Ten years ago, implementing a single firewall per business location was considered an adequate security practice. However, a single firewall is not sufficient in this age of remote and hybrid access where criminals and threat actors actively target your company.

Why?

Because the points of presence (PoPs) for even simple business models have exploded in recent years. No longer is it enough to simply protect a company’s digital perimeter or edge, but managed network security services must now encompass employees, devices, and applications. An organization’s data must be secured, no matter where it lives or how it flows.

In other words, each device must be secured, every application monitored for vulnerabilities, and every employee must become a firewall. As hackers become increasingly sophisticated at targeting your employees and the potential points of attack continue to multiply, organizations must deploy both proactive and reactive managed network security services. Gone are the days when running an antivirus program occasionally was a satisfactory defense technique. Now, businesses must manage a portfolio of security applications and protocols to address the increased risks to your data.

This post will review the best practices of managed network security services through the lens of three security strategies:

• Devices
• Applications
• People

Securing devices

Brought on by the COVID-19 pandemic, the remote and hybrid revolution of the world’s workforces mean that it is no longer sufficient for an employee to work from anywhere; they also want to work from any device. While this is incredibly convenient for remote employees, it is a massive potential problem for security teams. Each device represents a potential vulnerability or weakness in the secure perimeter you need to establish to reduce risk.

Fortunately, managed network security services are evolving to secure mobile devices. Effective risk mitigating strategies include:

• SASE/SSE. Secure access service edge (SASE) and security service edge (SSE) are cloud security solutions that integrate with emerging cloud network tools (Firewall as a Service [FWaaS], SD-WAN, and zero trust networking access [ZTNA] to name a few) to secure access points and PoPs.
• EDR. Endpoint detection response (EDR) is a next-generation suite of antivirus and anti-malware applications that make your devices unattractive targets for criminals. EDR does not rely on user signatures but instead deploys machine learning to notice aberrations in user behaviors. EDR also utilizes more effective tools to contain and defend against malware.
• MDM. Mobile device management (MDM) is a way for organizations to control connected mobile devices. First, businesses enroll the device in the MDM tool and set rules and policies for the device. For example, MDM can turn off the camera function of a device during a sensitive meeting. MDM can also send an application to every MDM-enabled device within an organization. MDM is an emerging technology to allow businesses to secure their employees’ devices en masse.

Learn more: 2023 Strategic Roadmap: The Future of SD-WAN

Securing applications

In many ways, modern businesses are the sum of their data and value-add applications. For example, a Software as a Service (SaaS) company may market and sell applications to its end users. The same company also uses applications for business operations: finances, payroll, HR management, communications, security, etc. As each device represents a potential security breach, so does each application. Additionally, with digital and physical supply chains being more interconnected than ever, the potential for catastrophic damage across entire sectors is a genuine danger. Remember the Log4J vulnerability that was revealed in December of 2021 and the impact that had on virtually every organization.

Businesses can take proactive steps to secure their applications enterprise-wide using managed network security services such as:

• Patch applications. A vital and often overlooked piece of security hygiene is routinely checking for and installing the latest patches for each application. These patches plug security vulnerabilities as they are discovered. An organization should check for new patches at least once a month.
• Vulnerability scanning. This automated test seeks out potential vulnerabilities and creates an actionable report. As a rule, vulnerability scans should be scheduled to run once a month.
• Penetration testing. Often confused with vulnerability scans, a penetration test (pen test for short) is an in-depth, cohesive examination run by actual humans. The goal is to simulate a cyberattack. Unlike a vulnerability scan, pen testing is an investment, ranging anywhere from $15,000 to $70,000. Testing length varies from a couple of days to several weeks depending on the size and scope of the test.
• Security assessments. How do you know what security measures you need to implement to secure your applications? Security assessments advise businesses on what mosquitos to swat (patching and vulnerability scans) versus potentially catastrophic attacks they must prepare for (penetration testing). In addition, security assessments help companies comply with evolving government security and application management regulations. Security consultants like CBTS take a holistic view of the organization, factor in business goals, and deploy solutions with a phased approach.

Learn more: Cloud security controls that help mitigate risk

Securing people

Businesses hoping to attract and retain the best talent know they need to meet the demand for a hybrid workforce. However, it is unfortunate that a vast majority of security breaches come from users falling for a phishing attack rather than a brute-force cyberassault. People are distracted by hectic schedules and responsibilities, and social engineering schemes grow more sophisticated by the day. That’s why it is incredibly vital to generate a culture of security.

Each employee must become a firewall. But what does that actually mean?

Choosing a trusted partner in managed network security services

Choosing which security tools are appropriate for your company’s unique needs is challenging. How do you select not just adequate tools but the best-in-class anti-malware services? How do you deploy those tools effectively without overburdening your IT department while staying on budget?

CBTS uses a consultative approach to discover your company’s needs and to develop a phased plan for instituting the appropriate solutions. Our profoundly experienced team offers a comprehensive security assessment to identify potential vulnerabilities and proactive steps to prevent malware attacks. CBTS managed security services save your IT team time and money by offloading the burden of researching, managing, and updating security tools.

