October is National Cybersecurity Awareness Month, which is focused on teaching individuals steps they can take to protect themselves online. We’re presenting lots of material for users this month but, as I was looking at CISA’s recommendations, it occurred to me that these topics are still as timely for organizations as they are for individuals.
The four recommendations are:
- Use strong passwords and a password manager
- Turn on multifactor authentication (MFA)
- Recognize and report phishing
- Update software
These are valuable recommendations no matter who you are; however, based on my own experience and the telemetry we see at Orca, they are definitely areas in which organizations still struggle.
Use Strong Passwords and a Password Manager
I don’t think I’m being hyperbolic if I write that passwords are one of the weakest points of any enterprise security program. Typically, there’s only so much that we can do to encourage strong password usage but I think there are other best practices that help.
Password complexity isn’t a cure-all by any means but it does make it harder for an attacker to compromise a user. I’ve investigated more than one incident where a company had a different, or no, password complexity policy for the C-suite than for regular users because executives complained that it was too difficult to remember passwords. It won’t surprise you, reader, that these were the users who were compromised.
Find a password complexity policy that makes it reasonably difficult to guess a password while not inconveniencing users too much and stick to it. And, if it makes sense, investigate passwordless approaches like FIDO2.
It seems depressingly common for helpdesks to use a common value for new passwords when a user requests a password reset. I worked with an organization where passwords were reset to a value that was just the season and the year – “Spring2023”, “Summer2023”, “Autumn2023” – and users weren’t required to reset the password on the next login. This led to a situation where, once an attacker understood the pattern, they were able to compromise quite a few accounts quickly.
Additionally, there have been high profile incidents where an attacker abused password resets to gain access to an account through social engineering.
Some ideas to manage this:
- Use self-service password resets if available. This will ensure that every new password is unique.
- Use unique passwords if an automated, self-service approach isn’t possible.
- Require users to reset their password on the next logon.
- Notify the user’s manager of the password reset so that they can verify that the user requested the reset.
Enforce Single Sign-on (SSO) Everywhere
I’m surprised, in 2023, how many SaaS applications I have to use professionally where, instead of using my corporate identity, I have to create another account with another password. Even with a password manager, this creates complexity for the user and makes it harder for security teams to effectively monitor who is accessing what, when, from where. These additional accounts may or may not support additional protections like MFA, too.
There are a lot of benefits to using SSO for every platform that your users access. It allows centralized control over access to 3rd party applications, typically simplifying the process of provisioning access to those applications. It also ensures that you have centralized logging for all of that access and leverages the protections, such as anomaly detection, in your identity provider. Finally, it enables you to act quickly, changing credentials and revoking access as needed if a user is compromised.
Configure (and, hopefully, mandate) SSO in every platform your users access and, if possible, include SSO support in your acquisition process to ensure that you don’t purchase platforms and services that don’t align with your security requirements.
Turn On Multifactor Authentication (MFA)
MFA is a good layer of protection against the compromise of a user’s password. It also, unfortunately, tends to complicate the user experience. For these reasons, I think every organization should be thinking not just about how to enable and enforce MFA but, also, how to do it in a way that is friendly to everybody who has to use it.
Use Context and Risk-Aware Approaches
Not every logon is equal – sometimes, a user is connecting from their corporate laptop at 10am local time on a weekday from the office they work from all the time and, sometimes, they’re connecting from an unknown device in a coffee shop that’s an 18 hour flight from home. Modern identity providers often provide tools to force MFA prompts if a request is particularly anomalous while requiring MFA less frequently, if at all, when the request is clearly normal behavior for the user. And, just as every request isn’t the same, resources are different, too – even if the request is clearly normal behavior, it may be worth forcing MFA for access to particularly high value assets.
While some factors, like SMS, should probably be off the table, there’s value in providing users with choices in which factor they use. Options like face recognition or fingerprint readers work well for many users while others will be more comfortable with a phone app. Deeply technical users may prefer a hardware token.
Enforce Single Sign-on (SSO) Everywhere
I know that I’m repeating myself but, typically, your work on MFA won’t protect your users if they’re forced to logon somewhere outside of SSO.
Recognize and Report Phishing
Phishers have a never-ending supply of approaches and, unless users are perfectly diligent, it’s likely that at least a few of them will succeed. We need to embrace this reality, focusing on empowering users, detecting campaigns, and being able to respond quickly when the inevitable happens.
One of the reasons that phishing is on the list of suggestions this month is because many users aren’t proficient at spotting phishing attempts. Awareness programs may take the form of training, exercises, and notifications about targeted attacks against your organization – in 2023, I’ve seen high volumes of SMS phishing targeting my peers and recruitment phishing targeting people who would like to work for us, for example. For me, one of the most important components of awareness campaigns is positivity as berating or shaming users for phishing phailures discourages those users from taking the right actions.
As users get better at identifying phishing, they also become one of the security team’s best sensors for new, emerging campaigns. Having a channel for reporting phishing attempts, whether that’s simply sending the e-mail to an analyst team or using an app that automates the process, enables you to catch a campaign and take action to protect less savvy users; for example, if somebody reports one phishing e-mail, it’s possible that the same e-mail is waiting in a dozen other users’ inboxes. Identifying and quarantining those e-mails protects everybody.
This is an area where automation may be useful, too. Automatically triaging the contents of reported phishing lets teams identify the riskiest ones to pass on to analysts & take action on.
While some phishing relies on pure social engineering, other campaigns attempt to take advantage of common or emerging vulnerabilities to compromise the machines that users use. Ensuring that operating systems, browsers, office suites, and other software is up to date reduces the possibility of a phisher successfully exploiting a vulnerability.
If a user does fall victim to a phishing campaign, being able to investigate efficiently is critical. This includes not just being able to determine what data & assets were compromised through that user but whether other users received the same campaign and clicked on links/took other actions.
I wish that it was easy to apply security updates to every machine, everywhere, all the time, quickly. Experience has taught us that’s not a practical goal for most organizations, though. Every organization should have a regular software update cycle and a plan for identifying critical vulnerabilities that represent elevated risk.
Identify and Update Where Users Interact
I already mentioned this, above, but the software that users interact with directly are frequently the targets of exploits. Make sure that desktop operating systems, browsers, office suites, and other software that users interact with is kept up to date to reduce the potential for a user’s mistake to lead to a compromise.
Identify and Update Public Facing Servers/Services
This is another area where vulnerabilities can be efficiently exploited by attackers. Keeping them up to date is a key step in preventing their compromise.
Even in companies with well-implemented vulnerability management programs, it’s not uncommon to find a server or another asset that has fallen through the cracks. Hopefully, these assets aren’t exposed to the Internet or used interactively but they still represent an outsized opportunity for an attacker.
Make sure you are up to date on new vulnerabilities, particularly severe and easily exploitable ones, in the software and development platforms you use. Plan for how you address something emergent that affects your fleet – for example, if you use Java heavily and there’s an easily exploited vulnerability in a Java component like, say, log4j, know where this component is used in your enterprise and have a plan for updating it efficiently.
Conclusion: Revisit the Basics of Cybersecurity Best Practices
While National Cybersecurity Awareness Month is focused on users, it’s a good time for security professionals to reflect on how we’re doing with the basics. The list of ideas here is hardly comprehensive but, in my experience, no organization is doing all of these things perfectly today.