Locks and Security News: your weekly locks and security industry newsletter
27th September 2023 Issue no. 673
Your industry news - first
Businesses cannot rely on surface-level fixes for their cybersecurity, says MyCena
In mid-March, the Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting how cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain access and compromise user systems. These included not enforcing multifactor authentication, primarily with remote desktop access, the use of vendor-supplied default login usernames and passwords, and the failure to detect and block phishing attempts.
CISA suggested organisations can help strengthen their network defences against commonly exploited practices by adopting a zero-trust security model, which enables users to be assigned only the access rights required to perform their assigned tasks. Access control can limit the actions of malicious cyber actors and reduce the chance of user errors.
However, CISA also stresses the importance of implementing multi-factor authentication (MFA), employing antivirus programs and detection tools, searching for vulnerabilities, and initiating a software and patch management programme. All of these are said to give a higher degree of visibility into endpoint security or otherwise help protect against malicious cyber actors.
Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that these recommendations are simply not enough and that organisations need more than surface-level fixes to prevent cyber-breaches.
“Preventing malicious actors from gaining network access won’t happen through antivirus programs. These are simply temporary fixes that do nothing to correct the fundamental vulnerabilities in how organisations approach their cybersecurity. It’s time for businesses to take control and lead their own cyber resilience, rather than hide their difficulties behind third-party software.”
“We’ve seen earlier this year how MFA can be easily exploited by malicious cyber actors wishing to gain network access. These vulnerabilities are often known and exploited by hackers for months before affected organisations are made aware, posing a significant danger to those whose systems are compromised.”
“MFA is not the solution CISA wants to pretend it is, and enforcing the use of stronger passwords doesn’t stop the problem either. When, according to the 2022 Verizon Data Breach Investigation Report, 82% of network breaches start with a compromised login - whether using stolen credentials or phishing - the difference between ‘123456’ and ‘1&!7A8%9gh3Tio’ is negligible in protecting your network. Hackers don’t ‘hack in’, they simply log in using ‘found’ passwords, be it through social engineering, phishing or even just paying employees for their credentials. Trusting employees to create their own keys is the ultimate problem that CISA should be addressing.”
Whilst O’Toole agrees with CISA’s advice to give role-based access, she explains this does not fix the credentials vulnerabilities. “The root cause of the problem is letting employees create their own passwords. Imagine if CISA let their employees make their own keys to walk into their Arlington facilities just because they have MFA!”
“In reality, they take far more precautions to ensure their systems stay secure, starting with keeping control of their access keys. Likewise, in the digital world, organisations can distribute end-to-end encrypted passwords to their employees to securely access their online systems, one by one, without ever seeing a password. Employees can only gain access to parts of the network for which they have the keys, which means: no key, no access.”
“As passwords stay encrypted from creation, distribution, use, to expiry, employees cannot give away by error a password they don’t know. This solves the problem of human errors leading to credentials compromise, which is the source of 82% of breaches. And contrary to other access management methods, there is no master password or identity to steal, so criminals cannot find a privileged account or single point of access to take control of the network and launch a ransomware attack.”
“Companies should be investing sooner rather than later to stop cybercriminals from gaining access to their systems through credentials. Keeping control of their own encrypted digital keys will protect them from over 4 out of 5 breaches. Without this minimum layer of cybersecurity, all it takes is one employee slip-up to result in a potentially devastating and costly network breach.”
22nd June 2022