Ciptor Security Insights
MFA for Critical Infrastructure: Advice from a CTO
CTO, Ciptor IT-Safe
Implementation of an authentication solution requires careful consideration of security, encryption, and best practices. You need to do it efficiently, without risking security or user experience.
Throughout my 15+ years of experience in leading engineering teams, I have deployed over 10,000 authentication projects. My key insight is to enable our clients to focus on their core business while we concentrate on creating a secure and robust infrastructure. By establishing a strong foundation, our clients are able to seamlessly scale and integrate external technologies in-house, with MFA.
Plan for MFA
Before you decide to invest in MFA to secure your critical infrastructure, don't make the mistake of building it yourself or buying it from an outdated technology platform. Let me explain why.
When it comes to securing your system, building a solution from open-source materials, or purchasing a basic MFA platform that lacks up-to-date cybersecurity features, might seem like a no-brainer. However, it's crucial to be aware of the potential risks and of the need to protect your system accordingly. In today's digital world, companies experience more breaches, and the cost of a breach continues to rise. Cyber criminals are highly skilled, well trained, and have access to sophisticated tools. This requires your team to tackle these issues and create solutions to resolve them. Common issues include:
• Stolen or compromised credentials
• Business email compromise
• Account takeover
• Password spraying attacks
• Credential stuffing
• Financial fraud
• Content scraping
• Denial of service attacks
• API abuse
• Vulnerability in third-party software
• Malicious insider
• Brute force
• Man-in-the-middle attacks
• Social engineering
Use of stolen or compromised passwords remains the most common cause of a data breach, with an average cost of USD 4.5 million (IBM Cost of a Data Breach Report 2022). Tools like AI, bot detection, detection of breached passwords, DarkNet alerts and automated threat reports help significantly, but to use them you will need a team that understands complex cybersecurity models and has the latest technology in place.
Identity and Authentication Team
If you don't have a dedicated Identity and Authentication Team in place, you need to pull engineers from other projects to build these systems. However, this will impact engineering productivity and affect your company's growth. While customers demand more features in your core offering, the best engineers are preoccupied with addressing identity and authentication issues. Building identity and authentication capabilities is time- and work-intensive and should not be part of any company's core product.
The Identity and Authentication Team has a fundamental responsibility of protecting an organization's digital assets, making sure only authorized individuals can access sensitive information and resources. Roles that typically are included:
- Identity Manager: Developing and implementing processes and tools for creating, managing, and revoking user identities within the organization's systems. This may involve user provisioning, role-based access control, and managing user directories or databases.
- Authentication Manager: Evaluating, selecting, and implementing secure authentication methods. The team ensures that the chosen authentication methods are aligned with industry best practices and meet the organization's security requirements.
- Access Control Manager: Defining and enforcing access control policies that determine who has access to specific resources and data within the organization. This includes implementing mechanisms like access control lists (ACLs), permissions, and authorization frameworks.
- Security Auditing and Manager: Conducting regular audits and assessments to identify potential security vulnerabilities in the identity and authentication systems. The team monitors logs, user activity, and access patterns to detect and respond to any suspicious or unauthorized behavior.
- Incident Response Manager: Developing and implementing incident response plans specific to identity and authentication-related incidents. This includes procedures for handling compromised accounts, password breaches, or unauthorized access attempts.
- User Education and Awareness Manager: Promoting security awareness among users, educating them about best practices for authentication, recognizing phishing attempts, and safeguarding their devices and accounts.
- Compliance and Regulations Manager: Ensuring that the identity and authentication systems comply with relevant regulatory requirements, industry standards, and data protection laws. The team stays up to date with evolving regulations and adjusts security measures accordingly.
- Collaboration Manager: Working closely with other IT teams, such as network security, application development, and system administration teams, to integrate identity and authentication solutions into the overall IT infrastructure and ensure a secure environment.
Innovate without compromise
Identity and Authentication are today top-of-mind and a strategic part of companies' roadmaps. Keeping up with market trends is key to your business; that is how we all drive growth. Make sure your developers are 100% focused on your core business, and don't take their valuable time and attention away from it. Competition is high today, and your end users have endless online options. To stay competitive, businesses are creating new ways of accessing their services, such as mobile apps, e-commerce, and more. With so many ways to connect to digital platforms, customers need fast and secure access to them. Identity and Authentication Management is a constantly evolving field, and it can be challenging for businesses without internal resources to create a solution that meets all requirements while ensuring security. Choosing the right solution helps prevent lost revenue and missed deadlines, and helps keep customer trust.
Getting Customer Identity right is hard, particularly when you’re reinventing it from scratch. Identity and Authentication is our core product, and we want to help you deliver your innovative business using our innovative identity and authentication solutions–without compromise.
We are always working hard to enhance our services, enabling businesses to operate efficiently and safely. To improve productivity, we have added more capabilities to our CaaS (Cybersecurity as a Service). You can now create a unique identifier for each device based on its software, hardware, and network configurations. This identifier can be used to detect unauthorized access attempts and block them before they cause harm.
We are proud to be a trusted Identity and Authentication partner for our customers, delivering frictionless, scalable, user-friendly, secure, and highly extensible platforms for customer and workforce applications. We prioritize security in our product development, ensuring that each feature is secure-by-design. Our solution is tried and tested, securing organizations globally, with deployments in complex environments such as finance and banking, critical infrastructure, and government. Our security and engineering teams monitor activity and infrastructure, 24/7, 365 days a year.
FROM PASSWORDS TO PASSWORDLESS AUTHENTICATION
Ciptor ITSAFE is a cybersecurity company specialized in helping organizations protect themselves against cyber-criminals and cyber-attacks such as Ransomware and Phishing attacks, by leveraging IAM, Passwordless Authentication and Digital Fingerprinting. Cyber threats are a growing risk for everyone, and they need to be taken seriously at board level in any company, proactively managing the risk of cyber-attacks seeking to compromise or steal digital information from your company.
Cybersecurity is the application of technologies, processes, and controls to defend infrastructure such as systems, networks, programs, devices, and data. It aims to reduce the likelihood and impact of cyber-attacks that could lead to unauthorized access to sensitive client information and to the disruption of business activities due to interference in critical infrastructure and corporate networks.
Digital fingerprinting is a technique used in cybersecurity to create a unique identifier for each device based on its software, hardware, and network configurations. This identifier can be used to detect unauthorized access attempts and block them before they cause harm. Digital fingerprinting is particularly useful in combination with IAM and Passwordless Authentication systems, where biometrics or hardware security keys are used instead of passwords.
By creating a unique digital fingerprint for each device, unauthorized access attempts can be easily identified and blocked, reducing the risk of cyber-attacks. Digital fingerprinting can also be used in threat monitoring, where changes in a device’s fingerprint can be a sign of a potential security breach. Overall, digital fingerprinting is an effective cybersecurity measure that can improve the protection of sensitive information and reduce the risk of cyber-attacks.
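The following Python script is an added illustration of the two uses described above (identifying a device and spotting drift in its fingerprint); it is not Ciptor's code and says nothing about how the CaaS product implements fingerprinting. The device attributes, the grouping into hardware/software/network, and the decision per group are all assumptions constructed for the example: a hardware change is treated as a different or spoofed device, a software change as a reason for step-up authentication, and a network change as normal roaming.

```python
import hashlib
import json

# Constructed sample of one enrolled device (not real telemetry). A real
# deployment would collect these attributes with an agent or browser script
# at enrollment time and store them server-side.
ENROLLED_DEVICES = {
    "device-001": {
        "hardware": {"cpu": "x86_64/8 cores", "gpu": "vendorA model1", "screen": "1920x1080"},
        "software": {"os": "Windows 11 22H2", "browser": "Firefox/118.0", "tz": "Europe/Stockholm"},
        "network": {"public_ip": "203.0.113.10", "asn": "AS64500"},
    }
}

# Assumed policy: how a change in each attribute group should be handled.
# Hardware is the most stable part of a fingerprint, so a change there is
# treated as a different (or spoofed) device; a new public IP is just roaming.
RISK_BY_GROUP = {"hardware": "block", "software": "step_up", "network": "allow"}
SEVERITY = {"allow": 0, "step_up": 1, "block": 2}


def canonical(attrs):
    """Canonical JSON, so attribute order never changes the fingerprint."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":"))


def fingerprint(attrs):
    """The device identifier: SHA-256 over the canonical attribute set."""
    return hashlib.sha256(canonical(attrs).encode("utf-8")).hexdigest()


def changed_groups(enrolled, observed):
    """Attribute groups (hardware/software/network) whose values differ."""
    groups = set(enrolled) | set(observed)
    return sorted(g for g in groups if enrolled.get(g) != observed.get(g))


def assess(device_id, observed, enrolled=ENROLLED_DEVICES):
    """Compare a login's observed attributes with the enrolled fingerprint.

    Returns the decision ('allow', 'step_up' or 'block') together with the
    groups that changed, so an analyst can see why a device drifted.
    """
    known = enrolled.get(device_id)
    if known is None:
        return {"decision": "block", "reason": "unknown device", "changed": []}
    if fingerprint(known) == fingerprint(observed):
        return {"decision": "allow", "reason": "fingerprint match", "changed": []}
    changed = changed_groups(known, observed)
    # Escalate to the most severe decision among the groups that changed.
    decision = max((RISK_BY_GROUP[g] for g in changed), key=SEVERITY.get)
    return {"decision": decision, "reason": "fingerprint drift", "changed": changed}


if __name__ == "__main__":
    import copy

    current = copy.deepcopy(ENROLLED_DEVICES["device-001"])
    current["network"]["public_ip"] = "198.51.100.7"  # roaming user
    print(assess("device-001", current))
    current["hardware"]["gpu"] = "vendorB model9"  # looks like a different machine
    print(assess("device-001", current))
```

Returning the changed groups rather than a bare yes/no is the part that matters for threat monitoring: a fingerprint that drifts in the hardware group on an account that has not re-enrolled is the kind of event worth an alert, while IP churn alone would drown the monitoring team in noise.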
FROM PASSWORDS TO PASSWORDLESS AUTHENTICATION
Password authentication is a widely used technique for verifying a user’s identity in cybersecurity. It involves the user providing a password to gain access to a device, system, or network. Passwords are vulnerable to hacking and phishing attacks, which can compromise sensitive information and disrupt business activities. To address these vulnerabilities, password authentication systems have evolved to include stronger password policies, such as minimum password length, complexity requirements, and periodic password changes.
However, even with these stronger password policies, passwords remain vulnerable to attacks. Passwordless authentication is an alternative approach that removes the need for passwords altogether. Instead, biometrics or hardware security keys are used to verify a user’s identity. These methods are considered more secure than passwords because they cannot be easily stolen or guessed.
Passwordless authentication is becoming increasingly popular, and many organizations are adopting this approach to improve their cybersecurity. By removing the need for passwords, the risk of cyber-attacks is significantly reduced, and the protection of sensitive information is improved.
Overall, password authentication and Passwordless authentication are important techniques in cybersecurity. While password authentication remains prevalent, the adoption of Passwordless authentication is increasing due to its improved security and protection against cyber threats.
Basic questions to reflect and then act upon regarding your Cybersecurity Situation:
1. Do you have a comprehensive plan in place to address potential cybersecurity risks facing your organization?
2. What kind of authentication and login methods are you currently using, and what level of protection do they offer?
3. How do you ensure the proper inventory and management of devices used by your employees and stakeholders?
4. Are your digital records and data classified according to PII, proprietary, sensitive, or transactional information, and how are they protected?
5. How often do you assess your network, infrastructure, and user architecture to identify vulnerabilities and ensure proper security measures are in place?
6. What policies do you have in place to restrict access to web/mobile applications, and do you follow a least privilege access policy?
7. How do you enforce password policies, and who has access to password information?
8. How do you ensure the proper storage and use of sensitive data, and what policies do you have in place to protect against data breaches?
9. What security measures do you have in place for computing devices used remotely, and how are they managed?
10. Have you established and tested business continuity and disaster plans, as well as cybersecurity breach incident response plans?
11. How do you ensure the proper disposal of sensitive information, both digital and non-digital?
12. Who are your third-party partners and vendors, and do you have agreements in place with each independent contractor?
13. What measures have you implemented to improve cybersecurity awareness among employees and stakeholders, and how do you monitor digital threats both internally and externally?
14. Which devices and assets are most attractive to potential cyber-attacks, and what measures have you taken to protect them?
15. What is the likelihood and potential cost of a cybersecurity breach, and how do you prepare for and address such incidents?
THE PARTNERSHIP BETWEEN NVIDIA AND CIPTOR IT-SAFE
NVIDIA, a leading technology company known for its innovations in AI and GPU technologies, has partnered with Ciptor IT-Safe to offer enhanced security solutions to businesses and organizations. Ciptor IT-Safe is a Swedish/Swiss company that specializes in data security solutions for businesses and organizations.
The partnership between Nvidia and Ciptor IT-Safe aims to provide businesses with a comprehensive security solution that includes the latest AI and machine learning technologies. NVIDIA’s Morpheus technology, which uses digital fingerprinting, behavioral analysis, and signature-based detection to identify and respond to cyber threats, is a key component of the partnership.
Ciptor IT-Safe’s expertise in data security and its range of security solutions, including secure file transfer and encryption, complement NVIDIA’s Morpheus technology. The partnership will enable businesses to benefit from a complete security solution that addresses the most common threats to their data and networks.
Cyberattacks are on the rise!
The long-standing, oft-deferred security threat posed by password-based authentication is now front and center. Some of the most damaging cyberattacks in the past year were caused or enabled by weak password protection. For example, the Colonial Pipeline breach that shut down fuel supply operations to the eastern United States was traced to a single compromised password. This untenable risk, along with growing regulatory pressures such as the 2021 Executive Order on Cybersecurity's Zero Trust mandate, is prompting more organizations to turn to passwordless options. There's growing recognition that passwordless security approaches can provide significantly better protection and user experience as well as cost savings. To further clarify the state and direction of passwordless authentication, we conducted our second annual survey among IT and security professionals across the globe.
As organizations look for opportunities to do more with less, they’re no doubt considering how security teams can contribute. With that in mind, I’d like to share priorities for 2023 that will pay off in the long run:
- Traditional multi-factor authentication (MFA) methods are increasingly under attack. These include Remote Desktop Protocol (RDP) attacks, account takeover (ATO) fraud, phishing, man-in-the-middle (MitM) attacks, credential stuffing and push attacks.
- Remote work continues to be the main driver for passwordless authentication, especially against the backdrop of the significant increase in phishing attacks in recent years.
- Organizations face serious security gaps due to insecure authentication methods based on secret-sharing.
- Protect against identity compromise.
- Modernize identity security to do more with less.
- Protect access holistically by configuring identity and network access solutions to work together.
- Verify remote users in a cheaper, faster, more trustworthy way.
Credential attacks are on the rise
Given the vast troves of stolen passwords on the dark web, easily available automated attack tools, and people's penchant for password reuse, it's unsurprising that credential stuffing attacks and phishing continue to grow. Phishing remains at an all-time high, with 89% of respondents revealing that their organizations experienced at least one phishing attack, according to the HYPR 2022 State of Passwordless Security Report.
10 Steps to Improving Your Cybersecurity Performance
What are cybersecurity goals?
Is it the measurement of the number of users and their corresponding results compared to the number of password resets? Good cybersecurity is highly valued, but it can also be difficult to achieve for many organizations.
The key to good cybersecurity is consistency. Anyone can be the next target of cybercriminals, but a high-performing cybersecurity team can meet future threats through different sets of cybersecurity tools in combination with a well-balanced cybersecurity education and awareness program.
1. Start with the right mindset and strategy
Your mindset and how you approach cybersecurity can greatly impact the outcome. If you don't think you will be successful, you will be right. It usually takes several years to increase your cybersecurity awareness, and you will achieve it with increased cybersecurity know-how inside your organization. If you aren't there yet, try creating an annual cybersecurity strategy plan.
Your strategy should include a vision board where you assemble pictures and phrases of what you want to achieve and why you want to achieve it. It helps you remember the WHY your organization needs to take cybersecurity seriously and it is a powerful exercise for visualizing success.
2. Improve your cybersecurity with an emphasis on your vertical market
The level of understanding you have regarding how your business runs gives you credibility and trust when you are positioning your product or services. When you're looking to improve your cybersecurity performance, strengthening your cybersecurity mindset (specifically in the vertical market you are in) is critical.
Ciptor ITSAFE Cyber security Expert Tobias Gurtner says:
"You need to understand how critical your cyber defense is for your business before you can set your business goals. As a decision maker for your company's cybersecurity, the key to success is to understand how hackers are approaching their targets, what their intentions are, and how you can accommodate and fit your cybersecurity strategy into that."
You can take small steps to improve your cybersecurity each day. Try reading credible cybersecurity publications or digging into relevant reports for deeper understanding.
3. Get organized
One of the biggest factors in cybersecurity is ensuring you are focused on the right task at the right time. Chances are if you don’t allocate time to complete work (such as putting it on your strategy) it’s unlikely to happen.
If organising isn't your strong suit, get help quickly. Ask an organized cybersecurity team member to walk you through their workflow to give you some ideas. If you are spending mental capacity trying to juggle too many priorities, such as resetting passwords or adding users to all the web and mobile applications your organization is using, it will be hard to focus on your cybersecurity goals, which can hinder your overall performance.
4. Review your role and position
As a cybersecurity leader you are assigned a budget and activity metrics that will help your business achieve its overall goals. Some organizations publish these numbers so CIOs can compare their budget with high performers. Reading the data and incorporating it into daily activity is key.
Ciptor ITSAFE Cybersecurity Expert Mikael Zaman Rodin, offers this advice:
"Understand what your ‘cybersecurity macros’ are. Most people are familiar with macros, or macronutrients, in the context of healthy eating. In that instance, you track how many carbs, proteins, and fats you eat to better understand what you’re consuming and help you reach your goals. This same thought process applies to cybersecurity.
Think of your metrics and KPIs as your macros. If you don't understand what metrics or KPIs you need to overachieve, then you'll have a hard time measuring your performance. The metrics you need to hit could be vastly different than the other reps on your team.
We once had a client that was ‘doing everything right’ but still missing a lot of tasks. We pulled some data and noticed that their password reset percentage was 50% higher than a regular client. After implementing a password self-service concept, they were able to handle all tasks on time.
Understand that your personal definition of success may be different than that of your peers. This is why knowing where you stand according to metrics that are most relevant for you is important information for improving your performance as a Cybersecurity Team."
5. Set concrete goals above and beyond
Most businesses want to overachieve their budget, so setting business goals that exceed expectations provides flexibility for your business. If your goals are not written down, they are not goals, they are dreams.
Defining what you would like to achieve, how you would like to achieve it, and then sharing this information within your organization will help you to reach the goals.
6. Build a business cybersecurity development plan
The great part about cybersecurity is that there is a lot to learn. The best way to accelerate your development is to create a personal development plan that defines what cybersecurity skills you want to improve within a specific amount of time.
I suggest picking one or two specific skills and applications to focus on each month and documenting the steps you take to show improvement over time.
Work with your cybersecurity team and your suppliers to build a cybersecurity training plan to help get you to the next level – particularly if cybersecurity awareness is new in your company.
Asking your employees to fill out a cybersecurity training template and watch training videos is a concrete way to show you want to grow in your role as a cybersecurity leader.
7. Find a cybersecurity coach or mentor
Having a cybersecurity expert or confidant outside of your organization can provide valuable perspective. An experienced cybersecurity expert will likely have more bandwidth and a perspective that can support your development in ways you might miss.
8. Track your progress in quantitative and qualitative ways
Document your success. Track your cybersecurity performance on a weekly and monthly basis so you have evidence of your progress. Additionally, tracking cybersecurity threats, authentication events, users not logged in for the past 10, 15 or 30 days, users that have been locked out, workstation events, etc., alongside your own progress can provide a high-level understanding of your performance and how it relates to your organization's success.
9. Take a creative approach to problem-solving
There is no singular path to success, and your ability to think creatively can serve you well in the long run.
Ciptor ITSAFE Cybersecurity expert Mikael Zaman Rodin says:
"Your ability to think outside the box could be the difference between being hacked or not being hacked. Your ability to think creatively does matter, no matter what stage of the cybersecurity process you are in.
One of my favorite examples of creativity is during demo prep. If we are preparing to show a customer how our platform is going to revolutionize their way of going passwordless, why not take the time to sign up them up in our demo environment. This takes only 5 minutes and provides relevant information about how we can improve their process."
As a cybersecurity leader, it’s your job to solve your business problem. The more creative you can be in your approach, the better.
10. Celebrate your wins
Your daily work is filled with ups and downs and many employees focus too much on improving their weaknesses. Improving individual performance also means celebrating your wins — no matter how big or small they are.
When you achieve a goal or improve a skill, share your success with your team. Every win counts and celebrating each one gives you the momentum you need to keep going.
GO PASSWORDLESS TODAY
With Azure AD, HYPR and FIDO Security Keys
Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives from email to bank accounts, shopping carts to video games.
Today you can completely remove the password from your Microsoft account. Our preferred choice is to use your mobile phone as a security key with our favorite technology, the HYPR Cloud Platform. It is designed to eliminate passwords and shared secrets across the enterprise. By removing the hackers' primary target, HYPR forces the adversary to attack each device individually, drastically shifting the economics of an attack back in your favor.
With the HYPR platform in place you can also use a FIDO Security Key from Feitian, Yubico, Identiv or Nitrokey to sign into your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.
Connect your IdP to the HYPR Platform and you will be able to roll out True Passwordless Authentication and gain fast and easy access to your apps and resources.
See the example below of how HYPR is integrated with the PhenixID IdP to access Citrix with SSO using True Passwordless Authentication.
Bret Arsenault, the Chief Information Security Officer (CISO) at Microsoft says:
“Hackers don’t break in, they log in.”
Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.
Why are passwords so vulnerable? There are two big reasons:
1. Human nature
Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.
Forgetting a password can be painful too. You will be shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.
To solve these problems and create passwords we can remember, we try to make things easier for ourselves. We often rely on known and personal words and phrases. We use our pets' and family members' names for password inspiration, and important dates like birthdays. We also reuse passwords across sites, and we use a formula for creating passwords, such as Summer2021, which eventually becomes Winter2021 or Spring2022.
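The password-change checks below are an added example, written for this page rather than taken from Ciptor or any of the products it mentions. They implement the policy elements named earlier (minimum length, complexity, no reuse of previous passwords) and add a check for the two habits described in this section: the season-plus-year formula, and a "new" password that only changes the digits of the current one. The minimum length of 12, the "3 of 4 character classes" rule and the word lists are assumptions; SHA-256 stands in for the password-history hash only to keep the example dependency-free, as the comment in the code says.

```python
import hashlib

# Assumed policy values for the example.
MIN_LENGTH = 12
MIN_CLASSES = 3  # of: lowercase, uppercase, digit, symbol

# Words that, padded with a year and a symbol or two, make a "formula" password.
SEASONS_AND_MONTHS = {
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}


def digest(password):
    """Stand-in for a password-history hash.

    Real systems must store history with a slow, salted hash (argon2id or
    bcrypt); plain SHA-256 is used here only so the example runs without
    third-party packages.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password):
    """How many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def core(password):
    """Letters only, lowercased: 'Summer2021!' -> 'summer', 'Password1' -> 'password'."""
    return "".join(c for c in password.lower() if c.isalpha())


def is_formula_password(password):
    """Season or month name padded with digits/symbols (Summer2021, Winter2021!)."""
    return core(password) in SEASONS_AND_MONTHS


def check_new_password(new, current, history_digests):
    """Return the list of policy violations for a proposed password (empty = accepted).

    `current` is the password the user typed to authorise the change, which is
    what lets us detect 'only the digits changed' without storing plaintext.
    """
    violations = []
    if len(new) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(new) < MIN_CLASSES:
        violations.append(f"needs at least {MIN_CLASSES} of: lower, upper, digit, symbol")
    if digest(new) in history_digests:
        violations.append("reuses a previous password")
    if is_formula_password(new):
        violations.append("season/month plus number pattern")
    if current is not None and core(new) and core(new) == core(current):
        violations.append("only digits/symbols changed from current password")
    return violations


if __name__ == "__main__":
    # Constructed history for a user who has been cycling the seasons.
    history = [digest("Summer2021"), digest("Winter2021")]
    for candidate in ["Spring2022!!", "Fjordlamp-Tea-2023", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_new_password(candidate, "Fjordlamp-Tea-2022", history) or "accepted")
```

The formula check deliberately compares only the letters of the password, so adding another exclamation mark or bumping the year does not get past it; that is the same trick a guessing tool uses, applied on the defender's side at change time.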
2. Hacker nature
Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone's social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it's often sold on the dark web for use in any number of attacks.