YUBICO COMPLIANCE EBOOK: Securing Your Critical Assets in an Ever-Changing Regulatory Environment


Security, Compliance and Modern Strong Authentication

Contents
- Global Compliance Trends
  - Changing Compliance Regulations
  - The Evolving Cyber Attack Landscape
  - Common Cyber Threats
  - Cyber Risk and COVID-19
- Authentication in Today's Compliance Landscape
  - EU & US Cross-Industry Regulations
  - Healthcare
  - Finance
  - Energy and Natural Resources
  - Public Sector
  - Cybersecurity Frameworks
- Modern Strong Authentication to Meet Regulatory Compliance
  - What is Strong Authentication?
  - Modern MFA and the Passwordless Future
  - Modern Strong Authentication with the YubiKey
- A Best Practice Checklist for Security and Compliance
- Sources

Global Compliance Trends
A Cross-Industry Look at the Evolving Threat and Risk Landscape

Changing Compliance Regulations
With the pace of technological change and the increasing frequency of cyber attacks, global regulators and policymakers have been enacting or modifying laws to protect sensitive and critical data at the industry, state, country, and global levels. The EU General Data Protection Regulation (GDPR) of 2018 became the gold standard for data protection and user privacy, ushering in a rapid pace of regulatory change that has been further accelerated by the global COVID-19 pandemic.

Key figures:
- 27 state data privacy bills introduced in the United States in 2021 [1]
- 4 in 5 United States voters want a federal data protection bill [2]
- PCI DSS 4.0 expected in Q1 2022
- The European Union has drafted new Standard Contractual Clauses (SCCs) for cross-border data transfers [3]
- The EU's DORA will require strong authentication [4]
- Only 47.9% of organizations believe they are succeeding at meeting compliance regulations [5]

The Evolving Cyber Attack Landscape
The cyber attack landscape continues to accelerate, with attackers leveraging sophisticated technologies including machine learning and artificial intelligence. At least 13% of malicious breaches in 2020 were caused by nation-state attackers, motivated by financial gain as well as a desire to disrupt business [6]. Cybercriminals are increasingly using COVID-19 themes in phishing attacks that target major corporations, governments, and critical infrastructure [7].

Key figures:
- 5,250 reported data breaches in 2020 [8]
- 151% growth in ransomware in 2021 [9]
- 94% of organizations globally suffered a data breach after a cyberattack [10]
- 91% globally attribute an increase in attacks to COVID-19 [11]
- 61% of breaches involve credentials [12]
- 80% of security professionals say attacks are more sophisticated [13]

Organizations across industries and government agencies alike continue to face rising costs associated with cyber attacks, including the loss of business, system downtime, ransomware payouts and recovery costs, legal and audit costs, and regulatory fines.
- $4.24 million average global cost of a data breach [14]
- $14.8 million average cost of non-compliance [15]
- 39% increase in GDPR fines in 2020 [16]
- $1.14 billion (€984.47 million) in GDPR fines in Q3 2021 [17]
- $1.85 million average ransomware recovery cost in 2021; only 8% of victims get all of their data back after paying the ransom [18]

Common Cyber Threats
Credentials are the most sought-after type of data in the initial phase of a cyber attack, with threat actors leveraging them to move laterally to find data or compromise more systems [19]. Today's cyberattacks are often multi-step: a stolen credential or a phishing attack is leveraged to then deploy malware.

Hacking, driven by stolen credentials: 89% of hacks involve credential abuse [20]
Many threat actors leverage stolen credentials to hack target systems, primarily web applications and mail servers.
- Man-in-the-middle (MitM) attacks are a form of eavesdropping used to spy, sabotage, or capture data, particularly credentials.
- Password spraying is a brute-force attack that tries a few common passwords against a large number of accounts, staying below per-account lockout thresholds in order to remain undetected.
- SIM swapping is when an attacker calls and tricks a mobile provider into moving a victim's phone number to an attacker-controlled SIM card. A 2020 Princeton study found that 17 of 140 major online services were vulnerable to SIM swapping attacks [21].
- Credential stuffing replays breached username/password combinations against other services.

