Latest news with #TKKeanini


Forbes
4 days ago
- Business
- Forbes
How Organizations Can Prepare For Machine Identity Attacks
TK Keanini, CTO, DNSFilter.

Today's organizations are grappling with a massive number of identities, and it's not just humans (i.e., employees, contractors, vendors, etc.). There's also been an explosion of machine identities, known as non-human identities (NHIs), that enterprises have to contend with. Machines, including IoT devices, appliances and robotics, now vastly outnumber humans in digital environments. This is true even at the consumer level, given all of the various devices and appliances connected to the internet, even in the average home.

Consider this—Cisco once forecasted that "the number of devices connected to IP networks will be more than three times the global population by 2023." 2023 was two years ago.

NHIs are becoming bigger targets for bad actors, and I believe that's only going to intensify. While cybersecurity has traditionally focused on humans, it's now necessary to shift the approach to include machine-centric security. Bad actors have attacked machines from the beginning, but now that there are so many more machine identities than human ones, the attack surface is larger than ever.

Machines require a fundamentally different security strategy than humans do. That means it's time to start thinking about this scenario from an attacker's mindset. In my years in cybersecurity, I've learned that attackers usually prioritize the amount of attack surface they can explore to find a way in. If, as a defender, you don't know your own attack surface, you're already in a weak position. It's simply not enough to secure your human resources; you must also account for machines. And with AI and generative AI creating even more non-human resources, you're likely already behind.

The Growth Of Machine Identities Requires A New Approach

A 2024 report consisting of research by TechTarget's Enterprise Strategy Group that was carried out for AppViewX found that organizations have "20X more non-human identities than human identities … with 52% of organizations predicting an additional 20% increase in NHIs they manage over the next year."

If you were asked to guess how many machines are currently connected to your home network, you'd likely be underestimating. Many appliances on the market today can be connected to Wi-Fi (whether they should be able to, however, is a whole other debate). The same question can be asked about your business: Most estimates of the number of connected devices any given organization has today are probably too low, especially for SaaS companies that service the needs of various customers.

This proliferation of machine identities creates massive attack surfaces. Even when machines are no longer in service, they can create problems. From my observations, at many organizations, machine offboarding gets neglected, leaving orphaned credentials and unmonitored access points—major vulnerabilities. De-provisioning is arguably more vital than provisioning, especially after staff turnover or organizational changes.

Organizations usually spend a lot of time and energy protecting their people with tactics like two-factor authentication and education for users. But such tactics aren't enough. Machines massively outnumber the people you are trying to protect, so if they don't get the same amount of cybersecurity attention, you're headed for trouble.

History provides many examples of the dangers of NHIs, as well as the fact that organizations have failed to learn from them. In the 2013 Target breach, attackers gained access by stealing credentials from an HVAC subcontractor. The attack resulted in the theft of 40 million credit and debit card records.

In the 2016 Mirai botnet attacks, according to the Center for Internet Security (CIS), bad actors went after technology company OVH and the website Krebs on Security. Mirai and its variants still exist today and depend on "the weak security of IoT products and technology." For instance, in January 2025, it was reported by CyberScoop that Cloudflare "successfully managed and mitigated" an attack from a Mirai botnet variant that "originated from over 13,000 Internet of Things (IoT) devices."

Malware exploits weak passwords and remote code execution vulnerabilities. It can cause disruptions for major corporations and financial institutions that have long-term consequences.

Systems that are addressable on the network deserve the same amount of care as those that are operated directly by humans. Everything on the network should, in my view, have a zero-trust strategy where AAA principles (authentication, authorization and audit) are enforced, giving users access when authenticated to only the resources they need to operate—nothing more.

Guiding Principles For Securing Machine Identities

While organizations' cybersecurity strategies should extend beyond zero trust in this machine-dominated landscape, the zero-trust model is still essential. Having a solid zero-trust strategy in place will go a long way toward keeping your organization safe. And thanks to having a zero-trust strategy, if an attack occurs, the event will be highly detectable and have a limited negative impact.

For company leaders, now is also a good time to consider whether something should be connected to the internet just because it can be.

Getting a handle on machine identities requires a few best practices to all work in harmony with one another. For one thing, establishing a baseline of behavior is key. Machines should follow strict "allow lists" and behavioral profiles. In other words, every machine identity should have an expected behavioral norm. Deviations in behavior, such as a building access system transferring large volumes of data to an external server, are red flags.

Another best practice is to implement the principle of least privilege access. Grant machines only the access they need, shaped tightly around their expected behavior. Use automation, but do so with caution; automating security policies can be helpful, but it must be done carefully.

One thing all network-attached identities share is DNS, which means protective DNS can be a critical first line of defense. Nearly all internet-connected devices need to resolve domain names, which means they must perform DNS. Given that, company leaders should create policies so that devices can only receive updates from their manufacturers (and I'll reiterate that many devices don't actually need access to all of the internet).

Defending Against NHI Attacks

As the number of machines and machine identities increases, there's a growing need to rethink cybersecurity strategies in this machine-dominated world. Security models must shift from being primarily human-centric to machine-aware, with a focus on behavioral enforcement, automated policy management and robust identity life cycle practices. Organizations must develop practical, scalable methods to manage and secure machine identities, and the time to do so is now, not later.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


Forbes
16-07-2025
- Business
- Forbes
Building A Blueprint For Improved Security Outcomes
TK Keanini, CTO, DNSFilter.

I was recently included in the Forbes Expert Panel post "How To Reduce Insider Threats (Without Impacting Efficiency)," and it got me thinking more closely about zero trust and how we've arrived at this point today.

Zero trust was first introduced in 2009 by John Kindervag, a longtime cybersecurity expert and former Forrester Research analyst. Because it's been around a while, most of us are already very familiar with the zero-trust mantra: "Never trust, always verify."

As an example, just because Employee X accesses a corporate network using their Pixel 7a today, it doesn't mean that the system will automatically allow them access the next day, simply because they're using the same device. We need to verify that it's actually Employee X every single time (among other verifications).

At this point, anything less than a zero-trust strategy isn't only outdated but also lazy. No one really needs access to all of the internet, especially in a work setting. They simply need high-performance access to the resources required for their professional or personal tasks and nothing more. Attackers are banking on the fact that you're able to access everything and anything, even the thing that they created two minutes ago. Until you adopt a zero-trust mindset, you'll fall victim to bad actors' tactics.

When you're protecting your entire company, extreme clarity on roles and responsibilities is paramount to setting the right access policy. Let's break that down a bit.

Authentication, Authorization And Audits (AAA)

One way to think about security and zero trust is in terms of the three A's:

• Authentication: Are you who you say you are?
• Authorization: Given you are who you say you are, what can you access based on your role?
• Audits: For every action, is there an immutable ledger of that activity?

These terms have historically been associated with identity and access management, but I'd argue that regardless of the system you're building and wish to secure, you must design an AAA set of functionality you can depend on.

I want to focus on authorization for a moment, because no one, especially in a corporate environment, needs access to the entire internet. There's a core set of items that absolutely no one should access; these are known and emerging threats. But once we remove access to threats, we then need to layer on what makes sense for an individual's role.

Without role-based authorization in mind, organizations are at a heightened risk of a breach. Let's imagine a person who has administrative access to a critical system that isn't necessary for their role. If a social engineering campaign targets this person, their lack of understanding of the system they have access to could lead to the release of sensitive information to a threat actor.

What this comes down to is applying the principle of least privileged access. For each authenticated role, provide the least privileged authorization and closely monitor the audit trail. This will enable you to identify gaps in your authorization policies and provide more effective incident response in the event of a breach. What I've described above is a zero-trust recipe book for many technologies.

Zero Trust In The Real World

Applying AAA is useful when thinking through a zero-trust approach to many defensive countermeasures (like firewalls, proxy servers and file system access). One area that I've found to be effective is your protective DNS strategy.

First things first, if you're just using DNS and not protective DNS, you should consider upgrading because, once again, no device really needs access to everything online. The difference between DNS and protective DNS is simply your ability to apply these AAA policies to everything you're trying to protect.

The role of DNS is to ensure that when you type in a domain name or click on a link, the corresponding IP address is returned, allowing your device to establish a connection. Protective DNS enables a zero-trust approach by allowing you to authenticate that request and establish an identity, then apply a policy that provides the least privileged authorization for that role. Finally, it provides an audit trail so you can ask, "What internet activity was performed by that identity over a certain amount of time?"

Protective DNS providers vary in the capabilities they provide, but by understanding your own zero-trust requirements via these AAA terms, you can find one that's right for you.

Final Thoughts

Zero trust is a mindset shift that prioritizes precision, clarity and accountability at every level of access. That starts by asking hard questions about who needs access to what and committing to "never trust, always verify." Reducing access to the internet is one critical way that organizations can protect themselves.

By embracing strong authentication, strict authorization and comprehensive auditing—the AAA of modern security—you create a resilient, layered defense that protects against insider threats without sacrificing operational efficiency. Anything less isn't just risky; it's outdated.
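
An added example, not taken from the articles or from any DNS provider's product: a minimal Python sketch of the authenticate, authorize and audit flow described above for protective DNS, using the per-device allow lists recommended in the machine-identity article. The device names, keys, domains and the HMAC request tag are constructed assumptions standing in for whatever identity mechanism a real resolver uses, and the hash chain makes the log tamper-evident rather than truly immutable.

```python
import hashlib
import hmac
import json

# Constructed sample data: every device, key and domain below is hypothetical.
DEVICE_KEYS = {"hvac-01": b"k-hvac", "badge-reader-07": b"k-badge"}
ROLE_OF = {"hvac-01": "hvac", "badge-reader-07": "door-controller"}
ALLOW = {  # least privilege: each role resolves only what it needs
    "hvac": {"updates.hvac-vendor.example"},
    "door-controller": {"updates.badge-vendor.example", "ntp.corp.example"},
}
THREATS = {"c2.bad.example"}  # known threats, denied for every role
GENESIS = "0" * 64


def sign(device, qname, key):
    """Request tag (assumed scheme): HMAC-SHA256 over device id and query name."""
    return hmac.new(key, f"{device}|{qname}".encode(), hashlib.sha256).hexdigest()


def matches(qname, names):
    """True for an exact match or a subdomain, compared on label boundaries."""
    q = qname.rstrip(".").lower()
    return any(q == n or q.endswith("." + n) for n in names)


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class Resolver:
    def __init__(self):
        self.audit = []  # hash-chained, so later edits are detectable

    def _log(self, device, qname, verdict):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"device": device, "qname": qname, "verdict": verdict, "prev": prev}
        self.audit.append({**entry, "hash": _digest(entry)})
        return verdict

    def query(self, device, qname, tag):
        key = DEVICE_KEYS.get(device)
        # Authentication: unknown devices and bad tags never reach policy.
        if key is None or not hmac.compare_digest(tag, sign(device, qname, key)):
            return self._log(device, qname, "DENY_UNAUTHENTICATED")
        # Authorization: threat feed first, then the role's allow list.
        if matches(qname, THREATS):
            return self._log(device, qname, "DENY_THREAT")
        if not matches(qname, ALLOW[ROLE_OF[device]]):
            return self._log(device, qname, "DENY_NOT_IN_ROLE")
        return self._log(device, qname, "ALLOW")

    def audit_intact(self):
        """Audit: recompute the chain; any altered entry breaks it."""
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Filtering `Resolver.audit` by `device` answers the article's question of what internet activity an identity performed, and a `DENY_NOT_IN_ROLE` verdict for a device such as the badge reader is the kind of deviation from baseline the first article calls a red flag.
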
Yahoo
20-06-2025
- Yahoo
Think again before clicking 'unsubscribe' on spammy emails. See safer options.
A word to the wise: That "click to unsubscribe" link at the bottom of those unwanted email newsletters and new product announcements may do the exact opposite of what you'd hoped.

TK Keanini, CEO at cybersecurity software seller DNSFilter, recently told the Wall Street Journal that clicking the "unsubscribe" link in hopes of getting off annoying email lists could do more harm than good, if you happen upon the wrong one.

Instead of adding users to a "do not send" register, the links could instead send them to a mock landing page or give scammers the exact confirmation they were looking for, allowing them to pick out better potential victims, according to Keanini and DNSFilter, per the outlet.

Here's what to know about safely freeing yourself from a cluttered inbox full of spam.

At least one in every 644 "click here to unsubscribe" links led to potentially malicious websites, DNSFilter found, per the WSJ. While some may be looking for people to input personal information, such as an email address or other account details under the guise of "unsubscribing," others are simply testing to see if you are paying attention.

Like with spam callers who repeatedly call but leave no message or follow-up, some of these links serve the purpose of simply telling the person on the other end that you have received, looked at and clicked on items within their messages. An individual's initial click may not lead to imminent doom, but it can identify them as a potential future target.

Most email service providers and platforms have a built-in unsubscribe feature that does not require interacting with any shady links. The easiest and most common are the "list-unsubscribe headers," the banner with a hyperlink from your mail provider that is usually positioned in or right above or below an email's header. Clicking through this should allow you to unsubscribe from repeat emails without going to an external website.

On the other hand, if the email or sender is one you never want to see again, you can simply mark either as spam, delete the unwanted message and block the sender's email address. You can even block a sender's IP address in case they send those annoying blasts from several different accounts.

You can also set up manual filters for emails that will automatically divert them to your spam box, or if you want to keep things even more contained, set up a separate email address to use when interacting with potentially spammy sources. Some services even have a built-in email hiding option, like Apple's "Hide My Email."

This article originally appeared on USA TODAY: Want to get off email lists? Do this, don't click 'unsubscribe'
Yahoo
19-06-2025
- Yahoo
Think again before clicking 'unsubscribe' on spammy emails. See safer options.


USA Today
18-06-2025
- USA Today
Think again before clicking 'unsubscribe' on spammy emails. See safer options.
A word to the wise: That "click to unsubscribe" link at the bottom of those unwanted email newsletters and new product announcements may do the exact opposite of what you'd hoped.

TK Keanini, CEO at cybersecurity software seller DNSFilter, recently told the Wall Street Journal that clicking the "unsubscribe" link in hopes of getting off annoying email lists could do more harm than good, if you happen upon the wrong one.

Instead of adding users to a "do not send" register, the links could instead send them to a mock landing page or give scammers the exact confirmation they were looking for, allowing them to pick out better potential victims, according to Keanini and DNSFilter, per the outlet.

Here's what to know about safely freeing yourself from a cluttered inbox full of spam.

Think twice before hitting 'unsubscribe'

At least one in every 644 "click here to unsubscribe" links led to potentially malicious websites, DNSFilter found, per the WSJ. While some may be looking for people to input personal information, such as an email address or other account details under the guise of "unsubscribing," others are simply testing to see if you are paying attention.

Like with spam callers who repeatedly call but leave no message or follow-up, some of these links serve the purpose of simply telling the person on the other end that you have received, looked at and clicked on items within their messages. An individual's initial click may not lead to imminent doom, but it can identify them as a potential future target.

Do this instead

Most email service providers and platforms have a built-in unsubscribe feature that does not require interacting with any shady links. The easiest and most common are the "list-unsubscribe headers," the banner with a hyperlink from your mail provider that is usually positioned in or right above or below an email's header. Clicking through this should allow you to unsubscribe from repeat emails without going to an external website.

On the other hand, if the email or sender is one you never want to see again, you can simply mark either as spam, delete the unwanted message and block the sender's email address. You can even block a sender's IP address in case they send those annoying blasts from several different accounts.

You can also set up manual filters for emails that will automatically divert them to your spam box, or if you want to keep things even more contained, set up a separate email address to use when interacting with potentially spammy sources. Some services even have a built-in email hiding option, like Apple's "Hide My Email."