Over the past 12-18 months, there has been a mounting interest in the next generation of IAM systems. The promises of decentralized and self-sovereign identity promote a frictionless user experience, improved privacy controls, and appeal to organizations looking to reduce both costs and risks. How do you get started? Many organizations are just starting their journey to the cloud, so the idea of a decentralized identity may seem too futuristic. In this session, experts from IBM, Pontis Research, PathMaker-Group & SecurIT discuss the value of such a transition and how clients are progressively moving towards it. Learn how use cases like passwordless authentication for law enforcement personnel and digital job credentials are becoming a reality. With the right strategy, the next-generation IAM is closer than you think.
As the business world navigates the ups and downs of today’s economy, a mindset shift is required to maintain cyber resilience. Cybersecurity, often an afterthought in a strong economy, must not be neglected in responding to shifts in the business landscape.
As more companies expand their remote workforce, the number of endpoints with access to corporate resources is proliferating. Hackers are seizing the opportunities this presents: phishing email click rates have risen from around 5 percent to over 40 percent in recent months, according to Forbes.
With a strong cybersecurity mindset and some strategic planning, your company can position itself to survive these new working conditions and build up even more cyber resilience as you adapt. Because cybersecurity professionals are facing formidable adversaries, understanding how hackers think can go a long way in mitigating the threat they pose.
An Unfair Advantage
Security expert Frank Abagnale is one of the foremost experts on the thought processes of threat actors, and he was kind enough to lend his expertise to this piece.
Since the number of successful phishing attacks has skyrocketed, I asked him if this is more a function of hackers stepping up their game, or employees not possessing the right cybersecurity mindset to pay attention.
“It’s both,” he explained. “Any crisis is a perfect backdrop to phishing attacks. At the same time, employees are in a new environment, working from home with more distractions than ever. Add to this stress, cabin fever and anxiety, and you have the perfect phishing storm.”
What makes bad actors so successful, according to experts, is that they take advantage of the human condition. And the human condition is less guarded by security layers today than it has been in quite some time.
“Any fear and anxiety gets people to do things they normally would not do,” said Abagnale.
Take It From the Top
So what can an enterprise do to swim against this foreboding tide? Abagnale insists that vigilance is the key.
“It’s the way to go in normal times and especially now,” he said. “If a link or email sounds too good to be true, it probably is. Don’t rush to fill forms and provide your information to anyone who claims to be the IRS” — or someone who can accelerate your tax return.
But employees can’t be expected to bear the full responsibility of security, or even to recognize established best practices in every scenario. If something is too confusing or complicated and employees don’t know much about it, failure can seem inevitable. Good cybersecurity must be taught in ways that are easy to understand and that include actionable takeaways.
“We must use this time to educate and keep employees alert,” Abagnale asserted. And today, the cybersecurity responsibility elevator operates with only one button and one destination: the C-suite. It therefore falls to chief information security officers (CISOs) and security practitioners to connect the dots and ensure their colleagues understand what they can do to help.
Modern Problems, Modern Solutions
As we continue working, could the altered landscape change Abagnale’s mindset around cybersecurity? Would most of his convictions hold?
“I have been talking and warning executives and companies for over four decades about what criminals do to exploit unsuspecting humans,” he explained. “I now live to see the full effect of it, in a time that is ripe for fraud and deceit. My convictions are more reinforced today than ever. I am more energized to help educate the public about cybercrime and how we move forward to a better and more secure internet.”
Abagnale firmly believes that we must elevate our systems to prepare for the future, and the first piece of advice he would give to any company and security practitioner is to stop using passwords.
“Once you take the secret away from the human user, they cannot give it to the crooks,” he said. “They will not fall prey to keyloggers. It’s time we move forward from a 1960s technology to the 21st century.” Now may just be the time to put into action what Abagnale has been suggesting for years, and the path to a passwordless world may be simpler than you think.
Of course, moving away from passwords is just one aspect of the mindset shift security experts must embrace to bolster their cyber resilience. Don’t just keep cybersecurity and cyber hygiene front of mind; take the opportunity to reevaluate the true efficacy of our fundamental assumptions about security. Drastic changes in the threat landscape will continue to develop as working norms are overhauled, and security measures devised for outdated threats likely won’t serve us in the future — or even the present.
Your First Two Steps to Make Life Harder for Cyber Attackers
If you think like an attacker, you’ll realize that your best approach to securing your critical assets is to assume that you’ll be breached. But what does this mean in practice?
Domestic cyber criminals and nation-state attackers alike are capitalizing on this time of uncertainty – and remote workers are a prime target.
Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, recently spoke at a virtual Aspen Institute event. Ugoretz described the situation best as a “collision of highly motivated cyber threat actors and an increase in opportunities.” In fact, the FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – a massive jump from their normal average of 1,000.
Criminals are taking advantage of “enormously high public interest in information” on COVID-19, the status of government stimulus checks and updates on local community restrictions. Some are setting up fake domains claiming to sell personal protective equipment, masquerading as charities working to raise money for patients or offering fraudulent loans to the financially strained. Times like these present a lucrative opportunity for cyber criminals – and they know it.
A Common Attack Method Shines
Traditional phishing attack methods continue to be a popular first step in the cyber attack chain. With a legitimate-looking email disguising a malicious, virus-spreading link or attachment, the attacker can easily cast their bait. These attacks have come to present an increased threat to businesses – especially now.
In today’s environment, remote workers are increasingly using both personal and corporate devices to access corporate resources. While a company may have made the office computer as secure as it can, if the remote worker logs on with their home laptop, that doesn’t help. Even employer-owned devices may be more vulnerable at home as many workers will be connecting through unsecured Wi-Fi.
Furthermore, with the adjustment to working from home – whether that means setting up a laptop on the kitchen table or working with kids playing in the background – many newly remote workers are not at their most alert, which makes it easy for them to mistakenly click on the wrong link. Clicking on a phishing link gives the cyber attacker a foothold on that person’s workstation; from there they can gain access to the company network to accomplish their goals.
Who’s at Risk?
While there are plenty of nefarious individuals working to cash in on chaos for personal profit, many of today’s campaigns are driven by highly organized nation-state attackers with deep pockets. To help shine a light on some of their methods, the FBI and a group of federal agencies issued a public alert this month – noting that financial institutions and digital currency exchanges are particularly at risk as attackers develop and launch “increasingly sophisticated” malware tools in search of large payouts.
The FBI has also observed a spike in nation-state cryptojacking attacks where attackers compromise victim endpoints and steal computing resources to mine digital currency. Additionally, they warned of ransomware campaigns, some of which demand payment “under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place.”
But the financial sector isn’t the only one at risk. Hospitals and healthcare organizations are “deeply under attack,” explained Ugoretz and her co-presenters. As evidenced by attacks on the World Health Organization (WHO), nation-states are particularly interested in gaining insights on the coronavirus to help inform their country’s own response. These attackers are also homing in on research institutions and biotechnology companies that have publicly touted their work in progressing treatments and a viable vaccine.
Prioritizing the Protection of Privileged Access
Whether targeting healthcare organizations, financial institutions or any number of other companies, there is one common thread. Attackers are looking for sensitive information they can exploit – and they are doing so by compromising endpoints, stealing credentials and escalating privileges in order to access their targets.
While attackers can ultimately accomplish their goals by targeting any endpoint, they often seek out those of privileged users (like system administrators working from home) who have access to sensitive assets and powerful systems. By stealing privileged credentials from these users, attackers can accelerate their efforts. After gaining legitimate access to company systems, attackers appear to be company employees and can move throughout the environment with ease to conduct reconnaissance and siphon off proprietary data.
Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach today. With privileged access, motivated external attackers and malicious insiders alike can access network infrastructure and steal data. Without that access, attackers are severely limited in what they can accomplish.
That’s why protecting the pathway to critical resources with privileged access management (PAM) is so important. Organizations that have a strategy in place to manage and monitor privileged access, as well as detect and respond quickly to threats, are best positioned to defend against today’s targeted threats.
While there is no silver bullet to protect organizations from this surge in criminal activity, prioritizing privilege can dramatically reduce the business impact of an attack.
Privileged accounts and the access they provide represent the largest security vulnerability an organization faces today. These powerful accounts exist in every piece of hardware and software on a network. When employed properly, privileged accounts are used to maintain systems, facilitate automated processes, safeguard sensitive information, and ensure business continuity. But in the wrong hands these accounts can be used to steal sensitive data and cause irreparable damage to the business.
Privileged accounts are exploited in nearly every cyber-attack. Bad actors can use privileged accounts to disable security systems, to take control of critical IT infrastructure, and to gain access to confidential business data and personal information. Organizations face a number of challenges protecting, controlling, and monitoring privileged access including:
• Managing account credentials. Many IT organizations rely on manually intensive, error-prone administrative processes to rotate and update privileged credentials – an inefficient, risky and costly approach.
• Tracking privileged activity. Many enterprises cannot centrally monitor and control privileged sessions, exposing the business to security threats and compliance violations.
• Monitoring and analyzing threats. Many organizations lack comprehensive threat analysis tools and are unable to proactively identify suspicious activities and remediate security incidents.
• Controlling privileged user access. Organizations often struggle to effectively control privileged user access to cloud platforms (IaaS and PaaS), SaaS applications, social media and more, creating compliance risks and operational complexity.
• Protecting Windows domain controllers. Attackers who gain a foothold on a domain controller can exploit weaknesses in the Kerberos authentication protocol to impersonate authorized users and gain access to critical IT resources and confidential data.
Founded in 1999, SecurIT has over 18 years of extensive experience in designing, implementing and maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands, SecurIT offers its customers high-quality consultancy, implementation, management and support services (24/7).
Healthcare is working intensively to help everyone in society in these extraordinary times of the corona crisis. At the same time, criminals abuse the situation by digitally attacking healthcare institutions and healthcare providers, for example by distributing ransomware or sending spam. We find this unbelievable, and we are taking action by joining the Dutch coalition “We Help Hospitals” to protect Dutch healthcare institutions free of charge against digital attacks during the corona crisis.
The COVID-19 virus attacks our immune system. We try to limit the damage as much as possible by taking the correct preventive measures in time. Matters such as face masks, disinfectants, respiratory equipment and the care surrounding them are essential; otherwise the consequences of the pandemic are incalculable.
Just as with COVID-19, there are continuous security attacks that test the immunity of every organization. The right combination of preventive measures can make the difference between a mild flu for your organization and a total lockdown with all its consequences.
As with the COVID-19 virus, security threats are present, and we all know that sooner or later we will be confronted with them.
The question is how well prepared we are. SecurIT is the healthcare provider with years of experience: the doctor you want at your bedside to prevent your organization from ending up in an irreparable emergency.
What we can do for you
| Situation | Why should you bother? | The solution that we could provide |
| --- | --- | --- |
| Working safely from home (for home workers, but also third parties) | The office network is a trusted environment, but what about the home network, home Wi-Fi and unmanaged devices? Offer secure access to the company network and apps. | Secure Remote Access (CyberArk is needed) |
| Prevent security breaches caused by malware/ransomware and attackers who are abusing the coronavirus to hack | Over 80% of ransomware attacks start with someone clicking on a phishing email, and virus scanners do not always detect this. How do you prevent ransomware? | Endpoint Protection & Privileged Account Security |
| Secure password usage (or no password usage at all) | A large majority of successful cyberattacks are due to stolen or compromised passwords. Make sure your employees use strong passwords for all of their work accounts, do not reuse passwords, and use multi-factor authentication (2FA) on all websites, applications and systems that support it. | Password Manager & Multi-factor Authentication |
Do not wait until it is too late, contact us now.*
*If you are a Healthcare organization outside The Netherlands or if you are NOT a healthcare organization at all, please let us know as well, and we’ll check the possibilities with you to help you where we can.
Dear Customer and/or Partner,
The coronavirus (COVID-19) pandemic is affecting people all over the world and forces businesses to take far-reaching health and safety measures. We want to assure you that we remain committed to providing the best possible service despite the challenges we all currently face.
At SecurIT, our people are the heart of our business. This means that we take no risks concerning the health and wellbeing of our people, customers, their families, and society at large. We shall, therefore, fully comply with all relevant measures that we are asked to take by government officials and health experts.
We have taken several measures to minimize the risk of infection with the COVID-19 virus for both our personnel and third parties.
Some of the measures:
· We have closed our offices in Amsterdam and Greenville, and all our employees work from home.
· Our support organization can be contacted as usual.
· All (physical) internal and external meetings and appointments have been canceled. Where possible, we meet and get in touch through electronic means.
We strive to continue to serve our customers as usual and to ensure that the service for your customers will continue optimally.
Take care and stay safe.
In light of recent news surrounding COVID-19, the disease caused by the novel coronavirus, many employees may suddenly need to work from home. If employees can’t access applications and information securely from remote locations, their productivity will decrease and the security of key corporate assets will be at risk. Together with our partner Ping Identity, we are prepared to help IT organizations with the following immediate steps to ensure employees can be productive anywhere in the world.
1. Put multi-factor authentication everywhere
52% of data breaches are due to hacking, and of those, 80% are due to weak or compromised passwords.[1] Multi-factor authentication (MFA) can reduce password risk by 99.9%.[2] Putting MFA everywhere is a no-brainer, especially on VPN connections and for employees who use personal devices (BYOD) when they work from home.
2. Leverage intelligence so that added security doesn’t add friction
As more employees work outside the corporate network, intelligent authentication helps you make better decisions about who should have access to resources. Continuously evaluate risk scores based on user behavior and location to better understand when to grant access, when to step-up authentication or when to deny access—all without impacting employees’ productivity.
3. Being on the network shouldn’t automatically grant access
Organizations enable VPNs for remote access, but this often allows employees to access more than they need. Since 23% of sensitive data breaches are caused by internal employees,[3] someone shouldn’t have access to everything just because they’re on the network. To mitigate risk, enforce least-privileged access and establish Zero Trust security for apps, APIs and data.
4. One password is not only more secure, but it’s also more productive
On average, employees spend 10.93 hours per year entering and resetting passwords.[4] This slows down remote employees as they sign on to applications to get their work done, like collaboration apps for instant messaging and video conferencing. Federated single sign-on (SSO) and self-service password reset give employees back all those hours and let them get back to work. Better yet, strong authentication methods, such as biometrics and FIDO2 keys, can make passwords a thing of the past.
5. Put digital business resources at workers’ fingertips
There’s a streamlined app for just about every business task. But employees may struggle to find all these tools—or just forget to use them now that they’re not in their usual work environment. They may also find them difficult to access, since some are on-prem and some are in the cloud. With a dock for SSO to all digital resources in one place, employees can easily find, access and use apps to get more work done from anywhere.
We want to help you get your work-from-home workforce secure and productive, right now. Get fast, free, cloud SSO and MFA for unlimited apps and unlimited identities.
[1] Verizon 2019 Data Breach Investigations Report
[2] Microsoft Security Intelligence Report, 2018
[3] Forrester Analytics Global Business Technographics Security Survey, 2019
[4] Ponemon 2019 State of Password and Authentication Security Behaviors Report
The trend toward a mobile, distributed workforce, including working from home, has been underway for many years. Unfortunately, sudden events like COVID-19, the disease caused by the coronavirus, can shine a harsh spotlight on the need for a more comprehensive workforce access and productivity solution than many companies currently have in place. Organizations like Google, Microsoft and Amazon have already encouraged employees to work from home. And JPMorgan Chase, as a precautionary measure for contingency planning, asked 10% of its entire workforce to work from home to test its global remote access capabilities.
Working from home is no longer just a perk to offer employees, but a critical alternative to keep your business running.
To fully enable a productive remote workforce, organizations need to make working from home seamless. They need to offer a smooth user experience while making sure that systems and data remain secure. In order to evaluate whether your remote working procedures are effective, here are a few questions to consider:
- Is your organization moving towards an enterprise-wide Zero Trust strategy, or are you still relying on your network as your main security perimeter?
- Does your organization have strong, intelligent authentication mechanisms in place beyond passwords?
- Is your organization prepared for a majority of your workforce to work remotely? Can they use their own devices?
- Can your organization control access beyond the network to the application, data and API layers?
Think Beyond Network Perimeters
For many years, virtual private networks (VPNs) have been the default solution for enabling remote access to work resources. However, the notion that a VPN should legitimize employee access to all of a company’s resources is outdated. In fact, VPNs have been the source of some high-profile hacks and were even the subject of an NSA advisory.
Instead of solely relying on VPNs, organizations need a strong identity foundation. That means implementing Zero Trust principles, where, by default, no network traffic is trusted. Instead, everyone and everything must be verified via centralized authentication services relying on capabilities like single sign-on (SSO) and multi-factor authentication (MFA). By implementing strong, centralized authentication, organizations are less susceptible to the inherent weaknesses of VPNs. In addition, with an identity foundation based on Zero Trust, organizations can control access beyond the network to assets like applications, data and APIs.
Reduce Passwords Wherever Possible
In terms of security, strong authentication becomes even more critical when your employees are working from home. Passwords alone are not enough; it’s time to augment or replace them with smarter, more secure authentication factors. Using other factors can also result in increased productivity. For example, location tracking can be done in the background to continuously verify employees without interrupting their work.
Multi-factor authentication can mitigate many of the security and productivity issues that come with employees accessing critical business resources from home. It does this by layering various combinations of authentication factors:
- Knowledge: Something you know (e.g., password, security questions, etc.)
- Possession: Something you have (e.g., Yubikey, smart card, etc.)
- Biometric: Something you are (e.g., fingerprint with TouchID, facial recognition with FaceID, etc.)
- Behavioral: Something you do (e.g., how you type, hold your phone, etc.).
Leveraging easier, more secure factors than passwords gives enterprises the option of reducing password use or going completely passwordless. To reduce password use, organizations often extend the length of user sessions from days to weeks, only requiring password entry during this extended session when a new device is used to sign on. Organizations can also implement rules around longer sessions, such as only extending session length for users logged in from known locations like a corporate office.
The next stage of maturity is passwordless login, where an alternative factor (fingerprint, authenticator app, security token, etc.) becomes the primary method of authentication. Further down the path of maturity is a bypass of both the username and password in a “zero login” scenario, enabled by storing a cookie on the employee’s device.
When talking about passwordless authentication, we would be remiss if we didn’t also mention Fast Identity Online (FIDO), a global alliance committed to solving the world’s password problem. By design, the FIDO standard for authentication does not allow passwords to be used under any circumstances. FIDO authentication methods include device biometrics, security keys, and Windows Hello, which increase resistance to advanced phishing attacks, password theft and replay attacks for web authentication.
Examine Your BYOD Strategy
Companies that are shifting to remote work out of necessity may not have the budget or time to issue employees trusted, pre-configured corporate devices. Allowing employees to bring their own devices (commonly known as BYOD) is not only a growing trend but perhaps the only option available in the short term. In order to make BYOD a reality and ensure employee productivity, enterprises require central authentication services that can easily integrate with and leverage signals from mobile device management systems (MDMs).
The integration of your user base and applications with your MDM can be accomplished with a strong identity foundation. Ensure that your central authentication services include easy admin setup and quick user adoption. From there you can implement MFA to realize the benefits of user-friendly authentication methods (fingerprint, facial recognition) and contextual identifiers (detecting jailbroken devices, user location).
Implement Smarter, Adaptive Access Policies
Network, password and device security are crucial aspects of employee access, but there’s still more to secure. Organizations may be using outdated web access management tools to manage authorization policies for critical legacy or mainframe applications, but they struggle to secure modern resources like single-page apps (SPAs), mobile apps and SaaS. They also may not be giving enough consideration to securing the data or API layers. Enabling adaptive access security is crucial to ensuring your workforce has the right access without introducing unnecessary friction.
The first step toward adaptive access security is to create a centralized authentication service that can extend across all your resources, whether they live in the cloud or on-premises. Once those centralized authentication and authorization policies are in place, you can introduce fine-grained authorization at the data level and analyze API traffic to learn, detect and block potential threats. But this shouldn’t come at the cost of productivity. Smart policies based on dynamic risk scoring can grant access to a user, require step-up authentication if necessary or deny access altogether.
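As an added example (not SecurIT's or Ping's code), the following Python sketches the access policy that the two passages above describe: the session rules under "Reduce Passwords Wherever Possible" (sessions extended from days to weeks only from known locations, and the primary factor required again whenever a new device signs on) and the dynamic risk scoring here that grants, steps up or denies. The signal names, weights, thresholds, durations and sample sign-ons are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    STEP_UP = "step-up"
    DENY = "deny"


@dataclass(frozen=True)
class SignOn:
    """One sign-on attempt with the contextual signals the policy consumes."""
    user: str
    device_id: str
    location: str
    # Behavioural risk in [0, 1] from an upstream analytics source (assumed).
    behaviour_risk: float


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    known_locations: frozenset


# Assumed policy constants; a real deployment tunes these per environment.
RISK_STEP_UP = 0.4            # at or above: require an additional factor
RISK_DENY = 0.8               # at or above: refuse access
BASE_SESSION = timedelta(days=1)
EXTENDED_SESSION = timedelta(weeks=2)


def risk_score(attempt: SignOn, profile: UserProfile) -> float:
    """Combine device and location novelty with behavioural risk, clamped to [0, 1]."""
    score = attempt.behaviour_risk
    if attempt.device_id not in profile.known_devices:
        score += 0.3
    if attempt.location not in profile.known_locations:
        score += 0.2
    return min(score, 1.0)


def decide(attempt: SignOn, profile: UserProfile) -> Decision:
    """Grant, step up or deny, following the three-way risk policy."""
    score = risk_score(attempt, profile)
    if score >= RISK_DENY:
        return Decision.DENY
    # A new device always has to present the primary factor again, even when
    # the behavioural risk alone would have allowed a silent grant.
    if attempt.device_id not in profile.known_devices or score >= RISK_STEP_UP:
        return Decision.STEP_UP
    return Decision.GRANT


def session_length(attempt: SignOn, profile: UserProfile) -> timedelta:
    """Extend the session only when both the device and the location are known."""
    if (attempt.device_id in profile.known_devices
            and attempt.location in profile.known_locations):
        return EXTENDED_SESSION
    return BASE_SESSION


def evaluate(attempts, profiles):
    """Run the policy over a batch; returns (user, decision, session days) tuples."""
    results = []
    for attempt in attempts:
        profile = profiles[attempt.user]
        decision = decide(attempt, profile)
        days = 0 if decision is Decision.DENY else session_length(attempt, profile).days
        results.append((attempt.user, decision.value, days))
    return results


# Constructed sample data: one user with a known laptop and the office as the
# only known location.
PROFILES = {
    "alice": UserProfile(frozenset({"laptop-1"}), frozenset({"office-amsterdam"})),
}
SAMPLE_ATTEMPTS = [
    SignOn("alice", "laptop-1", "office-amsterdam", 0.1),   # routine office sign-on
    SignOn("alice", "laptop-1", "home-wifi", 0.1),          # known device, new place
    SignOn("alice", "phone-9", "office-amsterdam", 0.1),    # new device at the office
    SignOn("alice", "laptop-1", "office-amsterdam", 0.85),  # anomalous behaviour
    SignOn("alice", "phone-9", "cafe-wifi", 0.4),           # everything unfamiliar
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_ATTEMPTS, PROFILES):
        print(row)
```

The second sample shows the page's rule in action: a known device from a new (home) location is still granted silently, but it only gets the one-day session rather than the two-week one reserved for the corporate office.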
Embrace Identity Intelligence
For a majority of organizations that have embraced the cloud, mobile and “as-a-service” products, the days when the network was the security perimeter are in the past. Organizations need an identity solution that can operate at the speed and scale they’re used to. They also need a solution that can integrate with their existing technology stack and support open standards to future-proof their investments in new technologies.
Identity intelligence enables this vision by connecting all the resources within your enterprise, receiving contextual signals from multiple systems and working across the silos that have grown over time. It’s the ability to ensure secure access without introducing barriers. It serves as the organizational brain that can enforce smart policies with split-second decisions leveraging various sources such as devices, user directories, AI and fraud signals. With intelligent identity in place, your organization can break down the barriers between remote and office work and deliver exceptional employee experiences.
How SecurIT Can Help
Large enterprises in North America and Europe trust SecurIT to enable their remote workforces at scale. They use our intelligent identity solutions to speed up their businesses and allow their employees to get things done, no matter where work happens. SecurIT helps ensure that all of your resources are covered, whatever product you are looking at or for, and we help you get started.
To support organizations in this transition, we’re offering fast, free usage of selected Ping products. For organizations new to Ping, we are offering cloud-based single sign-on and multi-factor authentication. And for existing PingFederate workforce customers, we are offering free multi-factor authentication. These products can be deployed rapidly across unlimited users and applications, keeping your work-from-home employees secure and productive.