Darknet Diaries

4.9 stars, 7.1K+ reviews

---

If you’ve listened to investigative reporting podcasts like Serial or Reply All and wanted something that was specific to cybersecurity, Darknet Diaries is the perfect podcast for you. Since 2017, it’s investigated some of the most noteworthy stories related to the darkside of the internet, using a storytelling style that’s easy to follow for technical and non-technical listeners alike.

New episodes of Darknet Diaries typically air on the first Tuesday of the month and are usually around an hour long. There are currently over 150 episodes available on Apple Podcasts, YouTube Music, and Spotify. The podcast has an explicit rating.

Who Is the Host?

Jack Rhysider has a background working in a security operations center (SOC) for a Fortune 500 company. He started the podcast in 2017 and initially created it because he didn’t know of anything like it available. He also occasionally blogs about podcasting and has spoken on multiple other podcasts as well.

Key Topics Covered

Darknet Diaries focuses on topics like cyber scams, hacking and social engineering, penetration testing, and malicious types of software.

Notable Guests

In the episode “Maddie,” Maddie Stone, a researcher from Google’s Project Zero, discusses combatting zero-day vulnerabilities with Rhysider.

In the episode “Rachel,” social engineer Rachel Tobac chats about her background in hacking and the ways she was able to manipulate people.

Listen to the Podcast

SecurityNow

4.6 stars, 1.9K+ reviews

---

Running since 2005, Security Now provides weekly episodes to keep both tech geniuses and total novices up to date on recent developments in cybersecurity. The hosts talk knowledgeably about the subjects at hand without getting too bogged down in jargon.

New episodes of Security Now typically air live weekly on Tuesdays, in both audio and visual form, and are uploaded later that evening. There are over 950 episodes of the podcast. Episodes are often around 100-120 minutes long and are available on Apple Podcasts, YouTube Music, and Spotify. Security Now has a clean rating.

Who Is the Host?

Leo Laporte founded the TWiT.tv podcast network and is the host of podcast This Week in Tech and radio show The Tech Guy. Steve Gibson founded Gibson Research Corporation and is its current CEO. He created computer science electronics curriculum as a high schooler and has developed both an anti-spyware application and data recovery software. Both hosts have been in the technology industry for a long time and know a lot about security history.

Key Topics Covered

SecurityNow touches on recent breaches and backdoors, legal security news, and specific product issues, just to name a few topics. It covers a wide range of security issues, including crimes and recent hacking news, as well as recommendations for securing your own organization’s systems.

Notable Guests

This podcast doesn’t regularly incorporate guests.

Listen to the Podcast

CyberWire Daily

4.8 stars, 930+ reviews

---

The CyberWire is a cybersecurity-focused news service, and the CyberWire Daily Podcast delivers a rundown of the top cyber news each day of the week. It requires some baseline industry knowledge, but it’s a great way for security professionals to stay on top of InfoSec current events.

New episodes of CyberWire Daily Podcast air each weekday morning (if not more frequently) and are usually less than 30 minutes long. CyberWire Daily has been active since 2016 and currently has more than 2,000 episodes. They’re available on Apple Podcasts, YouTube Music, and Spotify. The podcast is rated clean.

Who Is the Host?

Dave Bittner is the primary host listed for CyberWire Daily, though he isn’t the only one. He’s a security podcaster, but his extensive television and production background includes videography, acting, and content creation.

Key Topics Covered

CyberWire Daily is more of a news overview than a super deep dive into one topic. Multiple security things will be touched on within a single episode, so you’re getting nuggets of security information. These include major attacks, the intersection of government and cybersecurity, and vulnerabilities in major software.

Notable Guests

In episode 2029, Adam Meyers, the senior vice president of Counter Adversary Operations at CrowdStrike, speaks about cloud security issues and the cloud as an attack surface.

In an encore episode on April 7, threat intelligence analyst Selena Larson discusses her career move from journalism to into the security field.

Listen to the Podcast

Malicious Life

4.8 stars, 880+ reviews

---

For history buffs, Malicious Life by EDR and XDR provider Cybereason chronicles some of the most influential untold cybersecurity stories around the world. It takes listeners on a journey through the history of cybersecurity through the lens of real hackers, security experts, journalists, and politicians.

New episodes of Malicious Life typically air twice a month and are usually 30-40 minutes long. Malicious Life currently has over 240 episodes. They’re available on Apple Podcasts and Spotify. The show has been active since 2017 and is rated clean.

Who Is the Host?

Ran Levi studied electrical engineering at the Technion Institute of Technology and has worked in electronic engineering and programming for multiple Israeli technology companies. He’s the creator of another popular podcast, Making History. Through interviews and research, Ran connects the dots between the early days of cybercrime and today’s stories of data hacks and breaches.

Key Topics Covered

Malicious Life’s topics of discussion include historical events like Y2K, famous hackers such as Kevin Mitnick, and famous as well as lesser-known cybercrimes and the responsible criminals. Levi also covers hot topics like generative AI.

Notable Guests

In one of Malicious Life’s specials, Levi interviewed Amit Serper, the Principal Security Researcher at Cybereason, who’s worked in cybersecurity for the Israeli government. In the episode, Levi and Serper discuss Serper’s experience with the government, reverse-engineering and analyzing malware, and nation-state attacks against high-profile targets’ network infrastructure.

In another interview special, Levi interviews Graham Cluley of Smashing Security, who discusses how he got into the security world and the early stages of the malware industry.

Listen to the Podcast

Risky Business

4.7 stars, 330+ reviews

---

Risky Business is one of the longest-running podcasts in the cybersecurity industry, publishing episodes since 2007. You’ll get in-depth analysis each week of the latest stories and how they impact security trends on a global scale.

New episodes of Risky Business typically air weekly on Wednesdays and are usually about 60 minutes long. There are currently over 700 episodes. Risky Business is available on Apple Podcasts and Spotify, and it has a clean rating.

Who Is the Host?

Patrick Gray is a journalist who began writing about security over 20 years ago, including freelancing for multiple internet and security publications. Adam Boileau holds a senior role at CyberCX, a security company based in Australia.

Key Topics Covered

Risky Business takes an analytical approach to cybersecurity topics like attack and breach news, as well as covering legislation and the ways different governmental bodies approach security.

Notable Guests

In episode 743, Risky Business chats with Andres Freund, a software developer who found the XZ Utils backdoor, as well as discussing a Ukraine hack of Russia, social engineering, and a Cyber Safety Review Board (CSRB) scolding directed toward Microsoft.

In a sponsored news episode, Catalin Cimpanu, the author of Risky Business’s newsletter, interviews the founder of GreyNoise, Andrew Morris, about vulnerability exploit trends from the previous year.

Listen to the Podcast

Hacking Humans

4.6 stars, 270+ reviews

---

If you’re particularly interested in the connection between cybersecurity and psychology, you may like Hacking Humans, CyberWire’s podcast division specifically dedicated to social engineering and how to avoid it.