Get in touch with CBTS today to learn how to protect your devices, applications, and people.

Learn more: Watch our Tech Talk replay now

The recent clamor of legislative activity on Capitol Hill contains several common themes as the government branch makes moves to secure the U.S. cyber environment and solidify cybersecurity law.

The most noticeable is a recognition that voluntary action in the cyber and data privacy space is just not working, and that the federal landscape of agencies is just not coordinated well enough to support cybersecurity. This blog will analyze the running themes throughout the effort to craft and enact new cybersecurity law in 2023, and is the second part in a series. You can read part one here.

The current state of government cybersecurity

There are multiple overlapping documents and disjointed systems for detection and reporting, but more important is the recognition that our economy is driven by a complex, interconnected system that exhibits systemic risk. To address that systemic risk, cybersecurity law and data privacy legislation requires covered entities to improve their risk management and governance approaches to increase the visibility of cyber risk at the board and leadership levels.

In tandem with risk management, many of these measures are also defining a minimum baseline of preparatory and protective measures to ensure entities are left with no doubt about what is an acceptable level of preparation and defense, and what is not.

While Executive Order 14028 and the recently released cybersecurity strategy only apply directly to federal agencies, two key measures—the deployment of a zero trust architecture and improvements to the software supply chain (software bill of materials)—will trigger similar actions in the commercial space as this trickles down through contract agreements and establishes new, leading best practices.

Why you should care

Most of us have business priorities that are focused on running or growing the business and must prioritize and re-prioritize our work on a daily, even hourly basis. This makes it easy to place this tide of new cybersecurity law on the back burner.

Here’s a set of reasons why we believe you should take notice and adjust your strategy, priorities, and spending now to become compliant with the ever-changing cybersecurity and data privacy legislation.

The first and most obvious is that if you are a covered entity and required to comply with any of these legislations, it may take some time to implement systems to become compliant. 

Second, as these measures become required in publicly traded financial institutions and for all federal contracts, the expectation level or bar will begin to rise across all industries. Your business partners, and those you sell services to, will adopt similar requirements in their contracts and business dealings. You may even lose business to competitors who appear more secure to the purchasing executives.

Third, and finally, even if you are not directly impacted, cybersecurity law that becomes effective in 2023 will improve the understanding and deployment of leading practices and standards for all covered entities. This hardening process will inevitably make you, as covered entities, more secure and reduce your own commercial risk. 

How secure is secure enough?

The question then becomes, if your enterprise is less secure, will you become easy prey for threat actors? This is the proverbial “I only have to run faster than my colleague to escape the bear” analogy, as threat actors have shown time and time again that they are adept at targeting the least prepared as “easy pickings.”  

Even if you are not directly impacted, you should take note, and re-assess your risk position—as the number of threat actors targeting you could well increase. You should put a cybersecurity improvement program in place now rather than wait for your first incident.

Where can I get more information about cybersecurity law?

During the coming months, we will be analyzing key legislative changes and provide a more detailed view of what they contain, and what actions you may need to take or would be well advised to take as a result. 

Alternatively, we would be happy to discuss these strategies with you in person, informally, or as part of a tailored security assessment and roadmap generation. Contact us today.

This blog post offers a personal opinion and is not intended as legal advice.

What is zero trust?

The term zero trust is becoming more commonplace, with virtually every vendor claiming their products support a zero trust architecture (ZTA) or zero trust network architecture (ZTNA).

Much of the buzz is driven by Executive Order 14028, which tasks the Cybersecurity and Infrastructure Agency (CISA) and other agencies with boosting cybersecurity across industries and protecting software supply chains.

This undertaking involves defining ZTA and demonstrating to security experts that adopting zero trust principles benefits enterprises by significantly reducing the risk and impact of data breaches.

The zero trust philosophy is driven by the need to replace the historical perimeter with an in-depth defense and a more granular model appropriate for today’s hyper-connected world. In other words, rather than the previous “castle-and-moat” defense model, where cybersecurity is “hard on the outside, but soft on the inside,” the ZTA model bolsters internal security to equitable levels with external protection. The benefits of investing in a zero trust framework are transformational for enterprises.

In a zero trust world, all actions require explicit authorization and authentication. You are not granted access just because you are on the corporate network or connected to the corporate VPN. In the virtual data center, mutual TLS protocol is used extensively, all data is encrypted (at rest and in transit), and network access is both segmented and controlled.

Access authorizations are dynamic and based on continuous policy evaluation or risk assessment using contextual information, such as (but not limited to):

• End-user device type.
• Health of the device.
• Data sensitivity.
• The individual.
• Location.
• The current threat environment.

Learn more: Build a strong cybersecurity plan that includes zero trust

The benefits of zero trust

Organizations benefit from adopting zero trust architecture in three broad ways:

1. 1. Reduced risk

   The risk of compromise is greatly reduced by imposing more granular access controls and improving protection and detection capabilities for applications, data, devices, and networks.

