Reflections on Security: Looking Ahead
As we continue deeper into 2022, facing many of the challenges we saw in 2021 (see Reflections on Security: Looking Back at 2021), optimism may seem difficult. How do we know the next evolution of identity and security practices will be enough? And this time of year always sees a flurry of predictions on what trends will emerge and what should be top of mind in the security space. For me, Slartibartfast of Douglas Adams’ Hitchhiker's Guide to the Galaxy said it best:
“Perhaps I'm old and tired, but I think the chances of finding out what's actually going on are so absurdly remote that the only thing to do is to say, ‘Hang the sense of it,’ and keep yourself busy.”
In the spirit of this quote, here are some things to keep in mind, based on the lessons we’ve learned from the cyber events of 2021.
There is always something you can do
The catch-22 about working in the IT space these days is that it’s always evolving — the list of critical projects is never done. As technology keeps advancing, we keep optimizing, improving, and retiring legacy systems and processes. But as we’ve learned, the bad actors are just as innovative. They’ll evolve their efforts, as needed, to compromise our infrastructure and capitalize on deprioritized systems.
The common thread behind each of the incidents discussed in the previous post is their reliance on identity-based attacks, typically through weak passwords or easy-to-compromise authentication—such as those based on SMS. The good news is there are some easy, low-impact steps that can be taken, one of which is to shift our thinking toward considering identity and security goals to be one and the same. Another is to adopt a strong security strategy that doesn’t make people your weakest link, i.e., one that is phishing-resistant and devoid of legacy methods.
To that end, there’s a new understanding that people are the new perimeter. Whether you officially employ Zero Trust or not, they are potentially the strongest asset to any security team. But they must be equipped with the appropriate easy-to-use tools like multifactor authentication (MFA) and Single Sign-On (SSO). That’s not all: the underlying system must be equipped with policy enforcement that evaluates context at a granular level.
The use of risk-based authentication systems using signals from multiple sources (such as the user’s network, computer, and even other applications) will enable organizations to create better security while improving the overall user experience (i.e., not causing undue friction for end users).
The learning never stops
Back in the ‘80s, none of us would have conceived we’d be walking around with something called the internet in our pockets, yet here we are. It’s important to remember, though, that constant innovation and advancement brings risks that weren’t originally considered. In that same vein, passwords are now seen as ineffective security gateways; firewalls still serve a purpose, but shouldn’t be the entry point into organizations anymore. And, as data is now often stored in the cloud, we should not be using code bases designed without security in mind.
So, here are a few key things to take into the new year, learned through the growing pains of 2021:
- Code/development needs to leverage secure APIs and injections, as much code was never developed with security in mind. To that end, practitioners should build with security in mind from the get-go, rather than treating it as an afterthought.
- Dynamic work is the new reality, so we need to shift our mindset to building security into our infrastructure, starting at the access points: people and devices.
- Passwords need to be displaced with new, stronger authentication methods like WebAuthn.
Be both optimistic and realistic
Passwordless is the desired utopia but becomes complicated, convoluted, and sometimes impossible when legacy technologies don't support modern authentication (as detailed in this year’s Businesses at Work 2022 report). As the industry moves towards discontinuing the use of the antiquated username and password methods, organizations need to continue the digital transformation journey and leverage solutions that will help them modernize their infrastructure without a heavy lift. In addition, organizations should begin preparing for a passwordless future by identifying and removing systems that do not support modern authentication standards.
Change can be scary, but it need not be
It’s clear that threat actors used the pandemic to industrialize. Cyberattacks have become faster, bigger, and more organized. Cybercriminals have become a part of complex ecosystems that do everything from selling access to compromised accounts, generating bulk attack payloads, and managing the financial side of extorting money. Major events now occur on a weekly basis and 2022 will likely bring more of the same.
We are entering an era of digital trust. Whether it’s our work or personal experiences, there needs to be an emphasis on interacting in the digital world with security in mind. Organizations need to find a way to build a true culture of cybersecurity by training employees properly and improving individual cyber-behavior and hygiene. Security groups should be able to translate this into larger budgets and further investment in zero trust technologies.
Plan and build for the future
So as we go forward into the new year, remember the wisdom of Douglas Adams:
“There is a theory which states that if ever anyone discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable.”
This applies to our infosec world; as soon as we think we understand something and have mitigated the threats, something new is exposed and exploited. But by learning from past attacks, there are steps you can take in 2022 to create a stronger security posture than ever before:
- Invest in an industry-leading identity solution that provides strong authentication
- Use the principle of “least privilege” across your environment to prevent lateral movement
- Evaluate context at every access attempt with policy to reduce your risk surface
- Invest in technologies that will reduce your reliance on passwords, but also reduce friction
- Start your journey with identity to adopt a zero trust security strategy
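Both the risk-based authentication described earlier (combining signals from the user's network, device, and other applications) and the closing advice to apply least privilege and evaluate context at every access attempt come down to one policy decision per request. The following added example (not code from the original post or from any vendor's product) shows that decision in Node.js: each signal contributes to a risk score, hard least-privilege rules are applied before the score, and the outcome is allow, step-up to a phishing-resistant factor, or deny. Signal names, weights, thresholds and the sample requests are constructed for illustration.

```javascript
// Added example, not code from the original post: a small risk-based access
// policy that combines signals from several sources (network, device, recent
// sign-in history, application sensitivity) and returns allow, step-up or deny.
// Signal names, weights and thresholds are constructed for illustration; a
// production policy engine would tune them against real sign-in data.

// Per-signal weights: how much each observation raises the risk score.
const WEIGHTS = {
  anonymizerNetwork: 50,     // Tor or commercial anonymizing proxy
  unknownNetwork: 30,        // not a corporate or previously seen network
  unmanagedDevice: 30,       // no device posture available at all
  noncompliantDevice: 15,    // managed, but failing a compliance check
  repeatedFailures: 20,      // burst of failed sign-ins on this account
  implausibleTravel: 40,     // distance from last sign-in not reachable in the time
};
const STEP_UP_AT = 30;       // at or above this, require a phishing-resistant factor
const DENY_AT = 70;          // at or above this, refuse outright
const MAX_TRAVEL_KMH = 1000; // faster than this between sign-ins is implausible

// Collect the signals that apply to one access attempt and sum their weights.
function scoreRequest(ctx) {
  const reasons = [];
  let score = 0;
  const add = (key, reason) => { score += WEIGHTS[key]; reasons.push(reason); };

  if (ctx.network === 'anonymizer') add('anonymizerNetwork', 'anonymizing network');
  else if (ctx.network === 'unknown') add('unknownNetwork', 'unrecognized network');

  if (ctx.device === 'unmanaged') add('unmanagedDevice', 'unmanaged device');
  else if (ctx.device === 'managed-noncompliant') add('noncompliantDevice', 'device out of compliance');

  if (ctx.recentFailures >= 5) add('repeatedFailures', 'repeated failed sign-ins');

  // Impossible-travel check against the previous successful sign-in, if any.
  if (ctx.lastSignIn && ctx.lastSignIn.minutesAgo > 0) {
    const kmh = ctx.lastSignIn.kmAway / (ctx.lastSignIn.minutesAgo / 60);
    if (kmh > MAX_TRAVEL_KMH) add('implausibleTravel', 'implausible travel speed');
  }
  return { score, reasons };
}

// Decide the outcome. Hard rules (least privilege) come before the score so a
// low score can never unlock an admin-tier application from the wrong device.
function evaluate(ctx) {
  const { score, reasons } = scoreRequest(ctx);
  if (ctx.appTier === 'admin' && ctx.device !== 'managed-compliant') {
    return { decision: 'deny', score, reasons: [...reasons, 'admin app requires a managed, compliant device'] };
  }
  if (score >= DENY_AT) return { decision: 'deny', score, reasons };
  if (score >= STEP_UP_AT || ctx.appTier === 'admin') {
    return { decision: 'step-up', factor: 'webauthn', score, reasons };
  }
  return { decision: 'allow', score, reasons };
}

// Constructed sample access attempts.
const SAMPLE_REQUESTS = {
  officeStandard:  { network: 'corporate',  device: 'managed-compliant', recentFailures: 0, lastSignIn: null, appTier: 'standard' },
  travelStandard:  { network: 'unknown',    device: 'managed-compliant', recentFailures: 0, lastSignIn: { kmAway: 400, minutesAgo: 600 }, appTier: 'standard' },
  suspicious:      { network: 'anonymizer', device: 'unmanaged',         recentFailures: 7, lastSignIn: { kmAway: 8000, minutesAgo: 10 }, appTier: 'standard' },
  adminFromOffice: { network: 'corporate',  device: 'managed-compliant', recentFailures: 0, lastSignIn: null, appTier: 'admin' },
  adminFromPhone:  { network: 'corporate',  device: 'unmanaged',         recentFailures: 0, lastSignIn: null, appTier: 'admin' },
};

function evaluateAll() {
  const out = {};
  for (const [name, ctx] of Object.entries(SAMPLE_REQUESTS)) out[name] = evaluate(ctx);
  return out;
}

for (const [name, result] of Object.entries(evaluateAll())) {
  console.log(name, result.decision, result.score, result.reasons.join('; '));
}
```

The ordering matters: the admin-from-unmanaged-device request is denied even though its score alone would only trigger step-up, while the routine office request passes with no prompt at all, which is the "better security without undue friction" trade-off the post describes. Logging the reasons alongside the decision also gives the security team something to review when a policy fires unexpectedly.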