The Myth and Reality of the Insider Threat
Two specific report elements really stood out to me. For years, we consistently talked about the “insider threat.” Specifically, how an organization’s most valuable asset, namely its people, constituted the biggest threat. In the 2022 DBIR report, while 82% of the attacks involved a human element, most of the attacks came from outside the organization. This is not to say that insiders played no role, but the good news is that most employees, partners, and subcontractors, who are all insiders, did not knowingly or purposefully contribute to an attack. With ongoing education and reinforcement of best security practices to our “most expensive asset,” organizations are well down the road to making the number of unintentional insider threats trend downward. Even more important, however, is to eliminate opportunities for unintentional breaches. This brings me to the second element.
Credentials, Credentials, Credentials
The second glaring metric was the use of credentials in an attack. Attacks such as phishing, man-in-the-middle (MitM), smishing, brute force, credential stuffing, and social engineering (both online and offline) are all attacks that are architected to lift passwords and other credentials to gain access to a system. This is the master skeleton key that gives hackers and cybercriminals the portal to perform reconnaissance and launch attacks anywhere anytime and anyhow they want. Whether harvesting data, ransoming information, taking down a system, or causing a catastrophic failure, most attacks can be traced back to a stolen, compromised, or misused password.
The Achilles heel of most organizations is the use of the password. Passwords were originally conceptualized and used to book time on mainframe computers they were never meant to be a form of authentication or security. They certainly were not meant to serve as a security staple in the way we use them today. And while over time, we have added layers of protection on top of the password, such as one-time passwords, tokens, and push notifications, these never lived up to the level of security needed. All it really did was provide a false sense of security and add a ton of friction to the user experience. So, in essence, we are in a very similar position to where we were 15 years ago.
Remove Passwords, Remove the Risk
Moving forward, organizations need to remove passwords from their security arsenal. This, of course does not mean that we should run everything wide open, but rather that we need to adopt multi-factor authentication (MFA) that is passwordless. Phishing-resistant MFA is recommended in guidance put out by CISA, the OMB and many countries all over the world, with FIDO certification the designated gold standard. Instead of relying on a string of letters and numbers to keep things secure, we can go passwordless in a way that completely eliminates shared secrets. By using public and private key exchanges that are invoked by the user, rather than by a server (which can easily be spoofed), credentials are removed as an avenue of attack.
With constantly changing attack surfaces and attack vectors, organizations need to look at how people authenticate and gain access to systems starting with the desktop and extending to the cloud. Our ability to conquer the password issue as the origin for many other attacks will put us in a remarkably more secured position as a community than we are today. We can fix the way the world logs in and we do not have to wait another 15 years to effect this change right here, right now.