Estimated Reading Time: 3 minutes
This Weeks’ New Commentary on Chronicles of a CISO
Access Has Become Our Last Bastion
It may seem like a reoccurring theme, but I suppose that’s the point. This past week’s news highlights (1, 2, 3) once again the growing need for a transitional shift from the long-standing ‘monitoring things for a breach’ to a model that is far more focused on ‘monitoring access for a breach’.
A recent report by the World Economic Forum ranks cyber-attacks as one of the Top-5 risks to the global economy, even though billions are spent on security controls annually. With over 1 million people gaining access to the internet every day, the next unexpected, creative attack vector is not far off.
Speaking of attack vectors, an interesting piece was published on the Top-8 attack vectors industry-wide. If you take a few minutes and consider the list, you quickly realize that five of the eight can be, to some degree, mitigated with a strong user identity management/user access control program.
- Compromised Credentials (1): While there continues to be debate around the effectiveness of enterprise-level password controls, there is little debate around the impact compromised credentials have. The hard facts are, we all have compromised credentials, we just don’t know it yet. Having the ability to quickly identify suspicious user activities and granularly manage user access when risk elevates must become a basic function of our Identity Management programs.
- Malware (2): At one time, removing administrator rights was a fairly effective method of hindering malware. Over the years, however, malware has evolved to no longer needing admin privileges to execute on the majority of workstations. Vulnerability-chaining and creative privilege escalation have given even the most rudimentary malware the ability to execute regardless of the user’s account privileges. The one place it continues to be effective is in the limiting/prohibiting the end-user from installing non-supported software that the local IT teams are unaware of. It makes little difference if you spend time applying the latest Windows/Adobe/Java patches to thousands of workstations, only to have vulnerable shareware/free/open-source applications executing right along with them.
- Phishing (5): Between the ‘normal’ flood of phishing emails, and now the rapid escalation of pandemic-related variations, Phishing is an ongoing battle. In many instances, the goal of a phish is to imitate a site the target user trusts and convince them to provide whatever credentials are desired by the attacker. Most enterprise-related phishing emails target remote login credentials or access to other cloud services (i.e. Office365), or perhaps a highly customized spear-phish would target company executives in order to execute funds transfer via a Business Email Compromise (BEC) attack. In the end, the overwhelming majority of phishing emails drive towards achieving account access through compromising credentials.
- Malicious Insiders (7): While, by definition, malicious insiders take advantage of the access granted to them to perform their day-to-day jobs, it is also a dirty little secret that most users, be it admins or regular users, have far more access than they actually need. A strong Identity Management program will incorporate regular and consistent reviews of user privileges across the enterprise, ensuring that, even though elevated privileges exist throughout the environment, they are applicable, auditable, and justifiable.
- Third-Parties (8): We are all aware that some of the most publicized breaches in the last 20 years have been associated with third-party access. The ability to know when users from our chosen partners have departed the company has been an ongoing challenge for most enterprises. Our inability to quickly and effectively manage third-party users leaves a gaping hole in many enterprises that are far more interested in cost savings that risk mitigation. Managing the risk associated with third-party access should be a top priority of any identity Management program, one which will pay significant dividends in the long term.
When you consider the level of risk mitigation founded in the appropriate management of access, it’s hard to argue with the value it brings. This begs the question – when you look at your annual spend on security controls, how many are so broadly effective as an Identity Management program? Can you look at your own list of attack vectors and identify any other controls or tools that can make a measurable impact on 50% of that list?
I’d be surprised if you could.
The Chronicles of a CISO Weekly Hotwash is a recap of critical stories and news that occurred over the past week. The goal is to hopefully share some insight and perspective on how these stories may impact our industry, our careers, or our companies.
Copyright © 2002-2022 John Masserini. All rights reserved.