Welcome to Cyber Security Today. This is the Week In Review edition for Friday April 16th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll talk with this week’s guest commentator, Dinah Davis, vice president of research and development of managed security services provider Arctic Wolf. But first a look back at some of the news this week:
Four more serious vulnerabilities have been found in on-premise versions of Microsoft Exchange. That means – again – IT departments have to make sure the latest patches are installed as soon as possible. This comes after Microsoft released emergency patches last month to close the holes on a number of vulnerabilities in Exchange Server. It’s bad enough that criminal hackers and nation-states are getting into unpatched Exchange implementations to read email. Now a new report says crooks are also trying to take over Exchange servers to install cryptocurrency miners. It’s vital your firm’s Exchange Server is patched.
Vulnerabilities in a piece of communications software used by millions of computing devices could lead to denial of service or hacking attacks, according to a new report. The problem is in some versions of TCP/IP stack used in internet-connected products from routers to medical equipment. IT managers need to check with the vendors of their products to see if they need patching or mitigation. This report is the latest in a series that have exposed problems in this software stack.
The effectiveness of corporate cybersecurity training is again in question. It comes after the release of a survey of 1,200 Americans, 69 per cent of whom have received awareness training. Of that group 61 per cent failed to get the majority of seven questions right in a multiple choice security test. I’ll talk with Dinah later in the show about what this survey means.
There’s good news and bad news in the annual M-Trends report from FireEye Mandiant. IT departments seem to be getting better at detecting data breaches. The average time an attacker is inside a network dropped last year to 24 days. In 2019 it was 56 days. Still, that means a hacker might spend almost a month hunting around looking for data to steal, compromise or destroy. But in the United States and Canada, defenders are better. The average dwell time is down to nine days. The three most common ways hackers break into organizations are exploiting software vulnerabilities, employees falling for email phishing scams and using either stolen passwords or brute force password attacks.
Speaking of passwords, to raise awareness of the need to better secure login credentials, the first Identity Management Day was held this week. The vast majority of data breaches are the result of poor corporate identity management, said the executive director of an industry identity management association. Organizations need to create identity and access management policies if they want to strengthen their cybersecurity defences.
(The following is a condensed transcript of my talk with Dinah Davis)
Howard: Dinah, I want to start asking what is identity management?
Dinah: Identity management is the discipline that enables the right individuals to access the right resources at the right time for the right reasons. There’s a lot of qualifiers in there, but those qualifiers are actually quite important:
You don’t want just anyone getting into your organization and have access to [all] resources. Even though they might be part of your organization, you may not want them accessing everything. There’s a difference between the financials that only the CFO should look at and the ‘How to use the water cooler in the office’ article.
… It might be that you want to give a person access for a few hours to that document that the CFO has because they need to input some data, but you don’t want them to keep that access going forward.
…You [also] want to be thinking about whether this is the right reason to give them access to a file if it’s just so they could input some data. Could you have them just send the data to you separately and you input it?
Howard: The Twitter attack last year, when accounts of celebrities were taken over for a bitcoin scam, there’s a good example of hackers abusing identity. Can you talk a bit about that?
Dinah: This is a classic case of identity and access management abuse … The way that they achieved this was that the hacker started phoning several Twitter employees claiming to be from the Twitter help desk. And the hacker said that there was a problem with Twitter’s VPN due to the switch to remote working. It was well known that Twitter had actually been having a lot of VPN issues. This was something that the hackers had caught wind of, so [employees] were conditioned that this is something normal. [The attackers] sent them a new link to log into. It was actually a phishing site that was gathering their credentials. The attacker immediately put them into a legitimate access site to the employee’s Twitter account … What [the attackers] were looking for was employees who had access to other people’s Twitter accounts … Then they went and attacked those people using the same method. And that’s how they got into those accounts.
It reminds you why user awareness training is so important. Your IT team will never call. [If someone does] you always say you will call them back. But also if Twitter [users] had MFA [multifactor authentication] on for access to each one of those accounts that would have shut this down.
