In mid-March, the Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting how cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain access and compromise user systems. These included not enforcing multifactor authentication, primarily with remote desktop access, the use of vendor-supplied default login usernames and passwords, and the failure to detect and block phishing attempts.
CISA suggested organisations can help strengthen their network defences against commonly exploited practices by adopting a zero-trust security model, which enables users to be assigned only the access rights required to perform their assigned tasks. Access control can limit the actions of malicious cyber actors and reduce the chance of user errors.
However, CISA also stresses the importance of implementing multi-factor authentication (MFA), employing antivirus programs and detection tools, scanning for vulnerabilities, and initiating a software and patch management programme. Together these are said to provide greater visibility into endpoint security and to help protect against malicious cyber actors.
Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that these recommendations are simply not enough and that organisations need more than surface-level fixes to prevent cyber-breaches.
“Preventing malicious actors from gaining network access won’t happen through antivirus programs. These are simply temporary fixes that do nothing to correct the fundamental vulnerabilities in how organisations approach their cybersecurity. It’s time for businesses to take control and lead their own cyber resilience, rather than hide their difficulties behind third-party software.”
“We’ve seen earlier this year how MFA can be easily exploited by malicious cyber actors wishing to gain network access. These vulnerabilities are often known in the cyber security space for months and still left open for hackers to take advantage of, posing a significant danger to your organisation. By the time people were made aware of the MFA vulnerabilities, their systems were already compromised.”
“MFA is not the solution CISA wants to pretend it is, and enforcing the use of stronger passwords doesn’t stop the problem either. When, according to the 2022 Verizon Data Breach Investigations Report, 82% of network breaches start with a compromised login – whether using stolen credentials or phishing – the difference between ‘123456’ and ‘1&!7A8%9gh3Tio’ is negligible in protecting your system. Hackers don’t ‘hack in’, they simply log in using ‘found’ passwords, be it through social engineering, phishing, or even just paying employees for their credentials. Trusting employees to create their own keys is the ultimate problem that CISA should be addressing.”
Whilst O’Toole agrees with CISA’s advice to give role-based access, she believes this does not fix the credentials vulnerabilities. “The root cause of the problem is letting employees create their own passwords. Imagine if CISA let their employees make their own keys to walk into their Arlington facilities just because they have MFA!”
“In reality, they take far more precautions to ensure their systems stay secure, starting with keeping control, possession and custody of their access keys. Likewise, in the digital world, organisations can distribute end-to-end encrypted passwords to their employees to securely access their online systems one by one without ever seeing a password. Employees can only gain access to parts of the network for which they have the keys, which means no key, no access.”
“As passwords stay encrypted from creation, use, distribution to expiry, employees cannot give up a password they don’t know. This solves the risk of human errors leading to compromised credentials. Contrary to other access management methods, there is no master password or identity to steal so criminals cannot find a privileged account or single point of access to take control of the network and launch a ransomware attack.”
“Companies should be investing now rather than later to stop cyber threats from gaining access through credentials. Keeping custody, possession and control of their own digital keys will protect them from over 80% of breaches. Without that basic layer of cybersecurity, all it takes is one employee to slip up, resulting in a potentially devastating, and most importantly expensive network breach.”
About MyCena Security Solutions
Founded in 2016, MyCena is the market leader in encrypted access management. MyCena helps companies manage and distribute end-to-end encrypted credentials for all systems to their employees. With companies owning their passwords and employees never knowing them, MyCena resolves over 80% of breaches that involve a compromised login. Contrary to other access management solutions, there is no master password or identity to steal, so criminals cannot find a privileged account or single point of access to take control of the network and launch a ransomware attack. The company offers enterprise security solutions and applications to end-users. To learn more visit: https://mycena.co/