Skip to content

Posts tagged ‘Centrify PAM’

Dissecting The Twitter Hack With A Cybersecurity Evangelist

Dissecting The Twitter Hack With A Cybersecurity Evangelist

Bottom Line: Shattering the false sense of security in tech, the recent Twitter hack blended altruism, fame, greed, social engineering via SIM swapping and insider threats to steal $120,000 from victims when the economic and political damage could have been far worse.

Targeting the most influential celebrities on Twitter, hackers orchestrated a social engineering-based attack Wednesday promoting a cryptocurrency scam. Business leaders, celebrities, politicians and billionaires’ accounts were hacked using Twitter’s administrative tools. Personal Twitter accounts hacked include those of Amazon CEO Jeff Bezos, Joe Biden, Tesla CEO Elon Musk, President Barack Obama, Bill Gates, Warren Buffet and others. Apple and Uber’s Twitter accounts were also hacked.

Using SIM swapping, in which threat actors trick, coerce or bribe employees of their victims to gain access to privileged account credentials and administrative tools, hackers were able first to change the email address of each targeted account. Next, two-factor authentication was turned off so when an alert was sent of the account change it went to the hacker’s email address. With the targeted accounts under their control, hackers began promoting their cryptocurrency scam. While not all details of the attack have surfaced Motherboard’s story of how hackers convinced a Twitter employee to help them the hijack accounts makes for fascinating reading.

Dissecting The Hack

Interested in dissecting the hack from a cybersecurity standpoint, I contacted Dr. Torsten George, Cybersecurity Evangelist and industry expert from Centrify. Torsten is also a leading authority on privileged access management and how to thwart breaches involving privileged access credentials.

Louis:  What was your initial impression upon breaking news of the hack and what did you believe would cause such a massive hack of celebrity and leading political figures accounts this past week?

Torsten: When the news broke, the media probably polled other security experts and the first initial reaction was, ‘Oh, that’s a massive attack, most likely a credential-based attack,’ because 80% of today’s data breaches go back to privilege access abuse. They are typically first triggered by phishing attacks, the precursor to many attacks where the attackers tried to capture these credentials and then leverage them to attack their victim’s organizations.

So, the breaking news indicated that most likely, somebody was able to leverage a compromised credential to enter into the Twitter environment and take over accounts. However, more and more information became available, with screenshots being shared of internal Twitter tools. For me, that raised a red flag, because in a typical attack pattern we’re seeing three distinct phases in the cyber-attack lifecycle: the compromise, the exploration phase and the exfiltration of sensitive data, which includes covering up tracks and potentially creating a backdoor for future attacks.

When performing reconnaissance, hackers commonly try to identify regular IT schedules, security measures, network traffic flows and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts and services. Domain controllers, Active Directory and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access.

They wouldn’t necessarily look for administrative tools that could be leveraged for their attack unless they have intimate knowledge that those tools exist in the victim’s environment — be it by having worked for the company in the past or representing an insider threat.

Louis: What’s the anatomy of an insider attack, based on your experience?

Torsten: As was later confirmed by Twitter, it became very apparent that this is a case of insider threats, where you have an insider that has been leveraged for this attack. The most common insider threats can be defined by the intent and motivation of the individuals involved. The 2019 Verizon Insider Threat Report defines five distinct insider threats based on data breach scenarios and they all have excellent, accurate names: the Careless Worker, the Inside (often recruited) Agent, the Disgruntled Employee, the Malicious Insider and the Feckless Third-Party.

Considering the global environment we’re facing right now, with Covid-19 and other related economic hardships, the risk of insider threats is exacerbated, as pending furloughs or pay cuts may tempt employees to exfiltrate data to secure a new job or make up for income losses.

So a privileged administrator might be more open to people that approach them and say, ‘Would you be willing to share with us your access credentials, or would you do something on our behalf to exfiltrate data or to manipulate data?’ That risk has increased dramatically across all industries.

