Build doors with strong independent access for each system
On Monday 18 January 2020, when Angers town hall employees arrived at work, they found a notice stuck on the main door asking them not to switch on their computers. The French town hall had been the victim of a cyber-attack over the preceding weekend, so the whole network was disconnected while the damage was investigated. Stunned, people reverted to pen and paper, an old copy of the yellow pages was dusted down and staff used the only fax machine to communicate in "real-time" with the outside world.
Since the beginning of the COVID-19 pandemic, the world has witnessed a surge in cyber-attacks, explained by poorly secured remote working environments and a profusion of ways to access company data and systems. No one is spared and everyone is a target: town halls, hospitals, utilities companies, vaccine manufacturers...
Cybercrime has become such a lucrative game that last year it paid 1.5 times more than counterfeiting and 2.8 times more than drug trafficking. From cyber-espionage and selling stolen data or credentials to ransomware and supply-chain attacks, it is a game with very little risk of loss and huge odds in favour of criminals, who can operate from the comfort of a chair.
Past: Digitise first, secure later
Many factors have led to this situation. First, organisations massively moved their systems and operations online in recent years. Then, as Mayor of Angers Christophe Béchu said in an interview for Brut, the COVID-19 crisis accelerated remote working and pushed organisations to put even more procedures online. During that time, the focus was more on increasing digital services to constituents than on protecting systems architecture.
As in Angers, few people foresaw that an attack could instantly paralyse them and throw them back 20 years, which is why measures to prevent this paralysis were not taken.
Historically, over 80% of data breaches started with hackers breaking in using a legitimate password. Just as intruders manage to enter a house through a door despite watchdogs, CCTV cameras and security alarms, hackers manage to enter a digital house by opening a door in spite of firewalls, VPNs, antivirus, Intrusion Prevention Systems...
Because people always use the same password patterns for banking, shopping, social media, master key... so they can remember them, most passwords are easy to find using credential stuffing, brute force, social engineering, dictionary attacks... Because they keep reusing the same password patterns even after a breach, it is easy for hackers to come back to the same house and breach it again. Once inside, it is easy to open the other doors with lateral movement using the recycled patterns. And if they came in with a master access, it is even easier, since there are no internal doors.
To anticipate breaches, we need not only to know how breaches happen, but also to acknowledge that no system is unbreachable and that a system breach can go undetected for months or years. A good illustration is the recent SolarWinds hack, when the biggest cyber-espionage operation in history went undetected for over a year, spreading through supply-chain attacks to Fortune 500 companies, US federal agencies and cybersecurity leaders.
As with COVID-19, you can carry a virus and be asymptomatic. In the SolarWinds hack, thousands of companies had unknowingly installed a backdoor. Whether or not they were infected is not the problem. What matters is they could have all channelled an infection unknowingly.
And just like with COVID-19, the solution to stop the disease from spreading is to isolate systems, so that a person who unknowingly carries the infection does not spread it across all the systems, no matter who that person is. That means removing all centralised or privileged access that facilitates spreading, building doors with strong independent passwords for each system, and decentralising credentials so that if one is breached, the others are safe. With this small change, organisations instantly limit their exposure to lateral movement, ransomware and supply-chain attacks.
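The effect of recycled password patterns versus independent credentials on lateral movement can be modelled in a few lines. This is an added example, not MyCena's code; the inventory, the system names and the `base_pattern` heuristic are constructed assumptions.

```python
import re
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

# Constructed sample inventory (system -> password); not real credentials.
RECYCLED = {
    "vpn": "Spring2020!",
    "mail": "Spring2021!",
    "payroll": "spring2020#",
    "db-admin": "Harbour77$",
}


def base_pattern(password: str) -> str:
    """Reduce a password to its memorable stem, e.g. 'Spring2021!' -> 'spring'.
    Hypothetical heuristic: passwords without letters are kept as-is."""
    stem = re.sub(r"[^a-z]", "", password.lower())
    return stem or password


def blast_radius(inventory: dict) -> dict:
    """Map each system to every system that shares its password stem, i.e. the
    doors that open once that one password is known and variations are tried."""
    by_stem = defaultdict(set)
    for system, password in inventory.items():
        by_stem[base_pattern(password)].add(system)
    return {s: set(by_stem[base_pattern(p)]) for s, p in inventory.items()}


def worst_case(inventory: dict) -> int:
    """Largest number of systems exposed by a single leaked password."""
    return max(len(group) for group in blast_radius(inventory).values())


def independent_credentials(systems, length: int = 24) -> dict:
    """Issue one random credential per system from the OS CSPRNG."""
    return {s: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for s in systems}


if __name__ == "__main__":
    print("recycled:", worst_case(RECYCLED), "systems per leaked password")
    fresh = independent_credentials(RECYCLED)
    print("independent:", worst_case(fresh), "system per leaked password")
```

In the constructed inventory, one leaked password exposes three of the four systems; with independent random credentials, each leak opens exactly one door.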
To effectively build doors with strong independent access for each system, we had to solve the recycled passwords issue. For that, MyCena has leveraged an ingenious Ancient Greek system with three levels of security.
To enter the city of Mycenae 3000 years ago, you had to pass through a first gate called the Lion’s Gate; once in the city, you had to pass a second gate to get to the garrison, and once in the garrison, you had to pass a third gate to get to the king’s palace.
Using this Method of Access for Structured Stored Data, MyCena pioneered a breakthrough solution to distribute strong unique credentials for every system in your digital house to all users without anyone creating or remembering passwords.
Credentials are encrypted and protected in a local decentralised digital fortress with three levels of security - Bronze, Silver and Gold - which only the owner can access with a combination of fingerprint, facial ID, PIN code, lock pattern and passphrase. Credentials are segregated by sensitivity into levels, with the most important passwords, such as those used for banking, in the Gold level - the deepest level.
This new decentralised approach ensures there is no single point of failure in the infrastructure. It has the advantage of countering most credential attacks and limiting the damage caused by a breach. Instead of fighting a network-wide infection, you can concentrate your cleaning efforts on a localised area, repair the damage and immediately change the access key to a new unique strong password.
MyCena not only limits your exposure to cyber-risks, but also provides you with the maximum endpoint coverage, since all systems from the core (servers, databases, admin access, legacy systems) to the edge (OT, IT, IoT, applications) are included.
Passwords have increased mental stress for people over the years. What we call the 'forgot password' syndrome frequently creeps in after weekends and holidays, generating queues of password resets for IT help desks.
MyCena completely eliminates this issue as there is no password to create or remember in the first place. All managers need to do is preload passwords into their users' fortresses. This can be done in hours or days, depending on the size of your digital house, without touching any existing infrastructure.
This first illustration shows how the user manages her passwords without MyCena and the associated security issues mentioned above.
This second illustration shows how the user picks up her preloaded strong unique passwords from the different levels of her MyCena fortress. To open any door, the user just needs to click on the encrypted key, paste it without seeing it, and enter. This is exactly the same process as someone taking their keys out of their pocket, selecting the right key, inserting it into the lock and opening the door. One password only opens one door, so if one password is phished, for example, the other doors all stay firmly closed.
Not needing to see or type passwords also helps to protect passwords against key-loggers and screen loggers. Moreover, by removing integration and requiring human intervention to pick up each key, MyCena protects your passwords from automated bots. This tightly controlled and decentralised approach provides the most cyber-resilient architecture for your digital house, by imposing the most stringent cybersecurity measures for your endpoints while completely relieving people of their password mental duties.
For organisations storing confidential, private or sensitive data inside their systems, complying with data protection and privacy laws like GDPR or LGPD is now an obligation. If an organisation fails to keep that data safe and a breach occurs, on top of all the internal issues that the breach creates, it also faces lawsuits, expensive fines and financial compensation that can completely cripple and potentially kill a company.
Using MyCena will not only help you counter and contain breaches, but in case you face multiple simultaneous cyber-breaches, it will considerably limit the impact of each one and slow down the attacks' speed to give you time to respond.
Cyber-attacks won't stop. They will only increase. Despite victories like the recent seizure of Emotet servers, a huge cybercrime-as-a-service organisation, the nature of cyber-attacks means that, like a hydra, for every head you cut off, more heads will pop up in a new location.
With more and more precise data on more and more people being stolen, such as in Brazil where critical data from the "Cadastro de Pessoas Físicas" (CPF) on more than 220 million Brazilians was exposed in a single breach, hackers will keep winning the game if things stay the same.
That is why organisations now face a stark choice. They can choose strong doors, or no doors. Which one will you choose?