If you follow cybersecurity, you will know the news is rarely good, and that the digital environment is getting more challenging. Attack volumes have risen significantly since the onset of the pandemic.
Concern about COVID-19 means there is a high level of interest in any COVID-19 related news. This has provided cybercriminals with a whole new vehicle for phishing attacks. The huge increase in work-from-home practices, often with hastily implemented security measures, has created a greatly enlarged target market.
In a report published in October 2020 the Ponemon Institute, after surveying 2,215 IT and tech security personnel in multiple countries, including Australia and New Zealand, reported: “The remote work force has significantly reduced the effectiveness of organisations’ security posture.”
The good news is there’s no shortage of security technology that, fully and correctly deployed and used, provides excellent protection against most cyber threats. The bad news is that robust security requires active and appropriate participation from every user, and eliciting that participation is proving difficult.
“I reckon the CISO has the hardest job in IT,” says LastPass/LogMeIn federal and state government manager Tim Blumentals. “Because he has to be cat herder.”
Password re-use is a classic example. Employees often use the same password to access company resources and public websites. When one of those public sites is compromised and email/password combinations extracted, hackers can automatically test these against numerous other sites to try and gain access. This is credential stuffing.
In its latest half yearly report into the operation of Notifiable Data Breaches scheme, the Office of the Australian Information Commissioner (OAIC) said 25 per cent of breaches were effected using credentials compromised or stolen by unknown means. It is highly likely these were obtained by credential stuffing.
Two factor authentication is a very simple and effective way of thwarting an attack using stolen credentials, whether extracted from a comprised online service and used for credential stuffing, or obtained via a phishing attack (36 percent of breaches in the OAIC report).
However, only 35 per cent of respondents to the Ponemon Institute survey said they required their remote workers to use multifactor authentication.
Driving adoption of multifactor is a challenge, says Mr Blumentals. LogMeIn’s LastPass identity and access management system is widely deployed in Australian business and government organisations, but often not made full use of.
“It’s one thing to give it to a user. It’s another thing to get them to use it,” says Mr Blumentals. “Security is not about technology. It’s about people and processes.”
With LastPass, IT staff in government agencies are able to monitor employees’ usage and also measure their level of security: determine the strength of passwords and see how many are being re-used. However, leveraging this information to increase usage is challenging.
“A lot of the government agencies that use LastPass will monitor usage and then try and get their users to improve every month,” Mr Blumentals says. “But’s like teaching kids to wash their hands and brush their teeth. It’s basic hygiene. Everyone knows they should do it, but they don’t.”
The Australian Cyber Security Centre’s (ACSC) has a set of strategies to mitigate cyber security incidents, known as the Essential Eight Maturity Model.
Level one requires multifactor authentication be used to authenticate all users of remote access solutions. The top level, level three, also requires multifactor authentication be used to authenticate all users when accessing important data repositories.
However, says Mr Blumentals, only about 55 per cent of government agencies have achieved compliance with the Essential Eight.
Despite the difficulty of driving take-up and appropriate usage, he says Government agencies remain reluctant to mandate password practices that would create stronger security.
“There’s been no mandatory uptake of the Essential Eight. It is a recommendation. They are striving to push it and audit departments. And as they audit them, they are trying to lift uptake.”
Measures he has seen adopted by government bodies to encourage take-up include videos from senior executives.
However, in general the carrot is preferable to the stick and he suggests agencies promulgate a monthly ranking of individuals’ security scores, with a reward for the most improved.