New episodes of Hacking Humans air weekly on Thursdays and are usually 40-60 minutes long. The podcast currently has more than 500 episodes. They’re available on Apple Podcasts, YouTube Music, or Spotify and are rated clean. Another series within Hacking Humans includes Word Notes, a short episode that defines a common security term or acronym.

Who Is the Host?

Dave Bittner shows up again in this podcast, also connected to CyberWire, but he’s not the only host. Joe Carrigan has a background in software engineering and currently works as a senior security engineer with the Johns Hopkins University Information Security Institute. His experience includes usable security, data migration, and embedded systems.

Key Topics Covered

Hacking Humans mainly focuses on the world of social engineering, phishing attempts, insider threats, and similar criminal exploits. It offers recommendations for listeners to protect themselves from these attacks, too.

Notable Guests

In episode 285, the hosts speak with Dr. Robert Blumofe, the chief technology officer at Akamai, about an AI doomsday scenario. Bittner also discusses the research surrounding people falling for scams and that they shouldn’t feel guilty for succumbing to one.

In episode 279, Bittner and Carrigan chat with Mike Kosak, the principal intelligence analyst at LastPass, about passkeys and Chinese hacking group Volt Typhoon.

Listen to the Podcast

Smashing Security

4.5 stars, 280+ reviews

---

Cybersecurity topics are usually no laughing matter, but on Smashing Security, the co-hosts bring a sense of levity to the conversation. Each week, the two computer security experts and a variety of guests talk through some of the top cybercrime headlines, taking a humorous, laid-back tone that makes learning about security news more approachable.

New episodes of Smashing Security air weekly on Wednesdays (with occasional additional episodes on other days). The podcast currently has over 370 episodes. They’re usually 45-60 minutes long and are available on Apple Podcasts, Google Podcasts, and Spotify. Smashing Security is rated explicit and may contain adult themes.

Who Is the Host?

Graham Cluley is a security blogger and researcher with a background in programming; he coded an early Windows antivirus toolkit. Carole Theriault started Sophos Naked Security and currently runs Tick Tock Social, a media firm geared toward tech organizations.

Key Topics Covered

Cluley and Theriault cover common hot topics like AI, breaches, hacking, online privacy, and legal concerns, but their tone is more lighthearted overall than the majority of podcasts. They also cover security vulnerabilities or attacks on a variety of enterprises, including those in the pharmaceutical, gaming, and consumer electronic industries.

Notable Guests

In episode 360, Cluley and Theriault chat with Keiron Holyome of BlackBerry about predictive AI as a tool to prevent cybersecurity threats.

In episode 359, the co-hosts discuss ransomware gangs and mobile phone number issues with Allan Liska, incident response team member at Recorded Future.

Listen to the Podcast

Unsupervised Learning

4.6 stars, 120+ reviews

---

Unsupervised Learning condenses 5-20 hours of research into a concise summary of the most interesting things happening in the news related to security, technology, and society at large. This podcast is extremely succinct, so some listeners may find it a bit dry, but the host connects a wide scope of topics masterfully. It’s a great podcast for security geeks.

New episodes of Unsupervised Learning typically air once a week or every two weeks and are around 30 minutes or less. There are currently over 400 episodes, and they’re available on Apple Podcasts and Spotify. The show is rated explicit.

Who Is the Host?

Daniel Miessler has a background in information security and writing and started his site in 1999. The podcast came later, in 2016, but he’s been writing about security much longer. He lives in San Francisco. Miessler pairs cybersecurity news that might otherwise feel boring with commentary and analysis of how current affairs could affect future events.

Key Topics Covered

Unsupervised Learning currently focuses largely on AI and how it affects humans, as well as the ways people can thrive using AI and handle it well.

Notable Guests

In a March 19 conversation, Miessler talks with Jason Meller, founder of Kolide, which was just acquired by 1Password. They discuss password management, device trust and zero trust, and limitations of mobile device management products.

In a January 29 episode, Miessler chats with Shil Sircar, the senior VP of engineering and data science at Blackberry. They discuss machine learning, threat detection, and synthetic malware generation.

Listen to the Podcast

Bottom Line: Podcasts Can Deepen Your Interest in Cybersecurity

It’s one thing to look at an application’s management console or stare at threat intelligence feeds and alerts all day. But listening to podcasts — and the humans who have experienced events in this field — makes cybersecurity that much more interesting. If you’re looking for a new podcast, whether to further your experience in the security field or to learn what professionals do, I recommend you check out these podcasts and see which ones are a fit.

If you’re interested in hearing more insights from security professionals, read our guide to the best cybersecurity Twitter accounts next.

Jenna Phipps contributed to this article.

The post 8 Binge-Worthy Cybersecurity Podcasts in 2024 appeared first on eSecurity Planet.

To try to gain an edge in their efforts to protect businesses and individuals from scammers, malware, and data theft, many cybersecurity companies have turned to artificial intelligence (AI) and machine learning (ML) as a potentially useful weapon in their arsenal.

There are some benefits to employing AI in a cybersecurity context. It can make defensive measures stronger and response times faster, but it’s not a perfect solution. AI is not a replacement for human intelligence—especially when it comes to identifying and mitigating threats—but in the right contexts, with the right team, it can be helpful.

How is AI Currently Used in Cybersecurity?

Whether it’s SIEM solutions attempting to enhance their predictive capabilities or threat intelligence software trying to automate the threat detection process, businesses the world over are looking to AI as a critical part of their cybersecurity futures.

AI in general is in vogue right now, but its use in cybersecurity is expected to explode in coming years. A Statista report expects the “AI in Cyber Security” market to grow from $10.5 billion in 2020 to $46.3 billion by 2026, in the process taking an ever-bigger slice of a cybersecurity products market that’s approaching $200 billion.

Here are some examples of what companies think AI and machine learning can do to give cybersecurity firms an edge over their cybercriminal competition:

• Evaluating Threats More Quickly: As digital transformation takes over the business world, security teams are tasked with processing and protecting unprecedented amounts of data, and the volume of alerts is overwhelming. Artificial intelligence makes it possible to sift through this data and identify potential threats more efficiently while avoiding alert fatigue. This is how IBM’s QRadar SIEM solution leverages machine learning in its threat detection duties.

• Automating Defense Measures: Security orchestration, automation, and response (SOAR) tools have gained popularity among cybersecurity strategies since they were first introduced in 2017. This is due in part to SOAR’s potential ability to reduce human intervention needed to act on security threats, freeing up human experts’ time to deal with issues that require more creative thinking than an AI can offer.

• Lower Chance of Human Error: One of the critical weak points of any cybersecurity system is the human element. No matter how well you plan, no matter how effective your technology, all it takes is one or two people making a mistake for your network to be left defenseless against ransomware and other cybersecurity threats. By automating as much of their solutions as is reasonable, cybersecurity companies hope to reduce the likelihood of human error leading to cyber catastrophe.

