Three Critical Threats on the Horizon You Need to Prepare For

October was National Cyber Security Awareness Month, which served as an important annual reminder for organizations to never let their guard down when it comes to protecting access to data. The most recent wave of data breaches (e.g., Simon Fraser University, Twitter, Universal Health Services, and Shopify) demonstrates that cyber adversaries no longer need to ‘hack’ in — instead they can log in using weak, stolen, or phished credentials. This takes on increased significance when it comes to privileged credentials, such as those used by IT administrators to access critical infrastructure. These types of credentials are estimated to be involved in 80% of data breaches.

Today’s dynamic threatscape requires security professionals to adjust to an ever-expanding attack surface. It doesn’t matter where the data they need to protect resides, or who is ultimately trying to access the data — be it human or a machine. What counts is that they minimize the risk of data exfiltration. Period.

Consider the following threats that are on the horizon and which companies need to start preparing for now:

Once COVID-19 hit, a lot of organizations realized they lacked the scalability to support work-from-home business needs, which accelerated moving workloads to the cloud. However, a lot of companies haven’t figured out how to secure their cloud infrastructure. In fact, 92 percent of organizations admit that they face a cloud security readiness gap. Unfortunately, there is still widespread misunderstanding of who is responsible for securing privileged access to cloud workloads.

According to research conducted by Centrify among 700 respondents from the US, Canada, and UK, 60% of organizations incorrectly believe the cloud provider is responsible for securing privileged access, whereas the shared responsibility model clearly states that it is the responsibility of the organization. However, this shift to the cloud has not gone unnoticed by threat actors. In fact, data breaches in the cloud due to misconfigurations and privileged credential abuse have increased in the past couple of years.

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security breaches including STUXNET, Mirai botnet, connected cardiac devices, etc. IoT in all its flavors (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems, and artificial intelligence-based automated agents such as chatbots) exposes companies and consumers alike to a wide range of security threats. In fact, according to a survey conducted by Altman Vilandrie & Company, nearly half of US-based firms using IoT have been hit by a security breach. 

Therefore, IoT must be considered part of a broader attack surface that requires protective measures. While consumer IoT devices like Amazon Alexa, Google Home, Nest Labs home automation systems, and smart wearables get all the headlines, the largest proportion of IoT devices aren’t used in homes. They are deployed in manufacturing plants, retail businesses, and the healthcare industry. The strong adoption rates in these verticals are tied to the benefits IoT devices provide in terms of tracking inventory, managing machines, increasing efficiency, improving customer interaction and service, reducing maintenance costs, and even saving lives.

Today, identities include not just people but workloads, services, and machines. In fact, non-human identities represent the majority of “users” in many organizations. They are often associated with privileged accounts and typically have a much larger footprint than traditional human privileged accounts within modern IT infrastructures. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. These identities often pose a blind spot, since machine, IoT, service account, and application identities are not always considered when establishing security controls. Besides underestimating the risk associated with non-human identities, many organizations have recognized that static password authentication, which often requires manual and time-consuming configurations, is not suitable in fast-moving multi-cloud and hybrid environments, where access needs are often temporary and changes are constant.

Establishing a solid perimeter and investing in a well-built security team is still important, but organizations need to adjust their security strategies to match modern threats and focus on identity and credentials. In this context, granting ‘least privilege’ is essential to preventing unauthorized access to business-critical systems and sensitive data by both insiders and external threat actors. Establishing granular, role-based privileged access controls and granting just-enough, just-in-time access to target systems and infrastructure limits lateral movement.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
