Fresh Take: A Brief Reflection on the National Cybersecurity Strategy
Earlier this month, the Biden-Harris administration released its much-anticipated National Cybersecurity Strategy, which is a necessary step to help U.S. organizations improve their cybersecurity posture. It is particularly notable that ransomware is mentioned 32 times in the 39-page document – clearly indicating that this threat vector is perceived as presenting clear and present danger.
What is also noteworthy, though, is what the strategy omits. Phishing-based attacks are not mentioned at all, which is surprising considering this is one of the most common paths to ransomware. This malicious activity, which uses some form of social engineering to gain access to personal, sensitive, or proprietary information, was the cause of several high-profile ransomware attacks in recent years, including the Colonial Pipeline shutdown in 2021.
In fact, according to the Cybersecurity and Infrastructure Security Agency (CISA), which collects phishing-related data via its own assessments, 84% of employees interacted with a phishing email. This underscores the need for formal, strategy-driven initiatives to prevent phishing-based attacks. Further reinforcing the urgency, CISA and the National Institute of Standards and Technology (NIST) have both issued strong guidance on becoming more phishing resistant within the last few months.
Leveraging Certificate Based Authentication to Become Phishing-Resistant
While the strategy omits any discussion of phishing resistance, that does not make this emerging threat any less important. Being unprepared for such an attack can not only leave you at risk of a breach, but it can also have a negative impact on your ability to obtain cyber insurance (or on the rates you pay for it).
Multi-factor authentication (MFA) is often seen as the gold standard for cybersecurity. And while it may help fend off a phishing attack, it’s important to note that not all MFA is the same. Variants such as short message service (SMS) codes, one-time passwords (OTP), and even mobile push notifications are all susceptible to phishing.
A better approach is to leverage Fast Identity Online (FIDO)-based solutions, Windows Hello for Business, or certificate-based authentication (CBA). As I noted in a recent piece for Security Boulevard, “CBA is a more secure, phishing-resistant form of MFA that is increasingly being deployed in enterprises and the public sector. It uses a strong token such as a smart card or hardware device for authentication, and it streamlines the process of authenticating users with a variety of tokens while improving overall protection.”
How does CBA prevent phishing-based attacks? It comes down to certificates with asymmetric cryptography and a chain of trust. Asymmetric cryptography means that the certificates can be verified at the local device, the target server, the application, and more, based on public and private key pairs. The chain of trust means that the root certificate, the issuing certificate authority, and the end-user certificate are all validated against one another. Since the certificate can be automatically queried and verified, CBA dramatically reduces the exposure surface that bad actors can attack.
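As an added illustration, not Axiad’s code or any product’s, the following Go sketch shows the two checks the paragraph describes: the relying party validates the user certificate chain against a trusted root and then verifies a signature over a fresh per-session challenge, so there is no reusable secret for a phishing page to capture. The root CA, the user “alice” and the nonces are constructed sample values.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"
	"crypto/x509"; "crypto/x509/pkix"; "fmt"; "math/big"; "time"
)

func must(err error) { if err != nil { panic(err) } }

// issue signs tmpl with signerKey; parent is the issuer's certificate (tmpl itself for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert
}

// BuildChain creates a constructed root CA and a user certificate it issued (a sample PKI, not a real one).
func BuildChain() (root, user *x509.Certificate, userKey *ecdsa.PrivateKey) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	userKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	user = issue(userTmpl, root, &userKey.PublicKey, rootKey)
	return
}

// SignChallenge is the client side: the token signs the server's nonce; the private key never leaves it.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce); sig, err := ecdsa.SignASN1(rand.Reader, key, h[:]); must(err)
	return sig
}

// Authenticate is the relying party's check: the certificate must chain to a trusted root with client-auth usage,
// and sig must verify over this session's nonce. A signature captured earlier is useless against a fresh nonce.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return false }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey); if !ok { return false }
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	root, user, key := BuildChain()
	roots := x509.NewCertPool(); roots.AddCert(root)
	nonce := make([]byte, 32); rand.Read(nonce) // fresh per-session challenge from the server
	fmt.Println("login ok:", Authenticate(roots, user, nonce, SignChallenge(key, nonce)))
}
```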
Another recurring theme in the Cybersecurity Strategy is that organizations should take the necessary steps to attain Zero Trust. In fact, several recent policy memos – including President Biden’s Executive Order released in May 2021 – mandate that federal agencies establish plans to adopt Zero Trust architecture. Continuously authenticating every user, every machine, and every digital interaction with a contemporary authentication solution represents a critical step in that direction.
Axiad for Passwordless, Phishing-Resistant CBA
Axiad’s phishing-resistant CBA solutions can supplement existing IAM ecosystems with unified passwordless authentication – for employees that are in office, remote, or hybrid. Passwordless is the way of the future, and Axiad is helping organizations get there. Contact Axiad to see how it works and request a demo.