• Phishing Detection: Phishing is one of the most effective techniques hackers have to infiltrate your network. AI integrated with email security tools can analyze the context and content of emails to detect signs of suspicious behavior like email spoofing and block potentially malicious emails before they hit users’ inboxes. This can be useful both for simple phishing scams and more advanced techniques like spear phishing.

• Biometric Authentication: In lieu of or alongside traditional password protection, some companies have turned to biometric and facial recognition scanners powered by AI to potentially block hackers’ access to user accounts.

• Behavioral Analytics: Many companies have begun experimenting with UEBA and other behavioral analytics solutions to help better identify anomalous user behavior and stop potential threats before they can do too much damage. This form of analytics can come in a variety of forms, such as an AI tracking unusual user login behaviors, such as someone logging in from a public library instead of their office.

Want to Know More About AI’s Role in Cybersecurity? Check Out AI & ML Cybersecurity: The Latest Battleground for Attackers & Defenders

How Effective is AI in Cybersecurity?

A common refrain when talking about AI and automation is that it ultimately can’t replicate the creative and strategic thinking that human intelligence provides. Based on how AI has been implemented and developed thus far, this is accurate.

The tasks AI and machine learning have proven to be good at are tasks with simple, predictable patterns and tasks that require the processing of large data sets. This is how AI can potentially speed up incident response times, as humans wouldn’t be able to process network traffic as quickly as automation can.

On the flip side, in use cases where the AI has to deal with a number of unusual or unpredictable behaviors, it struggles. This is why behavioral analysis can be a mixed bag as a solution. A 2018 paper published by IEEE goes into more detail about it, explaining, “Machine learning has limitations dealing with privileged users, developers, and knowledgeable insiders. Those users represent a unique situation because their job functions often require irregular behaviours. This cause[s] difficulties for statistical analysis to create a baseline [for] the algorithms.”

Additionally, if an AI system is poorly implemented, it can be weaponized against a company in an attack. This could happen at the data level, where malicious actors manipulate the data sets that AI algorithms use to learn their behaviors. Vulnerabilities could also come from biases or gaps in the data. Hackers sometimes use a technique called neural fuzzing to determine where weaknesses lie in software that processes input data.

To prevent your AI from working against you, it’s important to create safeguards. You should regularly evaluate the configurations of your devices and applications and monitor other areas of your cybersecurity infrastructure that aren’t directly-related to artificial intelligence tools. This is not only beneficial for your AI, but also for your security posture overall.

AI’s increased prominence in cybersecurity also goes both ways. As more cybersecurity enterprises leverage AI to boost their security, hackers are able to do much the same, through methods like AI-generated phishing emails or constantly-changing malware signatures.

Thankfully, well functioning AI is difficult to build, even for companies with the resources and expertise to do so. As such, your average cyber criminal probably isn’t going to be using AI for their next social engineering scheme. However, state-backed hackers from countries like Russia might have access to sophisticated AI hacking capabilities.

Bottom Line: AI in Cybersecurity

AI’s efficacy in cybersecurity is the same as in any field it’s deployed in. When focused on the things AI has been proven to do effectively and consistently, it’s useful, but when focused anywhere else, it struggles, often mightily so.

Knowledge is key when implementing AI into a cybersecurity strategy, both knowledge in the form of the data you feed your AI to train it and knowledge in the form of understanding what AI is good at and how to best leverage that for your business.

Ultimately, AI, like firewalls or IDPS, is a tool, and no one tool is going to be the cure for all your cybersecurity woes. Although artificial intelligence can be a benefit to your organization’s cybersecurity strategy, you still need people working to support it. Otherwise, you’ll be putting your weight on an unstable foundation.

Looking to Upgrade Your Cybersecurity Capabilities? Take a Look At Top Endpoint Detection & Response (EDR) Solutions in 2022

The post AI in Cybersecurity: How It Works appeared first on eSecurity Planet.

To help you determine which one is the best fit, we’ve compared Bitwarden and LastPass in each of the following categories:

• Features
• Supported platforms
• Security
• Cost

Bitwarden vs. LastPass: Features

Bitwarden and LastPass share many of the same core password manager functions. These include:

• Password storage and auto-filling
• New password generation
• Password sharing
• Administrative dashboards
• Customizable security policies
• Two factor authentication

However, each platform also offers unique features that separate them from the competition. Unlike Bitwarden, LastPass offers all users dark web monitoring and offline mode. LastPass tries to push customers toward the more expensive Business edition, though, so you’ll have to pay more to get advanced features.

LastPass Business features include unlimited users, groups, API access, directory integrations, admin controls, and support for single sign-on (SSO) and multi-factor authentication (MFA). Every Business user also gets a free LastPass Families account, so employees can manage their work information and personal information from the same platform.

Bitwarden, on the other hand, offers a variety of features for Teams and Enterprise users alike. These include unlimited devices and device types, unlimited users, groups, and API access. All users also get Bitwarden Send, a secure file sharing tool with support for 1GB+ encrypted file attachments. Enterprise users get access to premium features like support for SSO, more administrative controls, and a self-hosting option.

Both Bitwarden and LastPass offer strong features for you and your team. While LastPass’s dark web monitoring capabilities and advanced MFA and SSO support may be extremely beneficial, Bitwarden offers a wide range of features in its more affordable edition that you would need to pay more to get with LastPass.

Bitwarden vs. LastPass: Supported platforms

One major distinction between LastPass and Bitwarden is the variety (or lack thereof) of supported platforms. While LastPass only has native desktop applications for macOS, Bitwarden’s native apps include Windows and Linux in addition to macOS.

Both vendors have browser extensions for Chrome, Firefox, Safari, Edge, and Opera browsers. However, Bitwarden offers additional integrations for Vivaldi, Brave, and Tor browsers. Regardless of the operating system or browser you use, Bitwarden also offers a command-line tool for greater control of the application.

LastPass and Bitwarden both offer mobile apps for iOS and Android devices, so you and your employees can access password information while on the go. However, if your team uses a wide range of device types, you’ll have more flexibility with Bitwarden than with LastPass.

Bitwarden vs. LastPass: Security

Bitwarden and LastPass are both based on some of the same security principles and tools. For example, both solutions are built using a zero-knowledge architecture with 256-bit AES encryption at the device level, plus ​​PBKDF2 SHA-256 encryption for master passwords. Both vendors also have bug bounty programs to stay proactive with any potential vulnerabilities.

However, there are two major distinctions to make between the two password managers. The first and most significant difference is that Bitwarden’s code base is completely open-source, which means it’s available for anyone to review. On top of that, Bitwarden has been audited several times by third-party security firms and has published all of those reports to its website.

