STE WILLIAMS

It should come as no surprise that misconfigured security by far remains the most common flaw found in applications today with the wave of exposed Amazon Web Services S3 buckets, HTTPS pages, and other high-profile mistakes exposed publicly over the past year. But new data gathered from real-world appsec penetration tests exposes just what types of configuration mistakes organizations are making that expose their data.

Pen-test-as-a-service firm Cobalt found in nearly 1,000 pen tests using its platform in 2018 that 60% of all security misconfigurations are mistakes with security headers and application settings. Security misconfiguration basically is where an app or setting doesn’t enforce security controls, according to Cobalt, which has seen misconfiguration as the No. 1 vulnerability for the past three years of its pen testing. Misconfiguration mistakes can include insecure default configurations, exposed S3 buckets, error messages that include sensitive information, and not keeping systems or software and development frameworks updated.

As obvious as properly setting security-headers sounds — ensuring the entire site is HTTPS and doesn’t revert to HTTP, for example — it isn’t always as easy for organizations to get it right. “These things are often an afterthought. Folks continue to be focused on getting their code completed, done, and released,” says Caroline Wong, chief security strategist at Cobalt, which will release its appsec pen-testing report this week. “It’s pretty easy to make mistakes.”

Ensuring that all Web connections use HTTPS, for example, can be tricky. “There are security features in [platforms] that take these [potential] mistakes out of the hands of developers, but developers still have to use them and include them,” she says.

Cobalt found that 30.1% of security misconfigurations were in security headers; 28.5% in application settings; 12.7% in encryption settings; 11.5% in server configuration; 9.6% in mobile settings; 4.9% in cloud settings; and 2.9% due to an improper security control. But the highest-risk mistakes, according to the pen-test report, are server configuration — such as unprotected file shares and unpatched operating systems — and application settings such as error messages that reveal sensitive information and software version disclosure.

Joe Sechman, vice president of Cobalt Core Labs, says security misconfiguration won’t be solved overnight, especially with the arrival of Internet of Things devices. “The grim observation is we don’t see misconfigurations magically turned around and fixed overnight,” he says. “I’ll bet it’s going to be a little worse in … IoT devices … with the rush to market [new] features.

But the good news, he says, is that progress is actually being made on the application side in general. “Be informed before you do pen testing,” he advises.

Cobalt also surveyed 150 security, DevOps, and other related professionals across various industries including cloud, retail, and finance, about their secure development practices and pen-testing strategies. Some 92% of those surveyed employ Agile/DevOps, and 20%, waterfall development methods. More than half write their own software, and 26% work with third parties to develop apps.

Cobalt’s Wong says the main nugget from the survey, which is part of the overall pen-test report, is that while most of the organizations want to conduct more appsec pen testing, the cost is prohibitive. Half of the organizations say it’s too expensive to perform pen tests more regularly than they currently do.

Some 80% say they pen test their apps because it improves their security; 60% because it’s part of their development life cycle; 57% because customers request it; 56% to prove security issues were fixed; 54% for regulatory compliance for customers; and 36% for risk assessment for third-party vendors.

Nearly half of the organizations say they pen test some 67% to 100% of their applications; that was the case of just 24% of organizations in last year’s survey by Cobalt.

Budget-wise, 60% say pen testing is a high priority and 2% say it’s a low priority, according to the new report.

Related Content:

• DevOps’ Inevitable Disruption of Security Strategy
• The Truth About Your Software Supply Chain
• The State of Application Penetration Testing
• Trust: The Secret Ingredient to DevSecOps Success

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/application-security/what-the-appsec-penetration-test-found/d/d-id/1335195?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft today patched 77 vulnerabilities and issued two advisories as part of its July security update. Two of these bugs are under active attack; six were publicly known at the time fixes were released.

