Recent reports from the FBI have shed light on the escalating cyber espionage activities orchestrated by state-sponsored actors, particularly those emanating from China. Case in point: the emergence of the Volt Typhoon botnet, as highlighted in The Guardian and AP News, underscores the critical need to safeguard sensitive information and ensure the integrity of digital identities, now more than ever.
Understanding the Threat Landscape
The FBI’s warnings regarding the Volt Typhoon botnet and China’s espionage activities serve as a stark reminder of the sophisticated tactics employed by cyber adversaries. Coincidentally, my last blog covered Midnight Blizzard – Russian nation-state attackers on Microsoft. These threats pose significant challenges to national security and underscore the vulnerabilities inherent in identity verification and data protection. This also means the threat landscape is expanding.
Luckily, the Threat was Prevented
In this instance, the threat was thwarted before an incident occurred. In the case of the Midnight Blizzard attack on Microsoft, we were not so lucky. The warnings come as a shot across the collective bow for all organizations and serve as a reminder that this will not be the last time a foreign entity or any other hacker will target the vulnerable.
So, what are organizations to do to keep themselves out of the headlines? Not a huge surprise, but first we must all keep up with applying security patches and up-to-date versions of the OS and application layers. To restate the obvious, good system management hygiene is a must.
But the uncomfortable truth is that bad actors simply log in as often as, or even more often than, they use some sophisticated hack to gain access. Many organizations are minimizing dependence on passwords, but they are finding that the big challenge is addressing the many authentication use cases.
Windows Hello for Business conveniently supports passwordless access within the Microsoft platform, but try getting this to work with macOS, Linux or even your VPN. Domain controllers and virtual machines, for example, also continue to depend on passwords. To the delight of hackers, the resulting “passwordless strategy” resembles Swiss cheese more than it does a Swiss Army knife supporting the broad range of needs enterprise-wide.
So, on the path to eliminating passwords, it’s the diversity of information technology that needs to be managed, and for good reason. Most enterprise IT environments evolved over decades, as did security standards. There should be little to no expectation that every way of authenticating into this morass will somehow magically be handled with some type of hand waving, let alone by a black box that effortlessly solves all unanticipated authentication use cases.
Identity, it turns out, isn’t sufficiently managed with a password, an SMS code or the knowledge of a mother’s maiden name. This is not new … a long list of three-letter acronyms including IGA, SSO, PAM, and IAM all recognize identity as a corporate asset that needs to be managed and governed. None, however, seem able to keep up with the unrelenting attacks using social engineering and pirated account credentials. You just need to read the headlines to know this.
Closing the Open Door
At 1Kosmos, we’ve always approached passwordless MFA as a feature, but we’ve viewed the root cause authentication issue as a business challenge revolving around identity. We solved that by performing identity verification and then generating as an artifact a non-phishable passwordless MFA credential with liveness detection.
But as our passwordless journey continued, something interesting happened. We found that placing identity outside of the application platforms and providing for various levels of identity assurance tuned to the risk of the digital interaction helped us rapidly evolve our identity and authentication platform to address the constant stream of use cases that surfaced in just about every customer deployment.
It turns out that not everybody wants an app, not everybody owns a mobile device, and some work environments outright prohibit the use of mobile handsets. By offering identity verification and authentication in a single privacy-by-design platform we’ve provided ourselves and our customers an elegant way to systematically accommodate the unexpected, and in a sense, hardest-to-solve authentication use cases.
This approach to identity modernization quickly augments core identity and access management to mitigate risk, reduce technical debt, and enhance access controls, effectively closing the open door that many hackers walk through unchallenged. By way of example, it’s why we’ve been able to rapidly release app-less authentication, browser-based identity verification journeys and most recently BlockID 1Key, a biometric security key.
At 1Kosmos, we believe that by integrating identity proofing, credential verification, and strong authentication, we equip organizations with the tools and insights needed to combat identity-based attacks effectively – and in ways not possible before.
Through a collaborative and identity-centric approach to security, we help organizations bolster their resilience and navigate through this digital storm unleashed by sophisticated attackers like those behind Volt Typhoon.
Prepare Now for What May Come
Given the advanced warnings from the FBI regarding the Volt Typhoon botnet and China’s espionage, we were lucky this time. But this sequence of events telegraphs the dangers that live among us and should serve as a battle cry for heightened security measures, starting with identity verification at first and every login … for customers, workers, and citizens.
Embracing innovative technologies that in turn enable rapid business innovation … it’s the path forward to reduce risk and deliver order-of-magnitude business improvement. It’s the logical path forward for organizations that thrive on the speed of innovation and want to de-risk their business plan by modernizing and simplifying identity and access management. It’s this bright future we at 1Kosmos envision for all organizations navigating digital transformation and the delivery of digital services.