Nabil Hannan, Author at NetSPI (feed last updated Tue, 29 Aug 2023 22:56:26 +0000)

Getting Started with API Security Best Practices
https://www.netspi.com/blog/executive/application-security/get-started-with-api-security-best-practices/
Tue, 13 Jun 2023 14:00:00 +0000

API security has become a top priority and NetSPI’s API pentesting can help you get started with API security best practices.

The post Getting Started with API Security Best Practices  appeared first on NetSPI.

In simple terms, an API (application programming interface) is a piece of software used to talk to other pieces of software. The use of APIs continues to spike with no signs of slowing down. This presents more pathways that have the potential to be exploited, especially if API security isn’t prioritized through activities such as application penetration testing. Oftentimes security for APIs isn’t part of the development phase, but rather addressed after launch, if at all.

The growing need for securing APIs over the last five years inspired the Open Web Application Security Project (OWASP) to create the API Security Top 10, a list of the top API vulnerabilities facing developers and DevSecOps today. The 2023 list was just released and concluded that API1:2023 – Broken Object Level Authorization and API2:2023 – Broken Authentication have remained in the top places for security concerns since 2019, showing us more work is needed to address these core vulnerabilities.

Knowing that more and more APIs are being used to build software, security implications need to be top of mind for all IT leaders.

API Security is the Underdog We’re All Rooting For 

Organizations require clarity on the fact that API security needs to be prioritized alongside other security domains. Traditionally, software goes through security testing as a whole, instead of testing the APIs individually. This form of testing leads to missed information and possible vulnerabilities for adversaries to take advantage of.

Typically software includes many APIs, and automated scanning tools aren’t able to provide comprehensive results. Manual testing is needed to fully understand the breadth of security implications — which is a challenge for many organizations due to time, resource, and budget constraints.

API Security versus Application Security 

API security is a subset of application security that is more challenging because APIs are harder to remember to secure, given their development process and lack of use case foreshadowing.  

When a developer is building small bits of software, like APIs, they may not be able to foreshadow how it will ultimately be used, so security can fall by the wayside. By contrast, when developers build a larger software application (a general application), security professionals often automatically think of adding security controls such as authentication, input validation, or output encoding. The shift that needs to happen when working with APIs is that those automatic security responses are built into the requirements to become an inherent property of the APIs.


API Security Best Practices 

The traditional pillars of AppSec apply to making APIs more secure, such as input validation, output encoding, authentication, error handling, and encryption, to name a few. IT security leaders need to think of these pillars and all the different ways in which APIs can be used to build out comprehensive security controls.

In short, organizations need to build secure development frameworks with APIs that take the security considerations out of the developers’ hands – since they often don’t possess a security-first mindset – and build security directly into the APIs themselves. 

Go back to the basics. Every CISO can benefit from this practice. Just like with general software security, if you don’t go back to the basics first, you won’t be able to mature the program. Right now, the basics are where organizations are struggling. NetSPI’s 2023 Offensive Security Vision Report had similar findings. These foundational security flaws are ever-present, and we’re still challenged by the basics across attack surfaces.
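The point above about building security into the API framework itself, rather than leaving it to each developer, is illustrated here with an added example that is not NetSPI code: a handler that forgets its ownership check (the API1:2023 Broken Object Level Authorization case) beside a small dispatcher that makes the check part of the route declaration. The `Api`, `Principal` and `INVOICES` names, the "support" role and the sample records are all hypothetical.

```python
"""Object-level authorization enforced by the API framework, not by each handler.

Added example (not NetSPI code). It models API1:2023 Broken Object Level
Authorization (BOLA): a handler that forgets its ownership check returns
another user's record. The dispatcher below makes the check part of the route
declaration, so a handler cannot leave it out. All names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """The authenticated caller (authentication already happened); roles are constructed."""
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


# Constructed sample data: each invoice belongs to exactly one user.
INVOICES: Dict[str, dict] = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 9999.00},
}


class NotFound(Exception):
    """Raised both for unknown ids and for ids the caller may not access."""


def legacy_get_invoice(principal: Principal, invoice_id: str) -> dict:
    """'Before' style: authorization is each handler's job, and this one
    forgot it, so any authenticated caller can read any invoice (BOLA)."""
    return INVOICES[invoice_id]


OwnerLookup = Callable[[str], Optional[str]]


class Api:
    """Minimal dispatcher: a route that addresses an object must say how to
    find its owner, and the dispatcher checks ownership before the handler runs."""

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[Callable, Optional[OwnerLookup], FrozenSet[str]]] = {}

    def route(self, name: str, *, owner_of: Optional[OwnerLookup] = None,
              allow_roles: Tuple[str, ...] = ()):
        def register(fn: Callable) -> Callable:
            self._routes[name] = (fn, owner_of, frozenset(allow_roles))
            return fn
        return register

    def call(self, name: str, principal: Principal, object_id: str):
        fn, owner_of, allow_roles = self._routes[name]
        if owner_of is not None:
            owner = owner_of(object_id)
            if owner is None:
                raise NotFound(object_id)
            if owner != principal.user_id and not (principal.roles & allow_roles):
                # Same response for "not yours" as for "does not exist", so the
                # error does not confirm which ids are valid.
                raise NotFound(object_id)
        return fn(principal, object_id)


api = Api()


@api.route("get_invoice",
           owner_of=lambda invoice_id: INVOICES.get(invoice_id, {}).get("owner"),
           allow_roles=("support",))
def get_invoice(principal: Principal, invoice_id: str) -> dict:
    """Hardened handler: by the time this runs, the caller has been verified
    as the owner or as holding the "support" role."""
    return INVOICES[invoice_id]


def is_denied(route: str, principal: Principal, object_id: str) -> bool:
    """True when the dispatcher refuses the call."""
    try:
        api.call(route, principal, object_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    bob = Principal("bob")
    print("legacy handler leaks owner:", legacy_get_invoice(bob, "inv-1001")["owner"])
    print("framework denies bob -> inv-1001:", is_denied("get_invoice", bob, "inv-1001"))
```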

Questions to Consider Before API Pentesting 

API penetration testing is conducted in a similar manner to traditional web application testing. However, there are several nuances to API pentesting that must be considered during the scoping phase. Overall, consultants require engagement from API developers to ensure that testing is done thoroughly. These questions explore what is specifically needed to maximize API pentesting success – from the very beginning.

1. Production vs Staging: Is it possible to provide testers with an API staging environment? 

NetSPI recommends providing penetration testers with a staging API environment. If testing is done in staging, the testers can use more thorough and invasive/comprehensive attacks. If testing is done in production, then testers will be forced to resort to more conservative attacks to avoid negatively affecting the system and disrupting the end-users.  

2. Rate Limiting: How is rate limiting implemented on the target API? Is rate limit testing in scope for this engagement? 

By leveraging rate limiting flaws, attackers can exploit race condition bugs or rack up costly service hosting bills.  

3. WAF Disabled: Is it possible to disable the API’s WAF or allowlist the penetration tester’s IP range during the testing window?

If possible, we recommend that API WAFs are disabled when testing occurs. If testing is done in production, consider allowlisting your testing team’s IP range. Read more on how this adds value to API pentesting here.

4. New Features: Are there any new features in scope that we should focus on? 

New features that haven’t been reviewed for security issues are more likely to be vulnerable than hardened code.  

5. Denial of Service (DoS) Testing: During the test, will DoS testing be in scope? 

Denial of Service vulnerabilities of APIs can have a catastrophic impact on software systems.  

6. Source Code Assisted Testing: Will source code be provided to consultants during the test? 

By providing source code, consultants are enabled to test applications more thoroughly without additional cost. For additional information on source code assisted penetration tests, check out our article on “Why You Should Consider a Source Code Assisted Penetration Test.” 

Due to their programmatic nature, APIs require additional customer interaction during the scoping process. By providing testers with the information listed above, testers are able to provide maximum value during an API penetration test and maximize the return on investment.


Predictions for the Future of API Security

Going forward, we’ll likely see a software development paradigm shift over the next five years that combines features from REST and SOAP security. There is likely to be a software development paradigm where some features from each method are used to create a combined superior method – something we’re already starting to see with Adobe and Google. This combination will take security out of the hands of the developers and allow for better “secure by design” adoption. We must enable developers to innovate with confidence.

Additionally, the concept of identity and authentication is changing — we need to move away from the traditional use of usernames and passwords and two-factor authentication, which relies on humans not making any errors. The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 passkeys, and could even impact the OWASP API Security Top 10. This will be developed through APIs. 

APIs provide incredible value with connectivity between systems. They are here to stay, making API security a much-needed focus. NetSPI’s Application Penetration Testing gives your team a proactive advantage with identifying, prioritizing, and remediating vulnerabilities in a single platform. Bring proactivity to your API security by requesting a quote today.

VentureBeat: Why API Security is a Fast-growing Threat to Data-driven Enterprises
https://www.netspi.com/news/netspi-in-the-news/venturebeat-why-api-security-is-a-fast-growing-threat-to-data-driven-enterprises/
Wed, 23 Nov 2022 21:48:12 +0000

On November 23, NetSPI Managing Director, Nabil Hannan, was featured in the VentureBeat article called Why API Security is a Fast-growing Threat to Data-driven Enterprises. Read the preview below or view it online.

+++

As data-driven enterprises rely heavily on their software application architecture, application programming interfaces (APIs) occupy a significant position. APIs have revolutionized the way web applications are used, as they aid communication pipelines between multiple services. Developers can integrate any modern technology with their architecture by using APIs, which is highly useful for adding features that a customer needs.  

By nature, APIs are vulnerable to exposing application logic and sensitive data such as personally identifiable information (PII), which makes them an easy target for attackers. Often available over public networks (accessible from anywhere), APIs are typically well-documented and can be quickly reverse-engineered by malicious actors. They are also susceptible to distributed denial of service (DDoS) incidents.

The most significant data leaks are due to faulty, vulnerable or hacked APIs, which can reveal medical, financial and personal data to the general public. In addition, various attacks can occur if an API is not secured correctly, making API security a vital aspect for data-driven businesses today.

The Future of API Security

“We’re most likely going to see a different software paradigm shift in the next five years that combines features from REST and SOAP security. I believe there will be a software development paradigm where features from each method are used to create a combined superior method,” Nabil Hannan, managing director at NetSPI, told VentureBeat. “This combination will take security out of the hands of the developers and allow for better ‘secure by design’ adoption.”

Hannan said that the concept of identity and authentication is changing, and we need to move away from usernames and passwords and two-factor authentication, which relies on humans not making any errors. 

“The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 keychain. This will be developed through APIs in the near future,” he said.

You can read the full article at VentureBeat!

Datamation: 5 Top Penetration Testing Trends in 2022
https://www.netspi.com/news/netspi-in-the-news/datamation-5-top-penetration-testing-trends-in-2022/
Sun, 20 Nov 2022 20:40:00 +0000

On November 20, NetSPI Managing Director, Nabil Hannan, was featured in the Datamation article called 5 Top Penetration Testing Trends in 2022. Read the preview below or view it online.

+++

Penetration testing is based on the premise that one of the best ways to safeguard the enterprise is to pretend to be a hacker and find the number of ways you can break into a business. 

The FBI uses this strategy. It often recruits criminals such as forgers and thieves who proved especially effective at crime and in thwarting the efforts of law enforcement. These former criminals become consultants who are highly skilled at spotting scams. Frank Abagnale is one of the most famous, the subject of the movie, “Catch Me If You Can”.  

Penetration testing is a formalization of this approach. A series of tools have been developed that are designed to automatically probe the network and systems for different weaknesses. 

1. Understand The External Attack Surface 

Nabil Hannan, managing director, NetSPI, has noted a greater focus on testing and understanding the external attack surface of organizations. 

Over the last two years, with the shift to working from home, businesses had to make drastic and rapid transformations in the way they operate. As a result, not only did the threat model of their business change, but the external facing attack surface of their organization evolved.

Enterprises now have assets that are exposed to the internet and are regularly changing — and these changes are occurring more rapidly with cloud-hosted systems. That’s one of the drivers behind attack surface management solutions, such as NetSPI’s ASM. They are being leveraged by organizations to continuously monitor attack surfaces and proactively identify any areas of risk in a timely manner.

“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities have become key focuses for many organizations,” Hannan said. 

You can read the full article at Datamation!

Security Magazine: National Insider Threat Awareness Month 2022
https://www.netspi.com/news/netspi-in-the-news/security-magazine-national-insider-threat-awareness-month/
Thu, 08 Sep 2022 22:21:00 +0000

On September 8, NetSPI Managing Director Nabil Hannan was featured in Security Magazine’s article on National Insider Threat Awareness Month 2022. Read the preview below or view it online.

+++

September is National Insider Threat Awareness Month, which emphasizes the importance of safeguarding enterprise security, national security and more by detecting, deterring and mitigating insider risk.

The risks of espionage, violence, unauthorized disclosure and unknowing insider threat actions are higher than ever; therefore, maintaining effective insider threat programs is critical to reducing any security risks and increasing operational resilience.

National Insider Threat Awareness Month is an opportunity for enterprise security, national security and all security leaders to reflect on the risks posed by insider threats and ensure that an insider threat prevention program is in place and updated continuously to reflect the evolving threat landscape.

Below, in honor of National Insider Threat Awareness Month, security leaders offer advice on how to reduce insider threat risks effectively.

Nabil Hannan, Managing Director, NetSPI:

To account for internal threats, there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under-addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. 

Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. 

So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.

You can read the full article at Security Magazine!

VMblog: September is National Insider Threat Awareness Month – Experts Weigh In
https://www.netspi.com/news/netspi-in-the-news/vmblog-national-insider-threat-awareness-month-experts-weigh-in/
Tue, 06 Sep 2022 19:01:00 +0000

On September 6, NetSPI Managing Director Nabil Hannan was featured in VMblog’s article on September is National Insider Threat Awareness Month – Experts Weigh In. Read the preview below or view it online.

+++

September marks National Insider Threat Awareness Month, a time dedicated to emphasizing the importance of detecting, deterring and reporting insider threats. This began as a collaborative effort by U.S. government agencies three years ago and has now grown to both the public and private sector.

In honor of the month, industry experts have shared their thoughts on different strategies organizations can use to protect themselves from these threats.

Nabil Hannan, Managing Director, NetSPI 

“To account for internal threats there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.”

You can read the full article at VMblog!

Infosecurity Europe 2022: Observations from the ExCel
https://www.netspi.com/blog/executive/security-industry-trends/infosecurity-europe-oberservations/
Tue, 05 Jul 2022 13:00:00 +0000

Learn about the three key observations from Infosecurity Europe you need to know and what they mean.

Boasting over 350 exhibitors and more than 190 expert sessions, Infosecurity Europe is one of the largest gatherings of cybersecurity professionals in Europe. This year, the NetSPI team made an appearance in the exhibitor hall.

During Infosecurity Europe, NetSPI officially announced its expansion into the EMEA region. We’ve experienced growing demand from EMEA organizations, and we feel that NetSPI is well-positioned to deliver in this region. 

Aside from the hustle and bustle of the conference itself, we devoted much of our time to the exhibitor hall – where we noticed a few interesting themes. Continue reading for our three key observations from Infosecurity Europe and our conversations with the EMEA cybersecurity community. 

Automate Where Necessary 

Walking the floor, the automation message was prevalent among vendor solutions. However, in conversations with end users, the underlying message was that automation needs to serve a purpose, linked to, for example, improving cybersecurity workflows and processes. As Lalit Ahluwalia writes in this Forbes article, the top drivers for automation include the lack of skilled workers, lack of standardization, and the expanded attack surface.

It is also important to understand that technology alone should not be viewed as a “silver bullet.” There is a fundamental need to ensure that skilled humans can triage the data to ensure accurate results and that the information delivered is valuable and actionable.  

Automation should enable humans to do their job better and spend more time on the tasks that matter most (e.g., in penetration testing, looking for critical vulnerabilities that tools cannot find). For more on the importance of people in cybersecurity, read Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can.

Tightening of Venture Capital Funding and Cybersecurity Budgets 

Another heavily discussed topic at Infosecurity Europe centered around funding, budgets, and priorities. 

With the onset of COVID-19, we noticed an over-expansion of cybersecurity vendors – this was evident in the exhibitor space. We attribute this partly to the rise in remote work, increased ransomware attacks in the past year, and companies’ expanding attack surfaces.  

The cause for concern? 

With the current global economic downturn, many vendor solutions are now seen as a “nice to have”, budgets are being squeezed, and end users are prioritizing their investments based on risk.  

We also had conversations with end users who felt that the whole market is becoming a “Noah’s ark” of solutions – i.e., there are a lot of solutions that have been built in the hope that end users see value. We foresee not just a consolidation of the vendors in the market, but also a consolidation of the actual solutions that end users view as critical to their needs.

The reality is that the financial winds of change are blowing: whether it is customers focusing on maximising the return on their budget or investment dollars looking for a home, a tightening is coming. While our industry is relatively well-placed to withstand these financial pressures, the ability to build trusted relationships with our customers and help them achieve tangible positive outcomes will be a key differentiator.

Emphasis on Business Enablement  

It was refreshing to see many vendors focus less on fear, uncertainty, and doubt and more on business enablement and benefits to the customer.  

Understanding how technology supports initiatives that enable a company to grow is a win-win tactic in our book. This is a positive change and one that will help customers understand which products and services are vital as they mature their security programs.  

The Future of Information Security in EMEA 

There is no doubt that cybersecurity is a vital component of every business, and that was evident at the conference. We’re excited to be a part of the momentum in the EMEA region and support the global cybersecurity community through our platform-driven, human-delivered methodology and our focus on business enablement.

Infosecurity Europe may be over, but that doesn’t mean our conversation has to end. Connect with NetSPI today to learn how we can meet your global offensive security needs.


Addressing Application Security Challenges in the SDLC
https://www.netspi.com/blog/executive/application-security/application-security-challenges-sdlc/
Tue, 28 Jun 2022 13:00:00 +0000

Learn how Idan Plotnik, CEO of Apiiro, addresses challenges in application security and tips to help businesses protect against Log4Shell.

In recent years, more organizations have adopted the “shift left” mentality. This concept moves application security testing earlier in the software development life cycle (SDLC) versus the traditional method of implementing security testing after deployment of the application.  

By shifting left, an organization can detect application vulnerabilities early and remediate them, saving time and money, and ultimately not delaying the release of the application.  

But not everything comes wrapped in a beautiful bow. In application security, I witnessed that shifting left comes with its fair share of trouble – two in fact: 

  • Overworked and understaffed teams
  • Friction between application security engineers and development teams 

During his time at Microsoft, Idan Plotnik, co-founder and CEO at Apiiro, experienced these two roadblocks and created an application security testing tool that addressed both. I recently had the opportunity to sit down with him to discuss the concept of shift left and other application security challenges.

Continue reading for highlights from our conversation including contextual pentesting, open-source security, and tips on how a business can better prepare for remote code execution vulnerabilities like Log4Shell. For more, listen to the full episode on the Agent of Influence podcast.  

Why is it important to get more context on how software has changed and apply that to pentesting? 

Idan Plotnik: One of the biggest challenges we are hearing is that organizations want to run pentests more than once throughout the development life cycle but are unsure of what and when to test. You don’t want to spend valuable time on the pentester, the development team, and the application security engineer to run priority or scoping calls in every release. You want to identify the crown jewels that introduce risk to the application. You want to identify these features as early as possible and then alert your pentesting partner so they can start pentesting early on and with the right focus.

It’s a win-win situation.  

On one hand, you reduce the cost of engineers because you’re not bombarding them with questions about what you’ve changed in the current release, when and where it is in the code, and what are the URLs for these APIs, etc.  

On the other hand, you’re reducing the costs of the pentest team because you’re allowing them to focus on the most critical assets in every release.  

Nabil Hannan: The traditional way of pentesting includes a full deep dive test on an application. Typically, the cadence we’ve been seeing is annual testing or annual requirements that are driven by some sort of compliance pressure or regulatory need.  

I think everybody understands why it would be valuable to test an application multiple times, and not just once a year, especially if it’s going through changes multiple times in a year. 

Now, the challenge is that doing these tests can often be expensive because of the human element. I think that’s why I want to highlight that contextual testing allows the pentester to hone in and focus only on the areas where change has occurred.

Idan: When you move to agile, you have changes daily. You need to differentiate between changes that are not risky to the organization or to the business, versus the ones that introduce a potential risk to the business. 

It can be an API that exposes PII (Personally Identifiable Information). It can be an authorization logic change. It can be a module that is responsible for transferring money in a trading system.

These are the changes that you need to automatically identify. This is part of the technology that we developed at Apiiro to help the pentester become much more contextual and focused on the risky areas of the code. With the same budget that you have today, you can much more efficiently reduce the risks.  

Learn more about the partnership between NetSPI and Apiiro. 

Why is open-source software risk so important, and how do people need to think about it? 

Idan: You can’t look at open source as one dimension in application security. You must take into consideration the application code, the infrastructure code, the open-source code, and the cloud infrastructure that the application will eventually run on.  

We recently built the Dependency Combobulator. Dependency confusion is one of the most dangerous attack vectors today. Dependency confusion is where you’re using an internal dependency without a proper naming convention and then an attacker goes into a public package manager and uses the same name.  

When you can’t reach your internal artifact repository or package manager, it will automatically fall back and access the package manager on the internet. Then, your computer will fetch or download the malicious dependency with the malicious code, which is a huge problem for organizations.  

The person who found the dependency confusion attack suddenly received HTTP requests from within Microsoft, Apple, Google, and other enterprises because he found some internal packages while browsing a few websites. He just wanted to play with the concept of editing the same packages with the same name to the public repository.

This is why we need to help the community and provide them with an open-source framework that they can extend, so that they can run it from their CLI or CI/CD pipeline for every internal dependency. Contributing to the open-source community is an important initiative.  
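The fallback Idan describes, modelled in Python as an added example (this is neither Apiiro's Dependency Combobulator nor any real package manager's resolver, and not NetSPI code): a naive resolver that merges every reachable index and takes the highest version, beside a pinned policy that keeps prefixed internal names on the internal registry and treats an outage as an error, plus the collision audit a CI job would run. The two registries, the package names and versions, and the "acme-" prefix are constructed.

```python
"""Dependency confusion, modelled: a resolver that falls back to a public index
picks up a name-squatted package, and a policy that refuses the fallback.

Added example; not Apiiro's tool or any real package manager's resolver. The
registries are constructed in-memory dicts; names, versions and the "acme-"
prefix are made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    registry: str  # "internal" or "public": where the package would be fetched from


# Constructed registries. The internal repo holds the real package; the public
# index carries a same-named package with a deliberately higher version number.
INTERNAL: Dict[str, List[Version]] = {"acme-billing-core": [(1, 4, 0)]}
PUBLIC: Dict[str, List[Version]] = {
    "acme-billing-core": [(99, 0, 0)],  # squatted name
    "requests": [(2, 31, 0)],           # legitimately public
}
INTERNAL_PREFIX = "acme-"  # naming convention reserved for internal packages


def resolve_naive(name: str, internal_up: bool) -> Optional[Candidate]:
    """'Before' behaviour: merge every reachable index and take the highest
    version. When the internal registry is down only the public copy is seen
    (the fallback described above); when it is up, the higher public version
    still wins. Real resolvers differ in detail; this is the behaviour the
    attack relies on."""
    found: List[Candidate] = []
    if internal_up:
        found += [Candidate(name, v, "internal") for v in INTERNAL.get(name, [])]
    found += [Candidate(name, v, "public") for v in PUBLIC.get(name, [])]
    return max(found, key=lambda c: c.version) if found else None


def resolve_pinned(name: str, internal_up: bool) -> Optional[Candidate]:
    """Hardened policy: a name under the internal prefix is fetched only from
    the internal registry, and an outage is an error rather than a fallback."""
    if name.startswith(INTERNAL_PREFIX):
        if not internal_up:
            raise RuntimeError(f"internal registry unavailable; refusing public fallback for {name}")
        versions = INTERNAL.get(name, [])
        return Candidate(name, max(versions), "internal") if versions else None
    versions = PUBLIC.get(name, [])
    return Candidate(name, max(versions), "public") if versions else None


def pinned_refuses(name: str, internal_up: bool) -> bool:
    """True when the hardened policy errors out instead of resolving."""
    try:
        resolve_pinned(name, internal_up)
    except RuntimeError:
        return True
    return False


def find_collisions(internal_names: Iterable[str], public_index: Dict[str, List[Version]]) -> List[str]:
    """Audit check for CI: internal names that also exist on the public index.
    A hit means the name has been claimed publicly and needs investigating."""
    return sorted(n for n in internal_names if n in public_index)


if __name__ == "__main__":
    for up in (True, False):
        c = resolve_naive("acme-billing-core", internal_up=up)
        print(f"naive, internal_up={up}: {c.registry} {c.version}")
    print("pinned:", resolve_pinned("acme-billing-core", internal_up=True))
    print("collisions:", find_collisions(INTERNAL, PUBLIC))
```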

What can organizations do to be better prepared for similar vulnerabilities to Log4Shell? 

In December 2021, Log4Shell sent security teams into a frenzy ahead of the holiday season. Idan and I discussed four simple steps organizations can take to mitigate the next remote code execution (RCE) vulnerability, including:

  1. Inventory. Inventory and identify where the vulnerable components are.
  2. Protection. Protect yourself or your software from being attacked and exploited by attackers from the outside.
  3. Prevention. Prevent developers from doing something or getting access to the affected software to make additional changes until you know how to deal with the critical issue.
  4. Remediation. If you do not have that initial inventory that is automated and happening systemically across your organization and all the different software that is being developed, you cannot get to this step.  

For the full conversation and additional insights on application security, listen to episode 39 of the Agent of Influence podcast.


Solutions Review: Four Ways to Elevate Your Penetration Testing Program
https://www.netspi.com/news/netspi-in-the-news/endpoint-security-elevate-penetration-testing-program/
Fri, 24 Jun 2022 17:35:00 +0000

The post Solutions Review: Four Ways to Elevate Your Penetration Testing Program appeared first on NetSPI.

On June 24, 2022, NetSPI Managing Director Nabil Hannan published an article in Solutions Review called Four Ways to Elevate Your Penetration Testing Program. Read the preview below or view it online.

+++

Let’s set the scene. For years, organizations have undergone compliance-based penetration testing (pentesting), meaning they audit their systems for security vulnerabilities only when a regulatory body mandates it. This “check-the-box” mindset, centered on point-in-time testing, leaves organizations exposed to exploitation between tests.

From August-October 2021 alone, a total of 7,064 new Common Vulnerabilities and Exposures (CVE) numbers were registered – all of which could go undetected if a business does not have an established proactive security posture.

With malicious actors continuously evolving and maturing their attack techniques, organizations must leave this outdated mindset behind and take the necessary steps to develop a comprehensive, always-on penetration testing program. Here’s a look at how this can be accomplished.

Adopt an ‘as-a-Service’ Model

Traditional pentesting programs operate under a guiding principle: organizations need to test their assets only a few times a year to protect their business properly from potential vulnerabilities. During such an engagement, a pentester performs an assessment over a specified period and then delivers a static report listing all of the vulnerabilities found. While once the status quo, this model has many inefficiencies.

With threats increasing, organizations must take a proactive approach to their security posture. Technology-enabled as-a-Service models overhaul traditional pentesting programs by creating always-on visibility into corporate systems. For an as-a-Service model to succeed, the engagement should allow organizations to view their testing results in real-time, orchestrate faster remediation, and perform always-on continuous testing.

This hyperfocus on transparency from both parties drives clear communication, with the pentesters available to address questions or concerns in real time instead of only handing over a static, non-actionable report. It also lets teams truly understand the vulnerabilities in their systems so they can begin remediation before the engagement ends.

Lastly, when working in an as-a-Service model, pentesters can help organizations become more efficient with their security processes, as they work as an extension of the internal team and can lend their industry expertise to help strengthen their clients’ security posture.

Read the full article online here.

TechTarget: How to Address Security Risks in GPS-enabled Devices https://www.netspi.com/news/netspi-in-the-news/techtarget-security-risks-gps-enabled-devices/ Tue, 21 Jun 2022 16:44:00 +0000 https://www.netspi.com/?p=27989 On June 21, 2022, NetSPI Managing Director Nabil Hannan was featured in this TechTarget interview called How to Address Security Risks in GPS-enabled Devices.

The post TechTarget: How to Address Security Risks in GPS-enabled Devices appeared first on NetSPI.

On June 21, 2022, NetSPI Managing Director Nabil Hannan published this article on TechTarget called How to Address Security Risks in GPS-enabled Devices. Read the preview below or view it online.

+++

Trendy consumer gadgets are reaching the market at an expedited rate in today’s world, and the next new viral product is right around the corner. While these innovations aim to make consumers’ lives easier and more efficient, the rapid development of these products often creates security risks for users — especially as hackers and malicious actors get more creative.

When commercial drones were brought to market as recreational tools in 2013, for example, consumers jumped at the chance to use them for a wide range of personal purposes, from photography to flying practice. Many security risks emerged, however, and it became clear that drones can be used maliciously for anything from tracking and monitoring to causing physical harm and societal disruption.

GPS-enabled devices are now experiencing the same growing pains.

The Current Threat Environment

GPS-enabled devices have been on the market for a while, but consumer use has boomed in recent years. The newest device making waves is Apple’s AirTag — a small device that tracks personal items such as keys, wallets and backpacks.

With an affordable price tag, consumers have jumped at the opportunity to keep track of their belongings more easily. As adoption has grown, however, so have security and privacy concerns. Malicious actors can easily slip these devices into people’s belongings and track them.

While the risk to consumers is clear, businesses and influential figures can also be targeted. GPS-enabled devices can be used to track day-to-day business movements and identify exploitable weak points.

Apple has remediated some of these risks by releasing a personal safety guide outlining the steps users should take if they find an unknown AirTag or suspect someone has gained access to their product. Yet these risks highlight a broader problem with GPS-enabled devices. Threat modeling in the design phase of tech development must evolve to uncover emerging security risks — before consumers get their hands on the devices.

Read the full article online.

Multi-Factor Authentication: The Bare Minimum of IAM https://www.netspi.com/blog/executive/security-industry-trends/multi-factor-authentication-the-bare-minimum-of-iam/ Tue, 10 May 2022 12:00:00 +0000 https://www.netspi.com/?p=27749 Learn how protecting your organization, employees, and customers starts with multi-factor authentication.

The post Multi-Factor Authentication: The Bare Minimum of IAM appeared first on NetSPI.

What is the typical authentication setup for personal online accounts? The username and password. 

For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.  

To combat the sophisticated attacks of hackers today, multi-factor authentication must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to validate their identity in two or more ways to gain access to an account, resource, application, etc.] Then, starting on that foundation, security leaders must ask what other identity and access management (IAM) practices they can implement to better protect their customers. 

For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management. 

Symmetric Secrets vs. Asymmetric Secrets  

The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes. 

A symmetric secret is a single key shared by both parties and used both to encrypt and to decrypt a piece of data or file, or, in the authentication case, known to both the user and the service that checks it. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it’s me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That’s a shared symmetric secret.” 

The issue with this method, Jason explains, is that the secret has to be provisioned to someone or, in today’s context, keyed into memory on a computer, which could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues; you only want to use them in a network where the number of resources is extremely small, and we should no longer use them for human authentication. 

Instead, we need to shift towards asymmetric secrets.   

Asymmetric secrets, which underpin secure data exchange today, come as a key pair: private and public. Data encrypted with the public key can be decrypted only with the private key. For authentication the direction is reversed: the private key signs a challenge from the server, and anyone holding the public key can verify that signature without being able to forge one. 

The private key is never shared; it never leaves a secured place (e.g., a trusted platform module (TPM), which Windows 10 and 11 can use to hold keys, or another secure element), and that is what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the extra authentication steps users go through today, improving the user experience overall. The ability for a hacker to guess or steal the asymmetric secret is much more limited because it sits in a secure element, Jason explains. 
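The difference between the two models is easiest to see in code. Below is an added Go example (not from the podcast, from Sectigo, or from NetSPI) of a challenge-response login done both ways: with a shared HMAC secret that the server must also store, and with an Ed25519 key pair where the server keeps only the public key. The function names and the sample secret are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// newChallenge returns a fresh random nonce. Reusing one would let an
// eavesdropper replay a captured response, so every login gets a new one.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// --- Symmetric: both sides hold the same secret (the "knock three times" case) ---

func symmetricRespond(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// symmetricVerify must hold the secret too, so a breach of the server, or of
// any endpoint the secret was provisioned to, discloses it.
func symmetricVerify(secret, challenge, response []byte) bool {
	expected := symmetricRespond(secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// --- Asymmetric: the private key never leaves the client ---

// Enrolment is everything the server stores for a user: only the public key.
type Enrolment struct{ Public ed25519.PublicKey }

// enrolClient generates the key pair on the client; only the public half is
// sent to the server, so the server-side database holds nothing secret.
func enrolClient() (ed25519.PrivateKey, Enrolment, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Enrolment{}, err
	}
	return priv, Enrolment{Public: pub}, nil
}

func asymmetricRespond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func asymmetricVerify(e Enrolment, challenge, sig []byte) bool {
	return ed25519.Verify(e.Public, challenge, sig)
}

// loginAsymmetric runs one full exchange (server challenge, client signature,
// server verify) and then checks that the captured signature is useless
// against a fresh challenge.
func loginAsymmetric(priv ed25519.PrivateKey, e Enrolment) (bool, error) {
	c, err := newChallenge()
	if err != nil {
		return false, err
	}
	sig := asymmetricRespond(priv, c)
	if !asymmetricVerify(e, c, sig) {
		return false, errors.New("signature did not verify")
	}
	c2, err := newChallenge()
	if err != nil {
		return false, err
	}
	if asymmetricVerify(e, c2, sig) {
		return false, errors.New("replayed signature accepted")
	}
	return true, nil
}

func main() {
	secret := []byte("shared-secret-provisioned-to-both-sides") // constructed sample
	c, _ := newChallenge()
	fmt.Println("symmetric ok:", symmetricVerify(secret, c, symmetricRespond(secret, c)))

	priv, enrol, _ := enrolClient()
	ok, err := loginAsymmetric(priv, enrol)
	fmt.Println("asymmetric ok:", ok, err)
}
```

Notice what each verifier needs: `symmetricVerify` cannot work without the same secret the client has, while `asymmetricVerify` works with a value that is safe to publish. That asymmetry is what lets the private key stay inside a TPM or secure element for its whole life.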

Of course, some organizations have no choice but to stick with ancient legacy systems due to financial reasons. But the opportunity here is to complement that legacy authentication method with other controls so you can enhance your authentication system. 

Pitfalls of SMS Authentication 

If you’re considering SMS authentication, I hate to be the bearer of bad news, but it doesn’t offer comprehensive protection. SMS was never built to be secure, and it was never intended to be used the way it is popularly used today. So not only are people relying on a protocol that is insecure by design, but hackers can also intercept authentication messages sent via SMS with little effort. 

As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. It only costs around $16 to persuade the telecommunications company to redirect SMS messages to wherever you want them to go, which shows how easily hackers can obtain messages and data. 

To learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols. 

Three Best Practices for Managing Digital Certificates 

Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network? 

You achieve that with digital certificates, also known as public key certificates. They bind a public key to the person or device that owns it, so anyone who receives the key can verify its ownership. 

With so many people moving to remote work, this only amplifies the number of digital certificates to authenticate each day. It’s important to manage your digital certificates effectively to mitigate the risk of adversaries trying to access your organization’s network. 

To get you started toward better digital certificate management, Jason shared these three best practices: 

  1. Take inventory: Perform a proper discovery of all the certificates you have (TLS, SSL, etc.) to gain visibility into how many there are.
  2. Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and delve into how each certificate was set up, who set it up, what the key bit-length is, and whether the cryptographic algorithm is a current, non-deprecated one.
  3. Adapt to new use cases: Look towards the future to determine whether you can adapt to new use cases (e.g., can this be used to authenticate BYOD devices or anything outside the Microsoft stack, how will today’s cryptographic algorithms differ in the future, what about hybrid, quantum-resistant algorithms, etc.). 
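To show what the inventory and profile checks look like in practice, here is an added Go example (not from the podcast, from Sectigo, or from NetSPI) that parses a PEM bundle and flags short RSA keys, deprecated signature algorithms, and certificates that are expired or close to expiry. The two certificates it audits are generated on the spot as constructed test data; the 2048-bit and 30-day thresholds are assumptions you would tune to your own policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Issue is one problem found with a certificate's profile.
type Issue string

// auditCert applies the profile checks: key type and bit-length, signature
// algorithm, and remaining lifetime.
func auditCert(cert *x509.Certificate, now time.Time) []Issue {
	var issues []Issue
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			issues = append(issues, Issue(fmt.Sprintf("RSA key too short: %d bits", k.N.BitLen())))
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			issues = append(issues, Issue("EC curve below 256 bits"))
		}
	default:
		issues = append(issues, Issue(fmt.Sprintf("unrecognised key type %T", k)))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1, x509.DSAWithSHA256:
		issues = append(issues, Issue("deprecated signature algorithm: "+cert.SignatureAlgorithm.String()))
	}
	if now.After(cert.NotAfter) {
		issues = append(issues, Issue("expired"))
	} else if cert.NotAfter.Sub(now) < 30*24*time.Hour {
		issues = append(issues, Issue("expires within 30 days"))
	}
	return issues
}

// auditPEM parses every CERTIFICATE block in a PEM bundle and audits each one,
// keyed by subject common name.
func auditPEM(bundle []byte, now time.Time) (map[string][]Issue, error) {
	out := map[string][]Issue{}
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out[cert.Subject.CommonName] = auditCert(cert, now)
	}
	return out, nil
}

// selfSigned builds a constructed self-signed certificate for the example.
func selfSigned(cn string, key, pub interface{}, sigAlg x509.SignatureAlgorithm, days int) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(time.Duration(days) * 24 * time.Hour),
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// sampleBundle returns two constructed certificates: a weak 1024-bit RSA
// device cert that expires soon, and a P-256 ECDSA cert with a year to run.
func sampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	weak, err := selfSigned("legacy-iot-device", rsaKey, &rsaKey.PublicKey, x509.SHA256WithRSA, 10)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	good, err := selfSigned("devops-ci-runner", ecKey, &ecKey.PublicKey, x509.ECDSAWithSHA256, 365)
	if err != nil {
		return nil, err
	}
	return append(weak, good...), nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	report, err := auditPEM(bundle, time.Now())
	if err != nil {
		panic(err)
	}
	for cn, issues := range report {
		fmt.Printf("%s: %v\n", cn, issues)
	}
}
```

Feed `auditPEM` the bundles you collect during discovery (from load balancers, device fleets, CI runners) and the report becomes the profile review in step 2; the issuer, key usage and SAN fields are the natural next checks to add.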

The Future of Multi-Factor Authentication 

As mentioned at the beginning of this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it: 

  • A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
  • Most cyberattacks stem from hackers stealing people’s usernames and passwords. Multi-factor authentication adds layers of security that stop a stolen password alone from opening an organization’s network.
  • Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code. 

More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.  

According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks, for example, a type of artificial neural network (ANN) used to analyze images. Applied to cybersecurity, they could be trained to identify known malicious binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future. 

An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space. 

Multi-Factor Authentication is Only the First Step 

At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.  

Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers. 

Put your IAM and authentication processes to the test against real attacker techniques. Explore NetSPI’s red team operations.