Of the CVEs fixed today, 15 were categorized as Critical, 62 were rated Important, and one was ranked Moderate in severity. Patches address vulnerabilities in a range of Microsoft services including Microsoft Windows, Internet Explorer, Office and Office Services and Web Apps, Azure, Azure DevOps, .NET Framework, Visual Studio, SQL Server, ASP.NET, Exchange Server, and Open Source Software.

One of the vulnerabilities under active attack is CVE-2019-1132, a Win32k elevation of privilege flaw that exists when the Win32k component fails to properly handle objects in memory. Successful exploitation could lead to arbitrary code execution in kernel mode, which is normally reserved for trusted OS functions. An attacker would need access to a target system to exploit the bug and elevate privileges.

The other flaw seen exploited in the wild is CVE-2019-0880, another elevation of privilege vulnerability that exists in how splwow64.exe handles certain calls. On its own, the bug doesn’t enable arbitrary code execution, but it could allow arbitrary code to run if an attacker uses it in combination with another bug, such as a remote code execution bug or another elevation of privilege flaw. Given it’s under attack, it’s likely this was paired with a second vulnerability, but Microsoft has not shared details on this.

“These patches, though labeled as Important, should be prioritized, as they could be chained with other vulnerabilities to provide an attacker with complete system access,” says Qualys’ patch management expert Jimmy Graham.

Graham also points to CVE-2019-0785, a Critical memory corruption vulnerability that exists in Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker with network access to the failover DHCP could run arbitrary code, he explains, noting that this patch should be prioritized for any organizations with systems running DHCP in failover mode.

“One of the most critical vulnerabilities this month is present in Microsoft DHCP server,” says Allan Liska, intelligence analyst for Recorded Future. “This memory corruption vulnerability affects all versions of Windows Server from 2012 – 2019 and it is remotely exploitable.” Recorded Future hasn’t seen the bug being abused in the wild, he continues, and it doesn’t appear to be a widely exploited flaw. “That does not mean organizations should not prioritize patching this vulnerability,” Liska says.

Another worth noting is publicly known vulnerability CVE-2019-1068, a remote code execution flaw that exists in Microsoft’s SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this could execute code in the context of the SQL Server Database Engine service account, which they could do by sending a specially crafted query to an affected SQL server.

CVE-2019-1068 is categorized as Important, and it does require authentication, Graham points out. However, it could be chained with SQL injection to let an attacker completely compromise the server.

Satnam Narang, senior research engineer at Tenable, also points to CVE-2019-0887, a publicly known remote code execution vulnerability in Remote Desktop Services, formerly known as Terminal Services. “Exploitation of this vulnerability could result in arbitrary code execution, but requires an attacker to have already compromised a target system,” he explains. A successful attacker would have to first gain access to a system running RDS then wait for a victim system to connect to RDS. When the victim connects to the server, the attacker can exploit the bug to execute code on the victim’s system.

Microsoft patched four more publicly known bugs: Docker elevation of privilege vulnerability CVE-2018-15664; SymCrypt denial of service vulnerability CVE-2019-0865; Azure automation elevation of privilege vulnerability CVE-2019-0962; and Windows elevation of privilege vulnerability CVE-2019-1129.

Two advisories were also published today: one warns of a cross-site scripting vulnerability in Outlook on the Web. Another advisory alerts users to a Servicing Stack Update for all supported versions of Windows 10, Windows 8.1, Windows Server 2012 R2, and Windows Server 2012.

Related Content:

• 7 Ways to Mitigate Supply Chain Attacks
• DevOps’ Inevitable Disruption of Security Strategy
• Smash-and-Grab Crime Threatens Enterprise Security
• 7 Hot Cybersecurity Trends to Be Highlighted at Black Hat

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/risk/microsoft-patches-zero-day-vulnerabilities-under-active-attack/d/d-id/1335197?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Zoom Video Communications today announced changes to its videoconferencing client for Mac systems after a security researcher disclosed vulnerabilities in the software that, among other things, allows attackers to force users into video meetings without their permission.

