Using a Virtual CISO Service Supplementally
We are in the Cloud Era, and the mass migration of business processes to cloud-based third parties is not slowing down. There are many reasons business owners rely more and more on the cloud.
Although there are many reasons to move business processes to outsourced service providers, this paradigm shift does come with some trade-offs.
The nature of web-based service providers makes user access controls far more important than before. Many critical business lines and much sensitive data now live in a myriad of web portals spread across the Internet, and most of these assets are protected by nothing more than a login screen.
Because these services are interconnected, many organizations have their third-party applications interface directly with other third-party applications to enable automated, streamlined business processes. This connectivity opens the risk of chain-reaction incidents: an attacker who gains access to one service through weak user access controls can potentially reach several other services through the service-to-service API integrations behind the scenes.
With the ever-increasing adoption of HTTPS, brute-force mitigations, and system-level incident monitoring, it is becoming harder and harder for attackers to compromise systems through purely technical means. As a result, a large share of security incidents stem from social engineering attacks. These attacks target the weakest link in the security chain: people. Leveraging the human tendency toward trust and curiosity, attackers will go to great lengths to trick an employee into unintentionally giving up credentials. These attacks often involve many steps and are carried out over the course of weeks or months.
Many times, an employee will have no idea that the website they are entering their login information into is not legitimate until it is too late. Attackers find third parties that an organization trusts and "spoof" their websites, most often triggered by a "call to action" email or phone call that prompts the employee to log in in response to some event.
Once a single employee account is compromised, an attacker can start a chain-reaction attack by targeting other connected services or employee accounts. Even if the incident is caught and remedied quickly, the attacker may already have enough new information to continue the barrage of social engineering attacks against other parts of the organization.
Strong user access controls and multi-factor authentication (MFA) reduce this risk, but by how much? MFA is now mainstream and goes a long way toward preventing incidents based on compromised credentials, but it is not foolproof. Attackers now routinely include the MFA step in a layered social engineering attack (for example, by relaying a one-time code typed into a spoofed page to the real site while it is still valid), and even popular authentication tools can be compromised at the system and hardware levels.
With all the advances in technology, the most reliable security measure today is still, sometimes, people. Proper awareness of user access controls and consistent cybersecurity awareness training that teaches employees to detect and report social engineering probes can go a long way toward preventing incidents. With the vast networks of connected service providers, this is more important than ever to keep a single incident from snowballing into something much larger.
Rivial Data Security knows that a proper security program starts and ends with the most important asset of any organization: its people. Managed security training and customized social engineering testing, together with simple reporting and informative metrics, can go a long way toward achieving a truly robust security program.