There’s an expression I’ve used for the past couple of years, starting with my role as founder and CEO at Oort and continuing in my current capacity as Vice President of Product for Identity Security at Cisco: “Why hack in when you can just log in?” That phrase was inspired by a shift in attackers’ behavior towards more phishing and social engineering to take over valid accounts and gain access, rather than rely on network infiltration and endpoint exploits.
I’ve been using that expression a lot these days.
Identity-related threats are on the rise, aided by both attackers’ sophistication and their targets’ flawed defenses. Even recent measures to add layers of security to identity through multifactor authentication (MFA) are falling short as MFA bypass techniques become more prevalent.
That isn’t to say MFA doesn’t play a key role in strengthening cybersecurity postures. It does. And it’s critical it be used properly to minimize exposure. However, like any security control, it needs to be reevaluated as threats advance.
The advancement of session hijacking
Among those advancements is session hijacking, in which attackers essentially intercept session tokens to gain access to systems without breaking MFA or passwords. It’s a problem no matter how good your identity system is because it’s hard to detect, let alone reverse. And it’s a huge pain point for our customers when we talk to them.
You might have awesome password strength and be cryptographically secure using, say, FIDO2 credentials for secure access. Attackers can scrape session tokens out of the browser’s memory and install them on their own device’s browser to be used later to access core critical applications.
This makes it exceptionally difficult for security teams to detect, let alone fully remediate, identity threats. Even if your security team becomes aware of malware scraping tokens on an endpoint, its only way to address the situation is to wipe that device and re-image it. The stolen session tokens remain in the possession of the attacker.
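As an added illustration (not part of the original article and not Cisco product code), the following sketch shows one way a defender might flag a session token that is in use from more than one client, so the session can be revoked server-side instead of relying on re-imaging the endpoint. The event fields, sample data and function name are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds
    user: str
    session_id: str  # opaque identifier of the issued session token
    ip: str
    user_agent: str


# Constructed sample events (not real logs).
EVENTS = [
    Event(1000, "alice", "s-1", "198.51.100.10", "Firefox/126 Windows"),
    Event(1060, "alice", "s-1", "198.51.100.10", "Firefox/126 Windows"),
    Event(1100, "alice", "s-1", "203.0.113.77", "Chrome/125 Linux"),
    Event(1130, "alice", "s-1", "198.51.100.10", "Firefox/126 Windows"),
    Event(2000, "bob", "s-2", "198.51.100.20", "Safari/17 macOS"),
    Event(2500, "bob", "s-2", "198.51.100.21", "Safari/17 macOS"),
]


def find_replayed_sessions(events):
    """Return {session_id: [reasons]} for sessions used by more than one client."""
    baseline_ua = {}  # session_id -> user agent first seen with that session
    ip_path = {}      # session_id -> IPs in order, consecutive repeats collapsed
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):
        # Signal 1: the client software changed mid-session. The user agent is
        # client-supplied, so a match is weak evidence; a mismatch is notable.
        if ev.user_agent != baseline_ua.setdefault(ev.session_id, ev.user_agent):
            findings.setdefault(ev.session_id, set()).add("user_agent_changed")
        # Signal 2: the session returns to an earlier IP after using another,
        # which suggests two clients are active at once. A single IP change
        # (a roaming user, like "bob" above) is not flagged.
        path = ip_path.setdefault(ev.session_id, [])
        if not path or path[-1] != ev.ip:
            if ev.ip in path:
                findings.setdefault(ev.session_id, set()).add("ip_interleaved")
            path.append(ev.ip)
    return {sid: sorted(reasons) for sid, reasons in findings.items()}


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(EVENTS).items():
        print(f"revoke session {sid}: {', '.join(reasons)}")
```

Flagged sessions need to be invalidated at the identity provider or application, because the token stays valid wherever it was copied.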
Session hijacking is just one of the techniques used to bypass MFA. We’ve also long battled man-in-the-middle attacks, SIM swapping and phishing for credentials. More recently, security teams are having to counter MFA flooding, which, as its name suggests, involves spamming someone with notifications, and MFA fatigue, where users become so accustomed to approving notifications that flooding them isn’t even necessary. They see a notification; they press “Allow”. This is becoming a big problem, especially when organizations use simple push notifications as a second factor.
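As an added illustration (not from the original article and not tied to any vendor's log format), this sketch shows how a detection rule might spot MFA flooding in push-notification logs, and escalate when an approval follows a burst of denied or timed-out prompts. The log layout, the threshold and the window are assumed values chosen for the example.

```python
from collections import deque

WINDOW_SECONDS = 600  # assumed tuning value
MAX_UNANSWERED = 4    # assumed tuning value

# Constructed sample push log: (epoch seconds, user, result)
PUSH_LOG = [
    (100, "carol", "approved"),
    (5000, "dave", "denied"),
    (5030, "dave", "timeout"),
    (5055, "dave", "denied"),
    (5080, "dave", "timeout"),
    (5100, "dave", "approved"),  # approval immediately after a burst
    (9000, "erin", "denied"),
    (9900, "erin", "approved"),  # the earlier denial has aged out of the window
]


def detect_push_flooding(log, window=WINDOW_SECONDS, threshold=MAX_UNANSWERED):
    """Return alerts as (user, ts, kind) tuples, in time order."""
    recent = {}  # user -> deque of timestamps of denied/timed-out pushes
    alerts = []
    for ts, user, result in sorted(log):
        q = recent.setdefault(user, deque())
        # Drop unanswered pushes that fall outside the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:  # alert once, when the burst crosses the bar
                alerts.append((user, ts, "flood"))
        elif result == "approved":
            # An approval on the heels of a burst is the higher-severity case:
            # the user may have pressed "Allow" just to stop the prompts.
            if len(q) >= threshold:
                alerts.append((user, ts, "approved_after_flood"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for user, ts, kind in detect_push_flooding(PUSH_LOG):
        print(f"{ts} {user}: {kind}")
```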
MFA fatigue points to one of the biggest challenges of any security control that involves direct action by users: friction. End users who become frustrated by the inconvenience of additional steps to authenticate can develop habits and workarounds that undermine the security benefits of MFA.
That is not to say MFA doesn’t serve an important role in identity. As part of a defense-in-depth strategy, it significantly reduces the risks of a credential compromise. But MFA works best when used in conjunction with other solutions, including those tied to Zero Trust principles.
The rub with Zero Trust
Zero Trust saw a surge of interest and practice at the onset of the pandemic, when everyone began working from home … or any place with WiFi. Zero Trust made it easier for verified remote devices to gain access to applications, no matter where they were or what network they might be using. In that way, Zero Trust was seen as a productivity boon once a device passed initial vetting.
But security teams sometimes rushed their rollouts, then threw out traditional controls. Zero Trust in its purest form does provide a high level of protection, but most organizations modify recommendations to meet their users’ needs. Yet, if restrictions are watered down to reduce user friction, those looser practices may also undermine Zero Trust’s purpose.
Baggage and technical debt
Another headache for identity professionals is the fact that most organizations don’t move cleanly from one identity solution to the next. Identity moves fast, and yesterday’s solutions may be of limited use today. Organizations gather technical debt, including solutions around identity. They may begin using CA and Active Directory before switching to federation services and then to an Okta platform before finally settling on Microsoft Entra – all within the span of 15 to 20 years. There’s also the technology baggage that accompanies a merger or acquisition when identity solutions differ between two conjoining companies.
Add in a high volume of onboarding and expeditious offboarding during the transition, and identity finds itself unable to keep up with demand, leaving room for an insider or outside force to surreptitiously weaken security defenses.
Building a more identity-centric security strategy
Identity needs to be foremost in any security strategy since we’ve ample evidence it remains a frequent target. Most breaches today originate with identity through human error, social engineering or phishing. Solutions providers like Cisco are offering cybersecurity tools that bring together the worlds of identity, networking and security to detect and prevent these identity threats.
Solutions like Cisco Duo, Cisco Identity Intelligence, and Cisco Secure Access can minimize exposure. Cisco Duo protects access to applications and data with strong multi-factor authentication, while Cisco Secure Access emphasizes secure remote connectivity to prevent unsanctioned users from gaining access. Additionally, Cisco Identity Intelligence uses AI to analyze user behavior and identity data to proactively clean up vulnerable identities and to detect identity-based security threats.
Most organizations use a variety of solutions collected over the years that now reside in the cloud, on premises or in hybrid environments. That’s why a platform approach is so important. It also needs to be easy to deploy and easy for end users to manage.
Identity isn’t just the new perimeter, as we like to say. It’s the only perimeter standing between attackers and the assets we’re all charged with protecting. It’s time we developed a more identity-centric strategy that reflects that reality.