   In this model, identity is the new boundary, compared to the historical model of network access controls providing the exterior perimeter. This strategy decreases risk and improves business continuity planning when designed correctly.

2. 2. Improved user experience

   By making applications Internet-accessible, companies can simplify the corporate network architecture and reduce operational expenses.

   Many organizations embark on this change as part of a strategy to depart the corporate data center and move to the Cloud. Like how users can access Gmail, Outlook, or Facebook on a web browser, this “Software-as-a-Service model” lets employees access mission-critical applications online. As an added benefit, employees may work remotely and securely from anywhere in the world with a reliable Internet connection.

3. 3. Increased compliance

   Government regulations are changing, requiring increased security controls that effectively require ZTA for all federal agencies and their subcontractors.

The CBTS ZTNA experience

CBTS operates across domains such as security, enterprise architecture, and product architecture to create a zero trust roadmap for your business. This roadmap is a cohesive strategy that reduces risk and outlines each step in implementing your zero trust framework to achieve maximum benefits.

To achieve this, we have several core offerings that can be tailored to your individual needs. This process guides customers through a phased approach, as described below.

Architecture and planning

This professional service engagement takes the CISA zero trust architecture model and maps function to resources and vendor products. This phase is tailored to maximize the enterprise’s existing investments in IT systems, services, and processes. Additionally, CBTS can include budgetary cost forecasts for all or part of the roadmap implementation.

Implementation services

Our team of professional services engineers and security architects can provide a turnkey implementation or augment your own architects and engineers to guide and assist in the implementation process.

Managed services

Our cloud and security operations teams can support a subset of the vendor offerings required to run a ZTNA delivery model. This includes our managed detection and response (MDR) capabilities, which are often used by smaller clients who cannot afford or do not want to establish a 24x7x365 security operations capability.

Read more: CBTS’ commitment to outstanding IT service delivery drives success

Begin your journey to zero trust with CBTS

At CBTS, we know all enterprises will benefit from a move toward a zero trust architectural and delivery model. The strategic investment reduces cyber risk, improves the end-user experience, and reduces cost and network and infrastructure complexity.

CBTS has over 30 years of experience guiding customers through every aspect of digital strategy. From communications to cloud migration and application modernization to cybersecurity, the experts at CBTS have you covered.

Get in touch to start your journey to zero trust architecture.

Every business has a mission statement, at least every business I have been involved with over the last 30 years. At CBTS, for example, our mission statement is “To deliver unparalleled products, services and experiences to customers, where they work and live.” And to deliver on that mission with the commitment to “Make it simple, do it fast, and do it together.” Delivering on this mission and commitment is ultimately what makes us a profitable and thriving business.

But guess what? Business departments and divisions each have their own mission statements too! And when security and IT departments are tasked with creating a cybersecurity plan that limits and minimizes the risk to the entire organization, commitments to do things “simple, fast and together” don’t sound very secure. So how do you deliver on your mission, whatever it is, and keep the organization and its most valuable assets secure? In business today, security is top of mind for executive leadership. Security threats have advanced and evolved, and attacks by criminals and threat actors have negative implications on the financial strength and brand trust of every company. Even with these threats, we still HAVE to deliver on the mission, whether that mission leads to selling more widgets, saving lives, building more products, providing financial services, or delivering the best entertainment.

What is essential to a strong cybersecurity plan?

Many computer security architectures have evolved to meet these threats. An example of this evolution is zero trust network access (ZTNA), which allows you to design your cybersecurity plan with an architecture that is customized to your business. Each industry and every business in each industry is unique in how they create, sell, and deliver their products, services, and solutions. In turn, the security architecture you design and build for an organization must be customized to fit into the unique structure and culture that makes that particular business successful and secure.

Zero trust security architectures—at the highest level—change the focus from trusting anyone and any device initially, to requiring users and the devices they use, to prove that they are who they say they are. Sometimes this is thought of as “trust no one” on both the internal network and external network. It is a new mindset, or a framework, where an organization grants employees access based on authentication policies only to the company data and resources needed to do their job.

Read up on the fundamentals of a cybersecurity plan for the supply chain: Enhanced supply chain security and optimization through cloud computing

What are the benefits of ZTNA?

There are many use cases where zero trust allows you to balance your business objectives and execute your cybersecurity plan.

The first and most common use case regards remote workers or remote offices. These employees are not directly on the HQ network but still require access to company data and information.

Certainly, customer/client access to company data or systems is becoming a requirement for many businesses as a way to differentiate from the competition. In many cases this information can be sensitive or confidential data that must be secure.

Similarly, giving third parties—like business partners and contractors—access to your network is very common in today’s dynamic business environment. With unemployment at an all-time low, companies are relying on business partners and contractors like never before to provide support and augment staff. How do you make sure that you have provided these trusted third parties the minimum access required to help your business? Using a zero trust framework, you can implement a network that provides access to third parties in a safe and secure manner.

