
Protecting Your Data: Insights from a Professional Hacker

Liz Corbett, published February 13, 2024
Keren Elazari knows how hackers think. She’s an internationally recognized security analyst, researcher, author and speaker who has worked with leading security firms, government organizations and Fortune 500 companies. She’s also known as “the friendly hacker”, and has spent her career helping security leaders outsmart threats, strengthen their posture, and reduce vulnerabilities. Recently, Keren joined our CRO Amy Appleyard to discuss the top threats organizations face today and the best practices for modern protection.

What are security leaders worried about in 2024?

There are plenty of things that keep CISOs and security practitioners up at night, but at the beginning of this new year, leadership looks to be most concerned about insider threats leading to data breaches, vulnerabilities in cloud infrastructure, and AI-driven cyber threats.

Do traditional security tactics work against the evolving threat landscape?

Today’s hackers are working hard and innovating at the same rate as the businesses and organizations that they’re targeting. Elazari is convinced that most organizations are woefully unprepared for the potential influx of ransomware and phishing attacks that AI can help cybercriminals launch, and she unequivocally believes that passwords are a weak method of securing teams and data, saying, “We cannot rely anymore on passwords. I like to call them past words because I think they belong in our past. We really have to think about what is our identity perimeter?” If passwords won’t protect us from advanced, evolving threats, what can organizations do to supplement their password security and better safeguard data from bad actors?

1. Different authentication modalities

Elazari was quick to point out that “not all multi-factor authentication tools are created equal”. SMS codes sent to your device are susceptible to SIM hijacking, and MFA push notifications are subject to push fatigue on the part of users and push bombing attacks by bad actors. The authentication method that Elazari is most excited about is passkeys. She is also enthusiastic about combining authentication modalities with things that are harder to forge, like fingerprints, voice IDs, face IDs, and even physical security tokens like YubiKeys.

2. Passphrases

Passwords aren’t going away overnight, but there are certain things that businesses can require to ensure that passwords are as safe as possible, such as length and complexity. Unfortunately, the longer and more complicated something is, the less likely a person is to remember it. We want to keep bad actors out of our data, but we also want our teams to be able to remember their passwords so they can get into their data. Passphrases (like “Fidoate!my2woolsox”) help with both the complexity and memory issues by combining words and symbols into a “phrase” that can be personal to the user, and therefore more likely to be remembered, but also long enough to reduce the risk of a brute-force attack.

3. Passwordless

Passwordless might not be hacker-proof, but it will make life harder for attackers. Organizations that don’t modernize their security tactics, particularly around identity and passwords, will be a bigger, easier target than an organization that’s investing in multiple layers of security. Security leaders need to be agile, faster, and more prepared to make it harder for hackers to get in. Technology like passwordless makes that agility, speed, and preparedness much easier to achieve.

4. Training and education

A strong security strategy is more than just implementing technology, however. It’s also about engaging with the people on the front lines every day: employees and team members. These end users are the ones who are on the receiving end of MFA attacks and phishing emails and are trying to remember complicated passwords to log in every day. Elazari implores security leaders to consider end users part of their security team, rather than just a risk to be managed. “It is way too common for end users to be talked about as our weakest link in the security chain. I really hope we can inverse that relationship. I believe that end users have a lot of power in their hands and we need to give them technology and training to make better security decisions.” You can hear more advice and insight from Keren Elazari in our full webinar here.