4 Things a Data-Driven Defense Evangelist Wants You to Know
This year’s Cybersecurity Awareness Month theme is “See Yourself in Cyber” – highlighting the “people” part of cybersecurity. As security professionals, we know the importance of our digital actions, but that awareness isn’t innate for everyone.
It can be tough to imagine ourselves in the shoes of the marketing manager or financial analyst who trusts an email link without verifying or connects to a Starbucks WiFi to complete their banking. When security is constantly on the brain, it’s easy to take our healthy level of paranoia for granted. But not everyone operates in that mindset. Yet the success of the controls we put in place depends on the actions of all types of people with varying levels of security awareness.
To help raise awareness for all, throughout October, Cadre will be sharing resources around key action steps that everyone should take according to CISA, including:
• Enabling Multi-Factor Authentication
• Using Strong Passwords
• Recognizing and Reporting Phishing
• Updating Software
To kick things off, we’ve interviewed KnowBe4’s Data-Driven Defense Evangelist, Roger Grimes. Roger is a 30+ year senior computer security consultant and cybersecurity architect with 13 books (9 solo and 4 co-written) and more than 1,100 national magazine articles on security. During his career, Roger has worked tirelessly to make the internet a safer place for all.
Read on to find his answers to our most pressing questions this Cybersecurity Awareness Month:
1. Ransomware is always a hot topic when it comes to security awareness, but it is also something that companies still struggle with. Why do you think that is?
Roger: Ransomware is just the flavor of the month for malware and hacker attacks. It changes over time. When I first began fighting hackers and malware in 1987, DOS boot viruses and Mac executable viruses were the big worry. Then, DOS file viruses became a big deal, followed by Windows viruses, email worms with malicious file attachments, spam-sending worms, USB worms, pass-the-hash attacks, and so on. Every five years or so we get a new thing that becomes #1 that we need to worry about the most. But essentially, the constant trend among hackers and malware has been to increase the monetization of the attacks.
Ransomware is a big way to get lots of money, and so it's sticking around longer than the others. The future of malicious hacking is where the ransomware groups morph into generalized hacking groups, hacking and making money in different ways, depending on the victim. They are already doing that now and the trend is increasing. But no matter what the threat or motivation, the primary two ways that they break and exploit a target have remained fairly consistent over the entirety of computers -- and that is social engineering and unpatched software.
Social engineering is involved in about 70% to 90% of attacks and unpatched software is involved in about 20% to 40% of attacks. That hasn’t changed in over 4 decades. Those two attack methods are responsible for 90% to 99% of all attacks. Yet, the average organization spends less than 5% of its IT budget to mitigate them. It is that continuing, fundamental misalignment with the ways we are attacked most often against the ways we mitigate that continues to allow hackers and malware to be as successful as they are. Until we address that fundamental misalignment of mitigations against the right threats, it won’t get better.
2. Speaking of recovery vs. prevention, it’s common to see heads nod about needing backups to prevent adversaries from having the power during a ransomware attack. Realistically, that won’t stop social engineering. Where should companies put their efforts to achieve recovery AND prevention?
Roger: We need to do far more on prevention. You’ll have to get someone else to promote recovery because my life and professional career are focused on prevention.
Most organizations don’t do enough to prevent exploitation. Every organization needs to focus on prevention more, including aggressive security awareness training, perfect patching, using phishing-resistant MFA where they can, and using very strong passwords (12 characters or longer if fully random, or 20 characters or longer if made up in your head) where MFA can’t be used. Those mitigations, if done very well, will prevent the vast majority of attacks. Nothing else you can do or deploy will be as effective. Hacking and malware are so bad because most defenders don’t concentrate on those four things.
3. Even though MFA is a widely recommended defense, it is much easier to bypass than most would think. For those that are skeptical about this control, what should people focus on to make MFA phishing resistant?
Roger: 90%-95% of today’s MFA is easily phishable and as easy to steal or bypass as a password. Everyone should use phishing-resistant MFA whenever they can to protect valuable data and systems.
Easily phishable MFA includes any MFA that is tied to your phone number (e.g., SMS-based MFA), is considered push-based MFA, or MFA that sends you a code that you then enter on a website or application. The US government has been saying not to use these easily phishable forms of MFA since at least 2017. Unfortunately, most people use easily-phishable forms of MFA. They should, however, be using phishing-resistant forms of MFA. I have a list on LinkedIn of phishing-resistant MFA that I keep updated.
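The distinction Roger draws above comes down to what the relying party actually checks. The following is an added simulation (not code from the interview, Cadre or KnowBe4) that contrasts a typed-in code, which the server verifies with no knowledge of where the user entered it, against an origin-bound assertion in the FIDO2/WebAuthn model, where the browser fills in the origin and the server rejects anything not made for its own origin. HMAC stands in for the authenticator's signature (real WebAuthn uses an asymmetric key pair), and the hostnames are constructed.

```python
"""Constructed simulation: a six-digit code versus an origin-bound assertion.
HMAC stands in for the authenticator's signature; hostnames are made up."""
import hashlib
import hmac
import secrets
import struct
from urllib.parse import urlparse


# --- Code-based MFA: the relying party checks six digits and nothing else ---
def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style code (RFC 4226 dynamic truncation); TOTP uses a time-based counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def rp_verify_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """Nothing in this check describes where the user typed the code, so a code
    captured on any page looks identical to one typed on the genuine site."""
    return hmac.compare_digest(otp_code(secret, counter), submitted)


# --- Origin-bound MFA: browser and relying party both tie the assertion to the origin ---
def browser_allows(rp_id: str, origin: str) -> bool:
    """A WebAuthn client only offers a credential if rp_id is the current host or a parent domain."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class SimAuthenticator:
    def __init__(self) -> None:
        self._creds = {}  # rp_id -> credential secret (stand-in for a private key)

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # simplification: the RP keeps the same secret (really a public key)

    def assertion(self, rp_id: str, challenge: bytes, origin: str):
        # The browser, not the user, fills in the origin; the user cannot "type" a different one.
        client_data = f"{origin}|{challenge.hex()}".encode()
        to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._creds[rp_id], to_sign, hashlib.sha256).digest()
        return client_data, sig


def rp_verify_assertion(cred_secret: bytes, rp_id: str, expected_origin: str,
                        challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying-party check: origin and challenge must match ours before the signature is even considered."""
    origin, _, challenge_hex = client_data.decode().partition("|")
    if origin != expected_origin or challenge_hex != challenge.hex():
        return False
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, sig)


def demo() -> dict:
    """Outcome of each check for one user on the genuine origin and on a lookalike (both constructed)."""
    genuine, lookalike = "https://login.example.com", "https://login.example-com.net"
    rp_id = "example.com"

    otp_secret, counter = secrets.token_bytes(20), 42
    code = otp_code(otp_secret, counter)  # what the user reads off their phone

    auth = SimAuthenticator()
    cred = auth.register(rp_id)
    challenge = secrets.token_bytes(32)
    cd_ok, sig_ok = auth.assertion(rp_id, challenge, genuine)
    # An assertion made while the browser sits on the lookalike origin; a real client would
    # refuse to produce it at all (see browser_allows), but the RP check is the backstop.
    cd_bad, sig_bad = auth.assertion(rp_id, challenge, lookalike)

    return {
        "otp_check_takes_no_origin_input": rp_verify_otp(otp_secret, counter, code),
        "browser_offers_credential_on_genuine": browser_allows(rp_id, genuine),
        "browser_offers_credential_on_lookalike": browser_allows(rp_id, lookalike),
        "assertion_from_genuine_verifies": rp_verify_assertion(cred, rp_id, genuine, challenge, cd_ok, sig_ok),
        "assertion_from_lookalike_verifies": rp_verify_assertion(cred, rp_id, genuine, challenge, cd_bad, sig_bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the run is structural: `rp_verify_otp` has no parameter that could carry the origin, so there is nothing for the server to reject, whereas the origin-bound path fails twice over (the client declines to use the credential, and the server would refuse the assertion anyway) without any user judgement being involved.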
4. It can be overwhelming, especially for smaller or resource-constrained companies, to accomplish everything on CISA’s list and have users comply. Do you have any advice on how to make these aspirational goals achievable?
Roger: Yes. Just do four things very well:
1. Mitigate social engineering: focus on educating your employees about how to be skeptical of unexpected messages asking them to do something they’ve never done before for that requestor. That’s 70%-90% of the problem. Imagine…just do that well…training your end-users…and 70%-90% of your problem goes away.
2. If you have any software or firmware that’s on CISA’s Known Exploited Vulnerabilities Catalog, patch it ASAP. Do it perfectly.
3. Use phishing-resistant MFA where you can to protect valuable data and systems.
4. When you can’t use MFA, use a password manager to create long and complex, different passwords for every site and service.
Whether or not you are hacked is mostly related to these four things. Nothing else you could do recommended by anyone else could do as much to improve your cybersecurity risk. It is every organization’s inability to correctly put the right resources in the right amounts against the right things that continues to allow hackers and malware to be so successful. Change it! Defeat them. Fight the good fight the best way.
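Roger's password guidance (12 characters or longer if fully random, 20 or longer if made up in your head, and a different one for every site) is easy to turn into working code. The block below is an added example, not code from the interview or from any password manager; it uses only the Python standard library, the 94-symbol alphabet is a conventional choice, and the offline guess rate passed to `guess_time_years` is an assumption the caller supplies for risk estimation.

```python
"""Added example: generate random passwords the way a password manager does,
and measure their strength in bits. Alphabet and sample sites are constructed."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < 12:
        raise ValueError("fully random passwords should be 12 characters or longer")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, human_made: bool) -> bool:
    """12+ characters if fully random, 20+ if a person made it up."""
    return len(password) >= (20 if human_made else 12)


def unique_passwords_for(sites: list[str], length: int = 16) -> dict[str, str]:
    """One freshly generated password per site, so a breach at one site exposes nothing elsewhere."""
    return {site: generate_password(length) for site in sites}


def guess_time_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to cover half the keyspace at an assumed offline guess rate."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sites = ["mail.example", "bank.example", "shop.example"]  # constructed names
    for site, pw in unique_passwords_for(sites).items():
        print(f"{site}: {pw}")
    bits = entropy_bits(12)
    print(f"12 random chars from {len(ALPHABET)} symbols = {bits:.1f} bits")
    print(f"at 1e12 guesses/s (assumed): ~{guess_time_years(bits, 1e12):,.0f} years")
```

The reason 12 fully random characters are acceptable while a human-chosen password needs 20 is visible in `entropy_bits`: the estimate is only valid when every character is drawn uniformly, which is exactly what a password manager guarantees and a person does not.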
Thank you to Roger for spending time with us answering these need-to-know questions on ransomware. For even more insight from him, read his book, Ransomware Protection Playbook.
Looking for more free resources? Watch our on-demand webinar with Roger, How Ransomware Has Gone Nuclear & Many Ways to Hack MFA.