Another common zero trust use case is multi-cloud instances. Increasingly businesses have applications and data across multiple clouds. Implementing zero trust gives users the ability to access resources securely across multiple clouds while providing the organization visibility into their cloud security. Read more about the risks and benefits of moving to the Cloud.

CBTS has the know-how to create a ZTNA-fortified cybersecurity plan

To help you create your cybersecurity plan using a zero trust architecture, CBTS needs to clearly understand specific criteria about your business and confirm fundamental questions about who requires access to information in order for them to contribute to the business. We would need to know what devices are being used to access your company data, like laptops, tablets and smart phones, as well as the network devices utilized, like the routers and switches that enable access. Once we know the business workflows and processes, we can design and implement a zero trust network with the policies for the users and devices to make your organization securely successful.

In today’s active business environment, a cybersecurity plan with a zero trust network is critical to keeping your organization and data secure. Think of the many ways employees, vendors, partners, and clients access information right now. Your customers and partners want to access your data and services whenever and wherever they are. Building a zero trust architecture will help keep your data and information secure. FOCUSING on your business while building a zero trust architecture will secure your assets AND allow you to complete your mission.

Contact our team today to get started on your cybersecurity plan.

When your company starts to think about a digital transformation, they must consider how they will secure the data that is critical to the business. The strategic benefits of a digital transformation can quickly be lost if the data you are storing in the Cloud or on mobile devices is lost, stolen, or compromised.

Just as the move from mainframes to minis to PCs transformed how businesses operated in the 80s and 90s, the opportunity to enhance and upgrade your business using the best technology platform can transform your business and prepare it for exponential growth. At the same time, using the best security technology during a digital transformation ensures that you can focus on that growth and not persistent threats to your data and systems.

What does it mean to go through a digital transformation?

For most companies, digital transformation has three main components—resiliency, scale, and speed to market—and involves re-writing, re-architecting, and re-platforming legacy and traditional applications into cloud-native modern apps. These new applications allow for a mobile-first design that pushes data and security out to the edge device.

A sample of transformative steps a company can take are:

• Transform and move back-office processes to a cloud-hosted solution.
• Shift to a mobile-first philosophy and leverage IoT devices.
• Allow your products or services to be consumed on a subscription basis.
• Move to an agile software development process focused on the customer.
• Permit staff to work from anywhere, on any device.

To ensure success of these steps and the value they can bring, information security must be part of the discussion as key strategic decisions are made. Furthermore, knowing the exact location of the data on which these systems rely can help protect your company’s data and long-term health of the organization.

Digital transformation security will require a culture change

As companies compete with innovative ideas and first-to-market tools, the security team supporting these advances also must adapt and change. However, a sticking point for innovation is the ongoing support of legacy applications. A report by Deloitte in 2020 noted that the average IT department devoted 50% of their budget to maintenance and only 19% to innovation. A 2020 survey conducted by the Ponemon Institute reported that 82% of the respondents believe their organization experienced a data breach because of the company’s digital transformation. Clearly, innovation and security must happen simultaneously.

CIOs investing in a digital transformation strategy know that integrating a new culture of security at the beginning of the digital transformation will create a sound foundation for a transformed company. No single security tool or policy or procedure can protect all the data. What will protect the data is a mindset that says, “I am as responsible for security as much as the CISO is.”

Ultimately, it is all about the data

Before a digital transformation, information security teams could expect to have firewalls at the edge to protect the internal network. All work was conducted on company-owned hardware connecting to the internal network where centralized data centers protected the crown jewels of your data 24×7.

As legacy systems are transformed and updated, however, new security tools and controls are needed to protect and monitor who can access the data and what they can do with it. Accordingly, security tools need to move up the stack with legacy security tools that are focused on the network and host moving up to the application layer to focus on the data. The goal is to protect the data, not the device or the network.

The four must-have modern security areas for your digital transformation security plan

Zero Trust Network Access

Zero Trust Network Access is not a product or an SKU you can buy, but a mindset that starts with the expectation that no device is trusted, and no user is trusted. Instead, trust must be demonstrated and verified before access is granted to an object or system or service. Read more about ZTNA here: https://www.cbts.com/blog/zero-trust-networks/

Third-party risk management

When you move applications to a cloud-hosted solution, you are trusting your data and systems to a third party. You now need to manage the risk that exists with that third party on a regular basis and confirm that the provider you are using has the same, or better, security posture as your own. Learn more about ZTNA: https://www.cbts.com/blog/how-do-you-ensure-the-security-of-your-supply-chain/

IoT device management

During a digital transformation, a myriad of devices will interact with your systems and data. While your transformation will initially focus mobile devices with people making the requests, you also want to design for IoT devices—like Alexa or Siri—and how they can interact with your cloud-hosted applications, and what security concerns arise. See how IoT impacts the medical field: https://www.cbts.com/blog/digital-transformation-in-healthcare-begins-in-the-cloud/

Cloud security controls

As your new cloud-native applications are brought into production, your security team will need to use cloud security controls, like CASB, CSPM, and CWPP. Cloud access security brokers (CASB) are cloud-native security tools that ensure users in your environment can access only the cloud services that they are allowed to access. Cloud security posture management (CSPM) monitors your cloud environment and alerts you when security permissions are not set correctly for a system or data. Cloud Workload Protection Platform (CWPP) is a security tool that makes sure that the applications running in your cloud environment are protected from malware and viruses. Read more about these controls: https://www.cbts.com/blog/cloud-security-controls-mitigate-risk/

In conclusion

Plainly, security must be part of the conversation as you plan your digital transformation. Whatever plan you make, security is at least as important as the reasons your company pursues its transformation. If you have questions about how to integrate security into your plan, contact our security team.

