CyberSecurity Awareness Month: Be Cyber Smart to Phight the Phish

October is CyberSecurity Awareness Month, and the first week’s theme is Be Cyber Smart. We’ll combine it with the second week’s theme of Phight the Phish because the two are necessarily interlinked for organizations that want to prevent breaches.

As the average cost of a cybersecurity breach reaches an eye-watering $4.24 million in 2021, companies are reminded that they either adopt cyber smart practices before it’s too late or suffer the consequences. When company revenue and reputation is at stake, it’s not unlikely for employees responsible for cybersecurity to be fired and in some cases, for boards to replace their C-level executives.

What exactly does it mean to be “cyber smart?”

While there’s no official definition, to be cyber smart is to decrease cybersecurity risks and protect yourself online. It is a continuous process of being aware and educated about the dangers that you or your organization can come across when working online or interacting with the internet.

The underlying assumption is that you or your organization has data or an identity that is valuable or can be misused by bad actors. Being cyber smart is the first step towards prevention and protection against their methods. Because cybersecurity is a combination of applying best practices with knowledge, organizations and individuals that are cyber smart can limit themselves from attack vectors and loose gaps.

Ultimately, cybersecurity is like trying to plug up holes in a dam, except bad actors only need to find that one hole you or your organization didn’t know about to dismantle the entire dam and release the floodwaters. But if you are cyber smart, you become aware of where holes can show up so you can proactively address them. Furthermore, being cyber smart means you can limit the blast radius of a breach by having precautions in place. You do this by limiting the scope and reach of any entry point by requiring additional authentication and authorization verification when the bad actors attempt to move laterally in your infrastructure.

While the process of being cyber smart can seem daunting and varied, there exists two simple best practices that any organization can utilize. These practices act upon the premise of authentication and authorization, the two pillars of access.

1. Limit Phishing With 2-Factor Authorization (2FA)

As Google configures 2FA to be the default status for millions of users, we are reminded of the stark reality that relying on a password to protect our accounts and assets is no longer adequate when login details are constantly being phished for on the internet.

We’ll let the Verizon 2021 Data Breach Investigations Report describe how bad phishing is:

Even in a year as unexpected as 2020, there are some things we can trust to stay the same. Phishing remains one of the top Action varieties in breaches and has done so for the past two years. Not content to rest on its scaly laurels, however, it has utilized quarantine to pump up its frequency to being present in 36% of breaches, (up from 25% last year). This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect.

You or your organization should enable 2FA by default for all internal users because this serves as an extra degree of authentication — the entity attempting to use the login details isn’t just anyone with those login details, but is the person who should have those login details.

A multi-factor authentication system such as 2FA works to authenticate with the principles of increasing context. The contexts that are normally used are:

• Knowledge — something the user would know, such as a password or answer to a question
• Possession — something the user would have, such as a phone or laptop, identified through digital certificates
• Inherence — something the user is (biometrics), such as facial recognition or fingerprints

Context clues are used all the time to confirm things in real life, so it makes sense that we should use them in digital space as well. You wouldn’t trust someone to be a family member if they walked in dressed in that person’s clothes but the voice and face didn’t match, so why would you trust someone who merely has a password?

Google themselves have come on record to say that phishing attempts have evaporated when they began enforcing 2FA systems. 2FA can exist in many forms, though the most common form we see is a code sent to an email (which is still single-factor and can backfire if the email is also compromised, being a skeleton key to all our accounts) or sent to a phone number/authenticator app. At Pomerium, we recommend a hardware-based security key to prevent phishing attacks from compromising your organization’s data and infrastructure in the future.

2. Have A Good System for Internal Access Control and Security

By far the biggest culprits of breaches fall under Privilege Abuse and Data Mishandling, otherwise described by Verizon 2021 Data Breach Investigations Report as:

… the Action varieties that are understood to be so common that, if they were to cause a breach, someone (most likely on a bird website) would say, “That organization should have known better.”

This access provisioning works by authorization — that whoever is trying to gain access to data or infrastructure has the authority to do so. It’s important to remember that the golden rule of cybersecurity is giving the least amount of personnel the least amount of permissions and time necessary to do their job without friction. By applying this holistically across the organization as a whole, businesses can limit the amount of Privilege Abuse and Data Mishandling breaches.

This comes down to your IT Management team having a good internal access control and security platform that allows them to configure and control privileges for internal users, granting authority when necessary and as limited in scope as possible. Employees should have no more access privileges than necessary, and for no longer than necessary to be productive. Access data should be logged and preserved, so that businesses can have relevant logs on hand to monitor for anomalous activity and audit in case of a breach.

3. Zero Trust

After Twitter’s infamous hack of 2020, Damien Kieran, Chief Privacy Officer at Twitter, put it best:

“We had to assume everyone was untrustworthy.”

DAMIEN KIERAN, TWITTER

Either an organization adopts a zero trust policy or the reality of the world forces them to do so. So, what is zero trust?

Zero trust is an architectural concept packed into the heart of good cybersecurity:

• Nothing should be implicitly trusted
• Access should be continuously authorized
• Least-privileged access should always be enforced

As enduring guidelines for authentication and authorization, the concept of zero trust also ties in to Phight the Phish and Being Cyber Smart. At the heart of these cybersecurity issues is the core aspect of “trust” and how it intersects with authentication and authorization.

1. Is this user who they say they are? Because I shouldn’t trust them until I have managed to authenticate anything they claim.
2. Is this user authorized to do this action? Because I shouldn’t allow them until I have managed to verify their authority.
3. Are we giving too much privilege for access? Because if someone has too much privileges, the best case scenario is they won’t use it and the worst case scenario is…they do. The ideal state is that a user has just enough access to do their job — they should be given no more access than that.

These guiding questions double as best practices for all non-face-to-face actions in an increasingly remote-first and internet-based world.

How Pomerium Helps Organizations Stay Secure

Pomerium is an open-source platform for managing secure, identity aware access to applications and services. Organizations can easily deploy Pomerium on top of their existing infrastructure to adopt a cybersecurity first stance over their internal services. IT management teams can easily use Pomerium to provision access and security for all users without sacrificing productivity. Context-aware access is increasingly necessary as the workforce shifts to remote-work and organizations open their internal infrastructure up to the dangers of the internet.

Pomerium provides the following key features for organizations looking to improve their cybersecurity posture. Pomerium ensures that:

1. Every request is authenticated and authorized.
2. Authorization is not all or nothing. Each request is re-validated for the appropriate user identity, device state, and context.
3. Administrators can standardize, manage, and layer in top-level authorization policy to all their applications and services.
4. All activity within the infrastructure can be audited.

Additionally, being an open-source platform has 3 benefits:

1. Transparency: There is nothing to hide in the code. You or your organization can easily audit the source and understand exactly how Pomerium works to deliver the features above.
2. Crowd-audited: Many eyes on the code means bugs are less likely to fall through the gaps and more likely to be found and fixed early.
3. Free-to-use forever: You can immediately try the solution on your infrastructure without needing to pay for it in addition to lifelong updates, as frictionless as you get.

Check out our open-source Github Repository and give Pomerium a try today!