Roger Grimes on why multifactor authentication isn’t a panacea:
The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in. When the VP was asked why he approved logins for logins he was not actually doing, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”
And there you have it in a nutshell. The VP did not understand the importance (“the WHY”) of why it was so important to ONLY approve logins that they were participating in. Perhaps they were told this. But there is a good chance that IT, when implementinthe new push-based MFA, instructed them as to what they needed to do to successfully log in, but failed to mention what they needed to do when they were not logging in if the same message arrived. Most likely, IT assumed that anyone would naturally understand that it also meant not approving unexpected, unexplained logins. Did the end user get trained as to what to do when an unexpected login arrived? Were they told to click on “Deny” and to contact IT Help Desk to report the active intrusion?
Or was the person told the correct instructions for both approving and denying and it just did not take? We all have busy lives. We all have too much to do. Perhaps the importance of the last part of the instructions just did not sink in. We can think we hear and not really hear. We can hear and still not care.
Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security. While originally proposed as fully unified architecture delivering network and security capabilities, the reality soon dawned that enterprise transition to a complete SASE model would be a decade long journey due to factors such as existing investments, operational silos (customer), and vendor consolidation. Consequently, Gartner introduced a new two-vendor approach to SASE that brought together a highly converged WAN Edge Infrastructure platform alongside a highly converged security platform – known as Security Service Edge (SSE).
Figure 1: SASE convergence.
SSE brings together Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) to secure access to the web, cloud services, and private applications, resulting in reduced risk, cost and complexity. McAfee Enterprise has long been a proponent of this approach: we embarked on a project to build the industry’s best SASE security solution over three years ago, introduced our MVISION Unified Cloud Edge solution in early 2020, and have since continued to innovate and set the standard for the Security Service Edge space.
How Did We Get Here?
The fundamental problem that SSE sets out to solve is that enterprises must adequately secure their personnel and their data. This became increasingly difficult as digital transformation spurred widespread cloud adoption and empowered remote and mobile workers. Just a few short years ago we would talk about remote access for short periods of time due to travel, and typically for a small proportion of the workforce. Today we speak in the context of COVID-19 and a vast, permanent “Work From Anywhere” (WFA) cultural shift. Supporting this shift is an accelerated migration into the cloud, where the vast majority of workloads and applications will soon reside.
All of this has taken down the walls that formed the perimeter we relied on heavily in the past. Today our people and our data are outside of that perimeter but inside of cloud applications. Cloud applications run from many locations, sometimes around the globe. Yet our objectives must remain the same. We still must secure our people, we must secure our devices, and we must secure our data on any device, at any time, using any service.
Secure web gateways were one of the gatekeepers to the old perimeter, fundamentally appliances that existed at the border of a network. Cloud access security brokers (CASB) were fundamentally built to secure the inside of cloud services. Virtual Private Networks (VPNs) enabled you to securely interconnect offices and remote users onto a single network. Managing these technologies separately became increasingly problematic as the boundaries between networks, the web, and the cloud began to blur. Organizational policies and compliance requirements must be translated to the administrative setup of a specific vendor’s management consoles. At first pass, this results in more errors in the implementation of these policies. Maintenance is difficult as policy changes must be rolled out and implemented within multiple vendor management interfaces. And when you position these traditional technologies against the problem statement of a “perimeterless” world, they fail. The logical answer to these problems is to converge these technologies together and bring them to the cloud.
The Power of Unification
For more than 3 years, McAfee Enterprise has invested deeply into a unified policy framework. We’ve unified threat engines, data engines. We’ve built a unified user experience and unified administrative experience to deliver against that promise of cloud native security.
A closely integrated SSE infrastructure can address the management challenges of setting up policies in multiple vendor management interfaces by deeply integrating security controls to reduce overhead, complexity, and cost, while increasing performance. But looking at the competitive landscape, this has proven to be easier said than done. Many fall short with it comes to securing data within the cloud, but McAfee Enterprise’s industry-leading Multi-Vector Data Protection capabilities make it incredibly easy to keep data safe no matter where it resides, with unified data classification, policy enforcement, and incident management.
Figure 2: McAfee Enterprise Multi-Vector Data Protection.