The need for supply chain security

Managing supply chains has never been more complicated. There are numerous threats to fragile supply chains. Cyber attacks and malware are growing in number and complexity, seemingly daily. Supply chains are an attractive target because they offer a backdoor into dozens or hundreds of companies’ systems that are a part of the chain. To combat the eventuality of these events and bolster supply chain security, Disaster Recovery as a Service (DRaaS) furnishes backups of mission-critical data.

Beyond the external threats are the internal ones: aging infrastructure, poorly optimized data, lack of flexibility and scaling, and no backup plan. These variables limit business agility, and modern supply chain demands that companies must be able to pivot on a dime with little notice. Cloud technology has risen to meet the challenges of maintaining fluid supply chains. AI and machine learning tools grant insights into existing data streams while best-in-class security systems actively monitor and seek out evolving malware threats. This blog will examine how cloud computing provides supply chain security and optimization solutions.

Supply chain optimization

Optimizing a supply chain entails getting the most out of your data flows and securing said data through backups and security measures. Cloud-native predictive AI tools can help you analyze trends and stay ahead of supply chain disruptions. IoT devices and monitoring tech such as RFID tags track products during each step of the journey from manufacturing to purchasing to fulfillment. The Cloud allows for greater visibility and security across the supply chain.

Cloud systems also offer more opportunities for automation and simplification of supply chain management. APIs can simplify integrations across platforms and are valuable tools for creating complex automation workflows. Automatic backups are one of the core advantages of utilizing the Cloud.

Advanced security is another advantage of using the Cloud in supply chains. Public clouds, such as Google Drive and Microsoft OneDrive, have some of the best minds in security working around the clock to stay ahead of cyber criminals. However, many supply chains implement a multi-cloud environment. Smaller cloud providers may not have as robust security as industry leaders and may leave backdoors open to hackers. Multiply this by the number of companies and systems linked via a supply chain, and the potential for vulnerabilities explodes.

Data must be secured in all locations — onsite, in the Cloud, on third-party systems, and via a separate DRaaS solution.

Learn more: How do you ensure the security of your supply chain?

Scaling and flexibility

Maintaining national or global supply chains comes with a great degree of uncertainty. Responding to shortages, overstock, or even crises is vital to modern supply chains so corporations must scale and pivot as needed.

A cloud environment is an ideal resource for scaling in near real time. You pay for storage or services as needed. With the mass adoption of serverless computing and microservices, you can drill down and develop the exact tools you need when you need them and deploy them across platforms. Additionally, AI keeps you agile by flagging potential issues. Your data works harder by providing invaluable business intelligence that translates into informed strategic decisions.

Data protection and recovery

DRaaS experts are vital to your supply chain because malware is always evolving and may eventually be able to target cloud backups.

How malware works now

While familiar tactics like phishing or spear phishing are still around, dangerous new ploys threaten supply chain security. For example, malware can now be implanted directly in documents and images. Another approach is to lock the disk drive itself rather than individual files. One particularly insidious assault uses malware with a timer that may remain dormant for months or even years. Hackers know to target older systems that may have more vulnerabilities.

Protection through DRaaS

Increasingly, companies must contend with climate change-fueled disasters that may damage business locations and devastate vital systems. Properly setting up DRaaS is a safeguard against both malware and catastrophic events. A DRaaS system should be a secondary, offsite cloud backup system and even though cloud vulnerabilities exist, a DRaaS can be made inaccessible to hackers and bad actors through expert setup.

Maintaining supply chain security now and into the future

Managing and securing supply chains remains one of the most significant business challenges. CBTS can help you optimize and secure your supply chain. Our experts craft custom solutions to address security, backups, and supply chain data insights through cloud-based solutions.

With decades of experience under our belts, CBTS helps our clients make sense of supply chain management. We partner with industry-leading technology providers, and our thousands of certified engineers and project managers make navigating evolving technology a breeze.

Get in touch today to learn how to optimize and secure your supply chains with cloud technology.

For many organizations, multi-factor authentication—or MFA—is the first line of defense against the chance that an employee’s credentials have been compromised. If one of those credentials is compromised, the unauthorized user will fail subsequent tests and be blocked from spaces both physical and digital. Organizations do not usually create this system and instead rely on products like Cisco Duo to manage MFA for them.

