Three Critical Threats on the Horizon You Need to Prepare For

October was National Cyber Security Awareness Month, which served as an important annual reminder for organizations to never let their guard down when it comes to protecting access to data. The most recent wave of data breaches (e.g., Simon Fraser University, Twitter, Universal Health Services, and Shopify) demonstrates that cyber adversaries no longer need to ‘hack’ in — instead they can log in using weak, stolen, or phished credentials. This takes on increased significance when it comes to privileged credentials, such as those used by IT administrators to access critical infrastructure. These types of credentials are estimated to be involved in 80% of data breaches.

Today’s dynamic threatscape requires security professionals to adjust to an ever-expanding attack surface. It doesn’t matter where the data they need to protect resides, or who is ultimately trying to access the data — be it human or a machine. What counts is that they minimize the risk of data exfiltration. Period.

Consider the following threats that are on the horizon and which companies need to start preparing for now:

Once COVID-19 hit, a lot of organizations realized they lacked the scalability to support work-from-home business needs, which accelerated moving workloads to the cloud. However, a lot of companies haven’t figured out how to secure their cloud infrastructure. In fact, 92 percent of organizations admit that they face a cloud security readiness gap. Unfortunately, there is still widespread misunderstanding of who is responsible for securing privileged access to cloud workloads.

According to research conducted by Centrify among 700 respondents from the US, Canada, and UK, 60% of organizations incorrectly believe the cloud provider is responsible for securing privileged access, whereas the shared responsibility model clearly states that it is the responsibility of the organization. However, this shift to the cloud has not gone unnoticed by threat actors. In fact, data breaches in the cloud due to misconfigurations and privileged credential abuse have increased in the past couple of years.

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security breaches including STUXNET, Mirai botnet, connected cardiac devices, etc. IoT in all its flavors (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems, and artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats. In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a security breach. 

Therefore, IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems, and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes. They are deployed in manufacturing plants, retail businesses, and the healthcare industry. The strong adoption rates in these verticals are tied to the benefits IoT devices provide in terms of tracking inventory, managing machines, increasing efficiency, improving customer interaction and service, reducing maintenance costs, and even saving lives.

Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. They are often associated with privileged accounts and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. These identities often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the risk associated with non-human identities, many organizations have recognized that static password authentication, which often requires manual and time-consuming configurations, is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary and changes are constant.

Establishing a solid perimeter and investing in a well-built security team is still important, but organizations need to adjust their security strategies to match modern threats and focus on identity and credentials. In this context, granting ‘least privilege’ is essential to preventing unauthorized access to business-critical systems and sensitive data by both insiders and external threat actors. Establishing granular, role-based privileged access controls and granting just-enough, just-in-time access to target systems and infrastructure limits lateral movement.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