Other vendors grew up in the cloud but fall short when it comes to connecting to the private resources all large enterprises still use today. Some vendors are attempting to build-out the entire SSE product set from scratch, perhaps as part of a larger SASE offering. Most of the functions present baseline functional capability and the considerable instability of a complex and very new product.
The McAfee Enterprise Security Service Edge Vision
McAfee Enterprise has planned and executed a strategy for several years that takes MVISION Unified Cloud Edge’s complete set of SSE converged security services and then tie them closely to other highly integrated network services such as those offered by SD-WAN vendors to implement SASE. This approach enables most large enterprises the ability to leverage the majority of the technology partners they have to pull a SASE architecture together using much of the technology infrastructure they already have in place.
Figure 3: Enable secure access to web, cloud, and private apps with MVISION Unified Cloud Edge.
The increased efficiency of an integrated environment reduces the investment in administration, enhances the precision of policy enforcement, and improves the speed with which security control processes can be applied to data and activity in one single pass, improving security efficiency and efficacy. This earlier published blog demonstrates how our integration of Remote Browser Isolation (RBI) greatly improves security protection in a seamless, cost-effective manner.
Figure 4: MVISION Unified Cloud Edge threat protection stack with integrated Remote Browser Isolation.
The convergence and integration of cloud security technologies such as SWG, CASB, ZTNA, DLP, RBI and FWaaS substantially enhance operations, reduce cost, minimize errors, and enable more precise enforcement of organizational policy and management. Expenses are lower as experts in the administration and management of separate security controls are no longer required.
In conclusion, McAfee Enterprise has delivered the best and most rapid path to a comprehensive integrated SSE offering available in the market. Our Unified Cloud Edge (UCE) architecture completes that vision of unified and completely integrated policy management today. MVISION UCE is the security fabric that delivers data and threat protection to any location so you can enable fast and secure direct-to-internet access for your distributed workforce. This results in a transformation to a cloud-delivered SSE that converges with connectivity to reduce cost and complexity while increasing the speed and flexibility of your workforce.
The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blogs.
In the hands of a thief, your Social Security Number is the master key to your identity.
With a Social Security Number (SSN), a thief can unlock everything from credit history and credit line to tax refunds and medical care. In extreme cases, thieves can use it to impersonate others. So, if you suspect your number is lost or stolen, it’s important to report identity theft to Social Security right away.
Part of what makes an SSN so powerful in identity theft is that there’s only one like it. Unlike a compromised credit card, you can’t hop on the phone and get a replacement. No question, the theft of your SSN has serious implications. If you suspect it, report it. So, let’s take a look at how it can happen and how you can report identity theft to Social Security if it does.
Can I change my Social Security number?
Yes. Sort of. The Social Security Administration can assign a new SSN in a limited number of cases. However, per the SSA, “When we assign a different Social Security number, we do not destroy the original number. We cross-refer the new number with the original number to make sure the person receives credit for all earnings under both numbers.”
In other words, your SSN is effectively forever, which means if it’s stolen, you’re still faced with clearing up any of the malicious activity associated with the theft potentially for quite some time. That’s yet another reason why the protection of your SSN deserves particular attention.
How does Social Security identity theft happen?
There are several ways an SSN can end up with a thief. Some involve physical theft, and others can take the digital route. To what extent are SSNs at risk? Notably, there was the Equifax breach of 2017, which exposed some 147 million SSNs. Yet just because an SSN has been potentially exposed does not mean that an identity crime has been committed with it.
So, let’s start with the basics: how do SSNs get stolen or exposed?
- A lost or misplaced wallet is one way, where you actually lose your SSN card or someone steals it. This is one reason to avoid carrying it on your person unless absolutely necessary. Otherwise, keep it stored in a safe and secure location until you need it, like when starting a new job.
- Old-fashioned dumpster diving is another, where someone will rummage through your trash, the trash of a business, or even a public dump in search for personal information, which is why it’s important to shred any documents that have personal information listed.
- People can simply overhear you provide your number when you’re on a call or over the course of an in-person conversation. In our digital age, we may not think of eavesdropping as much of a threat, but it still very much is. That’s why we strongly recommend providing such info in a secure, private location out of earshot.