So it turned out the first suspicion was phishing attacks, followed by compromised credentials. It turns out to be an insider threat. Organizations need to be prepared for that.

Louis: What can companies do to reduce the likelihood a malicious insider will hack them?

Torsten: It becomes a little bit trickier when you deal with a malicious insider because they most likely know your environment, they might know your defense mechanisms and they might know the security tools that your likely using. So they can bypass these security controls and try to gain the control of data that they can then profit from.

Organizations have to rethink the way that they’ve structured their defense controls and truly take an approach of an in-depth strategy with a different layer of defenses. The first layer that comes to mind in this particular case is multi-factor authentication (MFA) which is still low-hanging fruit. There are still many organizations out there that are not taking advantage of implementing MFA.

While MFA is highly recommended, it isn’t as effective against insider threats because they have that second factor of authentication and can pass those challenges. Organizations need to go beyond MFA if they want to have a layered security strategy.

Louis: What are some of the ways they can go beyond MFA to avoid being the victim of an insider threat?

Torsten: A very important component of your defense strategy should be the approach of zero standing privileges, which is something Gartner recommends to its clients. That means that I have normal privileges and entitlements to do my job, like answering emails and using the Internet, but that’s probably all I need. If I need more access, I’ll have to elevate my privilege for the time needed to do that particular task but then rescind that privilege once it’s done.

If I have zero standing privileges – even if somebody compromises my credential, even if I’m an insider – I don’t have immediate access to the keys to the kingdoms to do whatever I want.

And before privilege elevation, organizations should require context through a formal request. For example, require the user to submit a ticket through ServiceNow or any other IT Service Management platform to detail what they need to access, for how long and to do what. That way, there is an auditing trail and an approval process. If the threat actor – whether insider or not – doesn’t do this they don’t get privileged access to that target system.

Louis: Besides those perhaps expected controls, what other controls might have helped in this particular scenario?

Torsten: Organizations should also take advantage of modern tools to leverage machine learning technology, so that looks at user behavior and risk factors to also get a hold of these insider attacks. All the other security controls are more tailored towards external preparation at first. Still, once you implement machine learning technology and user behavior analytics that’s where you also can capture insider threats.

Machine learning can look for suspicious activity, such as a target being accessed outside of a typical maintenance window, or is the administrator logging in from a different location or device than usual. It can then trigger an MFA request and also issue a real-time alert, regardless of whether the MFA challenge is successfully resolved.

Furthermore, in the case of Twitter, there are privacy and regulatory concerns that could also be additional triggers for real-time alerts and to shut down this activity automatically. Regulations like the CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) mean that platforms like Twitter have to be very careful with any access to or manipulation of a customer’s feed. That could – and should have – instantly triggered a real-time alert when an administrator was posting on behalf of a user.

Louis: Do you think this is going to be the start of an entirely new era of hacks where hackers will pay off internal employees for promotional messages?

Torsten: Quite frankly, we have seen an uptick since the start of the Covid-19 pandemic. And I believe now that this Twitter attack has been covered in the press so much, you will have copycats that will try to do the same. Some of them will also target social media platforms, but others that might be a little bit smarter because social media is easily detectable if something goes wrong. An industry like healthcare could be a prime target and there is already news that Russian hackers are attacking healthcare providers and research labs to try to gain access to vaccine research.

Louis: Given how significant this hack is in terms of the progression or the growing sophistication of threats, what are the top three predictions you have for the rest of 2020?

Torsten: Ransomware is an example of a technique that has changed quite significantly in two ways. First, they are no longer only delivered via an email, but also via social media platforms, SMS messages and more. Second, ransomware is no longer only focused on shutting down business operations. The most recent example with EDP Renewables North American, a subsidiary of an European-based electric utilities company, showed that hackers leveraged ransomware to exfiltrate data. Not to lock it down, but to exfiltrate data and then ask for ransom from their victim to not publish the data on the Dark Web.

