Amazon is launching two initiatives aimed at better preparing individuals and businesses to deal with cybersecurity threats and hardening the authentication of users of its AWS cloud.
In a post on the aboutamazon.com website, the company announced that beginning in October, which is Cybersecurity Awareness Month, it will make available to the public the training materials it’s developed in-house to keep its employees and sensitive information safe from cyberattacks.
It also revealed that it will be offering “qualified” Amazon Web Services customers a free multifactor authentication device designed to strengthen the security of their cloud environments.
“A fundamental problem when addressing current cybersecurity threats is education, which is why we’re excited to share our Amazon Security Awareness training for free, to help organizations and individuals understand how to navigate and fight against security events,” AWS CISO Steve Schmidt said in the web post.
“And by giving qualified AWS customers access to free MFA tokens, we’ve made it even easier for companies to use this powerful tool to protect their data and important technology assets,” he added.
Jake Williams, co-founder and CTO of BreachQuest, an incident response company in Dallas, called the release of Amazon’s training materials “a game changer, in particular for small to mid-sized businesses.”
“Security awareness training can have substantial impacts in preventing breaches,” he told bluehillco.
“Amazon’s training will put a quality product within reach for organizations that wouldn’t have it otherwise, likely preventing thousands of breaches every year,” he said. “If there’s one thing in the announcement that will give threat actors a big headache, this is it.”
Amazon explained that people and organizations need security training to identify and keep themselves safe from social engineering attacks, such as those mounted in phishing emails and scam phone calls. The rub, though, is people and businesses don’t have the time to take training courses that, while effective, can take hours.
Amazon’s training materials, the company noted, form a digestible and succinct curriculum that’s enabled its employees to anticipate possible security threats. The materials follow proven neuroscience and adult learning principles to enhance content retention, it added.
The curriculum is also flexible, it continued, so businesses and organizations can build on it to suit their needs.
In addition, the materials are regularly updated to accommodate the changing threat landscape.
“No employee wants to see the same training more than once,” observed Perry Carpenter, chief evangelist and strategy officer at KnowBe4, a security awareness training provider in Clearwater, Fla.
“One key to a successful security awareness program strategy is to always be putting key concepts in front of people in new and unique ways,” he told bluehillco.
“A redo of last year’s training will not cut it,” he said. “Materials need to be updated with fresh facts, new scenarios, and even to reflect new uses of language, cultural trends, brands and more.”
“Not only do methods from threat actors change, but an organization’s culture, its applications and infrastructure can also change,” added Chenxi Wang, founder and general partner at Rain Capital, a venture capital firm in San Francisco.
“For those reasons,” she told bluehillco, “training materials must be constantly updated to maintain training efficacy.”
Access to security training materials alone won’t make an organization secure, asserted Doug Britton, CEO of Haystack Solutions, a cybersecurity talent assessment company in Kensington, Md.
“This is a symbolic gesture on behalf of AWS,” he told bluehillco. “Just having top shelf training materials won’t ensure security,” he said.
“How is an organization ensuring that staff take time to read and understand training materials?” he asked. “Is there a learning management system in place that tracks training? Is there a way to validate that staff have absorbed the information?”
“The culture of an organization is the critical element in making training materials most effective,” he maintained.
An organization gets out of security training what it puts into it, Carpenter added.
“By that I mean that if an organization only pays lip service to security awareness and employee training, then they will wind up with a culture where people only pay lip service to security itself,” he explained.
“But,” he continued, “if an organization is willing to make a dedicated effort to deliver a transformational security awareness program, then it will pay off.”
“Such a program is extremely intentional about communication, behavioral management, taking human nature into account and taking deliberate steps to foster a culture that values security,” he said.
Free MFA Token
In addition to free training materials, Amazon will be offering some AWS users a free token that can be used with a password to access an organization’s cloud assets.
In its online post Amazon explained that AWS customers with access to the AWS Management Console will be able to authenticate themselves by typing their passwords and then simply touching the MFA security token, which plugs into a USB port on their computer.
The free MFA token adds a layer of security to protect customers’ AWS accounts against phishing, session hijacking, man-in-the-middle, and malware attacks, Amazon noted.
Customers can also use their MFA devices to safely access multiple AWS accounts, as well as other token-enabled applications, such as GitHub, Gmail, and Dropbox, it added.
“The use of hardware or software authentication tokens is vastly superior to SMS based two-factor authentication and can massively improve any organization’s security,” observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“SMS based two-factor authentication is routinely and simply bypassed by attackers using SIM swap attacks and should be avoided unless absolutely necessary,” he told bluehillco.
Carpenter noted, though, there is a downside to using physical tokens as an MFA factor.
“I love the idea of hardware tokens from a security perspective,” he said, “but I am also realistic that hardware tokens are not for everyone.”
“There is additional friction added for the user because now they have to train new habits and keep up with one more thing,” he continued. “The physical token becomes one more thing that people have to keep track of.”
Still, Amazon’s weight as a company could change user sentiment about tokens.
“Given Amazon’s market position and notoriety, it will certainly cause companies and people to pay attention to this move,” observed Dean Coclin, senior director of business development at DigiCert, a digital security company in Lehi, Utah.
“The Fire Stick is a huge success for this company,” he told bluehillco. “Perhaps the ‘Fire Token’ will have a similar outcome.”