Remember that multi-factor authentication is based on the rules of authentication: Something you know (your password), something you have (your cell phone or mobile device), and/or something you are (like your fingerprint or other biometric). Ideally, if you can’t provide or authenticate through one of these as required, your access request is denied. At the same time, a single one of these items that is stolen or compromised should not permit unauthorized entry into company systems.

MFA is a critical piece of other security measures, like zero trust networks. Read more: Zero Trust Networks (ZTN): what are they and how do I implement one?

Attackers take advantage of human weakness to create MFA fatigue

Flaws can emerge in any good process. In this case, the weakness is MFA fatigue, which can be a real problem for companies trying to improve their cybersecurity programs. Several corporate breaches have occurred due to an employee approving an MFA request despite the fact that they are not actively authenticating into an application or computer system. The threat actor or criminal attacker can attempt to bypass MFA by first repeatedly sending SMS text messages or Authenticator push requests to a compromised account where the attacker knows the username and password.

Duo, probably the most popular MFA vendor, has provided Duo Push for years as a secure method for authentication. Attackers exploit Duo Push from a social engineering perspective, repeatedly sending requests that eventually coerce the end user into approving an illegitimate request. The attacker is counting on the fact that the end user will approve one of the authentication requests to make the requests stop. This attack exploits a weakness of human nature—giving in when fatigued—to bypass the MFA security control. In response, MFA vendors have come up with some very interesting approaches to counteract this weakness in MFA.

Duo Push requires equal effort for the end user to approve or deny the transaction. If you are faced with a dozen or more push requests and denying each one keeps presenting another push challenge, eventually the end user—who is becoming irritated seeing this over and over—is going to press “approve” to see if they get a different outcome. After all, one of the definitions of insanity is doing the same thing over and over again but expecting a different outcome.

How did Duo strengthen its MFA offering?

To combat this, Duo has released the Verified Push feature, which is currently in public preview and will be available to all license levels of Duo. This is a helpful feature and one I think any Duo customer should consider testing, if not deploying.

Instead of just allowing an “approve” or “deny” single tap response characteristic of MFA, Duo Verified Push requires the end user to enter a three-digit code that pops up on their phone screen as part of a push notification in order to approve the authentication request. The end user must take an action and actively participate in the approval process by entering the three digit code. Incidentally, you can increase the code from three to up to six digits.   

I think this approach will work because we are all being trained to be more suspicious. Imagine the attacker sends multiple MFA requests hoping to fatigue an end user who is configured for and expecting verified pushes. The actual legitimate user must enter the three-digit code on one of those requests in order to approve the request. What’s more, it takes less effort for the legitimate end user to deny the fraudulent requests if they know they are not currently trying to access an application. If you are being harassed with pushes, why would you make the extra effort to enter in the code? Your security team can also follow up with training that under no circumstances should an end user enter the code unless they are actively authenticating to an application, device, or operating system. That can actually be laid out in the acceptable use policy for your organization along with threat of termination for violation.

Read up on other critical security training your organization needs now: The value of phishing simulation in a strong security program.

Duo takes a big step toward overcoming weakness in MFA

One step up from verified push is Risk-Based Authentication (RBA) from Duo, another new feature in public preview right now that is part of their arsenal to address MFA fatigue and continuous trusted access. Unlike Verified Push, the RBA feature will not be available in all Duo offerings, which has three feature license tiers: MFA, Access, and Beyond. You’ll find the RBA feature only in the higher level Access and Beyond license tiers.

RBA takes a different approach to MFA fatigue. RBA changes the acceptable authentication methods based on the perceived risk at that point in time for that account. For example, RBA can step up the MFA requirement to a Duo Verified Push if multiple standard Duo Pushes are being denied, which indicates that an attacker is trying to fatigue an end user into supplying an approval.

RBA also now leverages enhancements in Remembered Devices to determine changes in risk. For instance, if a user turns on their corporate issued device while within the office walls the Remembered Devices policy in Duo would generate a secure device token that allows that user seamless access in  that office environment. If the user then accessing those same resources remotely, Duo would detect the location change and require the device re-authenticate. Subsequently, if that location has never been seen before, Duo could force a Duo Verified Push and over time learn the user behavior of successful logins. RBA then eliminates the need to use more aggressive verification methods until the next high-risk authentication request is received.

RBA strengthens a system of authentication types

Duo supports a large number of authentication types. Secure authentication types available in RBA include Duo Verified Push, WebAuthn security key, a platform authenticator such as Touch ID, or an OTP (one-time password).  RBA allows you to determine which authentication methods are acceptable once Duo has identified a specific MFA request with more associated risk than a standard MFA login, overcoming weakness in human nature with a process that attackers can’t plan for.  RBA is a welcome addition to balance more aggressive authentication method requirements with end user ease of authenticating. It only steps up the requirements when a risk is perceived, which addresses potential pushback from the user community if more aggressive methods were standard authentication mechanisms.

