
Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via SMS and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.
The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft’s behalf, urging users to embrace and enable MFA for their online accounts.
Citing internal Microsoft statistics, Weinert said in a blog post last year that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.
But in a follow-up blog post today, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.
The Microsoft exec cites several known security issues, not with MFA, but with the state of the telephone networks today.
Weinert says that both SMS and voice calls are transmitted in cleartext and can be intercepted by determined attackers using techniques and tools such as software-defined radios, femtocells, or SS7 intercept services.
SMS-based one-time codes are also phishable using open-source, readily available phishing tools such as Modlishka, CredSniper, or Evilginx, which proxy the real login page and relay whatever code the victim types. Further, phone network employees can be tricked into transferring a victim's phone number to a threat actor's SIM card, in attacks known as SIM swapping, allowing the attacker to receive the victim's MFA one-time codes directly.
On top of this, phone networks are exposed to changing regulations, downtime, and performance issues, all of which affect the availability of the MFA mechanism and can prevent users from authenticating to their accounts at moments of urgency.
SMS and voice calls are the least secure MFA method today
All of these make SMS and call-based MFA “the least secure of the MFA methods available today,” according to Weinert.
The Microsoft exec believes that the security gap between SMS and voice-based MFA and the stronger methods "will only widen" in the future.
As MFA adoption increases overall, attackers will become more interested in breaking MFA, and SMS and voice-based MFA will naturally become their primary target because of its large installed base.
Weinert says that users should enable a stronger MFA mechanism for their accounts, if available, recommending Microsoft’s Authenticator MFA app as a good starting point.
But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
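Why a security key resists the proxy-based phishing tools named above while a one-time code does not comes down to origin binding. The following is an added example (not Microsoft's code and not from the article) that simulates an Evilginx-style reverse proxy against both factors. The relying-party origin, the look-alike phishing origin, and the user name are assumptions, and an HMAC stands in for the ECDSA signature a real FIDO2 authenticator produces over the same fields; the logic is the same for any code the user types, whether it arrived by SMS, voice, or an authenticator app.

```python
"""Simulated reverse-proxy phish against two second factors (constructed example).

Assumptions: RP_ORIGIN and PHISH_ORIGIN are made up; sign() uses HMAC in place of
the per-credential ECDSA signature a real FIDO2 authenticator would produce.
"""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example.com"               # assumed relying-party origin
PHISH_ORIGIN = "https://login.example.com.evil.test"  # assumed attacker look-alike origin


def sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator's signature over (challenge, origin).
    The property that matters is that the origin is inside the signed data."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """Server side: issues SMS codes and FIDO challenges and verifies the responses."""

    def __init__(self) -> None:
        self.pending_sms: dict = {}        # user -> code delivered over the phone network
        self.pending_challenge: dict = {}  # user -> outstanding FIDO challenge
        self.credential_keys: dict = {}    # user -> registered credential key

    # Factor A: a one-time code. Whoever learns the code can submit it.
    def send_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_sms[user] = code
        return code  # returned so the simulation can "deliver" it to the victim's phone

    def verify_sms_code(self, user: str, submitted: str) -> bool:
        expected = self.pending_sms.pop(user, None)  # single use
        return expected is not None and hmac.compare_digest(expected, submitted)

    # Factor B: an origin-bound assertion, in the shape WebAuthn uses.
    def register_credential(self, user: str, key: bytes) -> None:
        self.credential_keys[user] = key

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending_challenge[user] = challenge
        return challenge

    def verify_assertion(self, user: str, assertion: dict) -> bool:
        challenge = self.pending_challenge.pop(user, None)  # single use
        if challenge is None or assertion["challenge"] != challenge:
            return False
        if assertion["origin"] != RP_ORIGIN:  # the browser must have been talking to us
            return False
        expected = sign(self.credential_keys[user], challenge, assertion["origin"])
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """The user's security key. It signs the challenge the browser hands it together
    with the origin the browser is actually connected to; the user cannot override that."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def make_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        return {"challenge": challenge, "origin": browser_origin,
                "signature": sign(self.key, challenge, browser_origin)}


def phish_sms(rp: RelyingParty, user: str) -> bool:
    """Proxy relays the real login page; the victim reads the SMS and types the
    code into the phishing page; the proxy forwards it to the RP."""
    code_on_victims_phone = rp.send_sms_code(user)
    code_typed_into_phish = code_on_victims_phone
    return rp.verify_sms_code(user, code_typed_into_phish)  # attacker is in


def phish_fido(rp: RelyingParty, user: str, key: Authenticator, tamper: bool = False) -> bool:
    """Proxy forwards the RP's real challenge, but the victim's browser is on
    PHISH_ORIGIN, so that is the origin the authenticator signs over."""
    challenge = rp.issue_challenge(user)
    assertion = key.make_assertion(challenge, PHISH_ORIGIN)
    if tamper:  # attacker rewrites the origin field before forwarding
        assertion = dict(assertion, origin=RP_ORIGIN)
    return rp.verify_assertion(user, assertion)


def legit_fido(rp: RelyingParty, user: str, key: Authenticator) -> bool:
    challenge = rp.issue_challenge(user)
    return rp.verify_assertion(user, key.make_assertion(challenge, RP_ORIGIN))


if __name__ == "__main__":
    rp, key = RelyingParty(), Authenticator(secrets.token_bytes(32))
    rp.register_credential("alice", key.key)
    print("SMS code relayed by proxy accepted:", phish_sms(rp, "alice"))                      # True
    print("FIDO assertion relayed by proxy accepted:", phish_fido(rp, "alice", key))          # False
    print("FIDO assertion with forged origin accepted:", phish_fido(rp, "alice", key, True))  # False
    print("Legitimate FIDO login accepted:", legit_fido(rp, "alice", key))                    # True
```

The relayed SMS code is accepted because nothing ties it to where the user typed it. The relayed assertion is rejected on the origin check, and rewriting the origin field fails the signature check because the origin is part of what was signed; the challenge is also single use, so a captured assertion cannot be replayed later.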
PS: This doesn't mean users should disable SMS or voice-based MFA on their accounts. SMS MFA is still far better than no MFA.
F5 has launched a new software-as-a-service (SaaS) platform intended to simplify its increasingly spread-out security portfolio.
Over the past few years, F5 has expanded its services with software and cloud offerings designed to bridge the gap between the enterprise push toward digital transformation and a continuing reliance on legacy systems. According to an F5 survey, 88% of organizations say they operate both legacy and modern architectures today. When IT teams must treat all of these systems, along with Internet of Things (IoT) and edge devices, cloud, remote collaboration tools, and mobile, as potential attack vectors, managing that complexity and risk is a challenge.
On Tuesday, the application security company said the portfolio expansion, called F5 Distributed Cloud Services, will "provide security, multi-cloud networking, and edge-based computing solutions."
F5 Distributed Cloud merges technologies F5 acquired from Volterra and Shape Security. Functionality includes multi-cloud networking (MCN), cloud load balancing, cloud-native computing capabilities for edge computing use cases, and a Kubernetes Gateway.
The service will also include a new offering launched today, the F5 Distributed Cloud WAAP (Web Application and API Protection). WAAP integrates F5's web application firewall (F5 Advanced WAF), bot mitigation (F5 Shape AI), distributed denial-of-service (DDoS) monitoring, and API defenses based on Volterra's machine learning technology. The SaaS suite will let teams deploy each solution automatically and collectively.
"Today's applications and business models are adapting faster than ever, and that means app security and infrastructure need to be much more agile and effective," commented Haiyan Song, GM of the Security & Distributed Cloud Product Group at F5. "We are rapidly integrating our portfolio of services onto a distributed cloud services platform and continually innovating new services, so our customers can have the capabilities they need at the pace they require to achieve their ongoing business transformation."

One of the top challenges and misunderstandings that I continue to see is what the definition of Zero Trust actually is. Zero Trust is not one product or platform; it’s a security framework built around the concept of “never trust, always verify” and “assuming breach.” Attempting to buy Zero Trust as a product sets organizations up for failure.
Vendors would have you believe that the security solution, platform, or widget they are selling is Zero Trust and that you can just purchase their solution to address your needs. This is false. Vendors enable Zero Trust; they are not Zero Trust itself.
There Is No Easy Button To Zero Trust
Starting down the path of Zero Trust is complicated. It’s difficult to figure out where to start, so we’ve established a handy guide on how to practically enable Zero Trust from an implementation standpoint. Don’t buy into vendor hype that you can purchase something and immediately be Zero Trust. That’s not the reality of the situation.
Organizations need to build a strategy to get to a Zero Trust architecture that encompasses more than technology and buzzwords. One example is the Zero Trust eXtended (ZTX) ecosystem which, at a bare minimum, requires:
- Assessing your existing security program's Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people do their jobs and how existing business processes work today, mapping existing technology capabilities, and understanding gaps.
- Mapping the output of this maturity assessment to the ZTX framework to understand which pillars you are strong in and which are lacking, specifically the capabilities you need to improve.
- Considering tools and technology to address the areas where you're lacking, and integrating Zero Trust implementation into existing business, IT, and security projects.
Zero Trust Is A Security Framework, Not An Individual Tool Or Platform
ZTX is an ecosystem with both technology and non-technology pieces. Protecting the perimeter and other prior security strategies didn’t easily adapt to change because they were designed around monolithic point solutions that didn’t integrate with each other. Zero Trust, however, is designed to be in a state of continuous review and optimization.
The fluid, integrated nature of Zero Trust is designed to easily adapt to business changes. Organizations need to be cautious about vendor messaging, dive into details about vendor offerings, and call them out when the technology they’re pitching seems too good to be true.
Ask the vendor you’re considering where the capability they’re describing fits in the ZTX ecosystem. If they can’t describe it, it’s a very clear sign that they don’t understand Zero Trust. Security vendors need to update their messaging to reflect the reality that Zero Trust is a journey that’s different for every organization and stop advertising Zero Trust as a product that can be bought. By selling their solutions as Zero Trust easy buttons, they continue to set their customers up for failure by perpetuating this false paradigm.
Zero Trust isn't a race; it's a continuous journey
While Zero Trust continues to be marketed as the cool new thing, at the end of the day we need to ground ourselves. Zero Trust is the new normal. COVID-19 has significantly changed the way we work and forced a lot of organizations to accelerate their digital transformation and security strategies. Take a second to see if these security solutions are the real deal by scrutinizing how they fit into the different pillars of the ZTX ecosystem and, most importantly, your organization's overall Zero Trust strategy. They should be helping organizations reach Zero Trust while improving the employee experience, and should not be just another security tool that gets in the way of doing business.
To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.
This post was written by Analyst Steve Turner, and it originally appeared here.