The second distinction is that LastPass has been at the center of multiple hacks over the last several years. The most notable hack from 2015 exposed customers’ email addresses, password reminders, and authentication hashes, among other data. Though no encrypted data was lost, the vulnerability still presented a significant risk if users didn’t take immediate action to update their account information. The security breaches that have happened in the years since have not been as alarming, but they have made competitors’ security claims more appealing.

LastPass’s SSO and MFA capabilities are both important for creating a passwordless authentication model, so LastPass might be a better fit if creating an advanced security ecosystem for your organization is one of your top priorities. However, if the reputation of the security tools you use is more important to you, then Bitwarden might be a better choice.

Bitwarden vs. LastPass: Cost

Neither vendor offers a free edition for professional use, but they do offer free trials—14 days for LastPass and 7 days for Bitwarden.

LastPass offers two editions, with optional add-ons available to Business users for an additional monthly fee:

• Teams: $4/user/month
• Business: $6/user/month
  • Advanced SSO: +$2/user/month
  • Advanced MFA: +$3/user/month
  • Advanced SSO/MFA bundle: +$4/user/month

Bitwarden also offers two editions, but at a lower price point than LastPass:

• Teams Organization: $3/user/month
• Enterprise Organization: $5/user/month

Not only is Bitwarden more affordable at both pricing tiers, but it also offers more features for less money. If you’re looking for advanced features, LastPass will give you what you need for a premium. If MFA and SSO aren’t a priority for you, however, you might be able to save some money with Bitwarden.

Choosing the right password manager

LastPass and Bitwarden are both worthy considerations for your business’s password manager solution. LastPass is a solid choice if you need advanced features and can afford to spend a little more. If you want something more affordable that can also be used across a wider range of devices, Bitwarden might be the right solution for you. To compare both of these vendors with other market leaders, review our list of Best Password Managers & Tools.

The post Bitwarden vs LastPass: Compare Top Password Managers appeared first on eSecurity Planet.

As Sam Ingalls writes in his How to Implement Zero Trust article, “a zero trust strategy centers around refined controls to improve and rightfully restrict access to your network and applications. By limiting movement, you mitigate the risk of malicious actors accessing key segments.” Zero trust is a critical tool in the security defense arsenal, especially as more companies shift to a fully remote or hybrid work environment. However, zero trust also comes with its own set of challenges that are important to understand to ensure effective implementation.

Jump to:

• Moving to zero trust can create cybersecurity gaps
• Zero trust architecture requires perpetual maintenance
• Insider threats are still a risk
• Zero trust models can inhibit productivity
• Overcoming zero trust challenges

Moving to zero trust can create cybersecurity gaps

One of the fastest lessons to learn with zero trust is that implementation is often neither quick nor easy. It can be a very drawn-out process that requires your SecOps team to re-envision your business’s security model from top to bottom.

This also means many IT and business professionals must adjust their way of thinking when it comes to cybersecurity. Instead of trusting that your security infrastructure is foolproof like they’ve been conditioned to believe, they must assume the opposite is true and that your systems are already in jeopardy.

It’s usually best to move from legacy security systems to a zero trust framework gradually over time rather than abruptly implementing multiple changes at once. Prioritize the systems, users, and workflows that engage with the most sensitive data so that you can assign them the strictest access controls. A longer timeline will help the transition go more smoothly and give employees more time to adjust to the new security environment and related processes.

Zero trust architecture requires perpetual maintenance

Many security professionals also underestimate the time and effort required to maintain a zero trust environment once it’s implemented. Unlike some security systems, zero trust is anything but a passive approach to defending against cyber threats.

Most businesses are constantly growing and evolving, and it’s essential that the intricate microsegmentation permission structure keep pace with the rate of change. Relevant changes may include new hardware or software deployments, changes in an employee’s responsibilities, new customer or staff accounts, and patches or updates to existing systems.

User permissions must be precisely and appropriately defined at all times for a zero trust model to be effective. Otherwise, unauthorized users will be able to access data and resources they shouldn’t. In a best-case scenario, this may mean an employee has more privileges than they need, but it could also mean bad actors can reach deep into your business systems and hold them hostage—or worse. Monitoring tools can help spot irregularities, but perpetual, proactive maintenance is required to prevent a worst-case scenario.

Insider threats are still a risk

Zero trust and microsegmentation are based on the premise of least privilege, which attempts to limit each user’s access to the bare minimum they need to do their job. However, this doesn’t address a glaring issue staring everyone in the face: social engineering. Social engineering attacks like phishing, scareware, and deep fakes are frequent tactics hackers use to gain access to your business systems from the inside.

These kinds of insider threats cost businesses an average of $2.79 million annually, according to the 2020 Cost of Insider Threats Global Report. This includes direct costs like stolen funds, lost or damaged data, and recovery efforts in the aftermath of an attack. It also includes indirect losses that can impact a business, such as reduced productivity, damaged reputation, and long-term lost revenue.

Microsegmentation alone doesn’t address the impersonation and deception strategies hackers use with the end goal of stealing employees’ credentials or damaging data. A formidable zero trust approach requires additional layers of security tools like identity and access management (IAM) and multi-factor authentication (MFA) to verify each user’s identity and minimize the risk of insider threats. A good zero trust tool should be able to detect when patterns near the critical zone have changed, but tools like UEBA and DLP can help—and extend those capabilities throughout the organization, not just around the microsegmented zone.

Related: How Zero Trust Security Can Protect Against Ransomware

Zero trust models can inhibit productivity

Because zero trust adds extra security layers to most workflows, it can sometimes become a productivity constraint. Security strategies are only effective if they support and protect the work of your business—they otherwise become barriers that employees will try to circumvent. It is possible to be productive while also maintaining a strong cybersecurity posture, and finding that balance is a core tenet of the zero trust approach. Without both sides of the coin, your business won’t be able to flourish fully.

The easiest way to avoid productivity pitfalls is to embrace a hybrid security environment that consists of zero trust and legacy systems until you fully transition to zero trust. As your security teams shift individual workloads, they can evaluate each segment to ensure it won’t cause a major disruption to individual employees’ productivity or overall business performance. If something doesn’t go according to plan, the old model can be temporarily restored until your team is able to iron out the unexpected kinks.

Keep in mind that communication and agility are critical to zero trust implementation. Adopting these new security practices and tools will impact everyone, so your teams should be aligned with what to expect at every step in the process. Not only will this minimize the surprises you may encounter, but it will also help you address potential vulnerabilities quickly and effectively.

Overcoming zero trust challenges

Zero trust isn’t an infallible strategy, but it’s certainly becoming the way of the future for cybersecurity. Thankfully, there are many things you can do to overcome any potential challenges.

First, look at your cybersecurity infrastructure holistically and from multiple angles to make sure any gaps are covered during the transition to zero trust. During this time, it’s also important to make sure all stakeholders understand the value of moving to a zero trust model.

