Views, News & more
The traditional approach to IT security is no longer adequate.
Passwords, permission groups, firewalls, traditional VPNs and anti-virus software remain in use but aren’t enough to achieve good security.
Mindful of this, software companies, hardware vendors and service providers have been retrofitting additional layers of protection to their offerings. The end result is a quiet revolution in IT Security.
Multi-factor authentication (MFA) often combines evidence of something you know (like a password) and something you have (a registered mobile or security token). In some cases, biometric scans of a finger or face may confirm a mobile device is in the possession of the expected user. If such scans fail, there is often a fallback option of a pin code or unlock pattern – a second ‘something you know.’
MFA is evolving due to vulnerabilities. One-time codes delivered by SMS are falling out of favour due to SIM-swap and SS7 attacks, with authenticator apps taking their place as the means of delivering some ephemeral credentials. However, this switch doesn’t mean MFA Is foolproof. MFA Fatigue attacks (where hackers trigger multiple login attempts and MFA notifications) can tempt users into approving malicious access requests in an ill-advised attempt to stop the alerts.
To improve security, the way authenticator apps are used is evolving. Rather than request a simple approval for a log-on attempt or displaying a one-time code, some of these apps can require users to input a number from the login screens of sites they’re genuinely trying to access. This new approach slashes the chance that users will mistakenly authorise malicious access attempts by bad actors.
Instead of just blindly accepting a username/password or session cookie while a session is active, risk-based authentication adjusts authentication requirements after a real-time assessment of risk. This might take into account the user’s behaviour, IP address, presence of session cookies, browser footprint, time of day, day of week, certificate presence, the resources being accessed, and the suspiciousness of the access requests.
This risk-based approach can be applied to servers, routers and endpoints, not just users.
Historically, much IT security analysis focused on a single point in isolation – observing what happened on a specific laptop, server, or firewall. XDR examines events from across a range of end-point devices, servers and networks, so it can see the bigger picture.
XDR can then respond to perceived threats not merely on the device where the incident happened but on other devices too. For example, if a laptop on the LAN reports worrying behaviour indicative of the device being compromised, the XDR system might cut off that device’s network access to contain any damage, ensuring that end-point security isn’t the only line of defence.
If someone attacks your network at 2am on a Saturday, there is a high chance no-one will be around to notice. XDR can automatically apply standard defensive responses. But if you want automated responses that are more substantial and configurable, there is SOAR – Security Orchestration, Automation and Response.
Broadly speaking, you establish a playbook of automated responses to attacks, so your systems can automate their own defence.
These protect websites against SQL injection attacks, cross-site scripting attempts and some bot traffic.
With traditional IT security, you learn about threats by spotting them when they hit your systems. Threat Intelligence makes it possible to block attacks you haven’t yet experienced by applying lessons learned from attacks on others. Think of it as the anti-virus subscription model applied more broadly to security.
At its core is crowdsourced intelligence. Security devices such as firewalls may share threat data with their vendor. That vendor may then share aggregated threat intelligence with upstream threat data aggregators and relevant third parties. Vendors then update their threat signatures and IP address classifications based on the data they’ve exchanged, incorporating lessons from a wide range of attacks.
It is easy to be overly generous when marking your own homework. To avoid that, it may make sense to have an external expert mark your work instead. That’s why many larger firms decide to pay for penetration testing, where a third party firm’s ethical hackers review IT security and reveal their findings privately, so the most serious security issues can be fixed before hackers exploit the vulnerabilities.
There are penetration testing tools that can help you hunt for problems yourself. For example, some scan your public IP addresses for public-facing hosts that are insufficiently patched.
Major cyber attacks cost a lot of money to fix quickly. Insurance can help defray the substantial cost of a serious attack, provided you meet the security baseline required by your cyber insurance policy.
5G is more secure than 2G and 3G. However, a determined attacker could jam 4G/5G frequencies locally, forcing a downgrade to less secure alternatives. Planning is underway to remove those less secure options.
In 2024 and 2025, EE, Three, Vodafone and Virgin Media O2 are expected to shut down their 3G networks. By 2033, all UK network operators will have shut down their 2G networks.
Meanwhile, work is ongoing to extend 4G and 5G coverage. This includes extending the availability of 5G SA (Stand Alone), a version of 5G that doesn’t depend on 4G for uploads. Full 5G allows phones to use multiple network segments simultaneously, for example to use a different mobile connection for work-related traffic and personal traffic.
End-point security is essential but imperfect. Remote Browser Isolation adds another layer of protection by shifting the web browsing to another machine, with the user essentially having a remote desktop session to a browser instance on a different machine. This approach protects against escalation of privilege attacks and may make it harder for sites to track you via browser fingerprinting.
