Here are the ideal steps that your organisation can take towards true defence-in-depth across the whole business.
Defence-in-depth is a simple enough idea, similar in concept to the tightly-ranked Roman centuries of the ancient world, with the next line of soldiers awaiting any enemy that hacked their way through the front rank. We can apply the same principle (albeit less violently) as a cybersecurity strategy to protect the most sensitive data at the heart of any organisation’s IT environment. But where the Romans faced a battlefield with a clear front line, the cyber battlefield has no single front at all. The average staff member has access to more than 30 business applications and accounts, any of which can carry privilege and is therefore a target. IT teams need to understand which workforce access areas present the most risk before they can decide where to place their ranked defences.
The first step, then, is working out where these extra layers of defence should go. The simplest way is to follow the data: published research shows which parts of the workforce IT landscape are most at risk, and it consistently shows attackers moving away from traditionally privileged IT admins to target the wider workforce. It is easy to understand why: more than half of an organisation’s workforce has direct access to sensitive corporate data, and they reach it from a variety of locations and on many different devices.
The five workforce access areas at the most risk
Weak or disruptive authentication mechanisms
Around 80 per cent of breaches begin with compromised credentials, so single-factor authentication clearly isn’t enough. Multi-factor authentication (MFA) is now the industry standard, but as defenders innovate, attackers evolve ways to evade legacy MFA policies: QR-code phishing that lures users into completing an enrolment or login flow on the attacker’s behalf, hijacking session cookies so that the second factor is never challenged again, and “MFA bombing” (push fatigue), where a user is flooded with approval prompts until they accept one.
The defensive layer: rather than simply adding more authentication steps, make the existing ones smarter and more autonomous. Security teams should use behavioural analytics and automation to learn each user’s normal access pattern (devices, locations, working hours) and build up, over time, a picture of what constitutes risk for that user. This avoids forcing every user through multiple hoops on every login, while still letting adaptive controls step in with extra layers of defence, such as an additional MFA factor or an outright block, only when the context of a login looks wrong.
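The risk-based step-up decision described above, as an added illustration that is not CyberArk’s code or the original article’s: a login is scored against the user’s known devices, usual countries and working hours, plus an impossible-travel check against the previous login, and only a risky score triggers step-up MFA or a deny. The weights, thresholds, user profile and login events are all constructed for the example.

```python
"""Adaptive step-up MFA: score a login against the user's learned baseline.

Added example; thresholds, weights and the sample profile/events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# Fastest plausible ground/air speed between two consecutive logins (assumed).
MAX_TRAVEL_KMH = 900.0
STEP_UP_SCORE = 30   # at or above: require an extra MFA factor
DENY_SCORE = 70      # at or above: block and alert


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    usual_hours: range                    # local working hours, e.g. range(7, 21)
    last_login: Optional[Tuple[datetime, float, float]]  # (time, lat, lon)


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(profile: UserProfile, event: LoginEvent):
    """Return (score, reasons). Each signal adds an assumed weight to the score."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if event.when.hour not in profile.usual_hours:
        score += 10
        reasons.append("outside usual hours")
    if profile.last_login is not None:
        prev_time, prev_lat, prev_lon = profile.last_login
        hours = (event.when - prev_time).total_seconds() / 3600
        km = haversine_km(prev_lat, prev_lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_TRAVEL_KMH:
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score onto an access decision."""
    if score >= DENY_SCORE:
        return "deny"
    if score >= STEP_UP_SCORE:
        return "step_up"
    return "allow"


def demo():
    """Constructed profile and three logins; returns the decision for each."""
    london, new_york = (51.5074, -0.1278), (40.7128, -74.0060)
    t = lambda h: datetime(2024, 1, 15, h, 0, tzinfo=timezone.utc)
    alice = UserProfile({"laptop-a1"}, {"GB"}, range(7, 21), (t(9), *london))
    events = [
        LoginEvent("alice", "laptop-a1", "GB", *london, t(10)),   # normal
        LoginEvent("alice", "phone-zz9", "GB", *london, t(11)),   # new device
        LoginEvent("alice", "laptop-a1", "US", *new_york, t(11)), # 2h after London
    ]
    return [decide(score_login(alice, e)[0]) for e in events]


if __name__ == "__main__":
    print(demo())
```

The third login is the one the page’s “smart controls” are meant to catch: the device is trusted, yet a known-device login from New York two hours after one from London is physically impossible, so the combined score blocks it rather than merely asking for another factor.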
Unprotected endpoints
Fewer than half of IT teams apply identity security controls to company-supplied user machines. This leaves workstations, servers and virtual machines open to ransomware, phishing and other endpoint-focused attacks, and it only takes one unprotected device to become the starting point of a ransomware attack.
The defensive layer: organisations can combine adaptive MFA at the endpoint login with endpoint privilege controls (removing standing local administrator rights and elevating only specific, approved actions) to address the risk of a hybrid work environment in which any user’s workstation could be the target.
High-risk business applications
Businesses have many wonderful applications at their fingertips, with the average user having access to between five and ten or more high-value business apps. These hold sensitive resources such as customer information, intellectual property and financial data, making them a key target for attackers. Unfortunately, 80 per cent of businesses have seen users misuse or abuse these apps in the last year. Simply requiring a login is not enough to keep them safe: the moment a user steps away from their screen while still logged in, all of that valuable data is exposed to whoever sits down next.
The defensive layer: a login only verifies a user’s identity at one point in time, so effective controls here continue to monitor, record and audit user actions after authentication, including locking idle sessions and flagging high-risk actions such as bulk exports. The extra visibility this gives security teams has many benefits, not least being able to identify the source of a security incident, and therefore respond, much more quickly.
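An added example, not code from the original article or from any vendor product, of the post-authentication monitoring described above: a small session monitor that keeps an audit trail of every action, locks a session that has been idle beyond a limit until the user re-authenticates, and flags high-risk actions and bulk record exports. The idle limit, export threshold, action names and the sample activity trace are all constructed for the illustration.

```python
"""Monitor, record and audit user actions after login (added example).

Idle limit, export threshold and the constructed activity trace are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

IDLE_LIMIT = timedelta(minutes=10)      # assumed: re-auth after this much inactivity
EXPORT_THRESHOLD = 500                  # assumed: records per session before flagging
HIGH_RISK_ACTIONS = {"export_records", "change_bank_details", "delete_customer"}


@dataclass
class Session:
    user: str
    app: str
    last_seen: datetime
    locked: bool = False
    exported: int = 0
    audit: List[dict] = field(default_factory=list)   # the per-session audit trail


class SessionMonitor:
    def __init__(self):
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str, app: str, when: datetime):
        s = Session(user, app, when)
        s.audit.append({"t": when, "action": "login", "verdict": "ok"})
        self.sessions[session_id] = s

    def reauthenticate(self, session_id: str, when: datetime):
        """A locked session is only unlocked by a fresh authentication."""
        s = self.sessions[session_id]
        s.locked = False
        s.last_seen = when
        s.audit.append({"t": when, "action": "reauth", "verdict": "ok"})

    def action(self, session_id: str, name: str, when: datetime, records: int = 0) -> str:
        """Record one action and return its verdict: ok, flag, reauth_required or denied."""
        s = self.sessions[session_id]
        if s.locked:
            verdict = "denied"                      # nothing runs until re-auth
        elif when - s.last_seen > IDLE_LIMIT:
            s.locked = True                         # unattended screen: lock it
            verdict = "reauth_required"
        else:
            s.last_seen = when
            s.exported += records
            verdict = "ok"
            if name in HIGH_RISK_ACTIONS or s.exported > EXPORT_THRESHOLD:
                verdict = "flag"                    # allowed, but raised for review
        s.audit.append({"t": when, "action": name, "records": records, "verdict": verdict})
        return verdict

    def flagged(self, session_id: str) -> List[str]:
        return [e["action"] for e in self.sessions[session_id].audit if e["verdict"] == "flag"]


def demo() -> List[str]:
    """Constructed trace for one CRM session; returns the verdict of each action."""
    t = lambda h, m: datetime(2024, 1, 15, h, m)
    mon = SessionMonitor()
    mon.login("s1", "alice", "crm", t(9, 0))
    verdicts = [
        mon.action("s1", "view_record", t(9, 1)),
        mon.action("s1", "export_records", t(9, 5), records=200),   # high-risk action
        mon.action("s1", "view_record", t(9, 30)),                  # 25 min idle -> lock
        mon.action("s1", "view_record", t(9, 31)),                  # still locked
    ]
    mon.reauthenticate("s1", t(9, 32))
    verdicts.append(mon.action("s1", "export_records", t(9, 33), records=400))  # 600 total
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The point of the audit list is the page’s incident-response argument: when something goes wrong, the trail already names the user, the app, the time and the action, so the investigator does not have to reconstruct it from scattered logs.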
Third party vendors
Almost all businesses benefit from using third-party tools, but they bring risk too, as integration often means granting the vendor highly privileged, often administrator-level, access to the client’s systems. Unfortunately, this is growing as an attack vector, with over 90 per cent of organisations reporting a security incident linked to an external partner.
The defensive layer: it is important to strike a careful balance between security and productivity, as it makes no sense to cripple the purpose of a third-party product with overbearing controls. Systematising how third-party privileged access is vetted, granted and monitored will go a long way, especially if it can be done without relying on VPNs, shared passwords or software agents installed on the vendor’s side.
Credentials living outside of single sign-on
We already know that the key to reducing identity compromise is properly securing user credentials. Single sign-on (SSO) is the most efficient way to do this, but given the variety of services each individual uses, numerous apps and logins inevitably end up outside that environment, and some apps simply don’t support modern, context-based authentication. To make matters worse, those logins and passwords are often stored in insecure places such as spreadsheets or notes, or shared among colleagues for convenience.
The defensive layer: where SSO can’t be implemented, it is essential that all users have access to strong, enterprise-grade, vault-based password storage. Any user can become privileged in the right circumstances, so every user’s credentials should be protected with the same care as an IT admin’s. A password vault not only increases overall visibility and control for the security team; it also makes life easier for users, who can capture and retrieve credentials automatically as needed rather than re-typing or sharing them.
Building up those defensive layers
In the process of stacking these defensive layers, it is important to pay attention to the particulars of each organisation’s own attack surface. Approaching user security holistically, layer by layer, and with a zero trust attitude top of mind produces more robust defences overall.
David Higgins is senior director field technology office at CyberArk