When you’re ready to begin the microsegmentation process, use a phased approach to minimize blows to productivity. Adopt additional layers of security in addition to microsegmentation to prevent successful social engineering attacks, and don’t neglect employee training to make sure your staff is prepared with the right cybersecurity knowledge.

Then, once your zero trust model is fully implemented, commit to routine maintenance and frequent internal audits. Doing so will help you maintain confidence that only your employees, partners, and customers have access to exactly what they need—nothing more and nothing less. That’s the ultimate goal of zero trust security, after all.

Read next: Best Zero Trust Security Solutions for 2021

The post Zero Trust Can’t Protect Everything. Here’s What You Need to Watch. appeared first on eSecurity Planet.

Some of the top considerations to keep in mind when comparing NordVPN and ExpressVPN include:

• Privacy and security
• Performance
• Device support
• Cost
• Customer support

NordVPN vs ExpressVPN: Which has stronger privacy and security?

Privacy and security are the biggest reasons you want to use a VPN in the first place, and each VPN provider approaches these factors a bit differently. They both use Perfect Forward Secrecy, which automatically changes encryption keys on a recurring basis to prevent data from being decrypted if other components of the key exchange are compromised. However, this is effectively where the privacy and security similarities end.

The most notable difference between NordVPN and ExpressVPN is each vendor’s logging policy. NordVPN does not store any data whatsoever—a claim that has been confirmed by independent auditors. ExpressVPN, on the other hand, does collect some data from its users according to its website. This data includes:

• App and app versions successfully activated
• Dates (but not times) when collected to the VPN service
• Choice of VPN server location
• Total amount of data transferred per day

Thankfully, ExpressVPN doesn’t log sensitive details like IP addresses, browsing history, traffic destination/metadata, or DNS queries. Although the information it does collect is purportedly only used for troubleshooting and software development, it’s easier to have confidence in a VPN provider’s privacy and security claims if it doesn’t log any data in the first place.

Related: VPN Security Risks: Best Practices for 2021

NordVPN vs ExpressVPN: Which has faster performance?

Using a VPN can sometimes slow down internet speeds because all incoming and outgoing data has to be encrypted and decrypted. The exact speed depends on your proximity to a VPN server, how much capacity that server has, and the protocol it uses to encrypt your data. In general, VPN providers that have a larger number of servers in more locations offer better connection performance. If you don’t travel often, though, server locations might not be as impactful as server volume.

Both ExpressVPN and NordVPN use proprietary encryption protocols. ExpressVPN developed its Lightway protocol to be equal parts fast, secure, and reliable, but you can also choose from L2TP, OpenVPN, or IKEv2 protocols if you don’t want to use Lightway. Similarly, NordVPN’s NordLynx protocol is based on WireGuard, but with better privacy. If you’re more comfortable with IKEv2/IPSec or OpenVPN, however, you can choose from those protocols as well.

If you do a lot of international traveling, ExpressVPN offers an impressive 160 VPN server locations in 94 countries, whereas NordVPN has servers in only 60 countries by comparison. However, NordVPN offers almost double the number of servers compared to ExpressVPN—5,866 versus a vague 3,000+. This means you’ll likely have a better chance of finding a nearby server in those 60 countries with NordVPN and a faster connection speed as a result.

NordVPN vs ExpressVPN: Which has better device support?

Compatibility is another critical consideration when shopping for a VPN—your VPN will only be as effective as the devices you’re able to connect. For this reason, you should look for a solution that will support all of the devices you and your employees use currently as well as those you may use in the future.

NordVPN offers desktop apps for Windows, macOS, Linux, and Chromebook computers, plus mobile apps for Android and iOS devices. There are browser extensions for Chrome, Edge and Firefox browsers only, so you might be out of luck if you prefer to use Safari or a different open source browser. However, NordVPN supports a wide range of miscellaneous devices, including smart TVs, gaming consoles, and tablets.

Similarly, ExpressVPN natively supports all of the same operating systems and browsers as NordVPN, plus Microsoft Edge and a wider range of smart TVs and gaming consoles. What’s most impressive about ExpressVPN, however, is its support for VPN routers. As smart home and other internet-connected devices become more commonplace (even in office settings), having a VPN connection on the router-level is the only way to ensure all of your online activity is private and secure. It’s also a more convenient and cost-effective way to manage your VPN-connected devices.

NordVPN vs ExpressVPN: What’s the difference in cost?

Unlike ExpressVPN, NordVPN offers enterprise-specific pricing and features through its NordLayer platform. There are three editions to choose from:

• NordVPN Standard: starting at $3.79/user/month; includes malware protection
• NordVPN Plus: starting at $4.59/user/month; adds breach scanning and password manager
• NordVPN Complete: starting at $5.79/user/month; adds 1TB cloud storage and advanced encryption
• NordLayer: pricing ranges from $8/user/month to $14/user/month, billed annually, plus custom pricing plans too. Features range from 100Mbps performance for Lite and Core pricing levels up to 16Gbps performance with cloud firewall and device posture security for the Premium solution.

ExpressVPN doesn’t make its volume licensing rates readily available, so it’s difficult to compare costs directly. For individual subscriptions, there are three pricing options available:

• 1 month: $12.95/month
• 6 months: $9.99/month
• 12 months: $8.32/month

NordVPN vs ExpressVPN: Which has better customer support?

If for some reason the VPN you choose isn’t working properly at any point, it’s important that the VPN provider has clear support channels in place to address your issue. ExpressVPN and NordVPN both offer the same support methods for their customers: self-service troubleshooting documentation, setup and configuration tutorials, live chat, and email ticketing.

However, only NordVPN offers 24/7 phone support to its Enterprise customers. ExpressVPN customers won’t be able to reach the support team over the phone, so sometimes there can be a delay in response.

Choosing the right VPN

NordVPN and ExpressVPN are strong competitors in the VPN market. If you want a solution that won’t log any of your data, has a whopping server volume, and has business-friendly pricing, NordVPN might be the best choice for you. If you do a lot of international travel or want router-level VPN protection, ExpressVPN is likely the better option. To compare these solutions and more, check out our list of Best Enterprise VPN Solutions.

The post NordVPN vs ExpressVPN: Which VPN Should You Choose? appeared first on eSecurity Planet.

Types of Social engineering in cybersecurity attacks

Social engineering can manifest itself across a wide range of cybersecurity attacks:

• Phishing
• Smishing
• Vishing
• Whaling
• Pharming
• Baiting
• Pretexting
• Scareware
• Deepfakes

Phishing

Phishing is a broad category of social engineering attacks that specifically target most businesses’ primary mode of communication: email. These types of attacks usually involve spoofed emails that attempt to impersonate a legitimate sender and convince the recipient to divulge confidential information or click a link or attachment that’s laced with malware.

