Yubico’s top information security recommendations for 2022
January 2022 by Chad Thunberg, CISO of Yubico
1. Zero Trust architecture needs to be a primary initiative for companies
The SolarWinds incident and the recent Log4j vulnerability highlighted that critical internal systems at some companies have permissive access to the internet and untrusted systems, despite decades of advocacy for least privilege and isolation.
Zero Trust security models further the conversation with a fundamental change in how we approach information security. Instead of assuming the internal environment can be trusted, Zero Trust starts with the presumption that the environment is hostile. Trust is established through inspection and strong authentication, but it is ephemeral: trust must be re-established periodically. In theory, this should limit the impact of a successful breach through a smaller window of opportunity and increased isolation. The National Cyber Security Centre has released several blogs outlining the benefits of the Zero Trust model, and there is no doubt that companies will need to implement their recommendations in order to stay secure from increasingly sophisticated and widespread cyberattacks in 2022.
2. Companies must adopt phishing-resistant MFA
Phishing, credential stuffing, and other password-based authentication threats will continue to present a significant risk to companies. Attackers have demonstrated that they are capable of gaining access to internal networks where single-factor authentication and weak MFA are still prevalent. Stolen credentials give attackers a means of persisting in the environment without needing to exploit vulnerabilities or take other actions that would increase the likelihood of detection.
The YubiKey, which supports multiple authentication protocols, can provide a bridge for companies interested in an incremental transition from single-factor authentication and legacy MFA like OTP to modern FIDO-based protocols that are resilient to common attacks like phishing.
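The phishing resistance referred to above comes from two bindings that a relying party verifies on every FIDO/WebAuthn assertion: the origin the browser recorded in clientDataJSON and the rpId hash the authenticator places in authenticatorData. The following is an added example, not code from Yubico or this post, showing those checks in isolation; the relying-party ID, origin and challenge values are constructed, and signature verification is assumed to happen separately.

```python
import base64
import hashlib
import json

# Constructed relying party (assumed values): the origin users are expected to log in from.
RP_ID = "login.example.com"
ALLOWED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str) -> bool:
    """Return True only if the assertion is bound to this relying party.

    1. clientDataJSON.origin is filled in by the browser from the page that called
       navigator.credentials.get(), so a lookalike domain cannot claim the real origin.
    2. The first 32 bytes of authenticatorData are SHA-256(rpId); the authenticator
       signs only for the rpId the browser scoped the request to.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # replayed or attacker-chosen challenge
    if client_data.get("origin") != ALLOWED_ORIGIN:
        return False  # assertion was produced on a different (e.g. phishing) origin
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON, as a browser would build it for the given origin."""
    payload = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash, then flags and a signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"


CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; real challenges are random per request

# Genuine login: origin and rpId both match the relying party.
GENUINE = verify_assertion_binding(make_client_data(ALLOWED_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE)

# A lookalike site relaying the same challenge: the browser records the lookalike origin and the
# authenticator scopes the assertion to the lookalike rpId, so the real relying party rejects it.
PHISHED = verify_assertion_binding(make_client_data("https://login-example.com", CHALLENGE), make_auth_data("login-example.com"), CHALLENGE)
```

An OTP or password, by contrast, carries no origin binding, which is why it can be relayed from a lookalike page and accepted unchanged.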
3. Companies need to get over the fear of the cloud
Some companies and industries continue to see the cloud as a threat, due in large part to the perceived security benefits of maintaining control. Whether that perception is accurate or not, the cloud does offer a robust set of security features and protocols. When used appropriately, many of the threats large organisations are struggling with today, like ransomware and business email compromise, are largely mitigated. The combination of federated identity, strong multi-factor authentication, and cloud-based file storage is powerful for companies large and small. Mutual TLS-based authentication and encryption can usually be enabled with nothing more than a checkbox, with the complexities of Public Key Infrastructure (PKI) managed and automated in the backend. Additional oversight and control are also available to those that are interested in, and mature enough to manage, their own secrets.
Wholesale cloud adoption is not required in order to gain the benefits of federated identity and strong multi-factor authentication. Most modern identity provider offerings support the FIDO protocols, SAML, and OpenID Connect to assist with integrating on- and off-premises applications. A comprehensive list of identity providers that support FIDO2/WebAuthn can be found in Yubico’s Works with YubiKey catalogue.
4. Plan for ransomware
Organisations with traditional perimeter models and legacy infrastructure based on technologies like Active Directory must have a robust response plan in place for a ransomware attack. The plan must consider topics beyond detection and recovery, like insurance coverage, outside counsel, and plans to pay the ransom if recovery fails. Insurance plans may cover only the cost of hiring a third party, and only when an approved vendor is used. There may also be limits to what is covered. We’ve recently seen changes to coverage based on whether the attacker is a nation state or not. Once a plan is in place, it should be tested, especially any backups.
5. Supply chain security requires more care
In 2021, the SolarWinds incident and the log4j vulnerability not only reminded us how fragile our supply chains are but also highlighted that business-critical and highly sensitive systems still have the ability to connect arbitrarily to untrusted systems on the internet. We should remind ourselves that we have a mutual responsibility for ensuring the secure design, development, and operation of technology. Vendor assurance processes littered with non-standard questionnaires cannot, on their own, secure the supply chain.
Companies involved in a supply chain will have to establish mutual trust by implementing good information security practices throughout their development process and being able to demonstrate them externally. Ideally, the entire development process from code commit to release would be secured with strong authentication, robust integrity controls, and least-privilege authorisation models. Companies deploying that technology must follow industry-accepted practices (e.g. Zero Trust) to ensure it stays secure through isolation, patching, and resilient access control models.
The log4j vulnerability also highlighted the importance of securing commonly used and critical open source software. When the software is freely available, who is responsible for its security? We expect to see a return to conversations about a “Cyber UL”, as well as government grants to comply with yet-to-be-defined FAR and DFAR requirements. The recent Open Source security summit may be the precursor to something more formal from the U.S. Government.
Gartner recently predicted that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population. As more laws like GDPR and CCPA are implemented around the world to address the security and privacy of millions of people, the new issue organisations will face is managing multiple data protection laws across jurisdictions. Companies must protect regulated information throughout its lifecycle, not just at the point of entry. While CCPA and GDPR do not impose requirements for authentication, we expect to see increasingly prescriptive requirements as other jurisdictions develop their own.