Malware: ransomware attacks cost $4.62 million on average [22]
Malware attacks, including ransomware and spyware, continue to rise, with a significant uptick associated with COVID-19.
- Ransomware is a growing threat, with over 57% of victims making payments to recover data or prevent its exposure [23].
- Leakware, unlike ransomware that only encrypts data, also steals sensitive data in plaintext before encrypting it. The ransomware actors then threaten to release the sensitive data to the public if the victims don't pay.

Social engineering: phishing was present in 36% of data breaches in 2020 [24]
Social attacks manipulate people into taking an action that reveals credentials or opens a door for malware. Common social tactics include phishing, spear phishing, and pretexting.
- Phishing sends fraudulent emails purporting to come from a trusted sender; spear phishing aims them at specific, well-researched targets. The aim is either to infect devices with malware or to convince victims to hand over their information or money.

SolarWinds Attack Exposed 18,000 Customers
A Russian cyberattack created a backdoor in SolarWinds' Orion software, installing malware to spy on government and private sector customers including Microsoft, Intel, and the Department of Homeland Security. It may be years before the full extent of this breach is known [25]. Investigations revealed additional weaknesses, including the password "solarwinds123" used to access a development server [26]. In response, the Biden administration issued an executive order on protecting federal US government networks (EO 14028). The order requires agencies, software vendors selling to the US government, and private sector organizations with access to operational technology to adopt zero trust architectures, as well as multi-factor authentication and encryption for data at rest and in transit [27].

Colonial Pipeline Triggers New Regulation
A phishing attack introduced malware that shut down a pipeline responsible for 45% of the fuel for the east coast of the United States. After two days, and with uncertainty over the extent of the attack, CEO Joseph Blount agreed to pay a $4.4 million ransom [28].

The Department of Homeland Security moved rapidly to enact cybersecurity regulations for the pipeline industry. The Transportation Security Administration (TSA) announced a new Security Directive requiring pipeline owners to identify and report cybersecurity gaps, designate a Cybersecurity Coordinator available 24 hours a day, seven days a week, and report confirmed or potential cybersecurity incidents [29]. Just two months later, a second Security Directive directed pipeline owners and operators to implement specific mitigation measures against attacks and threats, to develop and implement a cybersecurity contingency and response plan, and to undergo an annual cybersecurity architecture review [30].

Cyber Risk and COVID-19
COVID-19 caused significant disruption to organizations around the world, accelerating the digital transformation toward a remote work economy, whether organizations were ready or not. Such rapid change introduced risks that are red flags for cyber security, including a blurring between work networks and home/public networks, as well as between business and personal devices. According to the IBM Cost of a Data Breach Report 2021, the cost of a data breach was $1.07 million higher where remote work was a factor in causing the breach [31].
- 41% of employees use their devices for both personal and work activities [32]
- 10% of employees lack even a basic PIN lock on their smartphone [33]
- 39% of employees expect to continue to work from home post-pandemic [34]

Authentication in Today's Compliance Landscape
After the passage of the GDPR in 2018, which became the new baseline for many data privacy regulations, global regulations have been evolving to keep pace in protecting data against increased cyber attacks and the changing technology landscape. While wide-sweeping regulations take many years to enact, we are more often seeing narrow laws, amendments, and executive orders attempting to bridge that gap. At the same time, the private sector has been stepping in to self-regulate with evolving governance and regulatory frameworks. As the COVID-19 pandemic accelerates the global digital transformation, greater pressure is being placed on regulators and policymakers to protect the public from the risks associated with this "new normal." That pressure is in turn transferred to security teams, who must meet the burden of compliance.

Strong two-factor authentication (2FA) and multi-factor authentication (MFA) sharply reduce the cyber risk associated with compromised credentials. Some regulations are beginning to spell out authentication minimums for access and control, while others rely on frameworks to provide guidance. As a security professional, these are the key regulations to have on your radar.

