Why Protecting Password Vaults With Device Trust Is Crucial
The world has changed. Cybersecurity threats have evolved, and new challenges present themselves. In Verizon’s 2022 Data Breach Investigations Report (DBIR), although the category of “Social Engineering” has gone down from 2021 for “External” threats, the “Hacking” category from “External” threats for both the “Person and User Device” category has doubled from the previous year.
Why is that?
Users and their devices are easy targets. In Verizon’s 2022 DBIR infographic, 82% of breaches involved a human element.
Hackers understand this. For example, hackers exploit people by targeting their passwords, and application/service access in order to gain a foothold into the organization. They also understand that personal devices often have significantly weaker security controls than company-issued managed devices as users find some security controls intrusive and annoying. Hackers use this weakness to gain incremental access into an organization by attacking the weakest link, a user and their personal devices.
What are criminals interested in?
A personal device holds a lot of value for cyber criminals. These devices typically do not have a high level of device health. They can have out-of-date software, operating system, or browsers which increases the attack surface and opens the door to additional attack vectors. These risks are just a stepping stone for the real prize, which is a local password repository or vault. It doesn’t matter if these are personal or corporate password collections, because criminals are well aware of password reuse in the workplace, as well as the often predictable password generation techniques many organizations use.
How can organizations counter this threat?
There are several steps organizations can take to stop hackers from gaining access to their vaults and the valuable data they’re storing. One recommendation is to configure policies that go beyond just multifactor authentication, by identifying which devices are trusted in a non-intrusive manner.
Device trust policies provide another layer of security by blocking application access to anyone on personal devices and thus isolating access to only a trusted corporate issued device which is running much stricter security policies.
Available in every paid Duo edition, you can now deploy device trust policies to detect if a device is a trusted corporate issued device and allow access to critical applications only from a trusted device using Duo’s Trusted Endpoints feature.
Have any follow-up questions? Duo Care can help.
For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.