Q: So password control is really important to identity management. You’ve got to make sure you have rules and controls so that employees don’t have simple passwords, so that you’re using multi-factor authentication as much as possible, and that there’s a corporate password manager to help employees keep control of their passwords. These are all the things that are important in an identity management policy. Some companies have several applications that employees need to log in to separately, which means that they need several passwords. One solution is single sign-on. Why is that important?
Dinah: Single sign-on is where you use one set of credentials to log into everything you have. In the consumer market, you can do single sign-on with Facebook: go to other websites and also log in using your Facebook credentials.
In the corporate world, we have similar apps. One of the most popular is called Okta. Many corporate tools will now have Okta plugins that will allow the IT team to make it mandatory that employees log in via Okta, and that gives them access to everything else in their system. It’s very handy. You only need to remember one password and username, and it should be a good one. The other beautiful thing about it for IT staff is that they can also manage everyone’s access to all of those tools.
Q: As part of an identity management process organizations need access control. How does that fit in?
Dinah: Who you are is your identity. What you can access and when you can access it, that’s the access control piece of it. If we go back to thinking about the spreadsheet case, as a user [at work] I have access to Excel, but I don’t have credentials to access everyone’s Excel things. Access control is really about limiting the scope of the blast radius if I were compromised.
Q: One of the big problems that organizations have is they give access to almost everybody. And then when a hacker manages to get a hold of one person’s credentials, they can get access to almost everything. That should be limited to administrators who oversee access control for departments. And their [admins’] access should be limited and they should have the best protection.
Dinah: Absolutely. You want to make sure ownership of all your identities in your company is well-defined. There should be, like you said, a very small number of people in the organization that can change ownership and accessibility. You should have at least four different types of identities in your organization: your employees, contingent workers or contractors, your machine identities, and your customers. Each will have a different set of access management and privileges. Even within those, you can have lots of different categories. And you want to go with the principle of least privilege for every single category for every single person – what’s the least amount of privileges you can give them so that they can do their job, but nothing more.
Q: And one thing I want to say is for those people who are administrators, they may need more than merely multi-factor authentication, where you get a code over your smartphone to enter in addition to your username and password. There are companies that make special keys that are the size of a USB key. And they will receive a transmitted code that they have to get over a special network, and that’s really hard for someone to hack. They use that as their multi-factor authentication.
Dinah: It’s a hardware token. If you can get a hardware token, that is the best protection you can get for an MFA solution.
Q: In any system, identities and access permissions are stored in a directory, such as Windows’ Active Directory. And that’s one of the prime targets of a hacker. If you can get into the directory, then you can change your access. What are the best ways for protecting directories?
Dinah: It’s all about access. It always goes back to the principle of least privilege. So you only want to have a very, very small number of people who can access Active Directory or other identity management systems at an admin level … It needs a hardware token to do it. It would be so annoying for the admin, but that’s the most secure way to do it.
Q: Tell me about the best practices for identity management and access.
Dinah: Categorize all of your users so that you know what they have access to. Make sure you’re establishing unique identifiers so you can track what that entity is doing the entire time it’s in your system. If the identifiers change, it makes it very hard to track who’s doing what, when and where. You want to audit any of the new identities found by your [identity management] solution to make sure they’re not nefarious. The other thing you really want to do is automate provisioning [of new and departing employees] and deprovisioning of identities. Granting and revoking access to resources and data is fundamental to business operations and enterprise security. So if I’m adding Joe as a software developer, those roles are all automatically provisioned for certain access capabilities. And when you say Joe is decommissioned, it will right away pull all of those things off.
Q: What’s important here is when employees leave the company you’ve got to make sure that their access is removed. If it isn’t, then their passwords just sit there, and eventually hackers can get hold of them. The other thing, of course, is people move within the company, and access can change.
Howard: Before we go, we’ve spent a lot of time on identity management on the corporate side. I want to take a few minutes to talk about the importance of identity management for individuals in their home life. And these are things like: use a password manager to keep track of all your passwords so you don’t have to remember them; don’t use the same password on more than one site; don’t take shortcuts, like having the same password and adding the numbers one, two or three to make them look different — that won’t fool crooks; where possible use multifactor authentication. And when you sign up to a new account or an app, make sure you configure the privacy settings to your comfort level.
Dinah: That’s a good one. The privacy settings will always get ya.