Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: AI could mean bye-bye to your account security, the future of passwords is passkeys, and what the Central Bank of Ireland has to say about DORA.
3 – Could AI mean you’ll be saying bye-bye to your account security?
Research by Home Security Heroes suggests AI could make it easier for cyber criminals to guess your password, especially if your password is similar to one of the 15.6 million passwords that have already been leaked on the dark web.
The research, recently mentioned by ISACA, suggests that AI could guess your password in 48 minutes if it is 8 characters long and includes numbers, uppercase letters and lowercase letters. If it’s the same mix of numbers and letters but 12 characters long, it would take the current AI models 2000 years to guess it. You can use the tool here to see how strong your passwords are.
2 – Passwords are bad. Passkeys are good.
“Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts.”
This is according to Google’s Identity Ecosystems team, as reported recently in The Register. They go on to say that having MFA (Multi-Factor Authentication) “is better than nothing though it still puts the burden on users who have to deal with an additional verification step, and it doesn’t fully protect against phishing, credential stuffing, and targeted scams like SIM swaps for text verification. There’s nothing stopping cunning miscreants from collecting MFA codes along with usernames and passwords from phishing pages.”
The future is… passkeys.
Passkeys “are stored on a device and integrate with its hardware’s biometric readers – think fingerprint or face scanners accessed via Apple’s Face ID or Microsoft’s Windows Hello. Rather than relying on usernames and passwords and MFA tools, passkeys thus use the biometric information and the device itself to authenticate users. Because passkeys only exist on the device and, unlike passwords, can’t be written down or accidentally given to – or stolen by – miscreants, in theory, they hopefully protect against phishing and other attacks, and can’t be reused elsewhere or exposed via database leaks.”
Passkeys have their own risks, and it can take some time to get your head around the concept. After all, how can they be more secure when they are also so much more convenient? Security is not supposed to be convenient!
However, passkeys make the cyber criminal’s job much more difficult, so isn’t that enough?
1 – The Central Bank of Ireland reminds us that DORA is coming.
As you may know, DORA* will apply from January 2025, less than 2 years from today. “These tight deadlines are not arbitrary ones chosen on a whim. Rather they are a direct function of the importance and urgency of the issue that they are designed to address. Tech- and cyber risk are amongst the top risks that we face in the financial system. They pose risks both to individual firms and, potentially, to systemic stability. As such we need to address them in a timely and effective manner.”
This is a direct quote from remarks made by Gerry Cross (Director of Financial Regulation, Policy and Risk at the Central Bank of Ireland and Chair of the ESAs’ Joint Sub-Committee on DORA Implementation), at a recent event organised by Amazon Web Services, the European Fintech Association, and Insurance Ireland.
He went on to say that “DORA is a cross-sector Regulation, applying to all regulated financial firms. It aims to mitigate technology and cyber risk by enhancing firms’ technology and cyber risk management and resilience. It creates a regulatory framework whereby all firms need to make sure they can withstand, respond to and recover from ICT-related disruptions and threats, including of course cyber attacks.” [..] “This is a complicated field, made more so by the very wide range of firms of all shapes, sizes and business models to whom it applies. [..] Proportionality is therefore essential.”
There are plenty of other nuggets in Mr Cross’ speech, including how firms should approach DORA compliance – too many to discuss here. I’ve published a more detailed analysis, and I also discuss the detail in this week’s Cybersecurity Without Insanity podcast. If you work in a regulated financial services firm, especially if you will be involved in your firm’s DORA compliance effort, it’s worth a read / listen.
* DORA: The EU’s Digital Operational Resilience Act.
PS I talk about these news stories, and delve into how to manage cyber risks and regs without losing your sanity, on the “Cybersecurity Without Insanity” podcast.
All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.