The social engineering tactics involved with phishing aren’t very sophisticated, but they are effective. Most phishing attacks use only the name and sometimes the contact information of a trusted source. When combined with a feigned sense of urgency and fear, these details are often enough to convince the targeted victim to take the desired action.

Also read: Complete Guide to Phishing Attacks: What Are the Different Types and Defenses?

Smishing

Smishing attacks are similar to phishing except they target victims via SMS rather than email. Smished messages usually contain links that launch a malicious site or download when tapped. Because it’s difficult to preview links that are in a text message, the hyperlinked text may be disguised as an email address, phone number, or other unassuming content a user might tap without hesitation. Smishing attackers typically use social engineering to deceive their victims by impersonating a mobile service provider or other “official” source.

Vishing

Vishing attacks are also similar to phishing and smishing, but these attacks target VoIP and telecommunications services rather than text-based mediums. Voice-based social engineering doesn’t usually attempt to impersonate someone the victim knows personally; instead, attackers try to convince their victims that they are calling from a larger, better known entity like the IRS or a debt collector. Then, the attacker asks the target to provide sensitive information, like their date of birth, Social Security number, or credit card information. In more aggressive cases, the attacker may try to convince the victim to send money via wire transfer.

Whaling

Whaling attacks are among the most successful cybersecurity attacks because they target a narrow pool of C-level executives. Instead of casting a wide net, whaling attackers identify the top staffers at an organization and collect as much information as they can about them. This may include a victim’s professional history and current job information as well as details about their personal life. Then, the attackers try to convince their targets to reveal information about themselves or their business so they might be able to gain access to broader business systems.

Pharming

Pharming attacks involve creating a redirect from a legitimate website to a malicious one. Usually this is accomplished either by deploying malware that changes the target computer’s host files, or by using a technique known as DNS cache poisoning. In the latter approach, attackers target the website hosting server and change the DNS table so that users are redirected to a fake website.

Pharming attackers use social engineering to make the fake website mimic the legitimate website as closely as possible so the visitor doesn’t realize they’re not in the right place. The longer a user is on the malicious website, the longer the attacker has to collect data or launch malicious software.

Baiting

Baiting attacks use physical input and output devices to compromise the victim’s security measures. For example, a baiting attack might involve a USB storage device that’s left on the ground or sent in the mail under the pretense of a giveaway. When the target connects the device to a computer to discover what’s on it, the device automatically launches a computer virus or other type of malware. A baiting scheme might use social engineering to attract victims by advertising something that’s free, or they might simply appeal to a target’s instinctual curiosity.

Pretexting

Unlike other attacks on this list, pretexting attacks require the attacker to gain a victim’s trust with an elaborate backstory. Technology is usually a catalyst for these attacks; for example, attackers might use social media bots to establish a convincing internet presence that supports the story they’re trying to tell. Pretexting attacks are usually played out over a period of time and typically use intricate social engineering strategies to convince the victim to send money or information.

Scareware

Scareware attacks use fear tactics to manipulate the target into believing their device or software is at risk. This is an emotion-based form of social engineering, as the attacker preys on the victim’s lack of confidence in their IT infrastructure. Scareware attacks may come in the form of a pop up that urges the victim to download a critical software “update” or an alert that their device may be compromised. Any action that the user takes in response usually results in a malware launch or a similar kind of attack.

Deepfakes

Deepfake attacks represent a sophisticated emerging trend in social engineering. Deepfakes leverage artificial intelligence and deep learning to make photos, videos, and voice recordings of the attacker impersonating someone important look and sound more convincing. In fact, well executed deepfakes are nearly impossible to correctly identify. Deepfakes are often used in conjunction with other social engineering strategies to deceive victims more effectively. This might look like fraudulent advertising, video calling, or more advanced attack mediums.

See our picks for the Top Secure Email Gateway Solutions

How to prevent social engineering attacks

There are many technologies that can help protect you and your business from social engineering attacks. If an employee mistakenly clicks a malicious link or downloads something they shouldn’t have, you should have measures in place to prevent an attacker from reaching your business-critical systems. These security tools include the DMARC protocol, zero-trust products, and next-generation firewalls.

However, the most effective way to prevent these kinds of attacks is to train your employees to spot social engineering tactics. Share examples of an attacker’s attempt to manipulate a target’s reaction to fear, greed, or altruism and highlight the indicators that it’s something more nefarious. Teach them how to be proactive about detecting an attack by hovering over links to verify the domain or scrutinizing a sender’s information before engaging with an email. Then, test their reactions to simulated attacks so you can address any vulnerabilities before a real attack happens.

Read next: How to Prevent Different Types of Malware

The post What are Common Types of Social Engineering Attacks? appeared first on eSecurity Planet.

Like other areas of diversity, LGBTQ diversity, equity, and inclusion (DEI) are essential parts of the tech industry’s future. Technology has made the LGBTQ community safer and more connected in some ways, but it has also been the source of some harm. Diversity in the workplace is what helps tech companies focus on the former and prevent the latter.

However, diversity isn’t a destination with a clearly defined roadmap for tech companies to follow; it’s a moving target that comes with its own unique challenges. Sometimes the tech industry gets LGBTQ+ diversity right, and sometimes the misses have drastic consequences.

LGBTQ+ representation data can be unreliable

One of the biggest markers of diversity is representation and visibility—if current and prospective employees can see employees who are like them across the org structure, they will be more likely to feel confident in their opportunities. LGBTQ representation, however, is harder to discern than race and gender, for example, because it’s less perceptible. This is especially true in a heteronormative culture that sets the default to heterosexual and cisgender.

Related: Women Comprise Just 11 Percent of Global Cyber Security Workforce

In some situations, assuming someone’s LGBTQ+ identity can create an uncomfortable situation among colleagues. In others, it can create a hostile work environment with serious ramifications. So, LGBTQ+ representation data depends on self-reporting.

This presents another challenge, because workers are unlikely to self-report (even in a blind survey) if they feel it could lead to backlash or bullying. This is with good reason, especially in the tech industry: a 2017 TechLeavers study found that LGTBQ tech employees were more likely to experience bullying (20%) and public humiliation (24%) than their non-LGBTQ colleagues (13% and 13%).

An employee will be less likely to out themselves in the workplace if they fear they may be treated unfairly after the fact, especially if the company culture doesn’t actively create space for LGBT inclusion. This can perpetuate a harmful cycle. Without company-wide measures that address anti-inclusive culture from top to bottom, LGBTQ+ diversity doesn’t have a path forward.

Diversity challenges don’t stop at recruitment

If you think obstacles to diversity stop once your employees have been hired, you’re not alone. In fact, a 2018 BGC survey on global diversity found that many leaders—especially straight white male leaders—believe recruitment is the biggest challenge to an organization’s diversity.