Zoom acknowledged the issues in a blog post but described them as presenting less of a threat to Mac users than reported by Gradle security researcher Jonathan Leitschuh. Zoom, whose software is used by millions of Mac users, also announced changes to its bug bounty program to make it easier for security researchers to disclose vulnerabilities to the company.

Yesterday, Leitschuh disclosed a trio of issues in the Mac Zoom Client that he said put an estimated 4.5 million users — including some 750,000 organizations — at risk of information disclosure and other threats.

The most serious is a vulnerability that gives attackers a way to forcibly join a user to a Zoom video call even when that person did not grant permission for it. The problem has to do with a local Web server that Zoom installs on Macs.

According to Zoom, the Web server allows users using the Safari browser to join Zoom meetings without having to confirm they want to start the Zoom client first each time.

From a security standpoint, the problem is that any website a Mac user visits can also interact with the Web server, Leitschuh said in his post. This gives attackers an opportunity to use the Web server to get Mac users to join meetings without their permission, according to Leitschuh, who released proof-of-concept code showing how such a hack would work.

“All a website would need to do is embed [the code] in their website and any Zoom user will be instantly connected with their video running,” Leitschuh said. “This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.”

What makes matters worse is the fact that the Web server remains on the system even if a user uninstalls the Zoom client. The Web server is designed to automatically reinstall the Zoom client without any user interaction at all, leaving open the possibility for future abuse, the security researcher said. “Having every Zoom user have a Web server that accepts HTTP GET requests that trigger code outside of the browser sandbox is painting a huge target on the back of Zoom,” according to Leitschuh.

One example Leitschuh highlighted is of attackers being able to execute a denial-of-service attack on a Mac simply by repeatedly pinging the Zoom Web server with requests for a bad number. That particular issue existed in Zoom’s Client version 4.4.2 and has since been addressed via a patch that Zoom issued in May, he said.

Feature or Bug?
In its blog, Zoom acknowledged that if a user has not configured the Zoom client to disable video when joining a meeting, an attacker might be able to view his video feed. However, by disabling the auto-starting of video, users can mitigate the threat. Also, because the Zoom client is visible to the user when it launches, any attempt to force a user into a video meeting would also become immediately apparent to the user, who could then shut it down immediately.

Zoom described the Web server as being of limited functionality and able to respond only to requests from the local machine. The company said the Web server was a legitimate approach to enabling users on Safari to join meetings with just one click. Other videoconferencing software tools have a similar feature, the company said.

At the same time, Zoom acknowledged it currently does not offer users an easy way to uninstall both the client and Web server components from their systems. To address that issue, the company will introduce a new uninstaller for Mac later this month that also will give users more control over their video settings. Users will be able to set their video preferences from their first Zoom meeting, and those preferences will stick for all future meetings unless they change them.

The fact that Zoom installs a local Web server by itself is not bad, says Tod Beardsley, research director at Rapid7.

The local server offers a way to address the different ways different browsers enforce same origin policies when it comes to “localhost,” he says. But “it’s definitely bad that it doesn’t uninstall when the application is uninstalled, since now the user is left with a running local Web server they don’t know about,” he says. An attacker armed with an exploit could deliver it via an iframe, for instance, that would run on the local Web server without the user’s knowledge.

Boris Cipot, senior security engineer at Synopsys, says in addition to disabling the auto-start video function in Zoom, users should also monitor Zoom for any notifications and patches for the issues disclosed this week.

“If you don’t normally use Zoom and it just happened that you were invited in a Zoom session, you have the risk the vulnerability also on your device,” he says. “This means that you are now a potential target for someone who wants to use this vulnerability as well.”  

