2021 saw an increase in the number of high-profile security breaches, many involving devastating ransomware attacks. Attackers preyed on traditionally softer targets like hospitals, schools, and local governments in addition to the continued focus on the supply chain. Although the root cause of many of these cyber attacks varies, all took advantage of single-factor authentication, weak multi-factor authentication (e.g. OTP), or exposed secrets (e.g. SAML signing keys).
The impact these attacks have had on critical infrastructure has spurred the White House into action with an executive order mandating adoption of robust security practices, including the use of MFA by Federal agencies.
In 2022, Chad Thunberg, CISO of Yubico, expects the trend of extorting victims with ransomware to continue, due in large part to the success that ransomware groups had in 2021. Additionally, it’s expected that there will be additional emphasis on regulations to help accelerate maturing information security practices and principles within vulnerable industries.
Here are Yubico’s top information security recommendations for 2022:
1. Zero Trust architecture needs to be a primary initiative for companies
The SolarWinds incident and the recent Log4j vulnerability highlighted that critical internal systems for some companies have permissive access to the internet and untrusted systems despite decades of advocating for least privilege and isolation.
Zero Trust security models further that conversation, but with a fundamental change in how we approach information security. Instead of assuming the internal environment can be trusted, Zero Trust starts with the presumption that the environment is hostile. Trust is established through inspection and strong authentication, but it is ephemeral: trust must be re-established periodically. In theory, this should limit the impact of a successful breach through a limited window of opportunity and increased isolation.
The focus on Zero Trust gained even more strength last May when the Biden administration called for modernising the federal government’s MFA profile. The Zero Trust Maturity Model that the government released in September outlines seven tenets of Zero Trust and leaves no doubt that companies will have to act to comply with those pillars in order to stay secure from increasingly sophisticated and widespread cyberattacks in 2022.
2. Companies must adopt phishing-resistant MFA
Phishing, credential stuffing, and other password-based authentication threats will continue to present significant risk to companies. Attackers have demonstrated they are capable of gaining access to internal networks where single-factor authentication and weak MFA are still prevalent. Stolen credentials provide attackers with the means of persisting in the environment without the need to exploit vulnerabilities or take other actions that would increase the likelihood of detection.
Because the YubiKey supports multiple authentication protocols, it can provide a bridge for companies interested in an incremental transition from single-factor authentication and legacy MFA like OTP to modern FIDO-based protocols that are resilient to common attacks like phishing.
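As an added illustration of why FIDO-based login resists phishing where an OTP does not (this is example code written for this page, not Yubico's or the article's): a stdlib-only Python sketch of the relying-party checks on a WebAuthn assertion. The domain names are constructed, and an HMAC key stands in for the authenticator's ECDSA P-256 key; the origin and rpIdHash checks, which are the point, are the same either way.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                      # constructed demo values, not from the article
RP_ORIGIN = "https://login.example.com"
# Stands in for the authenticator's private key: real FIDO signs with ECDSA P-256; an HMAC
# key keeps this demo stdlib-only while the origin-binding checks stay identical.
CREDENTIAL_KEY = secrets.token_bytes(32)

def sign(auth_data: bytes, client_data: bytes) -> bytes:
    # Signed message is authenticatorData || SHA-256(clientDataJSON), as in WebAuthn.
    return hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def authenticator_sign(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Browser + authenticator side. The browser fills in the origin it is really running on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sign(auth_data, client_data)}

def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks (simplified WebAuthn section 7.2); returns (accepted, deciding check)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge"   # stale or replayed assertion
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin"      # the anti-phishing check a relayed OTP can never fail
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    if not hmac.compare_digest(sign(assertion["authenticatorData"], assertion["clientDataJSON"]),
                               assertion["signature"]):
        return False, "signature"
    return True, "ok"

def demo() -> dict:
    """Same fresh challenge: genuine, relayed from a look-alike site, and edited before relaying."""
    challenge = secrets.token_bytes(32)
    genuine = authenticator_sign(RP_ORIGIN, challenge, RP_ID)
    # On login.example-com.net the browser scopes the request to that domain (a real key would
    # hold no credential for it at all); relayed to the real RP, it is rejected on origin first.
    phished = authenticator_sign("https://login.example-com.net", challenge, "example-com.net")
    # Rewriting origin and rpIdHash to look genuine breaks the signature instead.
    tampered = {"clientDataJSON": phished["clientDataJSON"].replace(b"example-com.net", b"example.com"),
                "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + b"\x01",
                "signature": phished["signature"]}
    return {"genuine": rp_verify(genuine, challenge), "relayed": rp_verify(phished, challenge),
            "tampered": rp_verify(tampered, challenge)}
```

A six-digit OTP carries none of this context, which is why a code typed into a look-alike page verifies just as well as one typed into the real one.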
3. Companies need to get over the fear of the cloud
Some companies and industries continue to see the cloud as a threat, due in large part to the perceived security benefits of maintaining control. Whether true or not, the cloud does offer a robust set of security features and protocols. When used appropriately, many of the threats large organisations are struggling with today, like ransomware and business email compromise, are largely mitigated. The combination of federated identity, strong multi-factor authentication, and cloud-based file storage is powerful for companies large and small. Mutual TLS-based authentication and encryption can usually be enabled with nothing more than a checkbox, with the complexities of PKI managed and automated in the backend. Additional oversight and control are also available to those that are interested in, and mature enough for, managing their own secrets.
Wholesale cloud adoption is not required in order to gain the benefits of federated identity and strong multi-factor authentication. Most modern identity provider offerings support the FIDO protocols, SAML, and OpenID Connect to assist with integration of on- and off-premise applications. A comprehensive list of identity providers that support FIDO2/WebAuthn can be found in Yubico’s Works with YubiKey catalog.
4. Plan for ransomware
Organisations with traditional perimeter models and legacy infrastructure based on technologies like Active Directory must have a robust plan in place to respond to a ransomware attack. The plan must consider topics beyond detection and recovery, like insurance coverage, outside counsel, and plans to pay the ransom if recovery fails. Insurance plans may cover only the cost of hiring a third party, and only when an approved vendor is used. There may also be limits to what is covered. We’ve recently seen changes to coverage based on whether the attacker is a nation-state or not.
Once a plan is in place, it should be tested, especially any backups.
5. Supply chain security requires more care
In 2021, the SolarWinds incident and the Log4j vulnerability not only reminded us how fragile our supply chains are but also highlighted that business-critical and highly sensitive systems still have the ability to arbitrarily connect to untrusted systems on the internet. We should remind ourselves that we have a mutual responsibility to ensure the secure design, development, and operation of technology. Vendor assurance processes littered with non-standard questionnaires cannot, on their own, secure the supply chain.
Companies involved in a supply chain will have to establish mutual trust by implementing good information security practices throughout their development process and being able to demonstrate them externally. Ideally, the entire development process from code commit to release would be secured with strong authentication, robust integrity controls, and least-privilege authorisation models. Companies deploying that technology must follow industry-accepted practices (e.g. Zero Trust) to ensure the technology stays secure through isolation, patching, and resilient access control models.
The Log4j vulnerability highlighted the importance of securing commonly used and critical open source software. When the software is freely available, who is responsible for its security? We expect to see a return to conversations related to a “Cyber UL” as well as government grants to comply with yet-to-be-defined FAR and DFAR requirements. The recent Open Source security summit may be the precursor to something more formal from the U.S. Government.
6. User privacy will continue to be a focus for regulators
Gartner recently predicted that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. As more laws like GDPR and CCPA continue to be implemented around the world to tackle the security and privacy of millions of people, the new issue organisations will face is managing multiple pieces of data protection legislation across jurisdictions.
Companies must protect regulated information throughout its lifecycle and not just at the point of entry. While CCPA and GDPR do not impose requirements for authentication, we expect to see more and more prescriptive requirements as other jurisdictions develop their own.