EU & US Cross-Industry Regulations

GDPR: General Data Protection Regulation (2018)
- Scope: all EU data subjects
- Consumer data rights
- Data protection by design and default
- Penalty: 4% of global annual turnover or €20 million, whichever is higher
- Security requirement: "appropriate technical and organizational measures" to protect and secure data [35]

CCPA / CPRA: the California Privacy Rights Act (2023) adds to the California Consumer Privacy Act (2020)
- Scope: all residents of California
- Consumer data rights
- Data protection by design and default
- Penalty: $2,500 per record (not per incident) for each unintentional violation
- Security requirement: "reasonable security procedures and practices" to protect data [36]

These regulations set the highest bar for general data privacy regulation across the EU and US. Following this trend, the Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, coming into effect on January 1, 2023 [37]. On July 2, 2021, Colorado passed SB21-190, becoming the third state to pass wide-sweeping data privacy legislation, coming into effect on July 1, 2023 [38]. Keep a close eye out for other states approving similar laws in the coming years.

ISO/IEC 27001/2 (International Organization for Standardization): Requirements for an information security management system (ISMS) and toward certification. ISO 27001 details the requirements for access controls, while 27002 introduces cryptographic controls.

SOX (Sarbanes-Oxley Act): General direction to keep data "secure" and enforce access controls. In practice, SOX audits draw on SOC 2 (Service Organization Control) reports, which favor multi-factor authentication (MFA). Expect audit themes to shift to reflect new needs such as remote work.

EU Cybersecurity Act: Evolves the European Union Agency for Network and Information Security (ENISA) into the EU Agency for Cybersecurity, establishes a certification framework, and gives ENISA oversight of assessment. ENISA reports previously established 2FA as a base standard [39].

eIDAS (Electronic Identification, Authentication and Trust Services): Assurance level "substantial" requires 2FA; "high" adds the requirement of tamper-proof authentication devices and dynamic cryptographic schemes [40]. FIDO2 standards provide secure access compliant with eIDAS.

Healthcare

HIPAA Security Rule (Health Insurance Portability and Accountability Act): "Reasonable" physical, technical, and administrative safeguards for data security and authentication [41]. NIST is preparing to update its HIPAA guidance for the first time in 10 years [42].

HIPAA Safe Harbor Bill (HR 7898): Signed into law on January 5, 2021, and designed to amend the HITECH Act. The bill requires "recognized security practices," further defined as those developed under the NIST framework, and asks regulators to consider these standards when looking at audits and fines.

21 CFR Part 11 (Code of Federal Regulations under the FDA for electronic records): The FDA requires certification that e-signatures in regulated systems are legally binding. A 2020 revision requires that certification to use 2FA or MFA in compliance with FIPS 140-2 [43].

EPCS (Electronic Prescription for Controlled Substances): Regulated by the Drug Enforcement Administration (DEA); the use of mobile devices requires two-factor authentication (hard token preferred) and a device compliant with FIPS 140-2 [44].

Financial Services

PCI DSS (Payment Card Industry Data Security Standard): PCI DSS v3.2 required multi-factor authentication for all non-console administrative access to, and all remote access into, the cardholder data environment. PCI DSS 4.0, expected in Q1 2022, is expected to introduce authentication requirements similar to NIST's [45].

FFIEC (Federal Financial Institutions Examination Council): Clearly articulates guidance stating that single-factor authentication is inadequate and that multi-factor authentication be considered.

GLB Act / GLBA (Gramm-Leach-Bliley Act): Requires "administrative, technical and physical safeguards" appropriate to the size, complexity, and scope of activities. In October 2021, the FTC released an update to the Safeguards Rule that requires multi-factor authentication for employee and customer access to systems [46].

PSD2 (EU Payment Services Directive 2): Designed to produce safer and more innovative payment services, it mandates strong customer authentication with "dynamic linking", which ties the authentication code to the specific amount and payee of the transaction.

Energy and Natural Resources

NERC CIP (Critical Infrastructure Protection Standards):
- CIP-007-6: enforce authentication for access controls.
- CIP-005-6: require MFA for all remote access sessions.

EO 14028 (Executive Order on "Improving the Nation's Cybersecurity"): Security Measure SM 1.1 requires multi-factor authentication that is impersonation-resistant for all users and administrators of EO-critical software [47].

