Cyberattacks preceded Russia’s invasion of Ukraine, and these attacks continue today as the war unfolds. As the United States and other nations condemn Russia’s actions, the odds of Russian cyber actors targeting the U.S., allied countries, and businesses steadily increase.

Related: Cyber espionage is in a Golden Age

These Russian cyber actors include government organizations as well as other parties who take their orders from the Russian military or intelligence organizations while not technically under government control. There are also Russian cybercrime organizations that are not state-sponsored but are allowed to operate.

Each of these organizations performs cyber operations for various reasons. The Russian government, military, and intelligence service may wish to achieve some operational effect, for example, disrupting the power grid or interfering with telecommunications infrastructure, which may be part of a larger war plan. Some Russian cyber actors may gather intelligence while others are financially motivated.

Cybercrime is big business, as global losses to ransomware are projected to reach $42 billion within the next two years. The economic sanctions that many nations have put in place to influence Russia will most likely trigger an increase in the illicit business of cybercrime to help offset losses to what was legitimate trade.

Cyber attack targets

Russia isn’t the only cyber actor increasing its pace of cyber operations during this time. While the world focuses on Ukraine, other state actors have increased actions to penetrate government and private sector organizations. While you might think that these actors are interested in government and defense information, their operations prove they are interested in much more – including software development and information technology, data analytics, and logistics.


Your company’s intellectual property may be a target – and don’t think you are not just because you aren’t associated with defense contracting. Cyber actors are commonly after intellectual property or revenue.

Although there’s no one magic solution to eliminating cyberattacks and cybercrime risks, there are steps you can take to reduce the chances of becoming a victim. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has started a campaign to increase awareness of these risks to U.S. businesses called #ShieldsUp.

The efficacy of hygiene

Many of their recommendations are basic cybersecurity hygiene that require minimal effort to implement but can dramatically reduce your risk:

• Ensure all software (operating system and applications) is updated and patched. Enable auto-update features if available.

• Educate your employees on threats and risks such as phishing and malware.

• Enforce strong passwords and implement multi-factor authentication (MFA) — by educating users about using a unique password for each account and enforcing higher security for privileged accounts (administrators, root).

• Segment or isolate portions of your network that are critical to your business, or that process or store sensitive information.

• Configure all IT systems with hardened profiles that only allow network services essential to your business function; harden or eliminate the use of protocols such as RDP and SMB.
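The last recommendation is the one most often left unverified: a hardened profile is only as good as the check that the host still matches it. As an added example (not part of the CISA campaign or this essay), the script below parses the output of `ss -tlnp` on a Linux host, compares every listening TCP service against an allowlist of ports the business actually needs, and flags the RDP and SMB ports the essay names. The sample output is constructed; the allowlist and the set of risky ports are assumptions to be adjusted per system.

```python
"""Audit a host's listening TCP services against an allowlist.

Added example, not from the original essay. Parses `ss -tlnp` output
(constructed sample below) and reports listeners that are not on the
list of services essential to the business, tagging RDP/SMB by name.
"""
import re
from dataclasses import dataclass

# Ports the essay singles out for hardening or elimination (assumption:
# extend with whatever else your profile forbids).
RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS/SMB"}

# Constructed sample of `ss -tlnp` output from a hypothetical host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1203,fd=33))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     [::]:3389            [::]:*             users:(("xrdp",pid=1400,fd=11))
"""

@dataclass
class Listener:
    addr: str
    port: int
    process: str

# One LISTEN row: state, recv-q, send-q, local addr:port, peer, process info.
SS_LINE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s*(.*)$")

def parse_ss(text: str) -> list:
    """Turn `ss -tlnp` rows into Listener records (header lines are skipped)."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, port, extra = m.group(1), int(m.group(2)), m.group(3)
        proc = re.search(r'users:\(\("([^"]+)"', extra)
        listeners.append(Listener(addr, port, proc.group(1) if proc else "?"))
    return listeners

def audit(listeners, allowed_ports):
    """Return (port, process, tag, exposed) for each listener not on the allowlist.

    `exposed` is True when the socket is bound to every interface, i.e. the
    service is reachable from the network rather than only from localhost.
    """
    findings = []
    for l in listeners:
        if l.port in allowed_ports:
            continue
        exposed = l.addr in ("0.0.0.0", "*", "[::]", "::")
        tag = RISKY_PORTS.get(l.port, "not on allowlist")
        findings.append((l.port, l.process, tag, exposed))
    return findings

if __name__ == "__main__":
    # Assumption: only SSH and the local database port are essential here.
    for port, proc, tag, exposed in audit(parse_ss(SAMPLE_SS), {22, 5432}):
        where = "all interfaces" if exposed else "local only"
        print(f"port {port} ({proc}): {tag}, bound on {where}")
```

Run against real output with `ss -tlnp | python3 audit.py` after swapping the sample for `sys.stdin.read()`; the same idea applies to UDP (`ss -ulnp`) and to Windows hosts via `netstat -ano`, only the parser changes.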

Accounting for humans

While all these technical steps to reduce the risks of cyberattacks are valuable, the step that’s often overlooked or underfunded is the one that can be the most impactful – employee awareness. Implementing a culture of security and empowering employees to report suspicion of abnormal activity on information systems is key to stopping these threats early.

Not all cyberattacks take advantage of a user and result in penetration of your system. Still, the most common infection vectors are through a user – clicking a link, browsing to a page, sharing their password, or choosing a weak password. Therefore, educating your employees about the importance of security to your network is critical. Enabling employees to be your first line of defense can boost security and reduce risks.

In addition to the best practices above, it’s prudent to also have plans and procedures in place if a cyberattack is successful. These procedures will not only help get your business back up and running more quickly, but are critical to staying compliant with state or federal regulations requiring the reporting of cyber incidents. Just as businesses focus on resiliency and disaster recovery, they must also consider a cyberattack or incident that can cripple their product and/or revenue.

As the world watches the events in Ukraine, cyber incursions by hostile actors will continue across the globe. These threats will continue to plague businesses and our personal lives for the foreseeable future. Instead of falling into the trap of thinking you won’t be a target or have nothing of value for cyber attackers, take these steps to address and prepare to defend against these risks.

For more details on how to harden your IT infrastructure to ransomware attacks, consult the CISA and Multi-State Information Sharing and Analysis Center’s Ransomware Guide.

About the essayist: Don Boian is the Chief Information Security Officer at Hound Labs, Inc., which supplies ultra-sensitive, portable marijuana breathalyzer technology. He worked at the National Security Agency for 30 years on defensive and offensive cyber operations, and most recently served as CISO for a large regional bank.

From financial institutions to meat producers, it seems every industry has been impacted by ransomware in the past year — maybe even the past week. The world’s largest enterprises to the smallest mom-and-pop shops have been devastated by cybercriminals who are looking to hold assets hostage for a big pay day.

Related: Tech solutions alone can’t stop ransomware

Why the stark increase? Put simply, ransomware attacks are on the rise because of profits. This return on investment is bringing in new players, and the ransomware monster continues to grow…and we’re not ready to fight it off. Why? We’re not prepared to defend against persistent threats.

With ransomware-as-a-service (RaaS) as popular as it is, the attribution conversation becomes more difficult. Most of the ransomware attacks that use RaaS are done by affiliates who bounce from service to service, often using two to four different services at the same time. Shutting down a service doesn’t stop the attacks – the affiliates move to another RaaS provider, the RaaS owners just rename, retool, and go again.

While it’s nice to see law enforcement and governments go after the gangs, that won’t stop the monster that has grown out of control, that we, as an industry, continue to feed. While attribution and following the money can get a few wins, we need a multi-pronged strategy to slay the ransomware beast.

Low cost attacks

Understanding the root cause of these attacks is crucial so we can adjust defenses to protect against them. Actionable forensics on how these attacks were carried out go a long way toward understanding the attack methodology and inner workings of these affiliates and criminal gangs.


The living off the land/fileless attack methodology has not changed in years, despite the uptick in attack severity and frequency. Behaviors change and tools change, but the methodology remains the same. Yet, at the macro level, we don’t stop known malware, known malicious behaviors, remedy commodity tools that are used maliciously, or patch known actively exploited vulnerabilities immediately.

We’re failing as an industry to make it difficult for attackers to reach their goals. We spend millions to defend while attackers spend as little as $100 to conduct an attack with a potentially huge return on that investment.

Small-to-medium-sized businesses make up 99 percent of all businesses in the United States, and are a big ransomware target. Roughly 60 percent of successful ransomware attacks are against SMBs.

Enterprises have higher payouts, but ransomware gangs know they’re likely to face higher scrutiny after major attacks, especially when the impact of those attacks extends past the company (think the Colonial Pipeline attack).

Because of this, ransomware gangs are starting to focus more on SMBs. They’re easier to attack and provide moderate consistent payouts with little retribution from law enforcement or governments. Most SMBs don’t have the resources to defend against persistent threats and are more vulnerable than large enterprises that have more resources.

Bricks in the wall

There is no silver bullet in an industry that’s evolving (both in good and bad ways) as fast as cybersecurity. However, starting with a strong security foundation goes a long way. A security program built on a strong foundation will be strong; a security program built on a shaky foundation will be shaky.

A few things that are involved in most attacks include social engineering, passwords, and vulnerabilities. At the macro level, password hygiene is abysmal. Avoiding password reuse and using strong, hard-to-guess passwords goes a long way. The use of multi-factor authentication (MFA) that is not easily socially engineered is critical.

Vulnerability management with proper prioritization is also a must. The US CERT has a database of actively exploited vulnerabilities that is consistently updated. If you patch nothing else, patch vulnerabilities you’re affected by that are or have been actively exploited.
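The prioritization rule in that paragraph is easy to state and easy to get wrong in practice, because scanners rank by CVSS score and an actively exploited medium-severity bug ends up below an unexploited critical one. The script below is an added example, not the essay’s or any vendor’s tooling: it cross-references scanner findings with a known-exploited-vulnerabilities catalog and orders patching so that exploited CVEs come first (by remediation due date), with everything else ranked by CVSS afterwards. The catalog today is CISA’s Known Exploited Vulnerabilities (KEV) catalog, published as JSON with fields including `cveID` and `dueDate`; the entries and CVE ids below are constructed placeholders, and in real use the inline JSON would be replaced by the downloaded feed.

```python
"""Order patching by exploitation status before severity.

Added example, not from the essay. Findings and catalog entries are
constructed, with placeholder CVE ids; the field names `vulnerabilities`,
`cveID` and `dueDate` follow the CISA KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample: what a scanner reported for our hosts (placeholder ids).
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-2099-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-2099-0002", "cvss": 5.3},
    {"host": "db-01",  "cve": "CVE-2099-0003", "cvss": 7.5},
    {"host": "vpn-01", "cve": "CVE-2099-0002", "cvss": 5.3},
]

# Constructed stand-in for the known-exploited catalog (placeholder ids).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0002", "dueDate": "2099-02-01"},
    {"cveID": "CVE-2099-0004", "dueDate": "2099-03-15"},
]})

def load_kev(raw: str) -> dict:
    """Map CVE id -> remediation due date for every catalog entry."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev):
    """Return findings sorted with exploited CVEs first.

    Exploited findings are ordered by catalog due date (soonest first);
    the remainder by descending CVSS. Each returned record gains an
    `exploited` flag so the reason for its position is visible.
    """
    def key(f):
        due = kev.get(f["cve"])
        # A leading 0 places any exploited CVE above every unexploited one,
        # no matter how the CVSS scores compare.
        if due:
            return (0, due.toordinal(), -f["cvss"])
        return (1, 0, -f["cvss"])
    return [dict(f, exploited=f["cve"] in kev) for f in sorted(findings, key=key)]

def patch_order(findings, kev):
    """Distinct CVEs in the order they should be patched."""
    seen, order = set(), []
    for f in prioritize(findings, kev):
        if f["cve"] not in seen:
            seen.add(f["cve"])
            order.append(f["cve"])
    return order

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in prioritize(SCAN_FINDINGS, kev):
        flag = "EXPLOITED" if f["exploited"] else "         "
        print(f"{flag} {f['cve']}  cvss={f['cvss']}  host={f['host']}")
```

With the sample data the CVSS 5.3 finding is patched ahead of the 9.8 one because it is the only one known to be exploited, which is exactly the inversion the essay asks for. Catalog entries that do not match any finding (here CVE-2099-0004) are simply ignored, so the list stays scoped to what you are actually affected by.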

Breach and attack simulation (BAS) technology allows you to test and tune your security controls, exercise your people and processes, and provide visibility not previously available into how your security program is working. Having a security tool such as endpoint protection isn’t enough. You must understand if it’s configured correctly and if you’re getting what you’re paying for.

While there is no one tool that can slay the ransomware beast for good, focusing on areas that are highly exploitable can help prevent the bad guys from reaching their goals. The more expensive it is to attack before a profit, the closer to eliminating the ransomware monster we are. Until the profits diminish to a point that running the criminal organizations is no longer viable, we’ll be stuck in the fight.

About the essayist: Derek Krein is Security Services Director at SafeBreach, supplier of a patented platform that enables security teams to conduct offensive security maneuvers.

Purple teaming is a way to use red teaming to understand and improve your defensive posture. Militaries improve operations through wargames. In the 1820s, the Prussian military labeled the two teams for this as “red” and “blue,” with red traditionally associated with the attackers, while blue represented the defender.

Related: Deploying human sensors

With increased dependence on computers, the military applied this war-gaming concept and color scheme to cyber. It became clear that the blue team could benefit from a more collaborative relationship with red, leading to the creation of “purple teaming.”

This collaboration is the key ingredient to successful purple teaming. The blue team decides on specific threats they want to test themselves against and the red team emulates those threats. The red team helps the blue team understand what’s working – and what they’re missing – by sharing information about their actions. By seeing the blue team’s defenses, the red team can modify their attack to help highlight defensive gaps relative to real threats.

Marshaling defenses

While traditional red teaming often aims to motivate a network owner to take the threat seriously and identify vulnerabilities, purple teaming focuses on illuminating exactly what actions defenders must take to effectively mitigate or respond to the Tactics, Techniques, and Procedures (TTPs) of real adversaries. This allows cyber defenders to gain valuable insight about what realistic malicious TTPs will look like in their network and how they are impacted by existing defenses.


The entire process is a much more collaborative effort to truly understand how the current defenses are working and where improvements can be made. With increased communication, defenders can confidently and rapidly design, test, and tune new defenses to keep pace with the constantly evolving threat landscape.

Although it’s still somewhat of a niche practice, there’s a great opportunity to provide defenders more resources to effectively defend their organizations through purple teaming. Also, implementing it on a regular cadence – weekly, monthly, or quarterly – can be beneficial. This way, it’s a regular part of security operations and the industry will see more cases where the first targeted organization detects and stops an attack.

One of the biggest benefits provided by purple teaming is that it leads to meaningful and actionable insight for the defenders. It clearly shows them their current posture, both strengths and weaknesses, against real-world TTPs to see what is and isn’t working to make the appropriate modifications.

The red team can now emulate a known threat that the defenders are very likely to encounter and the blue team will now have known malicious activity in their data to validate that their mitigations and detections will work.

It’s like a scientific experiment, where teams can repeatedly control and update each variable until the desired outcome is achieved.

Flexibility is essential

However, there are a couple of challenges associated with implementing purple teaming. For example, there’s often a psychological challenge associated with purple teaming. It’s human nature to always want to “win,” but in the case of purple teaming, the red team can’t be preoccupied with getting the best of defenders. Both sides need to ensure they’re using a repeatable and intelligible process that can mitigate this challenge.

Teams also must be flexible enough with their plan to achieve what the blue team is trying to accomplish, and clearly communicate what TTPs were used in the event. This means that organizations need a red team that understands real adversary TTPs.

Often, the events detected by the blue team are consequences of the red team actions, but not the actions themselves. The red team and blue team must work together to bridge this gap to check if the blue team detections are connected to the red team actions.
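Bridging that gap is mostly bookkeeping, and it is worth automating so the outcome of an exercise is a table rather than a debate. The script below is an added example, not the essay’s or MITRE’s tooling: the red team records each action with a timestamp, the host it ran on and the ATT&CK technique id it emulated, the blue team exports the detections that fired with the technique their rules map to, and the correlation pairs each action with the first matching detection inside a time window. What is left over on each side is the interesting part: actions with no detection are coverage gaps, and detections with no action are either a consequence that fired too late or under a different technique, or unrelated noise. Both logs are constructed; the ten-minute window is an assumption.

```python
"""Correlate red team actions with blue team detections.

Added example, not from the essay. Both logs are constructed samples.
A detection "covers" an action when it maps to the same technique on the
same host and fires within `window` after the action started.
"""
from datetime import datetime, timedelta

RED_ACTIONS = [  # constructed: what the red team actually did, and when
    {"id": "R1", "time": "2024-05-01T10:00:00", "technique": "T1059.001", "host": "ws-07"},
    {"id": "R2", "time": "2024-05-01T10:05:00", "technique": "T1003.001", "host": "ws-07"},
    {"id": "R3", "time": "2024-05-01T10:20:00", "technique": "T1021.002", "host": "fs-01"},
]
BLUE_DETECTIONS = [  # constructed: alerts exported from the blue team's SIEM
    {"id": "D1", "time": "2024-05-01T10:00:40", "technique": "T1059.001", "host": "ws-07"},
    {"id": "D2", "time": "2024-05-01T10:45:00", "technique": "T1003.001", "host": "ws-07"},
    {"id": "D3", "time": "2024-05-01T10:21:10", "technique": "T1046", "host": "fs-01"},
]

def _t(s):
    return datetime.fromisoformat(s)

def correlate(actions, detections, window=timedelta(minutes=10)):
    """Return (covered, missed, unexplained).

    covered:     action id -> (detection id, seconds from action to alert)
    missed:      action ids that no detection covered inside the window
    unexplained: detection ids not claimed by any action (late, mis-mapped
                 or unrelated); these need a human to reconcile
    """
    covered, missed, used = {}, [], set()
    for a in actions:
        start = _t(a["time"])
        hits = [d for d in detections
                if d["id"] not in used
                and d["technique"] == a["technique"]
                and d["host"] == a["host"]
                and start <= _t(d["time"]) <= start + window]
        if hits:
            hit = min(hits, key=lambda d: _t(d["time"]))  # earliest alert wins
            used.add(hit["id"])
            covered[a["id"]] = (hit["id"], (_t(hit["time"]) - start).total_seconds())
        else:
            missed.append(a["id"])
    unexplained = [d["id"] for d in detections if d["id"] not in used]
    return covered, missed, unexplained

def coverage(actions, detections, window=timedelta(minutes=10)):
    """Fraction of red team actions that produced a timely, matching detection."""
    covered, _, _ = correlate(actions, detections, window)
    return len(covered) / len(actions) if actions else 0.0

if __name__ == "__main__":
    covered, missed, unexplained = correlate(RED_ACTIONS, BLUE_DETECTIONS)
    for rid, (did, delay) in covered.items():
        print(f"{rid} detected by {did} after {delay:.0f}s")
    print("missed:", missed)            # gaps to fix before the next round
    print("unexplained:", unexplained)  # reconcile with the red team's notes
    print(f"coverage: {coverage(RED_ACTIONS, BLUE_DETECTIONS):.0%}")
```

In the sample, R2 is reported as missed even though D2 maps to the right technique, because the alert fired forty minutes later; R3 is missed because the alert that did fire on that host describes a consequence (a different technique) rather than the action. Both end up in the unexplained list, which is precisely the conversation the essay says the two teams must have.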

Since cyber operations can often be the most appealing approach for criminals to achieve their goals, one of the best ways to fight back is to hit them where it really counts: their wallets. With a threat-informed approach to defense that includes the benefits of purple teaming, defenders have the potential to make cyber intrusions cost more than they’re worth to adversaries.

About the essayist: Steve Luke is Director of Training and Certification, MITRE ATT&CK Defender.

As the dust settles following the recently disclosed hack of NewsCorp, important lessons are emerging for the cybersecurity and journalism communities.

Related: How China challenged Google in Operation Aurora

The Chinese government is well known for its censorship, and for frequent harassment and intimidation of foreign journalists. These are the foremost reasons China is ranked fourth worst globally regarding press freedoms.

China has enclosed its national internet servers within what is colloquially called ‘the Great Firewall.’ This firewall even goes as far as to block the latest version of the TLS encryption protocol (v1.3) because it puts mechanisms in place to prevent third parties from decrypting traffic.

Internationally, there is no doubt that this predominantly serves to facilitate the detection and blocking of topics sensitive to the Chinese Communist Party, such as the events of June 4, 1989, in Tiananmen Square. The recent Western reporting on the Uyghur internment camps in Xinjiang triggered further sensitivity around how the international community views the Chinese Communist Party’s domestic policies.

In a recent statement, the Foreign Correspondents Club of China (FCCC) commented, “Covering China is increasingly becoming an exercise in remote reporting, as China cuts off new visas and expels journalists.” Only 4 percent of respondents to an FCCC poll said their organization received a new J-1 visa in 2021, and 46 percent said their bureaus were understaffed because of a lack of visas.

Even those physically in China increasingly face obstruction as they investigate their stories. This ‘remote journalism’ largely relies on access to in-country sources, typically Chinese nationals willing to share their day-to-day experiences with foreign reporters.


If the Chinese government cannot prevent a story from being published outside of the country, it can act against sources. Identifying sources has become a tool in countering the anti-China narrative in the foreign press, and it acts as a powerful disincentive to anyone inside China who might consider speaking to a foreign journalist.

Like many organizations and industries, NewsCorp migrated its digital estate to make greater use of the cloud, including leveraging SaaS providers like Google Workspace to host email infrastructure.

Migrating from on-premises infrastructure to the cloud has substantial benefits, including increased efficiency, capabilities, and cost-savings. But it also has a considerable downside. If your staff can log on to the internet to access their emails, so can an attacker. These bad actors are no longer constrained by the need to access a physical device in an office location.

For organizations that have made that jump, sticking with a simple username and password to protect a globally accessible email server is far from good enough. Password leaks are commonplace. Employees often reuse passwords between other services and accounts. Credential harvesting attacks via phishing emails are now a daily occurrence. With these factors compounded, it’s only a matter of time before an attacker acquires an email address and password and can simply log in—no need to hack; no need to exploit a zero-day vulnerability.

Multi-factor authentication (MFA) is a powerful defense from these sorts of attacks, limiting the use of a username and password to the individual who possesses the physical key. MFA is a must for organizations using SaaS for email.

MFA can be challenging to implement for some organizations from a technology or cost perspective or due to user pushback. In some cases, there have been attacks against MFA systems targeting the companies that make them or exploiting the underlying technology. MFA, however useful, is no silver bullet.

From a detecting and monitoring perspective, determining what is and is not a legitimate user log-on event can be difficult, often reliant on attackers mounting their heists from known bad infrastructure on the internet, infrastructure known because systems caught attackers using it before. But this leaves security teams powerless to stop novel threats and zero-days.

Some mitigation techniques rely on simply blocking vast swathes of the internet, based on the country from which the IP address allegedly exists – but even geolocation of an IP address is more art than science, and this heavy-handed security can disadvantage an international business. In the case of NewsCorp, blocking access to any IP address believed to be in China would make reporting remotely even more challenging.

We have entered a new era of cyber threats. If measured as a country, cybercrime would possess the third-largest economy in the world, behind the U.S. and China. Cyber tools now undoubtedly play a role in international espionage, and last month, NewsCorp bore the brunt of cyber-attackers using the most sophisticated tools in their arsenal to breach its digital estate. 

About the essayist: Toby Lewis is Global Head of Threat Analysis at Darktrace, which supplies technology that applies Self-Learning AI to enable machines to understand the business in order to autonomously defend it.

APIs have become a security nightmare for SMBs and enterprises alike.

Hackers don’t discriminate based on the number of employees or the size of the IT budget. The same types of security risks impact businesses, whatever their size.

Related: Using employees as human sensors

Day in and day out, small-to-medium businesses are targeted by cyberattacks. They are often unaware of the risks they take on, which can include hacking, fraud, phishing, and more. A primary culprit of these attacks is the lack of understanding of application programming interfaces, or APIs.

SMBs and enterprises alike have been struggling with APIs as a mechanism for information security. According to Forbes, “the first half of 2018 was marked by an increase in API-related data breaches, with the 10 largest companies reporting the loss of 63 million personal records.”

These types of attacks can allow hackers to steal massive amounts of sensitive data, disrupt operations, and even take down websites. To protect against these attacks, businesses need to implement a wide range of strong API security measures such as authentication, authorization, encryption, and vulnerability scanning. The sheer number of options has a direct impact on the budget.

The fact that there are so many different APIs is the main challenge for enterprises when it comes to API security. Storing authentication credentials for the API is a significant issue. This can be compounded by certain enterprises using the Internet of Things (IoT) that don’t have good security.


Companies are realizing that they have to keep putting out fires on personal devices, leaving them vulnerable to attacks. The other issue with APIs is that once one is compromised, it’s likely that all of your accounts are affected because whoever does gain access will just use your username and password to log in to other sites, apps, etc.

The threat that API security breaches pose to enterprises should not be taken lightly. A breach should always trigger a comprehensive crisis communication plan involving the board, C-suite, and other stakeholders. This communication plan should specify how governing bodies will stay informed should there be a data breach as well as.

As you can see, handling API security is a tedious operation, not to mention an expensive one, even for enterprises. But big-budget enterprises can mitigate such breaches, while SMBs can barely spare a budget for them, which makes them an easy target for similar attacks.

For the most part, SMBs believe that they’re small targets and are unlikely to be attacked, but that’s really not true. We see high numbers of attacks against SMBs. Hackers aren’t looking for buckets of cash.

SMBs tend to be the target of common criminals. In some cases, they’ll start with a specific target in mind and work their way up to attempting to breach that specific target, but in other cases, it’s very opportunistic. It’s really about finding the easiest target to penetrate or a low-hanging fruit.

However, in recent years, we can see that SMBs are increasingly using cloud-based services to manage many areas of their information technology. These services used to be enterprise-only solutions.

The same goes for cybersecurity: SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and penetration testers, which help organizations identify and resolve security vulnerabilities and used to be solutions aimed at enterprises, are now readily available to SMBs as well.

Similarly, solutions such as BLST (Business Logic Security Testing) that provide automatic penetration testing at a budget price are increasingly used. These are tools that can continuously scan APIs; security vulnerabilities can be accurately identified and located, allowing development and security testing to detect and remediate vulnerabilities more quickly.

In conclusion, SMBs are at a disadvantage when it comes to API security because they often don’t have the same level of security resources as larger enterprise-size businesses. Hackers know this and often target SMBs because they’re an easy target. However, nowadays, solutions that were commonly used by enterprises are more commonly used by SMBs, and the price is reasonable.

About the essayist: Nathan Sitbon is a penetration tester at BLST Security, which supplies technology that finds broken logic in your API and maps it, with an easy-to-use & integrated platform.

Cybersecurity has never felt more porous. You are no doubt aware of the grim statistics:

• The average cost of a data breach rose year-over-year from $3.86 million to $4.24 million in 2021, according to IBM.

• The majority of cyberattacks result in damages of $500,000 or more, Cisco says.

• A sobering analysis by Cybersecurity Ventures forecasts that the global cost of ransomware attacks will reach $265 billion in 2031.

• The FBI reports that 3,000-4,000 cyberattacks are counted each day.

That’s just a sample of what is obvious to anyone in the industry: we’re in a war with cybercriminals, and we can hardly say we’re winning.

The vulnerabilities of internet security, once mostly a nuisance, have become dangerous and costly. Data privacy breaches expose sensitive details about customers, staff, and company financials. Security software may have been a satisfactory product at the turn of the century, but despite massive levels of investment, many experts now realize that it is not adequate for dealing with contemporary threats.

We reached this point of friction because of the compound effect of two shortcomings. One, security was too often treated as an afterthought by the industry, taking a backseat to a device’s speed, functionality, and design. Security remains an added expense that isn’t easy to market, especially when third-party software solutions have been so widely adopted.

But those software choices have proven to be lacking in dependability and often require patches or upgrades that are costly to the end user. Second, the design of security solutions struggled to scale up properly or adapt to the technological changes in the industry, especially in disaggregated compute networks.


Meanwhile the attack surface keeps broadening with the increasing interconnectivity of services, product chains, and user interfaces. Seeing the flaws continue year after year, the industry began linking authentication of valid software components to the underlying hardware, or the “root of trust”.

This approach allows for compromised software to be identified during the authentication process. However, hackers have attacked unsecured hardware and compromised this root. Thus, secure implementations are critical.

Compounding issues is the nature of threat response: it’s reactive, searching for known threats, while cybercriminals regularly devise new, surreptitious methods to avoid detection. Too frequently, security upgrades occur only after successful attacks have taken place, and most fixes are not sufficient to stand up to a new type of attack.

The good news is, artificial intelligence is here and is showing great promise to deliver what the market needs, that is, pre-emptive and proactive threat detection. In fact, AI is on the verge of providing a remedy for problems that have seemed insurmountable. New AI-based applications are poised to be game-changers for cybersecurity.

Implementing security solutions, such as secure hardware root-of-trust and proactive AI in a piecemeal approach and through multiple compute processor vendors, creates complexity and increases the attack surface for cybercriminals. That can cause deficiencies because of varying implementation quality.

Ideally, these security measures can be offloaded to a dedicated security co-processor that would reside in the control and management plane, separated from the data plane of the main processors. Such a co-processor would be positioned to act as a security watchguard for the entire system and provide a pre-emptive measure to fight cybercrime.

At Axiado, we believe an AI-driven trusted control/compute unit, or TCU, provides the level of protection the data-communications industry is demanding. The TCU is designed as a stand-alone processor that will reside on a motherboard next to a CPU, GPU or other compute engine.

This security-by-design solution for the control and management plane is based on proprietary Axiado technology, including Secure Vault™ (a secure hardware root-of-trust, cryptography engine and secure key/certificate storage), Secure AI™ (a pre-emptive threat-detection hardware engine), and firewall advancements.

Hardware with a TCU included will allow companies to pre-emptively detect threats and minimize the endless and often inadequate number of security patches they have been forced to choose for years.

Cybercriminals are nimble, use updated software, and are often determined. With an unprecedented number of attacks inundating global databases, it is the time to end threats with an AI-assisted hardware solution that denies cybercriminals entry into networks and the precious data they store.

About the essayist: Gopi Sirineni is the CEO of Axiado, which supplies advanced technologies to secure the hardware root of trust.

Some 96 percent of organizations — according to the recently released 2021 Cloud Native Survey — are either using or evaluating Kubernetes in their production environment, demonstrating that enthusiasm for cloud native technologies has, in the words of the report’s authors, “crossed the adoption chasm.”

Related: The targeting of supply-chain security holes

It’s easy to understand why a cloud-native approach elicits such fervor. By using flexible, modular container technologies such as Kubernetes and microservices, development teams are better equipped to streamline and accelerate the application lifecycle, which in turn enables the business to deliver on their ambitious digital transformation initiatives.

However, despite cloud-native’s promise to deliver greater speed and agility, a variety of legitimate security concerns have kept IT leaders from pushing the throttle on their cloud-native agenda.

According to the most recent State of Kubernetes Security report, more than half (55 percent) of respondents reported that they have delayed deploying Kubernetes applications into production due to security concerns (up 11 percent from the year prior) while 94 percent admitted to experiencing a security incident in their Kubernetes or container environment in the past year.

It’s clear that until we can deliver security at the same velocity at which containers are being built and deployed, many of our cloud-native aspirations will remain unfulfilled.

Cloud-native requirements

Traditionally, developers didn’t think much about application security until after deployment. However, as DevOps and modern development practices such as Continuous Integration and Continuous Delivery (CI/CD) have become the norm, we’ve come to appreciate that bolting security on after the fact can be a recipe for future application vulnerabilities.

Security must be ‘baked in’ rather than ‘brushed on’—and this current ethos has given rise to the DevSecOps movement where security plays a leading role in the DevOps process. However, it’s not enough to simply shoehorn these practices into the dynamic cloud-native development lifecycle.


Because traditional enterprise network security relies on static firewall rules that can only be updated in maintenance windows after a change approval process, securely developing and deploying applications in an automated way will not work in dynamic cloud environments where rules and policies are constantly in flux.

For this reason, most cloud environments come with built-in concepts like security groups and container service meshes that provide a way to control how different parts of an application share data with one another. While such methodologies might work well for simple applications, they lose their effectiveness as soon as you make a connection to or from various regions, clouds or technology stacks. For example, there is no interoperability between different cloud vendors’ security groups or different Kubernetes clusters.

Being cloud-native demands an approach that provides control and visibility across the entire application development lifecycle. A modern cloud-native security approach should tick the following three boxes:

• Dynamic: The ability to dynamically express and administer policies for controlling network traffic both to and from a Kubernetes pod should be considered table stakes, especially as software is being deployed across multiple cloud environments.

• Granular: Secure controls must extend to the ‘pod level’ of a container, not just the cluster level. A software-defined approach makes it easier to dispense granular access controls based on pre-defined policies that connect users to authorized functionality rather than simply at the network level.

• Unified: Slicing cloud-native security across multiple point solutions leaves you with a partial view. A unified policy engine should be omnidirectional and able to manage user-to-resource access (for both traditional and cloud-native applications) and resource-to-resource access (in cloud-native development environments).

Cloud-native Zero Trust

A Zero Trust security approach, which applies the principle of least privilege access, assumes there is no clearly defined network perimeter. Because it’s software-defined, policies can be easily applied to systems, applications and users alike.

As one of the original vendors in the Zero Trust access market, Appgate has a long history of success in helping our customers ensure secure access as they migrate more of their applications and workloads to the cloud. To support them as they grow their cloud-native development initiatives, we recently introduced new Kubernetes access control capabilities for our flagship Appgate SDP product.

By deploying Appgate SDP natively inside a Kubernetes cluster as a “sidecar”—a helper application of sorts that runs alongside an application container in a Kubernetes pod—Zero Trust principles can be universally applied throughout the cluster, while providing fine-grained, differentiated access controls on a per-pod basis, thereby delivering greater control over service-to-service access.

This effectively limits the potential attack surface and makes it more difficult for an attacker to escalate privileges in the event of a network compromise.

Organizations gain a single unified policy engine for Zero Trust access that enables them to control user-to-resource access (i.e., for remote user access) and resource-to-resource access (i.e., for containerized workloads) to streamline management and reduce complexity. This allows them to protect all users (remote, onsite and hybrid), all resources (traditional, cloud-native and legacy applications) and all environments (cloud, hybrid, multi-cloud and on-premises) with one solution.

Cloud-native application development brings enormous capacity for innovation and efficiency gains for many organizations. By embedding Zero Trust security principles into the process, we can realize the full potential of cloud-native.

About the essayist: Jawahar Sivasankaran is the President & COO of Appgate, a supplier of secure cybersecurity solutions for people, devices, and systems based on the principles of Zero Trust security.

It can be a real hassle to keep track of the passwords you use. So many people use the same combination of username and password for every account. However, this isn’t a good idea. In fact, it’s terrible.

Related: Kaseya hack exacerbates supply chain exposures

You see, these days, many data breaches can be traced back to people using the same password across multiple accounts. And once the bad guy finds his way in, especially by logging into your email, it is game over. From there, it’s easy to reset the passcode for almost all of your accounts, since the bad guy controls your email too.

All it takes is a cracker to find this password, and now every account you have is compromised. And finding that password is even easier. Some studies show as many as 40 billion records were compromised in 2021. Many of those records are passwords.

At ProtectNowLLC.com, we have a tool that has access to over 12 billion compromised records where you can search your username aka your email address to find out if your username and associated password have been compromised on a variety of breached accounts.

Thankfully, there is an easy solution: use a password manager. I’ve had a password manager in place since 2004. At this point I probably have close to 700 different online accounts. And I might know the password for maybe five of them.

For the rest, only my password manager knows the password, which I can easily look up. But I’ve never committed them to memory. Most people say, “What if the password manager gets hacked?” While this might be a valid concern, it’s not a concern of mine.

The low hanging fruit isn’t a password manager getting hacked, it’s people reusing the same passcode across multiple accounts and those credentials being available on the dark web. But, if you don’t want to use a password manager because you’re afraid the password manager is going to get hacked, you can also do the following:

Creating a Unique Password

Research shows that the best passwords are 14 characters long. Those that are shorter than that are easier to figure out. If a site doesn’t let you create a password that is 14 characters, it is possible to adapt it. Password managers do a very good job of creating/generating long, strong, unique, complicated passcodes.

First, make a list of all of the sites you have a username and password for, and then put those sites into categories. For example, all of your sites for social media would be in a category, all of your email sites together, all of your banking sites together, and all of your shopping sites together.

Then you want to create a password that is eight characters. This will serve as the first part of any other password that you create. For example, the first eight characters might look like this:

CM&@t*yZ

Next, remember your categories? You will create a three-character password that is significant to those. For instance:

• Social media sites – SM#

• Email sites – &eM

• Shopping sites – $h0

• Banking sites – 8aN

So, this gives you 11 characters of the recommended 14-character password that you want to use. Now, you need three more characters, and that would be specific to the site. So, let’s say you are creating a password for your bank. This is made up like the following:

Eight-character (base) + three-character (category) + three-character (site)

So, for your bank, it would look like this:

CM&@t*yZ8aNp$X

This is a very difficult password to guess, and for many people, easier to remember. But it’s not easy for everyone to remember. There is a solution, but first, keep this in mind. When you have to change your password, you can keep the final six characters and just change the first eight.

Now, how can you remember the first part of the password? One way to do this is to simply write it down and store it in a safe place. However, don’t keep it near your computer. Another thing you can do is to create a phrase that will help you remember.

Here’s an example. Let’s say our phrase is “My brother asked me for bread and salt.” If you take the first letter for all of the words, it would be this:

MBAMFBAS

This could be your eight-character first part, and you can make it more secure by making some swaps:

M3@MFBA$

This still makes the password very difficult for a hacker to guess but makes it easier for you to remember. You can use the same method, of course, for the smaller parts of the password.
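The scheme in the steps above, as an added Python example that is not from the essay: it builds the eight-character base from a phrase, applies the author’s swaps, appends the category and site tags, and applies the rotation rule. The swap table and the second bank’s site tag q!2 are constructed assumptions.

```python
import os
import re

# Category tags exactly as listed in the essay.
CATEGORY_TAGS = {"social": "SM#", "email": "&eM", "shopping": "$h0", "banking": "8aN"}
# Swap table (constructed) that reproduces the essay's MBAMFBAS -> M3@MFBA$ example.
SWAPS = {"B": "3", "A": "@", "S": "$"}
BASE_LEN, TAG_LEN, TARGET_LEN = 8, 3, 14


def acrostic(phrase: str) -> str:
    """First letter of every word, upper-cased: the memorable base part."""
    return "".join(w[0].upper() for w in re.findall(r"[A-Za-z]+", phrase))


def apply_swaps(base: str, swaps: dict = SWAPS) -> str:
    """Swap the first occurrence of each listed letter for its symbol."""
    for letter, symbol in swaps.items():
        base = base.replace(letter, symbol, 1)
    return base


def compose(base: str, category: str, site_tag: str) -> str:
    """Assemble base (8) + category tag (3) + site tag (3); enforce the 14-char target."""
    if len(base) != BASE_LEN or len(site_tag) != TAG_LEN:
        raise ValueError("base must be 8 characters and the site tag 3 characters")
    password = base + CATEGORY_TAGS[category] + site_tag
    assert len(password) == TARGET_LEN
    return password


def rotate(password: str, new_base: str) -> str:
    """Essay's rotation rule: keep the final six characters, replace the first eight."""
    if len(new_base) != BASE_LEN:
        raise ValueError("new base must be 8 characters")
    return new_base + password[-(2 * TAG_LEN):]


def shared_prefix(a: str, b: str) -> int:
    """How many leading characters two passwords have in common."""
    return len(os.path.commonprefix([a, b]))


if __name__ == "__main__":
    base = apply_swaps(acrostic("My brother asked me for bread and salt."))
    bank = compose(base, "banking", "p$X")   # p$X is the essay's site tag; q!2 is constructed
    other_bank = compose(base, "banking", "q!2")
    print(base, bank, rotate(bank, "CM&@t*yZ"))
    print("leading characters shared by two banking passwords:", shared_prefix(bank, other_bank))
```

Running it also shows that two passwords in the same category share their first 11 characters, which is the trade-off this method makes for memorability.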

Honestly, if you’ve got even this far in this article, congratulations to you. You must be some weird math savant with an elephant’s memory. Frankly, the above gives me a headache. Like I said in the first three paragraphs, it’s best to just use a password manager and forget all of this work, but if you don’t want to, this method works pretty well.

About the essayist: Robert Siciliano is CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

(Editor’s note: This article was originally posted on LinkedIn.)