“Human beings are cybersecurity’s weakest link” – JAXenter


JAXenter: Considering recent security breaches, now more than ever, enterprises need to be focused on making security their first priority. What is the first action that companies should take when refocusing their efforts to be more security-centric?

Yuval Herzog: It’s a fascinating question because on the surface, the answer has been consistent over the decades. Now the question is relevant because the base premise of cybersecurity has changed. The general consensus has been that in order to improve security, the number one priority of an enterprise is to raise awareness: you raise security consciousness with customers, employees and suppliers. Any CISO will tell you that — human beings are cybersecurity’s weakest link. What’s interesting about this today is the “why.”

It used to be that people just weren’t aware of cyber risks and how to mitigate them with behavioral change and better utilization of the defensive technology at their disposal. Now there is unprecedented awareness, but it’s still not helping. Global damages from cybercrime rose to an unprecedented $6 trillion this year, despite the also-record-breaking $254bn investment in cybersecurity. This suggests that cybersecurity is simply unequipped to tackle modern threats, even with awareness.

These days, when the right person is compromised, the systems that person has authority over are compromised too. This is why humans are still the weakest link. The most important question companies should consider today to be more security-centric is “how much is your security strategy based on blind trust?” How much do you trust top executives with over-arching security credentials? How much trust is placed in their identity and access-management processes and systems? How much trust do they put in their network perimeter security devices to operate as specified? Companies now must consider replacing this misplaced trust with the ability to continuously verify.


JAXenter: How does a decentralized system prevent vulnerabilities and protect crucial information?

Yuval Herzog: Unlike a distributed system, a decentralized system can offer a solution to the underlying problem of reliance on blind trust. A properly designed and implemented decentralized system automatically assumes that a person with the highest authority has been or will be compromised by malicious parties – but the system is guaranteed to continue flawless and secure operations. Full trustlessness of a system (e.g. the reduction of trust to zero) is achieved when the nodes making it are evenly distributed across different and unaffiliated organizations, and every assumption regarding the operation of the system can be verified. When applying trustlessness on a system, vulnerabilities become irrelevant, not because they cease existing, but because they are assumed. When that same methodology is applied to information protection, the assumption is that malicious actors can indeed reach it, but there exists a native mechanism to verify they can’t access it.

JAXenter: Could you explain what “Cyber Herd Immunity” means?

Yuval Herzog: As it became evident that the current cybersecurity approach just isn’t working, Tide introduced an entirely new paradigm that we call “Cyber Herd Immunity”. In a reality that forces us to accept that a breach is inevitable, imagine that, in order to breach a single organization, an attacker had to breach an entire network of organizations. Tide’s technology is the first to harness the scale of the internet and allow the mass aggregated strength of an entire network of organizations to protect each other against malicious attacks of any scale, whether they’re a multinational or a small business.

Tide’s “cyber herd immunity” tames the “herd” into a single, cohesive “guardian” that is virtually impossible to compromise. That guardian protects an organization’s most sensitive digital assets – whether it’s their data, funds or critical infrastructure – by managing the cryptographic keys securing these assets.

Having those keys handled exclusively by Tide’s guardian, outside of the organization, gives these organizations the assurance that even when breached, there’s nothing to find, because their assets remain locked. When anyone needs legitimate access to an asset, they make a request to the guardian, which authenticates and validates the request, and provides one-time access to the requester for the requested asset – allowing organizations to continue operating as they did before.

JAXenter: What is “blind secret processing” and what is its use case?

Yuval Herzog: For an entire network of unaffiliated organizations to jointly cooperate as one cohesive entity that provides ironclad security, sophisticated coordination is required. To guarantee that no organizations in this network can pose a threat to others, whether maliciously or accidentally, that coordination needs to be nothing less than miraculous. To achieve that, Tide invented “blind secret processing” – a breakthrough in cryptography that manages secrets that no one can ever access, not even Tide. Using this novel invention, each cryptographic key is created in an already fragmented state across a decentralized network of unaffiliated nodes and is never assembled. This introduces security levels that are orders of magnitude greater than anything on the market.

Using a simple API call, organizations can request each node to use its key fragment to perform a small part of a cryptographic operation, like authentication, decryption or signing. The nodes then reply with meaningless puzzle pieces that only an authorized requester can assemble into a meaningful result – leaving everyone else in the blind. All this, without any centralized coordination effort and with a mathematical guarantee that no single node can compromise the key, the asset or the process of the asset being unlocked – a guarantee that anyone can verify, whether it’s the organization’s platform developer, the security manager or the end-users using it.

JAXenter: Previously, Tide worked on a technology that splinters passwords into pieces. Could you tell us about that; how does it work?

Yuval Herzog: Tide’s password splintering was the first breakthrough in fully decentralized user authentication technology. The current best practice for user authentication is achieved by organizations holding an artifact of the user’s password to compare to each time the user authenticates. Usually, these artifacts are a copy of the password, but are encoded in a cryptographic “hash,” “salt” and “pepper” to protect against theft. Unfortunately, any existing centralized mechanism like this is susceptible to takeovers by malicious actors – even and especially if that actor is a highly-privileged employee. Once such a takeover occurs, an attacker can perform “offline brute-force attacks” on all the artifacts and extract all users’ credentials from it. This has proven to be a reality, regardless of what technology or security level was employed.
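The “artifact” described above, as an added illustration that is not part of the interview or of Tide’s code: a per-user salt, a slow hash, and a server-wide pepper kept outside the database. The example also contrasts an unsalted digest, where two users with the same password produce the same stored value, with the salted record, where each record must be attacked on its own; the pepper, password and iteration count are constructed values.

```python
"""Salted and peppered password storage versus a bare digest.
Constructed example; parameters are illustrative, not any product's defaults."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # work factor: every offline guess must pay this cost


def plain_digest(password: str) -> str:
    """The weak form: one unsalted hash. Equal passwords give equal digests,
    so a single guess can be checked against every leaked record at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, pepper: bytes, salt: bytes = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the stored record: salt, iteration count and digest.
    The pepper is a server-wide secret held outside the database (e.g. in a
    KMS or HSM); it keys an HMAC over the password before the slow hash, so the
    record on its own is not enough to test guesses against."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    pepper = b"constructed-pepper-held-in-kms"   # constructed value
    # Two users who chose the same password.
    print("plain digests equal:", plain_digest("hunter2") == plain_digest("hunter2"))
    a = hash_password("hunter2", pepper)
    b = hash_password("hunter2", pepper)
    print("salted digests equal:", a["digest"] == b["digest"])
    print("login ok:", verify_password("hunter2", pepper, a))
    print("record alone, wrong pepper:", verify_password("hunter2", b"guess", a))
```

The pepper does not replace the salt: the salt stops one guess from covering many users, while the pepper means a dump of the user table without the server’s secret cannot be used to confirm guesses at all.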

The splintering concept was very similar to that best practice, but with a major difference — each artifact was split and distributed across a decentralized network – where each of the nodes would perform an authentication and reach a consensus between them. In a study Tide did, splintering was found to increase security levels by about 14,000,000 times. While that offered significant improvement, later research found that because artifacts of the password still remained in the network, it was theoretically possible to still perform an offline brute-force attack, although it would have taken far longer and yielded only one record.

JAXenter: What can you tell us about PRISM authentication? How does it work and what are its security benefits?

Yuval Herzog: PRISM is the 3rd and latest iteration of Tide’s decentralized password authentication that superseded splintering and currently offers the strongest and most secure scheme, raising previous security levels by hundreds of orders of magnitude and bringing it very close to the strength of public-key cryptography.

In PRISM authentication the password never leaves the user’s environment, not in any form or even in an artifact of it. It thus removes all attack vectors external to the user’s environment, such as man-in-the-middle attacks, a compromised server, a compromised network, offline attacks, online attacks, brute-force/rainbow attacks, etc. Additionally, Tide introduced a strength previously non-existent in the market: resilience against a fully active man-in-the-middle (proxy) attack – even if that proxy is a malicious/compromised network node.

The way PRISM works, and the reason it is called PRISM, is by having the user’s password solve a challenge that requires a specific cryptographic key, with that key being the “reflection” of the password through a prism that only the server has. All this occurs without the password ever being revealed to the server, without the key ever being revealed to any party, without the prism ever being revealed to the user, and because of the decentralized nature of the “server”, the server’s prism is never revealed to any of the nodes (i.e. to itself!). The PRISM process is extremely efficient, fast and highly scalable. Tide developed it to work in a fully decentralized environment – so the prism itself is spread across a large cluster of unaffiliated servers.
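The two ideas above, nodes each applying a key fragment and returning pieces only the requester can use (the “blind secret processing” answer), and a password-derived key obtained through a server secret the user never sees (this PRISM answer), can both be shown with one standard construction: a threshold oblivious pseudorandom function. This is an added example written for this page; it is a generic textbook construction, not Tide’s protocol, and it makes two simplifications that are labelled in the code: a dealer splits the secret (Tide describes keys created already fragmented), and the group is a tiny safe-prime group so the numbers fit on a page. `P`, `Q`, `G`, the share count and the passwords are constructed values.

```python
"""Toy threshold OPRF: a secret k exists only as Shamir shares held by
independent nodes. The client blinds a hash of its password, each node raises
the blinded value to its share, and the client combines the pieces and unblinds
to get H(pw)^k, a key that depends on both the password and k.
Nodes never see the password; the client never learns k; no node ever holds k.
Constructed illustration with a toy-sized group, not Tide's protocol."""
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy size; real deployments use ~256-bit groups)
Q = 509    # prime order of the subgroup of squares mod P
G = 4      # 2^2, a square mod P, so it has order Q


def shamir_split(k, t, n):
    """Split k in Z_Q into n shares, any t of which determine k.
    Simplification: a dealer knows k; a distributed key generation would
    create the shares without k ever existing in one place."""
    coeffs = [k % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        acc = 0
        for a in reversed(coeffs):        # Horner evaluation of f(i)
            acc = (acc * i + a) % Q
        shares[i] = acc
    return shares


def lagrange_at_zero(indices):
    """Coefficients lam_i with sum(lam_i * f(i)) = f(0) mod Q."""
    lams = {}
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        lams[i] = num * pow(den, -1, Q) % Q
    return lams


class Node:
    """One unaffiliated node: holds a share and answers blinded queries only."""
    def __init__(self, index, share):
        self.index = index
        self._share = share                    # never leaves the node

    def evaluate(self, blinded):
        # A 'puzzle piece': x^(r*share_i), meaningless without the others and r.
        return pow(blinded, self._share, P)


def hash_to_group(password: bytes) -> int:
    """Map a password to an element of the order-Q subgroup (toy hash-to-group)."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big") % P
    x = h * h % P                              # squaring lands in the subgroup
    return x if x > 1 else G                   # avoid 0 and the identity


def combine(partials, t):
    """Requester side: fold t or more pieces into x^(r*k) using Lagrange weights."""
    if len(partials) < t:
        raise ValueError("below threshold: need %d partial results" % t)
    lams = lagrange_at_zero(list(partials))
    out = 1
    for i, piece in partials.items():
        out = out * pow(piece, lams[i], P) % P
    return out


def derive_key(password: bytes, nodes, t):
    """Client: blind, query t nodes, combine, unblind. Returns H(pw)^k."""
    x = hash_to_group(password)
    r = secrets.randbelow(Q - 1) + 1
    blinded = pow(x, r, P)                     # hides x, and so the password
    partials = {n.index: n.evaluate(blinded) for n in nodes[:t]}
    combined = combine(partials, t)            # = x^(r*k)
    return pow(combined, pow(r, -1, Q), P)     # = x^k: r cancels, k stays hidden


if __name__ == "__main__":
    k = secrets.randbelow(Q - 1) + 1           # only the toy dealer sees this
    nodes = [Node(i, s) for i, s in shamir_split(k, 3, 5).items()]
    k1 = derive_key(b"correct horse", nodes, 3)
    k2 = derive_key(b"correct horse", nodes[2:], 3)   # a different node subset
    print("same key from any 3 nodes:", k1 == k2)
```

Two properties are worth checking by hand: the blinding factor `r` is fresh per request and cancels only on the client, so a node (or an on-path proxy) that records the exchange learns neither the password nor the derived key; and `combine` refuses fewer than `t` pieces, so the nodes below the threshold hold nothing that can be brute-forced against a stored key.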


JAXenter: Do you believe that the future could potentially be passwordless and depend on multi-factor authentication or other personal verification methods? Would that be an improvement on the current model?

Yuval Herzog: I believe the discussion around the different factors of authentication is almost insignificant in the long run – as it’s not solving anything, but rather moving the problem elsewhere. It does indeed make the challenge of compromising the authentication harder for bad actors, but not without an additional burden on end users.

The purpose of any factor of authentication is to establish 3 elements: the identity of the user, their authorized privileges, and their intent to perform an action. All 3 are required to establish the momentary authority of a user in a certain activity within a system.

The problem this highlights is that when the user is granted authority, it means it was bestowed or delegated by a higher or superior authority in that system – and therein lies the problem – because it requires the system to have absolute power over the user and its representation in that system. To put it simply: an administrator can easily masquerade freely as any user in that system. If that administrator is compromised or malicious, the implications are catastrophic.

An improvement on that model would be a move towards a Self-Sovereign Authority model based on trustless technologies that reveal nothing about the user or their identity, and prevent anyone from acting within a system without their verified authority. In a Self-Sovereign Authority model, authentication is handled outside the system, through an open, decentralized network that the user doesn’t need to trust. The number of factors being used for the authentication will solely depend on the sensitivity of the activity sought.

I personally believe that because authentication processes are required to establish intent, some integration with the human brain, together with the establishment of some sort of unique-brain-signature, would be the optimal method.

Source of this news: https://jaxenter.com/herzog-security-176045.html
