In recent years, online communication tools have become a necessity, as companies depend on them to stay connected and get work done.
An immense amount of data is being shared through these applications. Personal, as well as confidential information, is no exception – making the apps easy targets for hackers.
For the sake of safety, brushing up on password security is just one of the many ways you can secure your account. You’d be surprised at how something as simple as a repetitive password or accessing the Internet without encrypting your connection with a VPN can jeopardize the safety of your data.
For this reason, we had a chat with CyberArk’s technical director, David Higgins, who shares more about remote work vulnerabilities and the “never trust, always verify” mindset.
CyberArk is emerging as a strong player in the identity security market. What is it about the sector that excites you?
Identity remains the go-to for threat actors looking for an effective and swift entry point to a business. It’s a problem that hasn’t dissipated; instead, it’s getting larger and more complex as the environment changes.
When we’re looking at security incidents, whether it be a data breach, ransomware, manipulation of service, etc., identity is almost always the ingress point. Interestingly, though, according to our recent CyberArk 2022 Identity Security Threat Landscape research, less than half (48%) of organizations have Identity Security controls in place for their business-critical applications, to name just one key environment.
These challenges, coupled with the innovation and ingenuity of malicious actors, who are continually finding new ways into their targets through identity, are what make identity security such an exciting sector.
How does Zero Trust underpin your security offering? How do you ensure you can protect against a variety of threats with this approach?
The premise of Zero Trust – never trust, always verify – is vital to our security offering and to forward-thinking security strategy in general. It’s an evolution of the ‘assume breach’ mindset that we have been advising our customers to take for many years.
It’s important that Zero Trust focuses on all identities too, not just the human ones. Only by looking at the complete spectrum of identities can the approach work. Thus, machine identities need to be taken into account and protected. This is especially important as automation continues to take off; our recent report shows that the number of machine identities outweighs human identities by 45x in the average organization.
The age-old adage that those protecting themselves need to get it right 100% of the time, whereas attackers only need to get it right once to wreak havoc, still holds true. So Zero Trust plays an important role in an organization’s armory.
Besides providing identity security, you also run the CyberArk Labs. Would you like to share some of your recent research?
Our CyberArk Labs team is a vital resource. Producing innovative research into emerging attack techniques, the team aims to help improve security posture and drive greater industry collaboration.
The team has researched a number of interesting vulnerabilities recently, one being research into the Conti Ransomware Group – which has affiliations to Russia – and the leak of its inner workings.
In the research, the Labs team aimed to get a better idea of how the backend of the group’s operation works, finding evidence of some of the exploits it makes use of to carry out attacks, including ZeroLogon, a preference for light webshells, and Kerberoasting.
The insight gained into the tactics, techniques, and procedures of groups such as Conti is essential for future prevention, but also for coping with the aftermath of an attack. Knowing how an attacker might get through a back door, or what types of data they want to steal, for example, is absolutely crucial in mitigating the damage of an attack, and this is why the Labs team is so important to what we do.
Have you noticed any new challenges in your field of work during the pandemic?
The immediate transition to working from home at the start of the pandemic meant individuals were no longer in secure environments. This created a whole new security challenge as hybrid and remote working forced a change in ingress points.
This new challenge served to emphasize the importance of enforcing least privilege. Thankfully, though, organizations have been quick to realize how hybrid working could negatively impact their resilience. 86% of respondents in our research identified it as their biggest potential source of cyber risk.
It was also interesting to note how the move to working from home shifted our reliance on new, potentially unsecured, tools. In fact, early in 2020, our Labs team discovered, and helped fix, a vulnerability in Microsoft Teams in which malicious links and GIFs could be used to access data. Had this vulnerability been successfully compromised, the consequences could have been disastrous for both home workers and their organizations.
Recently, there has been a lot of commotion around the Log4j vulnerability. Could you briefly explain why it is so serious?
The Log4j vulnerability followed the landmark SolarWinds attack, otherwise known as the attack that changed everything. Proving just how devastating a supply chain attack can be, SolarWinds was believed to be the most high-profile of the attacks. When Log4j raised its head a year later, posing a threat of at least equal proportions, it’s no wonder the security world was worried.
The vulnerability put hundreds of millions of devices at risk and had the potential to cause data exfiltration and/or remote code execution on servers using the Log4j component for their logging functionality. This meant, if left unmitigated, an attacker could take complete control of a target server.
What was even more worrying about Log4j was the fact that a bug was found in widely available open-source software. It is used – directly or indirectly – in the world’s most popular consumer applications and enterprise services. One type of attack can rarely be universally applied to so many different targets, and that’s what makes Log4j so serious. It can be likened to a wobbly Jenga block holding a towering puzzle above: if one brick at the bottom falls, the whole thing comes down.
Do you think similar vulnerabilities are going to cause more issues in the near future?
As mentioned, we’ve seen large-scale attacks based on a base-level flaw like this before – which is what happened in the massive SolarWinds attack that used a digital supply chain vector to reach more than 18,000 organizations worldwide.
The constantly changing nature of IT and cybersecurity means we don’t always have foresight into what the next big attack will be. But organizations can use techniques like the MITRE ATT&CK framework, alongside keeping up to date with the latest patches and software updates, to be prepared to mitigate any potential impact when it comes.
Would you like to share some of the best practices companies should adopt to minimize the risks of vulnerability exploitation?
All companies should operate under the assumed breach mindset I mentioned earlier. It’s impossible to defend against every single flaw your organization might have, especially with the fast-paced, changing nature of IT. Instead, the focus and best practice should be around preventing attackers from moving to their objective – whether that be to spread malware, harvest data, or shut down a critical service – once they are inside a system. This typically starts with identity.
By securing routes to the most critical assets or underlying administrative access, having strong, adaptive identity authentication, and removing hard-coded secrets, an organization can dramatically improve its overall security posture.
Alongside this, exercises like red teaming will not only strengthen defenses by finding previously unknown gaps but will offer organizations the opportunity to run ‘fire drill’ simulations to better understand the readiness of their security teams.
As for individual users, what security tools would you recommend for personal use?
My main recommendation for individuals is to have good credential hygiene. What I mean by this is ensuring you have different passwords for every login and also have a good password wallet – making it easier to keep track of them all. This can offer the first line of defense and prevents individuals from falling back into risky habits such as saving credentials in browsers, resorting to post-it notes, or re-using passwords.
Secondly, it’s key to ensure the passwords you’re using are strong. When it comes to resetting passwords, we’re often guilty of only changing one digit, negating the purpose of what is often a mandatory reset. It’s easy for attackers to steal or crack credentials and the above hygiene habits will go some way in helping individuals to keep themselves safe.
What do you expect the next big security threat to be, and how can we prepare for it in advance?
We know cyber threats won’t subside completely due to the nature of attackers and their evolving tactics; however, this past year security threats have become so consistent that criminal groups have appeared more like real businesses. Just like any other organization, though, this way of working means large attacker groups have unwittingly created their own attack surfaces, opening themselves up to risk.
It’s likely that the need to secure themselves internally will force security to revamp – as adversaries will increasingly get caught by defenders using their own offensive attacks against them. This change may bring with it plenty of new, innovative tactics, techniques, and procedures which organizations need to be prepared to protect against and monitor.