This belief is misguided. Recruitment is a challenge, of course, but even bigger challenges await after an employee accepts an offer. “Hiring people from diverse groups,” the researchers explain, “is easier than successfully addressing the deep-rooted cultural and organizational issues that those groups face in their day-to-day work experience.”

These issues typically arise in areas of retention, advancement, and leadership commitment. Notably, the survey found that heterosexual men aged 45 and older saw these areas as less impactful on the company’s diversity and inclusion than recruitment when compared to the respondents from diverse groups:

This disparity indicates that solutions for creating a more diverse and inclusive environment are more complex than the majority of tech leaders may believe. Instead of solely focusing on measures that will attract a more diverse pool of applicants, a better approach is to look at obstacles across the employment life cycle. Some tactical ways to address these obstacles are outlined below.

Retention

To improve retention, it’s important to weave inclusivity into the fabric of an organization. This includes structural interventions and policies like gender-neutral restrooms and equitable parental leave. It could also include training to bring awareness to and prevent workplace microaggressions—the hostile and derogatory comments that usually fly under the radar, like calling someone’s LGBTQ identity a “choice” or refusing to use their pronouns. These measures will eliminate barriers to diversity that can sour an employee’s experience and cause them to seek employment elsewhere.

Advancement

Advancement often works hand-in-hand with recruitment and retention—no one wants to join or stay with a company that doesn’t offer room to grow, especially if they feel their LGBTQ identity may prevent them from being promoted. The biggest influence here is bias, whether conscious or not. Hosting performance reviews more frequently than once a year and implementing clear evaluation guidelines will help maintain objectivity when it comes to promotion decisions.

Leadership commitment

To effectuate a truly diverse workplace, an organization should present a top-down investment in diversity, equity, and inclusion. It’s more than leading by example; it’s about the leaders of a company recognizing the benefits of DEI and taking every opportunity to create a culture that aligns with those values. This includes allocating resources and funding to initiatives that support DEI goals and connecting those goals to core business strategies.

Tech industry is friendlier than others

Although there are certainly areas where companies in all industries can improve to create a more inclusive culture, the tech industry is home to some of the most LGBTQ-friendly companies in the world. Case in point: half of Glassdoor’s top companies for LGBTQ+ people to work in 2020 were tech companies, including Google, IBM, Microsoft, Salesforce, Slack, and Apple.

The tech industry is still relatively homogenous, and some obstacles still remain. But technology is often more concerned with objective results than anything else, which helps level the playing field. As Ginger Chien, a transgender device engineer at AT&T, shared in a recent ABC News article, “Tech is a place where your performance is really easy to quantify.” In many ways, it’s easier to let accomplishments in the tech industry speak for themselves. This helps put employees from diverse groups on equal footing with everyone else.

The tech industry also has more dedicated resources for the LGBTQ+ community than most other industries. Aside from company-sponsored employee resource groups like Microsoft’s GLEAM program, networking and support groups have formed across the tech industry. These include:

• Lesbians Who Tech
• Maven Youth
• oSTEM
• Out in Tech
• Queer Coders
• Trans*H4ck

The future of LGBTQ+ in tech

The future of the tech industry is only as promising as the diverse group of innovators who will lead the way. Especially with the rise of 5G and artificial intelligence, tech leaders with intersectional identities will be essential to creating benevolent products that are free of bias and potential blindspots.

Read more: Using AI to Promote Diversity in the Tech Industry

It’s already happening. According to BCG, Gen Z and young Millennials are driving diversity and inclusion from the bottom up, and it will take more than superimposing a rainbow on a company’s logo during Pride month to demonstrate inclusivity. Tech companies will need to commit to and prioritize DEI to create a truly inclusive environment that will be attractive to future generations of LGBTQ innovators and consumers.

The post Tech’s LGBTQ+ Report Card: A Long Road Ahead for DEI appeared first on eSecurity Planet.

Open source code—which comprises 80% to 90% of the software development supply chain—frequently contains sensitive information like security tokens, access keys, or passwords. Sometimes this information is added accidentally, but sometimes developers may include these items intentionally to make their workflows more efficient. In either case, BluBracket helps DevOps professionals identify these secrets and remove them from the code to prevent potential hacks.

Notable BluBracket features

BluBracket helps developers and security teams address sensitive information in their open source code. It offers vulnerability scanning and incident management capabilities to identify each secret and track their statuses.Then, BluBracket uses artificial intelligence and machine learning to eliminate false positives and prioritize each classified secret in order of risk.

In each edition, BluBracket directly integrates with Slack and continuous integration/continuous delivery (CI/CD) tools. In the Enterprise and CodeSecure editions, BluBracket fully integrates with single sign-on (SSO) apps like Okta and Azure Active Directory among other applications like Jira and Splunk.

BluBracket advantages

Among many benefits BluBracket offers is its ability to enforce fine-grained security policies. It also creates actionable alerts in real time and helps developers address Git misconfigurations that could lead to security breaches. Then, it can send these action items to a connected SIEM platform so security engineers can streamline their efforts with the development lifecycle.

BluBracket’s analytics and reporting capabilities are also beneficial for organizations that are subject to strict regulatory requirements. Plus, the free Community edition lets users connect with other users in a forum to help answer questions and offer suggestions.

BluBracket disadvantages

Compared to its competitors like GitGuardian, BluBracket does not offer detection for as many secrets. Other code security tools cover a wider range of sensitive data, including SSL certificates and copyrighted code. Some solutions may also be more attuned to the broader needs and workflows of security engineers, which include a wider security perimeter than strictly SaaS-based platforms like BluBracket.

BluBracket pricing

BluBracket is available in four different editions:

• Community Edition: Free
• CodInsights Team: $21/month per developer
• CodeInsights Enterprise: $30/month per developer
• CodeInsights & CodeSecure: Contact sales

The post BluBracket Product Review: Pricing & Features appeared first on eSecurity Planet.

About ManageEngine

The entire ManageEngine product offering is flexible, scalable, and can be deployed as cloud-native or cloud-ready, so it’s suitable for businesses of all sizes. Each solution places a heavy emphasis on auditing and reporting, which is valuable for organizations that are subject to strict compliance regulations. There are also many specific use cases for education, healthcare, manufacturing, government and financial services.

One potential drawback to consider across the board, however, is that most ManageEngine products only support Linux and Windows operating systems, and some products can run on Windows exclusively. This is likely not a deal-breaker for most users, but it could be a limitation for some.

ManageEngine’s key IT security solutions

Among all of the products under the ManageEngine umbrella, there are a few that play a key role in supporting IT security management.

EventLog Analyzer

The EventLog Analyzer product is a log management tool at its core. It’s marketed as a SIEM tool, but it focuses more on collecting and analyzing data from multiple sources rather than taking action to prevent potential threats from causing harm. ManageEngine offers a forever-free edition of EventLog Analyzer for up to 5 log sources, so even small operations can benefit from these effective management tools.

