and other hackers.

For example, with a list of the web sites that someone logs onto, a phisher can craft a phishing email that pretends to be from one of those sites and includes the user's name, telephone number and mailing address. Each added detail lends the message more false legitimacy, and each one increases the percentage of recipients who will fall for it.

Knowing people’s phone numbers and what websites they belong to opens up an avenue for a fake tech support call. Mailing addresses can allow elaborate scams through postal mail. Here’s a brazen example of such a scam:
https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17

The sky is the limit on the types of spear phishing scams that can be created and delivered using the information that was stolen in the LastPass breach. Kudos to LastPass for making sure the most critical user information, the users' passwords, was stored in an encrypted state.

But this breach, like all the others before it, calls into question what type of user information should be considered "critical information" and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.

LastPass users were relieved to learn that their stored passwords were not directly compromised, but what information was taken by the hackers is likely to have spear phishing repercussions for years to come.

Blog post with links:
https://blog.knowbe4.com/heads-up-lastpass-attack-could-supercharge-spear-phishing-attacks

CyberheistNews Vol 12 #52  |  December 28th, 2022

To start off I’m repeating the tradition of my same New Year’s wish as a newsletter editor since 1996: “A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights”.

At the end of the year I spend a few days reading all the IT security pundits' 2023 predictions and synthesize them with my own perspective. The Crystal Ball editorial is the shortest of the year and takes the longest to write, but it's fun.

President Ronald Reagan once said, “The future doesn’t belong to the fainthearted; it belongs to the brave.” Sci-fi writer William Gibson added a few decades later: “The future is already here, it’s just unevenly distributed.” So, what will come next in our world of cybersecurity as we head into 2023?

The industry as a whole covered the following topics: This year will bring significant shifts to the world of cybersecurity. We could very well see a barrage of nation-state cyberattacks inspired by Ukraine’s hybrid hot- and cyberwar, an increase in MFA attacks, innovative strikes against drones and space vehicles, and skyrocketing social engineering attacking social media with deepfakes.

As the reach of hacktivism continues to expand, organizations are being compelled to look beyond endpoint solutions and invest in new “umbrella” platforms like XDR, Managed XDR and HDR that can help them manage increasing Infosec complexities. Furthermore, ransomware is expected to remain a major threat as malicious actors experiment with new, even more damaging forms. We must be especially vigilant when it comes to emerging technologies such as self-driving automobiles, humanoid robots or the Metaverse that highly likely will provide cyber criminals with new attack surfaces. It is sure to be an eventful 2023.

As usual, I’m donning my asbestos undies, so you can safely flame my poor behind after reading the new 2023 predictions. Good riddance of ‘annus horribilis’ 2022 which was the year of permacrisis.

  1. A shift in focus to create a culture of security and resilience versus compliance and breach-prevention, as identity and authentication attacks will remain a constant threat.
  2. Dramatic rise of purely destructive attacks by APTs, as techniques of cyberwar will come to commercial cybercrime.
  3. Shapeshifting ransomware business models will become a bigger avenue for data theft and blackmail, EU possibly overtaking US as most-targeted.
  4. MFA adoption fuels a surge in social engineering, BEC and weaponized deepfakes will take new forms, social engineers set their sights on ICS systems.
  5. A Foundational Model for Adversarial AI will make it in the mainstream. Have you played with GPTChat? The coming GPT-4 will be a killer.
  6. Mobile Workplace Trends (gaming, LinkedIn, WhatsApp, Signal, Snapchat) create ever larger attack surfaces enabling lateral penetrations.
  7. Innovative Crime-as-a-Service players make major inroads.
  8. Cyber Insurers verticalize their already increased security requirements, both premiums and outright rejections skyrocket.
  9. Macro-economic pressures and the coming 2023 Recession expose weaknesses and increase systemic infosec risk.
  10. The fragility of crypto infosec will cause the mother of all breaches, undermining it as a whole, and spur central banks to roll out digital currencies. Search for CBDC and shiver.

In “The Big Lessons From History”, financial writer Morgan Housel sums it up succinctly: “Risk is what you don’t see,” and “The riskiest stuff is always what you don’t see coming.” All the more reason to keep your eyes peeled and send monthly simulated phishing tests to keep your users on their toes!