Related Content:

• Security Bugs in Video Chat Tools Enable Remote Attackers
• Cross-Site Scripting Errors Continue to Be Most Common Web App Flaw
• Safe Harbor Programs: Ensuring the Bounty Isn’t on White Hat Hackers’ Heads
• Effective Pen Tests Follow These 7 Steps

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/zoom-client-for-mac-exposing-users-to-serious-risks/d/d-id/1335196?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In February 2019, a large ship bound for New York City radioed the US Coast Guard warning that the vessel was “experiencing a significant cyber incident impacting their shipboard network.” 

The Coast Guard led an incident-response team to investigate the issue and found that malware had infected the ships systems and significantly degraded functionality. Fortunately, essential systems for the control of the vessel were unimpeded.

On July 8, the military branch issued an alert to commercial vessels strongly recommending that they improve their cybersecurity in the wake of the incident, including segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections, and patching regularly. 

“It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep-draft vessels,” the Coast Guard’s alert stated. “However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery.”

The focus on the security and safety of maritime networks is not new. Following the Stuxnet attack in 2009, which decimated the ability of Iran to enrich uranium ore and demonstrated the ability of cyber operations to impact physical infrastructure, government and industry began to look to their own defenses. Among those scrutinized sectors were maritime and shipping.

The European Network and Information Security Agency, now known as the European Union Agency for Cybersecurity, analyzed the state of maritime cybersecurity in 2011, releasing a report late that year. The report found that cybersecurity awareness in the maritime sector was “low to non-existent” and the focus of nearly all security measures were on physical systems. 

Six years later, the industry had woken up to the threats but still moved at a slow pace, says Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry. In 2017, however, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, requiring the firm to reinstall 4,000 servers, 45,000 workstations, and 2,500 applications in less than two weeks, costing the firm between $250 million and $300 million.

The incident spurred the industry to greater efforts, focusing on cybersecurity issues, including establishing industry groups and vetting initiatives. Yet companies in the sector are still not ready, says Schmitz. 

Incidents like NotPetya are “bound to happen and such random incidents will happen to other shipping companies as well as companies of any other industry,” Schmitz says. “In this regard, the shipping industry is neither more nor less vulnerable than any other globally operating business.”

Yet more than 90% of the world’s trade is carried by shipping, according to the United Nations’ International Maritime Organization, and that puts the industry in the crosshairs of potential targeted attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyberattack. 

In addition, the business model of global shipping makes the vessels even more vulnerable, SOFTimpact’s Schmitz says. Crew tend to be temporary — independent contractors on voyage contracts — an arrangement that makes them hard to train and usually unfamiliar with a specific company’s information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, making assigning responsibility for information systems — and incidents to those systems — nearly impossible. Good luck telling the captain or a port pilot that they cannot use a USB stick, he says. 

“The role of the in-house IT must be extended to include the OT systems,” Schmitz says. “The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility.”

The issues apparently plagued the commercial ship mentioned in the US Coast Guard alert. The ship’s crew knew, but did not care, that the entire system was insecure.

“Prior to the incident, the security risk presented by the shipboard network was well known among the crew,” the alert stated. “Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business — to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard.”

The US Coast Guard recommends that owners of vessels and the shipping firms that use the vessels require regular cybersecurity assessments. Other recommendations can be found on the Coast Guard’s cybersecurity page.

For the most part, shipboard networks do not pose a great risk until they are specifically targeted by attackers who aim to compromise the operational networks. While those attacks are not common, they will come, says SOFTimpact’s Schmitz.

“There is no reason to panic, but there is a problem and in many shipping companies, it has not been dealt with in an adequate (or organized) manner,” he says.

Related Content

• Russia Regularly Spoofs Regional GPS
• Inmarsat Disputes IOActive Reports of Critical Flaws in Ship SATCOM
• Golden Galleon Raids Maritime Shipping Firms
• Sea Craft Voyage Data Systems Vulnerable to Tampering, Spying
• First EU-Report on Maritime Cyber Security

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/coast-guard-warns-shipping-firms-of-maritime-cyberattacks/d/d-id/1335198?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity incidents cost an estimated $45 billion in 2018, according to a new report that aggregates data from different types of reported security incidents from around the world.