- SSNs can get stolen from a place of work, where thieves end up with unsecured documents or information. The same could go for your home, which is another reason to secure your physical SSN cards and any information – physical or digital – that contains them.
- Phishing attacks can also lead to SSN theft, whether that’s through an attack aimed at you or at a business that has access to your personal information like SSNs.
- Data leaks, like the Equifax leak mentioned above, are another way. Yet while the Equifax breach involved millions of records, smaller breaches can expose SSNs just as readily, like the breaches that have plagued many healthcare providers and hospitals over the past year.
That’s quite the list. Broadly speaking, the examples above give good reasons for keeping your SSN as private and secure as possible. With that, it’s helpful to know that there are only a handful of situations where your SSN is required for legitimate purposes, which can help you can make decisions about how and when to give it out. The list of required cases is relatively short, such as:
- When applying for credit or a loan.
- Applying for or changing group health care coverage with an insurance provider.
- Transactions that require IRS notification, like working with investment firms, real estate purchases, auto purchases, etc.
- Registering with a business as a full-time or contract employee (for tax reporting purposes).
You’ll notice that places like doctor’s offices and other businesses are not listed here, though they’ll often request an SSN for identification purposes. While there’s no law preventing them from asking you for that information, they may refuse to work with you if you do not provide that info. In such cases, ask what the SSN would be used for and if there is another form of identification that they can use instead. In all, your SSN is uniquely yours, so be extremely cautious in order to minimize its potential exposure to theft.
How to report identity theft to Social Security in three steps
Let’s say you spot something unusual on your credit report or get a notification that someone has filed a tax return on your behalf without your knowledge. These are possible signs that your identity, if not your SSN, is in jeopardy, which means it’s time to act right away using the steps below:
1. Report the theft to local and federal authorities.
File a police report and a Federal Trade Commission (FTC) Identity Theft Report. This will help in case someone uses your Social Security number to commit fraud, since it will provide a legal record of the theft. The FTC can also assist by guiding you through the identity theft recovery process as well. Their site really is an excellent resource.
2. Contact the businesses involved.
Get in touch with the fraud department at each of the businesses where you suspect theft has taken place, let them know of your situation, and follow the steps they provide. With your police and FTC reports, you will already have a couple of vital pieces of information that can help you clear your name.
3. Reach the Social Security Administration and the IRS.
Check your Social Security account to see if someone has gotten a job and used your SSN for employment purposes. Reviewing earnings associated with your SSN can uncover fraudulent use. You can also contact the Social Security Fraud Hotline at (800) 269-0271 or reach out to your local SSA office for further, ongoing assistance. Likewise, contact the Internal Revenue Service at (800) 908-4490 to report the theft and help prevent someone from submitting a tax return in your name.
What do I do next? Ongoing steps to take.
As we’ve talked about in some of my other blog posts, identity theft can be a long-term problem where follow-up instances of theft can crop up over time. However, there are a few steps you can take to minimize the damage and ensure it doesn’t happen again. I cover several of those steps in detail in this blog here, yet let’s take a look at a few of the top items as they relate to SSN theft:
Consider placing a fraud alert.
By placing a fraud alert, you can make it harder for thieves to open accounts in your name. Place it with one of the three major credit bureaus (Experian, TransUnion, Equifax), and they will notify the other two. During the year-long fraud alert period, it will require businesses to verify your identity before issuing new credit in your name.
Look into an all-out credit freeze.
A full credit freeze is in place until you lift it and will prohibit creditors from pulling your credit report altogether. This can help stop thieves dead in their tracks since approving credit requires pulling a report. However, this applies to legitimate inquires, including any that you make, like opening a new loan or signing up for a credit card. If that’s the case, you’ll need to take extra steps as directed by the particular institution or lender. Unlike the fraud alert, you’ll need to notify each of the three major credit bureaus (Experian, TransUnion, Equifax) when you want the freeze lifted.
Monitor your credit reports.
Once every 12 months, you can access a free credit report from Experian, TransUnion, and Equifax. (And as of this writing during the pandemic, this can be done for free on a weekly basis, which is great news.) Doing so will allow you to spot any future discrepancies and offer you options for correcting them.
