In a recent interview with SafetyDetectives, Julia O’Toole, CEO of MyCena Security Solutions, discussed her journey and the founding motivation behind her innovative approach to password security. O’Toole’s personal struggle with password management led her to develop a breakthrough technology inspired by ancient security practices. MyCena offers SEAM solutions, which empower companies to manage encrypted passwords like keys, eliminating the need for employees to know any passwords. O’Toole also addressed alarming cybersecurity trends, the hidden impacts of breaches, and how the “Zero Trust” philosophy aligns with the future of password security. She emphasized the importance of adapting to remote work challenges through advanced security measures like those offered by MyCena.

Can you talk about your journey and what motivated you to establish MyCena Security Solutions?

For decades I had password nightmares and could find a way to solve my problem. The solutions on the market such as password books or password managers were all unsafe, because they all had single points of failure. If you lose your book, or lose your master password, you would have lost all of the keys to your digital life. After years of research in mathematics, neuroscience and technology, it was a travel back in time that triggered the solution.

I was wandering among the ruins of the 3,000-year-old ancient Greek city of Mycenae, when I observed how the ancient Mycenaeans had used the city’s architecture to protect their assets. Having built concentric walls around the city, you had to pass a first gate, called the Lions’ Gate to enter the city, then a second to access the garrison, then a third to access the king’s palace. There I had an epiphany: “A password is just a key. No one cuts their keys to get home. We take the right key to open the right door. In the same way, no one needs to know any passwords, you just need to use the right password for each account.”

Inspired by the security of the ancient city of Mycenae, we devised the Method of Access of Structured Stored Data and developed a state-of-the-art technology that facilitates the management of encrypted keys. It allows companies to easily generate and distribute highly secure encrypted passwords for each system in real time to employees, who then use them like keys. Consequently, employees never know any passwords and yet can open every digital door.

What are the main services offered by MyCena?

MyCena provides SEAM (Segmented Encrypted Access Management) solutions. From a console and without infrastructure change, companies can manage and distribute encrypted passwords for each system to users, who use them like keys. Companies can also monitor who has accessed what and when in real time from the console.

What are the most alarming trends you’ve noticed in cyber threats related to passwords in recent years?

The most alarming trend is employees knowing company passwords. It is responsible for 95% of breaches. Today, most organisations let their employees create their own passwords to access their systems and data. This is like letting their employees bring their own keys to access the office or factories. As passwords can be shared, stolen, sold, reused, social engineered, this is a 10/10 in the CVSS scoring system. All it takes is for a criminal to log in using a compromised password or identity, and all cybersecurity investments are rendered useless. That explains why billions of dollars are spent on cybersecurity, yet companies continue to get breached.

Another very alarming trend is using people’s identity for access. Identities are unique. Each person’s face, voice, fingerprint cannot be changed. Biometrics are just data, which is a series of zeros and ones. That means once stolen, the damage is irreversible, and the person is digitally dead, and their identity can indefinitely be used to commit fraud without them knowing. Biometrics are also not secret information, as voices and faces can be retrieved from photos, videos and recordings and thanks to AI, easily reused to make deep fakes.

Another alarming trend is password training. No matter how trained you are, if you create and know the password, criminals can steal it from you and use it to log in. With 2FA being so easy to steal, the combination of password training and 2FA is very weak protection and creates a false sense of security. To avoid such risks, employees should not be creating their company access or knowing them.

Beyond immediate financial costs, what are the less-obvious impacts of a password-related security breach on a company?

A password-related security breach is similar to someone stealing the key to a site. If the criminal finds a privileged access that gives command and control of part of the whole network, this can lead to business interruption, ransomware, data loss, identity theft, espionage, lawsuits, class-actions, repair and recovery costs, reputation loss and even bankruptcy.

Beyond the operational costs, the impact down the road, sometimes years after the breach, can be prosecution of directors and officers that can lead to hefty fines and prison.

Once in the network, criminals can also leave backdoors so they can come back for another round later.

“Zero Trust” is a buzzword in cybersecurity. How does this philosophy align with the future of password security?

“Zero Trust” is a buzzword, but the philosophy of not trusting people, because people make mistakes, is sound. Mistakes are exactly what Segmented Encrypted Access Management prevents. By ensuring people don’t know the passwords of their organisation, they can no longer make mistakes. This is the future of password security.

With the rise of remote work, have you noticed a change in password-related cyber threats? If so, how can companies adapt?

With the rise of remote work, the surface of attack for criminals has expanded and they can more easily target people in their own home. As people often use the same or similar passwords for personal and work accounts, one phished or social engineered password from any personal or professional account can be used to access the company network and vice-versa.

Companies can adapt very quickly by making sure their employees never create or know their passwords. As there is no infrastructure change required, MyCena SEAM (Segmented Encrypted Access Management) solutions can be implemented for all their access (RDP, SSH, web apps, local apps, IAM, PAM, SSO, legacy systems…). That puts an end to password phishing, reuse, sharing, writing, browser-in-browser or MiTM attacks, and stops 95% of breaches before they can happen.

Companies can also use the IP restriction and device restriction features on MyCena to make sure employees can only access their company applications and data from certain locations using only authorised devices and prevent them from saving company passwords in their browser.

Password stealers are being deployed at scale: "After execution, the password-stealing malware harvests passwords and cookies from all the victim’s browsers and sends them to the attacker via Telegram/Discord APIs."

This can all be stopped with MyCena SEAM solutions: Companies encrypt all access so users never know their passwords, so they can't be stolen. It is an easy, fast and efficient way to stop breaches at your company.

Airbus has confirmed a data breach that exposed confidential business information via a partner airline’s compromised account.

Threat intelligence firm Hudson Rock said the threat actor ‘USDoD’ compromised a Turkish Airlines employee account using the Redline info-stealer malware in August 2023. The malware targets saved passwords and session cookies, allowing threat actors to bypass multifactor authentication.

Hudson Rock suggested that the Turkish airline employee infected their computer after downloading a “pirated version of the Microsoft .NET framework.”

The threat actor announced the airplane-themed data breach on the 22nd anniversary of the September 11 terrorist attacks and threatened “Lockheed Martin, Raytheon, and the entire defense” industry.

The hacker who was also responsible for an FBI data leak exposed the stolen data on the English language hacking forum BreachForums shortly after joining the ransomware group ‘Ransomed.’

Lapsus$ exposed the largest security gap of organisations: the access process where employees create their passwords to access your systems. Imagine if employees use their own keys to enter your office or factory.

To close this security gap, use Encrypted Access Management:
- Company generates and distributes highly secure encrypted passwords for each system to employees, to be used like keys.
- Integration with web apps, local apps, RDP, SSH, WDE, terminals… already embedded in the MyCena process.
- Employees don’t know passwords, so no password phishing, fraud, error, eliminating 95% of breaches.

"According to the report, the hacker group employed simple but effective techniques, such as phishing employees and stealing phone numbers to gain access.

The success of these techniques exposed “weak points in our cyber infrastructure” that could be exploited for future attacks, the report said."

Hollywood understands cybersecurity better than many people who work in the industry: your digital identity is not a secret, it is open for AI to use and abuse. If you work in cybersecurity and still believe you can use identity for access, see what's happening in Hollywood.

While biometrics are often promoted as a revolutionary security enhancer, the method is far from bulletproof and could put organizations and their employees at serious risk. Here, Julia O'Toole, CEO of MyCena Security Solutions, tells Spiceworks News & Insights why.