In a recent article for Forbes, Dave Lewis recalls an experience earlier in his career in which the physical access controls on production servers were completely undermined by a lack of proper network segmentation. In the article, he notes that traditional network segmentation is giving way to a movement towards “zero trust.” The distinction between “inside the network” and “outside the network” is melting away as organizations steadily move towards cloud-based and hybrid infrastructures.
Last year the Verizon Data Breach Investigations Report found that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” This shouldn’t come as a surprise. Companies have been investing in perimeter defenses for years, and the easiest way for attackers to circumvent those network controls is to use legitimate credentials and simply log in. Protecting against these attacks is a challenge, but there are several things your organization can do to reduce your risk.
As we have all likely heard, passwords are really not very secure these days; some would say they never have been. If you must use passwords, hopefully you take a few simple steps to make them harder to guess, such as making them long (12-30 characters) and complex (unusual characters and no predictable patterns). Perhaps you are using a generator to make them random and to avoid dictionary words and pets’ or significant others’ names. If you’re striving for extra security you may have enabled two-factor authentication, so that a login also requires a text, email, or other confirmation on a device you will likely have on you.
It’s 2017, and while traditional password-based authentication is still widely used, security experts have long realized that passwords alone are not enough to keep malicious intruders out. Even with requirements for length, complexity, and frequent changes, the best password is still only a single piece of information, and anyone who learns it can gain access.
Multi-factor authentication is often pointed to as a significant step up in security for account access. In addition to your password, “something you know,” you also need access to your cell phone, “something you have.” For example, if you enable two-factor authentication for a Google account and then try to log in with your password from a new computer or other device, Google sends a text message to your cell phone with a code you must enter on the login screen. Entering that code proves that, along with having the correct password, you also have physical access to the cell phone associated with the account. However, problems arise if your access to your cell phone, or an attacker’s access to it, is compromised: the second factor is only as strong as your control over the device or phone number that receives the code.
The old adage goes, “there are only two certain things in life: death and taxes”. Increasingly, however, it looks like identity theft needs to get added to that list. Earlier this week, security blogger Brian Krebs reported that TALX, a division of Equifax (one of the “Big Three” credit bureaus), experienced a significant data breach of personally identifiable information (PII). As is often the case in mass data theft scenarios, TALX was unable to identify the exact number of records or the scope of PII compromised.
During the early-to-mid 2000s, the NBC network aired a successful reality television show called “Fear Factor.” In that show, contestants competed by attempting a broad range of terrifying stunts, eating grotesque foods, and taking part in other activities designed to exploit their innate fears. The contestants, one assumes, had weighed the value of the show’s prize against the risks of the unknown, and decided to participate in the hope of winning the $50,000 top prize.