<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aykira Internet Solutions</title>
	<atom:link href="https://www.aykira.com.au/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aykira.com.au</link>
	<description>Cyber Security Consultants Sydney</description>
	<lastBuildDate>Tue, 26 Nov 2024 01:26:16 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>https://www.aykira.com.au/wp-content/uploads/2014/02/cropped-favicon-16x16-32x32.png</url>
	<title>Aykira Internet Solutions</title>
	<link>https://www.aykira.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Open Source AuthN, AuthZ &#038; VPN</title>
		<link>https://www.aykira.com.au/2024/11/open-source-authn-authz-vpn/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 25 Nov 2024 22:59:47 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[software architecture]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[authn]]></category>
		<category><![CDATA[authz]]></category>
		<category><![CDATA[sso]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3864</guid>

					<description><![CDATA[Given the historical hacking of major cloud-based Authentication and Authorisation providers, like Okta and Auth0, I think CISOs and CTOs need to seriously reconsider the risks they are exposing themselves to by utilising such services, and how these providers will almost certainly remain a focus of hackers as they keep adding features and [&#8230;] ]]></description>
										<content:encoded><![CDATA[
<p>Given the historical hacking of major cloud-based Authentication and Authorisation providers, like <a href="https://www.darkreading.com/application-security/otka-breach-widens-entire-customer-base" data-type="link" data-id="https://www.darkreading.com/application-security/otka-breach-widens-entire-customer-base">Okta</a> and <a href="https://medium.com/@iamkushimo/how-auth0-an-authenticator-service-provider-was-hacked-and-what-it-means-for-the-future-of-648f05a483d1" data-type="link" data-id="https://medium.com/@iamkushimo/how-auth0-an-authenticator-service-provider-was-hacked-and-what-it-means-for-the-future-of-648f05a483d1">Auth0</a>, I think CISOs and CTOs need to seriously reconsider the risks they are exposing themselves to by utilising such services, and how these providers will almost certainly remain a focus of hackers as they keep adding features and services that keep increasing their respective security surfaces. Add to that the ongoing tendency for all businesses to grow their own internal usage of 3rd party SaaS services (which any CISO will fully understand: a new essential &#8220;must have&#8221; service seems to crop up once a week) and you will see I&#8217;m not exaggerating in my analysis. If you don&#8217;t believe me, I defy you to find a major commercial cloud Auth provider who hasn&#8217;t suffered some form of harmful breach in the last 2 years&#8230;</p>



<p>Now I know the cloud-based Auth providers will say they can be trusted to be secure, but there is no getting away from the fact that you are trusting a third party who operates in the cloud with a core security function, namely authenticating people (and systems) with access to your internal services. Plus you may be using the same provider to authenticate your own SaaS services as well. At the very least you need to seriously consider the risk you are placing yourself in by using one sole supplier for all your authentication needs: second sourcing arrangements need to be in place, and you need to keep public-facing and corporate-facing authentication systems separate and isolated from each other.</p>



<p>Now add to that the ongoing cost base, which is usually around $70 USD per month per 1000 active users, and it doesn&#8217;t take long for the cost to get into 4 or 5 figures. If you require more advanced features (such as multifactor authentication, fine-grained roles, etc.) then you can be looking at north of $400 USD per month per 1000 active users, and costs escalate even quicker. At that point you should be seriously considering the cost/benefit ratio, whilst also factoring in the following:</p>



<ul class="wp-block-list">
<li><strong>Data privacy controls</strong> &#8211; where exactly does your data sit? What is its lifecycle? What government regulations apply to it?</li>



<li><strong>System resilience</strong> &#8211; What is their uptime? What happens if they go down? What is the plan B?</li>



<li><strong>Supplier Dependency and second sourcing</strong> &#8211; How easy is it to change provider? Have you integrated with them in a way which allows that?</li>



<li><strong>Internal Competencies</strong> &#8211; Should your organisation have stronger in house security skills? What other risks could you manage in house?</li>
</ul>



<p>The 4th point above is perhaps the most significant: if you keep offloading critical elements of your security infrastructure to a 3rd party, you are denying yourself the ability to build internal competencies, and not just in security but in general technical development abilities as well &#8211; which could deny you competitive advantages going forwards (i.e. no ability to usefully differentiate or innovate). In effect you don&#8217;t know what you don&#8217;t know, and this can be a very expensive form of ignorance. Now add to this that Open Source is actually quite mature in this space; it&#8217;s no longer a question of having to hand code such services, they often come pre-packaged with extensive support and documentation.</p>



<p>You will note I have also added in VPNs &#8211; again there are lots of commercial solutions available, which again use the per seat per month charging model. To me the security of your VPN solution is just as critical as your AuthN and AuthZ solutions; a failure here would provide unfettered access into your corporate systems.</p>



<h2 class="wp-block-heading">Open Source Solutions</h2>



<p>To prove the point I will list a few open source authentication libraries/systems that can do the job for you.</p>



<h3 class="wp-block-heading">1) Keycloak &#8211; full framework</h3>



<p><a href="https://www.keycloak.org/" data-type="link" data-id="https://www.keycloak.org/" target="_blank" rel="noreferrer noopener">Keycloak</a> is free to use and allows you to provide a Single Sign-On solution, so users authenticate once for access to multiple applications. You can choose between various Identity Providers for Keycloak to use to determine identity, such as OpenID Connect or SAML 2.0 compliant Identity Providers, Kerberos, or even social networks (Google, GitHub &amp; Facebook). You can also use your corporate Active Directory, LDAP or a database.</p>



<p>Keycloak comes with extensive account management, including allowing users to set up two-factor authentication. Admins can control all features and set up fine-grained policies.</p>



<p>Installation can either be direct on a server or from a container; it runs in the OpenJDK environment. This could be hosted on your local network or in your cloud environment as a completely stand-alone, self-managed solution.</p>



<p>Keycloak is ideal for wrapping a Single Sign-On solution around existing apps and services that have the right hooks to allow you to do so.</p>



<h3 class="wp-block-heading">2) ZITADEL &#8211; full framework</h3>



<p><a href="https://github.com/zitadel/zitadel" target="_blank" rel="noreferrer noopener">Zitadel</a> is an open-source authentication framework that supports multi-tenancy out of the box, allowing you to use it for a SaaS application that serves multiple customers, each with their own set of logins to manage and integrate into their Single Sign-On framework. It supports OpenID Connect, OAuth2.x, SAML2, LDAP, Passkeys/FIDO2 and OTP. It also includes JWT Profiles, Personal Access Tokens (PAT) and Client Credentials for machine-to-machine auth, and it has an API to allow custom integrations and event propagation.</p>



<p>It can be installed to run natively on Linux and MacOS, and within containers under Docker, Knative and Kubernetes. You can also use their ZITADEL cloud solution for a fee.</p>



<h3 class="wp-block-heading">3) Hanko.io &#8211; app framework</h3>



<p><a href="https://www.hanko.io/" data-type="link" data-id="https://www.hanko.io/" target="_blank" rel="noreferrer noopener">Hanko</a> is an open-source authentication framework that employs passkey-based authentication. It consists of a set of APIs and UI components that allow you to quickly build authentication into your applications. Authentication is supported using passkeys, passcodes, mobile biometrics, FIDO security keys, OAuth SSO and passwords.</p>



<p>You can choose to either self-host or use their Hanko Cloud offering for a fee&#8230;</p>



<h3 class="wp-block-heading">4) SuperTokens &#8211; app framework</h3>



<p><a href="https://github.com/supertokens/supertokens-core" data-type="link" data-id="https://github.com/supertokens/supertokens-core" target="_blank" rel="noreferrer noopener">SuperTokens</a> allows you to add secure login and session management to your apps. SDKs are available in many languages and front-end frameworks; it consists of three main parts, the Frontend SDK, the Backend SDK and the SuperTokens Core, allowing flexible integrations with minimal coding.</p>



<p>SuperTokens supports authentication via Passwordless, Social, Email Password and Phone Password. Multi-Factor Authentication is also supported, as well as Multi-Tenancy and Organizational support.</p>



<p>SuperTokens is Java based and is available as a prebuilt binary or docker image for deployment.</p>



<h3 class="wp-block-heading">5) Pritunl &#8211; OpenVPN gateway</h3>



<p><a href="https://pritunl.com/" data-type="link" data-id="https://pritunl.com/" target="_blank" rel="noreferrer noopener">Pritunl</a> is an open-source VPN gateway with lots of useful features. Its security features include TPM and Apple Secure Enclave device authentication, a dynamic firewall, SELinux policies and a dual web server design. It will work with multiple cloud providers to deliver VPC Peering.</p>



<p>You can also set up Two-Step Authentication using a Yubico YubiKey, a Duo Hardware Token, a push notification to a mobile phone via an app, or the Google Authenticator app.</p>



<p>Installation is via packages that are available for most Unix platforms. VPN clients are available for all major OSs.</p>



<p>Pritunl also supplies <a href="https://zero.pritunl.com/" data-type="link" data-id="https://zero.pritunl.com/" target="_blank" rel="noreferrer noopener">Pritunl Zero</a>, an open source BeyondCorp server that provides zero trust security for privileged access to ssh and web applications via user public keys. Roles can then be assigned to users using Auth0, Azure, Google, Okta, or OneLogin Sign-On. Again, secondary authentication can be performed via Duo, OneLogin Push or Okta Push.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>So please, stop putting all your auth eggs in someone else&#8217;s basket; take back control of your authN and authZ. It will likely reduce costs and reduce your security surface at the same time. It also improves your in-house technical security skills.</p>



<p>Also, did you know that if you are on Microsoft Azure or Microsoft 365 cloud subscriptions, Entra ID Free is included, which provides MFA, SSO and self-service password change? <strong>Yes, for free</strong>; in fact Microsoft goes out of their way to provide wizards and documentation to make it as easy as possible to get SSO going. For a small to medium sized business this is a true gift.</p>



<p>BTW if you are on Google Workspace, you can also set up <a href="https://support.google.com/a/answer/60224?hl=en" data-type="link" data-id="https://support.google.com/a/answer/60224?hl=en&amp;ref_topic=7579248&amp;sjid=14762491153927400573-AP" target="_blank" rel="noreferrer noopener nofollow">SSO</a>.</p>



<h2 class="wp-block-heading">Addendum</h2>



<p>We should also not forget that there are a number of SaaS products that charge significantly more just for turning on SSO integration support; have a look at the <a href="https://sso.tax/" data-type="link" data-id="https://sso.tax/" target="_blank" rel="noreferrer noopener nofollow">SSO Tax website</a>. For just having SSO turned on you get charged anywhere from 1.5 to 10 times as much as the non-SSO rate. Remember, once SSO is implemented in the product code base there is near zero cost to make it available to all customers; it&#8217;s not as if a whole new distinct code base is required to support SSO &#8211; if an application can support HTTPS without charging more, it can support SSO as standard for no extra cost. I suggest you demand SSO is included as standard and vote with your feet.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Risks of Using AI in Cybersecurity</title>
		<link>https://www.aykira.com.au/2024/11/the-risks-of-using-ai-in-cybersecurity/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Fri, 15 Nov 2024 00:07:25 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=4027</guid>

					<description><![CDATA[Artificial intelligence (AI) has reshaped many aspects of business and cybersecurity, promising unparalleled capabilities in threat detection, incident response, and overall risk management. Yet as AI continues to gain ground, understanding its limitations and risks becomes critical. This article explores the potential pitfalls of using AI in cybersecurity, covering risks such as over-reliance, ethical concerns, [&#8230;] ]]></description>
										<content:encoded><![CDATA[
<p>Artificial intelligence (AI) has reshaped many aspects of business and cybersecurity, promising unparalleled capabilities in threat detection, incident response, and overall risk management. Yet as AI continues to gain ground, understanding its limitations and risks becomes critical. This article explores the potential pitfalls of using AI in cybersecurity, covering risks such as over-reliance, ethical concerns, adversarial attacks, data privacy issues, and the challenge of maintaining compliance and transparency. With a balanced approach, managers can make informed decisions about the integration of AI into their cybersecurity operations.</p>



<h3 class="wp-block-heading">1. Over-reliance on AI: A Risky Dependency</h3>



<p>AI is revolutionizing cybersecurity operations. Machine learning (ML) algorithms can process large volumes of data rapidly, helping identify anomalies and patterns that human analysts might miss. However, the convenience of AI also comes with the risk of over-reliance.</p>



<p>When organizations rely too heavily on AI-based systems, they may deprioritize the role of human analysts in assessing and responding to threats. AI tools are not infallible; they are based on data patterns and can struggle to keep up with novel attack techniques or recognize subtle shifts in threat tactics. If left unchecked, over-reliance can result in:</p>



<ul class="wp-block-list">
<li><strong>Lack of manual oversight:</strong> A cyberattack could exploit a system’s AI-based vulnerabilities, and without the intervention of human analysts, the response could be delayed or mismanaged.</li>



<li><strong>Reduced accountability:</strong> When relying too heavily on automation, there may be confusion over responsibility, especially when an AI-driven system fails to detect or mitigate a significant threat.</li>



<li><strong>Lowered situational awareness:</strong> Security teams might depend too much on automated insights and alerts, potentially missing critical warning signs that fall outside the scope of AI-driven detection systems.</li>
</ul>



<h3 class="wp-block-heading">2. The “Black Box” Problem: Lack of Transparency</h3>



<p>Many AI algorithms, especially deep learning models, are often referred to as &#8220;black boxes&#8221; due to their complex and opaque decision-making processes, and this lack of transparency presents significant concerns. If the AI makes an error or is attacked, understanding why it failed is challenging. Such black-box AI raises several critical issues:</p>



<ul class="wp-block-list">
<li><strong>Trust in decision-making:</strong> Without transparency, it can be difficult to trust the system’s decisions, especially when they deviate from human judgment.</li>



<li><strong>Difficulty in auditing:</strong> In cybersecurity, the ability to review and audit system decisions is critical for compliance and incident response. Black-box AI makes it challenging to trace decisions back to their origin and therefore understand the factors contributing to an incorrect output.</li>



<li><strong>Regulatory scrutiny:</strong> With regulatory bodies increasingly focusing on AI transparency, especially in industries like finance and healthcare, the black-box problem could expose organizations to compliance risks.</li>
</ul>



<h3 class="wp-block-heading">3. Vulnerabilities to Adversarial Attacks</h3>



<p>Adversarial attacks are a unique and sophisticated risk associated with AI in cybersecurity. Attackers can subtly alter input data in ways that trick the AI model into making incorrect predictions or classifications. For instance, by adding noise to an image or modifying a network packet, an attacker might deceive an AI system into misidentifying malicious activity as benign or vice versa.</p>



<p>The consequences of adversarial attacks can be severe:</p>



<ul class="wp-block-list">
<li><strong>Bypassing security controls:</strong> If attackers succeed in “fooling” the AI, they could bypass security controls undetected.</li>



<li><strong>Increasing the attack surface:</strong> Adversarial attacks can undermine confidence in AI systems and create new attack vectors that traditional security measures may not cover.</li>



<li><strong>Challenging detection and response:</strong> These attacks can be hard to identify and counteract, as they often target the nuances of the AI model itself, exploiting its inherent vulnerabilities.</li>
</ul>



<h3 class="wp-block-heading">4. Ethical and Privacy Concerns</h3>



<p>AI-driven cybersecurity often involves collecting, analysing, and interpreting large amounts of user data to identify patterns and anomalies. This data-driven approach, while effective, can raise ethical and privacy concerns that could harm an organization’s reputation and stakeholder trust.</p>



<ul class="wp-block-list">
<li><strong>Data collection risks:</strong> AI systems rely on vast datasets, often including sensitive personal or business information. If not managed properly, this data can be misused or inadequately protected.</li>



<li><strong>Privacy erosion:</strong> There is a fine line between identifying threats and infringing on privacy. For example, an AI system analyzing user behaviors could inadvertently infringe on employees&#8217; personal privacy, leading to concerns about workplace surveillance.</li>



<li><strong>Bias and discrimination:</strong> AI models can inherit biases present in the data used to train them. Biased decision-making in security systems can result in discriminatory outcomes, such as unfair targeting of certain user groups or businesses, which could lead to reputational damage and legal repercussions.</li>
</ul>



<h3 class="wp-block-heading">5. Data Quality and Integrity Risks</h3>



<p>AI models are only as effective as the data on which they are trained. In cybersecurity, ensuring that data is accurate, up-to-date, and representative of actual threat landscapes is essential. Poor data quality and compromised integrity can impact AI performance, leading to:</p>



<ul class="wp-block-list">
<li><strong>False positives and negatives:</strong> Inaccurate data can cause an AI system to flag benign activity as malicious (false positives) or miss actual threats (false negatives), undermining trust in the system.</li>



<li><strong>Degradation over time:</strong> Cybersecurity threats evolve quickly, and AI models need continual training to keep pace. A model trained on outdated data may fail to recognize new attack patterns, rendering it ineffective.</li>



<li><strong>Increased operational costs:</strong> Poor data quality and false alarms strain resources, requiring additional time and effort to investigate and resolve alerts, ultimately impacting productivity and increasing costs.</li>
</ul>



<h3 class="wp-block-heading">6. Model Drift: AI&#8217;s Short-Term Memory Problem</h3>



<p>Model drift occurs when an AI model gradually becomes less effective due to shifts in the underlying data patterns. In cybersecurity, this is particularly relevant, as threat actors constantly develop new techniques to circumvent security measures. Over time, the effectiveness of an AI system will degrade unless it&#8217;s retrained with fresh data.</p>



<p>Model drift introduces several risks:</p>



<ul class="wp-block-list">
<li><strong>Declining accuracy:</strong> Without retraining, an AI system may become inaccurate, resulting in missed detections or increased false positives.</li>



<li><strong>Ongoing maintenance:</strong> Maintaining a robust AI model requires significant resources, as models must be regularly updated to keep pace with evolving threats.</li>



<li><strong>Potential blind spots:</strong> Outdated models can create blind spots where emerging threats are no longer recognized, leading to potential security vulnerabilities.</li>
</ul>



<h3 class="wp-block-heading">7. Resource Intensity and Cost</h3>



<p>Deploying AI in cybersecurity is resource-intensive, requiring specialized skills, substantial processing power, and ongoing model management. This can pose significant financial and operational challenges:</p>



<ul class="wp-block-list">
<li><strong>High cost of implementation and maintenance:</strong> Building and maintaining AI models is costly, both in terms of financial resources and human expertise.</li>



<li><strong>Skilled personnel:</strong> AI-driven cybersecurity requires a team with expertise in both machine learning and cybersecurity, which can be challenging to recruit and retain.</li>



<li><strong>Processing and storage demands:</strong> AI models often require significant computational power and data storage, increasing infrastructure costs and the organization&#8217;s environmental footprint.</li>
</ul>



<h3 class="wp-block-heading">8. Compliance and Regulatory Risks</h3>



<p>Many industries are subject to stringent regulatory requirements around data usage, privacy, and cybersecurity. AI systems, with their propensity to gather and analyze large amounts of data, can inadvertently lead to compliance issues if not carefully managed.</p>



<ul class="wp-block-list">
<li><strong>Data privacy regulations:</strong> Laws such as GDPR, CCPA, and others impose strict guidelines on data usage, storage, and processing. Failure to ensure that AI models operate within these guidelines could result in costly fines and reputational damage.</li>



<li><strong>AI transparency requirements:</strong> Some regulations require that AI-driven decisions be explainable and transparent, especially when they involve customer or employee data. Organizations that rely on opaque AI systems risk falling afoul of these requirements.</li>



<li><strong>Audit and oversight challenges:</strong> Regulators may require organizations to provide evidence of AI decision-making and risk mitigation strategies, demanding a level of visibility that black-box AI systems may not support.</li>
</ul>



<h3 class="wp-block-heading">9. Risks of Scaling AI Across Security Operations</h3>



<p>Many businesses attempt to scale AI-driven cybersecurity solutions across various departments and regions to maximize their value. However, this can lead to unintended risks, especially if the scaling process isn’t carefully managed.</p>



<ul class="wp-block-list">
<li><strong>Operational complexities:</strong> Scaling AI requires careful alignment across systems and departments, often creating integration challenges.</li>



<li><strong>Loss of centralized control:</strong> As AI tools proliferate within an organization, maintaining control over their deployment, performance, and updates becomes increasingly difficult.</li>



<li><strong>Increased attack surface:</strong> When AI systems are deployed broadly, the potential for adversarial exploitation grows, as threat actors can exploit vulnerabilities across various instances.</li>
</ul>



<h3 class="wp-block-heading">10. Erosion of Human Expertise and Decision-Making</h3>



<p>AI in cybersecurity can, paradoxically, diminish human skills over time. As organizations become more dependent on automated solutions, they may gradually deprioritize traditional cybersecurity expertise. This erosion of human decision-making capabilities has long-term implications:</p>



<ul class="wp-block-list">
<li><strong>Loss of critical thinking:</strong> Without regular practice, analysts and security experts may become less skilled in recognizing and responding to complex threats.</li>



<li><strong>Over-dependence on AI-driven decisions:</strong> If AI systems consistently make security decisions, human operators may become less capable of handling situations where AI fails.</li>



<li><strong>Knowledge gaps:</strong> As technology advances, human skills may fail to keep up, creating a knowledge gap that is difficult to address without intentional training and skill development.</li>
</ul>



<h3 class="wp-block-heading">Conclusion: A Balanced Approach to AI in Cybersecurity</h3>



<p>AI undoubtedly offers significant benefits to cybersecurity, but these advantages come with risks that should not be overlooked. Management must take a balanced, informed approach when implementing AI, ensuring that human expertise remains integral to cybersecurity operations. By recognizing the limitations of AI and establishing a robust framework for oversight, transparency, and accountability, organizations can enjoy the benefits of AI while managing its associated risks.</p>



<p>Key strategies include:</p>



<ol class="wp-block-list">
<li><strong>Encouraging a human-AI partnership</strong>: Emphasize collaboration between AI systems and human analysts rather than replacing human judgment entirely.</li>



<li><strong>Establishing rigorous oversight</strong>: Regularly audit and monitor AI-driven decisions, particularly in high-stakes cybersecurity contexts.</li>



<li><strong>Ensuring continuous model training and updates</strong>: Implement frequent retraining to keep models current and effective.</li>



<li><strong>Prioritizing transparency and ethical considerations</strong>: Choose AI models that support interpretability, and address data privacy and ethical concerns proactively.</li>
</ol>



<p>AI can be a powerful ally in cybersecurity, but only if implemented thoughtfully. Management plays a crucial role in guiding AI adoption to enhance security while safeguarding against its inherent risks. With the right approach, organizations can harness AI’s potential and achieve a resilient, forward-looking cybersecurity posture.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Zero Trust, the Hidden Pitfalls: Challenges and Failure Points in Implementation</title>
		<link>https://www.aykira.com.au/2024/10/zero-trust-the-hidden-pitfalls-challenges-and-failure-points-in-implementation/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 28 Oct 2024 10:11:07 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[zero trust]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=4019</guid>

<description><![CDATA[Zero Trust security model adoption has accelerated over the past decade, driven by increasing cyber threats, digital transformation, and the need to secure remote workforces. Unlike traditional perimeter-based security, Zero Trust operates on the principle of &#8220;never trust, always verify,&#8221; ensuring that all access to resources—whether internal or external—is continually validated. While the theoretical benefits <a href="https://www.aykira.com.au/2024/10/zero-trust-the-hidden-pitfalls-challenges-and-failure-points-in-implementation/" rel="nofollow"><span class="sr-only">Read more about Zero Trust, the Hidden Pitfalls: Challenges and Failure Points in Implementation</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>Zero Trust security model adoption has accelerated over the past decade, driven by increasing cyber threats, digital transformation, and the need to secure remote workforces. Unlike traditional perimeter-based security, Zero Trust operates on the principle of &#8220;never trust, always verify,&#8221; ensuring that all access to resources—whether internal or external—is continually validated.</p>



<p>While the theoretical benefits of Zero Trust are clear, the practical realities of its implementation can be challenging. Zero Trust is not a single technology or a quick-fix solution but a strategic framework that touches every part of an organization&#8217;s infrastructure, identity management, and security policies. In practice, organizations face numerous difficulties that, if not carefully addressed, can lead to partial, ineffective, or failed implementations.</p>



<p>In this blog post, we’ll explore some of the key areas where Zero Trust implementations face challenges or can completely fail. Understanding these pitfalls is essential for organizations looking to maximize the effectiveness of their Zero Trust strategy and avoid costly mistakes.</p>



<h3 class="wp-block-heading">1. <strong>Absence of a Well-Defined Strategy</strong></h3>



<p>One of the most significant pitfalls in Zero Trust implementation is starting without a well-defined, comprehensive strategy. The Zero Trust framework is complex, requiring a coordinated approach across multiple domains such as identity, access management, network architecture, data security, and monitoring. Jumping into Zero Trust without a clear roadmap can lead to fragmented efforts, where isolated tools and processes are put in place without holistic integration.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Unclear Objectives:</strong> Without defining the specific goals and expected outcomes, organizations risk implementing Zero Trust haphazardly. This can lead to overengineering certain aspects while neglecting critical areas, making the security model ineffective.</li>



<li><strong>Lack of Leadership Buy-In:</strong> Zero Trust requires collaboration across IT, security, business units, and executive leadership. If the initiative doesn’t have clear support and understanding from leadership, it can result in insufficient resource allocation or resistance to process changes.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Start with a well-articulated Zero Trust strategy that aligns with the organization’s broader security and business objectives. Develop a phased roadmap that outlines the steps toward full Zero Trust adoption. Ensure leadership support by demonstrating the security and operational benefits, as well as the return on investment (ROI) that a Zero Trust model can provide.</p>



<h3 class="wp-block-heading">2. <strong>Inadequate Identity and Access Management (IAM)</strong></h3>



<p>Identity management is the backbone of any Zero Trust model. One of the core principles of Zero Trust is to verify the identity of users, devices, and applications continuously before allowing access to sensitive resources. Weaknesses in IAM implementation can severely undermine the entire security framework.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Weak Authentication Methods:</strong> Many organizations still rely on single-factor authentication (SFA) methods like passwords. Without strong multi-factor authentication (MFA) in place, attackers can easily exploit compromised credentials to gain unauthorized access.</li>



<li><strong>Inconsistent Identity Policies Across Platforms:</strong> Organizations often struggle to enforce uniform identity policies across cloud, on-premises, and hybrid environments. Legacy systems, in particular, may not be compatible with modern IAM solutions, leading to inconsistent enforcement.</li>



<li><strong>Overprivileged Access:</strong> Granting users or devices more access than necessary violates the principle of least privilege. This not only increases the risk of insider threats but also amplifies the potential impact of compromised accounts.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>First, implement strong MFA for all users, devices, and services, and integrate Single Sign-On (SSO) to streamline the authentication process. Leverage identity federation and directory services that can provide consistent identity policies across various platforms, including cloud and on-premises environments. Finally, audit access controls regularly to ensure adherence to the principle of least privilege and remove all unnecessary access rights.</p>



<h3 class="wp-block-heading">3. <strong>Challenges with Network Segmentation and Micro-Segmentation</strong></h3>



<p>A key aspect of Zero Trust is limiting lateral movement within the network by implementing strict segmentation. This ensures that if an attacker gains access to one part of the network, they cannot easily move to other areas. However, achieving effective network segmentation and micro-segmentation often presents technical and operational challenges.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Poor Visibility into Network Traffic:</strong> If an organization lacks sufficient visibility into its network traffic and data flows, segmenting the network becomes a guessing game. Without comprehensive insights, security teams might segment incorrectly or fail to apply the necessary controls to critical assets.</li>



<li><strong>Complexity in Managing Micro-Segmentation:</strong> Micro-segmentation can involve breaking down the network into dozens or even hundreds of small, isolated zones. Managing security policies for each zone becomes increasingly complex, especially in large, dynamic environments. This complexity can result in misconfigurations or security policy inconsistencies.</li>



<li><strong>Inconsistent Segmentation Across Environments:</strong> Cloud environments, in particular, present challenges for traditional segmentation techniques. In hybrid or multi-cloud environments, inconsistencies in segmentation policies can create blind spots that attackers can exploit.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Invest in network visibility tools that provide real-time monitoring and insights into how data and workloads move across the environment. Use software-defined networking (SDN) solutions to simplify micro-segmentation and ensure that segmentation policies are uniformly enforced across cloud, on-premises, and hybrid environments. Automation tools can also help reduce the complexity of managing large-scale segmentation.</p>



<h3 class="wp-block-heading">4. <strong>Data Security and Encryption Issues</strong></h3>



<p>Zero Trust focuses heavily on protecting data at every stage of its lifecycle—whether in transit, at rest, or in use. Unfortunately, many organizations overlook or inadequately address the data security aspects of Zero Trust implementation, leaving sensitive information vulnerable to exposure.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Unencrypted Data:</strong> Failing to encrypt sensitive data, both in transit and at rest, is one of the most glaring weaknesses in many Zero Trust implementations. This can occur because organizations still rely on outdated systems that don’t support modern encryption protocols.</li>



<li><strong>Inconsistent Data Classification:</strong> Organizations often fail to classify their data effectively. Without knowing which data is sensitive or critical, it’s impossible to apply appropriate security controls. This results in either under-protecting important information or overprotecting data, leading to resource wastage.</li>



<li><strong>Poor Key Management Practices:</strong> Even when encryption is implemented, many organizations struggle with key management. Storing encryption keys in insecure locations, failing to rotate keys regularly, or using weak encryption algorithms compromises the integrity of data protection.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Implement strong encryption for all sensitive data, both in transit and at rest, and ensure that data security policies apply consistently across all environments, including cloud services. Develop a data classification framework to prioritize the protection of sensitive or mission-critical information. Invest in robust key management solutions that securely store, rotate, and manage encryption keys, so that data remains protected even if an individual key is compromised.</p>



<h3 class="wp-block-heading">5. <strong>Incompatibility with Legacy Systems</strong></h3>



<p>Many organizations have long-standing legacy systems that are critical to their operations but are not designed to function within a Zero Trust model. These systems often lack modern security features such as MFA, encryption, or integration with IAM solutions, making them a weak link in the overall security architecture.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Difficulty Integrating Legacy Systems:</strong> Legacy systems, especially those built on outdated protocols, can be difficult or impossible to integrate into a modern Zero Trust framework. As a result, organizations may leave these systems unprotected or apply inadequate compensating controls.</li>



<li><strong>Risk of Shadow IT:</strong> When legacy systems are not properly secured or integrated into the Zero Trust model, employees may circumvent security policies by using unsanctioned tools and applications (known as shadow IT), which introduces additional risks.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Where possible, upgrade or replace legacy systems that cannot support modern security standards. For critical legacy systems that cannot be replaced, implement compensating controls such as additional layers of monitoring, isolation, and strong access controls. It’s also essential to engage in regular audits to detect any shadow IT and ensure compliance with security policies.</p>



<h3 class="wp-block-heading">6. <strong>Monitoring and Incident Response Challenges</strong></h3>



<p>One of the key components of Zero Trust is continuous monitoring. Without real-time visibility into network traffic, user behavior, and system activity, organizations will struggle to detect and respond to security incidents effectively. However, implementing robust monitoring and response mechanisms often proves challenging.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Lack of Real-Time Monitoring:</strong> Many organizations rely on periodic or after-the-fact analysis of logs rather than real-time monitoring. This creates delays in detecting and responding to threats, allowing attackers more time to move laterally within the network.</li>



<li><strong>Overwhelming Volume of Alerts:</strong> A Zero Trust model generates an increased number of security alerts due to its continuous verification nature. If not managed properly, this can lead to alert fatigue, where security teams become overwhelmed by the sheer volume of alerts and miss critical incidents.</li>



<li><strong>Inefficient Incident Response:</strong> Even with real-time monitoring, organizations often lack automation tools that can respond to security incidents quickly. Manual processes are too slow and ineffective in dealing with sophisticated, fast-moving attacks.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Invest in Security Information and Event Management (SIEM) systems that provide centralized, real-time monitoring and analytics. Use User and Entity Behavior Analytics (UEBA) to detect unusual behavior and prioritize critical alerts. To reduce alert fatigue, implement automated threat detection and response tools that can immediately isolate or remediate compromised systems. Regularly refine incident response plans to ensure that they are optimized for the unique demands of a Zero Trust environment.</p>
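<p>The real-time monitoring, behaviour baselining and alert-fatigue points above can be made concrete with a small detector. The following is an added example, not code from this post or from any SIEM or UEBA product: it streams constructed authentication log lines, uses an initial learning window to build a per-user baseline of known devices and countries, scores later logins against that baseline (a success immediately after repeated failures scores highest), collapses findings to a single alert per user, and ranks the alerts so the most severe is handled first. The log lines, user names, device ids, countries, score weights and the learning cut-off are all constructed for the demonstration.</p>

```python
"""
Added example, not code from the Aykira post: a small streaming detector over
constructed authentication log lines. Events in a learning window build a
per-user baseline of known devices and countries; later successful logins are
scored against that baseline, findings are collapsed to one alert per user,
and the result is ranked by severity. All data and weights are constructed.
"""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (ISO-8601 UTC timestamps).
SAMPLE_LOG = """
{"ts":"2024-10-28T09:00:00Z","user":"alice","device":"lap-01","country":"AU","result":"success"}
{"ts":"2024-10-28T09:05:00Z","user":"alice","device":"lap-01","country":"AU","result":"success"}
{"ts":"2024-10-28T09:10:00Z","user":"bob","device":"lap-07","country":"AU","result":"success"}
{"ts":"2024-10-28T11:00:00Z","user":"alice","device":"unk-99","country":"RO","result":"failure"}
{"ts":"2024-10-28T11:00:20Z","user":"alice","device":"unk-99","country":"RO","result":"failure"}
{"ts":"2024-10-28T11:00:40Z","user":"alice","device":"unk-99","country":"RO","result":"success"}
{"ts":"2024-10-28T11:30:00Z","user":"bob","device":"lap-07","country":"AU","result":"success"}
{"ts":"2024-10-28T11:45:00Z","user":"bob","device":"tab-03","country":"AU","result":"success"}
"""

BASELINE_UNTIL = "2024-10-28T10:00:00Z"  # constructed: events before this only train the baseline


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_login(ev: dict, baseline: dict, recent_failures: int):
    """Score one successful login against the user's baseline; returns (score, tags)."""
    score, tags = 0, []
    if ev["device"] not in baseline["devices"]:
        score += 3
        tags.append("new_device")
    if ev["country"] not in baseline["countries"]:
        score += 4
        tags.append("new_country")
    if recent_failures >= 2:           # password spraying / guessing that finally worked
        score += 5
        tags.append("success_after_failures")
    return score, tags


def detect(events: list, baseline_until: str = BASELINE_UNTIL) -> list:
    """Process events in order and return alerts sorted by descending score."""
    baselines = defaultdict(lambda: {"devices": set(), "countries": set()})
    failures = defaultdict(int)
    alerts = {}  # user -> strongest alert, so a noisy session yields one alert, not many
    for ev in events:
        user = ev["user"]
        if ev["result"] != "success":
            failures[user] += 1
            continue
        # Same format and zone for every timestamp, so lexical order is chronological.
        if ev["ts"] >= baseline_until:
            score, tags = score_login(ev, baselines[user], failures[user])
            if score and score > alerts.get(user, {}).get("score", 0):
                alerts[user] = {"user": user, "ts": ev["ts"], "score": score, "tags": tags}
        failures[user] = 0
        # Learn after scoring, so the first sighting of a new device still fires.
        baselines[user]["devices"].add(ev["device"])
        baselines[user]["countries"].add(ev["country"])
    return sorted(alerts.values(), key=lambda a: a["score"], reverse=True)


def run_sample() -> list:
    """Run the detector over the constructed log; alice's login from an unknown
    device and country after two failures ranks first, bob's new tablet second."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

<p>The learning window stands in for the baselining period a UEBA tool would use; without it every user's first login would look anomalous. Keeping only the strongest alert per user is the simplest form of the de-duplication that keeps a continuously-verifying environment from burying analysts in near-identical alerts.</p>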



<h3 class="wp-block-heading">7. <strong>Overcomplication and Lack of Scalability</strong></h3>



<p>Zero Trust implementations can quickly become overcomplicated, especially when organizations try to enforce overly rigid controls or deploy too many disparate security tools without proper integration. This complexity can hinder scalability, making it difficult for organizations to adapt their Zero Trust architecture as they grow or adopt new technologies.</p>



<h4 class="wp-block-heading">Common Failures:</h4>



<ul class="wp-block-list">
<li><strong>Tool Overload:</strong> Organizations often deploy numerous security tools to cover various aspects of Zero Trust (e.g., endpoint security, IAM, data encryption). If these tools are not well-integrated or streamlined, they can introduce operational inefficiencies and create blind spots.</li>



<li><strong>Rigid Policies that Hinder Productivity:</strong> Overly strict security policies can interfere with day-to-day business operations, frustrating users and making them seek workarounds. This not only reduces productivity but also undermines the Zero Trust model by creating new security vulnerabilities.</li>



<li><strong>Difficulty Scaling:</strong> Many organizations struggle to scale their Zero Trust architecture as they expand. For example, new devices, users, or services may not be properly integrated into the existing security model, leading to gaps in protection.</li>
</ul>



<h4 class="wp-block-heading">Solution:</h4>



<p>Prioritize simplicity and integration when deploying Zero Trust tools. Look for unified platforms that offer multiple security functionalities within a single solution rather than piecing together disparate tools. Ensure that security policies are flexible enough to accommodate legitimate business needs without sacrificing security. Finally, design the Zero Trust architecture with scalability in mind, allowing for future growth and the integration of new technologies.</p>



<h3 class="wp-block-heading">Conclusion</h3>



<p>Implementing Zero Trust is no small feat. While its benefits are clear—improved security, reduced attack surface, and better protection against modern threats—the challenges of implementing Zero Trust cannot be underestimated. From poorly defined strategies and weak identity management to legacy systems and overly complex policies, there are numerous pitfalls that can lead to failure.</p>



<p>By understanding these common failure points and implementing the right solutions, organizations can successfully adopt Zero Trust and reap its full benefits. Achieving this requires a strategic, phased approach that balances security with usability and ensures that every component of the infrastructure is continuously verified, secured, and monitored. Organizations that address these challenges head-on will be better equipped to protect their assets, data, and users in an ever-evolving threat landscape.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Implementing Zero Trust: Best Practices and Key Areas for Success</title>
		<link>https://www.aykira.com.au/2024/10/implementing-zero-trust-best-practices-and-key-areas-for-success/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Thu, 24 Oct 2024 23:55:43 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software architecture]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[architecture]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[zero trust]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=4017</guid>

					<description><![CDATA[In an increasingly interconnected digital world, the traditional network perimeter security model is proving to be inadequate. With mobile devices, cloud services, and remote work being the norm, organizations can no longer rely on the assumption that everything within their network is inherently secure. Combine this with cybersecurity threats growing in sophistication, and the surface <a href="https://www.aykira.com.au/2024/10/implementing-zero-trust-best-practices-and-key-areas-for-success/" rel="nofollow"><span class="sr-only">Read more about Implementing Zero Trust: Best Practices and Key Areas for Success</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>In an increasingly interconnected digital world, the traditional network perimeter security model is proving to be inadequate. With mobile devices, cloud services, and remote work being the norm, organizations can no longer rely on the assumption that everything within their network is inherently secure. Combine this with cybersecurity threats growing in sophistication, and the surface for attacks continues to expand, making it clear that trust should no longer be a default assumption. Enter the Zero Trust security model.</p>



<p>Zero Trust is a modern cybersecurity approach that assumes no implicit trust inside or outside a network perimeter. Instead, <span style="text-decoration: underline;">everything</span> must be verified before granting access to <span style="text-decoration: underline;">any</span> resources. This model is being widely adopted by organizations of all sizes, driven by the need to reduce the risk of cyberattacks and protect critical assets where boundaries are constantly shifting.</p>



<p>In this blog post, we will explore the fundamentals of Zero Trust, outline the best practices for implementing it successfully, and highlight key areas that require specific attention to ensure a smooth and effective implementation.</p>



<h2 class="wp-block-heading">What Is Zero Trust?</h2>



<p>Zero Trust is a security concept based on the principle of &#8220;never trust, always verify.&#8221; This model eliminates the idea of trusted zones (such as internal networks) and untrusted zones (like external networks) and instead ensures access to systems, applications, and data is granted only after proper verification (based on strict security policies).</p>



<p>Zero Trust is not a single product or technology but rather a comprehensive strategy that includes a variety of components, such as identity and access management, endpoint security, data encryption, and monitoring. It focuses on continuously validating every interaction, regardless of where it originates, before granting access.</p>



<p>The pillars of Zero Trust can be summarized as:</p>



<ul class="wp-block-list">
<li><strong>Least Privilege Access:</strong> Ensure that users and devices have the minimum level of access required to perform their tasks, no more and no less.</li>



<li><strong>Continuous Verification:</strong> Trust is never permanent; it must be continuously verified based on context, such as user identity, device health, location, and behavior.</li>



<li><strong>Assume Breach Posture:</strong> Always operate with the assumption that a breach has already occurred, and limit the impact by segmenting access to resources.</li>
</ul>



<h2 class="wp-block-heading">Why Zero Trust Matters</h2>



<p>Organizations across industries face a growing number of cyber threats, from ransomware attacks to data breaches and insider threats. Traditional perimeter-based defences are not sufficient to protect against these threats, as they cannot account for the dynamic and decentralized nature of modern IT environments.</p>



<p>Zero Trust offers several advantages, including:</p>



<ul class="wp-block-list">
<li><strong>Improved security posture:</strong> By assuming that every request, even from within the network, is potentially malicious, Zero Trust reduces the likelihood of unauthorized access.</li>



<li><strong>Mitigation of insider threats:</strong> With continuous verification and least-privilege access, even trusted users within the organization cannot overreach their access rights.</li>



<li><strong>Minimized attack surface:</strong> Network segmentation and micro-segmentation ensure that if an attacker gains access to a system, their ability to move laterally is severely limited.</li>



<li><strong>Better visibility:</strong> The model emphasizes monitoring and logging of all user and device interactions, providing better visibility into activity across the environment.</li>



<li><strong>Support for remote work and BYOD:</strong> Zero Trust policies can apply to any device, anywhere, making it well-suited for a distributed workforce and modern cloud-based environments.</li>
</ul>



<h2 class="wp-block-heading">Key Areas to Focus on When Implementing Zero Trust</h2>



<p>Implementing Zero Trust is not a one-size-fits-all solution, and its success depends on a holistic approach that addresses multiple aspects of security architecture. Below are the key areas to focus on during implementation and why getting these right is key.</p>



<h3 class="wp-block-heading">1. Identity and Access Management (IAM)</h3>



<p>Identity is the foundation of Zero Trust. The model relies heavily on strong authentication methods to ensure that only the right people have access to the right resources at the right time. Therefore, <strong>Identity and Access Management (IAM)</strong> should be one of the first areas of focus when implementing Zero Trust.</p>



<p><strong>Best Practices for IAM in Zero Trust:</strong></p>



<ul class="wp-block-list">
<li><strong>Multi-factor Authentication (MFA):</strong> Require multiple independent forms of authentication for access to critical resources. Passwords alone are not sufficient, and MFA significantly increases security by adding additional layers of verification, such as biometrics, hardware tokens, or one-time passcodes.</li>



<li><strong>Single Sign-On (SSO):</strong> Implement SSO to streamline access management and reduce the attack surface created by multiple login credentials. When combined with MFA, SSO enhances user experience without sacrificing security.</li>



<li><strong>Identity Federation:</strong> Use identity federation to extend authentication across multiple systems, especially cloud services. This enables a seamless experience for users while enforcing consistent security policies.</li>



<li><strong>Role-Based Access Control (RBAC):</strong> Limit access based on roles within the organization, ensuring that users can only access resources required for their job. Use the principle of least privilege to restrict unnecessary access.</li>



<li><strong>Just-In-Time (JIT) Access:</strong> Instead of giving users or devices long-standing access to sensitive resources, implement JIT access that grants privileges only when needed and revokes them immediately afterwards.</li>
</ul>



<p><strong>Key Attention Areas:</strong></p>



<ul class="wp-block-list">
<li>Implement robust identity governance to monitor access rights over time, and continually reassess roles and permissions.</li>



<li>Implement conditional access policies that assess user behaviour, device health, and network context before granting access.</li>
</ul>
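<p>The IAM practices and attention areas above (mandatory MFA, role-based least privilege, just-in-time grants that lapse, and conditional access on device health and network context) combine into a single policy decision. The following is an added example, not code from this post or from any IAM product: a minimal policy decision point that denies by default and records every failed check so the audit log explains each denial. The roles, resources, device attributes, network labels, user names, timestamps and the 30-minute JIT window are all constructed for the demonstration.</p>

```python
"""
Added example, not code from the Aykira post: a minimal Zero Trust policy
decision point. MFA is mandatory, permissions come from roles (least
privilege), elevated access is a just-in-time grant that expires on its own,
and device health plus network context are checked on every request.
All users, roles, devices, resources and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> resources it may reach. Anything not listed is denied (constructed).
ROLE_PERMISSIONS = {
    "engineer": {"git", "ci"},
    "finance": {"ledger"},
}


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in MDM / asset inventory
    patched: bool          # current security patches applied
    disk_encrypted: bool


@dataclass
class JitGrant:
    user: str
    resource: str
    expires_at: datetime   # the grant lapses automatically


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device: Device
    source_network: str    # "corp", "home" or "unknown"
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # failed checks, for the audit log


def device_is_healthy(d: Device) -> bool:
    return d.managed and d.patched and d.disk_encrypted


def grant_jit(user: str, resource: str, now: datetime, minutes: int = 30) -> JitGrant:
    """Time-boxed elevation instead of a standing privilege."""
    return JitGrant(user, resource, now + timedelta(minutes=minutes))


def evaluate(req: AccessRequest, jit_grants: list) -> Decision:
    """Default deny: every check must pass, and each failure is recorded."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not device_is_healthy(req.device):
        reasons.append("device_non_compliant")
    if req.source_network == "unknown":
        reasons.append("untrusted_network")
    role_ok = req.resource in ROLE_PERMISSIONS.get(req.role, set())
    jit_ok = any(
        g.user == req.user and g.resource == req.resource and g.expires_at > req.now
        for g in jit_grants
    )
    if not (role_ok or jit_ok):
        reasons.append("no_permission")
    return Decision(allow=not reasons, reasons=reasons)


def demo_scenarios() -> dict:
    """Constructed requests showing allow, the individual denials, and JIT expiry."""
    t0 = datetime(2024, 10, 24, 9, 0, tzinfo=timezone.utc)
    good = Device("lap-01", managed=True, patched=True, disk_encrypted=True)
    stale = Device("lap-02", managed=True, patched=False, disk_encrypted=True)
    grants = [grant_jit("alice", "ledger", t0, minutes=30)]  # alice is an engineer, not finance

    def req(**overrides):
        base = dict(user="alice", role="engineer", resource="git", mfa_verified=True,
                    device=good, source_network="corp", now=t0)
        base.update(overrides)
        return AccessRequest(**base)

    return {
        "role_allows_git": evaluate(req(), grants),
        "no_mfa": evaluate(req(mfa_verified=False), grants),
        "unpatched_device": evaluate(req(device=stale), grants),
        "unknown_network": evaluate(req(source_network="unknown"), grants),
        "jit_ledger_in_window": evaluate(req(resource="ledger", now=t0 + timedelta(minutes=10)), grants),
        "jit_ledger_expired": evaluate(req(resource="ledger", now=t0 + timedelta(minutes=31)), grants),
    }


if __name__ == "__main__":
    for name, decision in demo_scenarios().items():
        print(f"{name:22} allow={decision.allow} reasons={decision.reasons}")
```

<p>Two design points carry over to a real deployment: the function collects every failed check rather than returning on the first one, which is what makes the audit trail useful for identity governance reviews, and the JIT grant is compared against the time of the request, so revocation needs no extra step once the window closes.</p>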



<h3 class="wp-block-heading">2. Device Security and Endpoint Protection</h3>



<p>In a Zero Trust environment, the security of devices connecting to the network is paramount. Whether the device is owned by the organization (corporate-owned) or the individual (BYOD), it must meet specific security criteria before it can be trusted.</p>



<p><strong>Best Practices for Device Security:</strong></p>



<ul class="wp-block-list">
<li><strong>Endpoint Detection and Response (EDR):</strong> Deploy EDR solutions to monitor and detect malicious behaviour on endpoints (such as laptops, desktops, and mobile devices). EDR can help detect threats in real-time and contain them before they spread.</li>



<li><strong>Device Compliance Checks:</strong> Implement continuous monitoring of devices to ensure compliance with security policies. This includes checking for and requiring the latest security patches, endpoint protection software, and device encryption.</li>



<li><strong>Network Access Control (NAC):</strong> Use NAC solutions to enforce security policies on devices trying to access network resources. NAC can evaluate the security posture of a device and block or limit access if the device does not meet the required criteria.</li>



<li><strong>Mobile Device Management (MDM):</strong> Enforce security policies on mobile devices, including encryption, app whitelisting, and remote wipe capabilities to protect sensitive data in case a device is lost or stolen.</li>
</ul>



<p><strong>Key Attention Areas:</strong></p>



<ul class="wp-block-list">
<li>Ensure that devices are continuously monitored for compliance with security standards. A device that was secure yesterday may not be secure today.</li>



<li>Consider adopting a Zero Trust Network Access (ZTNA) solution to replace VPNs and provide secure access to resources based on the device’s security status and the user’s identity.</li>
</ul>



<h3 class="wp-block-heading">3. Network Segmentation and Micro-Segmentation</h3>



<p>Zero Trust demands that access to resources is tightly controlled and that the attack surface is minimized at all times. To achieve this, network segmentation and <strong>micro-segmentation</strong> are crucial components of the implementation.</p>



<p><strong>Best Practices for Network Segmentation:</strong></p>



<ul class="wp-block-list">
<li><strong>Micro-Segmentation:</strong> Divide your network into smaller, isolated segments and apply security controls to each one. This ensures that even if an attacker gains access to one segment, they cannot easily move laterally to other areas and are likely to be detected trying to do so.</li>



<li><strong>Software-Defined Perimeters (SDP):</strong> Use software-defined perimeters to create a virtual boundary around applications, isolating them from the rest of the network and making them invisible to unauthorized users.</li>



<li><strong>Granular Access Control Policies:</strong> Apply strict access controls on every network segment to ensure that users and devices can only access resources within their designated area.</li>
</ul>



<p><strong>Key Attention Areas:</strong></p>



<ul class="wp-block-list">
<li>Ensure that segmentation is dynamic and can adapt to changing network conditions, user behavior, and threat levels.</li>



<li>Pay close attention to managing traffic between segments to prevent unauthorized access or data exfiltration.</li>



<li>Implement in-flight traffic monitoring and alerting on suspicious activity.</li>
</ul>



<h3 class="wp-block-heading">4. Data Protection and Encryption</h3>



<p>Zero Trust not only focuses on who and what can access the network but also on the protection of data. Data should be protected at all stages—at rest, in transit, in use and when destroyed.</p>



<p><strong>Best Practices for Data Protection:</strong></p>



<ul class="wp-block-list">
<li><strong>Data Encryption:</strong> Encrypt sensitive data both at rest and in transit. Encryption ensures that even if an attacker gains access to the data, they cannot read it without the decryption key.</li>



<li><strong>Data Classification:</strong> Implement a data classification system to identify and label sensitive information. This enables the organization to apply specific security controls and policies based on the sensitivity of the data.</li>



<li><strong>Data Loss Prevention (DLP):</strong> Use DLP solutions to prevent unauthorized access to sensitive data. DLP tools can monitor and control data flows, ensuring that sensitive information is not accidentally or intentionally leaked.</li>
</ul>



<p><strong>Key Attention Areas:</strong></p>



<ul class="wp-block-list">
<li>Ensure that encryption keys are securely managed, with appropriate rotation policies and secure storage.</li>



<li>Implement access controls to prevent unauthorized users from accessing or modifying sensitive data.</li>
</ul>



<h3 class="wp-block-heading">5. Monitoring, Analytics, and Threat Detection</h3>



<p>Continuous monitoring and analytics play a vital role in the Zero Trust model. Since trust is never implicit, organizations must continuously verify access requests, monitor activity, and analyze behavior for any signs of compromise.</p>



<p><strong>Best Practices for Monitoring and Threat Detection:</strong></p>



<ul class="wp-block-list">
<li><strong>Security Information and Event Management (SIEM):</strong> Implement SIEM solutions to collect and analyze security logs in real-time. SIEM can help detect potential security incidents early by correlating events from multiple sources.</li>



<li><strong>User and Entity Behavior Analytics (UEBA):</strong> Use UEBA solutions to identify abnormal user and entity behavior that could indicate an insider threat or compromised account.</li>



<li><strong>Automated Threat Response:</strong> Leverage automated threat detection and response solutions that can act quickly to contain threats without requiring manual intervention.</li>
</ul>



<p><strong>Key Attention Areas:</strong></p>



<ul class="wp-block-list">
<li>Ensure that monitoring tools cover the entire environment, including cloud workloads, endpoints, and internal networks.</li>



<li>Regularly review security logs and alerts to avoid alert fatigue and ensure that critical incidents are addressed promptly.</li>
</ul>



<h2 class="wp-block-heading">Overcoming Challenges in Zero Trust Implementation</h2>



<p>Implementing Zero Trust is not without its challenges. Below are some common hurdles organizations face and strategies to overcome them:</p>



<ol class="wp-block-list">
<li><strong>Cultural Resistance:</strong> Transitioning to a Zero Trust model can face pushback from employees and IT staff who are used to more traditional security models. It&#8217;s essential to communicate the value of Zero Trust, provide adequate training, and involve key stakeholders in the process.</li>



<li><strong>Complexity:</strong> Zero Trust requires significant changes to infrastructure, identity management, and security policies. Break down the implementation into manageable steps and prioritize the most critical areas first. Use pilot implementations to gain experience and understand the complexities with the least risk.</li>



<li><strong>Legacy Systems:</strong> Many organizations rely on legacy systems that may not be compatible with modern security practices. When possible, update or replace legacy systems, and where not possible, implement compensating controls to mitigate risks.</li>
</ol>



<h2 class="wp-block-heading">Conclusion</h2>



<p>Implementing Zero Trust is an ongoing journey that requires a shift in mindset, architecture, and culture. By focusing on key areas such as identity management, device security, network segmentation, data protection, and monitoring, organizations can significantly enhance their security posture and reduce the risk of cyberattacks.</p>



<p>While the implementation process may seem daunting, the benefits of adopting a Zero Trust approach far outweigh the challenges. In an era where the threat landscape is constantly evolving, Zero Trust offers a scalable, flexible, and effective framework to protect critical assets and maintain trust in a world where trust is never assumed.</p>



<p>Embrace Zero Trust today to secure your organization&#8217;s future.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>This blog post covers the fundamental aspects and best practices for implementing Zero Trust in a modern environment. If you need more details or have specific questions, feel free to reach out!</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthening username and password logins</title>
		<link>https://www.aykira.com.au/2024/09/strengthening-username-and-password-logins/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Sun, 08 Sep 2024 23:25:31 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[passwords]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3971</guid>

					<description><![CDATA[Username and password based login is often seen as the weakest link in authentication &#8211; too often people choose weak passwords, write them down or reuse them. So on their own they are an easy target for hackers. But it need not be this way, if you have the ability to implement a few additional <a href="https://www.aykira.com.au/2024/09/strengthening-username-and-password-logins/" rel="nofollow"><span class="sr-only">Read more about Strengthening username and password logins</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p><strong>Username and password based login is often seen as the weakest link in authentication &#8211; too often people choose weak passwords, write them down or reuse them. So on their own they are an easy target for hackers. But it need not be this way: if you have the ability to implement a few additional features in the login process, you can make it that much harder for a hacker, even to the extent that they will give up and go elsewhere.</strong></p>



<p><em>It should also be remembered that certain classes of users (the elderly and the disabled, for instance) may not be able to use or afford modern smartphones or other devices to implement MFA (Multi Factor Authentication) &#8211; so we need to do our best to ensure username/password based login is secure and usable in such situations.</em></p>



<p>In this article we will cover some simple techniques, along with a few advanced techniques, for strengthening username/password based security. You can also use this article as a checklist for when you have to integrate with a 3rd party who only offers username/password based login.</p>



<h2 class="wp-block-heading">1. Defeating password guessing</h2>



<p>Before we do anything with the core username/password authentication process, there are a few simple things that need to be done to dent or completely stop scripted dictionary password attempts. Such an attack is where the hacker either doesn&#8217;t know the username and password, or just doesn&#8217;t know the password (say you allow an employee email address as a username). There are four key approaches to denting this attack.</p>



<p>The first is to log failed attempts to login, and record in that log at least the source IP and User Agent (more on this later). With the source IP you can use tools like <a href="https://github.com/fail2ban/fail2ban" data-type="link" data-id="https://github.com/fail2ban/fail2ban">fail2ban</a> to implement a maximum number of failed attempts per source IP, so if the hacker exceeds the limit in a given timeframe, they get banned from accessing the login service for a period of time. Using tools like fail2ban is great as usually you don&#8217;t have to modify your code, and you can configure fail2ban to pick up on other failures, say mismatches on the password reset form, and feed them into the same ruleset for analysis.</p>



<p>The second technique is to have a form crumb tied to the session cookie. This forces an attacking script to be complex enough to load the whole page and cookie, then submit the username/password guess with the crumb and cookie, in order to make a valid attempt. In essence, when you create the form, you generate a random number, store that random number in the session record and put it in an additional field in the form (say called crumb). Then when you process the form, check that the submitted crumb matches what was stored in the session record, and immediately afterwards blank the entry in the session record. You can also use the same crumb technique on the password reset form.</p>



<p>The third technique is displaying a <a href="https://en.wikipedia.org/wiki/CAPTCHA" data-type="link" data-id="https://en.wikipedia.org/wiki/CAPTCHA">captcha</a> immediately after a wrong password is entered. This avoids the need to trigger the captcha off some failed-attempt counting metric; you just need a flag in the user record indicating &#8216;showedCaptcha&#8217;, so that a successful login needs both a correct password and a successful captcha challenge.</p>



<p>The fourth technique involves ensuring people choose sufficiently complex passwords. Avoid the old way of demanding a mix of uppercase/lowercase with some digits and special symbols &#8211; it just encourages people to reuse passwords. Instead lean towards longer phrase based passwords; they are much more memorable and much harder to guess. Say, mix up significant places, people and objects not known to an external observer. Also, with sufficiently long unique phrases, the need to force periodic password changes on people can be relaxed in certain situations, as forced changes can likewise cause excessive password reuse and formulaic passwords.</p>
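<p>As an added example (not the article&#8217;s own code and not tied to any product), the login handler below combines the crumb, captcha-flag and failure-logging techniques described above. The session and user stores, the sample user and passphrase, and the log line format are constructed for the example, and the password hash function is an assumption rather than anything the article prescribes.</p>

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the session store, user table and the
# failed-login log (assumptions for this example, not the article's code).
SESSIONS = {}
FAILED_LOGINS = []

SAMPLE_PASSWORD = "correct horse battery staple"   # constructed sample passphrase
_SAMPLE_SALT = b"constructed-salt"                 # constructed; use os.urandom(16) per user


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash (assumed choice) so a stolen table is costly to attack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "salt": _SAMPLE_SALT,
        "pw_hash": _hash_password(SAMPLE_PASSWORD, _SAMPLE_SALT),
        "showedCaptcha": False,   # the per-user flag the article describes
    },
}


def render_login_form(session_id: str) -> str:
    """Called when the form is built: mint a random crumb, store it in the
    session record and return it for the hidden 'crumb' field."""
    crumb = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["crumb"] = crumb
    return crumb


def log_failure(reason: str, username: str, source_ip: str, user_agent: str) -> str:
    """Record a failed attempt with at least the source IP and User Agent. The
    line format is constructed here; it is what a fail2ban filter would match."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    line = f"{stamp} login-failed reason={reason} user={username!r} ip={source_ip} ua={user_agent!r}"
    FAILED_LOGINS.append(line)
    return line


def process_login(session_id: str, submitted_crumb: str, username: str,
                  password: str, captcha_solved: bool,
                  source_ip: str, user_agent: str) -> str:
    """Returns 'ok', 'bad_crumb', 'captcha_required' or 'bad_password'."""
    # 1. Crumb: pop the stored value first so it is single use whatever happens;
    #    a replayed POST, or a script that never loaded the form, fails here.
    stored = SESSIONS.get(session_id, {}).pop("crumb", None)
    if stored is None or not hmac.compare_digest(stored.encode(), submitted_crumb.encode()):
        log_failure("bad_crumb", username, source_ip, user_agent)
        return "bad_crumb"

    # Unknown users take the same path as a wrong password, so the response
    # does not reveal which usernames exist.
    user = USERS.get(username)
    if user is None:
        log_failure("bad_password", username, source_ip, user_agent)
        return "bad_password"

    # 2. Captcha gate, checked before the password so the answer never reveals
    #    whether the guess was right: once the flag is set, a solved captcha
    #    is required alongside the password.
    if user["showedCaptcha"] and not captcha_solved:
        log_failure("captcha_required", username, source_ip, user_agent)
        return "captcha_required"

    # 3. Password check; the first wrong guess switches the captcha on for all
    #    later attempts, with no failed-attempt counter to maintain.
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        user["showedCaptcha"] = True
        log_failure("bad_password", username, source_ip, user_agent)
        return "bad_password"

    user["showedCaptcha"] = False   # a clean login clears the flag
    return "ok"
```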



<h2 class="wp-block-heading">2. Closing the barn door</h2>



<p>The biggest problem with most username/password login systems is that they are just open to everyone. Anyone on the planet can typically access a login page and be considered valid to try to login. This is just wrong: 99.9% of logins are from machines that logged in previously, and we should make good use of that to improve security. Below are a few techniques which make use of this.</p>



<p>First off is making use of the source IP (for IPv4 the /24, for IPv6 typically the first half) as a location tracker, in effect. This way, if a user keeps logging in from the same place, no additional security controls come into effect. If they try to login from a previously unseen IP, you should not allow them to login, and instead send them an email to confirm the IP is indeed them. If they do confirm, you then allow the login to proceed. In effect the email contains a signed link that encodes the IP and directs to the login form. The session then contains that IP as an &#8216;approved IP&#8217;, and once they login successfully, the IP is added to the allowed list. Note: the allowed IP list should expire unused IPs after a month.</p>



<p>Secondly, make use of the browser by planting a long-lived cookie on it; the cookie contains a signature created from at least the username and the browser User Agent. This way a hacker can&#8217;t just take the cookie and replay it without setting up the whole browser environment as well. If a user tries to login without a valid long-lived cookie, they fail to login and an email similar to the one above is sent to give them a path to verify their browser.</p>



<p>Thirdly, login form pages should not be pulling in all sorts of 3rd party dependencies. The risk here is that 3rd party behaviour tracking or analytics code could be compromised by a hacker, or it could be &#8216;noisy&#8217; and record authentication information by accident. Ideally keep 3rd party dependencies on login pages to an absolute minimum.</p>



<p>Fourthly, if you know employees should only login from a well known set of IPs (say the corporate IP block), ensure this can be supported as a login restriction. In a SAAS context this should be able to be set up on the customer record, so all login accounts for that customer are automatically restricted.</p>
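<p>The source IP, emailed confirmation link, long-lived browser cookie and customer IP restriction checks described above, as an added example that is not part of the original article. The secret key, the one-hour link lifetime, the token encoding and the function names are assumptions; the one-month expiry of unused IPs and the /24 and /64 grouping follow the text.</p>

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed server-side secret (assumption for this example; in production it
# lives in a secret store, never in source control).
SECRET_KEY = b"constructed-secret-for-example-only"
NETWORK_TTL = 30 * 24 * 3600   # approved networks not used for a month expire
CONFIRM_TTL = 60 * 60          # assumed lifetime of the emailed confirmation link


def network_key(ip: str) -> str:
    """Reduce a source IP to its 'location': the /24 for IPv4 and the first half
    (/64) for IPv6, as the article suggests."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_ip_confirmation_token(username: str, ip: str, now: float) -> str:
    """Signed token for the emailed link: encodes the user, the network seen and
    an expiry, so only the mailbox owner can approve exactly that network."""
    payload = f"{username}|{network_key(ip)}|{int(now) + CONFIRM_TTL}"
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    return f"{body}.{_sign(payload)}"


def verify_ip_confirmation_token(token: str, now: float):
    """Return (username, network) if the token is authentic and unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body).decode()
        username, network, expires = payload.split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig) or now > int(expires):
        return None
    return username, network


def approve_network(user: dict, network: str, now: float) -> None:
    """Called when the signed link is followed: the network becomes 'approved'."""
    user.setdefault("approved_networks", {})[network] = now


def network_is_approved(user: dict, ip: str, now: float) -> bool:
    """True if this IP's network was approved and used within the last month;
    stale entries are pruned and a hit refreshes the timestamp."""
    nets = user.setdefault("approved_networks", {})
    for net, last_seen in list(nets.items()):
        if now - last_seen > NETWORK_TTL:
            del nets[net]
    key = network_key(ip)
    if key not in nets:
        return False
    nets[key] = now
    return True


def make_browser_cookie(username: str, user_agent: str) -> str:
    """Long-lived cookie value: a signature over username and User Agent, so a
    copied cookie is useless unless the same browser environment is replayed too."""
    return _sign(f"browser|{username}|{user_agent}")


def browser_cookie_is_valid(cookie: str, username: str, user_agent: str) -> bool:
    return hmac.compare_digest(make_browser_cookie(username, user_agent), cookie)


def ip_in_customer_ranges(ip: str, ranges: list) -> bool:
    """Customer-level restriction: accounts may only log in from the listed CIDR
    blocks; an empty list means the customer has set no restriction."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def check_login_origin(user: dict, ip: str, user_agent: str, cookie: Optional[str],
                       customer_ranges: list, now: float) -> str:
    """Run before the password is even looked at. Returns 'ok', 'ip_restricted',
    'unknown_ip' (caller emails a confirmation token) or 'unknown_browser'."""
    if not ip_in_customer_ranges(ip, customer_ranges):
        return "ip_restricted"
    if not network_is_approved(user, ip, now):
        return "unknown_ip"
    if cookie is None or not browser_cookie_is_valid(cookie, user["name"], user_agent):
        return "unknown_browser"
    return "ok"
```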



<div class="wp-block-group has-vivid-cyan-blue-color has-text-color has-link-color wp-elements-24dd0955a8b3546150b66d5ed2b4c20e"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained">
<h3 class="wp-block-heading">Should SAAS charge more for this?</h3>



<p><strong><em>Just a little aside here: charging more for services like IP restriction is inherently evil. Why? You are often forcing those customers who can least afford it to make a choice between more security or spending limited money on something else, and 9 times out of 10 spending more on security will lose. Instead make it standard for the smaller customers and only charge the big end of town, or have a &#8216;first 10 seats are free&#8217; rule. It may sound backwards, but you will be helping those who are in the worst security position &amp; have the most to lose to protect themselves.</em></strong></p>
</div></div>



<h2 class="wp-block-heading">3. Limit Impact</h2>



<p>This goes for all methods of authentication (MFA or not): once a hacker obtains access to a system, the only thing reducing the impact is what they are able to do with that login. Therefore you need to ensure that the permission system in the product is sufficiently fine-grained and scoped that the impact is contained. Below are some techniques that can be applied.</p>



<p>First off, ensure actions mimic real world processes in terms of their permission structure. In effect, if an action required a two person sign-off in the real world, the same MUST apply in the product. This way a hacker cannot short circuit safeguards. It is not good enough to simply notify a manager that something is being done: approval must be required beforehand, and the action blocked until approval is gained. Too many systems fall back on the sensitive-operation notification model, and when a hack occurs out of hours, you will find out too late to do anything. Also the notification will often not contain an ability to block the action, making it even more useless; the manager will have to track down someone in IT to look into it and stop whatever is going on. This just doesn&#8217;t work, so don&#8217;t even do it; approvals are hard gates, no other way.</p>



<p>Second, implement user behaviour tracking. This could be as simple as providing a user access log of activity, all the way through to behaviour analysis to find &#8216;out of band&#8217; actions that should be notified to management. In this way unusual out-of-hours access could be flagged as soon as it happens. You could also use this to implement authentication scoring, i.e. analyse the when, where and what of a login attempt and have a validity threshold to permit the login.</p>
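<p>An added example (not the article&#8217;s own code) of the approval-as-hard-gate model and the out-of-hours flagging described in this section: the action refuses to run until a second person, distinct from the requester, has approved it, and every step lands in an activity log that marks out-of-hours entries. The business-hours window, the sample timestamps and the data structures are constructed for the example.</p>

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 18)   # constructed: 08:00-17:59 UTC, Monday to Friday
ACTIVITY_LOG = []               # constructed user access log

# Constructed sample timestamps: a Sunday night and the following Monday morning.
SUNDAY_NIGHT = datetime(2024, 9, 8, 2, 30, tzinfo=timezone.utc)
MONDAY_MORNING = datetime(2024, 9, 9, 10, 0, tzinfo=timezone.utc)


@dataclass
class SensitiveAction:
    """An action that in the real world needs a two-person sign-off."""
    name: str
    requested_by: str
    approvals_needed: int = 1       # one approver besides the requester = two people
    approvers: set = field(default_factory=set)
    executed: bool = False


def is_out_of_hours(ts: datetime) -> bool:
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def record_activity(user: str, what: str, ts: datetime) -> dict:
    """Every step lands in the access log; out-of-hours entries are flagged so
    behaviour analysis (or a simple alert) can pick them up as they happen."""
    entry = {"user": user, "what": what, "at": ts.isoformat(), "flagged": is_out_of_hours(ts)}
    ACTIVITY_LOG.append(entry)
    return entry


def approve(action: SensitiveAction, approver: str, ts: datetime) -> str:
    if action.executed:
        return "already_executed"
    if approver == action.requested_by:
        return "rejected_self_approval"   # the requester cannot be the second person
    action.approvers.add(approver)
    record_activity(approver, f"approved {action.name}", ts)
    return "approved"


def execute(action: SensitiveAction, perform, ts: datetime) -> str:
    """Hard gate: perform() does not run until the approvals exist. A notify-only
    model would run it here and tell a manager afterwards, when it is too late."""
    if action.executed:
        return "already_executed"
    if len(action.approvers) < action.approvals_needed:
        record_activity(action.requested_by, f"blocked {action.name}", ts)
        return "blocked_awaiting_approval"
    perform()
    action.executed = True
    record_activity(action.requested_by, f"executed {action.name}", ts)
    return "executed"
```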



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><strong>We hope the above article has been informative and provides you with some pointers on improving the security of your username/password login service without inconveniencing the users. If you would like to know more, please <a href="https://www.aykira.com.au/contact/" data-type="page" data-id="32">contact us</a> or <a href="https://amzn.to/2xyQkUJ" data-type="link" data-id="https://amzn.to/2xyQkUJ">buy our book</a>.</strong></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The CrowdStrike Outage: the view from the Grassy Knoll&#8230;</title>
		<link>https://www.aykira.com.au/2024/07/the-crowdstrike-outage-the-view-from-the-grassy-knoll/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Sat, 20 Jul 2024 02:06:43 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[software architecture]]></category>
		<category><![CDATA[architecture]]></category>
		<category><![CDATA[crowdstrike]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3983</guid>

					<description><![CDATA[In this article we look at what could be the root cause of the CrowdStrike outage and what could have been done to prevent it.]]></description>
										<content:encoded><![CDATA[
<p><strong><em>Disclaimer: This article is based on an analysis of yet-to-be-confirmed facts, so treat it as a &#8216;what-if&#8217; type analysis of probable events or technical set-ups that could have led to the outage. The full post mortem analysis won&#8217;t be out for a few days; we wait with bated breath</em></strong>&#8230;</p>



<p>Yesterday, at around 3.30pm AEST, people started to notice that Windows PCs were restarting and going into the Blue Screen of Death (BSOD) &#8211; a fatal non-operating state for a Windows machine. Once in such a state it requires manual intervention to restart (more on this later). Before long, millions, if not hundreds of millions of machines were being impacted globally. <strong><em>Update</em></strong>: it turns out just over 8 million machines were directly impacted; there are no figures yet on what was indirectly impacted, which will be higher.</p>



<h2 class="wp-block-heading">TL/DR &#8211; Root Cause</h2>



<p>It turns out the root cause, as best as we can tell at this stage, is that a virus/malware definition file was pushed out by CrowdStrike to its Falcon Sensors (software installed on their customers&#8217; computers to detect and block viruses and malware) that was malformed enough to cause the receiving machines to go into a BSOD state when they tried to process the file. Rebooting the machines did not help, as the update would be applied again and the machine would go into the BSOD state again.</p>



<h2 class="wp-block-heading">TL/DR &#8211; The fix</h2>



<p>As described on the <a href="https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/" data-type="link" data-id="https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/">CrowdStrike</a> site, either reboot the host to see if it will receive the updated definition file (they call it a channel file), or boot the machine into Safe Mode, locate the <code>%WINDIR%\System32\drivers\CrowdStrike</code> directory, find the file matching “<code>C-00000291*.sys</code>” and delete it, then reboot. You may need the BitLocker recovery key if the host is encrypted. Good luck!</p>



<h2 class="wp-block-heading">Suspected Root Cause</h2>



<p>Based on reports on the <a href="https://twitter.com/snicoara/status/1814184181863526504" data-type="link" data-id="https://twitter.com/snicoara/status/1814184181863526504">Internet</a>, it looks like the malformed channel file was able to cause a null pointer dereference fault or a similar level exception event, which, given the Falcon Sensor is running in a privileged kernel environment, triggers an instant kernel panic and a BSOD to halt the system. One such stack trace is shown below.</p>



<figure class="wp-block-image size-large"><a href="https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage.png"><img fetchpriority="high" decoding="async" width="1024" height="720" src="https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage-1024x720.png" alt="" class="wp-image-3984" srcset="https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage-1024x720.png 1024w, https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage-300x211.png 300w, https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage-768x540.png 768w, https://www.aykira.com.au/wp-content/uploads/2024/07/crowdstrike-outage.png 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></figure>



<p>The Error text is highlighted in Red, showing an attempt to read from an address at 00000009c, but the real killer is what is highlighted in Green: this shows it was using the contents of memory address 0000000000000 as a pointer to read memory from another location &#8211; not good. We know this is CrowdStrike code from the Blue box, where the name of the program is csagent.</p>



<p>So how did this come about? Well, there have been a few <a href="https://news.ycombinator.com/item?id=41009740" data-type="link" data-id="https://news.ycombinator.com/item?id=41009740">reports</a> of the bad <code>C-00000291*.sys</code> file containing all zeros rather than data. Now given these files contain some representation of multiple signatures of new malware or viruses for the CrowdStrike engine to detect, it&#8217;s very likely each signature will be of a different length. So how do you read in each definition from a single file? <strong>Note</strong>: the sys extension has no significance for the format of what the file contains; its usage varies across the system from text files, to flat databases, to system drivers.</p>



<p><strong><em>Update</em></strong>: there have also been reports of Channel files that are not all zeros causing the same crash; it may well be that a zero byte at a certain place in the file is the root cause, or some other vector is at play.</p>



<h3 class="wp-block-heading">Inline variable length record handling</h3>



<p>The usual way to deal with multiple variable length records in a file is to have a block that gives the length of the following data block, so you can pick out each data block and advance to the next block, where you pick up its length, and the cycle continues until you reach the end of the file. You end up with a file structure like that shown below.</p>


<div class="wp-block-image">
<figure class="aligncenter size-full is-resized"><a href="https://www.aykira.com.au/wp-content/uploads/2024/07/variable_length_records.png"><img decoding="async" width="245" height="440" src="https://www.aykira.com.au/wp-content/uploads/2024/07/variable_length_records.png" alt="" class="wp-image-3985" style="width:224px;height:auto" srcset="https://www.aykira.com.au/wp-content/uploads/2024/07/variable_length_records.png 245w, https://www.aykira.com.au/wp-content/uploads/2024/07/variable_length_records-167x300.png 167w" sizes="(max-width: 245px) 100vw, 245px" /></a></figure></div>


<p>The Blue blocks contain the length of the following block (which I call N), so you can read in exactly the length of the Data block, then jump to its end and pick up the next block. I would suspect that the Falcon Sensor code made use of the value of N to reserve memory, then attempted to write the following data block into that memory, as you would want all the signatures you are attempting to match in memory. Other things could well be going on, for example linking signatures to a table of file extensions to match against, but at the start you need to read the data block into memory and then process it in whatever way needs to be done.</p>



<p>So what happens if you feed a file full of zeroes into such a processing system? Well, the first block length will be read as zero, the program will then try to reserve memory of zero length, which is an error, and the underlying routine will likely just return a zero to indicate failure. The program will then try to dereference this zero pointer at some point and cause an exception, leading to a halt state given the Falcon sensor is operating in a privileged environment. This might not be precisely the causal chain, but throwing zeros into a system expecting non-zero values will cause a fence post critical error somewhere along the processing chain (if not checked for).</p>



<h3 class="wp-block-heading">So how did such a file get created?</h3>



<p>I suspect the program on the server side either encountered a storage fault, i.e. either the creation of the individual signatures was faulty or the storage of them was faulty, <strong>OR</strong> the subsequent reading and construction of the channel file was faulty. Given the reports of a file containing all zeros, and that a single file is the root cause (from what has been discovered so far), I think it&#8217;s the program creating the channel files that is at fault. It may be the delivery mechanism that faulted, but if that were the case I would have expected those impacted to be &#8216;patchy&#8217; (excuse the pun), in that only a subset of people would be impacted, and this wouldn&#8217;t require a totally new file to be created to address the problem: you would just send out the old one correctly to those impacted.</p>



<h2 class="wp-block-heading">What could have been done differently?</h2>



<p>First off, the Falcon sensor should not be assuming the Channel file is correctly formed; it should have been scanned first for basic integrity and correctness prior to doing any processing using it. Just checking a checksum is not enough, you need to assume the worst, especially when operating at the kernel level.</p>



<p>In a similar way the delivery stage should perform some basic checks on the file integrity before making a Channel file available for download. Now it may be that the file is encrypted and signed prior to the delivery stage; if that is so, whatever was feeding the delivery stage needs to do these checks before it sends the file to the delivery stage, then confirm that what the delivery stage has is what it sent, and then flag it valid for onward delivery. In effect a baton of correctness is passed along by always verifying that what was sent is what was received.</p>
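<p>An added example, not CrowdStrike&#8217;s code nor a description of the real Channel file format, that ties together the variable-length record walk described earlier and the integrity checks argued for here. It assumes a 4-byte little-endian length field N in front of each record and a constructed per-record size cap, shows a trusting parser accepting a file of zeros next to a validating parser that rejects it, and finishes with the send/receive digest comparison the delivery stage should perform.</p>

```python
import hashlib
import hmac
import struct

# Assumed layout for this example: each record is a 4-byte little-endian length
# field N followed by N bytes of data (the article gives no field width).
LENGTH_FIELD = struct.Struct("<I")
MAX_RECORD_BYTES = 1 << 20          # constructed sanity cap per signature record


class ChannelFileError(ValueError):
    """Raised when the file fails the integrity checks, before any processing."""


def build_channel_file(records: list) -> bytes:
    """Constructed writer for the assumed layout, used to make sample inputs."""
    return b"".join(LENGTH_FIELD.pack(len(r)) + r for r in records)


def parse_records_unchecked(data: bytes) -> list:
    """The trusting walk the article suspects: take N at face value. Fed a file of
    zeros it 'succeeds' with a stream of empty records; a short file or an
    oversized N is silently truncated by the slice. In kernel C the equivalent
    is a zero-byte allocation and a dereference of the failed result."""
    records, off = [], 0
    while off + LENGTH_FIELD.size <= len(data):
        (n,) = LENGTH_FIELD.unpack_from(data, off)
        off += LENGTH_FIELD.size
        records.append(data[off:off + n])
        off += n
    return records


def validate_channel_file(data: bytes) -> list:
    """Walk the same layout but refuse anything malformed, so a bad file is
    rejected whole rather than partly consumed."""
    if not data:
        raise ChannelFileError("empty file")
    if not any(data):
        raise ChannelFileError("file is all zero bytes")
    records, off = [], 0
    while off < len(data):
        if len(data) - off < LENGTH_FIELD.size:
            raise ChannelFileError(f"truncated length field at offset {off}")
        (n,) = LENGTH_FIELD.unpack_from(data, off)
        off += LENGTH_FIELD.size
        if n == 0:
            raise ChannelFileError(f"zero-length record at offset {off - LENGTH_FIELD.size}")
        if n > MAX_RECORD_BYTES:
            raise ChannelFileError(f"record length {n} exceeds cap")
        if n > len(data) - off:
            raise ChannelFileError(f"record length {n} runs past end of file")
        records.append(data[off:off + n])
        off += n
    return records


def is_well_formed(data: bytes) -> bool:
    try:
        validate_channel_file(data)
        return True
    except ChannelFileError:
        return False


def release_for_delivery(data: bytes) -> str:
    """Producer side: validate before handing the file to the delivery stage and
    return the digest the delivery stage must echo back."""
    validate_channel_file(data)
    return hashlib.sha256(data).hexdigest()


def delivery_stage_confirms(expected_digest: str, received: bytes) -> bool:
    """Consumer side of the baton: what was received is what was sent."""
    return hmac.compare_digest(hashlib.sha256(received).hexdigest(), expected_digest)
```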



<p>So the &#8216;trigger&#8217; for this was the bad file, but the &#8216;fatal error&#8217; of not handling the error case on the machine was also needed for this problem to come about; if either was not present the problem would not have arisen. This may point to a lack of systematic end-to-end awareness of what the generating program and the reading program are responsible for or expect from each other.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>Mistakes happen; it&#8217;s a fact of life living in a technical world. The trouble is that the wide usage of common systems creates a set of common mode failure points that, if not addressed, can generate wide ranging outages such as this. The solution is to have more robust coding and to perform staged rollouts that have an ability to detect the health (or not) of the end systems &#8211; if it&#8217;s clear there is a wave of &#8216;dead&#8217; end system states, assume you are the problem and stop pushing updates. It&#8217;s likely other remote update services from other vendors have similar design weaknesses; this is something which will require urgent investigation.</p>



<p>I also don&#8217;t think the fact this occurred on a Friday is a factor, given this should be a completely automated tool chain distributing malware signatures to clients; it&#8217;s just bad luck it occurred on a Friday. IT teams around the world will be working over the weekend to address this and likely this won&#8217;t be fully closed out for a few weeks.</p>



<p>Also, there appears to be much discussion online about whether this was a security incident or not. According to CrowdStrike, for them, it was NOT a security incident: they did not get hacked, it was just buggy data or code. As for the impacted businesses, the impact could range from zero to a full-on security incident; it all depends on what the BSOD boxes were doing for the business, which could be anything from nothing critical to something utterly core to the business and its security. So we cannot generalise to any one impact statement; it&#8217;s individual per business. Businesses that were impacted therefore need to do a &#8216;blast radius&#8217; impact discovery exercise and see if the security surface around critical services could have been affected, then confirm for these services that everything is in a known good state (no CIA events).</p>



<h2 class="wp-block-heading">Addendum</h2>



<p>Apparently CrowdStrike have a history of pushing out broken updates: in <a href="https://www.neowin.net/news/crowdstrike-broke-debian-and-rocky-linux-months-ago-but-no-one-noticed/" data-type="link" data-id="https://www.neowin.net/news/crowdstrike-broke-debian-and-rocky-linux-months-ago-but-no-one-noticed/">April</a> they pushed updates that broke Debian and Rocky Linux installs. The same also occurred after upgrading to Rocky Linux 9.4.</p>



<p>Also, it looks like this recent update ignored all the staging policy controls their customers had and went everywhere all at once. This could be due to the policy controls being implemented at the end device rather than from the centre when deployed. That would make sense, as you would not want to be globally tracking, for all customers, what version each device is at and then working out what updates to push according to their individual policies. Such a model also supports centralised IT deployment management of updates with local policy control. <strong><em>Correction</em></strong>: it appears versioning staging controls are only applied to the Falcon software itself and NOT to Channel Files, which are always instantly applied.</p>



<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<div class="entry-content-asset"><iframe title="CrowdStrike IT Outage Explained by a Windows Developer" width="640" height="360" src="https://www.youtube.com/embed/wAzEJxOo1ts?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></div>
</div><figcaption class="wp-element-caption">Dave&#8217;s Garage Explains what happened in the CrowdStrike outage at the system level</figcaption></figure>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Detecting Cyber Security BS in CVs</title>
		<link>https://www.aykira.com.au/2024/06/detecting-cyber-security-bs-in-cvs/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Tue, 04 Jun 2024 00:57:54 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[roles]]></category>
		<category><![CDATA[sydney]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3956</guid>

					<description><![CDATA[Hiring competent people in cybersecurity is always important, as you cannot secure what you do not understand. The trouble is often those who are performing the hiring do not have an in-depth understanding of cyber security and what specific skills and experiences are required to perform a cyber security role well. Why is this so <a href="https://www.aykira.com.au/2024/06/detecting-cyber-security-bs-in-cvs/" rel="nofollow"><span class="sr-only">Read more about Detecting Cyber Security BS in CVs</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><a href="https://www.aykira.com.au/wp-content/uploads/2024/06/CV-wordcloud2-e1717462555156.jpg"><img loading="lazy" decoding="async" width="900" height="493" src="https://www.aykira.com.au/wp-content/uploads/2024/06/CV-wordcloud2-e1717462555156.jpg" alt="" class="wp-image-3960" srcset="https://www.aykira.com.au/wp-content/uploads/2024/06/CV-wordcloud2-e1717462555156.jpg 900w, https://www.aykira.com.au/wp-content/uploads/2024/06/CV-wordcloud2-e1717462555156-300x164.jpg 300w, https://www.aykira.com.au/wp-content/uploads/2024/06/CV-wordcloud2-e1717462555156-768x421.jpg 768w" sizes="auto, (max-width: 900px) 100vw, 900px" /></a></figure>



<p class="has-medium-font-size"><strong>Hiring competent people in cybersecurity is always important, as you cannot secure what you do not understand. The trouble is often those who are performing the hiring do not have an in-depth understanding of cyber security and what specific skills and experiences are required to perform a cyber security role well.</strong></p>



<div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained">
<div class="wp-block-group has-background" style="background-color:#e8f2fa"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained">
<div class="wp-block-group" style="font-size:18px"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained">
<div class="wp-block-group has-medium-font-size"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained">
<h2 class="wp-block-heading">Why is this so important?</h2>



<ol class="wp-block-list">
<li>Doing cybersecurity effectively depends on a combination of experience, learnt skills and talent. The devil literally is in the details, and you won&#8217;t develop a feel for evaluating risks, and in turn the controls required to mitigate those risks, without putting in the hours. In essence, operating in a cybersecurity role beyond your capabilities is putting your employer&#8217;s business at risk and in turn is putting your long-term career at risk also.</li>



<li>The &#8216;fake it till you make it&#8217; mindset just won&#8217;t work long term in cybersecurity. You may get away with it for a while, but in this day and age, where everything you do is digitalised and available at a few mouse clicks, it can unravel very quickly. Better to spend your energies on genuine capability growth.</li>



<li>People operating outside their zone of capability are a primary cause of many cyber incidents. Bad decisions, incorrect assumptions, etc. all stem from not having an innate ability to self-check and confirm. Better to walk on solid ground than to run on thin ice.</li>
</ol>
</div></div>
</div></div>
</div></div>
</div></div>



<p class="has-medium-font-size">In this article, we provide some pointers and red flags to look out for that indicate a person is jumping onto the cyber security bandwagon and presenting a somewhat overly &#8216;rose tinted&#8217; view of their cyber security achievements and experiences. BTW, some &#8216;putting in the best light&#8217; is to be expected in CVs; what we are referring to is taking that way too far and presenting an overly false impression of skills and experiences. Also covered are a few key things to look out for during the interview process that will help in separating the wheat from the chaff.</p>



<h2 class="wp-block-heading">1. The 180 degree abrupt Career Shift&#8230;</h2>



<p>This may or may not be obvious in their CV, but if you see a sudden dramatic change in focus to cybersecurity, especially in the last 4 years, I&#8217;d treat this as a Red Flag, especially if they have several years under their belt doing totally non-cybersecurity work prior. Treat it as a clear sign of bandwagon following, especially if they have no prior certifications or qualifications that relate to cyber security.</p>



<p>Now for a junior role this may not be that much of an issue, but if you are hiring someone where direct cyber security ability is key and so expected to be enacted on a day to day basis, this could be a problem.</p>



<p>If they do make it to interview, you should be probing the transition period: why the change? Were they not succeeding in their prior career direction?</p>



<h2 class="wp-block-heading">2. Too rapid a climb&#8230;</h2>



<p>Another giveaway is when they climb too rapidly in roles and scope, especially a transition from technical into senior management occurring in one step. Typically you want to see at least 2 years in each role; anything less than 18 months (and especially less than 12 months) consider a Red Flag. This could indicate someone role-hopping to avoid accountability for prior mistakes, or a business picking up on their inability and the person jumping ship before they got pushed (or did they get pushed?). It might just be that the business downsized as well, so you should ask why during the interview.</p>



<h2 class="wp-block-heading">3. Excessive buzz word bingo</h2>



<p>If the CV contains more buzz words than actual substance, this can be concerning. There should be evidence of the application of cyber security techniques and outcomes alongside the buzz words, in effect a few &#8216;war stories&#8217; that can be discussed during interview that show the skills being applied. If it&#8217;s all buzz words and no stories, big Red Flag.</p>



<h2 class="wp-block-heading">4. Too much timed experience</h2>



<p>Another quick check is to compare how long they have been dedicated to cyber security against the duration of the cyber security experiences they claim to have. For instance, they cannot have 10 years&#8217; experience in firewalls if they have only been doing cyber security for 5 years. This would certainly be worth asking about during the interview.</p>



<h2 class="wp-block-heading">5. Too varied</h2>



<p>People tend to develop their areas of expertise and focus more on those over time; a CV that does not focus, or does not show a progression across different areas of focus, should be a big Red Flag. This could indicate buzz word stuffing or a lack of ability on the part of the individual; they may not be able to be an expert in any cyber security field.</p>



<p>Also look out for &#8216;unsupported expertise&#8217;; for instance, it&#8217;s very difficult to be an expert in Code Security if you do not have a programming background. Again, ask about it during the interview.</p>



<h2 class="wp-block-heading">6. Certifications only</h2>



<p>If someone only has certifications and no related academic qualifications (or years of relevant experience), this could be a problem. There are a lot of security certifications out there which are not that hard to get; especially once you have one in a given area, accumulating more of the same is easier. Quite a few of them are more memory tests than tests of actual ability. You need to check why the certification was taken: was it a role requirement?</p>



<h2 class="wp-block-heading">7. Title expansion</h2>



<p>This can be a bit harder to detect, but it&#8217;s where a job title seems rather too &#8216;grand&#8217; for what it should be. For instance, someone could take an &#8216;IT Technician&#8217; and morph it into &#8216;IT Cybersecurity Technician&#8217;, or &#8216;Systems Analyst&#8217; morphs into &#8216;Cyber Security Analyst&#8217;. The easiest way to spot this is to check the size of the business they were employed at and the roles you can see on LinkedIn; if it was a medium or small sized business it&#8217;s very unlikely they would have such fine-grained role differentiation.</p>



<h2 class="wp-block-heading">8. No &#8216;just for fun&#8217; tech</h2>



<p>Cyber security revolves around technology, therefore you want to see strong evidence that the person is actually technical and enjoys using and applying technology. They should have other interests that are based on a technology mindset. For instance hobbies that have a strong technology or theoretical basis (model aircraft, electronics, metal working, wood working, etc). A complete lack of such hobbies (or no hobbies at all) should be a small Red Flag.</p>



<h2 class="wp-block-heading">During the Interview</h2>



<p>Genuine cyber security people with solid experience will often have &#8216;war stories&#8217; that have shaped their careers; they will be able to present these, and the outcomes and learnings, in a highly focussed form. They will be able to clearly demonstrate their role, what they did and the outcomes. They will also have a clear understanding of how human factors come into play when doing cyber security. In effect they will have &#8216;lived&#8217; doing cyber security and have an eye for it in its many different aspects. It will have become second nature for them and they will happily talk about it all day long if given the chance.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="has-medium-font-size"><strong>We hope the above points will help you in finding good cyber security staff for your open role. These are only some of the basic techniques we have used in assessing capabilities and fit for cyber security people, either for open roles or when checking 3rd party supplier personnel (to make sure they can actually keep a service secure). We can perform much more detailed assessments and provide this as a service for businesses; if you are interested, <a href="https://www.aykira.com.au/contact/" data-type="page" data-id="32">please contact us</a>.</strong></p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">What if you want to get into Cybersecurity?</h2>



<p>First off, do not BS on your CV. Focus, tune and tweak, yes, but do not BS. Cyber security, at its core, is about dealing with people who use technology in businesses and making that secure. A lot of your job will be around gaining trust and having trust in others; if you BS your way into a cyber security role, what does that say about how you can be trusted? An employer would much rather have someone be honest and state what they know they are capable of, what they are training up on and where they want to go. This is SO much more powerful than a BS-laden CV: it shows integrity, it shows drive and it shows honesty, all very positive qualities to have in cyber security. Also, if a potential employer likes you, they could set up training and support to help grow your career&#8230; Start off as you wish to continue and want to be treated.</p>



<p>Also remember that if you do BS your way into a cyber security role, it&#8217;s very likely you could be putting that business at undue risk, and in turn your future career in cyber security could be at risk if they get breached as a result. Just don&#8217;t do it.</p>



<p>There are many valid paths into cyber security and everyone has something to bring to the table, just do so with integrity, you will go that much further.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 3rd party security nightmare</title>
		<link>https://www.aykira.com.au/2024/06/the-3rd-party-security-nightmare/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Sat, 01 Jun 2024 04:30:44 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[3rd party]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3938</guid>

					<description><![CDATA[It appears 3rd party integrations are the flavour of the month for security incidents at the moment. The latest being Ticketek Australia, where some of its customer may have had their personal details exposed, including names, date-of-birth and email; all of which was managed by a &#8220;reputable, global third-party supplier&#8221;. In other words, a global <a href="https://www.aykira.com.au/2024/06/the-3rd-party-security-nightmare/" rel="nofollow"><span class="sr-only">Read more about The 3rd party security nightmare</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>It appears 3rd party integrations are the flavour of the month for security incidents at the moment. The latest is Ticketek Australia, where some of its customers may have had their personal details exposed, including names, date of birth and email; all of which was managed by a &#8220;reputable, global third-party supplier&#8221;. In other words, a global SaaS or infrastructure supplier dropped the security ball and hackers ran off with customer data as a result.</p>



<p>So why does this keep on happening? Well&#8230;</p>



<h2 class="wp-block-heading">Hackers love 3rd parties&#8230;</h2>



<p>This may come as a surprise to some, but hackers will always preferentially target 3rd party integrations and associated services, for the following reasons:</p>



<ul class="wp-block-list">
<li>There is a security responsibility disconnect between those using the 3rd party and the 3rd party themselves. In other words, the integration between the customer and the 3rd party is often a point of security weakness, as you have two parties each responsible for one half of the integration. This makes it very likely that there is little meaningful security co-ordination between the two, so security coverage gaps can exist.</li>



<li>In a similar way, hackers have double the surface to probe and test: the security surface of the customer with respect to the 3rd party, and the security surface of the 3rd party with respect to the customer. They can try their hand at pretending to be the customer or the 3rd party, or play one off against the other, etc. Many ways to skin the cat and find a weakness.</li>



<li>3rd party providers often provide services to many customers, and sometimes the separation between each customer is weak, if not non-existent, once you get into the systems. This means that for the effort of hacking one customer you could end up hacking them all: extra bonus!</li>



<li>The 3rd party integration might allow the hacker to move into other customer services or points of integration with other 3rd parties. Especially if that 3rd party is providing authentication or Single Sign-On services &#8211; in essence an &#8216;open sesame&#8217; moment for the hacker.</li>
</ul>



<figure class="wp-block-image size-large"><a href="https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk.png"><img loading="lazy" decoding="async" width="1024" height="471" src="https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk-1024x471.png" alt="" class="wp-image-3941" srcset="https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk-1024x471.png 1024w, https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk-300x138.png 300w, https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk-768x353.png 768w, https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk-1536x706.png 1536w, https://www.aykira.com.au/wp-content/uploads/2024/06/3rd_party_risk.png 1828w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></a></figure>



<p>The above diagram shows these points clearly. In this case a Customer is using some 3rd party service that provides an API to integrate with their in-house system. As shown, this provides at least 4 ways the hacker can interact with either system, or either business&#8217;s staff, to get access to the data. Note how the security surface (the blue box) for the Customer is distinct from that of the 3rd Party; neither has visibility of, or a tight security interaction with, the other. They are, in essence, security black boxes to each other, and the hacker understands this and exploits it to the full.</p>



<h2 class="wp-block-heading">What can you do to protect yourself?</h2>



<p>Given the degree of integration modern businesses have with all sorts of cloud services it can often look impossible to improve your security position, but there are a few simple things you can do:</p>



<ul class="wp-block-list">
<li>First off, identify what is your core data and where it exists. This is the data you never want a hacker to get their hands on, it&#8217;s the data life blood of your business.</li>



<li>For each system that contains core data, check the following:
<ul class="wp-block-list">
<li>Only you, and no other systems, can access that data. In other words, are there restrictions in place to ensure that your way of accessing that data only works for you? It should be impossible to use corporate credentials on the public internet to access those systems. If this cannot be implemented, move to another provider who does; this is key.</li>



<li>All backups are stored encrypted, and the encryption key is NOT stored with the backups. May sound obvious, but do not assume all is right.</li>



<li>The data must be stored on an encrypted medium (encrypted file system).</li>



<li>Check that the provider has a security policy and people in their organisation with specific security responsibilities and the associated skills (both operational and technical).</li>
</ul>
</li>



<li>Make sure your employees are only using SaaS products approved by IT, there should be no &#8216;Grey SaaS&#8217; &#8211; as there is no corporate control over the data in such services. Also there is no control over how security is implemented in such services.</li>



<li>In a similar vein, before using a 3rd party, do some form of security review of the service and check it meets your minimum security requirements first.</li>
</ul>



<p>You should also strongly consider if bringing a service back &#8216;in-house&#8217; would be a good move, this guarantees that the way it is set up will always meet your security expectations and you are not forced to compromise and share that service with anyone else. This also means the uptime of that service is completely under your control. With the advent of private clouds and cost effective virtualisation services that can run on site, this gives businesses new options in combating security risks.</p>



<p><em>Now I know some people would consider it sacrilege to consider bringing services in-house, but there are many ways of doing this that do preserve availability and are not cost prohibitive. You can combine on-site with private cloud a lot easier (and at a lower cost point) these days than was possible a few years ago.</em></p>



<p>When you are using cloud services in any form, you must always remember you are renting services from a 3rd party in a highly shared environment, which may not fit your real and evolving business risk profile. Especially if you are using many cloud services, as each is a point of exposure and weakness that a hacker can exploit.</p>



<p>The cloud, like all services, has a risk/return curve, which can be quickly exceeded as your usage grows, especially when multiple services are being employed (in effect your efficiency of usage declines with size and complexity, this is how cloud providers make their money, as most customers do not track this).</p>



<p>It must always be remembered that when you use a 3rd party to provide services that manipulate your key business data, you are in effect entrusting your &#8216;crown jewels&#8217; to a 3rd party via an often at-arms-length contractual relationship. They may even be in another country and operating under a completely different legal framework, which might void or seriously perturb your ability to obtain recompense when something does go wrong. Often contracts will contain extensive clauses limiting liability and compensation to an amount probably not worth the effort of claiming (compared to the damage caused). Ideally, all of this needs careful consideration <strong><em>prior </em></strong>to engaging with a 3rd party; it&#8217;s an important part of the risk management process that you need to undertake.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>If you would like to learn more about how to improve data processing security,<a href="https://amzn.to/2xyQkUJ" data-type="link" data-id="https://amzn.to/2xyQkUJ"> I suggest you read my book, available on Amazon.</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Can LLMs be constrained and secured?</title>
		<link>https://www.aykira.com.au/2024/05/can-llms-be-constrained-and-secured/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 27 May 2024 08:25:13 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3917</guid>

					<description><![CDATA[Research has been undertaken that reveals some interesting aspects of how LLMs (Large Language Models) work and how they represent knowledge. This indicates it is very difficult to successfully constrain a language model and thereby ensure that they are secure. This difficulty means it is dangerous to employ LLMs in mission critical situations where adversaries <a href="https://www.aykira.com.au/2024/05/can-llms-be-constrained-and-secured/" rel="nofollow"><span class="sr-only">Read more about Can LLMs be constrained and secured?</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>Research has been undertaken that reveals some interesting aspects of how LLMs (Large Language Models) work and how they represent knowledge. This indicates it is very difficult to successfully constrain a language model and thereby ensure that it is secure. This difficulty means it is dangerous to employ LLMs in mission critical situations where adversaries should not be able to &#8216;escape&#8217; the constraints. The video below covers the analysis the researchers undertook and what they found.</p>



<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<div class="entry-content-asset"><iframe loading="lazy" title="Mapping GPT revealed something strange..." width="640" height="360" src="https://www.youtube.com/embed/Bpgloy1dDn0?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></div>
</div></figure>



<h2 class="wp-block-heading">TLDR&#8230;</h2>



<ul class="wp-block-list">
<li>In the <a href="https://arxiv.org/abs/2310.04444" data-type="link" data-id="https://arxiv.org/abs/2310.04444" target="_blank" rel="noreferrer noopener">paper</a>, the researchers analyse prompt engineering for LLMs within a formal framework based on control theory, and then determine how stable or predictable the model behaviour is.</li>



<li>They found that, given the large complexity of input token combinations, it is possible to &#8216;drive&#8217; or &#8216;control&#8217; the LLM to output what you require. In other words, if you want a specific output, there is a set of input tokens that will produce that required output; in effect a form of injection that can &#8220;jail break&#8221; constraints.</li>



<li>It was discussed in the video that the feedback mechanism employed in LLMs to create chains of output tokens opens the possibility of the model entering a &#8216;corrupted state&#8217;, the implication being that you could then manipulate the LLM even further.</li>



<li>They discuss that &#8216;weird prompting&#8217; (compared to magic) can often reliably steer an LLM to required outputs. Such weird prompting can be a mix of gibberish and symbols, meaningless to us but significant to the LLM processing them.</li>



<li>They discovered that the degree of steering possible is quite powerful: they could make the least likely output token the most likely token with just a few input tokens. In effect, trying to &#8216;tune out&#8217; undesirable output only reduces the likelihood of that output occurring; you cannot stop it from occurring completely.</li>
</ul>



<h2 class="wp-block-heading">My Thoughts</h2>



<p>Given the very high degree of complexity of LLMs and their usage of feedback loops and &#8216;hidden state&#8217; to create a stream of output tokens &#8211; it&#8217;s no real surprise to me that LLMs can be manipulated or engineered to produce a desired output that was not intended. This research in effect formalises what has long been suspected. This means that LLMs have an exploitable &#8216;dark side&#8217; which is very difficult to guard and block access to. In effect you might think you have it well constrained and behaving as intended, but then a novel prompt is employed and the dark side is exposed. There have been numerous examples of this in the past where a carefully constructed prompt can move the LLM into a state where it voids its constraints and will start to tell you all sorts of things it isn&#8217;t meant to. This paper indicates that this aspect of LLMs might be with us for quite a while yet, until more rigorous and formal methods of control and constraint are possible.</p>



<h2 class="wp-block-heading">Security Aspects</h2>



<p>From a security perspective, if you are utilising LLMs you need to be very careful about what they access, and in turn, who is permitted to use them. It is very easy to make current LLMs escape whatever &#8216;pre-prompting&#8217; controls were employed and get them to do anything required, up to and including dumping databases or performing systematic attacks. What such an LLM can do when it goes rogue depends purely on what it has access to and the degree of control entrusted to it. Always employ a Least Privilege mindset and be very careful around database integrations.</p>



<p>In particular, do not just depend on &#8216;pre-prompting&#8217; to set the state the LLM should be using to process inputs; this can often be very easily overcome. You need to use a mixture of techniques. If you want to know more, please <a href="https://www.aykira.com.au/contact/" data-type="page" data-id="32">get in touch</a>.</p>
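<p>As an added illustration of the least-privilege point above (example code, not from the original post), here is a Python gate that sits between the model and a database integration. The model can only name an allow-listed, parameterised query, the customer identity is taken from the authenticated session rather than from whatever the model asks for, and every denial is logged; the table, roles and query names are constructed for the example.</p>

```python
"""
Added example (not from the original post): a least-privilege enforcement
layer between an LLM and a database. The model may *propose* a tool call,
but whether it runs is decided by policy the prompt cannot influence.
All table, role and query names below are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass, field

# Named, parameterised queries only: the model never supplies SQL text, so a
# steered model cannot turn a lookup into a table dump.
ALLOWED_QUERIES = {
    "order_status": (
        "SELECT id, status FROM orders WHERE id = ? AND customer = ?",
        ("order_id", "customer"),
    ),
    "recent_orders": (
        "SELECT id, status FROM orders WHERE customer = ? ORDER BY id DESC LIMIT 5",
        ("customer",),
    ),
}

# Which roles may invoke which named queries (constructed policy).
ROLE_GRANTS = {
    "customer": {"order_status", "recent_orders"},
    "anonymous": set(),
}

# Parameters that always come from the authenticated session, never from the
# model: a model that has been steered into asking for another customer's
# records simply has that value replaced with the session's.
SESSION_BOUND = {"customer"}


@dataclass
class ToolCall:
    """What the LLM proposes to run: a query name plus arguments."""
    name: str
    args: dict


@dataclass
class Gate:
    """Policy enforcement point between the model and the database."""
    conn: sqlite3.Connection
    role: str
    customer: str
    audit: list = field(default_factory=list)

    def execute(self, call: ToolCall):
        """Rows for an allowed call; None (plus an audit entry) for a denied one."""
        spec = ALLOWED_QUERIES.get(call.name)
        if spec is None:
            return self._deny(call, "unknown tool")
        if call.name not in ROLE_GRANTS.get(self.role, set()):
            return self._deny(call, "role not granted")
        sql, param_names = spec
        # Arguments the query does not declare are rejected outright.
        extra = set(call.args) - set(param_names)
        if extra:
            return self._deny(call, f"unexpected args {sorted(extra)}")
        params = []
        for p in param_names:
            if p in SESSION_BOUND:
                params.append(self.customer)
            elif p in call.args:
                params.append(call.args[p])
            else:
                return self._deny(call, f"missing arg {p}")
        self.audit.append(("allow", call.name))
        return self.conn.execute(sql, params).fetchall()

    def _deny(self, call, reason):
        self.audit.append(("deny", call.name, reason))
        return None


def demo_db():
    """Constructed in-memory orders table with two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "shipped"),
        (2, "bob", "pending"),
        (3, "alice", "pending"),
    ])
    return conn


if __name__ == "__main__":
    gate = Gate(demo_db(), role="customer", customer="alice")
    print(gate.execute(ToolCall("recent_orders", {})))
    # The model asks for bob's order; the session binding keeps it to alice.
    print(gate.execute(ToolCall("order_status", {"order_id": 2, "customer": "bob"})))
    print(gate.execute(ToolCall("dump_all", {})), gate.audit)
```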
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Houston, we have a security problem&#8230;</title>
		<link>https://www.aykira.com.au/2024/04/houston-we-have-a-security-problem/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 15 Apr 2024 23:42:08 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[hackers]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3904</guid>

					<description><![CDATA[It seems not a day goes by without some record cybersecurity incident hitting the press, be it a data breach, a Zero Day or some malware doing its devious things&#8230; Trouble is the frequency of these events, and their scope, has been increasing significantly over the last few years and most people have not latched <a href="https://www.aykira.com.au/2024/04/houston-we-have-a-security-problem/" rel="nofollow"><span class="sr-only">Read more about Houston, we have a security problem&#8230;</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>It seems not a day goes by without some record cybersecurity incident hitting the press, be it a data breach, a Zero Day or some malware doing its devious things&#8230; Trouble is, the frequency of these events, and their scope, has been increasing significantly over the last few years and most people have not latched onto how big the problem is.</p>



<p>A recent Statista Market Insights <a href="https://redirect.viglink.com/?format=go&amp;jsonp=vglnk_171315745567310&amp;key=c1c7d488bb2df8a8b659d5d41634d304&amp;libId=lv0hjrn3010023dg000ULbev3mcv2&amp;loc=https%3A%2F%2F9to5mac.com%2F2024%2F04%2F14%2Fsecurity-bite-annual-cost-of-cybercrime-to-hit-9-2-trillion-in-2024%2F&amp;ccpaConsent=1---&amp;v=1&amp;out=https%3A%2F%2Fwww.statista.com%2Fchart%2F28878%2Fexpected-cost-of-cybercrime-until-2027%2F&amp;ref=https%3A%2F%2Fwww.google.com%2F&amp;title=Security%20Bite%3A%20Annual%20cost%20of%20cybercrime%20to%20hit%C2%A0%249.2%20trillion%20in%202024%20-%209to5Mac&amp;txt=survey">survey</a> predicts that the cost of cyberattacks in 2024 could likely reach <strong>$9.2 trillion</strong> across the globe. To put it in context that is more than the 2022 <a href="https://www.worldometers.info/gdp/gdp-by-country/">GDP</a> of Japan and Germany combined. This is triple the figure of $2.95 trillion in 2020, a short 4 years ago.</p>



<figure class="wp-block-image size-medium is-resized"><a href="https://www.aykira.com.au/wp-content/uploads/2024/04/image.png"><img loading="lazy" decoding="async" width="300" height="300" src="https://www.aykira.com.au/wp-content/uploads/2024/04/image-300x300.png" alt="" class="wp-image-3905" style="width:465px;height:auto" title="Chart showing the rapid increase in cybercrime." srcset="https://www.aykira.com.au/wp-content/uploads/2024/04/image-300x300.png 300w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-1024x1024.png 1024w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-150x150.png 150w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-768x768.png 768w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-480x480.png 480w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-250x250.png 250w, https://www.aykira.com.au/wp-content/uploads/2024/04/image-174x174.png 174w, https://www.aykira.com.au/wp-content/uploads/2024/04/image.png 1200w" sizes="auto, (max-width: 300px) 100vw, 300px" /></a></figure>



<p>This is clearly outpacing the growth of the global economy, so the ability to enact profitable cybercrime at scale must be getting easier and more rewarding. There is no other way to interpret such a dramatic increase in the rewards of cybercrime: criminals are getting away with it more often and being well rewarded for their efforts.</p>



<h2 class="wp-block-heading">Why is this happening?</h2>



<p>There is a confluence of factors which are coming together and contributing to cybercrime growth:</p>



<ul class="wp-block-list">
<li><strong>Increased system complexities and interconnectedness</strong>: Over the last few years there has been an explosion in cloud services and connected devices, both in the home and office. Nearly every IT device you buy now comes with some &#8216;cloud&#8217; service offering &#8211; be that remote access or just simple backup services. This has created an explosion in the complexity of the associated surfaces to secure. Long gone are the days when you just needed to secure your office network; now you need to secure a smorgasbord of cloud services to operate even the smallest business, and in most cases the businesses just don&#8217;t have the time or resources to be able to do that. The same can also be said for a lot of large businesses as well &#8211; the security complexity in IT can quickly get away from you.</li>



<li><strong>Invisible dependencies</strong>: Associated with the above are &#8216;Russian Doll Dependencies&#8217;, in that a service quite often depends on another service, which depends on another service, and so on. In other words, what you see of a service hides a massive tree of dependencies which can end up spanning the whole globe, and most of those dependencies are beyond your awareness and control. Good luck ensuring all of that remains secure 24&#215;7.</li>



<li><strong>Fire and forget security solutions</strong>: The knee jerk reaction by most companies has been to go on a spending spree to buy off-the-shelf security solutions, set them up once and promptly forget about them. This may make them feel happy that they think they are secure, but refer back to the 2 prior points: 99.9% of the business security surface is beyond your control. Plus once this off-the-shelf security solution is forgotten about, it will often not be maintained, or the licence for its operation will expire and it will silently stop working.</li>



<li><strong>Insecure default configurations</strong>: Literally everything comes with terrible security defaults, and we wonder why admin/admin is still one of the most common device logins going. Plus by default logging is often turned off or does not exist, or some remote UPnP pops into existence on a &#8216;just in case we need to get in remotely&#8217; basis. </li>



<li><strong>It&#8217;s easy to hack</strong>: There is a wide range of &#8216;hacking&#8217; or &#8216;ransomware-as-a-service&#8217; toolkits out there; you don&#8217;t need to be a cyber-ninja nowadays to make hacking pay, just be willing to do it. The level of technical skill required is actually quite low.</li>



<li><strong>The hackers are more organised</strong>: There is a lot of focus on doing hacking as a business enterprise, which creates economies of scale for all hackers and grows an underground community.</li>



<li><strong>We like hanging onto sensitive information: </strong>Businesses (and individuals) have a tendency to either keep information on a just-in-case basis or they just plain forget what information they have. Combine this with operating systems that do absolutely nothing to manage data lifecycles and files just accumulate all over the place. You would be horrified what most people have in their inboxes, documents folder or shared corporate drive. Everything from passport images upwards in sensitivity.</li>



<li><strong>Confusion over regulations and what data must be kept</strong>: businesses are often not sure what they need to keep to protect themselves or to comply with regulations within the sectors they operate in, so they often keep everything&#8230;</li>
</ul>



<p>Now, you may think one big factor in all of this has been missed, the shortage of those with cybersecurity skills, but this is becoming a bit of an excuse rather than a reason. Let me explain why:</p>



<ol class="wp-block-list">
<li> <strong>We are always going to be short of good people in cybersecurity</strong>: The simple reason being to do it well requires a certain &#8216;mindset&#8217; and depth of experience &#8211; you can&#8217;t get that straight out of Uni or TAFE. You need to be able to worry about what really matters and ignore the rest; a lot of people fret over everything and that doesn&#8217;t work. You also need to know dependable techniques that deal with human factors (which are covered in a lot of articles on this site BTW).</li>



<li><strong>Cybersecurity really is a concern for everyone</strong>: Pointing the finger at cybersecurity professionals is wrong, everyone needs to up their security game and the facilities need to be provided to allow this to happen.</li>



<li><strong>The complexity &amp; dependency super explosion</strong>: Refer back to the first 2 points on the first list, do you think throwing more manpower and technology (including AI &amp; all that implies) is going to do anything to meaningfully change the situation? When you are faced with an exponential growth in interconnectedness and complexity, no amount of manpower or technology will cover it.</li>
</ol>



<p>So what is the solution? There are multiple problems that need solving right now:</p>



<ul class="wp-block-list">
<li><strong>Rein in the interdependencies</strong>: Not only are multiple levels of dependency a security nightmare, it&#8217;s also a maintenance nightmare as well. Plus you could be dependent on a whole web of hidden companies and individuals to maintain and provide secure and reliable (and bug free) services. This is not a viable long term arrangement; businesses change direction or close down, people move onto other things, versions are retired, etc. <em>If you don&#8217;t manage your dependencies, they will end up managing you.</em></li>



<li><strong>Data lifecycle support baked right into the base</strong>: It&#8217;s 2024 and applications engineers are still expected to code up data lifecycle support. Anything stored on a disk or in a database should be able to be tagged with a &#8216;delete on&#8217; timestamp and, when that time arrives, it&#8217;s automatically removed. In essence this should be an atomic operation at the Operating System and Database level &#8211; stop putting it all on the developer to worry about this.</li>



<li><strong>Do you really need that data?</strong> As hinted at above individuals and businesses need to be a lot more wary of holding onto data; if they have no specific need for it, just delete; or even better don&#8217;t collect it in the first place. Training should be provided on this. Hackers almost depend on this tendency to accumulate data to make ransomware and data breach attacks effective; if you didn&#8217;t have valuable data, there would be nothing to gain.</li>



<li><strong>Do more with less</strong>: There is a trend developing of needing every little tool or service out there to do your work. Quite a few people have their set of favourite tools or services and want to take that set with them from job to job. Trouble is, with all the cloud connections and dependencies, this creates a management nightmare for both the IT and Security departments in a business (if you are large enough to have these to begin with). It also inefficiently consumes resources and is a distinct cost to manage. Plus everyone else will need to adapt to the differences, creating yet more inefficiency. Of course this also creates a massive security headache. The solution? Have a prescribed list of supported and approved services, anything not on that list cannot be used, this is controlled jointly by IT/finance and security. Also make sure you are not doubling up on functionality with anything on that list.</li>



<li><strong>Examine what needs to be local or remote</strong>: The usage of cloud services needs to be considered against the criticality of those services and who they are for. Customer facing services need to be in multiple deployments and isolated completely from your office, so cloud fits. But does a purely internal service or data store also need to be in that same cloud service? Could a local virtualising server run such a service? (Yes, with remote secure backups of course.) The world of containers and associated support frameworks makes it much easier to run local services. Yes, you need to have some hardware and it&#8217;s an additional machine or two for IT to support, but you retain full control; which could be ideal for certain business functions. The technology cloud providers use to scale servers is now available for local hosting functions as well; you can create a local compute cluster for quite a reasonable price. Remember the cloud providers have to extract profit from the services they provide, and you get no access to depreciation or R&amp;D equipment write-offs if you use them.</li>



<li><strong>Give everyone security training</strong>: Cybersecurity is not just a &#8216;geeky&#8217; thing, everyone is touched by it, so everyone should get security awareness training. Be it the front desk receptionist to the software developer &amp; CEO, everyone has a role to play in maintaining security and you cannot expect them to deliver on that without training, in exactly the same way you need training to drive a car safely.</li>
</ul>
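<p>An added example (not from the original post) of the &#8216;delete on&#8217; idea from the data lifecycle point above, in Python with SQLite: retention is mandatory at write time, reads hide expired rows even before the sweeper runs, and the sweeper removes them in one transaction. The table and column names are constructed for the illustration; timestamps are Unix epoch seconds.</p>

```python
"""
Added example (not from the original post): a 'delete on' retention tag
enforced by the store itself rather than by each application feature.
Table and column names are constructed; times are Unix epoch seconds.
"""
import sqlite3
import time

DAY = 86400


def open_store(path=":memory:"):
    """Create the records table; delete_on is NOT NULL so it cannot be skipped."""
    conn = sqlite3.connect(path)
    # Making the retention column mandatory moves the decision to write time:
    # a developer cannot forget it, the insert simply fails.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS records ("
        " id INTEGER PRIMARY KEY,"
        " body TEXT NOT NULL,"
        " delete_on INTEGER NOT NULL CHECK (delete_on > 0))"
    )
    conn.execute("CREATE INDEX IF NOT EXISTS records_delete_on ON records(delete_on)")
    return conn


def store(conn, body, retain_days, now=None):
    """Write a record that expires retain_days from now; returns its id."""
    now = int(time.time()) if now is None else now
    if retain_days <= 0:
        # No retention period means no reason to hold the data at all.
        raise ValueError("retention must be positive; if it is not needed, do not store it")
    cur = conn.execute(
        "INSERT INTO records (body, delete_on) VALUES (?, ?)",
        (body, now + retain_days * DAY),
    )
    return cur.lastrowid


def live_records(conn, now=None):
    """Read path: expired rows are invisible even if the sweeper has not run yet."""
    now = int(time.time()) if now is None else now
    return conn.execute(
        "SELECT id, body FROM records WHERE delete_on > ? ORDER BY id", (now,)
    ).fetchall()


def sweep(conn, now=None):
    """Remove every expired row in a single transaction; returns the count removed."""
    now = int(time.time()) if now is None else now
    with conn:  # commits on success, rolls back on error
        cur = conn.execute("DELETE FROM records WHERE delete_on <= ?", (now,))
    return cur.rowcount


if __name__ == "__main__":
    db = open_store()
    t0 = 1_700_000_000
    store(db, "passport scan", 30, now=t0)
    store(db, "invoice", 365, now=t0)
    print(live_records(db, now=t0 + 31 * DAY))   # only the invoice is visible
    print(sweep(db, now=t0 + 31 * DAY))          # one row removed
```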



<h2 class="wp-block-heading">Conclusion</h2>



<p>The drastic increase in the value of cybercrime is more a reflection of how our usage of technology is ahead of our collective security skills. We utilise more interconnected services than ever before and that leaves behind a massive data lake that we are constantly contributing to, just sitting there for criminals to plunder at our collective expense. We need to recognise this for the problem it is, rethink our approach on many levels and adapt. This may seem like a &#8216;moon shot&#8217; scale problem, but we have been able to do it once, I&#8217;m confident we can do it again.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Conduct Effective 3rd-Party Vendor Security Reviews</title>
		<link>https://www.aykira.com.au/2024/02/how-to-conduct-effective-3rd-party-vendor-security-reviews/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Thu, 15 Feb 2024 05:13:11 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[security reviews]]></category>
		<category><![CDATA[vendor]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3541</guid>

					<description><![CDATA[This article aims to provide a comprehensive guide to performing effective 3rd party vendor security reviews, outlining key steps, best practices, and strategies to mitigate risks and ensure a robust security framework.]]></description>
										<content:encoded><![CDATA[
<p class="left-line has-medium-font-size">In today&#8217;s interconnected business landscape, companies often depend on third-party vendors to provide essential services, be they back-office or part of their product or service offering. While these partnerships can foster growth and efficiency, they also introduce a potent source of invisible security risks. As data breaches and cyber-attacks continue to make the headlines, it has become imperative for organizations to conduct thorough security reviews of their third-party vendors. </p>



<p class="has-medium-font-size">This article aims to provide a comprehensive guide to performing effective 3rd party vendor security reviews, outlining key steps, best practices, and strategies to mitigate risks and ensure a robust security framework.</p>



<h2 class="wp-block-heading">Understanding the Importance of Vendor Security Reviews:</h2>



<p>Before delving into the process, it is crucial to recognize the significance of third-party vendor security reviews. Third-party vendors often have access to sensitive data, networks, or systems, thereby making them potential entry points for cyber threats. Conducting comprehensive security assessments can help identify vulnerabilities, assess compliance with industry standards and regulations, and ultimately safeguard the organization&#8217;s assets and reputation.</p>



<h2 class="wp-block-heading">Key Steps for Conducting 3rd Party Vendor Security Reviews:</h2>



<ol class="wp-block-list">
<li><strong>Define Clear Objectives</strong>: Begin by outlining the specific goals and objectives of the security review. Identify the critical assets involved, the scope of the assessment, and the compliance requirements pertinent to the industry. It may be you have mandatory requirements that the 3rd party must meet.
<ul class="wp-block-list">
<li class="has-small-font-size">Scoping this correctly is key; you need to ensure you have discovered all the touch points and ways in which their offering is utilised. You may well need to do an initial discovery with your in-house IT and developer teams first.</li>
</ul>
</li>



<li><strong>Assess Vendor Risk</strong>: Evaluate the potential risk exposure associated with the vendor. Consider the nature of the data shared, how it is transferred, and where it is stored. Then review the vendor&#8217;s security practices, their history of security incidents, and their internal security policies and procedures.</li>



<li><strong>Conduct Due Diligence</strong>: Gather comprehensive information about the vendor&#8217;s security practices. Request documentation regarding their security controls, protocols for data handling, incident response plans, and any relevant certifications or compliance reports. Be clear to inform them why you want such documentation and that it in turn will be appropriately managed and secured.</li>



<li><strong>Perform On-Site Assessments</strong>: When feasible and useful, conduct on-site visits to the vendor&#8217;s facilities to gain deeper insights into their security infrastructure. Assess physical security measures, employee training protocols, and the overall culture of security awareness within the organization. Is being secure part of their operational DNA?</li>



<li><strong>Review Contractual Agreements</strong>: Ensure that the vendor&#8217;s security commitments are clearly defined in the contractual agreements. Assess their adherence to industry standards, regulatory requirements, and specific security obligations as outlined in the contract. Look out for clauses that unduly restrict their ongoing security responsibilities.</li>



<li><strong>Conduct Vulnerability Assessments</strong>: Utilize robust security tools to perform comprehensive vulnerability assessments on the vendor&#8217;s systems, networks, and applications. Identify and prioritize potential vulnerabilities to determine the level of risk associated with the vendor&#8217;s services. Of course, only do this with their prior permission and in a way that cannot negatively impact their service.</li>



<li><strong>Implement Ongoing Monitoring</strong>: Establish protocols for continuous monitoring of the vendor&#8217;s security posture. Regularly review security reports, conduct periodic assessments, and ensure that the vendor maintains compliance with the agreed-upon security standards. This could be as simple as a half-yearly &#8216;check-in&#8217; to see how they are progressing with their security maturity.</li>



<li><strong>Develop Contingency Plans</strong>: Prepare contingency plans to address potential security breaches or incidents involving the vendor. Establish clear protocols for incident response, including communication channels, escalation procedures, and steps for mitigating the impact of any security breach.</li>
</ol>






<h2 class="wp-block-heading">Best Practices for Enhancing 3rd-Party Vendor Security:</h2>



<ul class="wp-block-list">
<li>Foster open communication and transparency between the organization and the vendor regarding security practices and concerns.
<ul class="wp-block-list">
<li class="has-small-font-size">Emphasise that this is a two-way street, in that you are willing to work with them to identify security issues and improve their security.</li>



<li class="has-small-font-size">Ideally liaise at least every 6 months; how often you meet or communicate should correlate with the criticality of their offering to the business.</li>
</ul>
</li>



<li>Establish a robust vendor management program that emphasizes security as a priority throughout the partnership lifecycle.</li>



<li>Regularly update security policies and procedures to align with evolving industry standards and emerging security threats.
<ul class="wp-block-list">
<li class="has-small-font-size">This needs to be an ongoing process and if you find a security threat, think if it could apply to one of your vendors and inform them of it. <strong><em>Do not</em></strong> demand they address the threat upfront or require confirmation that it has been resolved. Rather let them freely communicate with you around the risk and work together to cover it off.</li>
</ul>
</li>



<li>Provide comprehensive training to employees and stakeholders involved in the vendor management process, emphasizing the importance of security compliance and risk management.</li>



<li>Collaborate with legal and compliance teams to ensure that contractual agreements are enforceable and aligned with relevant regulatory requirements.</li>



<li>Implement a robust incident response plan that includes the vendor as a key stakeholder, enabling swift and coordinated responses to potential security incidents.</li>
</ul>



<h2 class="wp-block-heading">Conclusion:</h2>



<p>In an era where data breaches and cyber threats pose significant risks to businesses, conducting effective 3rd party vendor security reviews is a crucial component of a comprehensive security strategy. By following the outlined steps and best practices, organizations can proactively identify vulnerabilities, mitigate risks, and foster secure partnerships with third-party vendors, thereby safeguarding their valuable assets, data, and reputation in an increasingly interconnected business environment.</p>



<p>Incorporating these strategies will enable organizations to build resilient security frameworks that prioritize risk management, compliance, and proactive measures against potential security threats from third-party vendors. By establishing a culture of security awareness and vigilance, companies can navigate the complexities of vendor management while ensuring the integrity and security of their operations and data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="has-medium-font-size">At Aykira we have in-depth experience performing 3rd party vendor security reviews; if you would like to know how we can assist you, please fill in the form below.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Defence in Depth Security, it works</title>
		<link>https://www.aykira.com.au/2024/02/defence-in-depth-security-it-works/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Fri, 02 Feb 2024 02:38:33 +0000</pubDate>
				<category><![CDATA[architecture]]></category>
		<category><![CDATA[australia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software architecture]]></category>
		<category><![CDATA[techniques]]></category>
		<category><![CDATA[defence in depth]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3884</guid>

					<description><![CDATA[We look at how defence in depth can reduce the risk and impact caused by human error, the #1 cause of security incidents.]]></description>
										<content:encoded><![CDATA[
<p>It seems that the longer you spend in the cyber security business the more you see change, yet you also see the same things occurring again and again. The one thing which never changes is that at the root of all security incidents you will find someone who did something wrong. This could be leaving a debug service open to all, or it could be forgetting to renew the licence on a bit of critical security software, or it could be a simple typo or &#8216;fat finger&#8217; event at the wrong time in the wrong place. Wherever you find humans you will find human error, guaranteed &#8211; to err is, indeed, human.</p>



<p>To me, this begs the question: if human error is at the root of 99% of security incidents, then why is so little effort truly focussed on dealing with it specifically? So much of the investment in security seems to go on detection, with little on true prevention. Why not design out the ability for such errors to cause such incidents, or at least ensure that when they do happen the incident is minor instead of a business-crippling event?</p>



<p>Makes you wonder, doesn&#8217;t it?</p>



<p>Now you could say this is what QA, unit testing, code scans etc. are there to guard against, but there is a problem with this &#8211; such a check will only find what it has been written to find. It doesn&#8217;t understand what it&#8217;s testing or scanning &#8211; it&#8217;s looking for patterns of failure it already knows about. The trouble with human error is that it can occur anywhere; it could even be in the unit tests or code scanners you are running, which are just as susceptible to human error as your systems are.</p>



<p>Now, it could be that AI can make such checks more effective, but I have my doubts. I suspect that as the checks become better, the programmers will become lazier; given the checks are not 100% covering (even with AI), you get back to a situation where the chance of a vulnerability &#8216;going live&#8217; increases, so the net effect of employing AI is essentially unchanged with respect to security risk. Call it human nature, but if you increase the safeguards, people tend to start depending on them; they get lazy.</p>



<p>What if there was a way to make darn sure that wherever human error occurs it does not &#8216;blow the doors off&#8217;? Well, there is a way that I have been using for years that is effective, cheap and reliable &#8211; it&#8217;s called Defence in Depth design.</p>



<h2 class="wp-block-heading">Defence in Depth Design</h2>



<p>The basic idea of defence in depth design is that you acknowledge up front that your security controls have a rate of failure, yet this is an individual likelihood per control &#8211; in other words the failure of one control does not imply the failure of another. So given this independence of failures, why not layer your systems so that a single failure does not &#8216;punch a hole&#8217; through your defences?</p>



<p>This is a bit like the difference between a single line of defence and multiple, layered lines of defence. Multiple lines are much more difficult to overcome, as the undefended rear is that much further away. An alternative mental model is that of a castle, where you have the moat, the drawbridge, the wall, the bailey, and finally the keep, with numerous defensive opportunities throughout.</p>



<p>In this way you gain several other advantages over a single line of defence:</p>



<ul class="wp-block-list">
<li>Each layer can be managed in its own right; you are not forced into rebuilding everything, with its associated &#8216;through punch&#8217; risk.</li>



<li>Inner layers can be wired up only to the next outer layer; this way it&#8217;s a lot harder to inject an attack around an outer layer.</li>



<li>Inner layers can be set up to monitor the health of the outer layers &#8211; so providing an early warning of compromise that&#8217;s independent of other monitoring.</li>



<li>Layers can duplicate security controls to provide operational redundancy, say SQL injection prevention. This way if an external layer fails open, you are still protected.</li>
</ul>



<h2 class="wp-block-heading">So how is this done in practice?</h2>



<p>First off, decide how many layers you want. In most designs people go with 3 or 4 layers, which typically map to:</p>



<ul class="wp-block-list">
<li><strong>Network Edge</strong> &#8211; this could be an internet-distributed content delivery network (like CloudFront, Akamai, Azure CDN) that can have filtering rules embedded into it to control exactly what traffic is permitted through to the next layer. Some call this a WAF function, but it usually doesn&#8217;t do deep inspection.</li>



<li><strong>Network router with WAF (Web Application Firewall)</strong> &#8211; this is usually the service right before the application; it routes the traffic and examines the data packets for unusual content, blocking if any is found.</li>



<li><strong>Application Web Server</strong> &#8211; the web server itself can usually be configured to perform checks on the data and block if needed. This can be quite detailed and more specific than that performed by the WAF.</li>



<li><strong>Application </strong>&#8211; the code itself can contain checks for data validity and integrity, such as stopping SQL injections, or detecting embedded HTML that is out of place, etc.</li>
</ul>



<p>With such a set-up, you can see how easy it is to have your security controls overlapping in coverage across the layers &#8211; so if one layer fails open (or is compromised) the damage possible is greatly reduced.</p>
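<p>As an added example (not code from the original post), the following Python sketch shows the duplicated-control idea from the list above in miniature: a WAF-style pattern check, a stricter web-server-style check, and a parameterised query in the application, each judging the same request independently. The user table and the layer rules are constructed for the demonstration; flags on <code>handle()</code> simulate an outer layer failing open.</p>

```python
import re
import sqlite3

# Constructed user table for the demonstration (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Outer layer, WAF-style: a coarse pattern check over the raw parameter.
# It only finds what it was written to find, which is the author's point.
WAF_RULES = [re.compile(r"'\s*or\s+", re.IGNORECASE), re.compile(r"--|;")]

def waf_allows(value: str) -> bool:
    return not any(rule.search(value) for rule in WAF_RULES)

# Middle layer, web-server style: a rule specific to this application.
# Usernames here are short lowercase tokens, so anything else is rejected.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def server_allows(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# Inner layer, the application: the query is parameterised, so the value is
# bound as data and never interpreted as SQL, whatever the outer layers did.
def app_lookup(conn: sqlite3.Connection, name: str) -> list:
    cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cur.fetchall()

def handle(conn, name, waf_on=True, server_on=True):
    """Pass one request through the layers; a flag set False simulates that
    layer failing open. Returns (layer that decided, rows returned)."""
    if waf_on and not waf_allows(name):
        return ("waf", [])
    if server_on and not server_allows(name):
        return ("webserver", [])
    return ("app", app_lookup(conn, name))

if __name__ == "__main__":
    db = make_db()
    bad = "x' OR '1'='1"   # classic tautology used only as a test input
    print(handle(db, "alice"))                             # ('app', [('alice', 'admin')])
    print(handle(db, bad))                                 # ('waf', [])
    print(handle(db, bad, waf_on=False))                   # ('webserver', [])
    print(handle(db, bad, waf_on=False, server_on=False))  # ('app', [])
```

<p>Even with both outer layers switched off, the application layer returns no rows for the bad input, because the parameter is bound as a literal; that is the overlap the post is recommending.</p>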



<h2 class="wp-block-heading">A few things you need to ensure you get right&#8230;</h2>



<p>First off, do make sure that it is not possible to &#8216;jump&#8217; a layer by dint of that layer being publicly visible. In particular, the Application Web Server should NEVER be directly visible to the internet in such a model; you are just asking for trouble.</p>



<p>Secondly, the same rule applies to services the Application Web Server depends upon, such as databases, key/value stores, file stores, etc. &#8211; they should not be directly visible to the public internet. Putting everything in a VPC (virtual private cloud) is one way of doing it, but ensure you don&#8217;t end up with one big VPC containing all your applications. Different applications should go in their own VPCs.</p>



<p>Thirdly, logging is done remotely. A layer, and its associated controls, should not log locally alone &#8211; the logs should go to some independent logging store, and also on to a SIEM or log analysis service. That way, when something unexpected does occur, you both know about it and have the logs to investigate.</p>



<p>Fourthly, each layer needs to &#8216;stand alone&#8217; in terms of shared dependencies. You should not run multiple layers on the same machine or box, even if they are virtualised. This completely removes the risk of cross-talk or resource starvation being used as a mechanism to take down a service. Keep things apart and they won&#8217;t interfere with each other.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>I hope I have convinced you that Defence in Depth is a useful system design technique to help reduce the &#8216;blast radius&#8217; and likelihood of a human-caused security incident. As I said, it is one of my principal design techniques, and I know it just works. If you would like to know more about this security technique, and others, please first consider buying my <a href="https://www.amazon.com/Personal-Information-Security-Systems-Architecture-ebook/dp/B07HBLG3CP/" data-type="link" data-id="https://www.amazon.com/Personal-Information-Security-Systems-Architecture-ebook/dp/B07HBLG3CP/" target="_blank" rel="noreferrer noopener">book</a>, available both in hardcopy and as a Kindle e-book.</p>



<p>If you want to follow up with me and are considering engaging me for my security and architecture services, please use the <a href="https://www.aykira.com.au/contact/" data-type="page" data-id="32">contact form</a>. Thank you.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Google email changes impact small businesses</title>
		<link>https://www.aykira.com.au/2024/01/google-email-changes-impact-small-businesses/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Thu, 25 Jan 2024 22:20:28 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[email]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3877</guid>

					<description><![CDATA[As of 1st February 2024 Google will put in place several new requirements of those sending emails to Google based email accounts. In effect all businesses that send emails to Google based email accounts will have to implement these changes to ensure their emails will get through and will not either be deleted or put <a href="https://www.aykira.com.au/2024/01/google-email-changes-impact-small-businesses/" rel="nofollow"><span class="sr-only">Read more about Google email changes impact small businesses</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>As of 1st February 2024 Google will put in place several new requirements of those sending emails to Google based email accounts. In effect all businesses that send emails to Google based email accounts will have to implement these changes to ensure their emails will get through and will not either be deleted or put in the &#8216;Spam&#8217; folder.</p>



<p>Google is doing this to reduce the amount of spam being sent to their email customers and to improve general email security.</p>



<p>So what are the changes? Have a look <a href="https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F81126%3Fvisit_id%3D638418161338707379-2387370828&amp;assistant_id=generic-unu&amp;product_context=81126&amp;product_name=UnuFlow&amp;trigger_context=a" data-type="link" data-id="https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F81126%3Fvisit_id%3D638418161338707379-2387370828&amp;assistant_id=generic-unu&amp;product_context=81126&amp;product_name=UnuFlow&amp;trigger_context=a">here</a>. Below I have taken a screenshot of the changes and underlined what I think is the key change.</p>



<figure class="wp-block-image size-full"><a href="https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes.png"><img loading="lazy" decoding="async" width="784" height="586" src="https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes.png" alt="" class="wp-image-3878" srcset="https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes.png 784w, https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes-300x224.png 300w, https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes-768x574.png 768w, https://www.aykira.com.au/wp-content/uploads/2024/01/goolge-changes-285x214.png 285w" sizes="auto, (max-width: 784px) 100vw, 784px" /></a></figure>



<p>For those not in the know, SPF and DKIM email authentication are two entries added to your domain&#8217;s DNS records that stop hackers pretending to be you when sending emails. SPF lists which machines on the internet are allowed to send email as you. DKIM adds a digital signature to your outgoing emails, allowing a receiver to check that signature and verify that the email is indeed from you and hasn&#8217;t been modified in flight through the internet.</p>
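<p>As an added example (not from the post, nor from Google or dmarcly), here is a small Python SPF evaluator that shows what an SPF record actually does: given a domain&#8217;s record and the IP address a message arrived from, it decides whether that machine is permitted to send as the domain. The DNS answers are constructed inline under placeholder domain names so it runs offline; a real checker would query TXT records, and only the ip4, ip6, include and all mechanisms are handled. DKIM signature checking is not covered here.</p>

```python
import ipaddress

# Constructed SPF records standing in for real DNS TXT answers, so this runs
# offline. The domain names are placeholders, not real published records.
FAKE_DNS_TXT = {
    "example.com.au": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 -all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain: str):
    """Stand-in for a DNS TXT lookup (assumption: a real checker queries DNS)."""
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for a sending IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (malformed record or too many nested includes). Mechanisms
    that need live DNS (a, mx, exists, ptr) are treated as non-matching.
    """
    if depth > 10:                     # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:    # skip the v=spf1 version tag
        qualifier = "+"                # a bare mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"     # malformed address in the record
        elif mech == "include":
            # The included domain's evaluation counts as a match only on 'pass'.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                   # record ended without an 'all' term

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("example.com.au", ip))
```

<p>The last address in the demo is not listed anywhere, so it falls through to the record&#8217;s <code>~all</code> and gets a softfail, which is the result a receiver like Google uses to decide whether to junk the message.</p>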



<p>If you want to check if your domain is set up correctly, I suggest you use <a href="https://dmarcly.com/tools/" data-type="link" data-id="https://dmarcly.com/tools/">dmarcly.com/tools/</a>. Just enter your domain (the text on the right-hand side of the &#8216;@&#8217; in your email address) into the SPF Checker and the DKIM Checker. If they both come back finding valid entries, there is nothing more you need to do. But if they come back as missing, this means that from February 1st your emails might fail to get through to those using Google email &#8211; if so, please contact your IT support to get this fixed, or if you are technically minded use the SPF Record Generator and DKIM Record Generator on the dmarcly.com site, along with knowledge of your email set-up and who can send emails as you, to configure this correctly.</p>



<p>The DKIM change will require your email programs to be set up to sign all your emails; this can be quite an involved process.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Security Predictions for 2024</title>
		<link>https://www.aykira.com.au/2023/12/security-predictions-for-2024/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Fri, 22 Dec 2023 00:48:47 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[2024]]></category>
		<category><![CDATA[cyber security]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3869</guid>

					<description><![CDATA[What I think are going to be the top 5 big cyber security themes in 2024.]]></description>
										<content:encoded><![CDATA[
<p>I thought I&#8217;d write a little summary of what I think are going to be the top 5 big events of 2024 in the cyber security space, based on my security &#8216;gut&#8217; and some patterns I&#8217;m seeing evolving&#8230;</p>



<h2 class="wp-block-heading">1. More bigger &amp; audacious hacks&#8230;</h2>



<p>A pretty obvious one, but I think 2024 is going to have some truly monstrous hacks, in two main areas:</p>



<ul class="wp-block-list">
<li>Highly integrated SaaS product providers &#8211; these are SaaS products that tie into a lot of other SaaS services. In effect their surface area is large, complex and constantly evolving &#8211; I&#8217;m talking about Auth providers, data/API integrators, etc &#8211; any product offered up as a SaaS that takes data from a number of systems, manipulates that data and hands it onto a number of other systems. These face numerous security challenges including: separation/isolation between customers, resource cross talk, 3rd party integrations and &#8216;varied&#8217; authN/authZ coverage&#8230;</li>



<li>Health and &#8216;old&#8217; services &#8211; basically organisations with large data sets but not the resources to keep current on their security control coverage. These used to be unofficially &#8216;off limits&#8217; to the more ethical hackers, but the need to make money is winning out against any semblance of ethics&#8230;</li>
</ul>



<p>In essence there are two drivers here: &#8216;over the horizon&#8217; complexity (in other words all the stuff you cannot control or see), and just a simple inability to keep current.</p>



<h2 class="wp-block-heading">2. The AI security love-fest will start to come to an end&#8230;</h2>



<p>ATM you can&#8217;t look at any security product without it having some sprinkling of AI in it, like some magic fairy dust that solves all your security problems (I&#8217;m just waiting for my cappuccino to come with AI!). We are in the &#8216;exciting but unproven&#8217; stage, where AI is being thrown at any problem to create differentiation in the marketplace. This will all come to a sorry end when a hack (maybe of the monstrous variety) occurs on a system that was meant to be protected by AI solutions and everyone will have their &#8216;a ha&#8217; moment. This will happen for sure in 2024, although whether it will fully see the light of day in 2024 is another matter.</p>



<p>In essence there is no getting away from the core security control requirements; AI is something you should carefully apply to layer additional controls on top of the base set, it is NO substitute for such controls. Sorry, no free lunch via AI, plus to do it right you will need additional expenditure on resources to configure and keep it in tune (otherwise it will just go rotten over time).</p>



<p>I also think people will discover LLMs have limited applicability in areas that require precise and correct language in ill-defined and evolving problem spaces; in effect the effort spent training and correcting will be greater than just doing it by hand. There will be an illusion of efficiency that hides the effort spent compensating for incorrectness (I call this the shiny tool illusion, i.e. it&#8217;s AI, it must be better, right?).</p>



<h2 class="wp-block-heading">3. The security skills shortage will continue</h2>



<p>This is just a sheer product of the aggregate security surface that&#8217;s out there; it&#8217;s growing somewhere north of 10% per annum (this is probably quite conservative if one takes into account all the cloud integrations and interdependencies), so if we aren&#8217;t creating at least 10% more security professionals per year, the skills shortage will keep getting worse. And, no, AI will not save you, see the previous point.</p>



<p>I actually don&#8217;t think we have a skills shortage problem, we actually have more of a skills leverage problem, i.e. the problems are not getting solved correctly as classes of problem &#8211; I&#8217;ll explain this thinking some more in a later article (it will blow your mind&#8230;).</p>



<h2 class="wp-block-heading">4. A rise in &#8216;junk&#8217; security certifications</h2>



<p>I&#8217;m seeing this a lot, people piling up their profiles or CVs with essentially &#8216;junk&#8217; certs, and this will get even worse in 2024. Myself, I do not care what LinkedIn, AWS, MSFT, etc. security course video you sat through and answered a short questionnaire on to pass; I want to see you actually doing the following:</p>



<ul class="wp-block-list">
<li>Doing a proper industry recognised certification that is actually hard to get and requires money and effort to keep;</li>



<li>Doing some online challenges (say Capture the Flag);</li>



<li>Contributing to a security library;</li>



<li>Finding vulnerabilities in services and responsibly reporting them;</li>



<li>Contributing to setting security standards.</li>
</ul>



<p>When I see someone loaded up on junk certs, it&#8217;s an instant red flag &#8211; so just stop doing it &#8211; it impresses nobody in the know and will actually stop you getting on in the security space. Real knowledge requires real effort &#8211; get used to it and do it, there is no short cut to the top.</p>



<h2 class="wp-block-heading">5. Governmental Oversight/Policies</h2>



<p>In 2024 a lot more governments will start demanding more security regulation and general oversight of how society-critical businesses go about their security operations. This has been growing in 2023, but I think a lot of regs and policies will be rolled out globally. This is a good thing by intention, but I still have my reservations over whether it will truly change the risk dynamics for the better over the long term. The reason being, if these just exist to set common baselines, then the hackers will adapt to look for weaknesses above the baseline. Hackers have the opportunity to think outside the box and use a variety of techniques to achieve their objectives, whereas businesses are restricted in how they can adopt security controls, in a lagging fashion.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>So what do you think? Am I being too much of a Security Grinch? Feel free to write below, I&#8217;ve enabled the comments for this article.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Cashless Disaster</title>
		<link>https://www.aykira.com.au/2023/10/the-cashless-disaster/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 23 Oct 2023 21:28:33 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[cash]]></category>
		<category><![CDATA[cashless]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3764</guid>

					<description><![CDATA[This article explains exactly what the cashless disaster is and why we should not be going down this road, it could literally result in the end of Australian society as we know it.]]></description>
										<content:encoded><![CDATA[
<p class="has-medium-font-size">Going cashless is presented as a way of modernizing our economy, a way of putting us at the forefront of modern financial technological development. In reality, this is more about financial institutions wanting to reduce their operational costs, raise transaction fees, and gain more visibility into what you do. This article explains exactly what the cashless disaster is and why we should not be going down this road, it could literally result in the end of Australian society as we know it.</p>



<h2 class="wp-block-heading">What really is cashless?</h2>


<div class="wp-block-image">
<figure class="alignright size-full is-resized"><a href="https://www.aykira.com.au/wp-content/uploads/2023/10/cashless.png"><img loading="lazy" decoding="async" width="700" height="492" src="https://www.aykira.com.au/wp-content/uploads/2023/10/cashless.png" alt="Cashless Payment" class="wp-image-3769" style="aspect-ratio:1.4227642276422765;width:300px;height:auto"/></a><figcaption class="wp-element-caption"><strong><em>Is it really worth it?</em> <em>Who benefits?</em></strong></figcaption></figure></div>


<p>Simply put, being cashless means having no physical currency to transact, instead, you depend upon electronic payment &#8216;proxies&#8217;, typically these are credit or debit cards but can also be token cards (like public transport cards). All these proxies have to make use of a computer network to transmit, record, and ultimately settle the transaction; no physical &#8216;cash&#8217; is ever involved, hence &#8216;cashless&#8217;. You are presenting an authorized token instead of cash and it&#8217;s processed through a computer network to settle the transaction.</p>



<p>On the face of it, this seems a great thing to encourage, no more fiddling with notes and coins to settle a transaction, instead you just swipe and go. The day-to-day convenience of this is highly attractive which is totally understandable, yet going completely down this road creates more problems than it solves, let me explain.</p>



<h2 class="wp-block-heading">Cashless knows what you did and where</h2>



<p>Compared to cash, cashless is totally traceable; everything from your weekly food shop to that coffee you just bought is recorded. Now on the face of it, this seems innocent enough, yet this complete transactional history of you is highly valuable, and who has access to this? Yep, your financial institutions. Such information can be used to:</p>



<ul class="wp-block-list">
<li><strong>Target their services to you</strong> &#8211; such as car loans, personal loans, insurance, etc</li>



<li><strong>Target other companies&#8217; services to you</strong> &#8211; buy a lot of coffee, maybe you might be interested in a loyalty card scheme? Recently bought a baby seat, how about a special offer on discounted nappies?</li>



<li><strong>Profile you as a customer</strong> &#8211; do your transactions indicate something undesirable about you as a customer? Is there fraud going on? Should your accounts be shut down as a safeguard? Does the government consider you a risk?</li>
</ul>



<p>The first point I don&#8217;t have that much trouble with, they have been effectively doing that for years; it&#8217;s the other two I have problems with. Once your financial institutions start sharing your financial transaction details (no matter how watered down or anonymized they are) it&#8217;s all out there and essentially impossible to bring back. Your very financial essence is there for companies to buy and trade. Plus, the more information they collect, the more possible it becomes to deanonymize you by the sheer weight of information collected. In effect, more data points allow the filling in of the gaps, which when combined with public data sources allows complete deanonymization.</p>



<p>The last point in the list is perhaps the most immediately scary, as this closing down of bank accounts has occurred in the UK and has occurred in Canada for those who <a href="https://www2.cbn.com/news/world/canadian-pastor-flees-kenya-escape-persecution-after-govt-froze-protesters-bank-accounts" data-type="link" data-id="https://www2.cbn.com/news/world/canadian-pastor-flees-kenya-escape-persecution-after-govt-froze-protesters-bank-accounts">sponsored the truckers</a>. BTW, most banks have in their T&amp;Cs the ability to shut down accounts for no reason.</p>



<p>Something I always find odd is that people don&#8217;t realize cashless records where you are and when. Every time you pay for something via cashless it creates a record of you being there doing that transaction at that precise moment in time. Every payment point is uniquely identified, and your literal walk through life is recorded in detail as a result.</p>



<p>Also, with the knowledge of how much you spend at a certain time, it becomes possible to work out what you bought. For instance, visiting Starbucks and spending $5.50 indicates it&#8217;s likely you bought a large coffee. Visit JB Hi-Fi and spend $1089, and that can be matched to a certain TV that was the only item in the store at that price point at that moment in time. Going to your local petrol station once a week and spending around $50? You are filling up your car.</p>



<p>Then there is the other problem of retailers who have systems to track your buying behavior by using your cashless token ID as a tracer to build behavioral purchase profiles over time. They can then use this to target you for deals, or if they get your mobile number sell that information to a third party for targeted advertising. Now you are wondering why certain retailers are offering digital invoices, just give them your mobile number, it is so easy and convenient&#8230;</p>



<h2 class="wp-block-heading">Cashless is Fragile</h2>



<p>An aspect of cashless that is not discussed is that it is inherently fragile in operation compared to physical cash. A whole network of computers run by many different businesses is required to be working 24&#215;7, reaching into every single place you could possibly transact. This is not fully reliable, so there need to be alternatives. We have had situations where the networks of financial providers have gone down for extended periods and those merchants and individuals associated with the impacted provider have been unable to transact, nothing worked. Don&#8217;t believe me? Here is a recent list:</p>



<ul class="wp-block-list">
<li><strong>CBA Systems </strong>&#8211;  <a href="https://www.itnews.com.au/news/cba-banking-services-suffer-10-hour-outage-566364" data-type="link" data-id="https://www.itnews.com.au/news/cba-banking-services-suffer-10-hour-outage-566364">23 June 2021</a>, <a href="https://www.examiner.com.au/story/8247449/commonwealth-bank-services-being-restored-after-outage/" data-type="link" data-id="https://www.examiner.com.au/story/8247449/commonwealth-bank-services-being-restored-after-outage/">26 June 2023</a></li>



<li><strong>NAB Systems</strong> &#8211; <a href="https://www.abc.net.au/news/2020-10-19/nab-outage-across-australia/12783316" data-type="link" data-id="https://www.abc.net.au/news/2020-10-19/nab-outage-across-australia/12783316">19 October 2020</a></li>



<li><strong>Westpac Systems</strong> &#8211; <a href="https://www.nzherald.co.nz/business/westpac-merchant-customers-hit-by-third-party-app-outage/QRIM2NWQAFDZ7NKNTOO4PN5Q4I/" data-type="link" data-id="https://www.nzherald.co.nz/business/westpac-merchant-customers-hit-by-third-party-app-outage/QRIM2NWQAFDZ7NKNTOO4PN5Q4I/">9 Jan 2023</a></li>



<li><strong>Telstra Network</strong> &#8211; <a href="https://www.sbs.com.au/news/article/banks-shops-bounce-back-from-atm-and-eftpos-outage-across-australia/k94wlcvn9" data-type="link" data-id="https://www.sbs.com.au/news/article/banks-shops-bounce-back-from-atm-and-eftpos-outage-across-australia/k94wlcvn9">11 July 2019</a></li>



<li><strong>Square Systems</strong> &#8211; <a href="https://www.afr.com/companies/financial-services/square-payment-outage-raises-red-flags-at-the-reserve-bank-20230911-p5e3ow" data-type="link" data-id="https://www.afr.com/companies/financial-services/square-payment-outage-raises-red-flags-at-the-reserve-bank-20230911-p5e3ow">11 Sept 2023</a></li>



<li><strong>Tyro Payment Network</strong> &#8211; <a href="https://www.afr.com/companies/financial-services/tyro-ceo-will-need-to-rebuild-trust-after-outage-20210222-p574km" data-type="link" data-id="https://www.afr.com/companies/financial-services/tyro-ceo-will-need-to-rebuild-trust-after-outage-20210222-p574km">January 2021</a>, lasted 3 weeks</li>
</ul>



<p>With each of these outages, millions of people were impacted. They were &#8216;cut out&#8217; of the cashless systems, unable to either give or take payments.</p>



<p>Now, what happens if you live in an area with limited or zero mobile network coverage? Yep, if you depend upon your mobile phone to tap to pay, there is a risk it will fail. Most digital wallets have to update their token keys from time to time, so if you are unable to pick the update up, your wallet won&#8217;t work (the old token you have is not valid in the central system). Also if your merchant suffers a network outage or bad connections, they won&#8217;t be able to complete the transaction. Reminds me of taxi drivers who I try to pay at my house and they have to go up the drive waving the terminal around to get a signal&#8230;</p>



<p>Something also not discussed is the human error aspect of all these systems, the people running them do make mistakes from time to time, some of these mistakes do cause massive outages &#8211; but others can be more targeted in their impact. Member for Menzies Keith Wolahan recently encountered a form of such silliness when his cards were all declined, simply because his bank wanted to <a href="https://www.news.com.au/finance/business/banking/not-a-conspiracy-federal-mp-shares-personal-bank-nightmare-as-he-warns-of-a-digital-identity-transition/news-story/8ce52b188f25f59c9855c598937f2f5c" data-type="link" data-id="https://www.news.com.au/finance/business/banking/not-a-conspiracy-federal-mp-shares-personal-bank-nightmare-as-he-warns-of-a-digital-identity-transition/news-story/8ce52b188f25f59c9855c598937f2f5c">verify his driver&#8217;s license</a>&#8230; Why they couldn&#8217;t notify him to verify his card prior to locking him out of his account is unknown, again human error in not creating a proper process. </p>



<h2 class="wp-block-heading">Bad Actors</h2>



<p>One aspect of this that is not often discussed is say you are a state actor with evil intentions for Australia, how easy would it be to take down the cashless systems and cause a prolonged outage? I would argue that it would be relatively easy for a competent state actor to seriously perturb such systems. I won&#8217;t describe the mechanisms of how this could be done, as that would be irresponsible, but knowing how the Internet and telecoms networks are put together and how businesses utilize such networks in many different ways &#8211; bringing it all to a screaming halt is quite viable.</p>



<p>Going cashless also enables a form of surveillance that bad actors could tap into. Any business connected to the cashless financial system is a worthwhile target as pieces of information can be merged together to gain an increasingly accurate overview of someone&#8217;s activity. Plus bad actors are able to just buy activity information from information brokers by pretending to be a marketing agency. Armed with such knowledge a bad actor can create very convincing phishing emails. There have even been cases of advertising platforms used to target malware to known persons of interest.</p>



<h2 class="wp-block-heading">Cashless is not Green</h2>



<p>Hopefully, it has not escaped your notice that in order to have the convenience of Tap-to-pay, a whole network of computers and terminals need to be powered 24&#215;7 to process those payments, this is an enormous power consumption combined with physical resources consumption. Just think every time you Tap-to-pay for your coffee you could be contributing to the climate problem. Cash in comparison consumes very little and is very reusable, coins and notes are designed to be very durable.</p>



<h2 class="wp-block-heading">Cashless Won&#8217;t Stop Criminals</h2>



<p>Cashless is often presented as a mechanism to deal with the Grey or Black Economy, a way of stopping criminals from washing money and enacting fraud. In part, yes, it will help but I would argue they would then adapt to the new reality. In a way, they are already adapting by utilizing &#8216;innocent&#8217; 3rd parties to perform their transactions, and financial institutions are having a hell of a time trying to stop it.</p>



<p>What I&#8217;m referring to is the use of &#8216;mule accounts&#8217;, this is where a criminal will gain access to someone&#8217;s financial account, and then use it as a means to move money around between 3rd parties without involving themselves directly. In effect, they &#8216;wash&#8217; the money through the mule account. This is on top of scammers gaining access to financial accounts and clearing them out.</p>



<p>Also, criminals are free to associate value with other forms of exchange, such as gold, diamonds, etc., all of which are completely untraceable. So I don&#8217;t think cashless is going to have a big impact on the Grey or Black Economy; rather it will catch the stupid criminals, but the smart ones will still get away as they always do.</p>



<h2 class="wp-block-heading">What should you do?</h2>



<p>Given the above, and how cashless can often fail at the most critical of times, I recommend the following:</p>



<ul class="wp-block-list">
<li>Carry on you at least enough cash to get you home from work via a taxi, times 2. Why times 2? Well, if there is a mass outage of cashless services, the taxi rates will likely go up. Although, as you will be one of the few able to pay your way, you might be able to haggle!</li>



<li>Keep enough cash at home to buy the essentials for at least 1 week, i.e. 1 food shop and 1 car fill-up. This way you will be able to keep your home fed and move around.</li>



<li>For the smaller transactions, say under $10, go back to using cash. You might also find things are a little bit cheaper as the transaction handling fees or surcharges often silently get added on when using Cashless, this can be as high as 2%, which quickly adds up.</li>



<li>Contact your local MP and point out you are not happy with the bank branch closures and this move to being exclusively Cashless.</li>
</ul>



<h2 class="wp-block-heading">Conclusion</h2>



<p>Cashless, like all technology solutions, has its pros and cons. Unfortunately, I think in Australia, the upswing in cashless transactions during COVID is being used as an excuse to fundamentally scale down the cash part of the economy to save operational costs for banks, whilst the same banks are getting an uptick in transaction fees (which adds up to a lot) from the cashless settlement. With the current 80%+ usage of cashless, they can see it won&#8217;t take much to push out cash. This is not being driven at all by improving your convenience, you already have that, rather it&#8217;s to improve profitability for the banks.</p>



<p> I think this wholesale move to cashless is a massive disaster waiting to happen and will make Australia an easy target for state actors (or sophisticated hackers) to perturb when they want. Add onto this the fact the legislation to support this new financial order is woefully lacking in checks and balances and you can see why I think it is a bad idea. Cash has its uses and will continue to have its uses and needs to remain an equal method of settlement as cashless.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Did you find this article interesting? If so, please consider <a href="https://www.linkedin.com/in/keithmarlow/" data-type="link" data-id="https://www.linkedin.com/in/keithmarlow/">following me on LinkedIn</a>, I often post stories relating to cybersecurity, national security, and technology. Also have a look at the <a href="https://www.aykira.com.au/blog/" data-type="page" data-id="15">blog </a>on this site, where I often post longer-form articles and stories. Thank you.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Enhancing Security and Customer Trust: The Role of ISO 27001 in Modern Businesses</title>
		<link>https://www.aykira.com.au/2023/10/enhancing-security-and-customer-trust-the-role-of-iso-27001-in-modern-businesses/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Tue, 17 Oct 2023 03:53:59 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[iso 27001]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3435</guid>

					<description><![CDATA[In this article, we describe ISO 27001&#8217;s pivotal role in improving cybersecurity resilience within a business, and how it can build customer trust. We also explain the process of getting ISO 27001 certification.]]></description>
										<content:encoded><![CDATA[
<p class="left-line has-medium-font-size">In today&#8217;s digital age, businesses rely heavily on information technology systems to store, process, and transmit all kinds of sensitive data. As a result, the need for robust cybersecurity measures has never been more critical. Customers and partners alike expect organizations to safeguard their data, and breaches can lead to financial losses, reputational damage, and even legal consequences. Given this context, the International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC), developed ISO/IEC 27001 (usually just called ISO 27001), the standard that sets out the requirements for an information security management system (ISMS). </p>



<p class="has-medium-font-size">This article explores how ISO 27001 helps businesses remain secure and attract customers by instilling confidence in their cybersecurity practices.</p>



<h2 class="wp-block-heading">Understanding ISO 27001</h2>



<p>ISO 27001 is a globally recognized standard that provides a systematic approach to managing and protecting sensitive information. It is part of the ISO 27000 family, which encompasses various information security standards. ISO 27001 specifically focuses on establishing, implementing, maintaining, and continually improving an ISMS within an organization.</p>



<p>An ISMS is a structured framework that integrates people, processes, and technology to manage information security risks effectively. It helps organizations identify and mitigate vulnerabilities, safeguard sensitive data, and ensure the confidentiality, integrity, and availability of information.</p>



<h2 class="wp-block-heading">ISO 27001&#8217;s Role in Information Security</h2>



<p>ISO 27001 plays a pivotal role in enhancing information security within organizations. Here&#8217;s how it contributes to this critical aspect of business operations:</p>



<h3 class="wp-block-heading"><strong>a) Risk Assessment and Management:</strong></h3>



<p>One of the fundamental principles of ISO 27001 is risk assessment and management. It requires organizations to systematically identify and assess information security risks. By doing so, companies can prioritize threats, implement appropriate controls, and continuously monitor and review their effectiveness. This proactive approach reduces the likelihood of security breaches and data leaks.</p>



<h3 class="wp-block-heading"><strong>b) Legal and Regulatory Compliance:</strong></h3>



<p>ISO 27001 helps businesses stay compliant with various data protection and privacy laws and regulations, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Prudential Standard CPS 234 Information Security, and the Australian Privacy Act. Compliance with these laws &amp; policies is crucial to avoiding costly penalties and maintaining customer trust.</p>



<h3 class="wp-block-heading"><strong>c) Improved Incident Response:</strong></h3>



<p>ISO 27001 provides guidelines for developing an effective incident response plan. Organizations can use this framework to prepare for potential security incidents, respond promptly when they occur, and minimize the impact on their operations and reputation.</p>



<h3 class="wp-block-heading"><strong>d) Employee Awareness and Training:</strong></h3>



<p>ISO 27001 emphasizes the importance of educating employees about information security. A well-trained workforce is more likely to recognize and report security threats, reducing the risk of insider threats and human errors.</p>



<h3 class="wp-block-heading"><strong>e) Continual Improvement:</strong></h3>



<p>ISO 27001 encourages organizations to continually improve their ISMS. This iterative process ensures that security controls remain effective in the face of evolving threats and technologies. Hackers and bad actors never stop trying new techniques to get into systems, so ongoing security improvement is key to remaining secure.</p>



<h2 class="wp-block-heading">Building Customer Trust through ISO 27001</h2>



<p>In an era where data breaches and cyberattacks are daily news, customers are becoming increasingly cautious about whom they trust with their personal information. ISO 27001 can be a powerful tool for businesses looking to build and maintain trust among their customer base.</p>



<h3 class="wp-block-heading"><strong>a) Demonstrating Commitment to Security:</strong></h3>



<p>When an organization obtains ISO 27001 certification, it sends a clear message to its customers: &#8220;We take information security seriously.&#8221; This commitment to protecting sensitive data can reassure customers and partners, making them more comfortable doing business with the certified organization. For certain customers, like government departments or financial businesses, having a security certification like ISO 27001 is a prerequisite to being considered.</p>



<h3 class="wp-block-heading"><strong>b) Enhancing Reputation:</strong></h3>



<p>A strong reputation for cybersecurity can be a significant competitive advantage. Organizations that are ISO 27001 certified are often seen as leaders in their industry when it comes to information security. Such a reputation can attract new customers and partners and retain existing ones.</p>



<h3 class="wp-block-heading"><strong>c) Reducing Security Concerns:</strong></h3>



<p>Customers are becoming increasingly aware of the risks associated with sharing their data. ISO 27001 certification can alleviate their concerns by demonstrating that an organization has implemented rigorous security measures and controls to protect their information. This can result in higher customer confidence and loyalty.</p>



<h3 class="wp-block-heading"><strong>d) Mitigating Data Breach Costs:</strong></h3>



<p>Data breaches can be financially devastating, with costs stemming from regulatory fines, legal actions, and reputational damage. ISO 27001 can help reduce the likelihood of a breach occurring in the first place, as well as minimize the associated costs if one does occur.</p>



<h2 class="wp-block-heading">The Certification Process</h2>



<p>Obtaining ISO 27001 certification is a structured process that involves several key steps:</p>



<h3 class="wp-block-heading"><strong>a) Gap Analysis:</strong></h3>



<p>The first step is to assess the organization&#8217;s existing information security practices against the ISO 27001 standard. This identifies gaps and areas that are in need of improvement. </p>



<h3 class="wp-block-heading"><strong>b) Risk Assessment:</strong></h3>



<p>At this step, a comprehensive risk assessment is conducted to identify potential threats and vulnerabilities to the organization&#8217;s information assets. We then work with the business to &#8216;bootstrap&#8217; a simple security &#8216;baseline&#8217;, so that the work of securing the business starts as soon as the main risks are identified and understood, rather than waiting for the full ISMS to exist.</p>



<h3 class="wp-block-heading"><strong>c) ISMS Development:</strong></h3>



<p>Next an ISMS is developed and implemented based on ISO 27001&#8217;s requirements. This includes defining security policies, conducting risk assessments, and implementing controls. This starts to tie together an overarching process of business security.</p>



<h3 class="wp-block-heading"><strong>d) Internal Auditing:</strong></h3>



<p>Regular internal audits are conducted to check compliance with ISO 27001 and the effectiveness of the security controls. The first internal audit is done before the external certification audit, to demonstrate that the ISMS is operating as documented and to find any problems while they are still cheap to fix.</p>



<h3 class="wp-block-heading"><strong>e) Certification Audit:</strong></h3>



<p>Next, an accredited certification body is engaged to perform an independent audit of the organization&#8217;s compliance with ISO 27001. This is normally done in two stages: a review of the ISMS documentation, followed by an on-site assessment of whether the ISMS is actually operating as documented. If successful, the organization receives ISO 27001 certification.</p>



<h3 class="wp-block-heading"><strong>f) Continual Improvement:</strong></h3>



<p>ISO 27001 emphasizes the importance of continual improvement. Organizations must regularly review and update their ISMS to adapt to changing threats and technologies.</p>



<p>Once certified, the last three steps repeat on an ongoing cycle: the certification body performs a surveillance audit each year and a full recertification audit every three years, with the internal audit and improvement work running ahead of each. This cadence gives a business enough time to apply ISO 27001 and collect the evidence for the audits without disrupting day-to-day operations too much. Yes, there is an overhead to maintaining ISO 27001, but it should be outweighed by the ongoing reduction in risk to the business, and over time it becomes part of &#8216;business as usual&#8217; operations.</p>






<h2 class="wp-block-heading">Challenges and Considerations</h2>



<p>While ISO 27001 offers significant benefits, achieving certification is not without its challenges:</p>



<h3 class="wp-block-heading"><strong>a) Resource Investment:</strong></h3>



<p>Implementing ISO 27001 requires a commitment of time, money, and personnel. Smaller organizations may find it more challenging to allocate the necessary resources.</p>



<h3 class="wp-block-heading"><strong>b) Cultural Change:</strong></h3>



<p>Adopting ISO 27001 often necessitates a cultural shift within an organization. Employees must understand and embrace the importance of information security. A good security team can make this an engaging and informative journey for the staff.</p>



<h3 class="wp-block-heading"><strong>c) Maintenance:</strong></h3>



<p>ISO 27001 certification is not a one-time achievement; it requires ongoing maintenance and continual improvement to remain effective, especially for the technical aspects of cyber security in a modern business, where the systems and the threats against them change far faster than the policies do.</p>



<h3 class="wp-block-heading"><strong>d) Third-Party Relationships:</strong></h3>



<p>Organizations that rely on third-party vendors or suppliers must ensure that their partners also adhere to information security best practices to prevent vulnerabilities in the supply chain. This often requires an operational and technical examination of vendors to assess their security capabilities and if these meet the risk profile of the business.</p>



<h3 class="wp-block-heading"><strong>e) Regulatory Changes:</strong></h3>



<p>Regulatory requirements that relate to data protection and cybersecurity do change over time. Organizations must stay up-to-date with these changes to maintain compliance. Failure to do so could be costly.</p>



<h2 class="wp-block-heading">ISO 27001 Scoping</h2>



<p>An aspect of ISO 27001 that is often overlooked is that it does not need to be applied to a whole business; it can be scoped to the entity, location, or business unit of prime security concern. You could be a business that operates from a central head office with a few satellite offices. Those satellite offices might be left out of scope if the head office&#8217;s security controls segregate their risks from the in-scope systems. This can have a dramatic impact on the cost and effort of maintaining compliance, although the scope statement must be honest: a scope that quietly excludes the systems customers actually care about undermines the trust the certification is supposed to build.</p>



<p>Scoping is often done with a specific high-level security objective in mind, for instance ensuring the security of customer data at all times.</p>



<h2 class="wp-block-heading">ISO 27001 Standards</h2>



<p>ISO 27001 is in reality one member of the much larger ISO/IEC 27000 family of standards. The five core documents that an ISMS implementer works with are:</p>



<ul class="wp-block-list">
<li>ISO 27000 &#8211; An overview of information security management systems and the vocabulary used by the other standards below.</li>



<li>ISO 27001 &#8211; The requirements for an ISMS, including how risk is assessed and treated and the reference set of controls (Annex A) that must be considered. This is the only document in the list that an organization is certified against.</li>



<li>ISO 27002 &#8211; A catalog of information security controls that can be managed through the ISMS, with specific advice and guidance on implementing each one.</li>



<li>ISO 27003 &#8211; Guidance on meeting the ISMS requirements and on the processes that support them.</li>



<li>ISO 27004 &#8211; Guidelines on monitoring and measuring information security performance and the effectiveness of the ISMS.</li>
</ul>



<p>The standards are reviewed roughly every five years and updated editions are published. ISO 27001 and ISO 27002 were both revised in 2022; that revision reorganised the control set and added controls for areas such as threat intelligence, security of cloud services, configuration management, information deletion, data masking, data leakage prevention and secure coding, reflecting how data handling and retention have become a central concern.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>ISO 27001 is a powerful tool for businesses seeking to enhance their information security practices and build trust with customers and partners. By implementing an ISMS based on ISO 27001&#8217;s framework, organizations can systematically identify, assess, and mitigate information security risks. This proactive approach not only reduces the likelihood of data breaches but also demonstrates a commitment to security that can attract and retain customers.</p>



<p>In an age where data breaches can have severe financial and reputational consequences, ISO 27001 certification offers a competitive advantage. It instills confidence in an organization&#8217;s cybersecurity practices, enhances its reputation, and mitigates the costs associated with security incidents.</p>



<p>While achieving ISO 27001 certification may present challenges, the long-term benefits far outweigh the initial investment. By embracing ISO 27001, businesses can not only remain secure but also thrive in an increasingly data-driven and interconnected world.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="has-medium-font-size">At Aykira we consider ISO 27001 a critical element in making a business secure end-to-end; it creates and maintains a security-first mindset within the business. We also consider ISO 27001 a baseline for security: depending upon its security requirements, a business may need additional controls to ensure its security risks are properly managed.</p>



<p class="has-medium-font-size">If you would like to know how we can help you, please get in touch via the contact form on our website and we will be in contact.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Strengthening the Fortress: The Crucial Role of Attack Surface Management in Business</title>
		<link>https://www.aykira.com.au/2023/10/strengthening-the-fortress-the-crucial-role-of-attack-surface-management-in-business/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Tue, 10 Oct 2023 05:15:14 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[techniques]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3421</guid>

					<description><![CDATA[This article delves into the importance of attack surface management, highlighting specific areas that require careful consideration to ensure the security of an organization.]]></description>
										<content:encoded><![CDATA[
<p class="left-line has-medium-font-size">In today&#8217;s digital age, businesses rely heavily on technology to operate efficiently, communicate with customers, and stay competitive. While technology brings numerous benefits, it also exposes organizations to a wide range of cyber threats. It is imperative to understand the significance of attack surface management and its role in safeguarding a business from potential threats. </p>



<p>This article delves into the importance of attack surface management, highlighting specific areas that require careful consideration to ensure the security of an organization.</p>



<h2 class="wp-block-heading">I. Understanding Attack Surface Management</h2>



<p>Attack surface management (ASM) refers to the practice of identifying, monitoring, and reducing an organization&#8217;s attack surface, which encompasses all the potential points of entry that adversaries could exploit to compromise your systems and data. By proactively managing your attack surface, you can significantly enhance your cybersecurity posture and minimize the risk of successful cyberattacks.</p>



<h3 class="wp-block-heading">Why Attack Surface Management Matters</h3>



<ol class="wp-block-list">
<li><strong>Protection Against Evolving Threats</strong></li>
</ol>



<p>Cyber threats are constantly evolving, becoming more sophisticated and adaptable. Attackers look for vulnerabilities to exploit, making it crucial for businesses to stay ahead of potential threats. ASM helps organizations identify and address vulnerabilities before malicious actors can take advantage of them, thereby reducing the risk of data breaches, financial losses, and reputational damage.</p>



<ol class="wp-block-list" start="2">
<li><strong>Regulatory Compliance</strong></li>
</ol>



<p>Compliance with data protection regulations, such as GDPR, HIPAA, or CCPA, is a legal requirement for many businesses. Failure to comply can result in severe fines and legal consequences. ASM aids in maintaining compliance by ensuring that sensitive data remains secure and is not exposed to unauthorized access.</p>



<ol class="wp-block-list" start="3">
<li><strong>Business Continuity</strong></li>
</ol>



<p>A cyberattack can disrupt business operations, causing downtime, loss of revenue, and damage to brand reputation. Effective ASM helps protect your organization&#8217;s critical assets, ensuring business continuity even in the face of cyber threats.</p>



<h2 class="wp-block-heading">II. Key Areas of Focus in Attack Surface Management</h2>



<p>To implement effective attack surface management, senior management should be aware of the specific areas that require careful attention to enhance security. These areas include:</p>



<h3 class="wp-block-heading">A) Network Security</h3>



<ol class="wp-block-list">
<li><strong>Perimeter Security</strong></li>
</ol>



<p>Securing the network perimeter is a fundamental aspect of ASM. Ensure that firewalls, intrusion detection systems, and intrusion prevention systems are in place and regularly updated to safeguard against unauthorized access and cyberattacks. This is often your first line of defence, so it is critical this is performing well.</p>



<ol class="wp-block-list" start="2">
<li><strong>Vulnerability Scanning</strong></li>
</ol>



<p>Regular vulnerability scans are essential to identify weaknesses in the network infrastructure. These scans should be conducted on both internal and external systems to pinpoint potential entry points for attackers.</p>



<h3 class="wp-block-heading">B) Web Application Security</h3>



<ol class="wp-block-list">
<li><strong>Secure Software Development</strong></li>
</ol>



<p>Review the software development process to ensure secure coding practices are followed. Implement secure development methodologies, conduct regular code reviews, and utilize tools for static and dynamic application security testing (SAST and DAST) to detect and rectify vulnerabilities early in the development lifecycle.</p>



<ol class="wp-block-list" start="2">
<li><strong>Web Application Firewall (WAF)</strong></li>
</ol>



<p>Deploy a Web Application Firewall to protect web-facing applications from common attacks like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). Regularly update and configure the WAF to stay protected against emerging threats.</p>



<h3 class="wp-block-heading">C) Endpoint Security</h3>



<ol class="wp-block-list">
<li><strong>Endpoint Detection and Response (EDR)</strong></li>
</ol>



<p>Implement EDR solutions to monitor and respond to threats on endpoints like laptops, desktops, and mobile devices. These tools can provide real-time visibility into suspicious activities and allow for rapid incident response.</p>



<ol class="wp-block-list" start="2">
<li><strong>Patch Management</strong></li>
</ol>



<p>Regularly apply software and system updates to address vulnerabilities and keep endpoints secure. An outdated system or application can be a prime target for attackers. This is especially important when zero-days and other high-impact vulnerabilities appear regularly in operating systems and key business applications.</p>



<h3 class="wp-block-heading">D) Cloud Security</h3>



<ol class="wp-block-list">
<li><strong>Cloud Configuration</strong></li>
</ol>



<p>Ensure that your cloud infrastructure is configured securely, following best practices from cloud service providers. Misconfigured cloud resources can lead to critical data exposure and security breaches. Quite a few major data breaches have been due to simple oversights in how cloud infrastructure is configured.</p>



<ol class="wp-block-list" start="2">
<li><strong>Identity and Access Management (IAM)</strong></li>
</ol>



<p>Implement robust IAM policies and controls to manage user access to cloud services. Limit privileges based on the principle of least privilege (PoLP) to reduce the risk of unauthorized access.</p>



<h3 class="wp-block-heading">E) Employee Training and Awareness</h3>



<p>Human error is a significant factor in cyber incidents. Your attack surface includes the human element, making employee training and awareness an essential component of ASM.</p>



<ol class="wp-block-list">
<li><strong>Security Training</strong></li>
</ol>



<p>Invest in cybersecurity training for employees to raise awareness of security best practices. Educated employees are more likely to recognize and report suspicious activities, reducing the risk of social engineering attacks. This helps share some of the workload in detecting security issues.</p>



<ol class="wp-block-list" start="2">
<li><strong>Phishing Awareness</strong></li>
</ol>



<p>Train employees to recognize phishing attempts and other social engineering tactics used by attackers. Conduct regular phishing simulation exercises to assess and improve the organization&#8217;s readiness.</p>



<h2 class="wp-block-heading">III. The Role of Senior Management</h2>



<p>Senior management play a crucial role in ensuring the success of attack surface management within an organization:</p>



<h3 class="wp-block-heading">A) Leadership and Support</h3>



<ol class="wp-block-list">
<li><strong>Allocate Resources</strong></li>
</ol>



<p>Provide the necessary budget and resources for ASM initiatives. Investing in cybersecurity is an investment in the organization&#8217;s long-term stability and reputation.</p>



<ol class="wp-block-list" start="2">
<li><strong>Set a Security Culture</strong></li>
</ol>



<p>Promote a culture of security throughout the organization, emphasizing its importance and making security a shared responsibility among all employees.</p>



<h3 class="wp-block-heading">B) Risk Management</h3>



<ol class="wp-block-list">
<li><strong>Risk Assessment</strong></li>
</ol>



<p>Conduct regular risk assessments to identify the most critical areas of concern within your attack surface. Prioritize remediation efforts based on the potential impact and likelihood of threats.</p>



<ol class="wp-block-list" start="2">
<li><strong>Incident Response Planning</strong></li>
</ol>



<p>Develop and maintain an incident response plan that outlines the steps to take in the event of a security breach. Test the plan periodically to ensure it is effective.</p>



<h3 class="wp-block-heading">C) Compliance and Governance</h3>



<ol class="wp-block-list">
<li><strong>Regulatory Compliance</strong></li>
</ol>



<p>Stay informed about evolving data protection regulations and ensure that your organization complies with relevant laws and standards. Failure to do so can result in legal repercussions. Compliance might even be a critical requirement to operate in certain business sectors or to supply services to large government agencies.</p>



<ol class="wp-block-list" start="2">
<li><strong>Board Reporting</strong></li>
</ol>



<p>Regularly report on the status of ASM initiatives to the board of directors, keeping them informed of the organization&#8217;s cybersecurity posture and any emerging threats.</p>



<h3 class="wp-block-heading">D) Collaboration</h3>



<ol class="wp-block-list">
<li><strong>Cross-Functional Teams</strong></li>
</ol>



<p>Foster collaboration between IT, security, legal, and other departments. A multidisciplinary approach can help identify and address attack surface vulnerabilities more effectively.</p>



<ol class="wp-block-list" start="2">
<li><strong>External Partnerships</strong></li>
</ol>



<p>Engage with external cybersecurity experts and organizations to gain insights into emerging threats and best practices. Attend industry conferences and forums to stay current.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>In an increasingly digital world, businesses face a growing array of cyber threats that can have severe consequences. Attack surface management is a critical practice for safeguarding your organization&#8217;s assets, data, and reputation. Management must recognize the importance of ASM and actively support its implementation. By focusing on network security, web application security, endpoint security, cloud security, and employee training, and by embracing a leadership role in risk management, compliance, and collaboration, management can play a pivotal role in strengthening the organization&#8217;s cybersecurity posture. In doing so, they can better protect the business from the ever-evolving landscape of cyber threats and ensure its long-term success.</p>



<p>In conclusion, attack surface management is not just a technical concern but a strategic imperative. It is the foundation upon which a resilient and secure organization is built. Management&#8217;s commitment to understanding, investing in, and leading ASM efforts can make all the difference in a world where cyber threats are a constant and evolving challenge. Through their leadership, organizations can forge a path towards a secure and prosperous future in the digital age.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Safeguarding the Foundations: The Crucial Role of Cybersecurity in Real Estate</title>
		<link>https://www.aykira.com.au/2023/10/safeguarding-the-foundations-the-crucial-role-of-cybersecurity-in-real-estate/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Tue, 10 Oct 2023 04:08:47 +0000</pubDate>
				<category><![CDATA[security]]></category>
		<category><![CDATA[websites]]></category>
		<category><![CDATA[australia]]></category>
		<category><![CDATA[real estate]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3419</guid>

					<description><![CDATA[In this article, we will explore why cybersecurity is essential in the real estate sector, the specific threats it faces, and strategies to protect against them.]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">Introduction</h2>



<p class="left-line has-medium-font-size">In an era where digital technologies have revolutionized the way businesses operate, the real estate industry has not remained untouched. The adoption of technology has streamlined processes, improved customer experiences, and expanded the reach of real estate businesses. However, it has also exposed them to new and evolving threats in the form of cyberattacks. The importance of cybersecurity in a real estate business cannot be overstated. </p>



<p>In this article, we will explore why cybersecurity is essential in the real estate sector, the specific threats it faces, and strategies to protect against them.</p>



<h2 class="wp-block-heading">I. The Digital Transformation of Real Estate</h2>



<p>The real estate industry has undergone a significant transformation in recent years, largely driven by technology. Here are some key aspects of this transformation:</p>



<ol class="wp-block-list">
<li><strong>Online Property Listings</strong>: Gone are the days when potential buyers or tenants relied solely on print ads and physical visits to properties. Online listings have become the norm, allowing individuals to explore a wide range of properties from the comfort of their homes.</li>



<li><strong>Data Analytics</strong>: Real estate companies now use data analytics to make informed decisions about property investments, pricing, and market trends. This data-driven approach has become invaluable in the industry.</li>



<li><strong>Virtual Tours and Augmented Reality</strong>: Virtual reality (VR) and augmented reality (AR) have made it possible for potential buyers or renters to take virtual tours of properties. This immersive experience can help clients make quicker and more informed decisions.</li>



<li><strong>Property Management Software</strong>: Real estate firms use property management software to efficiently handle tasks such as rent collection, maintenance scheduling, and tenant communication. These tools improve operational efficiency and customer service.</li>



<li><strong>Online Transactions</strong>: Digital payment systems and electronic signatures have simplified and expedited property transactions. The entire process, from offer to closing, can now be completed online.</li>
</ol>



<h2 class="wp-block-heading">II. Cybersecurity Threats in Real Estate</h2>



<p>As real estate businesses have embraced digital technologies, they have become prime targets for cybercriminals. Here are some of the key cybersecurity threats faced by the industry:</p>



<ol class="wp-block-list">
<li><strong>Data Breaches</strong>: Real estate companies collect and store sensitive information about their clients, including personal and financial data. A data breach can result in the exposure of this confidential information, leading to financial loss and reputational damage. For instance, real estate firm OrangeTee &amp; Tie was <a href="https://www.hcamag.com/asia/news/general/real-estate-firm-fined-for-data-breach-compromising-employee-data/443286" data-type="link" data-id="https://www.hcamag.com/asia/news/general/real-estate-firm-fined-for-data-breach-compromising-employee-data/443286">ordered</a> to pay $37,000 following a data breach at the company that compromised the information of over 250,000 employees and customers.</li>



<li><strong>Phishing Attacks</strong>: Cybercriminals often use phishing emails to trick employees into revealing sensitive information or downloading malware. Real estate professionals, who regularly communicate with clients and partners via email, are susceptible to such attacks. For instance, real estate companies have lost more than $100,000 to <a href="https://www.news.com.au/national/crime/real-estate-scams-prompt-warning-from-antiscam-agency/news-story/2ab80e337ac8a1becc26f933c187162d" data-type="link" data-id="https://www.news.com.au/national/crime/real-estate-scams-prompt-warning-from-antiscam-agency/news-story/2ab80e337ac8a1becc26f933c187162d">phone scammers</a> pretending to be from major banks.</li>



<li><strong>Ransomware</strong>: Ransomware attacks can disrupt business operations by encrypting critical data and demanding a ransom for its release. Real estate companies that rely on digital records and transactions can be severely impacted by such incidents.</li>



<li><strong>Unauthorized Access</strong>: Unauthorized access to databases or property management systems can lead to data manipulation or theft. This can have legal and financial repercussions for both the real estate business and its clients.</li>



<li><strong>Insider Threats</strong>: Employees with access to sensitive information can pose a threat if they misuse their privileges or inadvertently expose the company to risks. Proper access controls and monitoring are essential to mitigate this threat.</li>
</ol>



<p>Such is the threat of cyberattacks to real estate businesses that Real Estate Institute of Australia (REIA) President Hayden Groves <a href="https://www.apimagazine.com.au/news/article/cybercrime-threat-to-real-estate-sector-intensifying" data-type="link" data-id="https://www.apimagazine.com.au/news/article/cybercrime-threat-to-real-estate-sector-intensifying">said</a> the risks for agents not securing their systems were enormous, to quote: “With data breaches occurring frequently, REIA encourages all Australian real estate agencies to continue reviewing their cybersecurity and privacy policies, if they are not already, for their consumers and their own peace of mind”.</p>



<h2 class="wp-block-heading">III. The Consequences of Cybersecurity Incidents</h2>



<p>Understanding the potential consequences of cybersecurity incidents in the real estate industry is crucial to grasp the significance of safeguarding against them:</p>



<ol class="wp-block-list">
<li><strong>Financial Loss</strong>: Cyberattacks can result in substantial financial losses. This includes costs associated with data recovery, legal fees, and regulatory fines. Moreover, the reputational damage may lead to a loss of clients and revenue.</li>



<li><strong>Legal Consequences</strong>: Real estate companies must comply with various data protection regulations, such as the General Data Protection Regulation (GDPR) and the Australian Privacy Act 1988. Failing to protect client data can lead to legal penalties.</li>



<li><strong>Reputational Damage</strong>: Trust is paramount in the real estate industry. A data breach or cyberattack can erode trust among clients and partners, damaging the company&#8217;s reputation.</li>



<li><strong>Disruption of Operations</strong>: Cyberattacks can disrupt business operations, leading to delays in property transactions, client dissatisfaction, and loss of productivity.</li>



<li><strong>Loss of Intellectual Property</strong>: Real estate firms often have proprietary data and strategies. Cyberattacks can result in the theft of valuable intellectual property, giving competitors an unfair advantage.</li>
</ol>



<h2 class="wp-block-heading">IV. Strategies for Cybersecurity in Real Estate</h2>



<p>Given the importance of cybersecurity in the real estate sector, here are some of the strategies that businesses can implement to protect themselves:</p>



<ol class="wp-block-list">
<li><strong>Employee Training</strong>: The first line of defense against cyber threats is a well-informed and vigilant workforce. Regularly train employees on recognizing and responding to phishing attacks and other security threats.</li>



<li><strong>Strong Password Policies</strong>: Implement strong password policies that require employees to use complex passwords and change them regularly. Consider using multi-factor authentication for added security.</li>



<li><strong>Data Encryption</strong>: Encrypt sensitive data both in transit and at rest. This ensures that even if unauthorized access occurs, the data remains unreadable.</li>



<li><strong>Regular Updates and Patch Management</strong>: Keep all software, operating systems, and security solutions up to date. Cybercriminals often exploit known vulnerabilities, so timely patching is essential.</li>



<li><strong>Network Security</strong>: Employ robust firewalls, intrusion detection systems, and antivirus software to protect against external threats. Regularly audit and monitor network traffic for suspicious activity.</li>



<li><strong>Data Backups</strong>: Regularly back up critical data to secure offsite locations. In the event of a ransomware attack or data loss, having backups ensures business continuity.</li>



<li><strong>Incident Response Plan</strong>: Develop and regularly update an incident response plan that outlines the steps to take in the event of a cybersecurity incident. Test this plan through simulated drills.</li>



<li><strong>Vendor Risk Assessment</strong>: Assess the cybersecurity practices of third-party vendors and partners who have access to your data. Ensure they meet your security standards.</li>



<li><strong>Compliance with Regulations</strong>: Stay informed about and comply with relevant data protection regulations. This includes ensuring client consent for data collection and having mechanisms in place for data access requests.</li>



<li><strong>Cybersecurity Insurance</strong>: Consider investing in cybersecurity insurance to mitigate the financial risks associated with cyber incidents.</li>
</ol>



<h2 class="wp-block-heading">Conclusion</h2>



<p>In the digital age, the real estate industry&#8217;s reliance on technology makes it susceptible to cyber threats. The importance of cybersecurity to a real estate business cannot be overstressed, as the consequences of a breach can be severe. Implementing robust cybersecurity measures, along with employee training and compliance with data protection regulations, is essential to safeguarding the foundations of a real estate business. As technology continues to play a pivotal role in the industry&#8217;s growth, cybersecurity must remain a top priority to ensure trust, protect client data, and maintain operational integrity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p class="has-medium-font-size">If you operate a real estate business, Aykira can provide you with expert guidance on how to secure your systems and keep your customers safe. If you are interested in our services, please fill in the form below and we will get back to you.</p>



                <div class='gf_browser_unknown gform_wrapper' id='gform_wrapper_7' ><form method='post' enctype='multipart/form-data'  id='gform_7'  action='/feed/'>
                        <div class='gform_heading'>
                            <h3 class='gform_title'>Contacting Aykira</h3>
                            <span class='gform_description'>If you would like to arrange a call with us then please fill in the form below. We fully respect your privacy and any information given to us we treat as in confidence.</span>
                        </div>
                        <div class='gform_body'><ul id='gform_fields_7' class='gform_fields top_label form_sublabel_below description_below'><li id='field_7_1' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_7_1' >Your Name<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_1' id='input_7_1' type='text' value='' class='medium' maxlength='35' tabindex='1'   aria-required="true" aria-invalid="false" /></div></li><li id='field_7_2' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_7_2' >Your Telephone Number<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_text'><input name='input_2' id='input_7_2' type='text' value='' class='medium' maxlength='14' tabindex='2'   aria-required="true" aria-invalid="false" /></div></li><li id='field_7_3' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label gfield_label_before_complex' for='input_7_3' >Your Email Address<span class='gfield_required'>*</span></label><div class='ginput_complex ginput_container ginput_container_email' id='input_7_3_container'>
                                <span id='input_7_3_1_container' class='ginput_left'>
                                    <input class='' type='email' name='input_3' id='input_7_3' value='' tabindex='3'    aria-required="true" aria-invalid="false"/>
                                    <label for='input_7_3' >Enter Email</label>
                                </span>
                                <span id='input_7_3_2_container' class='ginput_right'>
                                    <input class='' type='email' name='input_3_2' id='input_7_3_2' value='' tabindex='4'   aria-required="true" aria-invalid="false"/>
                                    <label for='input_7_3_2' >Confirm Email</label>
                                </span>
                                <div class='gf_clear gf_clear_complex'></div>
                            </div></li><li id='field_7_4' class='gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label'  >What are you contacting us about?<span class='gfield_required'>*</span></label><div class='ginput_container ginput_container_checkbox'><ul class='gfield_checkbox' id='input_7_4'><li class='gchoice_7_4_1'>
								<input name='input_4.1' type='checkbox'  value='Business Security'  id='choice_7_4_1' tabindex='5'  />
								<label for='choice_7_4_1' id='label_7_4_1'>Business Security</label>
							</li><li class='gchoice_7_4_2'>
								<input name='input_4.2' type='checkbox'  value='Securing Websites'  id='choice_7_4_2' tabindex='6'  />
								<label for='choice_7_4_2' id='label_7_4_2'>Securing Websites</label>
							</li><li class='gchoice_7_4_3'>
								<input name='input_4.3' type='checkbox'  value='Security Training &amp; Mentoring'  id='choice_7_4_3' tabindex='7'  />
								<label for='choice_7_4_3' id='label_7_4_3'>Security Training & Mentoring</label>
							</li><li class='gchoice_7_4_4'>
								<input name='input_4.4' type='checkbox'  value='Software Development'  id='choice_7_4_4' tabindex='8'  />
								<label for='choice_7_4_4' id='label_7_4_4'>Software Development</label>
							</li><li class='gchoice_7_4_5'>
								<input name='input_4.5' type='checkbox'  value='AI Security'  id='choice_7_4_5' tabindex='9'  />
								<label for='choice_7_4_5' id='label_7_4_5'>AI Security</label>
							</li><li class='gchoice_7_4_6'>
								<input name='input_4.6' type='checkbox'  value='Privacy Compliance'  id='choice_7_4_6' tabindex='10'  />
								<label for='choice_7_4_6' id='label_7_4_6'>Privacy, PII and Regulatory Compliance</label>
							</li><li class='gchoice_7_4_7'>
								<input name='input_4.7' type='checkbox'  value='Comment'  id='choice_7_4_7' tabindex='11'  />
								<label for='choice_7_4_7' id='label_7_4_7'>Leaving a Comment or Suggestion</label>
							</li></ul></div><div class='gfield_description'>Feel free to tick multiple entries that apply.</div></li><li id='field_7_5' class='gfield field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label' for='input_7_5' >Your Message</label><div class='ginput_container ginput_container_textarea'><textarea name='input_5' id='input_7_5' class='textarea medium' tabindex='12'    aria-invalid="false"   rows='10' cols='50'></textarea></div><div class='gfield_description'>Please outline what you would like us to do for you, please indicate if you have an idea of budget and have a briefing or outline document for the work you would like done (for instance a systems design document or technical specification).</div></li><li id='field_7_7' class='gfield field_sublabel_below field_description_below gfield_visibility_visible' ><label class='gfield_label'  >File Attachment</label><div class='ginput_container ginput_container_fileupload'><div id='gform_multifile_upload_7_7' data-settings='{&quot;runtimes&quot;:&quot;html5,flash,html4&quot;,&quot;browse_button&quot;:&quot;gform_browse_button_7_7&quot;,&quot;container&quot;:&quot;gform_multifile_upload_7_7&quot;,&quot;drop_element&quot;:&quot;gform_drag_drop_area_7_7&quot;,&quot;filelist&quot;:&quot;gform_preview_7_7&quot;,&quot;unique_names&quot;:true,&quot;file_data_name&quot;:&quot;file&quot;,&quot;url&quot;:&quot;https:\/\/www.aykira.com.au\/?gf_page=a479fbbd6194d7f&quot;,&quot;flash_swf_url&quot;:&quot;https:\/\/www.aykira.com.au\/wp-includes\/js\/plupload\/plupload.flash.swf&quot;,&quot;silverlight_xap_url&quot;:&quot;https:\/\/www.aykira.com.au\/wp-includes\/js\/plupload\/plupload.silverlight.xap&quot;,&quot;filters&quot;:{&quot;mime_types&quot;:[{&quot;title&quot;:&quot;Allowed 
Files&quot;,&quot;extensions&quot;:&quot;txt,pdf,jpg,gif,png&quot;}],&quot;max_file_size&quot;:&quot;2097152b&quot;},&quot;multipart&quot;:true,&quot;urlstream_upload&quot;:false,&quot;multipart_params&quot;:{&quot;form_id&quot;:7,&quot;field_id&quot;:7},&quot;gf_vars&quot;:{&quot;max_files&quot;:&quot;3&quot;,&quot;message_id&quot;:&quot;gform_multifile_messages_7_7&quot;,&quot;disallowed_extensions&quot;:[&quot;php&quot;,&quot;asp&quot;,&quot;aspx&quot;,&quot;cmd&quot;,&quot;csh&quot;,&quot;bat&quot;,&quot;html&quot;,&quot;htm&quot;,&quot;hta&quot;,&quot;jar&quot;,&quot;exe&quot;,&quot;com&quot;,&quot;js&quot;,&quot;lnk&quot;,&quot;htaccess&quot;,&quot;phtml&quot;,&quot;ps1&quot;,&quot;ps2&quot;,&quot;php3&quot;,&quot;php4&quot;,&quot;php5&quot;,&quot;php6&quot;,&quot;py&quot;,&quot;rb&quot;,&quot;tmp&quot;]}}' class='gform_fileupload_multifile'>
</div></div></li></ul></div></form></div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Benefits and Risks to a Business of Using AI Language Models (LLMs)</title>
		<link>https://www.aykira.com.au/2023/10/the-benefits-and-risks-to-a-business-of-using-ai-language-models-llms/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Sun, 08 Oct 2023 03:59:37 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[pii]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[technology]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3417</guid>

					<description><![CDATA[As businesses increasingly embrace LLMs, it's critical to examine the potential benefits and risks associated with their usage.]]></description>
										<content:encoded><![CDATA[
<p class="has-medium-font-size">Artificial Intelligence (AI) has made significant strides recently in transforming various industries, and one of its most noteworthy contributions is the development of AI-Language Models (LLMs). Powerful tools such as GPT-3 can produce human-like text and have found applications in numerous sectors, including content creation, customer support, data analysis, and more. However, as businesses increasingly embrace LLMs, it&#8217;s critical to examine the potential benefits and risks associated with their usage.</p>



<h2 class="wp-block-heading">Benefits of Using AI-Language Models for Businesses</h2>



<ol class="wp-block-list">
<li><strong>Enhanced Efficiency and Productivity</strong></li>
</ol>



<p>AI LLMs can automate a wide range of tasks that would otherwise require human intervention, significantly increasing efficiency and productivity. They can generate content, answer queries, analyze data, and perform other routine tasks quickly and accurately. This allows employees to focus on the more strategic and creative aspects of their work, ultimately driving business growth.</p>



<ol class="wp-block-list" start="2">
<li><strong>Cost Savings</strong></li>
</ol>



<p>By automating tasks and reducing the need for human labor, businesses can experience worthwhile cost savings. Hiring, training, and maintaining a workforce can be expensive, but AI LLMs offer a cost-effective alternative. Once implemented, these systems require minimal ongoing expenses, making them a valuable asset for budget-conscious businesses.</p>



<ol class="wp-block-list" start="3">
<li><strong>Scalability</strong></li>
</ol>



<p>AI LLMs can handle a high volume of tasks simultaneously, making them ideal for businesses that experience fluctuating workloads. Whether it&#8217;s scaling up to handle increased customer inquiries or handling repetitive data analysis, LLMs can adapt to meet business demands without the need for additional manpower.</p>



<ol class="wp-block-list" start="4">
<li><strong>Improved Customer Service</strong></li>
</ol>



<p>AI LLMs can be used to create chatbots and virtual assistants that provide 24/7 customer support. These systems respond to customer inquiries in real time, offering quick and consistent assistance. This not only improves customer satisfaction but also frees up human customer service representatives to handle the more complex issues.</p>



<ol class="wp-block-list" start="5">
<li><strong>Data Analysis and Insights</strong></li>
</ol>



<p>AI LLMs excel at processing and analyzing vast amounts of data to extract valuable insights that can inform business strategies. They can identify trends, patterns, and anomalies in data sets, helping businesses make data-driven decisions and gain a competitive edge in their markets.</p>



<ol class="wp-block-list" start="6">
<li><strong>Personalized Marketing and Content</strong></li>
</ol>



<p>AI LLMs can analyze customer behavior and preferences to create personalized marketing campaigns and content. Such a level of personalization can lead to higher customer engagement and conversion rates, ultimately driving revenue growth.</p>



<ol class="wp-block-list" start="7">
<li><strong>Language Translation and Localization</strong></li>
</ol>



<p>For businesses operating on a global scale, AI LLMs can provide accurate and efficient language translation services, which are invaluable for marketing, customer support, and content localization, enabling businesses to reach a wider audience.</p>



<h2 class="wp-block-heading">Risks Associated with Using AI-Language Models for Businesses</h2>



<ol class="wp-block-list">
<li><strong>Quality and Accuracy Issues</strong></li>
</ol>



<p>While AI LLMs are powerful, they are not infallible. There is a risk of generating content that contains inaccuracies, biases, or misinformation. Businesses must carefully review and verify the output of these models to ensure it fits with their brand values and objectives.</p>



<ol class="wp-block-list" start="2">
<li><strong>Ethical and Bias Concerns</strong></li>
</ol>



<p>AI LLMs learn from vast datasets, which can contain biases. This can result in biased or offensive content generated by the models, which can damage a business&#8217;s reputation and lead to legal issues. Therefore, it is essential for businesses to implement safeguards and ethical guidelines when using LLMs.</p>



<ol class="wp-block-list" start="3">
<li><strong>Data Privacy and Security</strong></li>
</ol>



<p>The use of AI LLMs often involves sharing sensitive data with third-party providers or cloud services. This raises serious data privacy and security concerns, so businesses must ensure that the data shared with these models is adequately protected and handled in compliance with relevant regulations, such as the GDPR.</p>



<ol class="wp-block-list" start="4">
<li><strong>Dependence on Technology</strong></li>
</ol>



<p>Over-reliance on AI LLMs can leave businesses vulnerable to disruption in the event of technical issues or outages. It&#8217;s essential for businesses to have backup plans and human oversight in place to handle situations in which the technology fails.</p>



<ol class="wp-block-list" start="5">
<li><strong>User Experience and Human Touch</strong></li>
</ol>



<p>While AI LLMs can provide efficient customer support, there is a risk of diminishing the human touch in interactions with customers. Some customers may prefer speaking to a human representative for complex or emotionally charged issues, and businesses must find the right balance between automation and human interaction.</p>



<ol class="wp-block-list" start="6">
<li><strong>Intellectual Property Concerns</strong></li>
</ol>



<p>Using AI LLMs to generate content, such as articles or marketing materials, may raise questions about intellectual property rights. It&#8217;s crucial for businesses to clarify ownership and usage rights when utilizing AI-generated content.</p>



<ol class="wp-block-list" start="7">
<li><strong>Regulatory Compliance</strong></li>
</ol>



<p>The use of AI LLMs may be subject to various regulations and industry standards, depending on the sector and location of the business. Ensuring compliance with these regulations can be complex and requires ongoing monitoring and adjustments to AI systems.</p>



<h2 class="wp-block-heading">Conclusion</h2>



<p>AI Language Models offer substantial benefits to businesses in terms of efficiency, cost savings, scalability, and improved customer service. They can automate tasks, provide valuable insights, and enhance personalized marketing efforts. However, businesses must also consider the associated risks, including quality and accuracy issues, ethical concerns, data privacy, and security issues.</p>



<p>Successful implementation of AI LLMs requires a thoughtful approach that includes regular monitoring, ethical guidelines, data privacy measures, and contingency plans. By carefully balancing the benefits and risks, businesses can harness the power of AI LLMs to gain a competitive edge and drive growth while maintaining ethical and legal integrity.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Australian Cyber Security Strategy &#8211; Discussion Paper, Response Template</title>
		<link>https://www.aykira.com.au/2023/02/australian-cyber-security-strategy-discussion-paper-response-template/</link>
		
		<dc:creator><![CDATA[Keith Marlow]]></dc:creator>
		<pubDate>Mon, 27 Feb 2023 21:35:34 +0000</pubDate>
				<category><![CDATA[australia]]></category>
		<guid isPermaLink="false">https://www.aykira.com.au/?p=3384</guid>

					<description><![CDATA[To save people time in having to extract the questions from the PDF here , I have put together a Word document which you can download here. I&#8217;ve done some basic formatting and put in both the priorities and questions, as well as the Appendix A detailed questions; so you can select and answer whatever <a href="https://www.aykira.com.au/2023/02/australian-cyber-security-strategy-discussion-paper-response-template/" rel="nofollow"><span class="sr-only">Read more about Australian Cyber Security Strategy &#8211; Discussion Paper, Response Template</span>[&#8230;]</a>]]></description>
										<content:encoded><![CDATA[
<p>To save people time in having to extract the questions from the PDF <a rel="noreferrer noopener" href="https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf" target="_blank">here</a>, I have put together a Word document which you can download <a href="https://www.aykira.com.au/wp-content/uploads/2023/02/Australian-Cyber-Security-Strategy-Discussion-Paper.docx">here</a>. I&#8217;ve done some basic formatting and put in both the priorities and questions, as well as the Appendix A detailed questions, so you can select and answer whatever you see fit.</p>



<p>Enjoy and happy responding!</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
