The decade started with the evolution of Identity & Access Management (IAM) as an expansion of directory services, but the last couple of years have all but smothered that notion. This decade will be defined by how cyber-attacks shape society. In the last two years, we have been entertained by the security exploits against Target, JPMorgan Chase, Home Depot, Sony, and Anthem, to name several. The breaches range from the compromise of point-of-sale terminals to old-fashioned sharing of credentials and the storage of passwords in the clear. The aftermath of these intrusions has produced an unwavering lack of confidence in how personal information is maintained.
As techniques evolve to counter cyber-attacks, they will in turn be countered by savvy hackers who are typically a step ahead. If you look deeply at the fundamental cause of the data breaches, it is the lack of governance of ownership, accountability, and audit. Who owns the account, what person or group is accountable for the account, and is the account audited? These questions are the foundation, and they are answered through the adoption of both Privileged Identity Management (PIM) and Privileged Access Management (PAM). I mention the two terms, PIM and PAM, because various groups or publications use either abbreviation to represent the same end goal. The more common abbreviation used today is PAM. Whether you favor one or the other, I am focused on the concept of managing administrative privileges and their access points.
In my experience, there are common breadcrumb trails left for hackers to feast upon as they traverse through the darkness.
- Service accounts are usually not scrutinized enough in terms of security compliance.
- Consultants or vendors are engaged for a focused area and at times given access that exceeds that of IT staff. The access often persists over time and is forgotten.
- The emergence of shadow IT, and IT's inability to govern the software or hardware that has been newly introduced to the environment.
- Inability to audit the use of shared accounts effectively.
- Passwords are not securely vaulted but dispersed throughout the organization in an insecure manner.
- Applications are granted more rights than they require and thus have more visibility into an end user's Personally Identifiable Information (PII).
- Orphan accounts are often not accounted for and in some cases retain privileged access.
- Lack of a true end-to-end object life cycle process. Organizations typically focus on a known user life cycle, thus restricting themselves to that population. The life cycle should cover the known and unknown entities that make the organization whole.
- The perimeter is mainly focused on network-related appliances or software, and often not on an individual's keyboard access.
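As an added example (not the author's code), a small Python audit over a constructed account inventory that asks the three governance questions of each account and flags the gaps in the list above: missing owner or accountable party, no audit, orphaned privileged accounts, and vendor access that outlived its engagement. The field names and sample accounts are assumptions, not any real directory or PAM product schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Field names below are assumptions for illustration, not a real directory
# or PAM product schema.
@dataclass
class Account:
    name: str
    kind: str                          # "user", "service", "shared" or "vendor"
    privileged: bool
    owner: Optional[str]               # who owns the account
    accountable: Optional[str]         # person or group accountable for it
    audited: bool                      # is its use logged and reviewed?
    owner_active: bool = True          # False once the owner has left (orphan)
    access_expires: Optional[date] = None  # engagement end for vendor accounts

def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account name to its governance gaps; clean accounts are omitted."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if a.owner is None:
            issues.append("no owner")
        if a.accountable is None:
            issues.append("no accountable party")
        if not a.audited:
            issues.append("not audited")
        if a.owner is not None and not a.owner_active:
            issues.append("orphaned" + (" with privilege" if a.privileged else ""))
        if a.kind == "vendor" and (a.access_expires is None or a.access_expires < today):
            issues.append("vendor access persists past engagement")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory covering the gaps listed above.
TODAY = date(2015, 6, 1)
SAMPLE = [
    Account("svc_backup", "service", True, None, None, False),
    Account("admin_shared", "shared", True, "infra-team", "infra-lead", False),
    Account("jdoe_adm", "user", True, "jdoe", "jdoe-manager", True, owner_active=False),
    Account("vendor_acme", "vendor", True, "acme-pm", "procurement", True,
            access_expires=date(2015, 1, 31)),
    Account("asmith", "user", False, "asmith", "hr", True),
]

if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```

In practice the inventory would be exported from the directory and the PAM vault rather than typed in, and every flagged account would be assigned an owner or disabled.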
With the aggressive rise in cloud and mobile adoption, the aforementioned points are increasing the avenues available for a breach. Technology today is a vastly different paradigm to secure, as it entails the extension of the corporate infrastructure. Laptops, tablets, and VPN access have added to the complexity of holistically securing the perimeter.
There are different strategies to deploy, such as:
- Data Loss and Prevention (DLP)
- Mobile Security
- Audit & Governance
- Secured API Management
- Multi-factor Authentication
- Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
- Patch management
- Malware Detection
- Separation of Duties (SOD)
- Effective authorization policies
- The investment in integration points from focused security products
The usual challenges, or suspects, that sneak up behind us are skill set, time, and priorities. Among these three usual suspects, our worst enemy is our nature to trust at times without controls.
Despite the varying exploits in the infrastructure, personnel, or application, the fundamental root cause is unwarranted control of an administrative account that has been compromised.
There are times when I suffer a lapse and leave the door to my house unlocked. Even though it is an extremely rare event, that is all it takes. The workplace has more doors to safeguard than a home. The controls that we assume are governing the entry points are trusted, not validated, for various reasons. Hackers understand that the discipline of securing has fully matured, and thus keep turning knobs in pursuit of opening another door. The emergence of Zero Trust has started its campaign for businesses to leverage.
Jose
