Tag Archives: Identity and Access Management

Some thoughts on “Identity is the new perimeter”

28 January 2018

With the increasing adoption of cloud services, the traditional perimeter security approach becomes less and less effective. The on-premise security layer, which protects users against cyber-attacks, is just no longer existent if users have direct access to a company’s cloud services from any location, at any time and, in the best case, from any device.

The four “A”s, Authentication, Authorization, Administration and Audit, become more and more important in a [hybrid] cloud based working environment.

“When identity and access management (IAM) works well, it means the right people have the right access to the right resources when they need them with appropriate governance in place from wherever the data or application is needed.” [1]

The magic word is “right”: With IAM we control the access of well-known groups of people to well-known resources. Unfortunately, cyber attackers do often not belong to these groups.

NIST NVD Statistics: Privileges Required

From the NIST NVD we learn, that 67% of the vulnerabilities published in 2017 need no privileges for exploitation.

Privileges None means: “The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.” [2]

This holds e.g. for remote code execution (RCE) vulnerabilities. An RCE allows an attacker to get full control of the victim’s computer or service, in the worst case with administrative privileges. With this, the entire new perimeter is bypassed. For an RCE example see CVE-2017-11459. [3]

Identity becomes an important part of a new perimeter but can never replace the perimeter.

NIST NVD 2017 Statistics: User Interaction Required

The NIST NVD data give another important insight for shaping a company’s security strategy: In 41% (5958) of 14647 vulnerabilities the user must interact with the attacker for their exploitation.

This means that well-made user awareness training can prevent lots of cyber-attacks.

Have a great week.

[1] AusCERT 2017 – Identity is the new perimeter
Anthony Caruana, 05/30/2017, CSO Online
https://www.cso.com.au/article/619970/auscert-2017-identity-new-perimeter/
Last seen: 01/28/2018

[2] Common Vulnerability Scoring System v3.0: Specification Document
https://www.first.org/cvss/specification-document
Last seen: 01/28/2018

[3] CVE-2017-11459
https://nvd.nist.gov/vuln/detail/CVE-2017-11459
Last seen: 01/28/2018

The technology dimension of social engineering

7 February 2015

In his post ‘Weird Security Term of the Week: “Social Engineering”’ Kurt Ellzey talks of ‘Social Engineering’ as the ‘Art of Getting Information’ about a person.

A short query on Google reveals a multitude of information that could be used to create a rough profile of a person. A malicious insider could easily enhance this profile by personal information gathered from e.g. a company intranet or SharePoint MySites.

Besides this ‘personal information’ a rich set of easy to extract ‘technical information’ about an employee is available from a company network.

A Windows workstation is a universal machine. It can be used to run an application as well as to administer a server or network. For example, the built-in ‘net’ command could be used to retrieve detailed employee account data from the Active Directory.

Some colors to fight the winter depression.

Some colors to fight the winter depression.
50°53’28.3″N 4°21’31.9″E

IAM (Identity and Access Management) systems, very often deployed as self-services to improve user satisfaction, could be used to get detailed information about the applications used by employees to get their job done.

But the worst is that this information sources are available for all employees, irrespective of whether they are needed in the job. This is a massive violation of the Principle of Least Privilege.

Attackers can read in company networks like in an open book.

And, when enriched with technical information, a personal profile becomes an invaluable information source for targeted attacks.

Just some suggestions on how to tackle these problems.

As general design principle I would strongly recommend to enforce the principle of least privilege for all information systems. Software restriction policies could be used to reject standard user access to administrative commands. IAM systems should offer only user related information on a user’s request.

I dream of an operating system which provides only those commands and applications which are essential for a user’s job. This could reduce the attack surface of a company dramatically.

Have a nice weekend!