Guest Column | January 27, 2016

Identity: A Focused Attack Vector In 2016

By Darran Rolls, CTO, SailPoint

Data breaches consumed headlines in 2015, proving that cybersecurity is more important now than ever before. With the threat landscape evolving and hackers constantly coming up with new ways to infiltrate systems, it’s increasingly difficult to decide where best to focus our limited threat prevention and detection resources.

However, as breaches continue in 2016, the human element will continue to be a major attack vector. It is therefore critical that we understand how and where people, processes and identity and access management (IAM) controls are vulnerable.  

When speaking at a conference last year, Frank Abagnale, the inspiration for Catch Me If You Can and now a 39-year FBI veteran, said that “all” of the data breaches he’d investigated involved an insider and a weakness in IAM controls. He expanded on this claim, adding that there is “no master hacker. They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.” Abagnale found that in most cases the insider threat was non-malicious, but over the course of investigating Target, TJ Maxx, Sony and nearly every other high-profile breach, he had yet to find an exception to his rule.

As enterprises and VARs set their strategies for 2016, the human element of the threat landscape must be kept top of mind when determining the combination of solutions needed to combat attacks. Managing identity and controlling access privileges is a crucial component in minimizing risk. There are many places to focus on in 2016, and below are three of the top risks associated with employee identity:

  1. Brute Force Authentication Attacks. Many of us know the basics when it comes to creating a strong password. Crafting a sequence of numbers and letters that doesn’t contain your favorite sports team or your dog’s name is a good place to start. However, the basics certainly won’t survive a targeted, brute force password-cracking attempt. These automated attacks have become increasingly cost-effective, as the bad guys have gained access to low cost specialized hardware platforms built specifically for this purpose. A weak, low entropy, 10-character password can now be automatically cracked in literally seconds.

Automation is not the only means of a brute force attack. Recently, a St. Louis Cardinals employee used password guessing to gain access to sensitive information from the Houston Astros. This is the first known case of cyber-espionage between professional sports teams, and a stark reminder that the simplest security measures can determine whether or not an organization is breached. The incident, which was investigated by the FBI and will likely result in jail time, proves the importance of implementing strong password requirements and adding stronger multi-factor authentication practices.

Of course, implementing and enforcing strong password policies, and adding multi-factor authentication processes, must be balanced against the impact on user convenience. To streamline these processes, enterprises need to adopt identity and access management (IAM) solutions that help automate password lifecycle management processes and seamlessly overlay context-sensitive multi-factor authentication. These technologies help ensure that employees maintain good password hygiene and automate stronger context-sensitive sign-on processes that together create a strong line of defense against authentication attacks.

  2. Inappropriate Access. An estimated 40 percent of IT professionals say they have dealt with an employee accessing unauthorized networks and systems. Failure to manage and monitor access privileges within an enterprise quickly leads to the wrong people gaining the wrong access to the wrong data.

Uber dealt with a case of inappropriate access within its systems in 2014. In this instance, upper management was mistakenly given privileged access to customers’ private geo-location information. This data was inadvertently used to track customers’ locations in an inappropriate manner. As a result, Uber was fined and required to adhere to more closely controlled access management practices.

This problem doesn’t end with trusted employees either. In many organizations departing employees retain access to sensitive data in cloud applications like Salesforce, Dropbox and Google Drive. In such instances, IAM controls should be in place to provide automated de-provisioning attached to the “leaver” business process. This automation streamlines the process by which IT and the business work together to grant and revoke user access to mission-critical applications, while providing clear visibility into who has access to what.

  3. Unsecure/Malicious Super Users. While the security posture of all employees is essential to protecting the enterprise as a whole, a large portion of a company’s overall security exposure is tied to the actions of the few users who hold privileged access. These “super users” are a prime target for attackers, as they often hold the IT equivalent of the keys to the kingdom.

However, the most serious threat posed by privileged users comes when privileged access is used outside of typical behavioral patterns. As the typical super user sits near the top of the IT food chain, there are often very few checks and balances for assuring appropriate use. This is where IAM controls come into play, and technologies like fine-grained provisioning, change auditing and access monitoring step in to help govern their activity. For example, if an IT administrator attempts to give himself elevated application privileges outside of his remit, the activity will be detected, blocked and flagged to management for review and revocation.
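The two IAM controls described above, the automated “leaver” de-provisioning from the Inappropriate Access section and the detect/block/flag check on super-user changes, can be sketched in a few lines of Python. This is an added illustration, not code from the column or from any SailPoint product; the HR roster, application account exports, privileged-entitlement set and administrator remit map are all constructed sample data.

```python
from datetime import date

# Constructed data standing in for an HR feed and application account exports.
AS_OF = date(2016, 1, 27)
HR_ROSTER = {"alice": ("active", None), "bob": ("terminated", date(2016, 1, 15)),
             "carol": ("active", None)}
APP_ACCOUNTS = {"Salesforce": {"alice": "Sales User", "bob": "Sales Admin"},
                "Dropbox": {"bob": "Team Member", "carol": "Team Admin"},
                "Google Drive": {"alice": "Editor", "dave": "Owner"}}
# Constructed privileged entitlements and each administrator's remit (apps they may administer).
PRIVILEGED = {"Global Admin", "Sales Admin", "Payroll Approver"}
REMIT = {"it_admin_1": {"Salesforce", "Dropbox"}, "it_admin_2": {"Payroll"}}

def plan_deprovisioning(roster, app_accounts, today):
    """Leaver control: return (app, user, reason) for every account that belongs
    to a terminated user or to nobody HR knows about (an orphan account)."""
    actions = []
    for app, accounts in sorted(app_accounts.items()):
        for user in sorted(accounts):
            record = roster.get(user)
            if record is None:
                actions.append((app, user, "no HR record (orphan account)"))
            elif record[0] == "terminated" and record[1] <= today:
                days = (today - record[1]).days
                actions.append((app, user, f"left {days} days ago, access still live"))
    return actions

def access_report(app_accounts):
    """Visibility: invert the per-app exports into 'who has access to what'."""
    report = {}
    for app, accounts in app_accounts.items():
        for user, entitlement in accounts.items():
            report.setdefault(user, {})[app] = entitlement
    return report

def evaluate_change(actor, target, app, entitlement, remit=REMIT, privileged=PRIVILEGED):
    """Super-user control: block and flag a change when an administrator grants a
    privileged entitlement to their own account or touches an app outside their remit."""
    reasons = []
    if actor == target and entitlement in privileged:
        reasons.append("self-grant of privileged entitlement")
    if app not in remit.get(actor, set()):
        reasons.append(f"actor has no remit over {app}")
    return tuple(reasons)  # empty tuple means the change is allowed

if __name__ == "__main__":
    for app, user, reason in plan_deprovisioning(HR_ROSTER, APP_ACCOUNTS, AS_OF):
        print(f"REVOKE {user} from {app}: {reason}")
    print(evaluate_change("it_admin_1", "it_admin_1", "Salesforce", "Sales Admin"))
```

In a real deployment the roster would come from the HR system of record and the account lists from each application's connector; the point is that both checks are mechanical once that data is in one place.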

Is securing the human element a priority for your IT clients and your organization in 2016? Sound off in the comment section below to let us know what you think!