Sign up for an identity protection service.
Using a service to help protect your identity can monitor several types of personally identifiable information and alert you of potentially unauthorized use. Our own Identity Protection Service will do all this and more, like offering guided help to neutralize threats and prevent theft from happening again. You can set it up on your computers and smartphone to stay in the know, address issues immediately, and keep your identity secured.
Your most unique identifier calls for extra care and protection
Of all the forms of identity theft, the theft of a Social Security Number is certainly one of the most potentially painful because it can unlock so many vital aspects of your life. It’s uniquely you, even more than your name alone – at least in the eyes of creditors, banks, insurance companies, criminal records, etc. Your SSN calls for extra protection, and if you have any concerns that it may have been lost or stolen, don’t hesitate to spring into action.
Space ISAC and NY InfraGard to Collaborate on Cybersecurity in Space
The Space Information Sharing and Analysis Center (Space ISAC) and the New York Metro InfraGard Members Alliance (NYM-IMA) have agreed to work together to advance the mission of cybersecurity in space.
A Memorandum of Understanding (MOU) enabling collaboration between the two organizations was signed earlier this month. In a statement released to announce the news, the organizations said that the aim of the partnership was to promote broad-based participation by members of both organizations.
This participation will take the form of enhanced educational initiatives, training of both users and operators, and intelligence-sharing activities in the space domain.
Space ISAC serves to facilitate collaboration across the global space industry. The organization defines its mission as “to enhance the ability to prepare for and respond to vulnerabilities, incidents, and threats; to disseminate timely and actionable information among member entities; and to be the primary communications channel for the space sector with respect to this information.”
To date, Space ISAC has teamed up with a broad range of organizations that spans the entire horizon of the space industry. Collaborations have been set up with organizations in space missions, education and research, space business systems, launch, space systems engineering, payload design, space vehicles, cybersecurity, space communications, intelligence, cloud, the space supply chain, data processing, and more.
“We are delighted to collaborate with the NY Metro InfraGard Members Alliance as a partner in our global space community,” said Erin Miller, Space ISAC executive director.
“We can work together to increase security and resilience in the space sector and anticipate this collaboration will assist with long-term space security.”
Non-profit organization InfraGard is a proactive collaboration between the FBI and the private sector for the protection of United States critical infrastructure.
“All the Critical Infrastructure sectors are reliant upon the services within space, such as the Global Positioning System (GPS), modern communication networks, and satellite technologies,” said Jennifer Gold, vice president and IT sector chief of NY Metro InfraGard. “The data collected and transmitted in space informs all sectors.
“In the best interest of our nation, we must secure the vulnerable technology in space to defend against the most consequential cyber-threats.”
Data Breach Could Cost Missouri $50M
A data breach that may have exposed the Social Security numbers of tens of thousands of teachers, administrators, and counselors across Missouri could end up costing the Show-Me State $50m.
The security incident was caused by a flaw in a search tool on a website maintained by the state’s Department of Elementary and Secondary Education.
A reporter at the St. Louis Post-Dispatch discovered the vulnerability. The newspaper said that while no private information was clearly visible or searchable, teachers’ Social Security numbers were contained in the HTML source code of certain web pages.
After being notified of the data breach on October 12, the department removed the page that included the search tool.
Department spokeswoman Mallory McGowin said: “We have worked with our data team and the Office of Administration Information Technology Services Division to get that search tool pulled down immediately, so we can dig into the situation and learn more about what has happened.”
The newspaper estimated that more than 100,000 Social Security numbers were made vulnerable by the flaw. However, the Missouri Commissioner’s Office, in a statement released October 12, said that the personally identifiable information of only three Missouri educators was potentially compromised.
Shaji Khan, a cybersecurity professor at the University of Missouri–St. Louis, described the vulnerability as “a serious flaw” that the cybersecurity industry has known about “for at least 10–12 years, if not more.”
“The fact that this type of vulnerability is still present in the DESE web application is mind boggling!” wrote Khan in an email to the Post-Dispatch.
“Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them,” said Parson.
News of how much money it might take to recover from the breach was announced by the governor’s office. The $50m estimate includes the cost of credit monitoring for breach victims and the creation of a call center to handle related inquiries.