Security at the Edge Needs More Attention
More cybersecurity tools and workforce training are a must as threats and technology continue to evolve. But even then, security holes persist.
Organizations continue to fortify their cybersecurity posture with new technologies and greater amounts of employee training, but breaches continue to happen, often due to human error. While the need for endpoint security is clear, that’s only part of the puzzle.
In fact, CISOs say that people are one of the biggest cybersecurity challenges. Inadvertent mistakes, lack of cybersecurity knowledge, faulty configurations and momentary lapses cause cybersecurity incidents that could have been prevented or minimized.
For example, shadow IT is still common because users like the convenience of cloud storage services and SaaS apps, but those solutions can have a negative effect on the organization’s security posture. Similarly, organizations are migrating to cloud platforms for convenience.
“I think we need to keep in mind that convenience doesn't always equate to security,” says Steve Cobb, CISO at cybersecurity ratings, response and resilience company SecurityScorecard. “I think we need to be very cognizant of the security principles that come into play in a cloud environment. Things like role-based access, least privilege, allowing people in the organization the ability to do things that may present risk to us, like creating a computer, a server and exposing it to the internet, adding services that are publicly exposed, or creating a storage bucket that we put that in that's exposed to everyone on the internet by default.”
Achieving that requires an understanding of security principles in a cloud environment and the virtual interconnects among platforms.
“Because the underlays of the infrastructure of these cloud programs is not something we manage as the consumer, we also get into the aspect that we really don't know the ins and outs of that platform. And sometimes making one decision and one configuration could have consequences that we didn't think about, or maybe we didn't even know about,” says Cobb. “An organization really needs to have someone that has a lot of experience from a security architecture standpoint.”
Theo Brazil, CISO and operations director at cybersecurity firm Asper, warns that while many organizations allocate significant budgets to tech solutions, a lack of user awareness can undermine even the most advanced defenses.
“[These security holes] are challenging because they involve both technical limitations and human behavior, requiring a combination of advanced technological solutions -- like automation, AI for anomaly detection, and zero-trust architectures -- and improved governance, training and procedural oversight to mitigate effectively,” says Brazil in an email interview.
CISOs should verify that the tools they acquire and use do what they claim to do, or they may be in for surprises.
Meanwhile, data and IP are at risk because it’s so easy to sign up for and use third-party cloud services and SaaS that average users may not associate their data usage with organizational risk.
“Users submitting spreadsheet formula problems to online help forms may inadvertently be sharing corporate data. People running grammar checking tools on emails or documents may be doing the same,” says Roger Grimes, data-driven defense evangelist at security awareness training and simulated phishing platform KnowBe4 in an email interview. “It's far too easy for someone using an AI-enabled tool to not realize they are inadvertently leaking confidential information outside their organizational environment.”
What, exactly, can bad actors see? CISOs want to know, so they’re building internal relationships that give them visibility into potential security issues and using asset management platforms to understand the scope of assets they need to protect.
“[Y]ou have to have that outside look. What is it that potential adversaries or attackers can see in my organization's environment, and hopefully I can pick up on things before they can,” says Jonathan Fowler, chief information security officer at legal technology solutions and enterprise legal services provider Consilio. “If I can do that, I can start to plug some of those holes before they see it, and start using it to try and come in.”
Know What You Have
It’s important for CISOs to have knowledge of and visibility into every asset in their company’s tech stack, though some CISOs see room for improvement.
“You spend a lot of time and money on people, processes and technology to develop a layered security approach and defense in depth, and that doesn't work if you don't know you have something to defend there,” says Fowler. “I continually hear it at conferences, ‘We struggle as security practitioners with having an accurate inventory of our environments.’ And it's not a malicious activity.”
The problem is one of distraction: The business is operating at light speed and going in so many different directions that holes in the perimeter or environment may be overlooked.
“[W]e spend a lot of money as an industry on platforms that will scan your entire environment and it will tell you everything that's there, making sure you don't miss a thing. Rest easy,” says Fowler. “Well, that's great, but there's a whole business group that I didn't even know existed to tell you to scan or to put an agent on. It's frustrating at times, and I think one of the ways you can help buttress it, [is having] good technology in place [and] good business relationships.”
But CISOs don’t have the visibility they need, according to SecurityScorecard’s Cobb.
“[W]e need visibility across those platforms so we can see everything that's potentially out there and at risk. I don't know of any tools that do a great job of that right now. They're getting better, and I think we're maturing from a cloud security tool standpoint, but there's still some gaps there for techniques,” says Cobb. “I think techniques are really key for us to understand how an attacker thinks when they land in a cloud environment, to understand what it is we need to secure and protect.”
Zero Trust Isn’t a Silver Bullet
Zero trust is vital, but its efficacy varies greatly. Some vendors position products as zero trust when they’re really a firewall or VPN. Worse, not everyone has the same definition of “zero trust.”
“[W]hen you look at breach reports, and if you go back and look at incidents again, you have a lot of companies that have checked all the boxes, and they're living in a zero-trust network, but they really didn't implement all the capabilities of what we think about as zero trust, and therefore there were gaps,” says SecurityScorecard’s Cobb.
Account recovery is a challenge because end users want convenience, and convenience is often at odds with security. Aaron Painter, CEO at identity verification company Nametag, says helpdesk and customer service departments are problematic because companies overlook backdoor multifactor authentication (MFA) resets and place too much trust in existing tools and processes.
“CISOs put their trust in security questions, customer service supervisor oversight, and using Zoom calls for visual verification to prevent helpdesk social engineering attacks. This is a gaping security hole that continues to be exploited by bad actors daily,” says Painter in an email interview. “Our CISOs are getting pressure from the CEO, the board, the FBI, the Department of Health all offering much needed, but often short-sighted guidance to defend against these sophisticated cyberattacks. Nothing is foolproof. As long as we keep believing in the myth that MFA is 100% secure, we leave our companies, and our bank accounts, wide open for bad actors to exploit during the account reset process.”
CISOs should implement advanced technologies that incorporate AI, mobile cryptography, machine learning, and advanced biometric recognition because they will serve as crucial support tools for IT helpdesks and customer services agents, enhancing their ability to safeguard against fraud and prevent impersonators from being authenticated in the first place.
Bottom Line
Interdepartmental communication and the plethora of tools available help organizations protect themselves from cyberattacks, but nothing is 100% effective, people are easy to deceive, and bad actors are becoming more sophisticated.
“Many breaches come down to the fact that a user’s credentials were compromised. The attacker didn’t have to hack anything, they just logged in because they had the credentials,” says SecurityScorecard’s Cobb. “You can be sure you have some user that chooses the same password for Netflix as they do for the corporate VPN.”