Identity as an attack surface

Thanks to mobile computing, cloud apps and tele-working, the de-perimeterization of IT security is a “fait accompli”.  This has created new challenges for CSOs and new opportunities for attackers.  One of the leading threats emerging from the post-perimeter IT landscape involves using Identity as an attack vector.  Here’s why.

Historically, information security professionals have focused on mitigating vulnerabilities across traditional attack vectors, namely networks, software or physical plants within their computing environments. Despite the large investments made in preventive and detective security technologies, protecting these traditional attack surfaces continues to be a challenge.  As Ponemon states in their 2014 report on Mega Breaches, many companies have failed to prevent breaches with the technology they currently have, where 65% responded that attacks evaded existing preventive security controls.

What’s changed?  Instead of targeting hardened networks and application infrastructures, more and more bad actors, whether outsiders or insiders, are exploiting identities to gain “legitimate” access to sensitive systems and data. Protecting this new attack surface is hard, since identities must be trusted unless there’s conclusive proof that they have been comprised.

2014 will be remembered as the year of the mega security breach, many of which have been found to be directly attributable to compromised identities.

For example, in the Anthem Blue Cross data breach where cyber attackers stole millions of health insurance records, hackers reportedly obtained the identity credentials of five different employees, possibly through phishing attacks, including computer administrators, which allowed them to access the company’s internal network.  Data stolen included names, social security numbers, and other personal information for up to 80 million Anthem customers.

Meanwhile, Premera Blue Cross is facing five class-action lawsuits and continuing questions since it disclosed a data breach.  The lawsuits, filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts, claim that Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.  As well, the lawsuits argue Premera violated the Health Insurance Portability and Accountability Act (HIPAA), as well as the insurer’s own privacy policies, by allowing the data to be accessed. 

These lawsuits, and pending penalties, are claiming negligence due to the poor management of identities and access credentials. Clearly, the bar has been raised on what constitutes appropriate due care of identity information by organizations.

One of the core challenges for information security professionals is rooted in the fact that current security models are not designed to address identity as an attack surface. Instead of treating identity as a basic access provisioning function, it should be managed and monitored as a critical resource for the organization.

To prevent identity from being exploited as an attack surface, Information Security Professionals must return to something “old” and engage with something “new”.

The “old” is verifying how effectively traditional Identity and Access Management systems are being managed. Is basic, good quality hygiene being rigorously applied and exercised for these critical systems? For example, how often are users required to update their passwords? Is a reasonable amount of complexity required for those passwords?  Also, is Security Awareness being promoted among users, including the importance of strong password choices, as well as the techniques used by attackers to steal passwords like phishing and social engineering?

The “new” involves monitoring who, how, where and what identities are being used for in the organization’s computing environment, including the Cloud. To keep watch over the typical “flock” of identities in an enterprise, need new tools and automation are required. Gartner provides a good overview of these identity analytics technologies here.