October is National Cybersecurity Awareness Month. All month long, the Information Security Office is sharing ways you can protect yourself — and the University — online. Discover more Cybersecurity Awareness Month events, or for tips on strengthening cybersecurity year-round, visit Safe Computing at UNC.

On October 15, Tar Heels joined Jonathan Fox, a senior cybersecurity consultant in the Engineering and Architecture Group at Microsoft, for a webinar, “Identity Under Siege: Navigating the Complexities.” The webinar drew 50 registrants from across campus.

Fox, a seasoned cybersecurity expert, focused on the challenges, both technical and human, of identity security. Since joining Microsoft, Fox has worked in 17 countries, helping governments and organizations transform their identity and security systems to suit modern environments, often after a major security incident.

Identity crisis and the darker side of humanity

“We really do have an identity crisis,” Fox said. The identity crisis is “continuously unfolding and, historically speaking, things are not trending for the better,” he explained. “We see that with governments that have been compromised, we see that with critical infrastructure.”

Unfortunately, it’s no longer just a problem for organizations. The financial impact on consumers is also growing, and breaches “are exposing the darker side of humanity.”

According to Fox, our online identities have become removed from ourselves as human beings. Instead, these identities center on factors like where we work and what our roles are. These centralized identities make it easier for bad actors to strike because, “ironically, our human faults kick in,” he said.

Human challenges

“It’s become more challenging” and “increasingly difficult” to protect identities, Fox said. “We try to do all the right things in the [technical] controls and protections,” but that often creates too many hoops for users to jump through, which opens the door for bad actors.

These adversarial teams leverage our human behavior and emotions. Fox gave an example that he uses at in-person events with fellow cybersecurity professionals. “I tell them that somewhere in the room, under three random chairs there’s a gift card from Amazon. It’s amazing how quickly everyone just reaches under their chair to find that envelope,” he said. “It’s not there. I just phished the room.”

We fall for phishing because of our human instincts, Fox said. We feel personally affected by the phishing message, or the message activates our survival instincts, which gives us a sense of urgency.

Social engineering was at the forefront of how adversaries were successful in many breaches last year, Fox said. He shared examples of how bad actors called help desks and fooled IT staff into giving access, starting the process of accessing sensitive information or destroying systems.

Pair that with reliance on mobile devices and a lack of credential hygiene, like reusing passwords, and we’re introducing “a lot of new vulnerabilities.”

Juggling act

Defending against attacks is “one of the most difficult juggling acts ever performed,” Fox explained. “We’ve got to balance the security with the human experience.”

“Best practices are put into policies, and incorporating them is vital to mitigate human error,” he said. “But somehow, because of humans, we’re still creating an opportunity that’s out there.”

As new threats and adversaries emerge, securing digital identities is going to be the biggest challenge for organizations trying to keep themselves safe, Fox said. The solution: making the right decisions and taking the right actions to make security about individuals with decentralized identities.

“We’re trying to make identity more about the ‘me’ and putting us back into that model by design that is secured by default,” Fox said.

 