This cuts the delay between security patches being released and applied, giving attackers less time to exploit security holes. Automated patching is appropriate in some cases, and inappropriate in others – patches do sometimes break things so some may need testing prior to being applied to production environments.
The current version of Windows 10 (22H2) will reach ‘end of support’ on 14 October 2025. Its successor OS, Windows 11, requires a Trusted Platform Module. This module processes encryption-related functions in a secure manner, enabling a device to prove its identity. High-end smartphones feature these modules too. These modules are expected to gradually trickle down to cheaper phones, making ‘mobile device management’ more secure.
Even if you achieve perfect security with respect to your LAN/WAN, there is a problem: your organisation probably uses a lot of cloud services that allow direct access via the Internet. This creates a security blindspot. Cloud Access Security Brokers address this issue by asking cloud services to redirect logon attempts to them for approval. This allows you to add multi-factor authentication to cloud services that don’t currently support MFA.
It also gives you visibility over cloud use – you can rationalise unused licences and spot unexpected logins. In some cases, an access proxy may be able to mediate between the user and the cloud service, using its position to prevent data loss.
Cloud Access Security Brokers tend to force users to login using their primary user account, rather than a cloud-specific account. This makes it easier to lock employees (and former employees) out of all systems simultaneously should the need arise.
By implementing a Cloud Access Security Broker, you also get visibility over failed login attempts, making it easier to spot if individual users are coming under attack.
If employees misuse their access to your cloud systems, you will have central logs proving when they accessed the relevant cloud systems, helping you investigate any data leak.
It is now routine for employees to access work data (including work emails) on mobiles, tablets and laptops. Mobile Device Management helps you keep data safe on those devices by controlling how those devices can access that data.
MDM may ensure work files are encrypted at rest and in transit. It may stop users from accessing locally stored work data unless they authenticate themselves to their organisation’s satisfaction occasionally. MDM may force the user’s screen to lock within a certain period, ordinarily. It may even insist on biometric authentication methods being used.
If your data is stored in the cloud, you need to protect the cloud systems you use with appropriate security measures.
Cloud Security Posture Management helps you keep your cloud-based systems secure by highlighting suboptimal cloud security settings that need to be addressed.
For example, it might point out that you have yet to set up multi-factor authentication on the admin account, or are running virtual machines whose operating system versions are outdated. It might highlight that certain object storage buckets are publicly accessible lest that’s unintentional.
IT service providers and vendors will use AI to improve email, web and DNS filtering, and better understand individual users’ behaviour patterns, making it possible to flag or block suspicious behaviours automatically while also reducing false positives.
Unfortunately, this addition of AI is needed because bad actors will use AI too – reducing the effectiveness of traditional filtering approaches. For example, polymorphic malware varies its code as it propagates, reducing the effectiveness of hash-based virus signatures and basic behavioural signatures.
Now that remote work is common, confidential files are routinely stored on devices in employee homes. Many work emails are stored on personal mobiles. Confidential data is transmitted over home Wi-Fi networks that support older, less secure versions of Wi-Fi.
It is sensible to encrypt the work-related data stored on these devices and use a VPN client or Zero-Trust Network Access client to encrypt the data in transit.
The industry-standard encryption you rely upon is expected to become crackable in the medium-term. This impacts the encryption you use to protect user laptops, the encryption that keeps your emails private, and the encryption that keeps your VPN secure.
The U.S. National Institute of Standards and Technology, which chose the world’s most popular secure encryption standard, AES, held a competition to select post-quantum cryptography standards.
In the coming years, IT Vendors will update the encryption algorithms they support, so ever more files and traffic can be protected by algorithms still believed to be resistant to quantum-computer password cracking.
Trusting any device connected to your office LAN directly is an outdated approach, especially now most offices have a wireless LAN the signal for which is accessible from outside the office.
A better approach is to be more sceptical – requiring most devices and users to authenticate with more than a username and password before being granted access to the network. Access proxies will mediate between the user/device and the hosts they want to contact, providing granular security.
This ‘zero trust’ approach is also applied to remote users. Connecting to a VPN gateway should no longer result in the user being able to connect to anything on the office LAN, regardless of need, device security posture, location, time of day or recent suspicious behaviour.
It is not enough to have backups. Your backups need to be malware proof. This means you need to scan your backups for malware prior to allowing your old backup generations to be overwritten.
Attackers often go after backups, aware that if they can delete or overwrite the backups, the victim organisation is more likely to pay a ransom to restore lost data. Immutable backups make sure ransomware can’t delete your backups even if a privileged account is compromised.
To find out more, give us a call on 020 7847 4510 or fill in the ‘contact us’ form below.
020 7847 4510
We may process your personal information in order to send you information you request, measure and improve our marketing campaigns, and further our legitimate interests. For further details, see our privacy policy.