TSA Security Directive Pipeline-2021-01:
- First Directive, May 2021: requires pipeline owners to identify and report cybersecurity gaps, designate a Cybersecurity Coordinator available 24/7, and report confirmed or potential cybersecurity incidents [48].
- Second Directive, July 2021: requires pipeline owners and operators to implement immediate mitigation measures against cyberattacks consistent with NIST SP 800-82 [49]. The related GAO report directs owners to implement MFA for remote access [50].

Public Sector

NIST (National Institute of Standards and Technology):
- SP 800-63 Digital Identity Guidelines: lays out authenticator assurance levels (AAL1-3) based on the strength of authentication.
- SP 800-157 PIV Credentials: guidelines for public key infrastructure (PKI) credentials used for personal identity verification (PIV) cards.
- SP 800-171: MFA required for all users who access controlled unclassified information (CUI).

FIPS (Federal Information Processing Standards):
- FIPS 201-2 PIV Standard: MFA required to authenticate users.
- FIPS 140-2 Cryptographic Modules: certifiable security levels for cryptographic modules in private-sector software or services used by government.

DFARS (Defense Federal Acquisition Regulation Supplement): Contractors must adhere to SP 800-171 (which requires MFA).

FedRAMP (Federal Risk and Authorization Management Program): A US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

CMMC (Cybersecurity Maturity Model Certification): A certification framework based on DFARS. Level 3 includes the requirements of NIST SP 800-171.

OMB Memos (United States Office of Management and Budget):
- OMB M-19-17: allows other strong authentication as an alternative to the PIV and CAC for contractors and citizens.
- OMB M-20-19: allows other strong authentication as an alternative to the PIV and CAC in any use case, particularly for new or remote workers.
- OMB M-21-30: implements EO 14028 by requiring a phased adoption of NIST security measures to protect critical software, including MFA that is impersonation-resistant [51].

Cybersecurity Frameworks & Audits
NIST, HITRUST, & SOC 2
These frameworks help organizations understand cyber risks and provide a more tangible roadmap to comply with the "reasonable" and "appropriate" regulatory standards. Both the NIST and HITRUST frameworks call for strong authentication, including a multi-factor combination of something a user has, knows, and is. A SOC 2 report is commonly mapped against a number of frameworks including NIST, HIPAA, PCI DSS, ISO 27001 and ISO 27002. Two-factor authentication is considered a minimum baseline [52].

Modern Strong Authentication to Meet Regulatory Compliance
It's clear that regulatory compliance is not slowing down cybercrime; rather, it is an effort to constantly mitigate ever-evolving risk vectors. Authentication is either explicitly or implicitly required by the major regulations, acts, frameworks, and audits, yet many organizations tick the box on security while leaving the front door open by deploying sub-par authentication solutions. With a high rate of attacks focusing on credential theft, strong authentication holds the power to drastically reduce the success of cyber attacks.

Two-factor authentication (2FA): combines two factors, typically one of which is a password.
Multi-factor authentication (MFA): combines two or all three factors.
- Something you know: a password or PIN
- Something you have: a physical device such as a phone or authenticator
- Something you are: a fingerprint, iris or facial scan

What is Strong Authentication?
1. Strong authentication can include 2FA or MFA. With the right solution, and specifically with modern MFA approaches, organizations can achieve strong phishing resistance and repel credential phishing, man-in-the-middle (MitM) attacks and impersonation.
2. It does not rely on "shared secret" protocols (symmetric keys) at any point. Shared-secret methods include passwords and recovery questions, as well as all forms of mobile-based authenticators such as OTP, SMS codes, and push notifications.

Not all authentication is created equal. Username and password, and basic 2FA such as mobile-based authentication, are not strong authentication because they are highly susceptible to phishing and other remote attacks.

Username and password:
- Deployed everywhere
- Known usability gaps
- Costly and hard to sustain
- Common target for credential phishing

Basic 2FA (SMS, email, mobile):
- Not purpose-built for security
- Uses existing technology stacks that are vulnerable to network and software attacks
- Common target for credential phishing

YubiKey (strong authentication):
- Purpose-built for security
- No network connection, stored data, or client software required
- Highly phishing resistant

Among the varied authentication protocols, only smart card and the modern FIDO U2F and FIDO2/WebAuthn protocols satisfy the requirements of strong authentication and modern MFA.