This tool automates a number of log management processes, including collection, normalization, analysis, reporting, and alerts. It also includes controls for application auditing, user access and activity monitoring, file and folder monitoring, and compliance auditing. EventLog Analyzer integrates with help desk consoles like ServiceNow and ManageEngine’s ServiceDesk Plus to advance the threat mitigation process, but prospective customers will need to look elsewhere for advanced features like behavioral analytics or threat visualization.

Firewall Analyzer

As the name suggests, the Firewall Analyzer solution is a web-based tool for managing an organization’s firewall. This includes change management, configuration analysis, security auditing, bandwidth monitoring, and reporting. Firewall Analyzer is vendor-agnostic, so it will integrate with almost any open-source or commercial firewall product.

This module is sometimes used as an add-on to supplement another ManageEngine product like OpManager or Desktop Central. No matter the context, Firewall Analyzer helps monitor activity levels across VPNs, proxy servers, network traffic, and other devices. It also helps IT admins monitor users system-wide and identify those who pose the highest risk based on bandwidth consumption.

Log360

Log360 is ManageEngine’s comprehensive network security and threat mitigation tool. It’s versatile, especially for Microsoft Windows and Azure ecosystems. In fact, Log360 combines all of the capabilities of the following products under one roof:

• ADAudit Plus
• EventLog Analyzer
• O365 Manager Plus
• Exchange Reporter Plus
• Cloud Security Plus

This tool collects logs across many different sources, analyzes the collected data to detect potential threats, and then takes action to stop them from inflicting damage. Log360 also comes with many features like threat intelligence and alerts pre-configured, so it starts monitoring from day one.

Compared to other SIEM tools in the ManageEngine arsenal, Log360 tackles both security information (logs) as well as security events (threats). However, the all-in-one approach has caused some users to report a considerable learning curve when using the platform. Similarly, it doesn’t offer quite as wide a variety of features as some other SIEM tools, so it may not be suitable for large organizations with advanced needs.

Recommended: Best SIEM Tools & Software for 2021

The post ManageEngine Product Review for 2021 appeared first on eSecurity Planet.

What is passwordless authentication?

The difference between password and passwordless authentication methods stems from the core types of information used in the login process. Password authentication is based on knowledge; a user must provide something they know such as an email address, traditional password, or a personal identification number (PIN).

Passwordless authentication, on the other hand, is derived from different types of information the user has. The first type is inherence. With these factors, a user’s identity is verified by their biometric data, such as fingerprints, retinal scans, or voice recognition. These authentication methods are exceptionally difficult to hack or replicate because of how unique they are to the individual user.

Passwordless authentication can also be done via information the user possesses. This could be an email verification link, a physical security card, an authentication app, or a one-time password. Possession factors are also significantly more secure than passwords because they require a user to access a separate device or application in real time.

In either case, the passwordless authentication process requires a pair of cryptographic keys: one that’s private and one that’s public. The private key is unique to the individual user, and since it’s not a traditional password, it’s much more difficult for a hacker to intercept. The public key is hosted on the application or system the user is trying to access with the private key. Access is only granted if the public and private key match, so the public key is useless without its private counterpart.

Benefits of passwordless authentication

In addition to improved security, passwordless authentication offers a number of benefits.

• • Better IT visibility: Passwordless authentication eliminates the variability of an individual user’s password health, so you can maintain a tighter grip on your organization’s security landscape.
  • Simpler user experience: When users can log in using an inherence or possession factor, they won’t waste time or become frustrated trying to remember, update, or reset their passwords. This makes the login process much simpler, so employees can get to work immediately.
  • Cost savings: Passwordless authentication saves money on helpdesk resources as well as the cost of monitoring and maintaining passwords for your users. Furthermore, you’ll be able to avoid phishing and credential stuffing attacks, which could result in a costly data breach.

Examples of passwordless authentication

Passwordless authentication comes in a wide range of implementations. Some require specialized hardware and others may take the form of software that integrates with your existing systems.

Biometric authentication

As mentioned above, biometric authentication involves a user’s specific biological property, like their iris, face, fingerprint, or voice. Usually this method involves a piece of specialized hardware that has biometric recognition capabilities and can connect to a computer to grant access.

This solves the problem of forgotten or reused passwords, thereby reducing the volume of password reset support tickets you’ll need to address. Biometric data is also much more difficult to hack or fake, so you can rest assured that an authenticated user is who they say they are.

Prominent biometric authentication technology vendors include:

• HID
• Jumio
• Daon

Single sign-on

Although some single sign-on (SSO) solutions still require a password, they effectively eliminate all other passwords a user needs. SSO provides a centralized platform for a user to access a large number of applications and systems without needing to use separate login credentials for each one. They’re usually deployed on-premises, but many vendors offer a SaaS option that you can integrate with your existing security software.

A full-service SSO tool also includes a desktop multi-factor authentication (MFA) application so users can have a true passwordless experience. Plus, most solutions offer a backend dashboard through which you can monitor your users’ access and activity across the board.

One of these single sign-on vendors might be the right fit for you:

• LastPass Enterprise
• Duo
• Hypr

Email-based authentication

Email-based authentication takes the guesswork out of the login process for users who are already logged into their corporate email account. This method works similarly to an SSO platform, but users don’t need to log in to a separate account for the sole purpose of accessing the right systems. Instead, users select “Log in with X” at the sign-in page for the integrated application and receive an email notification with a link to finish the login process.

Email-based authentication is somewhat more complex because it requires some development expertise, but it’s a suitable solution for smaller organizations that don’t have as many business platforms to manage. It’s also ideal for employees that don’t have a smartphone, since some other authentication methods require a user to access a mobile application to complete the process.

Consider one of these email authentication tools:

• Swoop
• FusionAuth
• Magic

Identity access management (IAM) software

Identity access management (IAM) software is a broader category of security management tools that control which users have access to specific applications. These are ideal for admins at large organizations who want to set specific roles and privileges for individual users and keep track of how each person is using their access.

For most IAM products, passwordless authentication plays an integral role in maintaining a secure environment to closely monitor each user’s access and privileges. By removing passwords from the equation, you can create a strong barrier around your organization’s applications and systems. This means only the right people will be able to access the right information and resources.

Top IAM software solutions include:

• OneLogin
• Ping Identity
• Okta

Related: What Is a Passkey? The Future of Passwordless

Making the switch to passwordless authentication

While it’s unlikely that you’ll be able to eliminate passwords from your corporate environment completely, reducing the number of password-based authentication instances in favor of passwordless methods will have a tremendous benefit for your cybersecurity posture. You’ll be able to increase IT visibility, improve user experience, and reduce total costs involved with maintaining user credentials.

Whether you choose to implement an advanced solution with specialized hardware or a simpler software solution, an ecosystem with fewer passwords is one with fewer opportunities for a successful malicious attack.

The post Passwordless Authentication 101 appeared first on eSecurity Planet.