Deploying Multifactor Authentication: First Steps in Identity Security

Your enterprise needs to begin deploying a multifactor authentication solution on your network. No compromises. Full stop.

These strong statements come with the backing of mountains of cybersecurity and identity management expert research. As much as enterprises still rely on password-based single-factor authentication, it just doesn’t work. Indeed, hackers specifically target these systems because they represent easy marks. Moreover, single-factor authentication leaves you vulnerable to insider threats or even non-human automated attacks.

But how should your enterprise go about deploying multifactor authentication? Which factors should you employ in your identity security policies? Does step-up authentication make sense for your environment? Can you balance identity management with effective business practices?

We answer these questions below.

Why Single Factor Authentication Doesn’t Work

Oftentimes, cybersecurity inertia causes as much damage as evolving digital threats. Enterprises become comfortable and familiar with their current identity and access management solution. Therefore, they continue to use it even as hackers discover and deploy new methods of subverting or exploiting it.

Unsurprisingly, this applies to single-factor, password-based authentication. For years it served as the foundation of identity management. Only in the past few years have cybersecurity experts and enterprises realized its inherent weaknesses. The latter, though, continue to struggle with the change.

According to researchers, passwords offer very little in terms of actual identity security. Even inexperienced hackers can crack them or purchase software that automates cracking them. Worse, by using publicly available information, such as that found on social media, threat actors can often guess users’ passwords. Distressingly, given the horrible password practices most users embrace, hackers often guess right.

Compounding matters further, users tend to reuse their passwords on multiple accounts, including their work accounts. As a result, any data breach could give threat actors more weapons in their credential stuffing attacks.

Obviously, these facts argue strongly for deploying multifactor authentication yesterday. But how can you do it most effectively?

Why Deploying Multifactor Authentication Matters

The principal rule of thumb regarding authentication is that the more steps there are between access request and access granted, the more secure your enterprise.

Two-factor authentication, therefore, proves much more effective than password-only authentication for exactly this reason. However, more talented threat actors can circumvent the second step in two-factor authentication. In most cases, they can interfere with SMS messaging and trick employees into giving their passwords away without realizing it.

That’s why deploying multifactor authentication, with three, four, five, or more steps, offers so much more identity security in the long term.

Of course, the most dedicated and experienced hackers could subvert your identity security with MFA. However, this would cost them time and effort they could invest in attacking weaker targets; hackers prefer to follow the path of least resistance. Deploying multifactor authentication thus works as cybersecurity protection and as a deterrent.

Here’s how you can get the best identity and access management today.

Get the Right Solution

Deploying multifactor authentication begins with selecting the right IAM or privileged access management (PAM) solution for your enterprise. Privileged access management especially helps protect users’ identities through strong authentication, including your superusers. In fact, many serve as the innovators of MFA factors.

However, not every solution is created equal. Put another way, your distinct business use cases pose unique identity management challenges which not every solution can accommodate. Additionally, the demands of your privileged users naturally differ from those of other enterprises; the number of privileged users, their involvement in your business processes, and what databases they access regularly should affect how you begin deploying multifactor authentication.

Thus, you must select a solution that fits your needs. Don’t skimp on the self-assessment.

Deploy the Right Factors

Multifactor authentication can involve any number of potential factors. These can include:

  • Geofencing.
  • Time of Access Request Monitoring.
  • Physical Biometrics.
  • Behavioral Biometrics.
  • Hard Tokens.
  • SMS Messaging.

This list only scratches the surface of potential multifactor authentication.

However, not every multifactor authentication factor makes sense for every industry or enterprise. For example, SMS text messaging may not offer proper security for more remote workforces; hackers who obtain users’ devices could easily subvert that factor. On the other hand, most mobile devices offer built-in physical biometric readers; this obviously facilitates biometric authentication.

When deploying multifactor authentication, you need to consider what endpoints your users employ in their business processes. Additionally, you need to consider your IT environment and what factors make the most sense for securing it.

What About Step-Up Authentication?

No one disputes the identity security benefits of deploying multifactor authentication. Where enterprise decision-makers tend to balk is the effect MFA has on the user experience.

Indeed, additional steps at the login portal can negatively impact user convenience. In worst-case scenarios, the additional authentication factors can actually inhibit business profits and lengthen response times.

Many cybersecurity experts argue enterprises must sacrifice convenience for true identity security. After all, if your business suffered from the analog equivalent of digital threats, you would probably put up as many checkpoints as possible before granting entry.

Fortunately, step-up authentication offers a means to balance both security and convenience in user authentication. Step-up authentication asks for more authentication factors as the sensitivity of the access requests increases.

For example, a user logs in to the network by inputting only two factors. However, let’s say that the user then wishes to look at a more restricted file. The step-up authentication system asks for a third and possibly fourth factor to verify the user first, even though they have already logged in to the network.

After that, the user requests access to sensitive proprietary data. The system, in turn, asks for more authentication factors, often the most extensive (such as physical biometrics or a hard token).

As you can see, step-up authentication only becomes apparent as users engender further risks. In addition, you can employ step-up authentication only on your privileged accounts, which can do the most damage in the wrong hands.
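The step-up flow described above, sketched as a policy check. This is an added example, not code from the original article or from any IAM product. The tier names, factor counts, freshness windows, resource names and the fail-closed default for unlisted resources are all illustrative assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    NETWORK = 1       # ordinary network login
    RESTRICTED = 2    # a more restricted file
    PROPRIETARY = 3   # sensitive proprietary data


# Factors the article calls the most extensive; treated here as "strong".
STRONG_FACTORS = frozenset({"physical_biometric", "hard_token"})


@dataclass(frozen=True)
class Requirement:
    min_factors: int    # distinct, still-fresh factors needed at this tier
    need_strong: bool   # at least one of STRONG_FACTORS must be among them
    max_age_s: int      # assumed freshness window for a verified factor


# Constructed policy: the tiers follow the article's example; the numbers
# and freshness windows are assumptions made for this sketch.
POLICY = {
    Sensitivity.NETWORK: Requirement(2, False, 8 * 3600),
    Sensitivity.RESTRICTED: Requirement(3, False, 15 * 60),
    Sensitivity.PROPRIETARY: Requirement(4, True, 5 * 60),
}

# Constructed resource catalogue (hypothetical names).
RESOURCES = {
    "intranet/home": Sensitivity.NETWORK,
    "finance/q3-forecast.xlsx": Sensitivity.RESTRICTED,
    "rnd/formula-db": Sensitivity.PROPRIETARY,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing_count: int     # additional factors the user must still verify
    strong_required: bool  # one of those must come from STRONG_FACTORS
    options: tuple         # enrolled factors that can be prompted for


def classify(resource):
    """Unlisted resources fail closed to the most sensitive tier."""
    return RESOURCES.get(resource, Sensitivity.PROPRIETARY)


def evaluate(verified, enrolled, resource, now):
    """Decide whether a session may access a resource or must step up.

    verified: {factor name: unix time it was last verified in this session}
    enrolled: set of factor names the user has registered
    """
    req = POLICY[classify(resource)]
    # A factor only counts if it was verified recently enough for this tier.
    fresh = {f for f, t in verified.items() if 0 <= now - t <= req.max_age_s}
    missing = max(0, req.min_factors - len(fresh))
    strong_required = req.need_strong and not (fresh & STRONG_FACTORS)
    if strong_required and missing == 0:
        missing = 1  # enough factors, but none of them is a strong one
    if missing == 0:
        return Decision(True, 0, False, ())
    pool = enrolled - fresh
    if strong_required and missing == 1:
        pool &= STRONG_FACTORS  # the single remaining prompt must be strong
    # Offer strong factors first, then the rest alphabetically.
    options = tuple(sorted(pool, key=lambda f: (f not in STRONG_FACTORS, f)))
    return Decision(False, missing, strong_required, options)


if __name__ == "__main__":
    now = 1_000_000  # constructed clock value
    enrolled = {"password", "sms", "geofence", "physical_biometric", "hard_token"}
    session = {"password": now - 600, "sms": now - 600}  # logged in 10 min ago
    for res in ("intranet/home", "finance/q3-forecast.xlsx", "rnd/formula-db"):
        print(res, evaluate(session, enrolled, res, now))
```

Because each tier has its own freshness window, factors verified at login can expire for the higher tiers, so a request for proprietary data may prompt again for factors the user already presented.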

Deploying multifactor authentication should become a major concern for your enterprise and a top priority. Now’s not the time to let your identity and access management stagnate. Your enemies never stop innovating. Neither should you.


Customer Identity And Access Management (CIAM) in the Time of Coronavirus

Officials from the Trump administration warn that the era of social distancing might continue for several weeks. Others suggest it could last as long as a year or longer. In either case, online retail and remote customer relations continue to dominate the economic landscape. Additionally, so many businesses have chosen to work from home, forcing all customer relationships to go digital. Therefore, your business needs to consider its customer identity and access management (CIAM) in the time of coronavirus.

After all, we can say with no hyperbole that managing your CIAM during the coronavirus could make or break your business in the coming months. 

What is CIAM?

CIAM functions in a similar manner to more traditional identity and access management (IAM). Both provide identity security to their user bases, defending against credentials abuse and authentication failures. However, whereas IAM works to secure and verify employees and third-parties, CIAM does so for customers. 

Thus, CIAM provides recognizable capabilities such as single sign-on, login authentication protections including multifactor authentication, and session monitoring. Simultaneously, CIAM provides distinct capabilities that traditional IAM would never consider implementing. 

These include social sign-on, which uses social media credentials to log in, and password reset self-service in case customers lose or forget them. Since these capabilities could create security vulnerabilities for employees, you need a secure means to provide them to customers.

Furthermore, CIAM can help create a streamlined and personalized digital experience that benefits customers. Unlike employees, you can’t force customers to jump through hoops to verify their identity; attempts to do so only drive away potential customers. In fact, consumers will often judge a company and its products based on the online experience; they could decide to abandon their carts following a poor digital customer experience.

Finally, CIAM helps enterprises collect information on buying habits and purchasing interests. Thus it can facilitate targeted marketing campaigns and personalized experiences. These solutions can securely store this information so hackers cannot steal and exploit it. 

So CIAM clearly provides benefits to consumer-facing enterprises. Why does it matter so much in the time of coronavirus?

CIAM in the Time of Coronavirus        

According to Marketing Week, 91 percent of brands predict an increase in their use of online services during the coronavirus outbreak. Customer demands on digital marketplaces and retail spaces will put significant pressure on your workflows. 

Additionally, the coronavirus may have an impact similar to what happened with the SARS pandemic of 2003. This pushed more people to embrace digital commerce, which has become a vital aspect of consumer-facing businesses’ bottom lines. Now, they potentially face the same paradigm shift, but on an even larger scale.

CIAM can actually help with scalability, assisting with growing your digital environment to match the newfound demand. It can also, as described above, help collect and store customer identity information which can assist with much-needed personalization. Personalization, after all, can help transform first-time customers into recurring customers.

Perhaps most importantly, CIAM during the coronavirus pandemic fortifies the digital perimeter; it helps keep bad actors out of sensitive databases. Hackers prefer to take advantage of troubled times and crises to facilitate their attacks; several studies indicate that they are exploiting the COVID-19 pandemic to take advantage of people’s fears. 

Moreover, according to Ping Identity, 81 percent of consumers would stop engaging with a brand online after a data breach. Meanwhile, 63 percent of consumers believe companies are responsible for protecting their data. The long-term viability of your business hinges on its ability to fully authenticate its customers.

Posted by Ben Canner in Best Practices


CyberArk provides free subscriptions for Alero

As organizations move quickly to do their part in stopping the spread of COVID-19, people are working remotely more than ever before. At CyberArk we have taken action to protect the health and safety of our global community of customers, partners and employees – including having our employees across the globe work from home.

It’s not always easy for organizations to move to full remote work, especially having to balance productivity and security. Sudden, unexpected changes in the amount of work being done from home affect the workflows of remote users – especially those requiring privileged access – and most of the time, organizations don’t have the ability to properly scale. Additionally, attackers are working to capitalize on people’s fears and desire for information, which underscores the need to safeguard critical systems and assets.

Utilizing technology to overcome these challenges can help make these trying times a bit easier. Whether that’s making greater use of video chat and conference calling or allowing secure access to internal systems from anywhere, technology is helping business to continue with as little disruption as possible.

Recently we launched a new use case for CyberArk Alero to address the needs of all remote users (employees and vendors) by providing secure remote access to critical systems managed by CyberArk.

We’ll be offering qualified customers the use of CyberArk Alero at no cost through the end of May in hopes that it will help ease some of the burden associated with the changing work environment.  There are many ways that we, as individuals and as a company, are working to help our communities during this trying time.  As business continuity plans are being tested, we hope to help organizations keep business running securely while putting the health and safety of all of us first.

The offer
Together with CyberArk, we offer the deployment of Alero free of charge for up to 100 users (until 31 May). The deal also includes free 2-day consultancy to set up this SaaS-based solution. These are necessary to prepare Alero for you and to prepare your IT environment remotely.
 
Conditions
There are some technical preconditions:

  • CyberArk v10.3 or higher is required;
  • Licenses must be assigned to external users.

Learn more
Detailed information about the Alero SaaS solution can be found on the CyberArk website.

If you would like to take advantage of this offer, please contact us. One of our engineers will determine whether your environment is suitable for this. We can set up a plan for the installation in consultation.


How to Secure Your Remote Workforce During The Coronavirus Crisis

It is undeniable; the coronavirus global pandemic has radically changed everyday business processes. Now many enterprises once focused on their physical premises must contend with a remote workforce unlike any they employed previously. How can you secure your remote workforce during the coronavirus crisis? 

Of course, your business may not feel concerned about cybersecurity at this exact moment. Instead, you may believe it a low priority compared to other challenges including the means of communication among your employees, managers, and third-parties. Alternatively, you may emphasize changing your budgets to accommodate the change in workflows over security.

However, cybersecurity must become a top priority for your enterprise. With an increasingly remote workforce, the digital perimeter becomes proportionally porous and dangerous. Also, maintaining necessary visibility becomes an increasing challenge. Further, remote workforces pose new threats to your overall network security if not prevented promptly. Next-gen endpoint security in particular offers enterprises the means to secure your workforce regardless of their location. Moreover, it helps maintain visibility and defends against remote threats. 

Here’s how you can secure your remote workforce during the coronavirus crisis. 

How to Secure Your Remote Workforce in a Critical Time

1. Embrace the VPN

Even during times of crisis, hackers don’t relent. In fact, they embrace chaos and confusion to further their malicious goals. Additionally, hackers have the infrastructure to take advantage of these events since they tend to work from home already. 

In any case, hackers will continue to try their cyber attacks even as your enterprise embraces an increasingly remote workforce. Thus you need to defend yourself against the most common types of infections. In more social times, public Wi-Fi represented one of the most common vectors of attack for remote workforces. However, any unsecured Wi-Fi connection can suffer from the same issues; namely, they don’t provide the necessary layers of encryption for protecting sensitive data as it moves from device to device. 

Thankfully next-generation endpoint security often includes virtual private networks (VPNs). VPNs encrypt data in transit; thus, they ensure that only the sender and recipient can see sensitive data even when sent across unsecured connections. However, your enterprise needs to find the endpoint security and VPN provider that can match your individual use case.

2. Pair Your Endpoint Security with Strong Authentication

To secure your remote workforce during the coronavirus, you need to consider the structure of your digital perimeter. 

The digital perimeter comprises all of your IT entry points, which includes every user and every device. On the user side of things, you need to deploy a strong authentication protocol. Authentication and identity verification ensures that only legitimate users can access your network; therefore, external threat actors can’t enter and insider threats can’t cause damage above their station. 

One aspect of authentication in regards to remote endpoint security involves device identity management. In addition to every user, every device has its own identity and its own baseline behaviors. If an “employee” logs in with a different device, that should merit investigation by your IT security team. Alternatively, if a recognized device gives the right credentials but begins acting in a strange way (like automatically uploading unknown files) that too should merit investigation.

Device identity functions as an endpoint security layer to overall identity and access management policies. Moreover, it can act as a continuous authentication factor in a multifactor authentication policy, helping to weed out hackers posing as your remote workforce. 

One important thing to note when determining how to secure your remote workforce: the more factors, the better. Of course, two-factor authentication (Multifactor authentication/MFA) is better than single-factor authentication, but three or four factors provide even greater assurance. Additionally, factors do not need to be intrusive or upfront at the login stage.

3. Prepare to Secure Every Device of Your Remote Workforce

Many enterprises embrace a bring-your-own-devices (BYOD) culture in their on-premises environment. After all, working off a device they know increases employee productivity and job satisfaction. Yet that doesn’t mean BYOD comes without risk, especially when added to the complication of remote workflows. 

Without proper visibility, you may not know what data is stored on each device. In fact, your employees may not realize the data they have stored on their devices. Thankfully, next-generation endpoint security can enforce Data Loss Protection (DLP) capabilities. This keeps a close eye on your sensitive data, ensuring that it doesn’t leave the network without permission. Also, DLP prevents users from storing enterprise data without permission, especially to notoriously porous public cloud databases.

Looking at the big picture, your endpoint security needs to provide a consistent level of cybersecurity in each device as it connects to your network. Thus you may need a solution that enforces mobile security and mandates that each work-device deploys your selected cybersecurity capabilities before granting access. 

Ultimately, you may never have the power to completely secure your remote workforce. However, you can’t guarantee you secure your on-premise workers either. Every next-generation capability you deploy increases your security and decreases the target on your business. Make sure that you embrace other endpoint security capabilities such as firewalls, antivirus, and application control. Make cybersecurity a priority in the same way you must prioritize your physical health.

Get endpoint security now, before you face a digital threat. Waiting until after a threat occurs only invites more attackers. Make the right call for these difficult times.

Posted by Ben Canner in Best Practices


Hackers are using coronavirus maps to infect your computer

As coronavirus threatens to become a global pandemic, everyone’s keeping a close eye on how it’s spreading across the world. Several organizations have made dashboards to keep track of COVID-19. But now, hackers have found a way to use these dashboards to inject malware into computers.

Shai Alfasi, a security researcher at Reason Labs, found that hackers are using these maps to steal information of users including user names, passwords, credit card numbers, and other info stored in your browser.

Attackers design websites related to coronavirus in order to prompt you to download an application to keep you updated on the situation. This application doesn’t need any installation and shows you a map of how COVID-19 is spreading. However, it is a front for attackers to generate a malicious binary file and install it on your computer.

Just to be clear, these websites pose as genuine maps for tracking coronavirus but have a different URL or different details from the original source.

Currently, the malware only affects Windows machines. But Alfasi expects attackers to work on a new version that might affect other systems too. 

Alfasi noted that this method used malicious software known as AZORult, which was first found in 2016. The software is made to steal data from your computer and infect it with other malware as well. 

The researcher noted that AZORult can steal info from your computer including passwords and cryptocurrencies:

It is used to steal browsing history, cookies, ID/passwords, cryptocurrency and more. It can also download additional malware onto infected machines. AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. 

A new variant of AZORult installs a secret admin account on your computer to perform remote attacks. 

Earlier this month, research from security firm Check Point noted that coronavirus related domains are 50 percent more likely to install malware in your system.

While it’s important to gain information regarding coronavirus, you should only use verified dashboards to keep a tab on it to avoid getting hacked.

Original article is from nextweb.com


Key Industries Most Vulnerable to Cyber Attacks This 2020

Last year was a mess at best in terms of the growing complexity and ubiquity of cybersecurity, and experts estimate that this year won’t be any different.

 The 2020 PWC’s annual CEO survey found that top executives in North America reported cybersecurity as their top concern, with half of the respondents describing “extreme concern” over their cyber vulnerabilities. As the data breaches and attacks become more ubiquitous, with estimates equating to 1 every 5 minutes since GDPR laws came into force, organizations are bracing themselves for 2020’s cybersecurity threats.

 While cybercriminals seldom discriminate, some industries are more vulnerable than others. So, here are five of the most at-risk industries and sectors to cyber attacks and breaches this year:

 Healthcare

 Healthcare organizations continue to be the most exposed industry to cyber attacks this year. Data breaches and ransomware attacks last year alone cost the industry an estimated $4 billion, with the industry accounting for more than four in ten breaches as well. As experts note, it has more to do with the value of healthcare data than the state of security in the industry. Public healthcare institutions are particularly susceptible as criminals target valuable personal data that healthcare providers store and process.

 IT and Telecoms

 With the rollout of 5G, more devices and sensors are expected to be connected to supply chains, communities, organizations, and localities. While this will usher in a new wave of the communication revolution, experts note that it poses new risks to both consumers and businesses. As it’s a switch to all-software networks and a wider bandwidth, high-level hackers can tap into these emerging vulnerabilities and have a larger attack surface to exploit. Meanwhile, the ubiquity of sensors and devices will need a newer and tighter framework for endpoint security across industries.

 Finance

 It’s no surprise that cybercriminals are targeting financial data from the banking and financial sector. In fact, a Clearswift survey in the UK found that more than 70% of financial institutions fell victim to cyberattacks last year. But as institutions and organizations deploy more stringent protocols and protections, some sectors within the industry remain vulnerable. While relatively small in scale, attacks on retirement accounts have enormous stakes. A special report on cyber attacks directed at US 401Ks and retirement plans notes that money wrongfully removed from retirement accounts is difficult to recover. This is becoming more of an issue as more people are putting money into their retirement savings. An article on retirement plans notes that IRA contribution limits reached $6,000 in 2019 while allowing catch-up contributions of an additional $1,000 for those 50 and older. With the plans reaching nearly $6 trillion this year, experts estimate that they’ll increasingly be in the middle of criminal crosshairs, especially as the holders of these accounts are much less likely to be up-to-date on the latest cybersecurity trends and are therefore easier targets.

 Construction

 Phishing remains one of the top attack vectors cyber criminals employ, making the human factor one of the most vulnerable parts of an organization. According to a phishing report, the construction sector is the most at risk among industries in terms of vulnerabilities to phishing attacks. Ransomware and malware directed at construction firms are particularly dangerous as highly confidential plans, blueprints, bids, financial information, and even personally identifiable information (PII) are usually stored within one system. In addition to financial loss, companies subjected to attacks face long-term consequences like lost business and bad press coverage.

 As we enter a new decade, each of the above industries will have to further adapt to the changing cybersecurity landscape to protect their data. With increased connectivity, the danger of a data breach will only increase.

Article authored by Harriet Keery

 Solely for the use of Securit.biz


5 identity priorities for 2020 according to Microsoft Azure—preparing for what’s next

As we reflect over the past decade, it’s remarkable how the digital transformation has reshaped the way people work and how companies do business. Let’s take one example—your users. At one time, “users” meant employees. Users now include partners, customers, even software bots and devices. What started as identity for the workforce is now identity for everyone and everything. The corporate network perimeter has disappeared, making identity the control plane for security that now provides effective access control across all users and digital resources.

This makes identity absolutely critical to the business success of our customers. It’s not only central to security, but also to business transformation. For that reason, we want to share five areas to prioritize in 2020, and one technology to watch as you’re getting ready for what’s next. These priorities are based on many conversations we’ve had while working closely with our customers to re-architect their environments as they digitally transform.

5 identity priorities for 2020

1. Connect all applications and cloud resources to improve access controls and the user experience.

Digital natives are joining the workforce in ever-increasing numbers. They expect to collaborate on any project from anywhere using any app—and they only want to sign in once. Connecting all applications—from popular SaaS applications to on-premises applications and cloud resources—to a single cloud identity service will not only give your users single sign-on (SSO) for a better experience but also improve security.

With Azure Active Directory (Azure AD) as the single control plane for all your apps, you get visibility and adaptive granular access controls across your entire digital estate. You also benefit from the 171 terabytes of data our cloud-scale machine learning algorithms process each day to learn behavioral patterns for each user and application, flag potential attacks and remediate them. For example, to protect users who may be at risk, you can apply simple policies like forced password reset that prevent identity compromise with minimal user disruption.

2. Empower developers to integrate identity into their apps and improve security.

Most organizations are dealing with an explosion of applications, which introduce increasingly complex security and privacy requirements. Integrating with Azure AD improves application security and privacy. But keeping up with the flood of new applications while continuing to manage an already overwhelming portfolio is a big job for Identity admins. They need help.

To be successful, Identity admins need to delegate more to their application development teams. So, we’re making it easy for developers to integrate authentication into their apps with Microsoft Identity Platform and to build data-driven applications and automation with Microsoft Graph. As an added benefit, developers can set up granular permissions that specify minimum necessary privileges for each application, so that it can only access the Microsoft Graph data necessary to complete its tasks.

3. Go passwordless to make security effortless for users.

We all know that passwords are not secure, expensive to manage, and frustrating for users. That’s why over the past two years we’ve been on a mission to eliminate passwords, partnering with the FIDO alliance and leading the charge with our own employees. The time to get ready for a world without passwords is now.

There are so many benefits to passwordless authentication. One of them, as we’ve seen from Microsoft’s own journey, is an 87 percent reduction in hard and soft costs. To help every organization get ready to go passwordless, we offer a variety of methods—from Windows Hello to the Microsoft Authenticator and FIDO2 security keys—which will work across cloud and hybrid environments. And to make it easier to get started, we’ve identified four steps to start planning your rollout based on the experience of our customers and our own IT team.

4. Enable boundaryless collaboration and automated access lifecycle for all users.

Digital collaboration, both inside and outside of organizational boundaries, has increased exponentially. Today, identity supports all your digital relationships, for example, with customers and partners or over two billion Firstline Workers who were previously excluded from the benefits of digital transformation. In the future, it will also power collaboration between people and software bots, microservices, and smart devices.

Effective collaboration requires more than simply connecting all users. It requires giving the right users the right access to the right resources at the right time. With the growth in numbers of users and applications, it’s not possible for IT to know everyone’s access needs. This is where identity governance can help. Cloud-based identity governance automates the access lifecycle through integration with HR systems like SAP Success Factors or Workday and simplifies access decisions for reviewers through the power of machine learning and analytics. It also empowers business users to manage access through access requests and workflows or delegated user management for Firstline Managers.

5. Start your Zero Trust journey to protect your organization as you digitally transform.

The customers we speak with are absolutely clear on one point: with no network perimeter, no boundaries around collaboration, and an explosion of devices and applications, the old security paradigm no longer applies. In this world, Zero Trust is both a worldview and a security strategy. It replaces the assumption that everything behind the corporate firewall is safe with three simple principles: verify explicitly, use least privileged access, and assume breach.

As Microsoft has learned from our own experience, every Zero Trust journey will be unique based on your business priorities, the technologies you already own, and the assets you want to protect. As you build on your existing investments, you can assess your Zero Trust maturity and take practical steps toward an even stronger security posture.


The identity landscape beyond 2020

Looking beyond 2020, many exciting technologies are poised to change the identity landscape. I’d like to highlight one in particular—decentralized identity.

Greater verifiability and privacy with decentralized identity and verifiable claims.

As more transactions and information exchanges take place digitally, it’s essential to verify that people are who they are and that the information they present is accurate. This puts enormous pressure on organizations to validate the data that they collect while keeping it private and secure. It also requires people to put enormous trust in the organizations that steward their identities and collect personal information around them.

Decentralized identity will transform our digital interactions, making every online claim easily verifiable while giving people back control over their data. And it’s not just a concept—it’s real. Through a community effort with the Decentralized Identity Foundation (DIF), we are on the path to a new W3C web standard for verifiable credentials. And we are piloting decentralized identity in partnership with the UK National Health Service, Blackpool Teaching Hospitals, and Truu. Through this pilot, we were able to reduce the time it takes for doctors to validate their credentials from five months to five minutes, helping them spend more time with their patients.

Our commitment for the next decade

In this new decade, as in the last, the business priorities our customers share with us will guide our engineering investments in identity. Our team’s top priority is the reliability and security of the service. Our core innovation principles remain the same:

  • Start with industry-leading security.
  • Build a simple, integrated, and complete identity solution.
  • Support an open and interoperable ecosystem.

Even though each of your identity priorities for 2020 will be unique to your organization’s goals, identity will be a critical part of your business transformation journey. My team is committed to working closely with you to innovate our products, help you design an optimal identity architecture, and quickly roll it out to your organizations. Our plans always start with your feedback, so let us know what you need to stay ahead of what’s next.

About the author

Joy Chik is a Corporate Vice President, Identity Division at Microsoft. She leads engineering for Microsoft’s multi-billion-dollar Identity business that is building greater security and mobility into consumer and enterprise technologies that billions of people rely on every day. Her team is responsible for building all of Microsoft’s identity technologies and services, including Active Directory, Azure Active Directory, which provides end to end identity and access management solutions to secure organizations of all sizes and Microsoft Account (MSA) that secures identities for almost 1 billion consumers around the world. Joy serves on the Board of Trustees for the Anita Borg Institute and on the Board of Directors of Sierra Wireless. She’s active in charities that encourage women and girls to pursue technology careers.


How to Prevent Fraud in your company – Mitigate your risks

Technical malfunctions in the payment chain have a major impact on both consumers and business owners. Fraud occurs in a variety of forms, such as phishing, skimming, shouldering and theft, cash trapping, etc. Many parties are involved in fraud prevention: banks, transaction processors, POS terminal suppliers, brand owners, and also business owners and consumers.  But how can you prevent fraud and reduce your risks?

In 2002 the movie “Catch Me If You Can” came out, putting the story of one of the most notorious conmen, Frank Abagnale, on film, with Leonardo DiCaprio in his shoes. What this movie shows is that social engineering isn’t something new. In one example, Abagnale went to the bank in a pilot suit, with a boost of confidence, and asked the bank cashier to cash a check for him. Cashiers would often oblige because they only saw the pilot. As Abagnale stated: “The difference today is that when I used to pass cheques, 90% was the presentation, 10% was the cheque. Today, it’s the other way round”.

The three (security) lessons from Catch Me If You Can

Catch Me If You Can is an incredible story to see/read. Not only because we see a charming Leonardo DiCaprio, but it also gave us some insights into a real conman. These are three (security) lessons we can learn from Catch Me If You Can:

1. Social engineering isn’t new. It’s about confidence, targeting the right people in the chain to get what you want, and looking legit. Abagnale knew he could pull it off if he looked like he had the authority to cash money he didn’t have. – Luckily, social engineering is beatable. If the cashiers had looked at the details, they would have known something wasn’t right. It’s the same with scammers: if you sense something isn’t right, it usually isn’t.

2. Information is key

Frank Abagnale Jr. impersonated members of some of the most educated professions in America without a fragment of background education. But he had an innate ability to learn quickly and think on his feet, allowing him to mesh well with his highly educated colleagues. It only took him so far: at the end of each of his scams he chose to flee, because the people around him had become suspicious about his real background and education. – For scammers nowadays, it’s just the same. They don’t know a lot, but what they do know about you and about your company lets them learn more, until they can outwit the key person in your company. Moreover, it is really important to educate your colleagues about the risks, because once they are aware, they know which kind of questions they should/could ask to prevent a successful scam.

3. Technology (and policies) can prevent human error.
Last, but not least, technology could have prevented a lot of the problems that Abagnale caused. It wasn’t as sophisticated as it is now, but you could still have seen through Abagnale’s lies. The same goes for policies, or rather, the lack thereof. The only reason Abagnale had the luck to fly all over the world was a policy between airlines (under which pilots could fly for free). If they had checked Abagnale properly (according to policy), he couldn’t even have gotten his hands on a pilot costume. – Again, it’s the same principle for most companies. With the right systems, technology and policies in place, it should be a lot harder to hack or social engineer into your company.

Privileged user accounts are magnets for hackers, fraudsters and auditors!

As mentioned earlier, fraud comes in different sizes. Most of those cybercrimes target privileged user accounts, and in 2019 they resulted in a dazzling estimated US$3.5 billion in losses. Why, you ask? Because a privileged user is someone who has administrative-type access to critical systems. As ‘trusted’ users, they have the most powerful access of anyone within the organization. Often, they are able to carry out a wide range of system administration tasks, such as amending system configurations, installing and/or upgrading software, and changing access for other users. They may even be able to override existing security policies, make unauthorized system changes and access confidential data.

Typical job functions include:
– System / Database Administrators
– Human Resources Staff
– Support Staff

It’s worth mentioning that privileged access rights can also be granted to Service Accounts, such as those which are set up to manage integrations.  Although these accounts are not intended for use by humans, they could be abused by anyone who knows the credentials.

Privileged access increases the risk of fraud

PWC’s 2018 Global Economic Crime and Fraud Survey found that “52% of all frauds are perpetrated by people inside the organization.” That brings us back to lesson number 3. It is therefore vitally important that you implement rigorous risk management policies to protect your organization from the dangers associated with privileged access.

Of course, the natural thing to do is to mitigate these users or exclude them from regular audit reporting requirements by stating they are known or trusted – but that should not be acceptable to your organization and would likely result in a deficiency in your next audit.

As with any mitigation, the objective is to reduce the probability or possibility of an event to an acceptable threshold. So you need to consider your options for mitigating privileged access, the cost vs benefit of each option, and the impacts. Risk mitigation can be costly and time-consuming, but not if you do it right (with a suitable roadmap, the right information, and compatible tooling).

Mitigating risk for privileged users: the 3 main areas to consider

There are three main areas to consider if you’d like to mitigate risk for privileged users. The keywords are Manage, Monitor, and Review. Perhaps, you already have a few of these solutions or even an alternative, but it’s still good to check if it’s in place, or if it’s necessary to put it in place. Let’s take a look:

1.     Manage the risk:

Implement a User Management policy that tracks specifics about privileged user accounts, e.g. effective date, usage type (system admin or integration), vendor company name, the expiry date of the contract, or the date when access should cease pending contract renewal. It’s about documenting the “who, what, when and where” for privileged accounts.

Access Management – people often focus on controlling access to roles, but it’s more important to restrict the privileges within the roles. The roles should be created using a model of least privilege, where users only obtain access to the applications, modules, and data that they need to do their job.

For example, a System Administrator may not require access to business transactional applications in the production environment, provided sufficient support resources are available.

Password Management – passwords for these users should expire more frequently, on a set schedule. They should never be set NOT to expire.

It is also recommended to implement a procedure for joiners/leavers, under which network access is given or taken away. When someone leaves, passwords for service accounts should be changed when possible.

For shared passwords, such as those required for service accounts, passwords should be stored in a third-party password tool or kept in a secure, password-protected location/vault.

2.     Monitor activity:

Maintain an audit trail of changes to critical or master data, such as the address book, vendor / supplier master data and human resources data. Monitoring should consist of capturing before and after results, then reviewing them for unusual activity.

Set up alerts for events such as a high number of password change attempts (for example, more than 5), or a significant period since last sign-on date (for example, over 30 days). This ensures that you can keep an eye on unusual activity.

Segregation of Duties – when access is granted either by a change in a role or the addition of roles to a user, it is critical to check whether this new access causes an SoD conflict.
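The three monitoring checks above (password change attempts, time since last sign-on, and SoD conflicts on role grants) can be run over an audit feed as follows. This is an added example, not part of the original article; the account names, role names, SoD pairs and event format are constructed assumptions, and only the two thresholds come from the text.

```python
from collections import Counter
from datetime import date

# Thresholds are the article's own examples.
MAX_PASSWORD_CHANGE_ATTEMPTS = 5
MAX_DAYS_SINCE_SIGN_ON = 30

# Hypothetical SoD matrix: role pairs that one user must not hold together.
SOD_CONFLICTS = [
    frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RUN"}),
    frozenset({"USER_ADMIN", "GL_JOURNAL_POST"}),
]

# Constructed sample data: privileged accounts and one day of audit events.
ACCOUNTS = {
    "sysadmin01": {"last_sign_on": date(2020, 3, 1), "roles": {"USER_ADMIN"}},
    "dba02": {"last_sign_on": date(2020, 1, 10), "roles": {"DB_ADMIN"}},
    "svc_integration": {"last_sign_on": date(2020, 3, 2),
                        "roles": {"VENDOR_MASTER_MAINT"}},
}
EVENTS = (
    [{"type": "password_change_attempt", "user": "sysadmin01"}] * 6
    + [{"type": "password_change_attempt", "user": "dba02"}] * 5
    + [
        {"type": "role_added", "user": "svc_integration", "role": "AP_PAYMENT_RUN"},
        {"type": "role_added", "user": "dba02", "role": "REPORT_VIEWER"},
    ]
)


def password_change_alerts(events):
    """Users with more than the allowed number of password change attempts."""
    counts = Counter(e["user"] for e in events
                     if e["type"] == "password_change_attempt")
    return sorted(u for u, n in counts.items()
                  if n > MAX_PASSWORD_CHANGE_ATTEMPTS)


def dormant_account_alerts(accounts, today):
    """Accounts whose last sign-on is more than the allowed days ago."""
    return sorted(u for u, a in accounts.items()
                  if (today - a["last_sign_on"]).days > MAX_DAYS_SINCE_SIGN_ON)


def sod_conflicts(current_roles, new_role):
    """Roles already held that conflict with a role about to be granted."""
    return sorted(
        other
        for pair in SOD_CONFLICTS if new_role in pair
        for other in pair - {new_role}
        if other in current_roles
    )


def run_monitoring(accounts, events, today):
    """Return (user, rule, detail) alerts for all three checks."""
    alerts = [(u, "password_change_attempts", f">{MAX_PASSWORD_CHANGE_ATTEMPTS}")
              for u in password_change_alerts(events)]
    alerts += [(u, "dormant_account", f">{MAX_DAYS_SINCE_SIGN_ON} days")
               for u in dormant_account_alerts(accounts, today)]
    for e in events:
        if e["type"] != "role_added":
            continue
        # Compare against the roles held before the grant (no mutation here).
        for other in sod_conflicts(accounts[e["user"]]["roles"], e["role"]):
            alerts.append((e["user"], "sod_conflict", f"{e['role']} + {other}"))
    return alerts


if __name__ == "__main__":
    for alert in run_monitoring(ACCOUNTS, EVENTS, today=date(2020, 3, 3)):
        print(alert)
```

Note that exactly 5 attempts does not alert, because the text's example threshold is "more than 5".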

3.     Review

User Access Review – conduct a review of privileged users on a more frequent basis than business users. It is recommended to do this monthly.

Vendor Review – in conjunction with your User Access Review, you should also check the status of ERP access granted to any vendor employees who work with your organization.

Ask your vendors to regularly supply a list of their employees who are assigned to your account.  Check for the spelling of names/name changes, job titles/position changes, and employment status, so that you can remove any redundant access for people who no longer work for them.

Service Accounts – ask for updates/status reports on the usage of these accounts. Ensure that usage is documented and updated regularly.

Passwords – review and set a schedule for when service account passwords should be changed (note that this may require system downtime). Require evidence of execution.

Terminate redundant access – revoke access when it’s no longer required. Institute an immediate termination policy and require evidence of execution.
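A periodic review can be driven directly from the privileged-account register described under "Manage the risk" and the employee list requested from vendors under "Review". The sketch below is an added example, not part of the original article; the register fields, account names, vendor name and finding labels are constructed assumptions.

```python
from datetime import date

# Constructed register of privileged accounts, using the attributes the
# article says to track (usage type, vendor, date when access should cease).
REGISTER = [
    {"account": "jdoe_adm", "holder": "Jane Doe", "usage": "system admin",
     "vendor": "Acme Consulting", "access_ends": date(2020, 6, 30),
     "password_expires": True},
    {"account": "rsmith_adm", "holder": "Rob Smith", "usage": "system admin",
     "vendor": "Acme Consulting", "access_ends": date(2020, 1, 31),
     "password_expires": True},
    {"account": "mlee_adm", "holder": "Mia Lee", "usage": "system admin",
     "vendor": "Acme Consulting", "access_ends": date(2020, 12, 31),
     "password_expires": True},
    {"account": "svc_edi", "holder": None, "usage": "integration",
     "vendor": None, "access_ends": None, "password_expires": False},
]

# Constructed roster as supplied by the vendor: employee name -> status.
VENDOR_ROSTERS = {
    "Acme Consulting": {"JANE DOE": "active", "Mia Lee": "left"},
}


def normalize(name):
    """Case- and whitespace-insensitive form so spelling variants match."""
    return " ".join(name.split()).casefold()


def review_privileged_accounts(register, vendor_rosters, today):
    """Return {account: [findings]} for every account that needs action."""
    findings = {}
    for row in register:
        issues = []
        # Passwords for privileged users must never be set not to expire.
        if not row["password_expires"]:
            issues.append("password_never_expires")
        # Access past its documented end date is redundant: terminate it.
        if row["access_ends"] is not None and row["access_ends"] < today:
            issues.append("access_end_date_passed")
        # Vendor staff must appear as active on the vendor's own list.
        if row["vendor"] is not None:
            roster = {normalize(n): status for n, status
                      in vendor_rosters.get(row["vendor"], {}).items()}
            status = roster.get(normalize(row["holder"]))
            if status is None:
                issues.append("not_on_vendor_roster")
            elif status != "active":
                issues.append("vendor_reports_" + status)
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    result = review_privileged_accounts(REGISTER, VENDOR_ROSTERS,
                                        today=date(2020, 3, 3))
    for account, issues in result.items():
        print(account, issues)
```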

Hopefully, this article gave you some useful insights and encouraged you to clamp down on privileged access to your ERP system. Keep in mind, some of the largest data breaches were carried out by insiders with administrative access, such as Edward Snowden.


FBI: Cybercrime losses tripled over the last 5 years

On the upside, the Bureau recovered more than US$300 million in funds lost to online scams last year

In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau’s annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.

Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.

Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.

Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; the under-twenties accounted for “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.

Seniors are often the targets of romance, tech support, government impersonation, and lottery scams. Victims of these schemes were defrauded out of over US$835 million. Romance and confidence fraud alone accounts for almost half a billion dollars in losses, with the FBI estimating that up to 30% of romance fraud victims had been used as money mules.

Tech support fraud remains a growing problem as scammers attempt to defraud their victims by contacting them under the pretense of resolving a non-existing technical issue with their software licenses or bank accounts.

Recently, however, scammers have started impersonating representatives of well-known travel companies, financial institutions or virtual currency exchanges. Tech support fraud has claimed approximately US$54 million in losses in 2019, a 40% increase compared to the previous year, with most victims falling into the over-60 age category.

Meanwhile, losses emanating from ransomware reached around US$9 billion, almost triple the losses incurred in 2018. The number of reported victims also rose to about 2,000, compared to 1,500 in 2018. While phishing was still the most widespread problem, claiming 114,072 victims last year, non-payment and non-delivery scams came in second with 61,832 victims, about half that number.

Not to end on a bleak note, the FBI’s Recovery Asset Team (RAT) helped retrieve almost US$305 million lost in scams, giving it a 79% return rate of reported losses.

This article originates from welivesecurity.com


Cyberthreats are hard to defend against, but it isn’t impossible. One of the solutions you could work with is privileged access management, where you’ll be able to protect your organization and your employees. Learn more about PAM in our free whitepaper!


Cybersecurity: Awareness is Only the First Step

European Cyber Security Month (ESCM) is an annual campaign designed to raise awareness of the myriad of threats individuals and organisations face in today’s ever more connected world.

Whether it be malicious hacking, malware, espionage or data loss, we are more at risk of becoming victims of cybercrime than ever before. This trend is only set to increase exponentially into the future. 

The end goal of ESCM is not only to raise awareness of cybersecurity issues, but to also promote best practice, provide access to the resources required to fight cybercrime and, of course, to educate users and decision-makers about the risks they face.

While bringing awareness to an issue is important, one month of highlighting cyber security issues just isn’t enough. Hackers operate 24 hours a day, 365 days a year and it would be foolhardy not to ensure your cybersecurity protocols operate to the same timeframe.

The ever-growing threat

When national security, personal safety and business continuity are at stake, everyone should not only be aware of the threat, they should be taking action. Society believes in this when it comes to environmental and physical threats, so why are we so disengaged when it comes to cyber security?

Cyber security doesn’t just affect a person, but everyone around them. And in the globally connected world we live in, that literally is everyone. Infected devices have a way of infecting other devices, and compromised systems can make everyone vulnerable. So cyber security isn’t just about protecting you – it’s about protecting all of us.

The National Cyber Security Centre recently revealed that it has handled 658 attacks on 900 organisations, including schools, airports and emergency services, and said the attacks pose ‘strategic national security threats to the UK’. The spread of cyber-attacks should come as no surprise. The number of internet-enabled devices is skyrocketing. Already, there are seven billion internet-connected devices globally, and that number will more than triple to over 21 billion by 2025, IoT Analytics predicts. Thanks to the Internet of Things there is now web-enabled software in everything from planes to fridge-freezers. In an era where espresso machines have IP addresses and speakers are connected to the internet, a lot of effort is required to keep safe.

The threat is very real, and very immediate. And where the attacks are coming from is a cause for serious concern.

Increased sophistication

Gone are the days when the only concern was the lone attacker wearing a hoodie in his bedroom. While that stereotype might have been true over 20 years ago, organised criminal gangs quickly got in on the action, stealing credit card details and testing the IT structures of retail banks to their very limits. More recently, ‘hacktivists’ like Wikileaks have tried to expose the malpractices and secrets of big businesses and powerful governments. And in the last few years, state-sponsored attacks have been ever increasing, with accusations of foreign meddling in domestic elections (US, France, Brexit) a massive concern. The transition from the teenager’s bedroom to the upper echelons of power has been frighteningly quick.

It is imperative that we move from a state of apathy to a state of national readiness when it comes to cyber threats. Cyber-attacks are getting more sophisticated, and are having real life consequences for nations, organisations and citizens. The fightback must begin.

The steps we must all take


Businesses need to own their IT. “Owning” your digital profile means taking stock of the apps, appliances and other IoT devices that hold and use personal and corporate data on a daily basis. Solutions which use things like data encryption provide visibility into and security for complex, interconnected IoT systems. They also help ensure devices are authenticated and data/control information is free from tampering.

Only after building a complete picture of your personal and organisational cyber landscape can you begin securing it.  95 per cent of successful attacks on enterprise networks result from spear phishing scams. Identifying a phishing attempt is the first step: always check the actual email and web addresses when you receive an email of which you are unsure. On a technological level, the use of multi-factor authentication and dynamic security policies can mitigate even successful phishing attacks.

The most important thing to remember about cybercriminals is that more often than not they rely on human error to gain access to systems. Continued employee awareness training can help strengthen cybersecurity defences by lowering the risks associated with human error.

Businesses can also make sure strong security processes are in place, including ensuring employees use strong passwords, and that they are changed regularly. Yes, Password123456 – I’m looking at you. 

Keep your software updated to the latest version available because updates often include fixes for disclosed vulnerabilities. Also be wary of public WiFi, especially when connecting in new locations – hotels and other public spaces are common targets for cybercriminals due to their unsecured networks.

And this isn’t only for the grown ups’ table. Just as we teach our kids to lock up their bikes, parents and teachers need to remind children to protect their phones and other devices with passwords. And children need to know that some things in life need to be kept secret!

Stop. Think. Connect.

The organisations behind National Cyber Security Month remind people to Stop. Think. Connect:

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer (and other devices). 

In a world where cybercrime is to be expected, it is high time we ensure security at all times, not just when awareness is at a peak.


Campbell Murray is Global Head at BlackBerry. Today’s BlackBerry is a software company with a standard of security for managing the network of mobile and wearable devices, desktops and laptops, and other endpoints within enterprises. In addition to developing and providing applications, our BlackBerry Secure platform enables enterprises and independent developers to create applications for smartphones, medical devices, connected cars, consumer appliances and industrial machinery, and much more.

Original post is from Technative

