Cyberattack prevention needs to shift left to stop security chain reactions, Amazon Web Services (AWS) CISO CJ Moses suggests.
“The earlier you can spot something — shift left as we like to say — the earlier that you can disable or break the chain of events that's going to occur,” Moses told SDxCentral. Then, “you don't have to worry about the downstream and ramifications of someone using data from your system or your network and blocking and tackling and dealing with all the recovery that comes from that.”
This is part of the messaging from Amazon’s recent public service announcement (PSA) campaign “Protect & Connect,” which reiterates the importance of enabling multi-factor authentication and of identifying and reporting phishing scams. Those recommendations are in line with the key actions the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) highlighted in their October Cybersecurity Awareness Month campaigns.
Security is a shared responsibility, which "means that everybody that's involved with using or doing the things that you're doing needs to take on some responsibility for the security of that capability,” Moses said. “If you have access you have responsibility.”
For the “Protect & Connect” campaign, Amazon made its internal security training and a learning package available to the public. Amazon also offers a single portal for all employees to report any security-related matters with no penalty.
“It doesn't have to be very verbose, submit it, and then our security engineers will actually review and reach out to the person that submitted it. And the big thing is that has to be a very low bar, meaning that it should be something that I'd rather have a lot of reports and none of them actually be true,” Moses explained.
AWS Expands MFA Security Key Program
AWS is also using the Cybersecurity Awareness Month platform to encourage multi-factor authentication (MFA) adoption.
“We believe that MFA is huge toward adding an additional layer of security between our customers or even those that aren't, that allows us to be able to add that additional layer that keeps adversaries from being able to use or access information that they shouldn't,” Moses said. “It has been available for a number of years, but you haven't seen the public generally adopt it, it's always been only a small fringe of that."
AWS is broadening its free MFA security key program to lower the sign-up bar for customers, while preventing adversaries from abusing the program to obtain a free token.
Identity and access management vendor Okta saw a record number of MFA attacks in the first half of 2022. And in the recent hacks targeting Cisco and Uber, MFA was reportedly bypassed by the attackers.
Companies need to train employees how to use MFA properly and how to deal with different possible scenarios to “make sure that the humans aren't the weak link,” Moses said. “When people reach out to you asking for multi-factor authentication codes or anything like that, that's not a valid use case.”
He also noted that there are technologies that can make MFA stronger, such as the YubiKey-based token that AWS is using and the FIDO 2.0 authentication standard that AWS is transitioning to internally first. Moses recommended that organizations choose hardware tokens or devices over text-message authenticators, which can be intercepted.
Moses added that AWS is continuing to transition and upgrade to newer technologies, stating, “FIDO 2.0 is the next one."
"There are others behind that already," he said. "So this will be a continual cat-and-mouse game where we'll always be enhancing security in order to better support our customers, while at the same time forbidding our adversaries from being able to do bad things to get people.”