Demystifying Cyber Archives | CyberMaxx
https://www.cybermaxx.com/resources/type/demystifying-cyber/
Thu, 26 Jun 2025 20:14:36 +0000

EDR & MDR
https://www.cybermaxx.com/resources/edr-mdr/
Wed, 25 Jun 2025 18:05:19 +0000

The post EDR & MDR appeared first on CyberMaxx.
Demystifying Cyber: EDR & MDR
In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things EDR & MDR. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding EDR & MDR.

For your convenience, we’ve included a transcript of the 17-minute episode below. Feel free to watch the video on YouTube.

Transcript

Organizations keep hearing that they need to detect and respond, and EDR, or a trusted MDR provider, is one of the best ways to do that.
That’s all well and good, but what do EDR and MDR mean? What does an organization need to know and consider when determining which option is the better choice for them?

If security professionals keep saying EDR should be a standard part of our security program, then it’s probably a good idea if we understand the abbreviation, the terms it contains, and what we’re really saying when we talk about EDR and MDR.

Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode of Demystifying Cyber, we define EDR, MDR, and considerations for which one to select as an organization.

The famed author Arthur C. Clarke had three laws when it came to science fiction; his third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

EDR and MDR. In a world of abbreviations, what’s two more? If EDR and MDR are so similar, which seems to be the message out there, then why the need for both terms? Let’s start by breaking down the abbreviations, EDR and MDR.

And since both have “D” and “R,” let’s start there. The good news is that the D and the R have the same meaning in each abbreviation. The D is for “Detection” and the R is for “Response.” So, that’ll help keep things a little simpler. We will get into what each term means a little later, but what about the E versus the M?
E is for Endpoint. Just like C is for Cookie. Endpoint, endpoint, endpoint start with E. Well, that’s simple enough, isn’t it. Hmm? What’s an Endpoint? Yeah, that’s a good question.

We kind of just throw the term “endpoint” out there and figure everyone knows exactly what we’re referring to when we say “endpoint.”
There are mostly two different ways people interpret the term “endpoint” and that can create confusion when we’re talking about EDR.

The broadest definition of an endpoint is, “any device that operates within your corporate environment.” And that really means any device; mobile phone, tablet, servers, desktops, switches, laptop, point-of-sale systems, automated inventory systems, smart TV, smart fridge, smart coffee maker (a critical asset, if ever there was one), an “endpoint” is anything and everything.

When we ask an organization about asset inventories and we ask them to account for all of their endpoints, this is the breadth we want you to consider and document. Generally, though, when a company is considering EDR (and this applies to MDR too), we tend to narrow the scope just a bit.

Your EDR “endpoints” really come down to computers, whether laptop, tower, or desktop, and your servers, physical or virtual. Why such a narrow scope? The reason is what’s available on the market as of this recording. It’s these endpoints that have available agents that are tried and true. Yes, some solutions on the market have an agent for phones and tablets, and depending on what runs your point-of-sale system, an agent for that, maybe an agent for a smart device, like that TV in the boardroom, but they don’t have the operational history like the agents for servers and computers do.

Let’s take that term “agent.” That word gets thrown around a lot too. Single agent, agentless, consolidated agent, call my agent, almost all solutions out there have some kind of “agent” associated with them. Even AI is getting in on the game with “agentic AI.” So, what’s an agent?

Let’s say you’ve decided to go with an EDR solution, which we’ll just call The Farm. The main component, the brains if you will, exists as some kind of central headquarters. That headquarters could be something you build, install, and run in your own data center, or it could be a cloud-platform solution, often called the “console,” that The Farm provides.

That console is where all the data and information is visible to you. It’s where you log in to see data, alerts generated and where you go to triage those alerts, set your configurations, the real functional aspect. All of the intelligence you’re gathering comes back to this central location. It serves as a central intelligence hub. Here’s where central intelligence’s agent comes in.

The agent works for The Farm. Its job is to monitor what happens on the single endpoint it’s been deployed to and report back on all the activity that it sees, so that modules within The Farm can perform an analysis and decide if what it’s seeing is “suspicious, malicious,” or “benign.” The agent is basically a small piece of software that gets deployed on every endpoint. Once it’s deployed, it’s perma-linked to that endpoint and reports back to headquarters, or the mothership, so to speak, pretty much in real-time. Agents can function on their own, but their operating parameters are defined by the mothership, kind of like the alien ships in Independence Day.

So now I have an agent deployed on the servers and computers, my “endpoints,” that operate across my environment. The activity that occurs on each endpoint reports back to the console, where the “magic” happens. Congratulations, you’ve implemented the first step in monitoring your environment. You are getting insight into the activity that is occurring on each endpoint and can be alerted when malicious, or at least suspicious, activity is Detected.
And that’s the D in EDR. Detection. By being able to ingest the activity and analyze it, we’re then able to detect unwanted behavior. There’s a bit more that happens than just “detecting” though.

EDR systems have some form of alerting or notification whenever something is detected that you need/want to be aware of, see what’s really going on. So the D for Detect really has a silent N for Notify or silent A for Alert.

Great, so I’ve monitored, detected, and been notified, but I want to do something about it. That activity you alerted me to is bad, make the bad thing stop, I need to Respond to the bad thing. I don’t want to be aware that it’s happening and just sit there while it wreaks havoc on my company, I want to Respond. And there’s our R.
R is for Response. You want to be able to Stop the activity. You’ll hear the word “Kill” used here a lot with EDR vendors. You can set parameters where the EDR solution itself will Kill and/or Quarantine (exactly what you think it means) that activity or process. The really cool part is you can set a lot of the Response actions to happen automatically within the system and not give up manual review or human decision-making.

If the system seems to be killing too many legitimate actions just because they seem sketchy, you can tune its behavior. Or tell it to alert you but take no further action until you tell it to do so.

Most EDR solutions can isolate that endpoint. Meaning, nothing that’s happening on that one endpoint can get to any other system on the network or even anywhere on the Internet. The only communication an isolated endpoint can have is back to the mothership. The endpoint can only phone home. So, we have any number of response capabilities ready for us to implement now.

Ok, that’s EDR in a nutshell, so what’s MDR? The D and the R are the same, Detection and Response. The M is for Managed, so MDR is Managed Detection and Response. So, what’s the difference between EDR and MDR? The difference lies in who manages the solution.
See, MDR is really Managed EDR. You select a vendor to manage the EDR solution that’s been implemented. The functionality of the EDR doesn’t change, it’s the same for EDR and MDR, but with MDR, you’re offloading the management of the system to a trusted security partner. And that partner is usually an MSSP, a Managed Security Service Provider, specifically an MDR vendor. Notice the M means the same thing in MDR and MSSP? That’s how you can remember the connection and meaning, plus the difference between MDR and EDR.

Your next question is likely, is EDR or MDR better for my organization? That’s a fair question. And it may seem like a simple question of do I want to outsource it or do I want to run it in-house? There’s actually a lot that goes into that decision.

Managing an EDR is a 24/7 job. That’s just the time. That whole Detection component? It requires constant tuning and maintenance, tweaking it until you find that perfect sweet spot where the alerts you’re getting are mostly just the signal amongst the noise. The cyber world changes so rapidly that your tuning is never truly complete. You’re always going back and tuning as the threat landscape changes, as new attack techniques are identified and shared, as your business evolves and changes. Once you have the system tuned, you still need to investigate each alert that is generated for risk and actual legitimacy.

And you can’t do any of that without staffing, and staffing means a knowledgeable team of professionals that have experience and can put items in context. Folks that can really apply critical thinking to the deluge of notifications and intelligence that all these solutions present.

Think of it like this. You own a home. Not an especially large home, but what most folks think of when they think of a typical American home in the suburbs. That home has a lawn, likely some bushes, maybe even a couple of flower beds. You want your home to have a beautiful yard. Well, that means mowing, edging, weeding, and pruning. That’s just the regular maintenance you have to do every week. Then there’s knowing when to plant, managing the soil, being able to identify crab grass, grubs, rot, plant infections or whatever they’re called, knowing when to plant what plants at what time of year, in what soil and maintain the pH of that soil, in a location where they’ll get the right amount of sunlight and shade. That’s a lot of work, a lot of time, and a lot of knowledge you need to have or obtain. Can you really afford to do all that yourself AND have the outcome you want? Oh, and have time for the myriad of other things going on in your life?

Like many suburban homeowners, you’d likely hire a landscaping service. Professionals who have the experience and know the answers to those questions, who can recommend treatments, how to plant and what to plant, lay new seed, mitigate the grubs and other bugs, identify when foliage seems to have become infected and treat it, recommending future steps to avoid it from happening. And when they do the maintenance, the mowing, the edging, the pruning, they know just how to do it, so that the yard remains and looks healthy. Trusting them to carry out that work means you get two things. One, you feel better knowing that this thing of importance to you, your yard’s health, is entrusted to professionals with years of experience. And second, you free up your time that would be spent performing these tasks and research to gain the knowledge required to achieve the results desired, to focus on other areas of importance for your life. You’re gaining in two places, not just one.

That, admittedly somewhat loosely, is what you get when you elect to go with an MDR to implement an EDR solution. And just like with the landscaper, there are additional costs when you do it yourself that you incur when trusting it to experienced professionals.

All that equipment that landscapers use, you would need to buy for yourself. That includes the fuel, replacement blades, sharpening the blades, pruners, trimmers, edgers, seed, insecticide, plant formula, all of it. Those costs recur; they don’t go away. Same is true with implementing your own EDR. All the tools, watchlists, implementations, APIs, workstations, sandboxes, all the utilities that you may not even think of, are a recurring cost. And that doesn’t cover the cost of staffing and training that you would have to incur. Plus, you get the benefit of all the knowledge they gain from working on all the other houses that they service, which allows them to see and diagnose potential issues faster or make recommendations to get ahead of an issue they’ve encountered at another home recently. They’re aware of trends because it’s just a part of what they do. Of course, that will all depend on the value that they provide. Are they doing the bare minimum, mow, trim, prune, preseason clean, postseason clean? Or are they a committed partner? I know which one I’d prefer.

Endpoint Detection Response, EDR, and Managed Detection Response, MDR, are an integral component of what we call, “Continuous Security Monitoring.” Real-time insights, data points for correlation and aggregation, and the ability to respond to threats as they’re occurring, a lot of times at the point of attempted entry, before they get to taking action within a system. Frankly, in today’s business world, having them is table stakes. Insurance carriers will ask if you’ve deployed them, your partners will ask about it, and many of your clients and prospects will ask about it. The days of rolling out an antivirus solution alone are over. Going back to our suburban home analogy, having an alarm system is pretty much the same thing. It doesn’t mean we stop putting locks on the doors and windows, it just means that we acknowledge that times have changed, and having someone be able to monitor our valuable assets for us 24/7 is a must-have. And we trust a service provider to enhance the capability and manage the monitoring, detection, and response for us. Think about it, do you really want to, can you really afford to, monitor and respond to your doorbell camera every time it goes off? 24/7?

And hopefully now you have a better understanding of what everyone means when they’re talking about EDR and MDR, what they provide you, and how they differ when you’re determining which is the best option for your organization. I think EDR is incredibly vital to a security program and hope you do now too.

Until next time, I’m Thomas Pioreck for Demystifying Cyber.

Demystifying Cybersecurity: Getting Back to What Really Matters
https://www.cybermaxx.com/resources/demystifying-cybersecurity-getting-back-to-what-really-matters/
Wed, 04 Jun 2025 12:00:26 +0000

The post Demystifying Cybersecurity: Getting Back to What Really Matters appeared first on CyberMaxx.
Sometimes, cybersecurity can feel like nothing more than ticking off items in a checklist. But it’s important to remember its purpose: building real, lasting protection.

Let’s break down some of the biggest cybersecurity myths, misconceptions, and overlooked fundamentals that put businesses at risk.

Cybersecurity Myths: Why Flashy Tools Won’t Save You

Wouldn’t it be nice if the latest cybersecurity tools could solve your security problems? Unfortunately, this isn’t the case. Relying on technology alone isn’t enough. There’s no one tool, no panacea that solves our security question. Understanding cybersecurity myths and building strong fundamentals is still the best defense.

The Myth of “Set it and Forget it” Security

One of the most common cybersecurity myths is that you can simply “set it and forget it.” With all respect to Ron Popeil, that’s just not the case. A couple of decades ago, you might have been able to get away with implementing a security tool and hoping for the best while you turned your focus to other tasks. Unfortunately, those days are long gone.

Even the most effective tools can quickly become ineffective without continuous monitoring, tuning, updates, and training. Technology is moving faster than ever, and attackers are working around the clock to take advantage of businesses that make common security mistakes.

To stay on top of your security strategy, conduct a thorough risk assessment to define and review your objectives regularly. Continuously monitor network traffic, logs, and endpoints for suspicious activity, and periodically analyze collected data to identify potential threats and vulnerabilities. You can develop and implement appropriate responses according to your organization’s risk tolerance.

The False Sense of Security from AI and Automation

AI and automation improve cybersecurity, but they aren’t infallible. Attackers are constantly evolving and finding ways to bypass your automated defenses, and relying on them too heavily is becoming one of the most common security mistakes.

Human oversight is critical when it comes to making sure your AI-driven security tools work as intended. Most AI tools rely heavily on identifying and responding to patterns. That means they’re useful for finding anomalies that deviate from typical behavior. However, they aren’t as helpful in responding to threats, especially ones they haven’t encountered before.

Designing your systems for collaboration between trained professionals and AI is vital. Human intervention must remain possible when critical decisions arise.

The Most Overlooked Cybersecurity Mistakes: Common Gaps That Put Organizations at Risk

Even companies that take cybersecurity seriously can overlook critical areas. These simple mistakes create vulnerabilities that cybercriminals can quickly exploit and can cost a lot of money to fix.

Weak or Reused Passwords Are Still a Problem

Despite years of warnings, weak and/or reused passwords remain a top attack vector. These passwords are easy to guess, as they often contain personal information, common words, or simple patterns.

According to a 2024 report published by Forbes Advisor, 78% of people still use the same password across multiple accounts.

Unfortunately, it would be difficult to remember a unique complex password for every single account, which means people cut corners. Implementing multi-factor authentication (MFA) and using a password manager are easy yet practical security best practices that can help you reduce risk.

Ignoring Employee Training and Awareness

Even the best-trained employees can’t always be perfect, especially when overwhelmed or fatigued. That’s why phishing remains one of the most successful attack methods.

You can reduce the likelihood of employee errors through building a security-first culture within your organization. That includes implementing regular training and simulated phishing exercises to educate employees on cybersecurity best practices.

Poor Patch Management Leaves the Door Open

Software updates are annoying, and it can feel tempting to delay them. However, unpatched software and outdated systems are among the easiest ways for attackers to gain access.

Your organization should have a structured patching schedule to close these security gaps. You should remove software unsupported by its vendor, and assess your systems frequently for potential vulnerabilities.

Why Compliance Isn’t the Same as Security

Many organizations misunderstand the differences between compliance and security, and they focus on compliance as their primary security measure. While compliance is essential, it doesn’t guarantee your business’s security.

Compliance Is a Minimum Standard, Not a Full Security Strategy

HIPAA and PCI-DSS offer essential guidance on data security, but they lag behind the evolving threat landscape. Updates are infrequent, leaving gaps in coverage for newer risks. That can leave your organization vulnerable.

Attackers Don’t Care If You Passed an Audit

Meeting compliance standards helps protect your organization from legal penalties, reputational damage, and lawsuits. It can also build trust with stakeholders to provide a competitive advantage in your industry.

Unfortunately, none of this matters to attackers. Compliance doesn’t guarantee protection against ransomware, phishing, or zero-day attacks. To avoid these, you need to focus on security.

How to Fix These Issues: Practical Steps to Strengthen Your Security Posture

Fortunately, you don’t need to overhaul your entire security program to stay ahead of attackers. Instead, you can make small, strategic changes. Here’s where to start.

Focus on Security Fundamentals First

Implementing strong authentication through MFA and password policies, such as requiring employees to use a password manager, is the bare minimum. The biggest hurdle is convincing people to set them up.

In addition, regular employee training allows you to bust common cybersecurity misconceptions and teach your employees about security best practices that will protect your business.

Finally, you should implement regular software updates and patch management to prevent attackers from exploiting simple security loopholes.

Go Beyond Compliance with Continuous Threat Monitoring

Understanding the difference between compliance vs. security is essential. Annual audits are necessary for compliance, but they won’t do much to protect you from attackers. To improve your cybersecurity, you should implement real-time threat detection.

Managed Detection and Response (MDR) services from a professional provider like CyberMaxx can reduce your cybersecurity risk by providing around-the-clock protection. With 24/7 monitoring, you can proactively identify and mitigate threats before attackers exploit them.

Work with a Security Partner Who Prioritizes Transparency

Many cybersecurity providers operate as “black boxes.” They may get the job done, but they offer little insight into what’s happening behind the scenes.

CyberMaxx believes in proactively educating businesses with relevant, transparent information. Understanding what’s going on behind the scenes reveals the real threats your organization faces. With that insight, you can make more informed decisions.

Build a Strong Cybersecurity Foundation By Implementing Best Practices

Strong cybersecurity starts with a solid foundation. Organizations can establish genuine, long-lasting protection against evolving threats by educating themselves about cybersecurity misconceptions and addressing common mistakes before attackers exploit them.

Password Managers
https://www.cybermaxx.com/resources/demystifying-cyber-password-managers/
Tue, 06 May 2025 15:05:59 +0000

The post Password Managers appeared first on CyberMaxx.
Demystifying Cyber: Password Managers
In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things password managers. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding password managers.

For your convenience, we’ve included a transcript of the 16-minute episode below. Feel free to watch the video on YouTube.

Transcript

Password managers, or password vaults, are regularly mentioned by security professionals as a critical tool for securing our accounts. But what are they? How do they ease the burden and confusion for managing our accounts? How do they help us follow current “best practices” for our passwords? And is a digital vault really the only “secure” method? Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode, we’ll unlock the mystery and clear the confusion around Password Managers.

The famed author Arthur C. Clarke had three laws when it came to science fiction; the third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

It’s probably no surprise to anyone that the average person is responsible for managing over 100 accounts, when we consider what we manage and maintain for work and home. That’s an awful lot of identities to remember, enough to make Jason Bourne confused. Add to that the latest and greatest “best practice” recommendations for credential creation. Create a unique password per account, with each password having a not so insignificant number of characters, at least 15 but better to get into the 20s, usually requiring a complexity component, that’s when we’re told the password needs to contain uppercase, lowercase, numbers, symbols, but not all symbols, only these six or seven, which change depending on the platform. Oh, and don’t use passwords, use passphrases, but make sure those are random words too, nothing personal, like “I like turtles” or anything. Random, everything completely random. Then, don’t forget a single one. It’s total chaos, anarchy, dogs and cats living together, mass hysteria! And some security practices even recommend varying your username per platform, not just going with the same email address as an account name. That one email address that you’ve used to sign up for almost all those accounts. None of this takes into account that human brains aren’t designed to function this way.

And a lot of those accounts, they want us to set up “security questions,” questions that only we should know the answer to, in order to verify our identity to gain access to the account when, inevitably, we forget which of the hundreds of variations of “YankeesRule2010” we used, or act as some kind of weak MFA process (check out our episode on MFA, multifactor authentication, not so shameless plug). The solution to that, according to privacy paranoid security wonks such as yours truly, is to vary those answers too. Make ‘em up. Lie. See, the bank, credit card company, gambling site, gamer site, whatever, doesn’t actually know your mother’s maiden name, or the street you grew up on, or who your favorite elementary school teacher was, they just want to have a question to verify you against, so they’ll accept whatever answer you give them. (Let’s put aside the fact that most of the real answers are so easily discoverable thanks to social media, it’s trivial to bypass them.)

So, with all that going on, how is one person supposed to keep all that straight in their head? It’s not like you don’t have a great variety of info rattling around the ol’ gray matter and there’s only so much capacity. If you’re going to remember more, then something is likely to get pushed out. I don’t know about you, but I don’t think I could get away with forgetting an anniversary or birthday with the explanation, “Look, I needed a login for the LEGO site to open an account and get VIP points, once that went in the old cranium, something less critical had to go.” Luckily, there is a solution that covers almost the entire conundrum in its entirety. Password managers.

Password managers, also known as password vaults, allow you to manage all the login and account information and data we just covered, in a single location. In fact, given that there’s more than passwords, sorry, passphrases, that they help you with, I argue that we should really refer to them as credential managers or identity managers. But I also didn’t hate New Coke as a kid, so take that idea with the requisite grain of salt. To keep things simple, we’ll just refer to them as password managers in this episode, but remember, they can do a lot more than help you just manage the passwords.

Sounds great, dude, so what is it? I’m glad you asked. Password managers are applications that allow you to generate random passwords or passphrases, on demand, and save them to what is typically called your vault. The random generator component can also simply be copied and pasted, which is where we’re able to utilize them to generate random answers to those ridiculous security questions. We all know those, you enter username and password, and you get the computer version of, “none can pass by me, unless you answer my questions three.” You can use the same random generator utility to create those unique usernames, provided that the account you’re signing up for isn’t forcing you to use an email address (and seriously, if your company has decided to force email addresses as usernames, stop it. Like eating other people’s lunches, stop it.) There’s also usually a notes field, which means you could save the security question and your random answer to the same entry as the account itself, we’ll cover all the eggs in one basket thing later. What’s more, the password manager will connect the URL, that’s the web address, for the site where you’re connecting the account as being associated with that account, and only prompt to fill it in automatically, oh, yeah, a lot of them will do that with a nice browser plug-in, so you don’t even really need to know if you’ve already created an account for said site, the password manager will just offer to enter the proper username and password combo. So, if you encounter a malicious, imposter site that looks like the web site you have an account on, the password manager wouldn’t find a match to the URL and wouldn’t offer to input your real credentials, thus adding a layer of protection when it comes to a component of many phishing attacks. Something I know everyone in my company is going to receive at some point. And as a business, that extra layer of defense boosts security without impacting productivity. 
You’re now adding a layer of protection with URL recognition that mitigates when someone clicks on a malicious link and takes them to a login impersonation site.

But wait, there’s more! Do you have personal Wi-Fi at home or at the office? Sure, you do, we all do. Did you know you should create a custom name for the wireless network and change its password as a best practice? But again, you don’t want to create something simple? That’s right, the password manager and its random generator can help you here too!! And many password managers have a simple “sharing” feature, where you can select certain individuals to share specific accounts with (yes, you should do this sparingly) and you can just provide access to that folder to the others living in your house. This is usually part of their family plans. For a business? I can have the Wi-Fi for the office changed whenever necessary, simply updating it in a company-wide share and just send a message to everyone that the password is updated in the folder. Personally, I prefer to enter the creds into each device or just share the password one-time verbally, but my family already knows I’m paranoid and nuts, but they love me, so they humor me. (There’s a lot of nodding to me, then I’m pretty sure I’ve detected a lot of shared eye rolling when I look away, but again, I’m a paranoid kind of guy.) But to take that same one-to-one communication of the password change within a company? Yeah, no thanks.

That’s a lot of good for one solution to provide, isn’t it? Granted, a lot of that convenience comes from it being a technology-based solution, and yes, there are risks which we’ll get to later, but let’s talk “digital.” There was a time, quite a few years ago, when a lot of security folks, and I’ll admit that I was one of them, would see physical password diary books for sale in a bookstore (I know, right, I go to actual, physical bookstores, just to look around, and sometimes, crazy as it sounds, buy physical books. God, I feel old.) We were equating writing something into a physical record book with leaving your password on a Post-It note at your desk in the office. Both were about writing something down in a physical location, so both had to be bad, right? We were wrong and close-minded. Yes, leaving passwords written down around your desk at work is a bad idea. There’s too much uncontrolled and random access there for you to presume that no one is ever going to see that handwritten note. But these password diaries were sold as something for you to keep at home or carry with you in a bag (though I don’t like that part). Do they have the random generator? No, of course not.

However, you can still create random passphrases when you’re at home and using a physical notebook. Just pick up a couple of random books or magazines you have laying around the house, really anything with text, pick no less than one word from three of them at least, and string them together in your little notebook. Bingo, bango, you’ve got a random passphrase. Same for creating a random answer to a security question, Wi-Fi password, security phrase for your alarm company.

What you don’t get with the physical notebook that you do get with its digital counterpart is that URL recognition, so you need to be more mindful when going to websites and entering in the credentials from your book. So why did so many of us acknowledge the error of our ways and come to appreciate the Prequels, sorry, I meant, physical password books? It’s all about threat modeling (which is a whole topic on its own). Basically, you need to look at the entirety of what the threat is that will realize the risk you’re protecting against. The people who prefer the physical notebooks are likely not technically inclined, which also likely means they’re only using their passwords on their home computer at their home. So, the only way for their written passwords to be discovered is if someone breaks into their home, rummages through the desk, and finds the notebook. Not an impossible scenario, but I argue if that were to occur, you’d have a lot more concerns than just that one notebook. It’s the same reasoning I don’t cover my webcam *gasp*

I know! Sacrilege. But here’s why. If a threat actor is watching me through that webcam, in my view, I have bigger problems. That means they’ve somehow compromised my computer to gain control and access the webcam. That’s a much bigger issue for me than someone seeing my regularly confused face as I look at my screen.

The long and the short of it is that the paper version of these managers got a bad rap, and a lot of security folks are to blame. Now, leaving passwords written down around your desk is still a very bad practice but it’s not the same as a book at your home, locked away in your desk. Having a spreadsheet saved with our credentials also isn’t good because once the computer is compromised, our passwords are gone too.

Now, for all of you yelling at the device you’re seeing or hearing this through, let’s address the “all your eggs in one basket” question. Yes. Yes, if you do this, yes, you are putting all of your eggs in one basket. And given today’s prices, we’re hesitant to risk all of them in one location. I get it. How’s it any different than ye olde spreadsheet? Well, the password manager will sync across devices. It’ll also identify the right URL according to what you’ve set for the account. It is more likely for your computer to be compromised than the vendor’s vault system, though, if we’re being transparent, there have been a couple of hiccups over the years. But we have MFA to apply to the account. And it allows us to quickly change our master password, then go account by account to change those. Or you can get a little creative.

Let’s say you don’t want to put your faith and trust entirely in the credential vault, what are some things you can do additionally? Two quick examples of practices that I know a few people follow.

One, have a custom suffix you add to the generated password saved in your vault that only you know. It’s not the same as using the same password across all accounts, we’re just manually adding a few characters at the end of that randomly generated password. The other method is having two password managers and using them in tandem. Huh? Yup, two of them. You have Vault A and Vault B. They don’t know about each other, but you do. As far as the vaults are concerned, they’re the only one. A strong method for improving password security, lousy method for managing personal relationships. You store the first half of a password in Vault A and the second half in Vault B. Sure, it’s double the copying for when it’s time to login but this method does provide that extra layer some folks are looking to have. Again, the level of complexity and extreme all comes down to your personal threat model.

I think we can all agree that the number of accounts we’re going to need to manage is only going to increase and not insignificantly. The generations after us are only going to have it worse. I think password managers are a great tool and they’re relatively simple. There are more than a few “normies” that I’ve shown them to, helped them set up and use them, and they haven’t looked back since. And the younger generation are extremely tech-inclined, so starting them early shouldn’t be an issue at all. Let them learn and remember safe browsing habits, how to maintain privacy online, and not have to keep all those ridiculous passwords in their heads like so many of us struggled with.

Are passwords the best solution for securing accounts? Almost all signs point to “no,” but they are the most prevalent. So, we’re not doing ourselves justice by scoffing at them, and telling folks to move on to passwordless, passkeys, or whatever the new hotness is, that’s even more technical.

So, in the meantime, for ease and convenience, we have password managers. They’re simple and effective. And hopefully today, we’ve “unlocked” their secrets for you. See what I did there?

Until next time.

Multifactor Authentication (MFA) https://www.cybermaxx.com/resources/demystifying-cyber-mfa/ Wed, 02 Apr 2025 10:09:31 +0000
Demystifying Cyber: MFA
In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

MFA is the abbreviation for multi-factor authentication. You may also have heard of its close cousin, 2FA. That would be two-factor authentication.

Tom Pioreck, CyberMaxx’s CISO, will be diving into MFAs. While MFAs can be annoying, they are also critical at reducing your risk of being victimized through one of your accounts. It’s why we feel that this was an important first episode for our Demystifying Cyber series.

For your convenience, we’ve included a transcript of the 25-minute episode below. Feel free to watch the video on YouTube.

Transcript

The famed author, Arthur C. Clarke, had three laws when it came to science fiction; the third law is, any sufficiently advanced technology is indistinguishable from magic. We’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding. This is “Demystifying Cyber.”

Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode of “Demystifying Cyber,” let’s lift the veil on MFA, multifactor authentication.

What would happen to you if someone was able to access your bank account and transfer all of your money out? How would you feel if your friends and family were scammed out of significant money because of an email “you” sent them? Would you feel violated if someone used your email address, after they took control of it, to conduct widespread fraud and scam dozens of strangers, if not more, out of their life savings? What if all of your family and friends became targets just because you had them in your address book? Do you want strangers accessing and manipulating your emails, savings account, retirement accounts, financial investments, medical records, utility bills and accounts, or your social media? Of course you don’t.

But all of those are possible scenarios that we decrease the chances of happening significantly when we implement MFA, multifactor authentication, on our accounts. Sure, MFA can be annoying, it can feel like it’s interrupting your flow, but those are the benefits it provides you. It greatly reduces the likelihood that any of those horrible situations could happen to you. And really, it’s a grand singular benefit. It helps you keep all of those accounts, with all of that personal information, within your control only. It greatly reduces the odds of you and your loved ones being victimized through one of your accounts or “in your name.” Do you want it to be your account that leads to a massive security incident at your job that could potentially lead to the company having to close? Or lay off a lot of your friends and coworkers? Not because it’s your fault. Just because MFA wasn’t enforced for the account.

Let’s acknowledge the ugly truth about people and MFA. We don’t like it. We find it annoying, a tedious extra task that just prolongs this simple thing I’m trying to get done so I can move on to the next thing. All I want to do is check my email so I can see when the fantasy football draft is, what’s the big deal? It’s just a quick login to my bank to confirm I have the funds for that new LEGO set that was finally released. All I want to do is log in to social media so I can take a picture of this sandwich, say it’s basic, give it zero stars, and throw on a bunch of trending hashtags because I’m an influencer in training. What’s so critical about any of that? Fair enough. But if you’re looking to be an influencer, if your social media accounts have your personal thoughts and reputation, are you willing to lose control and access to them?

Then there’s the actual logistics of using MFA. Sat down at my computer but I left my phone charging in the other room. Now I have to get up and go get the phone, just to confirm I’m me by clicking an app or entering some dopey code? I’d love to login right now but I was in a rush getting everyone out the door this morning before I came to the bank to process this loan application and forgot my phone. Or you misplaced the security token you use for MFA. Or you took that tray of muffins out of the oven when you were distracted and burned your fingertips so badly, now your fingerprint is no longer valid. Okay, that may be a bit of an extreme example. Moral of the story is always use oven mitts.

I get it, I do. Sometimes I have those same thoughts and feelings. I just need to do this quick little thing and this extra MFA step is going to take almost as long as the thing I’m logging in to do. So I have that feeling. But I know. I know why it’s important.

It’s not necessarily there to only prevent a malicious intent. It’s there to help guard against a negative outcome. So I appreciate that little bit of delay.

All right, so all that being said, what exactly is MFA? MFA is the abbreviation for multifactor authentication. You may also have heard of its close cousin, 2FA. That would be two-factor authentication. What’s the difference? Not much really. 2FA is just setting the number of factors, two. That’s it. Multifactor means it’s at least two, could be more, depending on the system. Top-secret defense systems may have more than two. You need to swipe your badge, enter a PIN, and then submit to a palm or retina scan. I’m not advocating that we do that for all our accounts, just illustrating that it is possible to have more than two.

In security, we classify potential authentication factors into three basic categories. Something you know. Something you have. And something you are.

Multifactor means that you are providing authentication of your identity using at least two of those categories. You don’t want to double up on just one of them, you need to include at least two of the categories. Okay, that’s great, but what do they mean? Glad you asked.

Something you know is a PIN or password. It’s in your head, something you know. Now some of you may be using password managers or vaults, and that’s great, but those passwords still count as something you “know.” Does that make the most sense? Maybe not, but them’s the rules. Another authentication method we’re all familiar with are the security questions. Some platforms don’t provide for the something you have or something you are categories, they just pile on the something you know. Account recovery questions tend to fall into this category. You know the ones, when you’re signing up and creating that account, you’re asked to select your recovery questions. We’re all familiar with them. What’s the name of the street you grew up on? What’s your mother’s maiden name? What was the first car you owned? What is the airspeed velocity of an unladen swallow? You know, generic questions that only you should theoretically know the answer to.

Well, here’s one of the problems with those questions. It doesn’t take someone long to figure them out. Especially malicious actors. There’s a whole field called open-source intelligence, OSINT for short (what’s with security people and the abbreviations?) It can be a whole episode on its own, but basically it’s learning facts and information about people from publicly available sources. Say, like, your social media account, which you didn’t set to private. So when you talk about growing up on Elm Street and remember Freddy, the nice old man who lived up the block. When your mom wishes you a happy birthday and her account clearly denotes her maiden name. Or that remembrance post about Santa’s Little Helper, that first great dog you had. It takes a skilled OSINT practitioner less than a day to gather up all of the information that we’re usually asked to provide as additional “security” questions.

Now here’s the fun part. You know those questions those accounts ask you, the ones we’re talking about that ask you to provide answers to personal questions so that you can prove you’re you? Lie. Make up your answers. Remember, these systems don’t know what the right answer is, they think they’re doing you a favor by providing simple to remember security questions. Just make stuff up.

A password manager is great for this because it will randomly generate passphrases or passwords. It’ll even allow you to save the questions and generated responses. Yes, there’s an argument that you’re putting all of your eggs in one basket, but we’re balancing security with usability. Then you just keep a list for each account for the question and answers. If you were to go by security questions across my online accounts, you would discover that my mother has had close to 20 different maiden names and the majority of those aren’t even words. Which makes it a bit more entertaining when the customer service rep asks you to confirm your mother’s maiden name and you say, sure, it’s “E@3rtwX*9$kKt.” You could also just use random words you’ve come across for the answers too. So when they ask for your mother’s maiden name, you get to respond, “puppy monkey baby.”

Where was I? Right, something you know. So that covers PINs and passwords. Not really enough on their own. Especially passwords because of how many breaches have occurred over the years. You basically have to accept that most of your passwords have already been compromised and it’s just a matter of time before some threat actor comes along and tries them against every kind of web account there is. They could try to run what we call a spray-and-pray attack. Basically, they just throw every username and password combination they have at a system and see which ones the system accepts. Now, if you have MFA, that spray-and-pray attack alone won’t get them that access. They now need to go after your MFA. So we’ve made it a little more annoying to them.

Next up, something you have. We’re not talking about a sunny disposition, a knack for Sudoku or brown hair or freckles. No, we’re talking about something physical, something you can hold in your hand. Your phone fills in a lot here. You could have a security token, like this. This is a Yubikey. It plugs into the USB port on your device and when it’s set to be your MFA device, when you get prompted, you just touch this gold circle here. Some, like this one, also have NFC tech, that’s near-field communication. It’s the technology that allows you to tap your phone or credit card to initiate a payment. You can use the NFC tokens on a modern iPhone and many Android phones because it’s the same tech that lets you use Apple, Google, Samsung, whatever Pay. It could be a card. Some orgs will have their identity badges double as a security card. You swipe or tap your card for entry. For some locations, you have to swipe/tap your card and then enter a PIN.

That’s multifactor in action. Smart for an office processing confidential information, not so great when it’s on the bathroom door.

But the biggest player in the something you have space, and we already talked about it briefly, your phone. Nowadays, we always have our phones on us. Authenticator apps are apps that you install on your phone, Google, Microsoft, and Duo are the big players here, and you go there for a verification code. Some allow you to opt for a simple push notification, where all you do is click the button when prompted after entering your username and password.

And while that push notification is convenient, security folks have started to move away from it. See, once we come up with an additional way of protecting information, threat actors set about finding a way to get around that protection.

And they figured one out for those push notifications, it’s called MFA Fatigue, also known as MFA Bombing or MFA Spamming (again, if it’s not the plethora of abbreviations, us security folks can’t help ourselves when it comes to giving the same thing multiple names.) Let’s remember that MFA is helping protect our accounts by adding a layer of protection, protection for when our username and password is compromised.

Once an attacker has the username and password, they just bombard the system with login attempts that generate the push notification to your device. So an unexpected push notification could be a good indicator that your credentials for that account are compromised and you should login and change them for that account, plus any other account where you’re using the same password, which we all know you aren’t because you shouldn’t be, but just in case. What they do is just bombard with prompts, over and over again, until they wear you down and you finally click Accept just to make the notifications stop. So security people prefer the code.
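The same pattern that wears a user down is also visible from the defender’s side of the identity provider’s logs. This added example (written for this page, not from the episode or any vendor) runs a simple rate rule over constructed authentication log lines: flag any user who receives five or more push challenges inside ten minutes, and note whether an approval arrived once the burst was under way. The log format, user names and timestamps are all constructed sample data.

```python
"""Added example: spotting an MFA-fatigue burst in authentication logs.

Everything here is constructed sample data: the key=value log format, the
user names and the timestamps are not any vendor's real format.
Rule: a user who gets THRESHOLD or more push challenges within WINDOW is
flagged, and an approval inside the burst is recorded separately because
that is the "finally click Accept" outcome the transcript describes.
"""
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: one MFA challenge per line.
SAMPLE_LOG = """\
2025-04-02T09:00:10Z user=carol method=push result=approved
2025-04-02T09:12:40Z user=carol method=push result=approved
2025-04-02T09:15:01Z user=alice method=push result=denied
2025-04-02T09:15:44Z user=alice method=push result=denied
2025-04-02T09:16:30Z user=alice method=push result=timeout
2025-04-02T09:17:12Z user=alice method=push result=denied
2025-04-02T09:18:05Z user=alice method=push result=timeout
2025-04-02T09:19:51Z user=bob method=totp result=approved
2025-04-02T09:20:02Z user=alice method=push result=denied
2025-04-02T09:21:30Z user=alice method=push result=approved
2025-04-02T09:24:15Z user=carol method=push result=approved
2025-04-02T09:36:00Z user=carol method=push result=approved
2025-04-02T09:48:20Z user=carol method=push result=approved
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> key=value key=value ...' into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_push_bursts(lines, threshold=THRESHOLD, window=WINDOW) -> list:
    """Return one alert dict per user whose push challenges break the rate rule."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    per_user = {}
    for e in events:
        if e.get("method") == "push":  # code-based challenges are not spammable this way
            per_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, pushes in per_user.items():
        recent = deque()  # sliding window: challenges no older than `window`
        alert = None
        for e in pushes:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                if alert is None:
                    alert = {"user": user, "first": recent[0]["ts"], "count": 0,
                             "approved_after_burst": False}
                alert["count"] = max(alert["count"], len(recent))
                alert["last"] = e["ts"]
                # An approval arriving once the burst is under way is the
                # signal that matters most: the user may have given in.
                if e.get("result") == "approved":
                    alert["approved_after_burst"] = True
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Carol’s five pushes are spread over most of an hour and never breach the window, while Alice’s seven in six minutes do, and her final approval is exactly the event a responder would want paged.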

You’re probably familiar with entering a code from an app, a lot of the companies we work for have already implemented it. You set up the account in your authenticator app, you login and are prompted to enter your six-digit code. You open the app, find the account and just enter the six-digit code that’s in the app into the prompt and you’re in. Did you ever notice that app has a countdown? Those codes aren’t static, if you haven’t noticed. See, when you first set it up, there’s a whole bunch of math that gets set up and triggered to generate a seemingly random code on your phone but the same math is set up for your account on the system, so the same algorithm runs every 30-60 seconds so that your phone and the account generate the same secret code. That’s how it knows they match. Kind of like those annoying couples that always finish each other’s sentences in unison.

Then there’s SMS, which is the technical name for text messaging. You provide the system with your cell number when you’re setting up the account. Then, when you login and enter your username and password, the system says they’ve sent you a message with your code and provide the field to enter the code they sent. Within a minute, your phone notifies you that you have received a text, and that text tells you that here is your code. You type in the code, usually six numbers, something more, rarely less, hit Submit or Enter, and the login completes. The close cousin is the email notification. When you set up the account, you’re asked if you want to use text or email or either. Then at login, it asks you how you want to have your code sent, text or email. Selecting email works pretty much the same way the text, sorry, SMS, method does, except you get an email with the code, instead of the text.

Now here’s where we get into an issue with text and email. First, email. The presumption the system is making here is that you still control the email account being used. But what if you’ve lost that access? Let’s say your email account is already compromised and under control of a threat actor. Well, they’re in charge of the verification system you’re sending the code to. So the benefits of having MFA set up go right out the window. Oh, sure, we know you have MFA set up on your email accounts, didn’t forget any, and haven’t fallen for an MFA compromise on your email account. And here’s something else, this is supposed to be something you have, as in, it’s in your physical possession. Would you say that your email account is in your physical possession? Yes, granted, you’re getting it on your phone or computer, and that is in your physical possession, but is an email account really in your possession? I say no, it isn’t, so let’s not use it in a manner intended for something in your possession.

There are a lot of security people out there that pull their hair out when they hear someone’s using SMS as their multifactor. Or if a vendor offers SMS as the only choice when setting up an account. Like, well, why even bother having it in the first place? But we don’t really do a good job of explaining why we feel text is weak, really a notch above email, when it comes to setting up a multifactor option.

So here it is. There are a number of ways your cell number, not even just the phone, but your cell number can fall under the control and access of someone else. Let’s start with the simple one: you lose your phone or I steal your phone. It takes minimal training to look at the finger smudges on the screen of a phone and trace the Cheetos outline to figure out what your PIN or pattern code is. Oh, you use your face to verify? Sure it’s simple and it sounds very secure but it’s not foolproof and not too hard to crack. In fact, the amount of techniques threat actors have devised to unlock your phone with your face, with your sometimes willing help, could be its own mini-episode.

But the big one that security folks always get into is SIM-swapping (hey look, yet another abbreviation). This is accomplished by a threat actor getting a different physical phone with its own SIM card, then calling your wireless provider and convincing the customer rep that the threat actor is you and having your cell number moved from your device to theirs, which means they now have a device that gets all your calls and texts. So the MFA code goes to their device. Now I know a lot of you enjoy your police procedurals and heist movies, and yes, it is possible to clone your phone to achieve the same ends. The endgame is the same, you are no longer in sole possession of devices receiving your calls, texts, and most importantly for our purposes now, verification codes.

Now, I’m a Gen X kid who grew up on punk rock so it’s in my nature to sort of buck the general notions. SIM-swapping is real and it is a threat but it’s also generally only used in highly targeted attacks against an already known high-value target. And while it is important that we are aware of the limitations for SMS as a solution for our MFA and opt to use the better methods when they exist as an option for us, it’s also important that we acknowledge that something is better than nothing. If the only lock you have on the front door of your house is the latch in the door knob itself and I told you that it’s the weakest method, would you decide you were better off to not have any lock at all? Of course you wouldn’t.

The third category is “something you are.” We’re not talking about being a Yankees fan or a Swiftie here. This something you are must be what’s called, “immutable.” That means it’s something that does not or cannot change over time. This is the category for biometrics; fingerprints, palm scans, retina scans, all of those. The logic is that only you have your fingerprints, retina scan, or other biometric markers. And while true, we must also acknowledge that there have been plenty of instances where someone has figured out how to beat a biometric scanner. Yes, Hollywood has shown us many ways, from the ingenious technical to the somewhat gory physical, but the actual methods are even broader and less messy. Then there’s the notion that these items don’t change.

I met someone that worked in security and couldn’t use their fingerprints for biometrics. Well, really, they couldn’t use their fingerprints anymore. They’d had a tragedy at their home where a horrible fire had broken out, and in the course of saving some of their possessions, they had suffered significant burns on their hands and fingers. Burns significant enough that their fingerprints were lost. So not only did that mean they could no longer use their fingerprint to establish an authentication factor, it also meant that any account where their fingerprint had been that factor, they could no longer use it to login. Also, despite what CSI and Dick Wolf’s universe may have led us to believe, our fingerprints aren’t as unique as many of us think.

Then you have one of my favorite stories involving a retina scan. A senior military officer was thrilled to learn that they were pregnant but since it was still the earliest stages of the pregnancy and because of their work, they were waiting before they shared that fact with a larger circle that would include friends and colleagues. One day, they arrive at the military installation where they worked, which had heightened security for entrance that included a retinal scan. A scan they had used many times before to gain entry. Steps up, scans their eye, negative. Tries it again. Buzzzzzz. And again, red light, no entry. Annoyed, and somewhat frustrated, they contact the point person for the system to report the issue. The technician responds, checks the system, checks the pattern on file and the pattern in their eye, and makes a simple pronouncement. “Oh, it’s because you’re pregnant. I’ll just make an adjustment for your new pattern.”

See, there are changes that occur to the retinal pattern that are a natural part of pregnancy. It usually reverts to the prior pattern after pregnancy. It’s normal, healthy, and not indicative of any concern. But what it does do, is cause an issue with verifying your identity against the retina pattern on file. So because of one technician’s awareness of retina patterns and what can cause a false negative, this officer’s personal secret was no longer a secret.

There’s also the story of a journalist who was able to take a high-resolution photo with their cell phone’s camera of an EU leader during a press conference. The image of the photo was good enough for them to extract a retina pattern. One 3D-printed contact lens later and they were able to beat the retinal scanner. So again, while great and mostly immutable, not perfect.

And that’s important to remember. As secure as any of these methods are, none of them are perfect, nor foolproof. It’s a matter of which one works best for you and fits your security threat model.

In fact, multifactor authentication can be seen in some of our favorite Hollywood films, Crimson Tide, War Games, Hunt for Red October, each address MFA as part of their larger story. Who can forget the tense scene between the late Gene Hackman and Denzel Washington? The soldier at the beginning of War Games that turns his key and then proceeds to yell at the late John Maloney to turn his key, even going so far as to pull his weapon and train it on John Maloney. Or Tim Curry’s reaction in Hunt for Red October, when Sean Connery, the great Russian sub commander with a Scottish accent (huh?), announces for the record that he has taken the deceased political officer’s miss-ile key, and is, “keeping it for myself.” And Curry’s doctor reminds him that the reason for two missile keys is so that no “one man may arm the miss-iles.” It’s all about multifactor authentication. Ensuring that two separate actions are needed for the process to continue. Now, am I saying that logging into my email is as critical as ensuring a proper nuclear launch, no, of course not. But would you watch two hours that hinges on me getting a code on my phone? I doubt it.

Ok, so now we’re clear on what it is, why it’s important, what constitutes the different factors, and that it’s not about hindering us from making a mistake, though it can be used as a quality check there, but there’s one big question left to answer: how? This is great, guy, but how do I set it up for my email, my financial information, my business and its operations? Good question. Let’s go over some simple ways we can set up MFA.

Setting it up for personal accounts is relatively simple. My recommendation? First pick an authenticator app. Generally, it doesn’t matter which one, they all function in the same manner, and as the user, there’s no cost calculus. The cost to set up and implement an authenticator app falls to the platform provider, the vendor that’s supplying the access to the account you’re using. Dirty little secret? You’re going to wind up with more than one installed on your phone and that’s fine. Yeah, it can get annoying remembering which accounts had to use X, when your default is to use Y, but you’ll be surprised how quickly a lot of that sticks in your brain and becomes second nature. Now I know I said SMS is fine for most people but we want to take that little extra step, especially since it’s pretty simple.

The next time you’re in your email, go to its Settings section. There you’ll see Security as one of the menus and within there is usually where you can opt in to MFA or 2FA. You should see options to “Enable Multifactor Authentication.” Then it’s just a matter of following the wizard they present you with. For an authenticator app, they’ll usually present you with a QR code to scan from within the app. That’ll set the account up in your app and the rolling code will be present. Then you simply enter in the corresponding code to confirm it’s set up and working, and voila, you’ve implemented MFA.

What if the only option the account offers you, say your bank, is text or email? Change banks immediately. I’m kidding. Set it up with the SMS option over the email one. And feel free to send them an email asking when they expect to offer OTP (that’s the whole authenticator app thing, look more abbreviations) or security keys or tokens?

If you’re a company and want to implement it for the business, good news: you likely already have a lot of options available to you, and they’re likely included in your current SaaS (that’s Software as a Service) and other cloud solutions. It’s simply a matter of working with your vendor to determine how to turn it on and roll it out across your organization. Word of advice: start small and in groups wherever possible. And communicate with your people that you’re planning to roll this out, when to expect it, and which applications will be covered when. Then send reminders. Resistance is natural, especially when we feel like friction is being added to our days, so be clear about it. Don’t turn it on across every system all at once. Plan it through with your business leaders, security teams, consultants, and your vendor.

If you’re feeling really ambitious at home or the office, opt to use a security token, the hardware solution. Like this one here. They’re great, simple to use, harder to bypass, but there is a cost consideration since you have to buy them and replace them if lost or stolen.

Once you’ve set up your authenticator app, make sure you’re backing it up. It can usually be included as an app that’s being backed up as part of your phone’s operating system’s standard backups. The last thing you want to do is set this all up, get a new phone, set that up, and then realize all of your verification codes were left behind. And if all of this feels daunting to you personally, start small. What accounts have the most important information to you? Start with those. For most of us, that’s email and financial systems. Just have a plan that the next time you log in to an account, you’re going to take the less than five minutes needed to turn on and set up multifactor for that account.

And that’s just about it. We’ve covered what MFA is, acknowledged the pain points that some people perceive about it, how it improves the protection of our accounts, and how to get started. There are plenty more details and intricacies we can get into, but this should be a pretty good introductory primer on the basics. Remember, security is about balancing friction. It’s not about making it difficult for ourselves to access what we need when we want, but making it harder for an unauthorized party, a threat actor, a bad guy, to do so. It’d be great to come home and just open the door and walk into the house. But I’m willing to have to wait a little longer to get the key out, unlock the door, and turn off the alarm, even if I neglected to hit the restroom before heading home and I’m in “a bit of a rush at the door,” so to speak. Next time you have to enter that code, smile. It’s a reminder that the little extra protections you’ve put in place are working and that your accounts are more secure than they used to be with just a password.

If you have questions that you hope we’ll answer in future episodes, just drop us a line. Arthur C. Clarke said that any sufficiently advanced technology is indistinguishable from magic. Learning how the trick is done doesn’t diminish it but it does let you appreciate it even more. Computers are just processing an almost endless series of 1’s and 0’s. Once you remember that, the cloud tends to disappear.

Until next time.

The post Multifactor Authentication (MFA) appeared first on CyberMaxx.
