Recommendations of Yubico on information security in 2022

Alexander Koch, VP Sales EMEA

In 2021, we experienced an increasing number of spectacular security breaches, which often resulted in devastating ransomware attacks. The attackers continued to target supply chains, but also targeted traditionally softer targets such as hospitals, schools and local governments. And although the underlying causes of these cyberattacks were diverse, all attacks benefited from one-factor authentication or weak multi-factor authentication (e.g. OTP) and unprotected secrets (e.g. SAML signature keys).

For 2022, Chad Thunberg, CISO of Yubico, expects a further increase in ransom extortion attacks, due in large part to the successes that ransomware groups achieved in 2021. In addition, it can be assumed that governments will rely even more on regulation to promote more mature IT security practices and principles in vulnerable sectors.

Here are the main recommendations of Yubico on information security in 2022:

Companies should strive for a zero trust architecture

The SolarWinds hack and the recent vulnerability in Log4j have demonstrated all too clearly that, in some companies, critical internal systems have unrestricted access to the Internet and to untrusted systems, despite the fact that the principle of least privilege and isolation have been advocated for decades.

Zero trust security models open up new perspectives, but require a fundamentally changed approach to information security. Instead of simply assuming that the internal IT environment can be trusted, Zero Trust assumes that the environment is hostile. Trust is guaranteed by verification and strong authentication, but it is short-lived and therefore has to be re-established again and again. This, according to the theory, should limit the impact of a successful security breach, as the time window is reduced and the systems are better isolated.

Phishing-resistant multi-factor authentication is essential

Phishing, credential stuffing and other threats related to password-based authentication will remain a significant risk for companies. Attackers have proven that they can gain access to internal networks where single-factor authentication and weak MFA are still widely used. Stolen credentials let an attacker establish a foothold in an environment without having to exploit vulnerabilities or perform other actions that would increase the likelihood of detection.

The YubiKey, which supports multiple authentication protocols, can serve as a bridge for companies if they want to gradually switch from one-factor authentication and older MFA methods such as OTP to modern, FIDO-based protocols that are resistant to common attacks such as phishing.
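The phishing resistance the text attributes to FIDO-based protocols comes from a concrete mechanism: the browser records the page origin in the client data and derives the relying-party ID from it, and the security key signs over both, so a server can reject an assertion produced on any other site. The following Go program is an added, simplified illustration of that server-side check (it is not Yubico's code nor a WebAuthn library); the hostnames, challenge strings and the toy in-memory authenticator are constructed for the example, and the CBOR encoding, counters and attestation of real WebAuthn are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData mirrors the WebAuthn CollectedClientData fields used here. The
// browser fills in Origin from the page it is really on; the user cannot
// change it, and that binding is what defeats look-alike phishing sites.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified authentication response: as in WebAuthn, the
// signature covers authenticatorData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator is a toy security key holding a single P-256 credential.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// signedMessage rebuilds the digest that both sides sign and verify.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := append(append(make([]byte, 0, len(authData)+32), authData...), cdHash[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign produces an assertion. rpID and origin are what the browser observed
// on the current page; authData starts with SHA-256(rpID) plus a flags byte.
func (a *Authenticator) Sign(rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the server: it knows its own RP ID and origin, and the
// credential's public key from registration.
type RelyingParty struct {
	RPID   string
	Origin string
	Pub    *ecdsa.PublicKey
}

var (
	ErrChallenge = errors.New("challenge mismatch or replay")
	ErrOrigin    = errors.New("origin mismatch: assertion was made on a different site")
	ErrRPID      = errors.New("rpIdHash does not match this relying party")
	ErrSignature = errors.New("invalid signature")
)

// Verify applies the checks a WebAuthn relying party performs before login.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return ErrChallenge
	}
	if cd.Origin != rp.Origin {
		return ErrOrigin
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return ErrRPID
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return ErrSignature
	}
	return nil
}

// Scenario registers one key with example.com (constructed hostnames) and
// returns the outcomes for a login on the real site, a login on a look-alike
// site, and a replay of an old assertion against a fresh challenge.
func Scenario() (legit, lookalike, replay error, err error) {
	key, err := NewAuthenticator()
	if err != nil {
		return nil, nil, nil, err
	}
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", Pub: &key.priv.PublicKey}
	challenge := "challenge-1" // constructed; a real RP uses fresh random bytes per login
	good, _ := key.Sign("example.com", "https://example.com", challenge)
	legit = rp.Verify(challenge, good)
	// On a look-alike site the browser stamps that site's origin and RP ID into
	// the signed data, so the real RP rejects it even with a valid challenge.
	bad, _ := key.Sign("examp1e.com", "https://examp1e.com", challenge)
	lookalike = rp.Verify(challenge, bad)
	replay = rp.Verify("challenge-2", good)
	return legit, lookalike, replay, nil
}

func main() {
	legit, lookalike, replay, err := Scenario()
	fmt.Println("real site:", legit, "| look-alike:", lookalike, "| replay:", replay, "| err:", err)
}
```

The contrast with an OTP is the point: a six-digit code carries no information about where it was typed, so a code entered on a look-alike site works unchanged on the real one, whereas here the origin check fails before the signature is even examined.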

Companies need to overcome the fear of the cloud

Some companies and industries still consider the cloud a threat, mainly because they see security advantages in maintaining control themselves. Whether this assumption is justified or not – in any case, the cloud offers a number of robust security functions and protocols. If these are used correctly, many threats that large companies are struggling with today, such as ransomware and the compromise of business emails, can be largely defused. The combination of federated identities, strong multi-factor authentication and cloud-based file storage is of great benefit for both large and small companies. Mutual TLS-based authentication and encryption can usually be easily activated via a checkbox, while the complex PKI procedures are handled and automated in the backend. In addition, additional monitoring and control options are available for those users who are willing and experienced enough to manage their secrets themselves.

In order to benefit from the advantages of federated identities and strong multi-factor authentication, companies do not have to completely switch to the cloud. Most modern identity solutions support the FIDO protocols, SAML and OpenID Connect to facilitate the integration of on- and off-premises applications. A comprehensive overview of the identity providers that support FIDO2/WebAuthn can be found in the Works with YubiKey list from Yubico.

Businesses need to prepare for ransomware

Companies that use traditional perimeter models and legacy infrastructures based on technologies such as Active Directory must have a solid plan for responding to ransomware attacks. In addition to detection and recovery, such a response plan must also take into account other aspects, such as insurance coverage, external advice and plans to pay a ransom in the event that recovery fails. Insurance may cover the costs of external service providers, but only if they are authorized providers. Insurance coverage may also be limited. Recently, we have been observing that insurance coverage can be handled differently depending on whether or not the attacker is a state actor.

Once the plan is established, it should be tested – in particular, all backups should be checked.

The security of the supply chain must be given greater attention

The SolarWinds hack and the Log4j vulnerability not only made us aware of the vulnerability of our supply chains last year, but also showed that business-critical and highly sensitive systems are still able to connect to untrusted systems on the Internet at will. We should remember that we are all jointly responsible for the secure design, development and use of technologies. Supplier evaluations consisting of a stack of non-standardized questionnaires cannot secure the supply chain on their own.

Companies in a supply chain must build mutual trust by applying and demonstrating good information security practices at all stages of the development process. Ideally, the entire development process from code check-in to release is secured by strong authentication, robust integrity controls and least-privilege authorization models. The companies deploying the technology must adhere to industry-recognized practices (e.g., zero trust) that keep the technology secure through isolation, patching and robust access control models.

The vulnerability in Log4j has shown how important it is to secure widely used and critical open source software. If software is freely available, who is responsible for its security? We expect a resurgence of discussions about a “Cyber UL” certification as well as government grants for the fulfillment of FAR and DFAR requirements that have yet to be defined. The recent Open Source Security Summit could be the precursor to more formal initiatives on the part of the US government.

The protection of privacy will continue to be the focus of regulators

According to recent forecasts by Gartner, by the end of 2023, modern data protection laws will apply to the personal data of 75% of the world’s population. As more and more regulations such as the GDPR and the CCPA are introduced worldwide to ensure security and data protection for millions of people, companies will be faced with a new problem – namely having to comply with several data protection laws in different countries.

Companies must protect the information that is subject to such regulations not only where it is received, but throughout its entire life cycle. While the CCPA and the GDPR do not contain any requirements for authentication, we expect that other countries will set up their own requirements and will increasingly adopt regulations.