It’s difficult to get a complete picture of the cyber incident landscape, says Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance (OTA), which today published its “2018 Cyber Incident Breach Trends Report.” “Everyone’s viewing it from their own lens,” he says. 

When the OTA published its first edition of this report 11 years ago, it only focused on data breaches, Wilbur adds. A rapidly evolving threat landscape forced it to broaden its scope. 

“A few years ago we realized this underrepresented the number of cyber incidents,” he explains. “We started looking at adding business email compromise, ransomware, and other DDoS attacks because those are orders of magnitude larger than breaches that get reported.

What’s interesting, he continues, is many of the techniques cybercriminals use to break into systems have largely remained the same: They use employee credentials, for example, or exploit a known vulnerability in an organization that hasn’t updated its software. “The ways to get in have been relatively constant for a while,” says Wilbur, though there are some changes.

Internet of Things (IoT) devices, for example, have introduced new ways of breaking into organizations, as has organizations’ growing reliance on third-party vendors. “The clever way to get into systems is through third parties that may be less secure,” Wilbur adds. More attackers are breaking into target organizations by planting malware on or gaining unauthorized access into vendor systems.

Supply chain- and IoT-based attacks may be growing, but email attacks and vulnerability exploitation remain the most common ways to break into a target system. However, the actions cybercriminals take once they gain access to a network continue to shift over time.

Tracking Trends in Cybercrime
In their exploration of how attack patterns fluctuate over time, researchers noticed ransomware declined overall between 2017 and 2018, though it specifically increased among enterprise users. Cryptojacking became prominent in late 2017 and grew in 2018; however, it later started to rapidly decline as cryptocurrency’s value plummeted and attackers sought new ways to generate illicit income. Researchers found reports of 1.3 million incidents of cryptojacking in 2018 and 500,000 of ransomware.

Distributed denial-of-service (DDoS) attacks were reportedly down in 2018, though some reports indicate they’re still causing chaos in some industries. The challenge with DDoS attacks is determining how many attacks are successful, researchers point out. There is no aggregated reporting, and most businesses hesitate to acknowledge where they are vulnerable.

Business email compromise (BEC) was up significantly in 2018, researchers say. The FBI’s Internet Crime Complaint Center reported more than 20,000 BEC incidents in the US resulted in nearly $1.3 billion in losses in 2018 – up from 16,000 incidents and $677 million lost in 2017.

It’s one of many types of attacks contributing to the overall cost of cyber incidents in 2018. While financial impact is tough to determine, strong estimates put the cost of ransomware at $8 billion and credential stuffing at $5 billion. Some estimates are more general; for example, the Ponemon Institute reported the average cost of a data breach grew to hit $3.86 million.

Even with loose estimates, researchers estimate a total financial impact of at least $45 billion in 2018.

What does this data mean for the rest of 2019? “We’ve seen more supply chain attacks, [and] we’ve seen more ransomware, especially in the US,” he says, pointing to the new trend of cybercriminals targeting US cities including Baltimore, Maryland; Riviera Beach, Florida; and Atlanta, Georgia. While cryptojacking continues to drop off, we can expect to see more of the same threats we saw in late 2018 and early 2019, Wilbur says.

Back to Basics
As Wilbur explains, attack vectors leading to major breaches are typically simple.

These can be seen in many of the high-profile security incidents that made headlines in 2018. The breach of Aadhaar, India’s national ID database, compromised 1.1 billion records and was attributed to an unsecured API. An attack on the Marriott/Starwood system affected 383 million people and was caused by intruders who had been on the Starwood network since 2014 and would have been found by a routine network check prior to its acquisition by Marriott.

Given OTA found 95% of data breaches in 2018 were preventable, it seems organizations are not taking simple steps to protect themselves. “The same rules apply, so it’s actually the trend that organizations aren’t doing the basics really well,” he says.

