The Black Book of Identity Access Mgmt

    A Painfully Obvious Truth From Gartner

    Here’s a great nugget from this year’s Gartner show in DC: you’re gonna get nailed. Just accept it. The keynote speaker provided some takeaways, and that was the one that finally confirms what I’ve been telling people for a while and often get frowns for. You will be breached. So now you say, “what’s the point of living? I should just kill myself now.”

    But wait, grasshopper. Two more points to make now.

    First, “breach” means somebody got in and left their dirty fingerprints. Bypassed your feeble firewall. Cracked some passwords. It doesn’t necessarily mean they stole or broke anything.

    Second, were you prepared when it happened? The sooner you resign yourself to the fact that you WILL get breached, the sooner you will prepare for THAT. If your entire strategy is based on keeping evil-doers out, you’re already screwed. Because you won’t keep them out. So plan for limiting, mitigating, or eliminating the potential damage.

    In the olden days, defenders would retreat behind a line they knew they could defend, and they burned all the crops and villages in their wake, burned their own stuff, to give the invaders nothing to live off or hide in. I’m not saying you should burn your server, unless it’s an AS/400, but I’m saying, don’t give the invaders anything to live off or hide in.

    - If data is encrypted, it doesn’t matter if a bad guy in a mask walks off with your server on a dolly.

    - If production data is masked before it’s used in testing, it can’t be compromised.

    - If your network is segmented, you’re possibly allowing for some damage, but not total destruction.

    - If you implement segregation of duties, especially at the database level (INCLUDING service accounts), you are preventing invaders from using your own privileged accounts against you.

    Here’s another point. Multiple customers have told me, they won’t get fired for a breach, because even their BOSSES know it’s going to happen. But they WILL get fired if

    1) They’re not prepared to react to a breach

    2) They fail the audit in advance of a breach

    See, breaches are baked in, at least by people who know what they’re talking about. If the bad guys get in, and they get nothing useful, then you’re good.

    For now.

    One more important thing from the Gartner show in DC: the Gaelic steak at Harrington’s Irish Pub is freaking phenomenal. What’s that got to do with security? Nothing.


    A Nut Falls From the Tree

    My wife got an excellent Mother’s Day present. She got to watch as her oldest marched onto a stage to shake the hand of the president of her college, and be acknowledged as graduating Summa Cum Laude with a tough major and two minors.

    It’s a well-known public and fairly tough school. Our child went for the sciences, which made us happy. Yes, we need playwrights and philosophers, just not in my family. I publish the occasional novel, which is dangerous enough.

    Anyway … our eldest actually finished in December, and already had the diploma (and is gainfully employed), but this was the first opportunity to line up with peers and be accounted for. The commencement speaker was a very accomplished woman, a journalist who produced a profound documentary on human trafficking that I have seen. The whole affair was long, a little tedious, and well worth it. Especially to see the proud tears on my wife’s face.

    What’s this got to do with identity and access management? Nothing at all.



    At a recent conference in Las Vegas, hedge fund execs were warned by the Department of Justice that they need to watch their butts. An assistant attorney-general (it was Vegas, and still all they could get was a lesser mortal) told the assembled crowd that hedge fund operations represent “a tremendous amount of capital, incredibly sensitive proprietary information, and valuable algorithms, but they are small shops and they often have very weak IT.”

    At first glance, this seems ridiculous. These guys should know this already, right? “We handle money. Bad guys like to STEAL money. So we’d better be careful.”

    But if you were in the security business, you would know one inescapable fact: way way way way way way way way too many companies are not careful at all.

    “We got a firewall. We’re good.”

    “We make people change their passwords once a year, we’re good.”

    “Our accounting audit people look at our IT controls annually. We’re good.”

    But ohhhhhh, it gets worse. In the last year, I’ve seen:

    • Companies that have literally NEVER required a password change
    • A company whose guest wifi password was ridiculously easy to guess, and never changed
    • Companies with dozens of applications, all of which were manually provisioned (i.e. somebody punches names into a keyboard for every single app)
    • A company that allowed a 30-retries policy for flubbed passwords


    Now, when I heard the 30-strikes-and-you’re-out policy, I said, “Huh?” It was explained to me that they had some rather unsophisticated users who knew the business, but who were not great with a keyboard. I pointed out two things to change their minds:

    1) 30 strikes gives brute-force attacks a FAR higher chance of succeeding

    2) If someone is so ill-coordinated that he could fat-finger that much, OR that he couldn’t remember a 6-to-8 character password, that person is too dumb to work for the firm
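    The lockout trade-off above, as an added example that is not from the post: how many online guesses per day a per-account lockout hands an attacker at 30 strikes versus 5, next to a progressive delay that costs a fat-fingered user seconds but caps a guesser at roughly a hundred tries a day. The 30-minute lockout window, the doubling delay and the 900-second cap are assumptions; lockouts are per account, so a spray across many accounts multiplies the budget accordingly.

```python
"""Compare the online-guessing budget that different failed-login policies
hand an attacker.  Added example, not from the post; the 30-minute lockout
window, the doubling delay and the 900 s cap are constructed assumptions."""

SECONDS_PER_DAY = 24 * 60 * 60


def guesses_per_day_lockout(max_failures: int, lockout_seconds: int) -> int:
    """Hard lockout: after max_failures the account locks for lockout_seconds,
    then the counter resets.  An attacker who fires max_failures guesses the
    instant each lock expires gets this many guesses against ONE account."""
    attempts, t = 0, 0
    while t < SECONDS_PER_DAY:
        attempts += max_failures      # burst of guesses at the start of each cycle
        t += lockout_seconds          # then wait out the lock
    return attempts


def progressive_delay(consecutive_failures: int, cap_seconds: int = 900) -> int:
    """Seconds the next attempt must wait: doubles with each failure, capped."""
    return min(2 ** consecutive_failures, cap_seconds)


def guesses_per_day_progressive(cap_seconds: int = 900) -> int:
    """No hard lockout; every failure just lengthens the wait.  Counts how
    many attempts fit in one day when every guess is wrong."""
    attempts, t, failures = 0, 0, 0
    while t < SECONDS_PER_DAY:
        attempts += 1
        failures += 1
        t += progressive_delay(failures, cap_seconds)
    return attempts


def honest_user_wait(failures: int, cap_seconds: int = 900) -> int:
    """Total seconds a clumsy user waits across `failures` consecutive typos
    before getting the password right; the account never locks."""
    return sum(progressive_delay(n, cap_seconds) for n in range(1, failures + 1))


if __name__ == "__main__":
    for limit in (30, 5):
        print(f"{limit} strikes, 30 min lock: {guesses_per_day_lockout(limit, 1800)} guesses/day")
    print(f"progressive delay: {guesses_per_day_progressive()} guesses/day")
    print(f"user with 5 typos waits {honest_user_wait(5)} s in total")
```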


    Many vendors (software or otherwise) segment their customers in various ways. One way is by vertical, so that you have subject matter experts selling into pharma, or power grid, or federal government. The other is by size. Enterprise accounts are massive targets, while local or national accounts are smaller. Larger accounts tend to already have an identity and access framework. In fact, many are on a second or third. Smaller ones chronically have little to nothing. The complete lack of automation always astounds me. It’s not even the number of users that matters. It can be the complexity. Compliance requirements. Difficult audits. Security worries. The number of resources.

    There’s no excuse any more. If you get nailed for lack of effort, you deserve it. Sorry, but you’re a goon. There are too many threats, and too many targets.

    Don’t think that you’re too obscure to get hit. If you manufacture the eyeballs that go on kewpie dolls that a rube might win after nineteen rounds of Skee Ball at the carnival, but you have an accounting system that dispenses money, you are on somebody’s hit list. I deal with a lot of vertical industries, and even I occasionally run into a client I’d never heard of before. I remember the first time I went into Worldcom, when they were nobody, long before they exploded and imploded, and I had to explain to my boss later who they were and why they were a customer worthy of a visit.

    Don’t be one of those many organizations I visit who are just begging for crap to happen. Protect your users. Protect your data. Start with the data, if you’ve done nothing else. And don’t think a firewall is the answer to anything beyond the basics. Be smarter than that.





    It’s always fun to watch the headlines, and hear about the latest corporate hacking disaster. Part of the fun is hearing the so-called experts give the 10,000-foot explanation of what they think happened, and often these are people who know the buzzwords but don’t actually know what they mean. We’ve all heard some ridiculous post-mortems from dummies who are good for talking to pundits but who risk all credibility if they’re dumb enough to actually talk to any white-hat types and get picked apart.

    Yes, we still have to worry about those generic “hackers,” those mysterious types who do whatever keyboarding evil they do who “break in” and steal data. TV types can’t comprehend OWASP or SANS or common exploits. You’ll never hear the term “SQL injection” on CNN.

    But as brilliant as some of these bad guys are, they STILL quite often rely on bad practices, social engineering, and just plain stupidity. However, they can be sophisticated enough to leverage people’s personal connections.

    Let’s pull this apart by comparing a social attack to SQL injection. Both are iterative attacks, i.e. not a smash and grab: find the databases, find the tables, examine the schema, then go after the data.

    Recently I’ve spoken to organizations who describe multi-layered, extremely clever attacks that require several passes, and are still just social engineering, but to such a degree that it’s far beyond conning a secretary over the phone into handing out a password.

    Example 1: purchasing agent gets an email, containing an attachment requesting a wire transfer, from a manufacturing manager. “Need this much cash to buy these mundane raw materials to build this boring product.” The required form is properly filled out, appears to be pre-approved by yet another party, and the proposed transaction is in line with other transactions they process several times a day. The purchasing agent has a question about the form, emails back, and gets an appropriate response so he also approves, and sends the wire transfer request along.

    Then there’s an issue with the account number, and it bounces back. The purchasing agent finally says, screw it, I’ll make a phone call to the manufacturing manager, who then says, “What wire transfer are you talking about?”

    The bad guys hadn’t hacked a bank account or explicitly moved money. They had infiltrated email, mapped out the organization, who dealt with whom, how business was transacted, how money was moved, then tried to get privileged employees to do the work FOR them. After hearing this story, I heard from several other companies in the same geographic area that had been attacked in the same way.

    Example 2: a technology company is on an acquisitions binge. Lots of little purchases are going on every day as people and even furniture are getting moved around, offices are being dissolved, severances are being paid, equipment is being consolidated. The CEO is personally overseeing many of these small expenditures. The CEO goes by a nickname. One day his secretary gets an email from him asking for a transfer of cash for a merger-related activity, but using his full name. The long-time secretary is instantly suspicious because the boss didn’t use his traditional nickname in signing the email. And yep, it wasn’t him. Someone is trying to take advantage of the chaos of the M&A activity.

    It’s important to have all the right tools and policies in place. All your sensitive data should be encrypted. Multi-factor authentication and authorization are phenomenal things. Segmented networks can limit damage when somebody DOES get in.

    But it still pays to be smart, to be vigilant. There’s an old saying from the Middle East: trust, but verify. Well, screw trust. Just verify.



    Mobile does not equal trust

    At the Davos Economic Forum, Yahoo’s Marissa Mayer, among others, said 2014 would be the tech tipping point, in which more consumers would access Yahoo’s and other content on mobile devices than on any other platform. Mayer said, “It makes connecting and trusting people easier.”

    Whoa. Hang on. Connecting is easier? Absolutely. Trust is another matter.

    We already have an environment in which too many people are not who they say they are on the net. I have a very good friend who says Facebook is the best authenticator in the world, since it knows so much about you. And yet a large percentage of FB accounts are bogus, or surplus. And anybody can steal your vacation or kids’ photos and claim ownership.

    Mobile devices are also more easily stolen, compromised, appropriated, corrupted. And disposable. They get swiped all the time. And before they can be traced after ill use, they can be dumped.

    This is why we in the security world talk about assessing and reacting to RISK. We calculate it, even after authentication. You might have the right creds, and you might even do the right things, to start a session or connection. But then you might turn out to be evil after all. A few years ago, an investigative show sold a “stolen” credit card online, then tracked its use. The bad guys who bought it bought a couple of very innocuous items to start with. Once the transactions went through without a hassle, they started buying junk. So it pays to keep an eye on a user, even after they pass the smell test.

    This is why your device should be married to YOU. It should be part of your identity. Just like your IP address, your habits, your authentication method. If somebody else uses your device, the system you’re connecting to should either think twice about letting it in, or prompt for other creds. If YOU use somebody else’s device, same deal. Airports are great places to listen in on somebody else’s creds, physically or over the air, and use them for evil stuff.
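    The risk assessment the two paragraphs above describe, as an added example that is not from the post: the device is bound to the user, an unfamiliar address adds risk, and scoring continues after login so the “innocuous purchases first, then junk” pattern from the stolen-card story trips a step-up prompt. Every threshold, device id, address and purchase amount is a constructed assumption.

```python
"""Risk-based decisions that keep running after authentication: the device is
part of the identity, and behaviour is scored once the session is open.  Added
example, not from the post; every threshold and sample value is constructed."""
from dataclasses import dataclass, field
from statistics import median

# Constructed directory of which user each enrolled device is married to.
DEVICE_OWNER = {"dev-alice-phone": "alice", "dev-bob-laptop": "bob"}

@dataclass
class Profile:
    user: str
    devices: set        # device ids this user normally connects from
    ips: set            # addresses seen for this user before
    purchases: list = field(default_factory=list)  # past amounts, oldest first

def score_login(profile, device, ip):
    """Risk points at connection time; right creds are necessary, not sufficient."""
    score = 0
    if device not in profile.devices:
        owner = DEVICE_OWNER.get(device)
        # a device married to somebody else scores worse than a never-seen one
        score += 50 if owner and owner != profile.user else 30
    if ip not in profile.ips:
        score += 20
    return score

def score_purchase(profile, amount):
    """Post-auth check for the 'stolen card' pattern: innocuous buys, then a spike."""
    if len(profile.purchases) < 3:
        return 0                       # too little history to judge behaviour
    typical = median(profile.purchases)
    return 40 if amount > 5 * typical else 15 if amount > 2 * typical else 0

def decide(score):
    """Allow below 30, prompt for other creds from 30, refuse from 60."""
    return "deny" if score >= 60 else "step_up" if score >= 30 else "allow"

def evaluate_session(profile, device, ip, purchases):
    """One decision per purchase: login risk plus behaviour risk, history growing as we go."""
    base = score_login(profile, device, ip)
    decisions = []
    for amount in purchases:
        decisions.append(decide(base + score_purchase(profile, amount)))
        profile.purchases.append(amount)
    return decisions

def sample_profile():
    """Constructed user: one phone, one usual address, four modest purchases."""
    return Profile("alice", {"dev-alice-phone"}, {"203.0.113.5"}, [20, 25, 30, 22])
```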

    So I guess you could accept Ms. Mayer’s statement IF you trust other devices. But heck, as many hackers have stated recently, the Heartbleed bug means that the Internet of Things, that is the connectivity to and from our devices, is at risk. So maybe it’s just bad timing on her part. Just don’t make it bad timing on yours. There’s a wonderful old Arab axiom on this subject. Trust, but verify.