What’s trending in the cyber security industry? Identity Week (IW) sat down recently with Jonathan Sander (JS), VP of Product Strategy at Lieberman Software and veteran cyber security expert. We discussed insider attacks, password security, and lessons learned from major data breaches.
IW: There’s a lot of talk in the news about insider attacks. What defines an insider attack?
JS: An insider attack is in the eye of the beholder. A classic example is a rogue employee using access legitimately given to them to sell company secrets. An attacker who gets an otherwise harmless employee to click on a bad link in a phishing email, and then uses their access to also sell company secrets, seems like an insider threat as well. The question is whether the “insider” in insider threat refers to the person or the angle of attack. If the attacker is on the inside, regardless of whether you’re paying them a salary, then they can attack you like an insider.
IW: How prevalent are insider attacks compared to external attacks?
JS: The question of how prevalent insider attacks are goes back to the last question about the definition of insider attacks. Just about every big breach you’ve heard of – Target, T-Mobile/Experian, Home Depot – was an example of outsiders who gained the privileged access of insiders. If you only count the number of times a disgruntled or compromised employee did damage for their own reasons, then the insider attack would certainly be the minority. However, when you start to count when outsiders are using the insiders like puppets to steal their access to do harm, then you’re dealing with a large share of the most dangerous attacks.
IW: How can insider attacks be detected?
JS: Detecting insider threats can be very difficult but you can get prevention from some common sense security controls. Detection of insider threats means being able to distinguish normal user activity from abnormal. Of course, that means knowing what normal is. Add up how bizarre people can be, and how mobile and sophisticated technology has become, and determining normal behavior can get very tricky. User Behavior Analytics, or UBA, is an entire market that’s emerged to do just that.
Prevention of insider threats is about doing things everyone already knows they ought to do. Use multi-factor authentication whenever things cross sensitive boundaries. Don’t let users have privilege that can be stolen with malware all the time. Make users go through a process to elevate privilege. That includes your IT admins who often try to exempt themselves when they can be the juiciest targets for the baddies.
IW: What are the main mechanisms used to gain unauthorized access to systems from within?
JS: The whole point of the insider threat is that it typically doesn’t need to use unauthorized access. The disgruntled or rogue employee will likely use the access they already have to do their bad deeds. If you have access to a bunch of business critical information all you need is a delete key to be a threat. The interesting mechanisms are those used by the outsiders to capture privileged credentials and abuse the privileges of insiders. That’s where we’re talking about sophisticated malware, spear phishing attacks, and other interesting technologies.
IW: You just mentioned stolen credentials. Can you provide an example of an attack using stolen credentials that resulted in disaster? And what about an attack using stolen credentials that was averted? What lessons can be learned from these examples?
JS: The attack on Target revealed how easy it is to get into a large network if you have just one stolen credential. Just after Target’s details were exposed, my company was flooded with concerns from folks both with and without similar systems in use. One in particular had the exact same systems that were leveraged to compromise Target. However, they didn’t use the default passwords from the vendor, nor did they leave those passwords static for anyone who has ever had the password to use it to get back in. They shared proof that they were being attacked in the same way Target was, but their superior protection meant the simple attack was being repelled.
The lesson is that a small dose of prevention goes a very long way. What organizations need to understand is that the old days of security being a wall you build around your soft, inner network are gone. The Internet isn’t “out there”. It’s on every phone, every tablet, wiggling in with every cloud service, and part of every operation your organization does. You can’t build a wall high enough when the needs of the business users drag the attack vectors into every corner of the network. If you don’t protect your credentials as if they were all directly on the edge of the network, then you’re not really protecting them at all.
IW: What are the most common password management mistakes that enterprises make?
JS: There is a password involved in nearly every aspect of enterprise IT from the desktop logon to the most sensitive operations of IT in the datacenter and cloud. For every place there is a password, there is a way to use those passwords badly. The single most common password mistake is to have no policy about passwords at all. Often organizations leave password management in the hands of the technical teams, who turn dials in every different system and produce the chaos users experience with different types of password interfaces, different means to manage them, and wildly different requirements for the contents of passwords. This quickly leads to the password fatigue seen in so many users.
Another common error is to treat all passwords as being equal. From one point of view, if a user has access to two accounts for different functions they perform, then they have two passwords and they simply need to conform to the demands of each. However, if you ask if one of those two accounts happens to be a special, administrative account that has the power to cut through all security controls like butter and expose the organization’s most sensitive information, would that change your view about how they should treat that password? The issue isn’t that it isn’t obvious that these privileged passwords need special attention; it’s that organizations simply aren’t asking that question enough. If they have any password policies at all, they are likely painting with a very broad brush and not giving the critical, elevated passwords the special attention they deserve.
If the way that humans handle passwords isn’t scary enough, then the way that passwords are handled for automation will certainly be. Today it’s common practice to have highly sensitive passwords sitting in text files on systems that would be as easy to read as opening this interview and reading this text. Why would anyone put such dangerous passwords into simple text files? They do it because the IT applications that generate revenue probably wouldn’t work if they didn’t. Too many vendors and technology platform makers simply blow by any notion of safe password practices in the rush to profits. Organizations, also rushing to revenue, take these platforms with terrible password policies and throw them into production. The risk is that any malicious insider or reasonably sophisticated attacker is only a few steps away from having a database or system password that is the key to extracting the organization’s most important information.
IW: What are best practices for addressing password security?
JS: The two best things organizations can do to address poor password security practices are one, provide users with a single sign on platform that has multi-factor capabilities and two, develop a practice to protect administrative passwords with extra process and oversight. Study after study confirms that the fewer passwords a user has to manage, the better their password practices will become. When you’re only asking users to manage a few passwords, they can’t easily make the mental leap to ignoring policies because they’ve been asked to do too much. With so many options on the market today for building portals where users can enter one password and use highly secure multi-factor login to get access to a huge number of their applications all in one go, there is little excuse not to make this a priority. This also allows you to make the passwords for all the applications inside that portal extremely secure since users will never have to deal with them directly and the portal isn’t going to complain if the password is massively complex and changing often.
Managing privileged passwords is a whole other matter. Best practice for privileged passwords means inserting a process that will ensure that each use of administrative authority is authorized and tracked. That starts by making sure that these highly sensitive passwords aren’t in the hands of humans, but rather in the hands of a secure, automated Privileged Identity Management system. That system should change the passwords as often as is possible. The system can also be used to solve the issues of passwords stuffed into files for applications by automatically changing those as well. Often the only real change for the privileged users who need access to these passwords to do their jobs is getting the passwords from a secure system versus a highly insecure place – like the dreaded but common password spreadsheet on a shared drive (like the one we saw stolen in the Sony breach a couple years ago). If you can get users on a portal that manages most application logins and admins using a system to control privileged passwords, then you will be very far along to having good security for passwords overall.