Ocean's Eleven ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On July 02, 2024

Yeah, I know. I’m using the same pop culture reference to make a point. But the reference is perfect and the point is important, so read on.

Multi-Factor Authentication (MFA)

"Ocean's Eleven" showed that breaking into a high-security vault takes more than picking a lock; the crew had to defeat several independent layers of security. Multi-factor authentication (MFA) works the same way. MFA requires users to present two or more independent pieces of evidence (factors) to verify their identity, drawn from different categories: something they know (a password), something they have (a smartphone authenticator app or a hardware security key), and something they are (a biometric such as a fingerprint or face scan). Two factors from the same category, such as a password plus a PIN, are not MFA.

MFA significantly reduces the risk of unauthorized access. Even if a malicious actor acquires a user's password, they still need the second factor to gain entry. Not every second factor is equally strong: one-time codes delivered by SMS and push-to-approve prompts can be phished or approved by mistake, while phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site. Training employees to enable and use MFA across all their accounts, preferring phishing-resistant options where they are offered, is a foundational step in enhancing organizational security.

Password Composition

Passwords are the frontline defense against unauthorized access. However, creating strong passwords is often overlooked. Let's draw inspiration from the TV show "Game of Thrones." Just as the Iron Throne is protected by multiple layers of defenses—walls, armies, dragons—your passwords should be fortified against potential intruders.

A strong password should be long (at least 12 characters), complex (a mix of uppercase and lowercase letters, numbers, and special characters), and unique for each account. Avoid using easily guessable information such as birthdays or common words. Passwords like "Password123" or "qwerty" sit at the top of every breached-password list attackers try first; using one is akin to leaving the front door unlocked in a high-crime area.

Credential Management

Credential management involves securely storing and managing passwords. Think of the "Harry Potter" series, where the characters use enchanted objects like the Marauder's Map to manage and protect sensitive information. In the digital world, password managers act as these enchanted objects, securely storing and autofilling passwords for various accounts.

Password managers not only store complex passwords but also generate them, ensuring that each password is unique and strong. They can also alert users to weak or reused passwords, prompting timely updates. Training employees to use password managers can significantly reduce the risk of password-related breaches.
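Password composition and credential management come together in a short added example (my code, not the post's or CIS's) that encodes the composition rules above as a policy check, generates passwords the way a manager does (from a cryptographic random source, then validated against the same policy), and flags a password reused across accounts. The `COMMON_PASSWORDS` set is a constructed stand-in for a breached-password corpus, `SAMPLE_VAULT` is constructed data, and the function names are this example's own.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed denylist standing in for a breached-password corpus such as the
# Pwned Passwords data set; a real check consults the full list or its API.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "letmein", "welcome1"}

# Constructed vault: account -> password, as a manager would hold after decryption.
SAMPLE_VAULT = {
    "email": "Correct-Horse-Battery-42",
    "bank": "Correct-Horse-Battery-42",
    "forum": "Tr0ub4dor&3-unique!!",
}


def password_findings(password: str) -> List[str]:
    """Return the policy violations for a password (an empty list means it passes).

    Rules: at least MIN_LENGTH characters, all four character classes, and not a
    common or guessable value. The common-value check is case-insensitive and
    strips trailing digits and symbols, so "Password123!" still matches "password".
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing " + ", ".join(missing))
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        findings.append("common or guessable password")
    return findings


def generate_password(length: int = 20) -> str:
    """Generate a password the way a manager does: CSPRNG, full alphabet,
    and rejected until it satisfies password_findings()."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_findings(candidate):
            return candidate


def generator_entropy_bits(length: int = 20) -> float:
    """Entropy of a uniformly random password of this length over ALPHABET,
    i.e. length * log2(94); 20 characters is about 131 bits."""
    return length * math.log2(len(ALPHABET))


def reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used by more than one account to the accounts sharing it.
    Shown on plaintext for illustration; a manager runs this over its decrypted vault."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    for pw in ("Password123", "qwerty", "Correct-Horse-Battery-42"):
        print(f"{pw!r}: {password_findings(pw) or 'OK'}")
    print("generated:", generate_password())
    print("reused:", reused_passwords(SAMPLE_VAULT))
```

Two design points worth calling out in training: the generator draws from `secrets`, not `random`, because the latter is predictable, and the reuse check is the reason a manager can warn that a breach at one site exposes another.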

In today's digital age, where cyber threats lurk around every corner, organizations must remain vigilant in safeguarding their sensitive data and assets. One critical aspect of this defense is ensuring that all members of the workforce are well-versed in authentication best practices. Enter CIS Safeguard 14.3, a vital component of any robust cybersecurity strategy.

CIS Safeguard 14.3 emphasizes the importance of training employees on authentication best practices to mitigate the risk of unauthorized access to sensitive information. Authentication serves as the first line of defense against cyber threats, making it essential for all members of the workforce to understand and adhere to established protocols.

Why Authentication Training Matters:

  1. Preventing Unauthorized Access: Proper authentication practices, such as using strong passwords and implementing multi-factor authentication, help prevent unauthorized individuals from gaining access to critical systems and data.
  2. Mitigating Insider Threats: Educating employees on the importance of safeguarding their credentials can help mitigate the risk of insider threats, where malicious actors exploit trusted access to perpetrate attacks from within.
  3. Enhancing Security Posture: By instilling a culture of security awareness and accountability, organizations can significantly enhance their overall security posture and resilience against cyber threats.
  4. Compliance Adherence: Many regulatory frameworks require organizations to implement robust authentication measures to protect sensitive data. Compliance with these regulations is crucial for avoiding costly penalties and maintaining trust with stakeholders.

Best Practices for Authentication Training:

  • Password Hygiene: Emphasize the importance of using strong, unique passwords and changing them promptly whenever compromise is suspected. Current guidance (NIST SP 800-63B) no longer recommends forcing calendar-based rotation, which tends to produce predictable variations of the old password.
  • Multi-Factor Authentication (MFA): Educate employees on the benefits of MFA and encourage its adoption to add an extra layer of security to their accounts.
  • Phishing Awareness: Train employees to recognize and report phishing attempts, as attackers often use social engineering tactics to steal credentials.
  • Secure Remote Access: Provide guidance on securely accessing organizational resources from remote locations, particularly in today's increasingly remote work environment.

Here’s a link to the Security Awareness Skills Training Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/security-awareness-skills-training-policy-template-for-cis-control-14

Here are some details on this specific Control/Safeguard. If you want more information, DM me.

CIS Control 14 – Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Implementation Group 1

CIS Safeguard 14.3 - Train Workforce Members on Authentication Best Practices

Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.