By Thom Otten and Ewout Vermeulen Where there was once a clear watershed between internal infrastructure and the outside world, the rise of the internet, and more recently of working from home, has made the traditional perimeter a thing of the past. Data, applications and users now live in a diffuse world in which data and applications are accessed sometimes from within the traditional perimeter and sometimes from home or on the road. As a result, threats from the inside and from the outside have become comparable in size. In another blog post we discussed the characteristics of insider risk and the appropriate actions. Below we look at the current outsider risks and which actions are appropriate now.
While insider risk involves actors that we know, with outsider risk the perpetrator is unknown. In this context it is important to recognize that more and more cyber-attacks take place via supply chains; an estimate attributed to the American National Institute of Standards and Technology (NIST) puts the share at no less than eighty percent. The organization is compromised through a vulnerability at a (software) supplier. Well-known recent examples are the vulnerabilities in Citrix and SolarWinds software. Precisely because of this trend, good threat intelligence is increasingly important. Gartner defines it as ‘evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to assets. This information can be used to inform decisions regarding the subject’s response to that threat or hazard.’
The motives of outsider risk actors do not differ much from those of insiders: monetary gain comes first. Among outsiders we also see activist or political motives, and in recent years it has become clear that state actors are very active in cybercrime. Spying on governments to follow or influence political decisions, or stealing intellectual property from companies, is widespread. The means used are well-known: malware and ransomware, delivered through phishing, Business Email Compromise (BEC) or brute-force attacks on credentials.
Role of IAM
To counter all these threats, companies invest in Identity and Access Management (IAM) platforms. According to the ISC2 2021 Cyberthreat Defense Report, adaptive authentication currently still ranks first. In this approach, two-factor or multi-factor authentication is required based on risk signals such as the user's role, the sensitivity of the requested resource, the location, and the time or day of the week. The system learns from user behavior and can strike a good balance between convenience and security. In second place comes password management with automatic reset, in third place Privileged Access Management (PAM), followed by Identity as a Service (IDaaS).
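To make the adaptive-authentication idea concrete, here is an added example (not code from the original post or from any IAM product) of a small risk-based policy engine. It scores a login attempt on the signals named above: privileged role, resource sensitivity, unknown device, off-hours access, and an "impossible travel" check against the user's previous location. The weights, thresholds, the 900 km/h plausibility limit, and the sample login contexts are all assumptions chosen for illustration; a real deployment would tune them from observed user behavior.

```python
"""Risk-based (adaptive) authentication decision: allow, step up to MFA, or deny.

Illustrative example; weights, thresholds and sample data are assumptions,
not values from the blog post or from any vendor's product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Illustrative policy weights and thresholds (assumed, not from the post).
ROLE_WEIGHT = {"employee": 0, "admin": 30}
SENSITIVITY_WEIGHT = {"low": 0, "medium": 20, "high": 40}
UNKNOWN_DEVICE_WEIGHT = 25
OFF_HOURS_WEIGHT = 15
IMPOSSIBLE_TRAVEL_WEIGHT = 50
MAX_PLAUSIBLE_KMH = 900.0        # faster than any commercial flight
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80


@dataclass
class LoginContext:
    user: str
    role: str
    resource_sensitivity: str    # "low", "medium" or "high"
    lat: float
    lon: float
    when: datetime               # timezone-aware
    device_known: bool
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_seen: Optional[datetime] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (spherical earth, r=6371 km)."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the risk signals for one login attempt; return score and reasons."""
    score, reasons = 0, []
    w = ROLE_WEIGHT.get(ctx.role, 10)          # unknown roles get a small penalty
    if w:
        score += w
        reasons.append(f"role={ctx.role}")
    w = SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    if w:
        score += w
        reasons.append(f"resource sensitivity={ctx.resource_sensitivity}")
    if not ctx.device_known:
        score += UNKNOWN_DEVICE_WEIGHT
        reasons.append("unknown device")
    t = ctx.when.astimezone(timezone.utc)
    if t.weekday() >= 5 or not 6 <= t.hour < 20:   # weekend or outside 06:00-20:00 UTC
        score += OFF_HOURS_WEIGHT
        reasons.append("off-hours access")
    if ctx.last_lat is not None and ctx.last_lon is not None and ctx.last_seen is not None:
        km = haversine_km(ctx.last_lat, ctx.last_lon, ctx.lat, ctx.lon)
        hours = (t - ctx.last_seen).total_seconds() / 3600
        # A non-positive interval is anomalous too (clock skew or replay).
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            score += IMPOSSIBLE_TRAVEL_WEIGHT
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(ctx: LoginContext) -> str:
    """Map the score to an authentication decision."""
    score, _ = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


# Constructed sample logins (not real events). 2024-03-13 is a Wednesday,
# 2024-03-16 a Saturday; AMS/NYC are approximate city coordinates.
_WED_10 = datetime(2024, 3, 13, 10, 0, tzinfo=timezone.utc)
_SAT_23 = datetime(2024, 3, 16, 23, 0, tzinfo=timezone.utc)
AMS = (52.37, 4.90)
NYC = (40.71, -74.01)

SAMPLES = {
    "routine": LoginContext("alice", "employee", "low", *AMS, _WED_10, True),
    "admin_prod": LoginContext("bob", "admin", "high", *AMS, _WED_10, True),
    "travel": LoginContext("alice", "employee", "medium", *NYC, _SAT_23, False,
                           last_lat=AMS[0], last_lon=AMS[1],
                           last_seen=_SAT_23 - timedelta(hours=1)),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        score, reasons = risk_score(ctx)
        print(f"{name:11s} score={score:3d} decision={decide(ctx):12s} {reasons}")
```

The routine weekday login from a known device scores 0 and is allowed; the administrator opening a high-sensitivity resource scores 70 and is stepped up to MFA even on a known device; the login from New York one hour after a session in Amsterdam, from an unknown device at the weekend, scores 110 and is denied. The reasons list is what the system would log so that a SOC analyst can see why a user was challenged.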
The multitude of threats and available point solutions can make it difficult for an organization to make well-informed decisions about its overall security policy. Start by determining the current maturity of your own security: which basic processes are in place, and to what extent do they meet current standards? Security is much more than tools and technology. It requires a holistic approach in which broad security awareness is the starting point.
This blog post focused on outsider risks. In another contribution we discuss insider risks in more detail.
Ewout Vermeulen and Thom Otten are security consultants at Traxion, a provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of the Swiss IT Security Group.