Get more information on RBA, including RBA’s enhanced Remembered Devices functionality: https://duo.com/docs/risk-based-auth

If you are a Duo customer, the CBTS security team would be happy to consult with you how to best implement these Duo features and fight the MFA fatigue that is likely growing among your users. If you are looking for an MFA solution, then you definitely need to consider Duo. CBTS would love the opportunity to show you how it works and recommend other managed security services.

When talking about information privacy, some people think it’s the same thing as information security, but for security professionals, they are not the same thing.

If you talk about privacy, you are really talking about confidentiality.

When talking about keeping information —or data—secure, information security professionals focus on three key things: Confidentiality, integrity, and availability, also known as the CIA triad, which is the foundation of any organization’s security program.  If you think about it visually, it would look like this:

Privacy focuses on how personal data is used and controlled. The graphic puts privacy in that circle of how companies collect personal information, how they use that personal information in an authorized manner, and how they ensure the information is accurate.

Security focuses on keeping the data safe from unauthorized access and use, making sure the data reliable and accurate, and ensuring the data is available for use when needed.

Let’s look at examples to show the difference between privacy information and security

We’ll start with Amazon, an entity that touches almost everyone’s information in some way, shape, or form.

Amazon and privacy

If you buy products online from a vendor like Amazon, you expect that they will keep the information you share with them confidential. This information includes things like where you live (shipping information), how you are paying for your purchases (credit card or debit card), what you buy (shampoo, jewelry, clothing, personal items), and how often you buy things (once a week, once a month, etc.). All this information that Amazon has stored about you is related to information (data) that you would most likely want to keep private.

Note that none of your order information is personally identifiable information (PII), except for your method of payment.

In this example, you shared personal information with Amazon with certain expectations: For starters that Amazon will keep that information private and not disclose it to just anyone; and secondly, that only authorized people at Amazon can see your personal information.

Despite all the questions this suggests, today we won’t go into how Amazon makes money from selling your information to various companies. The terms of use of your information is in the privacy terms between you and Amazon.

Amazon and security

From Amazon’s the point of view, the focus is the CIA triad and ensuring that:

1. The information they are storing about you stays confidential (e.g., it’s not stolen by a competitor or criminal gang).

2. This data maintains its integrity, that is, it is not changed in some way by someone (e.g., your order is changed from 1 pair of socks to 10, or the price is changed from $10 to $1); and  

3. The data is available, so that you can see your order anytime, day or night, from anywhere on any device.

Equally important to Amazon is that this data is available to them when they want it so they can pick the right quantities, ship it to the right address, charge the right credit card, etc.

In this example, Amazon keeps the information you share confidential and available, and at the same time ensures that it hasn’t been modified and has maintained its integrity. For more on privacy, review how SD-WAN answers the challenge of remote workforce networking.

How do financial institutions treat information privacy and security?

As a consumer, one of your primary concerns is the trustworthiness of the business that takes care of your hard-earned money.

Your bank and privacy

Your bank or credit union has a lot of sensitive information about you, much of which is personally identifiable information, or PII. They know your name, address, age, social security number, and bank account numbers; the balances of your credit card, mortgage, savings and checking accounts; and the amount of your paycheck and how frequently you are paid. You most definitely want this data to remain private and confidential.

Not surprisingly, your bank also wants to keep your information private, particularly according to Federal regulations regarding PII and PCI (credit card). At the same time, your bank wants you to feel like you can trust them with this very private, very personal information.

Incidentally, banks also sell your information based on the privacy agreements that you agreed to when you opened the account, but this is a topic we also won’t address in this blog post.

Read up on how CBTS UCaaS services are PCI compliant.

Your bank and security

Banks also want to keep your information secure, and also follow the CIA triad. They make sure your information is kept confidential, so that only the appropriate people can see your PII and other bank-specific information.

To prevent your account balances from being not manipulated in some way, the integrity and accuracy of your account information is essential to your bank or credit union. Your bank also makes your account information (your data) available so that you can check your balances and access your money any time, from anywhere. Like Amazon, the bank works to keep your information confidential and available and maintains the integrity of the data so that it is used appropriately and according to the privacy terms you agree to when you opened the account (see the privacy terms for US Bank).

Are you all clear on information privacy and security now?

Hopefully these examples help clarify the difference between privacy—keeping your sensitive data private—and security—which ensures that your data is kept confidential and available in a way that maintains its integrity.

If you want to limit what any business—like Amazon or your bank—knows about you, find and review the data sharing policies with the companies you use. Also, some companies provide options for limiting how your personal information is shared with other companies. Those details are in the company privacy policies which you can typically and easily find online. Security doesn’t just happen. Learn why you should do information security awareness and training.

Absolutely EVERYTHING!

As an attack vector, the computer supply chain is attractive one and attacks on it continue to rise. Most people view a supply chain attack as something that affects only hardware. A typical scenario would involve a malicious actor working in a factory. This bad actor installs chips into the hardware that allow some kind of remote access once the system is booted or, alternatively, pre-install malware on a hard drive before the computer ships. But these days this can also include a “software” supply chain.

