Jargon Buster: Untangling The Complexity In Cybersecurity 

Uploaded on 2023-09-22 in NEWS-Cybersecurity News, FREE TO VIEW

Security on devices affects us all. So, wouldn’t it be helpful to all if we went back to basics again to explain and design security in a way that makes it easy?
 
The root of the problem in cybersecurity is that we expect every person on the planet to be an expert in actively defending themselves and their companies. We don’t expect everyone to understand glide slopes to land their own planes - we have pilots for that.

Strangely though, we do expect everyone to understand how to inspect links in their email and make informed decisions about whether to click them. With potentially devastating consequences for those individuals and companies that get this wrong, it’s hard to see why this is accepted practice.  
 
I don’t think it’s realistic to explain everything in security in a way the average person would instantly understand. It’s not realistic in astrophysics or any other complex field. What will really help is if we move to systems that are secure enough by design so that the average person can use them safely without needing a PhD in Hyperlinks. Like air travel, the average person needs to be able to just get on the plane and get off at their destination, rather than being forced to do airspeed calculations mid-flight - a situation we see with many existing security “solutions” in practice.  

Untangling The Complexity Of Cybersecurity By Design

What do all spy movies - from Austin Powers to James Bond - have in common? Disguise. Cybersecurity is no different - attackers attempt to imitate legitimate users to evade detection and expulsion from the network, disguising themselves to evade detection by the adversary.  
 
In the olden days of passwords and John le Carré spies, a single “yes” - whether a password check or a passport check - granted access to whole countries and networks. Today, however, we use more modern factors to decide whether a person is a spy in disguise or just a weirdly dressed citizen.  Here is the top glossary of terms of modern ‘never-trust, always-verify’ security solutions that effortlessly by design allow people, devices to stay secure wherever they are located. 

Next Generation “phishing-resistant” Multi-Factor Authentication (MFA) 

First-Generation MFA simply uses multiple phishable factors. For example, a password, plus a one-time code sent over SMS text messages, or a password and a magic-link sent via text.  Passwords and weak MFA can, at best, perform as a doorstop to cybercriminals — at worst, allow adversaries to step right in with unsophisticated tactics. 

Next generation MFA, or phishing resistant MFA phishing-resistant MFA, implements only strong authentication factors such as device biometrics, FIDO-based cryptographic passkeys, and hardware security keys which remain very difficult even for a very sophisticated adversary – acting as the padlock to shut and block the front door to cyber criminals.

Passwordless

Replacing passwords with asymmetric cryptography that employs public/private key pairs creates a phishing-resistant authentication process. Users are authenticated effortlessly by proving they possess the enrolled device and that it is bound to the user’s identity. And since the private part of the key pair remainse securely stored in purpose built device hardware (Trusted Platform Module or Enclave) and doesn’t move across the network - it can’t be stolen.
 
Getting rid of passwords and permanently tying identities and devices together using strong cryptography is like stopping spies from changing their clothes and appearance and requiring them to wear orange hats - it gets a lot easier to just stop them at the front gate.

Zero Trust Authentication 

Eliminating phishable factors and the risk from an end-user disclosing factors is the “never trust; always verify” model of Zero Trust and can be applied to authentication. 

A Zero Trust authentication approach also requires continuous risk-based monitoring.  To do this, signals from other systems are incorporated- EDR/XDR, and MDM - comparable to tapping national and international security databases to determine the risk posed by a given individual. 

Getting Real: Taking Responsibility For Breaches     

Four of five breaches stem from password misuse. From the Verizon DBIR to the CrowdStrike GTR, the numbers always hover around 80% of breaches that are traced back to passwords. Attackers have learned how to bypass first-generation MFA - and they do it regularly. From SolarWinds to Uber, most breaches in the news involve bypassing phishable MFA systems. 
 
To keep customers safe, not from Dr Evil but from the real-life adversaries that want a share of their bank accounts, we need to move them to Zero Trust Authentication, which unites inherent technical defence against phishing and other account takeover attacks with device trust and validation to effectively prevent intrusions that can lead to breaches. 

Chris Meidinger is Technical Director, EMEA at Beyond Identity                   Image: fauxels

You Might Also Read: 

Simplicity In Complexity: The Key to Successful Threat Exposure Management:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Exploring How Generative AI Is Contributing To Cybersecurity Threats & Risks
Europol Identifies The Top Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CERT Bulgaria (CERT.BG)

CERT Bulgaria (CERT.BG)

CERT Bulfaria is the National Computer Security Incidents Response Team for Bulgaria.

Sepio Cyber

Sepio Cyber

Sepio is the leading asset risk management platform that operates on asset existence rather than activity.

ATIS Systems

ATIS Systems

ATIS Systems offers first-class complete solutions for legal interception, mediation, data retention, and IT forensics.

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Government CSIRT - Chile

Government CSIRT - Chile

Government CSIRT is the Computer Security Incident Response Team for State networks and government cyberspace in Chile.

Synectics Solutions

Synectics Solutions

Synectics deliver solutions for reducing risk, combating financial crime, and enabling organisations to meet their compliance and regulatory commitments.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

Andreessen Horowitz (a16z)

Andreessen Horowitz (a16z)

Andreessen Horowitz (known as "a16z") is a venture capital firm in Silicon Valley, California that backs bold entrepreneurs building the future through technology.

Global Resources

Global Resources

Global Resources' planning and management capabilities support city, regional, and national utility and infrastructure management, and information systems and cyber security service delivery.

RedHunt Labs

RedHunt Labs

RedHunt Labs is a premier Cybersecurity Solutions provider, offering Attack Surface Management solution 'NVADR' and Penetration Testing services.

QAlified

QAlified

QAlified offer independent testing and quality assurance services for software projects including security testing.

AWARE7

AWARE7

IT security for human and machine. With the help of our products and services, we work with you to increase the IT security level of your organization.

Riot Security

Riot Security

In today's world, most successful cyberattacks start by a human failure. Riot have developed a platform that makes it easy to prepare your employees for cyberattacks, in a way they love.

Cyber Octet

Cyber Octet

Cyber Octet is an IT Solution, Security, Training and Services company. We provide training and services from Web Application Security to ISO 27001 implementation.

Panoptic Cyber

Panoptic Cyber

Panoptic Cyber are a team of elite Armed Forces Veterans who hold a wealth of experience in Information Security, Cyber Security, Data Protection and Risk Management.

EGUARDIAN

EGUARDIAN

EGUARDIAN serves as a Value-Added Distributor and technology enabler in the APAC region with the aim of further expanding globally and cater to the needs of the demands with the emerging technology.