Burwood Group


Learning from Security Lapses- Lessons for a More Robust Defense

The news is filled with security lessons in the form of cautionary tales. Organizations must use these learning opportunities to improve their security posture and stay ahead of evolving threats. Our security experts have extracted two vital lessons to keep you current and secure.

Security Lesson: Reduce Vendor Risk

Vendor risk management (VRM) is a critical function of modern business operations, especially in a world where organizations rely on an ecosystem of suppliers, vendors, and third-party partners. 

The Security Situation 

On Dec. 11, 2021, Kronos, a workforce management company that provides services to over 40 million people in over 100 countries, realized its Kronos Private Cloud had been compromised by a ransomware attack. The attack didn't just affect Kronos; it severely disrupted many businesses that relied on Kronos software for timekeeping and payroll.

The Lesson 

As much as an organization can have its own act together, your company is still at risk if you rely on a vendor that has security gaps. Protecting your organization from a ransomware attack like the one that hit Kronos means going beyond protecting your own environment from malware. The COVID-19 pandemic, alongside the surge of ransomware attacks during that time, highlighted the importance of assessing and mitigating supply chain risks. VRM played a crucial role in identifying vulnerabilities in supply chains and finding alternative suppliers.

What You Can Do

  • Identify and prioritize vendors based on risk

  • Analyze the risk posed by each vendor

  • Monitor continuously

  • Establish contingency plans based on “Cybersecurity What If” scenarios

  • Test, validate, and continuously evaluate the “What If” scenarios

Security Lesson: Secure Accounts Vs. Forgetful Humans 

Two-factor and Passwordless authentication are becoming the new standard for preventing unauthorized access to front-line and critical business systems.

The Situation

Many organizations continue to require their users to change their passwords at a set interval. While this practice was once hailed as the best defense for keeping unauthorized users out, even Microsoft has dropped the requirement from its Windows 10 security baseline documents (published 5/23/2019), because continually having to create new secure passwords often leads to employees writing down or storing those passwords insecurely. In 2020, Marriott had 5.2 million guest details stolen by hackers who obtained two employees’ login credentials.

The Security Lesson 

Two-factor and Passwordless authentication are the keys to allowing users to set and commit a secure and unique password to memory while still maintaining account security. 

Two-factor authentication requires the user to prove who they are by providing a secondary factor; a six-digit code from an app or text message, or pressing “#” during a voice call to a known phone number, are a few examples of this at work. Even if an attacker were to gain access to the password, they wouldn’t have access to the secondary factor and thus couldn’t breach the account.

Going above and beyond means enabling Passwordless authentication using hardware tokens. A token such as a FIDO2 key can be thought of as both the password and the secondary factor of authentication. This provides even stronger security, because the user must be in physical possession of a device that cannot be duplicated.

What You Can Do

There are safer and more effective ways to keep accounts secure than rotating passwords. By providing a secondary factor of authentication or allowing Passwordless login, you make it much less likely that employees will need to write down passwords or fall back on easy-to-guess ones.


Recommendations for Further Research: 

  • Ensure that your environment meets or exceeds Microsoft’s security baseline.

  • Use the Microsoft Authenticator application as a secondary form of authentication when using Azure AD single sign-on.

  • If your environment supports Passwordless, consider migrating to Passwordless authentication by performing small rollouts with FIDO2-based tokens.

  • Shared Assessments: Shared Assessments is a trusted industry standard body that provides tools, best practices, and resources for managing third-party risk. Their website offers whitepapers, webinars, and assessments. 

  • SANS Institute: SANS offers specialized training in various aspects of information security, including vendor risk management. 

  • Check websites of regulatory authorities like the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the European Data Protection Board (EDPB) for guidance on vendor risk management within the context of regulations. 


October 3, 2023

Thomas Bergman (Sr. Consultant)