The hardware world has long had a complete list of components shipped as part of a system delivery known as a “Bill of Materials.” This BOM provides the customer with a detailed inventory of all the parts and pieces of a box, usually down to the types of memory installed, the processor model, everything. On rare occasions, this would include at least a starting firmware/software version, whatever the OEM put into the system itself.

A software bill of materials (SBOM) is the software equivalent of the hardware version: a list of all the components used to build an application, including any open-source or commercial components in addition to whatever code is original to the vendor. SBOMs, though, have not been quite as standard as their hardware counterparts.

Read more: How do you ensure the security of your supply chain?

Why is a software bill of materials important?

Not surprisingly, the information in a bill of materials can help determine how to fix something on whatever system to which the BOM is referring. On the hardware side, serial numbers, component specifics, and overall product identification numbers are essential when replacing a hard drive, motherboard, memory module, or any other hardware item.

Think of a software bill of materials (SBOM) in the same context. Wouldn’t it be simpler to fix a software bug if you had a list of all the additional software components in an application? Wouldn’t you sleep better at night knowing that your application consumes a specific Python library for input and output? What about your logging components? And—I’m just spitballing here—wouldn’t it be great to know for sure that you didn’t have a vulnerable version of a logging component for some, oh, I don’t know, web server like Apache?

Yeah, I know: it seems so far-fetched that something like that would ever be a threat, right?

Not only is it important to know where your software comes from, it’s also important to know what software components and shared libraries you have running on your devices or inside your applications. That’s where the concept of a software bill of materials comes into play.

With an inventory of all the software components used in an application or on a deployed device, your organization can finally figure out if you use Open Source Software library A, or custom software library B, and then which asset has which version!

Certainly, that would make those late-night calls over winter vacation much easier to take, as the solution to the question “do we run this?” would be right at your fingertips!

More on avoiding late-night, vacation-time emergencies: Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Aren’t software bills of materials already standard procedure?

Unfortunately, no.

The good news is that the National Telecommunications and Information Administration (NTIA) has been thinking about this concept since 2018! They’ve put together a site for practitioners to use and learn about SBOMs, and have written up some FAQs and consumable documents that help guide anyone new to this concept. Additionally, the Cybersecurity and Infrastructure Agency (CISA) has created weekly workstream meetings to share information with anyone interested, based on different topics. You can find the workstream events listed here.

What to do in the meantime

Ultimately, either generating your own software bills of materials or asking your vendors to supply them will substantially increase your ability as an organization to answer those age-old questions:

1. Are we vulnerable to this new zero-day vulnerability?
2. Where exactly are we vulnerable to it?

If you find yourself needing to create the SBOM yourself, be sure to visit that NTIA site, which also offers guides to creating SBOMs, evaluating the many online resources to help you out, and dispelling misconceptions about SBOMs (for example, they are not really a roadmap for hackers; the benefits to you are far greater than to a hacker who has so many other exploits available).

Taking time and care to catalog your software components correctly (and update that catalog frequently!) will help you and your leadership sleep better at night. For the most part.

Sleep even better with help from our security team! Contact us today with your security needs.

Read up on things you can do right now to strengthen your security posture:

Why should you do information security awareness and training?

Car parts and cybersecurity: what is Google dorking?

The value of phishing simulation in a strong security program

Improve your cybersecurity defense with centralized logging

I am a shameless promoter of information security awareness and training (A&T).

If I could get people to take three or four minutes of training on information security every week, I would do it.

I want everyone to be able to detect phishing emails and fake text messages quickly and easily.

I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”

I strongly disagree.

I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.

I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.

The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.

Without a doubt, the potential consequences of that click, call, or answer are exactly why information and security awareness belongs on your list of infosec priorities.

Read more: Essential security practices to protect your business

So who needs information and security awareness training?

Everyone!

Absolutely everyone in your company or organization needs regular A&T. From the CEO and CFO, the CIO to the admin at the front desk, everyone, all the way down the line. A&T that starts at the top is the most effective. If the CEO believes that A&T is valuable and worth doing, then the program will be significantly more effective.

Ok, tell me more about this training 

First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.

There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.

Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.

Alright then, when and where do you do this training? 

All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.

Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.

Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.

A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”

As for where to do the training, do it wherever people will take it. . You might do monthly lunch–and-learns, either face to face or online or computer-based training that is designed for mobile devices or PCs. We are far enough into this decade that you can find companies that offer computer-based training or other kinds of training that will fit your budget and needs.

The benefits of information security awareness training 

Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:

• Help lower your cyber insurance premium.
• Help you meet regulatory compliance requirements.
• Help better protect your employees on the job and at home.

What’s more, what you spend on a good A&T program can be offset when you factor in the benefit of recovering from fewer incidents and lower cyber insurance premiums. It is money well spent. What do you do for ISAT? Please feel free to e-mail me with comments or questions.

Read more from John Bruggeman:

Why test patches before deploying to production?

Cloud security controls that help mitigate risk

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?