This puts pressure on organizations to step up their game: you want to be the organization that, when attackers start to intrude, they don’t find a vulnerability and move on to an easier target.

Related Content:

• Zoom Client for Mac Exposing Users to Serious Risks
• Microsoft Patches Zero-Day Vulnerabilities Under Active Attack
• What the AppSec Penetration Test Found
• 7 Hot Cybersecurity Trends to Be Highlighted at Black Hat

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/risk/financial-impact-of-cybercrime-exceeded-$45b-in-2018/d/d-id/1335199?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloud services are becoming the norm in enterprise IT, but that doesn’t mean that they come without concerns. A new survey shows that nearly half of all enterprises believe that their cloud applications make them more of a target for cyberattacks. The cloud ranks third on the list of reasons executives think they might be attacked, just behind unprotected infrastructure such as Internet of Things devices (54%) and web portals (50%).

The report, the “2019 Thales Access Management Index,” is based on a survey sponsored by Thales and conducted by Vanson Bourne. The survey received responses from 1,050 executives in 11 countries; it asked them questions about both their concerns and the technology they’re employing to respond to those concerns.

“Organizations realize now that they are depending on cloud resources, cloud services, and cloud applications to run their business,” says Francois Lasnier, vice president of authentication and access management at Thales. The realization, though, has its limits.

“When you ask a lot of the CISOs, their initial reaction is that they only use a few applications or cloud services,” Lasnier says. “But when you start digging, you realize that sometimes there is a factor of 10 between what a CISO or IT administrator recognizes in the cloud application count versus what is actually the cloud usage.”

Even without an accurate understanding of their cloud exposure, the IT executives are broadly aware of the threats to cloud applications. Ninety-four percent of the executives say that their organizations’ security policies have been influenced by consumer breaches occurring in the last 12 months. The ongoing recognition of email as an attack vector is one of those responses.

“If you can hack into the email system of an organization, then you can start doing ID theft, and then you can start elevating your privilege,” Lasnier explains. Once the process has begun, attackers can then create fake identities, navigate within the company network, and wreak havoc.

The survey shows that access management is evolving to respond to the threat facing cloud applications. According to the results, 70% of companies have begun using two-factor authentication, 53% are using single sign-on (SSO), and 36% have begun using “smart” SSO — SSO that uses policy-based privileges for individual applications and network segments, along with multiple authentication stages when privilege escalation is required.

There are ongoing contradictions in the understanding that executives bring to the issues around authentication and application access. For example, nearly half of the IT executives surveyed said that smart SSO (49%) and biometric multifactor authentication (47%) are among the best tools for protecting cloud and web access, while only 24% saw social identity credentials (using Facebook, Google, or Twitter accounts for authentication) as a best practice.

However, more than half (56%) then said that they would allow employees to log in to enterprise resources using social media credentials for authentication.

Lasnier says that the confusion is largely a result of a rapidly changing enterprise environment that has seen the cloud, bring-your-own-device efforts, exceptional employee mobility, and other factors thrown into a mix that requires secure authentication and access management for users.

The access decision that was once black and white is now multivariable, Lasnier says. “Companies are looking now not just at access management that’s a single point function, but at bundling identity to provide secure access management to applications and to dictate services like encryption rules that can further protect data assets,” he says.

Related content:

• ‘Human Side-Channels’: Behavioral Traces We Leave Behind
• Office 365 Multifactor Authentication Done Right
• FIDO Alliance to Tackle Identity Verification and IoT Authentication
• The 3 Cybersecurity Rules of Trust
• Threat Actors Use Credential Dumps, Phishing, Legacy Email Protocols to Bypass MFA and Breach Cloud Accounts Worldwide

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/cloud/organizations-are-adapting-authentication-for-cloud-applications/d/d-id/1335200?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple