The Changing Identity of Identity Management

A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been identified by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."

Key challenges to implementing MFA include:

  • Lack of standards - the CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found that some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and the EU, whereas others, like "identity" and "signature," remain only partially matched.
  • Phishing - bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to back MFA services with additional investment and stronger defenses against sophisticated attacks.
  • Rise of generative AI - the Department of Homeland Security (DHS) is working to ensure that technologies can determine whether a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a live person, not a mask, a photo of a photo, or some other technique for getting past the check.


Celebrating 20 Years of Cybersecurity and Preparing for 20 More

For the past 20 years, October has come to signify more than pumpkins, ghosts, and candy. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance have led the annual effort to raise awareness among the general public about everyone's role in keeping our increasingly digital world secure.

Cybersecurity Awareness Month provides a platform for a wide variety of government and private organizations to deliver education about good cyber hygiene and to highlight the effect everyday actions have on the security of the systems we depend on.

Cybersecurity Awareness Month 2022: See Yourself in Cyber

Since 2004, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have led a collaborative effort (at the direction of the President and Congress) to raise cybersecurity awareness nationally and internationally. By marking October as Cybersecurity Awareness Month, individuals and organizations are given the tools to ramp up their cybersecurity education efforts. The theme for 2022 is "See Yourself in Cyber," putting the people aspect of cybersecurity front and center.

This focus on people is two-fold. First, there is the individual and personal responsibility each of us has to understand good cyber hygiene and to conduct ourselves online in a way that protects the networks we depend on. Second, there remains a huge gap between the number of cybersecurity professionals and the number of roles that need to be filled. The "See Yourself in Cyber" theme invites more people to see their roles and skills in a cyber light, creating a bridge across the cybersecurity skills gap.

2021 Cybersecurity Awareness Month Challenges Everyone to #BeCyberSmart

Each October, the Cybersecurity & Infrastructure Security Agency and the National Cybersecurity Alliance lead the cybersecurity community in an educational campaign around the impact of cybersecurity breaches and best practices to prevent them. Cybersecurity Awareness Month was created to raise awareness about the importance of cybersecurity among individual citizens and companies alike. As exemplified by the theme, "Do Your Part. #BeCyberSmart," the campaign serves to remind us that everyone has a role in ensuring the security of data and systems.

Events, educational materials, videos, blogs, and more will be produced throughout the month by a variety of government entities, non-profits, and commercial organizations to illustrate this shared responsibility. To organize the vast amounts of information, the month is divided into themed weeks with a focus on the threat of phishing and a push to increase interest in cybersecurity careers:


In Cyberspace Showdown, Government Has the Upper Hand on the “Bad Guys”

The annual Federal Information Security Modernization Act (FISMA) report was delivered to Congress in May and contained encouraging news. The report, which tracks agencies' ability to meet the guidelines set forth in FISMA, showed that there were 8% fewer cybersecurity incidents across government in fiscal year 2019. Additionally, the report showed that 73 agencies met the highest FISMA rating, up from 62 in 2018.

All of this improvement comes at a time when more attacks are being carried out against agencies and those attacks are becoming more and more sophisticated. The government's ability to stay ahead of the growing number of attack vectors can be attributed to compliance with federal regulations and mandates, including the Continuous Diagnostics and Mitigation program and the National Cybersecurity Protection System.

A focus on educating federal employees about spear phishing, the practice of sending emails that appear to come from a known or trusted sender in order to entice targeted individuals into revealing confidential information, has also paid off. The report showed that the U.S. Department of State, the U.S. Department of Health and Human Services, and the U.S. Department of Commerce had the largest reductions in phishing-related security incidents via email. Fittingly, the Department of Education earned a proverbial gold star, reporting zero phishing incidents. The department attributed this success to employing "increasingly complex phishing scenarios" to improve spam filtering and to implementing anti-phishing policies with its email provider.