The following guest article is from Edgardo Artusi, SVP of Engineering at identity and access management company SecureAuth.
It's the spooky season, that spellbinding time of the year when little, big and in-between kids turn into monsters, cartoon characters, ghosts, superheroes and the occasional politician to roam the streets for tricks and treats.
But for CISOs and security professionals, it's always spooky season. There is nothing make-believe about their arch-enemies — cybercriminals — who lurk tirelessly in the shadowy background, incessantly concocting ghoulish methods to hack into and penetrate the heart and soul of an enterprise and kidnap its most valuable assets.
They're always out there, not just during Halloween.
Consider this: More than 4.5 billion data records were compromised during the first half of 2018, the equivalent of 291 stolen or exposed records every second, according to digital security company Gemalto's Breach Level Index.
The Verizon 2019 Data Breach Investigations Report (DBIR) offered up some equally scream-worthy insights into just how frightening it is, such as:
Privilege abuse accounted for nearly 80% of all reported incidents.
60% of attacks against web applications involved the compromise of cloud-based email accounts using stolen credentials.
43% of breaches involved a small business.
32% of all breaches involved phishing, which is a cybercriminal's No. 1 technique to breach a system.
29% of all breaches involved stolen credentials.
There are eerie parallels between traditional Halloween characters and the different types of bad actors who prey on enterprise networks and computer systems. Earlier this year, 2.2 billion unique usernames and passwords were available on the Dark Web, Wired called it "a gargantuan, patched-together Frankenstein of rotting personal data."
Introducing the cybercriminal Monster Mash
Dracula seduces targeted victims and sucks data from a system's veins like a spearphisher. Spearphishing attacks arrive as emails that appear to be from someone the recipient knows. Instead they contain malicious links or attachments.
Sometimes, these malfeasant individuals use social engineering, playing "trick or treat" to help themselves to the sweetest prize of all: sensitive professional or personal information.
Similar to spearphishing are "whaling" attacks — or pretexting in the form of a fabricated persona — in which the prey falls victim to money-transfer fraud or blatant data theft. C-level executives are usually the primary target.
The 2019 Verizon DBIR indicates that some form of phishing is involved in 32% of breaches and 78% of cyber-espionage incidents.
These monsters mysteriously change identities and represent insider threats: employees, temporary workers or contractors who have access to an organization's systems and can compromise or steal from systems at will.
Insider threat incidents have risen for the last four years, with 34% such attacks in 2018, according to the most recent Verizon DBIR.
"Arrrrgh!" That's the frustrated reaction of security admins when reminded that millions of credentials have been seized by thieves and then sold on the Dark Web.
These are the cybercriminals who use stolen credentials to quickly get in and out of networks without detection. The 2019 Verizon DBIR noted that 29% of all breaches involved stolen credentials last year.
Infected by worms or viruses, starved for human flesh (in this case, data) and displaying no mercy toward their victims, zombies propagate via malware found in email, documents and on websites to wreak bloody havoc on servers and networks.
Like a zombie, the Mummy is a formerly living human transformed into an unstoppable monster with strength and perseverance, using brute force to gain entrance into networks and systems.
Brute-force attacks in the cybersecurity world take the form of criminals using automated tools to guess various combinations of usernames and passwords until they can force their way in.
How to defend against the monsters and villains
It takes true superheroes — information security professionals — to defend against attacks and protect the business and everyone that connects to it.
One thing they can't do is wait until the sun comes up and hope the creatures will disappear. The spine-chilling truth is that cyberattackers will always be around to instill fear and do harm.
Instead, organizations can do the following:
1. Train your employees
Being aware of common threats and knowing best practices is absolutely essential to maintain safe environments.
But training shouldn't stop once employees have been onboarded. Annual and even semi-annual reminders, assessments and audits of company assets are strongly encouraged.
2. Control access and authentication
Passwords and basic methods of two-factor authentication (2FA) is no longer enough against attackers.
In fact, most security experts — including The National Institute of Standards and Technology (NIST) — agree that attackers can easily circumvent 2FA.
Advanced authentication methods that use invisible risk analysis checks — such as authenticating IP addresses, checking if it is a recognized device and using behavioral analysis — can verify user identities before allowing access.
In addition to providing greater security, it doesn't interfere with the user experience.
3. Consider going passwordless
While passwords aren't dead yet, the low-security measure and hindrance on user productivity and user experience is compelling security professionals to call in the Ghostbusters and take out passwords.
Passwordless authentication is achieved by combining advanced authentication methods: Something you are (a biometric) and something you have (a mobile app) and then combining it with risk analysis checks.
4. Enforce recertifications for privileged assets
Frequent resetting of privileged-access parameters is an effective way to ensure access to the right people.
Every user's identity should be checked and rechecked, which includes examining the way they type, the time of day they're trying to gain access, their IP address, and if their location suddenly changes.
5. Patch and update with vigilance
Pay strict attention to antivirus and patch management. Cybercriminals are always poking around, looking for holes and backdoors.
Halloween is a time for fun — and having fun with scary themes. For enterprises and their security teams, it's also a good time to remember that cybercriminals are always out there haunting you. Avoid attackers' tricks and take your pick of cybersecurity treats.