Some thoughts on “Identity is the new perimeter”

28 January 2018

With the increasing adoption of cloud services, the traditional perimeter security approach becomes less and less effective. The on-premise security layer, which protects users against cyber-attacks, simply no longer exists if users have direct access to a company’s cloud services from any location, at any time and, in the best case, from any device.

The four “A”s, Authentication, Authorization, Administration and Audit, become more and more important in a [hybrid] cloud-based working environment.

“When identity and access management (IAM) works well, it means the right people have the right access to the right resources when they need them with appropriate governance in place from wherever the data or application is needed.” [1]

The magic word is “right”: with IAM we control the access of well-known groups of people to well-known resources. Unfortunately, cyber attackers often do not belong to these groups.

NIST NVD Statistics: Privileges Required

From the NIST NVD we learn that 67% of the vulnerabilities published in 2017 need no privileges for exploitation.

Privileges Required: None means: “The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.” [2]

This holds e.g. for remote code execution (RCE) vulnerabilities. An RCE vulnerability allows an attacker to take full control of the victim’s computer or service, in the worst case with administrative privileges. With this, the entire new perimeter is bypassed. For an RCE example see CVE-2017-11459. [3]

Identity becomes an important part of a new perimeter but can never replace the perimeter.

NIST NVD 2017 Statistics: User Interaction Required

The NIST NVD data give another important insight for shaping a company’s security strategy: for 41% (5958) of the 14647 vulnerabilities the user must interact with the attacker for exploitation to succeed.

This means that well-designed user awareness training can prevent a lot of cyber-attacks.
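The two percentages above come from the CVSS v3 metrics that the NVD publishes for every scored CVE. The script below, an added example and not part of the original post, reproduces that kind of count from an NVD JSON 1.1 data feed. The feed layout it reads (CVE_Items[].impact.baseMetricV3.cvssV3 with privilegesRequired and userInteraction) is the public NVD JSON 1.1 format; the six records in SAMPLE_FEED are constructed placeholders, not real CVEs, so the percentages they produce are for illustration only. It additionally counts the combination the post is really worried about: no privileges and no user interaction, where neither the identity layer nor awareness training stands in the way.

```python
"""Count CVSS v3 'Privileges Required: None' and 'User Interaction: Required'
entries in an NVD JSON 1.1 data feed. Added example; sample data constructed."""
import gzip
import json
from collections import Counter


def _item(cve_id, privileges=None, interaction=None):
    """Build one feed entry; with no metrics it mimics a CVSS v2-only record."""
    entry = {"cve": {"CVE_data_meta": {"ID": cve_id}}, "impact": {}}
    if privileges is not None:
        entry["impact"]["baseMetricV3"] = {"cvssV3": {
            "privilegesRequired": privileges, "userInteraction": interaction}}
    return entry


# Constructed sample feed with placeholder ids (not real CVEs).
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _item("CVE-0000-0001", "NONE", "REQUIRED"),   # e.g. a malicious document
    _item("CVE-0000-0002", "NONE", "NONE"),       # unauthenticated, no click needed
    _item("CVE-0000-0003", "LOW", "NONE"),
    _item("CVE-0000-0004", "NONE", "NONE"),
    _item("CVE-0000-0005"),                        # v2-only record, skipped
    _item("CVE-0000-0006", "HIGH", "REQUIRED"),
]})


def cvss3_metrics(feed_text):
    """Yield (cve_id, privilegesRequired, userInteraction) for each CVSS v3 scored item."""
    for item in json.loads(feed_text).get("CVE_Items", []):
        v3 = item.get("impact", {}).get("baseMetricV3")
        if not v3:
            continue  # entries scored only under CVSS v2 carry neither metric
        m = v3["cvssV3"]
        yield item["cve"]["CVE_data_meta"]["ID"], m["privilegesRequired"], m["userInteraction"]


def summarize(feed_text):
    """Count the metrics that matter for the perimeter discussion and return percentages."""
    combos = Counter((pr, ui) for _, pr, ui in cvss3_metrics(feed_text))
    total = sum(combos.values())
    no_priv = sum(n for (pr, _), n in combos.items() if pr == "NONE")
    ui_req = sum(n for (_, ui), n in combos.items() if ui == "REQUIRED")
    # Unauthenticated and needing no user action: neither IAM nor awareness
    # training can intervene, so only the classic perimeter is left.
    unauth_no_ui = combos[("NONE", "NONE")]

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "scored": total,
        "privileges_none": no_priv, "privileges_none_pct": pct(no_priv),
        "user_interaction_required": ui_req, "user_interaction_required_pct": pct(ui_req),
        "unauth_no_interaction": unauth_no_ui, "unauth_no_interaction_pct": pct(unauth_no_ui),
    }


def summarize_feed_file(path):
    """Run the summary over a downloaded yearly feed (nvdcve-1.1-YYYY.json or .json.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FEED).items():
        print(f"{key:32} {value}")
```

Run against a real yearly feed with summarize_feed_file(), the "scored" figure will be lower than the number of CVEs in the file, because entries that only carry CVSS v2 metrics are skipped rather than guessed at.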

Have a great week.

Premera hacked – 11 million financial and medical records stolen

19 March 2014

When news about the Premera hack showed up in my mailbox this afternoon I was really amazed. It is the second time this year that a health insurance company has been hit.

On skim-reading the news about the Premera attack I wondered when the magic word encryption would appear for the first time. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:

“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”

Richard Blech talks about encryption at the application level. Application-level encryption is not as useless as database-level transparent encryption in the defense against attackers.

But even application-level encryption is almost useless against malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data that is encrypted at the application level, because they are authorized to do so.

In my opinion, using advanced encryption as the core process of a protection strategy is as irresponsible as using no encryption at all. Strict Identity and Access Management, combined with Two-Factor Authorization for all employees, and regular security training create the first and second lines of defense. Encryption is the last line of defense.

Take care!

The technology dimension of social engineering

7 February 2015

In his post ‘Weird Security Term of the Week: “Social Engineering”’ Kurt Ellzey talks of ‘Social Engineering’ as the ‘Art of Getting Information’ about a person.

A short query on Google reveals a multitude of information that could be used to create a rough profile of a person. A malicious insider could easily enhance this profile with personal information gathered from, e.g., a company intranet or SharePoint MySites.

Besides this ‘personal information’, a rich set of easy-to-extract ‘technical information’ about an employee is available from a company network.

A Windows workstation is a universal machine. It can be used to run an application as well as to administer a server or network. For example, the built-in ‘net’ command could be used to retrieve detailed employee account data from Active Directory.

IAM (Identity and Access Management) systems, very often deployed as self-services to improve user satisfaction, could be used to get detailed information about the applications employees use to get their job done.

But the worst is that these information sources are available to all employees, irrespective of whether they are needed for the job. This is a massive violation of the Principle of Least Privilege.

Attackers can read company networks like an open book.

And, when enriched with technical information, a personal profile becomes an invaluable information source for targeted attacks.

Just some suggestions on how to tackle these problems.

As a general design principle, I would strongly recommend enforcing the principle of least privilege for all information systems. Software restriction policies could be used to deny standard users access to administrative commands. IAM self-services should return only information related to the requesting user.
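Until a software restriction policy actually blocks administrative commands for standard users, the next best thing is to notice when they are used. The script below is an added example, not code from the original post: it runs a simple detection over process-creation telemetry and flags the ‘net’ account and group queries against the domain that the post mentions, rating them higher when the launching account is not one of the known administrative accounts. The tab-separated log format (timestamp, account, image path, command line), the account names and the log lines are all constructed for this example; a real deployment would map the fields of a Sysmon Event ID 1 or Security 4688 export onto parse_line().

```python
"""Flag Active Directory account/group enumeration via net.exe in process-creation
logs and rate it by whether the launching account is administrative.
Added example; log format, accounts and lines are constructed."""
import ntpath
import re

# Constructed sample export: timestamp, account, image path, command line.
SAMPLE_LOG = """\
2015-02-07T09:12:03Z\tCORP\\jdoe\tC:\\Windows\\System32\\net1.exe\tnet1 user /domain
2015-02-07T09:12:05Z\tCORP\\jdoe\tC:\\Windows\\System32\\net1.exe\tnet1 group "Domain Admins" /domain
2015-02-07T09:15:00Z\tCORP\\svc-backup\tC:\\Windows\\System32\\net.exe\tnet use Z: \\\\fs01\\backup
2015-02-07T10:01:11Z\tCORP\\adm-smith\tC:\\Windows\\System32\\net.exe\tnet group "Domain Admins" /domain
2015-02-07T10:30:00Z\tCORP\\jdoe\tC:\\Program Files\\Microsoft Office\\WINWORD.EXE\t"WINWORD.EXE" report.docx
"""

# Accounts that hold an administrative role (constructed). Everyone else is a
# standard user who, under a software restriction policy, should not reach net.exe.
ADMIN_ACCOUNTS = {"CORP\\adm-smith"}

# 'net user ...' or 'net group ...' (net.exe hands the work to net1.exe, so both
# image names are accepted); the '/domain' switch is checked separately.
_AD_QUERY = re.compile(r'^"?(?:[^"\s]*\\)?net1?(?:\.exe)?"?\s+(user|group)\b', re.IGNORECASE)


def parse_line(line):
    """Split one tab-separated export line into its four fields."""
    ts, account, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "account": account, "image": image, "cmdline": cmdline}


def is_ad_query(event):
    """True when net.exe/net1.exe is used to list domain users or groups."""
    if ntpath.basename(event["image"]).lower() not in ("net.exe", "net1.exe"):
        return False
    return bool(_AD_QUERY.match(event["cmdline"])) and "/domain" in event["cmdline"].lower()


def flag_ad_enumeration(log_text, admin_accounts):
    """Return one finding per directory query; severity depends on who ran it."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_ad_query(ev):
            continue
        is_admin = ev["account"] in admin_accounts
        findings.append({
            "ts": ev["ts"], "account": ev["account"], "cmdline": ev["cmdline"],
            # A standard user querying the directory is the least-privilege gap
            # the post describes; an administrator doing so is merely worth logging.
            "severity": "info" if is_admin else "high",
        })
    return findings


if __name__ == "__main__":
    for f in flag_ad_enumeration(SAMPLE_LOG, ADMIN_ACCOUNTS):
        print(f"[{f['severity']}] {f['ts']} {f['account']}: {f['cmdline']}")
```

The everyday ‘net use’ drive mapping in the third line is deliberately not flagged: the rule keys on the user and group sub-commands plus the /domain switch, not on net.exe as such, which keeps the finding rate low enough that a “high” entry for a standard user is worth a look.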

I dream of an operating system that provides only those commands and applications that are essential for a user’s job. This could reduce a company’s attack surface dramatically.

Have a nice weekend!

SearchSecurity.com: How to Thwart Privilege Creep with Access Reviews

5 July 2014

How to Thwart Privilege Creep with Access Reviews

In this E-Guide from SearchSecurity.com, industry expert Peter H. Gregory talks about privilege creep and concepts for solving this problem.

The accumulation of privileges is bad enough, but things turn really bad if privilege creep undermines the Separation-of-Duties (SoD) or Four-Eyes principle. In this case employees could grant themselves unwanted privileges, which could result in serious compliance problems.

When employees leave their job or retire we face a similar problem. In the best case HR promptly notifies the IT group to deactivate the employee’s account. But the privileges are very often excluded from deactivation for fall-back purposes, because it takes a long time before a successor is fully able to work. In the worst case, if you are in a hurry, all those messy privileges are just copied to the successor without any review.

A regular review of privileges is the best measure to tackle these problems. Even manual reviews can be implemented with moderate effort. An IAM solution with a direct link to the HR system is definitely the best approach for a large company.

In addition, I recommend expanding job profiles with security profiles. When a new employee starts work, the job-related security profile can be implemented easily, and privilege creep is thus prevented.

Security profiles must be maintained to track changes in the job profile. A security profile comprises all roles and privileges for all applications, systems and information an employee needs to do his job.
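The review and the security-profile idea from the last paragraphs fit together in one piece of logic: with a security profile per job, an access review reduces to comparing what each person holds against what the job needs, checking the HR status, and checking the SoD table. The script below is an added example, not code from the E-Guide or the original post. All of it is constructed: the job names, the role identifiers, the HR records, the entitlements and the SoD conflict pairs, and the field names are this example’s own rather than those of any IAM or HR product.

```python
"""Periodic access review: compare current entitlements against the security
profile of the job, the HR status, and a Separation-of-Duties conflict table.
Added example; every record below is constructed."""

# Job profile -> security profile: every role the job needs and nothing more (constructed).
SECURITY_PROFILES = {
    "accounts-payable-clerk":   {"erp.ap.invoice-entry", "erp.ap.vendor-view", "mail.user"},
    "accounts-payable-manager": {"erp.ap.invoice-approve", "erp.ap.vendor-view", "mail.user"},
    "helpdesk":                 {"ad.password-reset", "ticketing.agent", "mail.user"},
}

# Role pairs that must never sit with one person (Four-Eyes principle). Constructed.
SOD_CONFLICTS = [
    ("erp.ap.invoice-entry", "erp.ap.invoice-approve"),
    ("erp.ap.vendor-create", "erp.ap.invoice-approve"),
]

# Employee id -> (job profile, HR status), as the HR system would report it. Constructed.
HR_RECORDS = {
    "e1001": ("accounts-payable-clerk", "active"),
    "e1002": ("accounts-payable-manager", "active"),
    "e1003": ("helpdesk", "left"),
    "e1004": ("accounts-payable-clerk", "active"),
}

# Employee id -> roles currently granted in the target systems. Constructed.
ENTITLEMENTS = {
    "e1001": {"erp.ap.invoice-entry", "erp.ap.vendor-view", "mail.user",
              "erp.ap.invoice-approve"},                                 # kept after standing in for the manager
    "e1002": {"erp.ap.invoice-approve", "erp.ap.vendor-view", "mail.user"},
    "e1003": {"ad.password-reset", "ticketing.agent", "mail.user"},      # has left, never deprovisioned
    "e1004": {"erp.ap.vendor-view", "mail.user", "ticketing.agent"},     # copied from a helpdesk colleague
    "e1005": {"mail.user"},                                              # no HR record at all
}


def review_access(hr, entitlements, profiles, sod_conflicts):
    """Return (employee, finding, roles) triples; an empty list means a clean review."""
    findings = []
    for emp, roles in entitlements.items():
        record = hr.get(emp)
        if record is None:
            findings.append((emp, "orphan-account", sorted(roles)))
            continue
        job, status = record
        if status != "active":
            # Leavers: everything still granted is a finding, whatever the job was.
            findings.append((emp, "leaver-still-entitled", sorted(roles)))
            continue
        excess = roles - profiles.get(job, set())
        if excess:
            findings.append((emp, "privilege-creep", sorted(excess)))
        for a, b in sod_conflicts:
            if a in roles and b in roles:
                findings.append((emp, "sod-violation", [a, b]))
    return findings


def roles_for_new_hire(job, profiles=SECURITY_PROFILES):
    """Onboarding: grant exactly the job's security profile, never a colleague's copy."""
    if job not in profiles:
        raise KeyError(f"no security profile for job {job!r}; define one before provisioning")
    return set(profiles[job])


if __name__ == "__main__":
    for emp, kind, roles in review_access(HR_RECORDS, ENTITLEMENTS, SECURITY_PROFILES, SOD_CONFLICTS):
        print(f"{emp}: {kind}: {', '.join(roles)}")
```

The review deliberately reports a leaver’s whole entitlement set rather than only the excess: once HR says “left”, the job profile no longer justifies anything, which is exactly the fall-back situation described above. The orphan case covers accounts the HR feed does not know about at all, which a review driven purely from the IAM side would never surface.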

In addition, the employee orientation plan must be expanded with information security related topics. Creating awareness and training employees how to respond adequately to information security incidents will raise the overall security level.