Fortress around your heart
“Do you remember the first time you entered a bank as a child,” asked Mike Kearn, VP, Principal Architect & ISO at US Bank, “What did it look like? It was pretty impressive, right? The bank had high ceilings and buffed marble floors; there were security guards stationed at the doors and vault entrances. Before you got to the vault, though, you and your parent(s) had to meet a bank officer, show a form of identification, and sign some paperwork. And then there was the vault door itself: huge, and at least a half foot thick. The bank presented all impressions that you were in a safe, secure environment, that there was layered security at every turn.”
It took a day to build this city
That idea of checks for every customer action, the weight of it, the precautions put in place—armed security guards, security cameras, security alarms positioned in ample locations—all signal to would-be thieves that any attack on a bank is going to require serious skill, planning, and personal risk.
Yet when it comes to cybercrime, perpetrators need only follow the path of least resistance. A staggering amount of cybercrime is committed through credential theft followed by privilege escalation. The fact is that most user IDs aren’t very hard to intuit and passwords aren’t far behind. The most popular passwords remain highly guessable and brute-forceable: “123456,” “qwerty,” “password,” and the like. Even when passwords are more complex, social engineering becomes a factor and passwords are pilfered unwittingly. Because con artists will be con artists, and even the most alert and security-minded individual can be duped, to secure digital assets, security teams need a renewed focus on identity and access management (IAM) and locking down administrative accounts, in particular.
Kearn puts it simply, “Execution of IAM is easy. The real challenge is determining what needs to be locked down and to what level, who needs access to what and why.” However, organizations continue to struggle with IAM, and these shortcomings offer easy access points for criminals. Weak IAM practices are like leaving a bank window open after closing time, once the employees have left and the security guard is taking a break. If the last bank employee out the door every night has to manually check every window, there is a higher likelihood that one window will be missed or not secured tightly enough. Without other precautions in place, an attacker can use that window to pop inside and take what’s available to him. But what if that employee could push one button and lock every window in the bank automatically? What if multiple points of failure were reduced and the process of locking windows was tightened up? Unless a system failure occurs (at which point an alarm would be triggered), all of the windows are shut, making it more difficult for criminals to gain entry.
We walked through its streets in the afternoon
With today’s IAM automation tools, provisioning has never been easier, but security teams are reluctant to trust automation entirely. They worry about the exceptions and special use cases, but often it’s this permissive approach that lands companies—and their data—in the hands of criminals.
The goal for most organizations should be fully automated and managed IAM provisioning and de-provisioning. This, however, is easier said than done, as organizations may have invested considerable dollars in solutions that do not provide such a capability, and the costs associated with replacing them can be significant, says Kearn.
Building on top of automation—layering the security defenses—every user should be equipped with his or her individual set of credentials—no more sharing, especially among admins who have escalated access and privileges. When it comes to disparate assets and applications, a new set of credentials should be required for each admin rather than using a standard set across multiple systems. Yes, unique credentials for each admin to each system/application/segment make it more difficult for the legitimate person logging in, but re-used credentials make it easier for attackers to access additional systems and data, and the goal is to keep unauthorized and potentially malicious users out.
Going back to our bank analogy, to access the vaults, customers must present multiple forms of identification before they enter a separate area of the bank. That separate space holds different types of valuable assets than the front of the bank, and even within the vaults, each one has its own key or access code. Segregate and segment. Identify and re-authorize.
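The two rules above (no shared admin accounts, no secret re-used across systems) can be checked mechanically against a credential inventory. The following is an added example, not code from the article or from US Bank; the inventory layout, the audit key and the sample rows are constructed for illustration. It compares secrets through a keyed fingerprint so the audit never stores an unkeyed hash that could be guessed offline:

```python
"""Audit a credential inventory for shared admin accounts and secrets re-used
across systems.  Added illustration; inventory format and key are assumptions."""
import hashlib
import hmac
from collections import defaultdict

# Assumed: a key held only by the vault that runs the audit, never by the report reader.
AUDIT_KEY = b"constructed-audit-key-held-by-the-vault-only"


def fingerprint(secret: str) -> str:
    """Keyed fingerprint: equal secrets compare equal, but without the audit key the
    value gives an attacker no offline-guessable hash of the password."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed inventory: one row per (system, account).  'holders' lists the people
# who know the secret.  A real inventory would carry only the fingerprint; the sample
# carries the plaintext so the block can compute fingerprints itself.
INVENTORY = [
    {"system": "payments-db", "account": "dba_alice", "holders": ["alice"], "secret": "s1"},
    {"system": "reporting", "account": "alice", "holders": ["alice"], "secret": "s1"},  # re-used
    {"system": "build-server", "account": "root", "holders": ["bob", "carol"], "secret": "s2"},  # shared
    {"system": "reporting", "account": "bob", "holders": ["bob"], "secret": "s3"},
    {"system": "reporting", "account": "carol", "holders": ["carol"], "secret": "s4"},
]


def audit(inventory):
    """Return the shared accounts and the secrets that appear on more than one system."""
    shared = [
        (row["system"], row["account"], sorted(row["holders"]))
        for row in inventory
        if len(row["holders"]) > 1
    ]
    by_secret = defaultdict(lambda: {"systems": set(), "holders": set()})
    for row in inventory:
        entry = by_secret[fingerprint(row["secret"])]
        entry["systems"].add(row["system"])
        entry["holders"].update(row["holders"])
    reused = sorted(
        (sorted(e["holders"]), sorted(e["systems"]))
        for e in by_secret.values()
        if len(e["systems"]) > 1
    )
    return {"shared_accounts": shared, "reused_secrets": reused}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for system, account, holders in report["shared_accounts"]:
        print(f"shared account {account}@{system} known to {', '.join(holders)}")
    for holders, systems in report["reused_secrets"]:
        print(f"{', '.join(holders)} re-use one secret across {', '.join(systems)}")
```

Run the module directly to print the findings. The shared-account rule is a plain count of holders; the re-use rule groups rows by fingerprint and flags any group that spans more than one system, which is exactly the lateral movement path the paragraph warns about.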
As I returned across the fields I’d known
Further, organizations need to take another look at time limits on use of admin credentials, says Kearn. In a perfect world, he’d like to see access delegated to administrative or privileged users with a predefined “time to live” on that access. In addition, the access should not be persistent and must be delegated with the appropriate authority. The amount of time provided for each access would vary based upon business use case, with both security and business line risk managers partnering to determine an appropriate duration. Organizations should adhere to stricter rules around access to and permissions with the most sensitive data.
Again, making the parallels to a bank environment, when a customer enters his or her bank vault, he or she isn’t allowed to stay there indefinitely. Video surveillance is running, and the bank manager comes to check on the customer at intervals if time spent inside seems excessive. Within enterprises’ digital systems, for a variety of reasons, security admins may log activity but limit what they log or for how long, meaning that users may be under a watchful eye, but only partially, and only through the logging mechanism itself rather than anyone actively checking in.
Reviewing logs and actively monitoring for outliers is a challenge for many organizations; if admins are unable, for whatever reason, to maintain awareness of the organization’s environment, especially which users are in it at what times, that deficiency plays into the hands of the adversary and his or her desire to remain undetected. If, on the other hand, “time to live” is predefined by a subjective authority and then automated, the damage a criminal can effect is also limited.
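The time-to-live model from the previous paragraphs and the log review described here fit together naturally: a grant records who approved what for how long, and every admin login that no active grant covers is an outlier worth a look. The following is an added example, not code from the article or from US Bank; the approver table, the per-tier TTL ceilings and the log line format are assumptions made for illustration.

```python
"""Just-in-time privileged access with a time-to-live, plus a log review that flags
admin logins outside any approved grant.  Added illustration; the delegation table,
TTL ceilings and log format are assumptions, not any product's behaviour."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# Constructed delegation table: which authority may approve grants on which tier.
APPROVERS = {
    "risk-manager-a": {"tier1"},          # tier1 = most sensitive systems
    "team-lead-b": {"tier2", "tier3"},
}

# Constructed TTL ceilings per tier, the kind of values security and business-line
# risk managers would agree on together; stricter for the most sensitive tier.
MAX_TTL = {"tier1": 1 * HOUR, "tier2": 4 * HOUR, "tier3": 8 * HOUR}


class GrantError(ValueError):
    """Raised when a request violates the delegation or TTL rules."""


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    tier: str
    approver: str
    start: datetime
    ttl: timedelta

    @property
    def end(self) -> datetime:
        return self.start + self.ttl

    def active_at(self, t: datetime) -> bool:
        # Access is non-persistent: it exists only inside [start, end).
        return self.start <= t < self.end


def request_grant(user, system, tier, approver, start, ttl) -> Grant:
    """Issue a time-boxed grant, or refuse if the approver lacks authority over the
    tier or the requested TTL exceeds the ceiling for that tier."""
    if tier not in MAX_TTL:
        raise GrantError(f"unknown tier {tier!r}")
    if tier not in APPROVERS.get(approver, set()):
        raise GrantError(f"{approver} is not authorised to delegate {tier} access")
    if ttl <= timedelta(0) or ttl > MAX_TTL[tier]:
        raise GrantError(f"TTL {ttl} outside (0, {MAX_TTL[tier]}] for {tier}")
    return Grant(user, system, tier, approver, start, ttl)


def parse_event(line: str) -> dict:
    """Parse one constructed log line such as
    '2024-03-05T09:05:00 admin=alice system=payments-db action=login'."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_sessions(log_lines, grants):
    """Return one finding per admin login that no active grant covers, naming the
    user, system and time so a reviewer can follow up."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("action") != "login":
            continue
        covered = any(
            g.user == ev["admin"] and g.system == ev["system"] and g.active_at(ev["time"])
            for g in grants
        )
        if not covered:
            findings.append((ev["admin"], ev["system"], ev["time"].isoformat()))
    return findings


# Constructed sample: two approved grants starting at 09:00 and four login events.
T0 = datetime(2024, 3, 5, 9, 0)
GRANTS = [
    request_grant("alice", "payments-db", "tier1", "risk-manager-a", T0, 1 * HOUR),
    request_grant("bob", "build-server", "tier3", "team-lead-b", T0, 8 * HOUR),
]
SAMPLE_LOG = [
    "2024-03-05T09:05:00 admin=alice system=payments-db action=login",  # inside grant
    "2024-03-05T10:30:00 admin=alice system=payments-db action=login",  # grant ended 10:00
    "2024-03-05T09:10:00 admin=bob system=build-server action=login",   # inside grant
    "2024-03-05T09:15:00 admin=carol system=payments-db action=login",  # no grant at all
]

if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_LOG, GRANTS):
        print("login without active grant:", finding)
```

Running the module prints the two outliers: alice logging in after her one-hour grant expired, and carol logging in with no grant at all. Because every grant carries its approver, the same records double as the audit trail for who delegated the access, which is the non-repudiation the closing paragraph asks for.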
I recognized the walls that I’d once made
Is it possible to subvert even the most layered and monitored IAM? Yes, of course, but the skills and time required by the attacker come at a significant premium. Hopefully, the day will come when all organizations take a layered approach to security, putting more checks in place, and using heavy doors to keep attackers out. For now, though, the most diligent organizations will win the war on credential theft and unauthorized privilege escalation. Adversaries don’t have to be that skilled or willful to effect many of today’s mega attacks; use identity and access management as a way to raise the bar. Building an effective security capability means having a firm foundation, and that begins with the basics like authentication, authorization, and non-repudiation. In short, don’t keep your doors unlocked and leave the windows open.