People-centric exposures are top security concern per SANS Managing Human Risk report
Background
Having been in cybersecurity for many, many years as a hands-on practitioner, in product / program management, and now product marketing, I’ve seen a fair amount of security trends come and go. For example, when network defenses were bolstered by next-gen firewalls, attackers turned to DNS. When DNS defenses were added, attackers turned to vulnerabilities in operating systems, and so on.
However, as the SANS 2022 Managing Human Risk report[i] indicates, the latest attack frontier is simply People. From the report, we can conclude that human risk management will be a vital element of cybersecurity moving into the future, particularly when it comes to ever-escalating attacks (such as phishing) designed to steal passwords. This trend makes phishing-resistant authentication ever more critical.
The question is: Will the trend of People-centric cyberattacks be as transitory as network and DNS vulnerabilities? Let’s dig into the report a bit.
Top 3 Risks and Conclusion
The report discusses the top 3 risks chosen by the surveyed security personnel:
- Phishing Attacks: The report highlights all major phishing attack types, including email-based phishing, SMS phishing (AKA smishing), and voice phishing (AKA vishing), as the most serious threat. They reported that this conclusion was in line with the Verizon DBIR and Microsoft Digital Defense Reports.
- Business Email Compromise (BEC) Attacks: This is a highly targeted attack that uses social engineering, typically aimed at an organization’s accounts payable department. One or more believable emails are sent, supposedly from the CEO, requesting a transfer of funds or a change in payment information. Its high ranking may seem surprising, and the reason is that these attacks do not have to be disclosed publicly. So, while very serious, they do not receive the media coverage that other attacks (such as ransomware) receive.
- Ransomware Attacks: The report indicates that the vast majority of ransomware infections either start with a phishing attack or with exploiting weak passwords.
Not surprisingly, the report focuses on the human risk management aspects of security risk. It examines how the frequency of end user training relates to the effectiveness of the security program, and recommends communicating with, interacting with, or formally training the workforce at least once per month for the program to be effective.
Quick Take: What is Phishing-resistant passwordless multi-factor authentication (MFA)?
This definition varies quite a bit by source. So, let’s provide some guidance as to what the term means and why it is important.
Conventional multi-factor authentication is simply not enough, since the password can still be captured by phishing and related attacks. Similarly, other factors – typically a code sent via text or provided by an authenticator app – can be compromised, because nothing in the code ties it to the site the user is actually talking to. Further, if shared secrets are used between the device that’s running the authentication (typically a laptop) and the identity provider, those can also be intercepted over the network.
So, one way to remember the significance of this term is to break it down:
- Phishing-resistant: Immune to tricking the end user into giving away the password and other authentication factors.
- Passwordless: Immune to having a code or shared secret intercepted on the device or over the network.
- MFA: Leveraging multiple (at least two) end user-provided factors in the authentication process.
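To make the "phishing-resistant" part of that breakdown concrete, here is a small Go model added for this post (it is not code from the post, from Axiad, or from any product it mentions). It contrasts a one-time code derived from a shared secret, which a verifier accepts with no knowledge of where the user typed it, with an origin-bound signed challenge in the style of WebAuthn, where the authenticator signs the origin it is actually connected to and the relying party rejects anything made for a different origin. The secret, origins and challenge are constructed demo values; the hash-based payload encoding is this example's own and is a simplification of what the real protocol signs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Factor A: a one-time code derived from a shared secret (TOTP-style, using
// HMAC-SHA256 and a 30-second step). The verifier can only check that the
// digits match; nothing in the code says which site the user typed it into,
// so a code entered on a look-alike page verifies just as well as one
// entered on the real site.

func OTPCode(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha256.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, as in HOTP
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func VerifyOTP(secret []byte, unixTime int64, code string) bool {
	return hmac.Equal([]byte(OTPCode(secret, unixTime)), []byte(code))
}

// Factor B: an origin-bound signed challenge. The authenticator signs the
// origin the browser is actually connected to together with the server's
// challenge (WebAuthn carries these in clientDataJSON); the relying party
// checks the origin before it checks the signature.

type Assertion struct {
	Origin    string // origin reported by the client when the assertion was made
	Challenge []byte
	Signature []byte
}

// signedPayload is this example's simplified encoding of what gets signed.
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so the origin/challenge boundary is unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

func MakeAssertion(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	return Assertion{
		Origin:    origin,
		Challenge: challenge,
		Signature: ed25519.Sign(priv, signedPayload(origin, challenge)),
	}
}

// VerifyAssertion is the relying-party side: the assertion must name the
// relying party's own origin, echo the challenge it issued, and carry a valid
// signature from the key registered for this user.
func VerifyAssertion(pub ed25519.PublicKey, rpOrigin string, challenge []byte, a Assertion) error {
	if a.Origin != rpOrigin {
		return errors.New("origin mismatch: assertion was made for " + a.Origin)
	}
	if !hmac.Equal(a.Challenge, challenge) {
		return errors.New("challenge mismatch")
	}
	if !ed25519.Verify(pub, signedPayload(a.Origin, a.Challenge), a.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	// Constructed demo values; not real secrets or hostnames.
	secret := []byte("constructed-demo-otp-secret")
	now := time.Now().Unix()
	code := OTPCode(secret, now)
	fmt.Println("OTP verifies with no knowledge of where it was typed:", VerifyOTP(secret, now, code))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	const rpOrigin = "https://login.example.com"
	fmt.Println("assertion made at the real origin:",
		VerifyAssertion(pub, rpOrigin, challenge, MakeAssertion(priv, rpOrigin, challenge)))
	fmt.Println("assertion made at a look-alike origin:",
		VerifyAssertion(pub, rpOrigin, challenge, MakeAssertion(priv, "https://login.example-com.test", challenge)))
}
```

The point to take from the two verifiers is where the origin check lives: with the OTP it lives nowhere, so the user's judgement is the only defense; with the signed challenge it is enforced by the relying party on every login, which is what "phishing-resistant" means in practice.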
Considering the Report’s Conclusions
A key aspect of security is to carefully consider end user friction. When friction grows to a sufficiently high but overall unpredictable level, end users typically circumvent or ignore security, particularly regarding passwords. In fact, a recent study calculated that 69% of respondents shared passwords with colleagues and 51% reuse an average of five passwords across business and personal accounts.[ii] So, the report’s recommendation to provide a monthly security “touch” to end users may be difficult for security teams to implement.
So, what’s a security team to do? The answer: implement phishing-resistant MFA, specifically passwordless MFA, across the board – for people (end users and admins), machines (devices and virtual workloads), and interactions (emails and attached documents). Using the 80/20 rule, that will cover 80% of issues, while training hopefully can account for the other 20%. That approach could reduce the recommended frequency of end user interaction to a more manageable level than monthly.
Not As Easy As It Sounds – People, Machine, and Interaction Authentication
While it sounds easy to implement phishing-resistant authentication across the board, some technology realities must be factored into the thought process. There is no single combination of authentication method, authenticator, and credential that will work for all three authentication needs.
Instead, a combination of authentication methods needs to be architected into authentication. The top methods are:
- Certificate-Based Authentication: The combination of certificates and strong authenticators (such as a YubiKey or PIV card) is phishing-resistant, passwordless and highly secure.
- Phishing-Resistant MFA: End user authentication leveraging strong authenticators and a PIN fits the need.
- Public Key Infrastructure (PKI): PKI can authenticate machines (physical devices and virtualized workloads) at scale. PKI can also be used to authenticate emails and any attached documents.
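The PKI item above is the one that scales to machines, and the mechanics are worth seeing once. The Go program below is an added example written for this post, not Axiad's code or any product's: a constructed issuing CA enrols a device by signing a certificate that names the host and is restricted to client authentication, and a relying service checks a presented certificate against the trusted CA, the expected hostname, and the expected key usage. The CA names, hostnames and seeds are constructed values; proof that the device holds the matching private key happens in the TLS handshake and is outside this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCA builds a self-signed issuing CA from a deterministic seed so the
// example is repeatable. It is a constructed stand-in for an organization's
// device PKI, not a production CA.
func IssueCA(seed byte, name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueDeviceCert enrols one machine: the CA signs a leaf certificate whose
// SAN carries the device's hostname and whose extended key usage is client
// authentication. The device keeps its private key; only the public key is certified.
func IssueDeviceCert(ca *x509.Certificate, caPriv ed25519.PrivateKey, hostname string) (*x509.Certificate, error) {
	devPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is the relying-party check a service performs on a presented
// certificate: it must chain to the trusted device CA, be valid now, be issued
// for client authentication, and name the host that is connecting.
func VerifyDevice(cert, trustedCA *x509.Certificate, expectedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, caPriv, err := IssueCA(1, "Constructed Device CA")
	if err != nil {
		panic(err)
	}
	dev, err := IssueDeviceCert(ca, caPriv, "build-01.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled device, trusted CA:", VerifyDevice(dev, ca, "build-01.example.internal"))
	fmt.Println("same cert, different hostname:", VerifyDevice(dev, ca, "other.example.internal"))
	rogue, _, _ := IssueCA(2, "Constructed Unrelated CA")
	fmt.Println("same cert, CA not trusted:", VerifyDevice(dev, rogue, "build-01.example.internal"))
}
```

Note that the hostname and key-usage checks are passed explicitly to Verify: a certificate that merely chains to the right CA is not enough to identify a particular machine, and leaving either option out is a common way for a "PKI for machines" deployment to end up trusting any certificate the CA ever issued.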
Axiad’s SaaS authentication cloud platform supports products for each of the above authentication methods. Further, a single product, Passwordless Orchestration, supports certificate-based authentication, phishing-resistant MFA, and PKI authentication methods. As a result, the product handles people, machine, and interaction (emails and attached documents) authentication.
Wrapping Up: People Attacks Are Here to Stay
To wrap up this blog, I believe strongly that People-centric attacks as described in the SANS Institute report, the Verizon DBIR report, and others are not a transitory trend. People-centric attacks are here to stay and are likely to grow, as social engineering attacks are becoming more sophisticated and span more channels (such as email, text, and voice). The security exposure surface is truly huge, both technologically and psychologically.
The only way to prevent these attacks from a technology standpoint is phishing-resistant passwordless MFA across the board for people, machines, and interactions such as emails and attached documents. However, no technology will be able to completely protect against sophisticated threat actors with well-executed social engineering attacks. Even with phishing-resistant passwordless MFA, end users will still need a reasonable amount of training to stay vigilant. Human risk management will continue to be critical for all businesses looking to protect themselves, their customers, and their operations. Giving users and workers the training and tools needed to protect against phishing attacks, BEC attacks, and more will be vital.
Learn More About Passwordless Authentication
For additional information on how we provide phishing-resistant authentication for people, machines, and interactions, please view our Passwordless Orchestration product page.
[i] SANS Institute, Managing Human Risk report, 6/28/2022.
[ii] Yubico, 2019 State of Password and Authentication Security Behaviors Report, 1/28/2019.