Multi-Factor Authentication (MFA) Attacks
A report by LastPass has highlighted that 57 per cent of global businesses are using MFA, compared to 45 per cent in 2018. This indicates a strong uptake of MFA in 2019, which is set to increase in 2020, and as adoption grows, attacks against MFA will inevitably rise as well.
Stephen O’Boyle, Global Head of Cybersecurity and Information Resilience Services at BSI says: “MFA is a method of authentication developed to add an additional layer of protection for users and while we have seen a positive roll-out of it in 2019, we expect to see attackers increase their attempts to bypass it. One such example is what we call a “9am attack”, whereby the attacker attempts to log in at around 9am local time of the user. The end user arrives at the office, and when logging on, gets a prompt on their authenticator app to approve, and if the attacker has it timed correctly the user approves and inadvertently grants access to the attacker.”
“This along with other targeted attacks such as Evilginx or SIM swapping will become more prominent this year. Provided that phishing attacks remain a ‘high return and low risk’ proposition they will continue to be attractive to attackers. Organisations must have the capability to detect and react to advanced attacks in order to keep their clients, employees and information secure.”
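As an added illustration of how a defender might spot the timed-approval pattern described above (example code written for this page, not BSI’s or the article’s own; the log format, the baseline of known source IPs and the ten-minute window are assumptions):

```python
from datetime import datetime, timedelta

# Constructed baseline (not from the article): source IPs seen on each user's
# earlier successful sign-ins, e.g. office egress and home broadband.
KNOWN_IPS = {
    "alice": {"203.0.113.7", "192.0.2.40"},
    "bob": {"203.0.113.7"},
}

# Constructed sign-in log: (timestamp, user, source_ip, mfa_result), where
# mfa_result is what the authenticator push returned for that attempt.
SIGNINS = [
    ("2020-01-13T08:58:50", "alice", "203.0.113.7", "approved"),    # alice, office
    ("2020-01-13T09:00:12", "alice", "198.51.100.23", "approved"),  # unknown IP, approved
    ("2020-01-13T09:02:30", "bob", "203.0.113.7", "approved"),      # bob, office
    ("2020-01-13T13:15:00", "bob", "198.51.100.99", "denied"),      # unknown IP, user denied
    ("2020-01-13T18:40:00", "alice", "192.0.2.40", "approved"),     # alice, home
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_suspicious_approvals(signins, known_ips, window_minutes=10):
    """Flag approved sign-ins from an IP the user has never used before when a
    sign-in from one of the user's known IPs lands within the window: the
    shape of a timed push attack, where the attacker's prompt is approved
    alongside the user's own morning login."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ts, user, ip, result in signins:
        by_user.setdefault(user, []).append((parse(ts), ip, result))
    hits = []
    for user, rows in by_user.items():
        known = known_ips.get(user, set())
        for when, ip, result in rows:
            if result != "approved" or ip in known:
                continue  # denied/timed-out pushes and known sources are not the pattern
            near_known = any(
                other_ip in known and abs(other_when - when) <= window
                for other_when, other_ip, _ in rows
            )
            if near_known:
                hits.append((user, when.isoformat(), ip))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_approvals(SIGNINS, KNOWN_IPS):
        print("review:", hit)
```

Each flagged tuple is a lead for the SOC to confirm with the user and, if unexplained, to revoke the session and reset credentials.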
Third Party / Supplier Risk Management
Managing supplier risk effectively has been strengthened by a number of new directives and regulations which have wide-reaching effect, including the Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR). While companies are following ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls and ISO/IEC 27036 Information technology — Security techniques — Information security for supplier relationships to improve their ability to manage risks and are substantially increasing their security controls, the risks relating to supplier relationships will continue to expand in 2020.
O’Boyle says: “Supplier risk management allows organisations to identify, assess, manage and treat supplier risk. This year businesses will need to further enhance their solutions when it comes to reducing risks associated with third party management. This includes processing of information, outsourced system development, integrations, configurations and hardware product provenance. Doing so will allow them to be in a better position from a security perspective to achieve their objectives and meet their compliance requirements.”
Globalisation and the relentless advance in technology mean that privacy safeguards are necessary to ensure the protection of the fundamental rights of citizens. The need to adopt a principles-based privacy programme to establish a rights-centred approach to controls will be further required this year as enforcement of regulations such as the GDPR progresses – in 2019, 134 fines were reportedly issued under the GDPR, equating to over €417 million.
O’Boyle says: “The GDPR fines are set to rise in 2020, especially given the impending decisions under review by the Information Commissioner’s Office (ICO) relating to large tech firms. Many organisations have realised their compliance requirements due to the GDPR, however new and evolving global legislation such as Japan’s Act on Protection of Personal Information (APPI), Brazil’s Lei Geral de Proteção de Dados (LGPD), Thailand’s Personal Data Protection Act (PDPA) and California’s Consumer Privacy Act (CCPA) mean that an organisation’s privacy compliances continue to evolve. These global requirements must be considered based on a company’s global reach and their data jurisdictions.”
Mature security organisations often allocate significant human and financial resources to their cyber security programmes. In 2019, many industry security teams were tasked with proving the value of the company’s security investments. In addition to certifications such as PCI DSS (Payment Card Industry Data Security Standard), ISO/IEC 27001 Information Security Management Systems and SOC 2 (Service Organisation Control 2), companies began conducting Purple Teaming exercises, where Defenders (Blue Team) are pitted against Attackers (Red Team) to determine the effectiveness of their defence capabilities, and this will expand in 2020.
“This technique provides a truly effective view of attack susceptibility and defence capability in a close to real world attack scenario. The benefits to organisations are extremely valuable as defenders gain attack experience in a safe scenario environment, deficiencies are highlighted and opportunities to improve identification and response capabilities are advanced through process improvements and monitoring system tuning. We will see more companies adopt this approach as part of their annual assessment activities this year,” says Stephen.
Cloud Security – Zero Trust Networks
As cloud adoption grows and organisations begin to truly accept the ‘death of the perimeter’, the Zero Trust model will rise to the fore. Security measures for protecting organisations beyond the traditional firewall will continue to improve, and conditional access that considers device enumeration, certificates, location, biometrics and user secrets will become the norm for protecting organisations leveraging cloud-first models.
“Cloud services, including Microsoft Office 365, are key targets for attackers and password spray and credential stuffing attacks are examples of methods used to gain access. Companies who progress their cloud journey without adequate Identity and Access Management tools and processes will soon find themselves subject to compromise. Those with limited monitoring in place can expect attacker persistence to remain for extended durations.”
O’Boyle adds: “We are seeing the next phase in cyber threats, cyber-related regulations, technological evolutions and specific solutions within these trends, looking beyond the stalwart and ever-present security risk of inadequate patching. Defence preparation must remain high on the agenda for 2020 across all industry sectors including finance, the public sector, food and healthcare. In England specifically this will be further enforced through efforts stipulated in the National Cyber Security Strategy. Organisations need to prioritise and address their cyber and regulatory efforts this year and opt for a deeper level of assurance across the board at all levels. Doing so will ensure that everyone has a greater understanding of the cybersecurity landscape and that their information resilience is enhanced across the organisation.”