Credential Confidential: The Importance of Invalidating Older Network Credentials to Protect Sensitive Data
Account and access control management are two critical security controls that make sure only authorized persons and systems have access to certain IT environments. However, the more complex the IT environment, the more challenging it is to fully remove a previously authorized user.
This week, we saw the danger in this when a former network admin used his still-valid network credentials to significantly disrupt the operations of his former employer, a finance company from Hawaii. Casey K. Umetsu, who was laid off by the unnamed company in 2019, used his network credentials to misdirect email and web traffic to non-company computers while locking the company out of its own website to prevent any quick fixes of the damage he caused. Umetsu, who hoped these disturbances would cause the company to rehire him to fix the damage he caused, now faces up to 10 years in prison.
He should have never been able to cause this damage in the first place. Companies that do not have a system in place for invalidating the credentials of former employees with an axe to grind are asking for trouble. No one likes firing employees, but companies should be smart enough to sever all ties when these firings occur.
You Must Be At Least This Human to Enter: Cloudflare Introduces Alternative to CAPTCHA
Most of us have gone through the tedious process of completing a CAPTCHA, re-typing hard-to-read messages, clicking on every image with a STOP sign, and wondering how these things verify us as human beings.
While CAPTCHAs have been around for decades and have a successful track record of limiting bot traffic, they have become outdated in the face of bugs and sophisticated circumvention methods (including cheap click farms and AI-based software).
Because of this, Cloudflare has announced its alternative to CAPTCHA, looking to replace the problems and design flaws inherent to the functionally obsolete challenge-response test. Dubbed "Turnstile," Cloudflare's new test selects a challenge based on telemetry and client behavior exhibited during a session," making it non-cookie-dependent, but still personalized to the specific user.
Claimed by Cloudflare to be just as secure as CAPTCHA, Turnstile utilizes private access tokens to limit the harvesting of user data. Questions remain as to how Cloudflare expects to usurp the CAPTCHA market or make Turnstile a profitable endeavor by driving adoption outside of its own doors. But as nearly 98% of the Internet's most popular websites use Google's reCAPTCHA, there seems to be a definite market for alternatives to wedge off a piece of that pie.
Aware-ican Duty: President Biden's Proclamation for Cybersecurity Awareness Month
Finally, if you follow Mirai on any of our social channels or are a frequent reader of our blog, you likely know that October is Cybersecurity Awareness Month. We have been busy releasing a CSAM Toolkit to help people and organizations better their security culture, and it seems as if we are not the only ones observing the month's importance.
On Friday, the Biden administration released "A Proclamation on Cybersecurity Awareness Month, 2022," wherein they discussed the steps the US federal government has been taking to shore up the nation's cybersecurity capabilities, as well as ways in which citizens can practice safe cybersecurity.
This combination of governmental and personal responsibility permeates the entire document, with the Biden admin stating, "Cybersecurity is not limited to Government or critical infrastructure. Hackers target Americans every day, and cybersecurity is about protecting the American people and the services we rely on." Common sense tips (like the ones we feature in our toolkit) for everyday people are discussed, as are ongoing efforts by the federal government to standardize cybersecurity practices, including the Counter-Ransomware Initiative (an international effort to curb ransomware) and the Bipartisan Infrastructure Law (which promises to invest in cybersecurity for critical infrastructure).
Whether these initiatives will be followed and used to boost the nation's cybersecurity remains to be seen. Still, such language from a presidential administration during a momentous occasion for cybersecurity instills a sense of cautious optimism.