While mobile-based authentication is fairly common, it does not provide the best security or user experience. Mobile-based authenticators such as OTP, SMS codes, and push notifications are susceptible to malware, MitM, SIM swapping and account takeovers, and their usage can be impacted by device battery, network/cellular connections, and broken screens.

Hardware security keys, on the other hand, are purpose-built for security, highly phishing resistant, and durable. They require no network connection, store no data, and don't require any client software to be installed.

Passwordless is the Future
FIDO2/WebAuthn passwordless approach: FIDO2 is the newest (introduced in 2018) FIDO Alliance authentication specification, and WebAuthn is a web API that allows websites to update their login flow to add FIDO-based authentication on supported browsers and platforms. This is an evolving security ecosystem that will make adopting passwordless easier.

Authentication maturity scale: SMS (falling behind); OTP, 2FA, MFA (getting there); passwordless.

At their core, passwords are insecure: they are hard to remember, easily breached, and require validation against a server in order to work, opening up yet another avenue for breach. Passwords also require a lot of IT management and oversight, such as enforcing more complex passwords and then enforcing periodic changes per the security policies of the organization. With password-related calls to the helpdesk and downtime, this can all become very costly for the organization, while still leaving it vulnerable to a breach. A move to secure passwordless account logins would therefore eliminate much of the cost while enhancing the user experience.

Passwordless login flows often involve users entering a PIN. However, unlike passwords, which reside on a server that can be breached, a PIN is verified locally by the authenticator and is never sent to the server, so it is not exposed to remote attack. Also, unlike passwords, PINs don't need to be changed frequently and can be used for years. There are many instances of passwordless authentication already in use, including smart cards (such as PIV and CAC cards) used across the US federal government.

FIDO2 is the passwordless evolution of FIDO U2F, a set of specifications around authentication. The overall objective of FIDO2 is to provide an extended set of functionality to cover additional use cases, with the main driver being passwordless login flows.

Modern Strong Authentication with the YubiKey
Yubico uses modern protocols such as the FIDO U2F and FIDO2 open authentication standards to help eliminate phishing-driven credential-based attacks and satisfy the growing number of regulations that rely on the strict NIST framework.

The YubiKey 5 Series (from left to right: YubiKey 5 NFC, YubiKey 5C NFC, YubiKey 5Ci, YubiKey 5C, YubiKey 5 Nano and YubiKey 5C Nano).

The YubiKey is a hardware security key that provides strong phishing-resistant two-factor, multi-factor, and passwordless authentication at scale, helping organizations comply with MFA requirements across various industry regulations. It is the only solution proven to stop 100% of account takeovers in independent research [53].

By supporting multiple authentication protocols on a single YubiKey, such as OTP, OpenPGP, and strong authentication protocols such as smart card, FIDO U2F and FIDO2/WebAuthn, the YubiKey gives organizations the flexibility to deploy strong authentication using a single key across a variety of legacy and modern infrastructures.

YubiKey offers a bridge to passwordless. Passwordless is a journey, not an overnight transition. With the YubiKey, organizations can implement FIDO2 passwordless, smart card passwordless, or a hybrid strategy, depending on the existing infrastructure and the use cases that need to be addressed. As the passwordless ecosystem continues to expand, this transitional period is what the YubiKey was designed for: because the YubiKey supports the broadest set of security protocols, a single security key works across a wide range of applications and services, regardless of where organizations are in their passwordless journey. Yubico offers the fastest way to meet today's complex compliance and security requirements while accelerating your journey to passwordless. Take a stand against cyberattacks and future-proof your compliance stance with the YubiKey.

- Smart Card/PIV: out-of-the-box native integration with the Microsoft environment using Smart Card/PIV functionality based on the NIST SP 800-73 specification.
- FIDO2 & FIDO U2F: strong two-factor authentication using public key cryptography to protect against phishing, session hijacking, man-in-the-middle, and malware attacks.
- One-time passcodes: integrate Yubico OTP natively with the free YubiCloud authentication service, or program unique TOTP or HOTP secrets.

