By Alfredo Hickman, head of information security, Obsidian Security

Earlier this year, I had the opportunity to speak before a group of CISOs about the topic of attack surface management (ASM). While much of the conversation centered around managing the attack surface of on-premises environments and cloud infrastructure, it was interesting to me that not much was said about SaaS. Naturally, that’s where I drove the conversation. Most organizations that use cloud services deal with a small number of cloud infrastructure providers, typically one or two of the big three: AWS, Azure, or GCP. The same organizations, however, typically have dozens, if not hundreds, of SaaS applications deployed across their enterprises. Each differs widely from the next, with its own security capabilities and its own challenges. It’s easy to see why SaaS security, and attack surface management in particular, is becoming more critical to our security programs and operations.

Attack surface management is generally defined as taking an adversarial perspective on the continuous discovery, inventory, classification, and monitoring of an organization’s surface area… and then doing something about it.

When it comes to SaaS, this is not as straightforward as we would hope. Staying on top of your SaaS attack surface can be difficult, or outright impossible, without the right tooling and processes. The dynamic nature of SaaS applications, the limited visibility into their configurations, and the fact that many SaaS applications integrate and interact with each other make SaaS attack surface management challenging at best. To make things harder still, there is no commonly agreed-upon shared responsibility model for SaaS security, and each new deployment, configuration, and integration can change the risk calculus.

However, SaaS attack surface management is not impossible. At the end of the day, SaaS, similar to IaaS, PaaS, and other cloud services, is another security operating domain. As security professionals, we must evolve our security programs and controls to account for SaaS. Taking an adversarial approach can help us be more effective and efficient in our efforts.

Discovery

The age-old truism in security that “you can’t defend what you can’t see” rings especially true in SaaS where you typically don’t control the underlying systems and the applications are hosted on other companies’ infrastructure. With the dynamic nature of SaaS applications and the ease of deployment and integration, SaaS app discovery can be difficult. However, taking an outside-in approach to SaaS discovery can help.

DNS subdomain scanning is a useful tactic for discovering internet-exposed SaaS application portals and their APIs. Many SaaS providers give each customer a tenant-specific hostname under the provider’s own domain, so you can take the domains of common SaaS providers and search them for the labels associated with your organization: company name, brands, subsidiaries, common abbreviations. As an added bonus, the same scan shows what potentially sensitive information about customers, subsidiaries, and partners you may be exposing to the internet through those hostnames.
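
As an added example (not part of the original article), the following Python script implements the outside-in discovery described above. The hostname patterns, the organization labels and the resolver wiring are illustrative assumptions; the provider list is a starting point, not a complete inventory. One caveat the script handles explicitly: several SaaS providers use wildcard DNS, so every label under their domain resolves. The script first resolves a random label under each parent domain and marks hits under wildcard domains as inconclusive, to be confirmed with an HTTP request rather than recorded as a finding.

```python
import secrets
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Illustrative tenant-style hostname patterns (an assumption, not a complete
# list). {org} is the short label a company typically registers with a
# provider: brand, ticker, or a common abbreviation.
SAAS_PATTERNS = [
    "{org}.okta.com",
    "{org}.atlassian.net",
    "{org}.slack.com",
    "{org}.my.salesforce.com",
    "{org}.sharepoint.com",
    "{org}.zendesk.com",
    "{org}.service-now.com",
]

# A resolver maps a hostname to an address, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN and other failures become None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


@dataclass(frozen=True)
class Finding:
    hostname: str
    address: str
    # "likely": the parent domain does not answer for random labels, so a hit
    # means a tenant exists. "inconclusive": the parent is a wildcard domain,
    # every label resolves, and the name must be confirmed with an HTTP probe.
    confidence: str


def parent_domain(pattern: str) -> str:
    """Everything after the tenant label, e.g. 'my.salesforce.com'."""
    return pattern.split("{org}.", 1)[1]


def is_wildcard(domain: str, resolve: Resolver) -> bool:
    """Detect wildcard DNS by resolving a random label no tenant would own."""
    nonce = secrets.token_hex(8)
    return resolve(f"{nonce}.{domain}") is not None


def discover(org_labels: Iterable[str],
             patterns: List[str] = SAAS_PATTERNS,
             resolve: Resolver = system_resolver) -> List[Finding]:
    """Return candidate SaaS tenants for the organization's labels."""
    labels = list(org_labels)
    findings: List[Finding] = []
    wildcard_cache: Dict[str, bool] = {}
    for pattern in patterns:
        parent = parent_domain(pattern)
        if parent not in wildcard_cache:          # one wildcard check per provider
            wildcard_cache[parent] = is_wildcard(parent, resolve)
        for label in labels:
            hostname = pattern.format(org=label)
            address = resolve(hostname)
            if address is None:
                continue
            confidence = "inconclusive" if wildcard_cache[parent] else "likely"
            findings.append(Finding(hostname, address, confidence))
    return findings


if __name__ == "__main__":
    import sys
    for f in discover(sys.argv[1:] or ["example", "example-corp"]):
        print(f"{f.confidence:12} {f.hostname} -> {f.address}")
```

Run it as `python saas_discovery.py acme acme-corp` with the labels your organization actually uses (brand, ticker, subsidiaries). The `resolve` parameter exists so queries can be routed through a resolver you control, or replaced with recorded answers when testing; the wildcard check is what keeps a scan of a dozen providers from producing a dozen false tenants.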

Another useful approach is implementing a governance process for vendor management. This would require any team seeking to procure a SaaS product to navigate a product risk review process. It’s useful to include finance as a hard gate whereby funding is not authorized until the risk review is complete. This can help ensure that the vendor management process is followed and that others are more supportive of the risk review. While many organizations already do this, the dynamic nature of SaaS and the ease of integration both within and amongst SaaS applications makes it critical to review your SaaS footprint regularly and not just during the initial procurement process.

At the end of the day, discovery is a continuous process. SaaS applications can change often and discovery must be accurate to be useful. The correct tooling can greatly facilitate this process.

Inventory

Keeping track of SaaS applications and their endpoints is critical for knowing what is deployed. Things to consider in your inventory include:

Where is the SaaS application deployed? Know the cloud region and address of the provider if possible. This is important for privacy purposes in addition to security.

What sorts of data are stored in the application? Consider PII, NPI, PHI, IP, and other sensitive types of data.

Who has access? This can be difficult to track at scale, but at a minimum document the administrators, third-party contractors, integrations, interns, and anyone with sensitive permissions or access who is not an administrator.

What are your security and privacy points of contact? During a security or privacy incident is not the time to try to figure out who to communicate with at the SaaS provider company.

Classification

Just as it’s important to classify the types of data that we are responsible for, it is also important to classify your SaaS applications. Classifying your SaaS apps according to organizational sensitivity, compliance/regulatory risk, integration dependency risk, and so forth can help you triage and respond more efficiently and effectively during a security incident and prioritize security resources and controls. For example, mapping critical organizational processes back to the SaaS applications that support them can help inform incident response and business continuity/disaster recovery processes in the event of an incident. Proper classification of your SaaS application install base can facilitate these critical processes.

Monitoring/Threat Detection

This is an area where having the right processes and tools can make all the difference. Threat detection and monitoring in SaaS is hit or miss: some SaaS apps have robust native capabilities and some have none. You cannot deploy an agent on a SaaS app or put a network tap in front of it. CASB is mostly focused on access and has no visibility into what happens within and amongst the SaaS apps and their integrations. Further complicating the issue, many SaaS applications are platforms with a plethora of third-party integrations, each with its own permission requirements, data access requirements, access grants, and so forth. Monitoring individual apps with their native capabilities does not scale, and applying traditional tools to the challenge is like pounding a square peg into a round hole.

Here is where purpose-built SaaS security tools coupled with regular adversarial simulations, such as red team exercises and penetration tests, can help. The right tools and adversarial exercises can shed light on your surface area, identify gaps in your detection capabilities, and assess the effectiveness of your security tools and controls. Effective SaaS security products will have an in-depth, integrated, and enriched view of your SaaS application install base. The products will understand the entities involved and their activity within and amongst your SaaS apps, and will provide a unified view of your SaaS attack surface and posture.

Posture Management

Most security professionals would agree that prevention, while not always possible, is ideal. This is especially true in SaaS, where an ounce of prevention is worth a pound of cure. Posture management, especially when focused on an organization’s attack surface, is an ideal method for identifying the settings and configurations that contribute to either a strong or a weak security posture. Once again, this is an area where native capabilities within SaaS applications can be hit or miss. It is critical to have a tool in place that understands the state of your SaaS applications and the implications of their configuration, and that surfaces findings with the context required to make informed decisions about the risk and how to improve it over time. This is particularly important given the dynamic nature of SaaS apps, where the security posture can change faster and more easily than with traditional applications and systems.
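
The integration sprawl described under Monitoring/Threat Detection and the configuration review described here meet in one concrete check: which third-party apps hold which grants, and how risky each grant is. As an added example, not code from the original article or from any product, the following Python triage scores an exported list of OAuth grants. The scope names are Microsoft Graph permission names used for illustration, the weights and thresholds are assumptions to tune for your environment, and the sample inventory is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative scope weights (assumption). The names are Microsoft Graph
# permission names used as examples; map your other providers' scopes the
# same way. Anything unknown gets a cautious default rather than a free pass.
SCOPE_RISK: Dict[str, int] = {
    "User.Read": 0,
    "offline_access": 2,            # refresh tokens: access outlives the session
    "Mail.Read": 4,
    "Mail.ReadWrite": 6,
    "Files.ReadWrite.All": 7,
    "Directory.ReadWrite.All": 9,
    "RoleManagement.ReadWrite.Directory": 10,
}
UNKNOWN_SCOPE_RISK = 5
STALE_DAYS = 90                     # unused this long: candidate for revocation


@dataclass
class Grant:
    app: str
    publisher_verified: bool
    tenant_wide: bool               # admin consent on behalf of every user
    scopes: List[str]
    last_used_days: int


@dataclass
class Assessment:
    app: str
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.score >= 15:
            return "high"
        if self.score >= 7:
            return "medium"
        return "low"


def assess(grant: Grant) -> Assessment:
    """Score one grant: scope breadth first, then who consented and whether it is still used."""
    a = Assessment(grant.app, 0)
    for scope in grant.scopes:
        weight = SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK)
        if weight >= 6:
            a.reasons.append(f"broad scope {scope}")
        a.score += weight
    if grant.tenant_wide:
        a.score += 4                # one consent covers every mailbox and drive
        a.reasons.append("tenant-wide admin consent")
    if not grant.publisher_verified:
        a.score += 3
        a.reasons.append("unverified publisher")
    if grant.last_used_days > STALE_DAYS:
        a.score += 2
        a.reasons.append(f"unused for {grant.last_used_days} days")
    return a


def triage(grants: List[Grant]) -> List[Assessment]:
    """Highest-risk integrations first, so reviewers start where it matters."""
    return sorted((assess(g) for g in grants), key=lambda a: a.score, reverse=True)


# Constructed sample inventory; the app names are invented.
SAMPLE_GRANTS = [
    Grant("Calendar Sync Helper", False, True,
          ["User.Read", "Mail.ReadWrite", "offline_access"], 120),
    Grant("Corporate BI Connector", True, True,
          ["User.Read", "Files.ReadWrite.All"], 3),
    Grant("Meeting Notes Bot", True, False, ["User.Read"], 1),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_GRANTS):
        print(f"[{a.severity:6}] {a.app:24} score={a.score:2}  {'; '.join(a.reasons)}")
```

The export this consumes is whatever your identity provider gives you for consented applications; the interesting part is that a stale, tenant-wide grant from an unverified publisher floats to the top even when each individual scope looks modest, which is exactly the kind of integration that native per-app consoles make hard to notice.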

Moving forward with integrated SaaS security

While SaaS is a relatively new operating domain for many security organizations and carries many unique considerations, at the end of the day the SaaS security challenge is not impossible. Evolving our security programs to account for SaaS, implementing appropriate governance controls, and deploying purpose-built tools to stay on top of SaaS threat detection, incident response, compliance, and posture management are critical to effectively securing our business-critical SaaS applications against the latest cyber threats.

The post Attack Surface Management for the Adoption of SaaS appeared first on Cybersecurity Insiders.

As the adoption of cloud storage grows, it is becoming easy to carry documents, passwords, movies, images, music, and so on wherever we go. Convenient as that is, uploading data to a third-party platform brings security risks. To begin with, we never know what is happening behind the scenes in the provider’s server farms, and anyone working in or for the data center who has the wrong level of access may be able to read the data.

Thus, to avoid all future digital embarrassments, it is better to take precautionary steps to ensure that the data on the cloud is safe and secure.

So, here are a few tips that could help in keeping data safe on cloud-

Using a strong password makes sense, as it helps keep information away from prying eyes. A strong password here means a mix of letters and numbers with one or two special characters, at least 10 to 14 characters long, and unique to this account; longer is better, and a password manager makes that practical. Avoid commonly used phrases like ‘I love you’ and the like.

2FA usage is a must– This is a second (or third) authentication requirement before an account can be accessed, such as a one-time code sent to a phone or email, an authenticator app, or a hardware security key, which makes it much harder for a threat actor who has only the password to get in. An authenticator app or security key is stronger than a code sent by SMS or email, which can be intercepted or phished.

Storing sensitive info offline– It is always better to keep the most sensitive information offline and away from the cloud, because anyone with access to the provider’s servers could potentially read what is stored there. If it must go to the cloud, encrypt it yourself before uploading, so that the provider only ever holds ciphertext.

Avoid using public Wi-Fi– While on the go, avoid accessing a cloud platform from public Wi-Fi, where an attacker on the same network can intercept traffic or present a fake login page to capture credentials. Mobile data is the better choice: 4G and 5G traffic is harder to intercept than an open hotspot, though neither replaces the need for the site itself to use HTTPS.

Use a CSP with several security levels– Choose a cloud storage provider that offers layered security controls, such as encryption of stored data, 2FA, and access logs you can review.

Backing up files on a regular basis makes recovery possible if and when the situation arises. Keep at least one copy somewhere other than the same cloud account.

Using anti-malware software on the devices that sync with the cloud makes complete sense: an infected laptop can steal the account credentials or copy corrupted and ransomware-encrypted files straight into the storage.

Figure out the access policies in advance. Limiting who can access files, and who may only read them versus edit them, helps keep unwanted activity at bay.

Using an ISO 27001 certified cloud storage provider makes sense, as the certification means an independent auditor has checked the provider’s information security management system against the international standard. It is a baseline, not a guarantee that your particular data is safe.

Hope it helps!

The post How to keep cloud storage secure and safe appeared first on Cybersecurity Insiders.

[ This article was originally published here by Indusface.com ]

Data from a recent report revealed that bots account for two-thirds of internet traffic. However, not all bots are safe and well-intentioned. Research further suggests that, of all web traffic, nearly 40% is bad bot traffic and around 25% is good bot traffic. Given how destructive bad bots are, it is essential to use a bot protection solution to detect bad bots, manage bot traffic, and mitigate bot threats. Read on to learn more about bot protection solutions and how they help organizations.

The Bot Problem: Why is it Necessary to Mitigate Bot Threats? 

Bad bots harm your business in several ways, some of which are detailed below.

1. Leveraged in a Range of Attacks 

From phishing, spamming, ad frauds, data harvesting to DDoS attacks, account takeovers, and brute force attacks, bad bots are leveraged by attackers to orchestrate a wide range of attacks. These attacks could cause downtimes, make the website/ application unavailable to legitimate human traffic, enable illegitimate access to critical assets, and/or lead to the loss of sensitive information, among others. Further, bad bots are also used by attackers to illicitly snoop and scan websites for vulnerabilities to exploit.

2. Content Scraping That Negatively Impacts SEO

Scraper bots are often deployed by attackers and even competitors to extract copyrighted/ trademarked/ proprietary content from a website and duplicate it elsewhere. This is often done by competitors or adversaries looking to negatively impact your SEO rankings as duplicated content diminishes your site’s authority over that content. Content scraping is also used by attackers to orchestrate phishing attacks and scams. They create fake websites by duplicating scraped content to trick visitors and do their bidding.

3. Price Scraping

Competitors looking to undercut prices typically deploy scraper bots to pull prices from e-commerce and other websites, then adjust their own to win on price. The symptoms are lower conversions, ranking drops, and unexplained downtime or slowdowns caused by aggressive scrapers.

4. Skewed Analytics That Lead to Poor Marketing Decisions 

By leveraging botnets, attackers could orchestrate DDoS attacks to make your website unavailable to legitimate traffic while affecting your traffic metrics. Bad bots are also leveraged to create and abandon shopping carts on e-commerce sites, thereby, creating non-existent leads. Similarly, bad bots are leveraged by attackers/ competitors to commit click fraud, creating non-existent shoppers and driving up advertising costs. Such skewed metrics often lead to poor marketing decisions and a reduction in ROI from advertising and marketing.

5. Loss of Customer Trust and Confidence

Bad bots are used by attackers to spam the comments sections with malicious code/ provocative comments/ scathing reviews, inflate views, write false or biased content by creating fake social media accounts, write fake user reviews, and so on. Such activities lead to the loss of customer trust and confidence in your brand and drive customers away from your website.

Overall, bad bots cause revenue losses by hurting the bottom line, and the attacks they enable bring financial losses, legal bills, penalties, and reputational damage. Mitigating bot threats avoids those costs.

Bot Protection Solution: Why Is It Vital to Mitigate and Manage Bot Threats?

Bot protection (or bot management) solutions enable organizations to identify and manage bot traffic and mitigate threats without affecting legitimate, business-critical traffic.

1. Keep Your Website Protected  

Bot protection solutions offer round-the-clock protection against bad bots, identifying and blocking malicious bots automatically and in real time. This lets organizations keep bot risk to a minimum and proactively protect their website from a range of known and emerging threats.

2. Make Your Website Always Available to Business-Critical Traffic

The best bot management solutions like AppTrana are equipped with global threat intelligence and insights on past attacks, and they have self-learning abilities as well. This gives them the ability to intelligently decide the action to be taken based on the context. Such a solution will be able to decide whether to allow, block, challenge or flag a particular request/ user. This way, unwanted traffic is kept at bay without affecting business-critical traffic.
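
To make the allow/block/challenge/flag decision concrete, here is an added example, written for this page and not taken from the original article or from AppTrana, that scores clients from ordinary web server access logs. The heuristics (request rate, a honeypot path that is disallowed in robots.txt and never linked, automation user agents, page requests with no asset fetches) and all thresholds are assumptions; the log lines are constructed. The point is the graduated response: weak signals add up, and a challenge is cheaper than a false block.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Heuristic inputs; all of these are assumptions to tune against real traffic.
AUTOMATION_UA = ("python-requests", "curl/", "scrapy", "go-http-client", "wget/")
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".woff2", ".ico")
HONEYPOT_PREFIX = "/robots-trap/"   # Disallowed in robots.txt, linked from nowhere
RATE_LIMIT_RPM = 60


@dataclass
class Client:
    ip: str
    requests: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    static_hits: int = 0
    honeypot_hits: int = 0
    user_agents: Set[str] = field(default_factory=set)

    def rpm(self) -> float:
        span = max((self.last - self.first).total_seconds(), 1.0)
        return self.requests * 60.0 / span


def aggregate(lines: List[str]) -> Dict[str, Client]:
    """Fold raw log lines into one behaviour summary per client address."""
    clients: Dict[str, Client] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(m["time"], TIME_FMT)
        c = clients.setdefault(m["ip"], Client(m["ip"]))
        c.requests += 1
        c.first = ts if c.first is None or ts < c.first else c.first
        c.last = ts if c.last is None or ts > c.last else c.last
        path = m["path"].split("?", 1)[0].lower()
        if path.endswith(STATIC_EXT):
            c.static_hits += 1
        if path.startswith(HONEYPOT_PREFIX):
            c.honeypot_hits += 1
        c.user_agents.add(m["ua"])
    return clients


def score(c: Client) -> Tuple[int, List[str]]:
    """Each signal alone is weak and easy to fake; together they are evidence."""
    points, reasons = 0, []
    if c.rpm() > RATE_LIMIT_RPM:
        points += 3
        reasons.append(f"{c.rpm():.0f} req/min")
    if c.honeypot_hits:
        points += 4
        reasons.append("requested honeypot path")
    if any(ua == "" or ua.lower().startswith(AUTOMATION_UA) for ua in c.user_agents):
        points += 3
        reasons.append("automation or empty user agent")
    if len(c.user_agents) > 3:
        points += 2
        reasons.append("rotating user agents")
    if c.requests >= 5 and c.static_hits == 0:
        points += 2
        reasons.append("pages without assets (headless client)")
    return points, reasons


def decide(points: int) -> str:
    # Graduated response: a JS or CAPTCHA challenge costs less than a false block.
    if points >= 7:
        return "block"
    if points >= 4:
        return "challenge"
    if points >= 2:
        return "flag"
    return "allow"


def classify(lines: List[str]) -> Dict[str, str]:
    return {ip: decide(score(c)[0]) for ip, c in aggregate(lines).items()}


def _log(ip: str, sec: int, path: str, ua: str) -> str:
    # Constructed combined-format line for the sample traffic below.
    return (f'{ip} - - [10/Mar/2023:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    # A person: a page, its assets, another page, spread over a minute.
    _log("203.0.113.5", 0, "/", FIREFOX),
    _log("203.0.113.5", 20, "/static/app.css", FIREFOX),
    _log("203.0.113.5", 21, "/static/app.js", FIREFOX),
    _log("203.0.113.5", 59, "/products/42", FIREFOX),
    # A search crawler: pages only, polite pace. Flagged for review, not blocked;
    # verify the claimed identity (reverse DNS) before allowlisting it.
    *[_log("192.0.2.9", s, p, GOOGLEBOT) for s, p in
      [(0, "/robots.txt"), (7, "/"), (14, "/products"), (21, "/about"), (28, "/contact")]],
    # A price scraper: seven catalogue pages in five seconds plus the trap URL.
    *[_log("198.51.100.7", s, f"/products?page={i}", "python-requests/2.31.0")
      for i, s in enumerate([0, 0, 1, 2, 3, 4, 5], start=1)],
    _log("198.51.100.7", 5, "/robots-trap/prices", "python-requests/2.31.0"),
]

if __name__ == "__main__":
    for ip, c in aggregate(SAMPLE_LOG).items():
        points, reasons = score(c)
        print(f"{ip:15} {decide(points):9} {points:2}  {'; '.join(reasons)}")
```

Note what the sample shows: the scraper is blocked on four independent signals, the person is allowed, and the crawler claiming to be Googlebot is only flagged, because a user agent string is not proof of identity and a wrongly blocked search engine costs more than a second look.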

3. Optimize Business Intelligence and Analytics

By identifying and mitigating bot threats, the bot protection solutions help to ensure that business analytics and intelligence are not skewed. So, you will get the right picture of your visitors and the state of your marketing and advertising campaigns. You can, thus, focus your time and resources on real customers and on engaging & converting real leads.

4. Accelerate Site Performance

Bad bots consume excessive bandwidth and create excessive load on servers. This impacts your website’s performance. By mitigating bad bots, you can accelerate your site’s performance and keep downtimes at bay.

The Way Forward

Malicious bots are everywhere and more sophisticated than ever. Blocking alone is not an efficient, long-term answer to a growing threat; a proactive bot protection approach is needed to move forward.

By choosing a managed, intelligent, and advanced bot mitigation solution like AppTrana, you can ensure multi-layered, real-time protection against all kinds of bad bots. It also offers visibility into the threats to block ongoing attacks.

The post Why Do You Need a Bot Protection Solution for Your Business? appeared first on Cybersecurity Insiders.

Cybersecurity is swiftly evolving and opening the door for new career opportunities. People are transitioning away from traditional computer science careers to work in digital security. However, the sector is facing many challenges in filling open positions.

Professionals must leverage their worth in the cybersecurity field to achieve success. They should improve their confidence levels, education and communication strategies to land high-paying jobs. Employees may feel more appreciated, perform more efficiently and increase their quality of life by attaining competitive positions.

Challenges in the Cybersecurity Field

The cybersecurity sector is facing a huge talent gap. Part of the reason may be that many people are unaware of how important the field is, but there are many jobs for the taking.

Industry professionals predict the field will expand in the near future and open up even more new positions. Currently, low employment rates limit individuals’ abilities to work their way up in the cybersecurity industry.

Another challenge in cybersecurity relates to the ideal education needed to succeed in this sector. Universities just recently established cybersecurity degrees. Individuals holding cybersecurity positions may have varying education backgrounds, from computer science to engineering. They have different levels of training and knowledge, which influences the talent gap.

The talent gap creates inequitable divisions in the industry. People should attain higher education degrees to expand their knowledge and leverage their worth in the field.

Expanding Cybersecurity Knowledge and Credentials

The cybersecurity industry is expanding and supporting different professional sectors. Individuals can increase their chances of finding work by exploring the various opportunities and expanding their knowledge. Engaging in advanced certification programs and gaining new credentials may make them stand out.

Lawyers are investing in cybersecurity to protect their cases and clients’ personal information. Cybersecurity professionals can expand their knowledge of the law, data storage and processing to improve their credentials. Learning about the legal industry can make an applicant more appealing.

They can also study cybersecurity integration in the architectural field. Professionals may protect projects’ endpoints and minimize potential threats with digital security systems. Learning about the architectural industry may increase individuals’ abilities to work in the industry.

Negotiating a Cybersecurity Salary

Professionals should learn how to negotiate higher salaries in cybersecurity. Individuals applying for new digital security positions need confidence and the ability to represent their qualifications.

The first step is for them to determine their worth. They can use Bureau of Labor Statistics information to determine a potential salary range. Individuals may also create a list of three potential salaries before negotiating a contract. They can also outline the skills which set them apart from other workers in the field.

Applicants should strengthen their conversational skills before negotiating their salaries. It’s best to avoid talking about money right away and instead focus on understanding what the employer wants.

They can use phrases like “I’ll entertain any reasonable offer” to defer the conversation. Individuals may mention salary expectations by the end of the meeting when it is time to sign a contract.

Asking for a Promotion in Cybersecurity

Cybersecurity workers who want to be promoted should showcase their skills in the office before asking. They can increase their chances of moving up the ladder by saying yes to new projects.

Cybersecurity professionals may also take independent courses to receive advanced certifications and improve their current work before asking for a promotion. Individuals can plant a seed in their employers’ minds before bringing up the conversation. They may ensure their employers know they are looking to progress in their careers.

Is a Career in Cybersecurity Worth it?

The cybersecurity industry is expanding and creating more job opportunities. Individuals may need to engage in advanced learning programs to succeed in the field. Professionals who work to expand their knowledge can thrive in the industry and attain success.

The post Leveraging Your Worth in Cybersecurity appeared first on Cybersecurity Insiders.

Because of Covid-19 lockdowns, banks across the globe have moved to online banking for most everyday needs. People no longer need to visit a branch in person, since they can take care of most of their account needs through online banking services.

But as soon as the world moved to online banking, cybercriminals gained many new opportunities to exploit users and siphon money from their accounts.

To block such online banking frauds, here are some tips that can help in making your online presence safe and secure.

Often change your password– Make sure the online banking password is at least 12 to 15 characters, mixes letters and numbers with one or two special characters, and is not reused on any other site; a reused password leaked from another service is a common way accounts are taken over. Change it immediately if you suspect it has been exposed. Periodic changes help less than keeping it unique and never reusing it elsewhere.

Avoid using public Wi-Fi– Some people have a habit of using public Wi-Fi in airports and transit stations for their online banking. Remember that such networks are uncontrolled: the router may be compromised or run by a criminal, who can then intercept traffic or redirect users to fake login pages and siphon money from their accounts later.

Always use genuine banking apps– The Internet is filled with fake and malicious websites and applications. Install banking apps only from the bank’s official listing in the platform’s app store, type the bank’s address yourself rather than following links, and enable 2FA for account access.

Beware of phishing and vishing scams– Phishing is online fraud in which attackers use fake copies of company websites to defraud users. For example, they create a login page that looks like a well-known bank’s and send victims a link urging them to update their account details immediately. Because the page looks genuine, the victim never becomes suspicious and hands over the credentials by typing them in. Vishing is the same scam by telephone: attackers call or leave voice messages purporting to be from genuine companies and entice the user to reveal personal information, such as card numbers.

Secure the PC or smartphone with a reputable anti-malware solution, which helps keep banking malware and credential stealers off the device.

Avoid revealing debit or credit card info– Never share debit or credit card PINs or CVV numbers; this data is in high demand on the dark web and is used by criminals to make fraudulent payments.

Hope, the above stated information saves online banking users from all kinds of cyber frauds!

The post Tips to stay safe from online banking frauds appeared first on Cybersecurity Insiders.

The attack surface of organizations is nowadays more complex than ever.

As more and more businesses increase the number of their digital assets and incorporate new technology to operate, they turn their attack surface into an intricate network.

Securing all the systems that include remote employees’ endpoint devices and multi-cloud environments has been a challenge.

Cybersecurity teams also have to keep pace with exposed business intelligence and information, freely available online, that could be used in a cyberattack.

Attack Surface Management (ASM) is the tool that scans for leaked assets that could turn into incidents.

How is ASM used to protect companies and how best to communicate with CEOs and teams in the company to weed out leaked corporate intelligence at its root?

Following Three Phases of the Attack Surface Management

Attack Surface Management has three stages that are continually repeated — discovery, analysis, and mitigation.

The initial discovery phase includes scanning for any digital assets or exploitable corporate intelligence. During the reconnaissance, ASM seeks any shadow IT, leaked credentials, or data available online that could be used for phishing attacks.

To bring the exposed data and assets into the light, the tool acts like a cybercriminal, scanning for vulnerabilities within the organization’s infrastructure as well as intelligence that is available online.

Discovery is followed by analysis of the data revealed during the reconnaissance phase. This stage is all about determining the severity of the business’s exposure.

High-risk findings, such as misconfigurations, are separated from the lower-risk information gathered earlier, and exploitable intelligence is cataloged for a clear overview of the existing assets.

The generated report will reveal the gravity of the risk and which uncovered intelligence and assets should be handled before everything else. Some companies also include an interactive dashboard that shows all the ASM discoveries in one place.

Mitigation is the third stage of ASM. It involves closing the gaps in security and, where a control has proven ineffective, replacing it.

It’s often not possible to remove or retrieve assets that have been exposed on hacking forums, dark web, or the internet.

Teams can focus on strengthening security controls, changing emails and passwords that have been leaked, adding new security tools, and fixing errors such as misconfigured tools.

The three steps are continually repeated and automated for security teams. In that way, ASM takes a lot of legwork from them by scanning the attack surface and highlighting the top high-risk assets that could lead to incidents in the company.
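
An added example, not from the original article or from any vendor tool, of the three phases in code: discovery (scanning constructed paste, repository and forum text for corporate emails, credential pairs, AWS access key IDs and private key blocks), analysis (severity and prioritization) and mitigation (a remediation action per finding). The detectors and action text are assumptions; the sample sources are constructed, and the AWS key is the placeholder value from AWS documentation. Secrets are redacted in the report, because a findings report that reproduces leaked credentials becomes a second leak.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Detectors are assumptions for this example; extend them with your own patterns.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?P<domain>[\w-]+\.[\w.-]+)\b")
# email, separator, secret: the usual combolist layout
PAIR_RE = re.compile(
    r"(?P<email>[\w.+-]+@(?P<domain>[\w-]+\.[\w.-]+))\s*[:|,;]\s*(?P<secret>\S{6,})")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
ACTIONS = {
    "aws_access_key_id": "Deactivate the key in IAM, review CloudTrail for its use, rotate.",
    "private_key_block": "Revoke the matching certificate or authorized key and reissue.",
    "credential_pair": "Force a password reset, revoke sessions, check for reuse on other apps.",
    "corporate_email": "No secret exposed; add to the phishing-awareness watchlist.",
}


@dataclass(frozen=True)
class Finding:
    source: str      # where it was seen: paste id, repo path, forum URL
    line: int
    kind: str
    severity: str
    evidence: str    # redacted excerpt; the report must not re-leak the secret


def redact(secret: str) -> str:
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan(source: str, text: str, org_domains: Set[str]) -> List[Finding]:
    """Discovery: find exploitable intelligence about org_domains in one blob of text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(source, lineno, "aws_access_key_id", "high",
                                    redact(m.group(0))))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(source, lineno, "private_key_block", "high",
                                    "PRIVATE KEY block"))
        paired = set()   # emails already reported as part of a credential pair
        for m in PAIR_RE.finditer(line):
            if m["domain"].lower() in org_domains:
                paired.add(m["email"].lower())
                findings.append(Finding(source, lineno, "credential_pair", "high",
                                        f"{m['email']}:{redact(m['secret'])}"))
        for m in EMAIL_RE.finditer(line):
            email = m.group(0).lower()
            if m["domain"].lower() in org_domains and email not in paired:
                findings.append(Finding(source, lineno, "corporate_email", "low", email))
    return findings


def scan_all(sources: Dict[str, str], org_domains: Set[str]) -> List[Finding]:
    domains = {d.lower() for d in org_domains}
    findings: List[Finding] = []
    for name, text in sources.items():
        findings.extend(scan(name, text, domains))
    return findings


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Analysis: most severe first, stable order within a severity."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.source, f.line))


def report(findings: List[Finding]) -> List[str]:
    """Mitigation: one actionable line per finding, worst first."""
    return [f"[{f.severity:4}] {f.source} line {f.line}: {f.kind} {f.evidence} -> {ACTIONS[f.kind]}"
            for f in prioritize(findings)]


# Constructed sample sources; nothing here is real data.
SAMPLE_SOURCES = {
    "paste:8f3a": "acme corp dump\n"
                  "jdoe@acme.example:Winter2023!\n"
                  "mwhite@acme.example:Summer2022!\n"
                  "someone@othercompany.example:hunter22\n",
    "github:acme-dev/tools/deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                                        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
                                        "CONTACT=ops@acme.example\n",
    "forum:post-991": "Anyone have the ssh key for the build box?\n"
                      "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                      "b3BlbnNzaC1rZXktdjEAAAAA...\n"
                      "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for line in report(scan_all(SAMPLE_SOURCES, {"acme.example"})):
        print(line)
```

Filtering on the organization’s own domains is what turns a generic secret scanner into attack surface management: the third paste line belongs to someone else and is ignored, while the two credential pairs, the access key and the private key are ranked ahead of a bare address, which is exposure rather than an incident. In a real deployment the source texts come from whatever feeds you monitor (paste sites, code hosting, breach dumps, forums), and the loop runs continuously.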

Continuity also helps keep coverage current against the adversary techniques cataloged in the MITRE ATT&CK framework.

Focusing on External Attack Surface Management

Leaked corporate intelligence available online has been a blind spot for firewalls, anti-malware, and endpoint detection and response (EDR).

Therefore, beyond the internal infrastructure and the services that sit on top of it, special attention has to be paid to the data circulating on the network and on the internet.

Sensitive data leaks can lead to breaches that significantly damage a company’s finances and reputation; many companies never recover.

The majority of this data is available online, and teams have been focusing on addressing internet-facing intelligence and assets to discover them before cybercriminals do.

Attack Surface Management has been designed to scour the web for leaked intelligence and includes the discoveries in the generated report that is updated for the latest discoveries.

Discussing Attack Surface Management with Businesses

Companies extensively invest in cybersecurity and understand the repercussions of unsecured data and assets.

One thing that is worth keeping in mind when conversing with board members is that they get a majority of their information about security in magazines that cover breaches and the latest technological developments.

Full coverage and protection of the organization’s attack surface might require broadening the company’s understanding of its major attack vectors, without going too deep into the technicalities.

How should you discuss security with the CEOs and board of directors who hired you to protect their assets?

They want to save on operating costs and ensure that their app is safe enough to be released and that their system doesn’t have vulnerabilities that could lead to expensive data breaches.

Be honest and help them understand that they might need to halt the app release, or invest in cybersecurity training for their employees.

Developing Healthy Cybersecurity Culture

Culprits of leaked data are often employees that don’t know a lot about cybersecurity. Less tech-savvy employees are likely to fall victim to social engineering attacks or reveal their or company’s data to a threat actor accidentally.

While they might have been through some basic training on cybersecurity in theory, they may not recognize they’re creating a security risk in practice.

Even those who recognize that they have put the company at risk are often reluctant to reveal it, for fear of repercussions.

Work on creating a safe space and a security culture that lets them report, without fear, when they may have exposed the company’s assets or clicked a link in a phishing email.

Most employees aren’t responsible for security management in the organization and don’t carry the same responsibility for keeping data safe as the IT and security teams do.

Regardless of that, they still can help with strengthening the security, and they’re likely to be the primary target of social engineering attacks.

To Conclude

Attack Surface Management is a tool that continually scans for digital assets that could lead to damaging cyber breaches and major data loss.

To deal with the issue of unsecured assets, it’s necessary to involve the employees working in the company and to use the right tools to decide on the next steps in security.

Cybersecurity is dynamic and ever-changing, and the accessibility of employee data and possibly leaked data on the web complicates security management.

The post How to Discover Exploitable Intelligence with Attack Surface Management appeared first on Cybersecurity Insiders.

By Gunnar Peterson, CISO, Forter

Earlier this year, cybercriminals infiltrated systems belonging to Okta, an authentication company that thousands of organizations around the world use to manage access to their networks and applications. The threat actor group known as Lapsus$ had access to the laptop of one of Okta’s third-party support engineers for five days, potentially affecting a small number of the company’s customers.

Okta said the access was limited, but that wasn’t even the biggest issue. Cyberattacks are frequent these days; this incident was different because the bad actors cleverly targeted the very tools that so many customers use to restrict network access.

Blue team defenders are used to protecting our data, applications, and users with access controls and other security mechanisms, which is why attacks like this are especially challenging when they target identity and access control systems – the very thing defenders rely on to keep intruders out. Identity is now much more than a glue layer for distributing access. It is a frontline perimeter for defenders. In fact, Microsoft’s CVP and CISO Bret Arsenault summarized the issue perfectly: “Hackers don’t break in, they log in.”

Identity and authentication mechanisms, like multifactor authentication, are commonly used as a first line of defense. However, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning that this technology on its own is failing against sophisticated, evolving cybercriminal groups and tactics.

According to the alert, the exploitations occur after actors gain access to a victim’s on-premises network and then leverage privileged access to subvert mechanisms that grant access to cloud and on-premises resources. They are also compromising administrator credentials to manage cloud resources. Simply put, our adversaries are dynamic and intelligent, and defenders cannot rely solely on static, list-based access control systems. Our access control protection layers need to be backstopped by monitoring systems that can detect malice and continually improve access control quality.

Access control mediates communications between users and the applications and data. But when attackers turn their focus away from the applications and data and onto companies’ identity and access control systems, the job of defending those systems gets considerably more complicated.

To cope with a more targeted malicious environment, access control systems need to adapt to user behavior and types of requests and flows. The protective access control layers must co-evolve with the intelligence gained from the detection layer. And it requires automation to efficiently scale.

Identity and access control systems focus on enforcing authentication and authorization policies. However, detecting malice requires more insight, and technology exists to fill that gap. Identity graphs go beyond the access control matrix to inspect user behavior for token tampering, token forgery, and other tactics, techniques, and procedures (TTPs) that can adversely impact networks through account takeovers and lateral movement. Access to systems should be monitored not only for policy compliance, but also for known malicious behaviors.

Interestingly, an NSA/CISA alert also recommends that cloud tenants pay attention to locking down tenant single sign-on (SSO) configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services. Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services.

If you have a chance to observe a red team attack on your system, you may notice that your access control system probably functions the same during a legitimate log-in as it does when it’s under attack. It shouldn’t. The access control system should be defended by looking for known attack behaviors, and it should step up its posture to meet these challenges. As attacker tactics dramatically increase in frequency and sophistication, defenders must co-evolve and add ongoing malice detection to our identity and access control stacks.
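As an added illustration that is not part of the original post, the following Python detector runs the two behavioural checks the post calls for (SSO token anomalies suggestive of forgery, and service principals used outside their baseline) over a handful of constructed sign-in events. The event fields, the tenant policy values and the principal names are all assumptions made for the example.

```python
"""Behavioural checks over SSO sign-in events (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Timestamps are ISO-8601 UTC.
EVENTS = [
    {"principal": "alice", "kind": "user", "issuer": "idp.example.test",
     "issued": "2022-06-01T09:00:00", "expires": "2022-06-01T10:00:00", "src": "203.0.113.10"},
    # Token lifetime far beyond tenant policy: a classic forged-assertion indicator.
    {"principal": "alice", "kind": "user", "issuer": "idp.example.test",
     "issued": "2022-06-01T09:05:00", "expires": "2022-06-08T09:05:00", "src": "198.51.100.7"},
    # Token presented from an issuer the tenant does not trust.
    {"principal": "bob", "kind": "user", "issuer": "rogue.example.test",
     "issued": "2022-06-01T09:10:00", "expires": "2022-06-01T10:10:00", "src": "203.0.113.11"},
    {"principal": "sp-backup", "kind": "service_principal", "issuer": "idp.example.test",
     "issued": "2022-06-01T02:00:00", "expires": "2022-06-01T03:00:00", "src": "203.0.113.50"},
    # Service principal used from a source address outside its learned baseline.
    {"principal": "sp-backup", "kind": "service_principal", "issuer": "idp.example.test",
     "issued": "2022-06-01T14:00:00", "expires": "2022-06-01T15:00:00", "src": "198.51.100.99"},
]

# Assumed tenant policy: max token lifetime, trusted issuers, and per-service-principal
# source baselines (in practice learned from historical sign-in data).
POLICY = {
    "max_token_lifetime": timedelta(hours=1),
    "trusted_issuers": {"idp.example.test"},
    "sp_baseline_src": {"sp-backup": {"203.0.113.50"}},
}


def _ts(value):
    return datetime.fromisoformat(value)


def find_anomalies(events, policy):
    """Return (event_index, reason) pairs for events that fail a behavioural check.

    These checks sit beside, not instead of, the normal policy decision: an event
    can be fully policy-compliant and still be flagged here.
    """
    findings = []
    for i, e in enumerate(events):
        if e["issuer"] not in policy["trusted_issuers"]:
            findings.append((i, "untrusted_issuer"))
        if _ts(e["expires"]) - _ts(e["issued"]) > policy["max_token_lifetime"]:
            findings.append((i, "token_lifetime_exceeds_policy"))
        if e["kind"] == "service_principal":
            baseline = policy["sp_baseline_src"].get(e["principal"], set())
            if e["src"] not in baseline:
                findings.append((i, "service_principal_new_source"))
    return findings


if __name__ == "__main__":
    for idx, reason in find_anomalies(EVENTS, POLICY):
        print(f"event {idx} ({EVENTS[idx]['principal']}): {reason}")
```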

The post Identity and Access: The Game is the Same – It Just Got Fiercer appeared first on Cybersecurity Insiders.

By Amanda Fennell, CSO and CIO, Relativity

Sophisticated security tools and well-constructed processes can help insulate an organization from the relentless cyberattacks that are part of the digital reality businesses face every day and everywhere. But tools and processes alone are two variables in an incomplete equation. People are the linchpin in any organization’s security posture—and the wildcard. Getting people personally invested in security is how organizations will strengthen their resilience to increasingly insidious threats from cybercriminals seeking a payday and from state actors sowing deliberate chaos. That investment requires shifting attitudes from general awareness of security, which most workers already have, to genuinely caring about it and seeing themselves as a true part of their company’s security defenses.

A human-centric approach to security is one where good tech and creative use of process meet well-trained and empowered employees who are motivated to learn and act. Cultivating real human interest in security, or in any other practice, will never come from a work environment of blame, fear or mistrust, or even from dangling financial incentives once needs are met. So how can organizations truly reach their people and transform their defenses? Consider the following strategies.

Remember That Energy Feeds Energy

First, it’s vital to dig into some basics of the human personality. People respond to energy. Positive, energetic conversation lights up a room (physical or virtual) and acts like a magnet for human interaction. When security professionals direct the same old messages, conveyed in stale ways, to teams across an organization, it can sound like background noise. This doesn’t mean artificial hype is helpful. An energetic posture should be real, engaging and rooted in a security professional’s love of what they do. People will sense that and it’s the first step in keeping their attention—which is a sine qua non condition to make human change happen.

Understand Others’ Context and the “Why” That Makes Sense to Them

Think about an individual on the product marketing team or in engineering, operations, communications or human resources. What’s their typical day like? What tasks are unique to their role? What are their goals? How does security impact what they care about and what their job is focused on? Why does security make sense to them on a daily basis? Discover each “why” that influences employees in different roles. To borrow a concept from marketing, think about personas in a meaningful way and try to understand the exact message that resonates with different audiences.

Considering the full context in which people operate is important when organizations and security teams evaluate whether their fellow employees have the resources, tools, timeframes, and parameters to perform the security functions relevant to their jobs. Security programs must shoulder accountability for setting employees in different roles up for success.

Help People Become Curious About Security with Content That Offers Depth

When security pros have an energetic stance and convey that they understand the context in which people are operating, they are much better positioned to imbue curiosity about security in others. As soon as humans become curious about something, they get invested in it in a different and internally elevated way. Curiosity is a motivator and action-driven in people’s minds. One of the best ways to cultivate curiosity is with content presented well that offers depth and generates questions. Exceptional educators know that it’s a mistake to drone on about basics and not offer thoughtful challenges and problem-solving quests to learners.

Reviewing best practices in a creative way is good, but security programs and training should go beyond this. While exploring phishing examples and best tools to manage passwords, offer to dive into how tools actually work. Share with those who are interested the kind of training provided to security professionals themselves. Have sessions where everyone can “nerd out” and learn the nitty-gritty of how different threats invade systems. Show what a Log4j vulnerability is and how the library is exploited. Don’t be surprised when learning content that goes past the surface and offers depth generates new curiosity and a larger following!

Embrace Learning Management Systems That Enable Microlearning and Self-Service

Effective learning management systems are available that take into account the human attention span. At work, people’s regular job tasks eat up their day. Mobile devices and social media, among other forces, have advanced a kind of rapid and fragmented consumption of information that’s influenced the way we all operate. There’s, of course, still a time and place for lengthier learning and contemplation, especially in one’s own area of expertise, but for people whose work is not security, microlearning can be impactful. Break down traditional, multi-hour training sessions into micro segments—small, short, sharp learning campaigns. A regular cadence of creative lessons, each shared in two minutes or so, that both reinforce and build on other short segments, caters to limited attention spans and helps people retain key messages.

Making sure that steady flow of brief, creative learning content is self-service is also key. People must be able to learn at their own pace and at times that make sense to them in their work. It’s useful to engage with a micro-module on a particular tool when a person actually needs the tool. Otherwise, the material will be quickly forgotten.

Consider Cultural Relativism When Developing Security Training and Programs

Cultural relativism is not an absolute, but a useful concept holding that a person’s beliefs and practices can be understood in the context of that person’s own culture. The U.S. has a cultural zeitgeist focused on individual freedom. Family and honor are a defining feature of Japanese culture. It’s important to balance notions of everyone being on the same page with cultural differences, while not over-generalizing or stereotyping people. But cultural distinctions can impact the effectiveness of learning scenarios and the ways in which we communicate, especially as businesses become increasingly global operations.

With cybersecurity, notions of privacy can be understood with different nuances in different cultures. The rollout of GDPR has demonstrated this, with Europeans leading the standards movement. Being empathetic to cultural differences—and language differences—means better programs and better learning.

Nurture the Trust Dynamic in Security Programs and “Testing”

Many companies engage in simulations of security breaches and testing of employee security behaviors. This can be tricky ground. Security professionals need to nurture a trust dynamic, where they demonstrate respect to their colleagues outside of the security team and are not perceived as condescending or trying to trick others. What precedes a zero-day simulation matters. Create implicit or explicit “permission” to test people. Let them know in advance that testing exercises are about building muscle memory in security processes, not about blame. Building open and respectful relationships prior to simulations goes a long way in keeping trust intact.

Integrate Fogg and Pink Behavioral Theories into Security Programs

The Fogg Behavior Model presents a human equation. Motivation to do a thing, ability to do a thing and a prompt to do a thing, together, will yield a behavior—doing the thing desired! Think about password management. The average person, in their personal and professional life, may be managing as many as 200 application accounts, each with a password. That person may want to have distinct, strong, rotating passwords for each account, and may be requested to do so, but doesn’t have the physical ability to do it. Security professionals can step in and offer the ability, or capability, piece—the tool, a password manager—and show how to use it.

Daniel Pink’s work on motivation in the workplace, drawing on decades of scientific research, is also worth considering. In his seminal book, Drive, he evidenced that high performance at work is the result of three elements that yield true motivation: autonomy (our desire to be self-directed), mastery (the urge to improve our skills) and purpose (the desire to do something meaningful and important). Designing security training with intrinsic motivators in mind yields results.

Is it possible none of these human-focused strategies to bolster security will work with some employees? That punitive measures must be used instead? Maybe, maybe not. Punitive actions aren’t likely to change behavior in a lasting way for employees who fail to meet security standards, and they can backfire by creating resentment. If someone can’t be induced to participate in security, building strong behavioral guardrails around them and keeping the emphasis on organizational protection instead of punishment is probably the best approach. In certain circumstances, anyone, even a security professional, can be hacked.

About Amanda Fennell

Amanda joined the Relativity team in 2018 as CSO and her responsibilities expanded to include the role of CIO in 2021. In her role, Amanda is responsible for championing and directing security strategy in risk management and compliance practices as well as building and supporting Relativity’s information technology. She also hosts Relativity’s Security Sandbox podcast, which explores “the power of people” diving deeper into themes explored in this article about how people are an organization’s greatest security asset.

The post Beyond Awareness: How to Cultivate the Human Side of Security appeared first on Cybersecurity Insiders.