Don't give up the keys to the castle — be identity smart
In this guest column, Chris Stucker, associate director for the Identity & Access Management team in UIT’s Information Security Office (ISO), discusses how long-held assumptions around cybersecurity changed as cyberattacks evolved, and talks about simple steps you can take to own your online identity.
It’s almost Identity Management Day!
Wait, what does that mean? Should you be doing something? What is this identity management thing?
We're Identity Management Day champs
Tuesday, April 13, 2021 marks the inaugural Identity Management Day, an annual awareness event sponsored by the National Cybersecurity Alliance (NCSA) and Identity Defined Security Alliance (IDSA) aimed at educating leaders, IT decision-makers, and the general public about the importance of managing and securing digital identities. The University of Utah and University of Utah Health have signed on as official Identity Management Day organizational champions.
Every day, it seems like you hear new warnings about cybersecurity or phishing or ransomware. It seems like that to me and my information security colleagues, too. We wish cyberattacks would stop, but unfortunately, they won’t. Phishing, social engineering, and breaches (oh my!) are likely to keep growing.
Research by the IDSA reveals that 79% of surveyed organizations have experienced an identity-related security breach in the past two years, and 99% believe their identity-related breaches were preventable. According to the 2020 Verizon Data Breach Investigations Report, as many as 81% of malicious breaches leverage weak, stolen, or otherwise compromised passwords.
There was a time when information security resembled protecting a castle, with elaborate defenses built up around us. Firewalls, which control network traffic based on predetermined security rules, virtual private networks (VPNs), intrusion detection/prevention systems, email and data loss prevention scanners, and other tools were brought to bear so that everyone inside the castle walls could work in relative safety. This gave information security professionals time to focus on the construction of the walls and examine everything that tried to breach them.
Many IT services today exist outside those walls, as do the people who use those services. The changing way people provide and consume IT services made old IT security tactics less effective. Walls and defenses do very little to protect people or data when they’re already outside. This new landscape has meant changing the way we protect people and data, and it requires us all to be more careful and better informed about the dangers.
The nature of cyberattacks has changed, too. As defenses evolved, attackers realized that it’s often difficult to breach them. Rather than attack the castle directly, they started to attack the people instead. This tactic made sense because much of what people do today isn’t inside the walls at all; it’s “in the cloud.” It’s also a lot easier to get inside when you trick someone into letting you in (that whole “keys to the castle” thing).
This all contributes to an environment in which “identity” has become more important than ever — to the attacker, to an organization like the University of Utah, and to you.
When an attacker compromises someone’s identity, it can give them a way into other places, like cloud services. It’s important that organizations recognize that this is criminals’ preferred method of entry and the leading path to a breach. This matters to you because a compromised identity can lead not only to an organizational breach but to absolute turmoil in your personal life.
Which brings us back to Identity Management Day and what we should all think about after we have our identity management cake and take off our party hats. What can you do to protect your identity, and in doing so, how does that protect the U? Great question, I’m glad you asked!
There are many precautions we can take. Some are easy, others take more effort and thought, but all are paramount to protecting your identity.
The National Cybersecurity Alliance provides some great tips on being identity smart:
- Think before you click
- Share with care
- Lock down your login
- Get savvy about Wi-Fi hot spots
- Keep a clean machine
- Own your online presence
These are more important now than they’ve ever been. It’s nothing new to say that cybersecurity must be everyone’s job; reliance on every individual has been with us for a long time. What’s changed is the increased use of remote resources and remote work, making it even more critical that each of us is aware of threats, remains cautious, and takes responsibility for our own identities, for the university’s sake and for our own.
Here in ISO, we’ll continue to do all we can to help protect the organization and the U community, but we can’t do it without everyone doing their part.
After Identity Management Day has come and gone, please take a few minutes to think through what you do to protect your digital identity. Look through the tips above and commit to adopting some. Use multifactor authentication (such as Duo 2FA) — even if you don’t have to — on every account that supports it. Get a good password manager and use it. While you’re at it, reset those old passwords that you shared with your ex, and the ones that use information you posted on Facebook or other social media apps.