YubiKeys offer the best of both worlds: the best available security against phishing attacks and account takeovers, and the best user experience. To authenticate, users simply tap or touch their security key on any kind of device, including mobile phones and tablets. YubiKeys also don't require batteries, have no breakable screens, don't need a cellular connection, and are water-resistant and crush-resistant.

Per the highest security requirements, the YubiKey meets FIPS 140-2 certification requirements, Overall Level 1 (Certificate #3907) and Level 2 (Certificate #3914), Physical Security Level 3, and the highest level of assurance (AAL3) of the NIST SP 800-63B guidelines.

A Best Practice Checklist for Security and Compliance
- Embrace zero trust: treat each access request as a potential attack and authenticate the user before providing access to the network or any sensitive resource.
- Know your data: manage your data retention policy and keep only what you need for long-term compliance mandates.
- Educate, educate, educate: combine technology with employee education to spot and stop phishing and spear phishing attacks.
- Design security with UX in mind: design for the new anytime, anywhere, any-device norm.
- Put privacy first: most regulations are moving toward consumer rights, so be prepared to meet them.
- Think long term: deploy solutions that work across legacy and modern infrastructures; they shouldn't become obsolete when existing regulations are updated or new regulations are released.

Sources
1. IAPP, The Growth of State Privacy Legislation (accessed May 18, 2021).
2. Sam Sabin, States Are Moving on Privacy Bills. Over 4 in 5 Voters Want Congress to Prioritize Protection of Online Data (April 27, 2021).
3. Paul Voigt, The Draft Standard Contractual Clauses Proposed by the European Commission (April 7, 2021).
4. European Commission, Digital Operational Resilience for the Financial Sector (September 24, 2020), COM:2020:595:FIN.
5. Cisco, The 2021 Security Outcomes Study (accessed May 14, 2021).
6. IBM, 2020 Cost of a Data Breach Report (accessed May 13, 2021), https://www.ibm.com/security/data-breach
7. INTERPOL, INTERPOL report shows alarming rate of cyberattacks during COVID-19 (August 4, 2020).
8. Verizon, 2021 Data Breach Investigations Report (accessed May 18, 2021).
9. Tara Seals, Ransomware Volumes Hit Record Highs as 2021 Wears On (August 3, 2021).
10. VMware, Global Threat Report (accessed May 17, 2021).
12. Verizon, 2021 Data Breach Investigations Report (accessed May 18, 2021).
13. VMware, Global Threat Report (accessed May 17, 2021).
14. IBM, 2021 Cost of a Data Breach Report (accessed November 4, 2021), https://www.ibm.com/security/data-breach
15. DFIN, The Evolving Data Privacy Landscape: GDPR, CCPA, and Similar Data Protection Laws (March 31, 2020).
28. Collin Eaton and Dustin Volz, Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom (May 19, 2021).
29. DHS, DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (May 27, 2021).
30. DHS, Ratification of Security Directive (September 24, 2021), federalregister.gov/d/2021-20738
31. IBM, 2021 Cost of a Data Breach Report (accessed November 4, 2021).
32. Proofpoint, 2020 State of the Phish (accessed May 19, 2021).
33. Ibid.
34. HP, Blurred Lines and Blindspots (May 12, 2021).
35. Intersoft Consulting, General Data Protection Regulation, Art. 32 (accessed May 19, 2021), https://gdpr-info.eu/art-32-gdpr/
36. National Law Review, CPRA Security Risk Assessments & Privacy Compliance (November 6, 2020).
37. Gibson Dunn, Virginia Passes Comprehensive Privacy Law (March 8, 2021).
38. Meighan E. O'Reardon, Colorado's Emergent Consumer Privacy Bill Introduces Chance to Opt-Out of Data Processing (July 8, 2021).
39. ENISA, Authentication Methods (accessed May 20, 2021).
40. FIDO Alliance, Using FIDO with eIDAS Services, white paper (April).
41. Enzoic, Recommendations for HIPAA Password Compliance (March 23, 2020).
42. Hogan Lovells, NIST seeks public comment to inform updates to HIPAA Security Rule guidance (May 17, 2021).