Second, as I’ve already covered, the current economic hardships of the pandemic will cause more people to jump on the bandwagon and become cybercriminals. And these aren’t the people you see in movies – dark characters in hoodies using sophisticated hacking techniques to breach the government. These are your neighbors, the little boys next door. For them it’s not a big deal to become a cyber-criminal.

Third, as you’d expect, the number of cyber-attacks will increase as a result and they will continue to find new and innovative ways to find the easiest way in. The Twitter incident taught us that there was no technology “breach” required. It was just finding the right person with the right privileges and paying them to do 25 Tweets. That’s an easy payday.

I think this whole crisis that we’re going through will see a major uptick in attacks from the traditional cyber hackers, but also from a whole bunch of newbies and greenhorns that will try out their luck and see if they can make a buck. Either by ransomware attacks, phishing attacks, social engineering or any combination thereof.

5 Mistakes That Threaten Infrastructure Cybersecurity And Resilience

5 Mistakes That Threaten Infrastructure Cybersecurity And Resilience

 

Bottom line: With many IT budgets under scrutiny, cybersecurity teams are expected to do more with less, prioritizing spending that delivers the greatest ROI while avoiding the top five mistakes that threaten their infrastructures.

In a rush to reduce budgets and spending, cybersecurity teams and the CISOs that lead them need to avoid the mistakes that can thwart cybersecurity strategies and impede infrastructure performance. Cutting budgets too deep and too fast can turn into an epic fail from a cybersecurity standpoint. What I’ve found is that CIOs are making decisions based on budget requirements, while CISOs are looking out for the security of the company.

Based on their ongoing interviews with CIOs, Gartner is predicting an 8% decline in worldwide IT spending this year. Cybersecurity projects that don’t deliver a solid ROI are already out of IT budgets. Prioritizing and trimming projects to achieve tighter cost optimization is how CIOs and their teams are reshaping their budgets today. CIOs say the goal is to keep the business running as secure as possible, not attain perfect cybersecurity.

Despite the unsettling, rapid rise of cyber-attacks, including a 667% increase in spear-fishing email attacks related to Covid-19 since February alone, CIOs often trim IT budgets starting with cybersecurity first. The current economic downturn is making it clear that cybersecurity is more of a business strategy than an IT one, as spending gets prioritized by the best-to-worst business case.

Five Mistakes No CISO Wants To Make

One of the hardest parts of a CISO’s job is deciding which projects will continue to be funded and who will be responsible for leading them, so they deliver value. It gets challenging fast when budgets are shrinking and competitors actively recruit the most talented team members. Those factors taken together create the perfect conditions for the five mistakes that threaten the infrastructure cybersecurity and resilience of any business.

The five mistakes no CISO wants to make include the following:

1.   No accountability for the crown jewels for the company. Privileged access credentials continue to be the primary target for cyber-attackers. However, many companies just went through a challenging sprint to make sure all employees have secure remote access to enable Covid-19 work-from-home policies. Research by Centrify reveals that 41% of UK businesses aren’t treating outsourced IT and other third parties likely to have some form of privileged access as an equal security concern.

And while a password vault helps rotate credentials, it still relies on shared passwords and doesn’t provide any accountability to know who is doing what with them. That accountability can be introduced by moving to an identity-centric approach where privileged users log in as themselves and are authenticated using existing identity infrastructures (such as Microsoft Active Directory) to federate access with Centrify’s Privileged Access Service.

CISOs and their teams also continue to discount or underestimate the importance of privileged non-human identities that far outweigh human users as a cybersecurity risk in today’s business world. What’s needed is an enterprise-wide approach enabling machines to protect themselves across any network or infrastructure configuration.

2.   Cybersecurity budgets aren’t revised for current threatscapes. Even though many organizations are still in the midst of extensive digital transformation, their budgets often reflect the threatscape from years ago. This gives hackers the green light to get past antiquated legacy security systems to access and leverage modern infrastructures, such as cloud and DevOps. IT security leaders make this even more challenging by not listening to the front-line cybersecurity teams and security analysts who can see the patterns of breach attempts in data they review every day. In dysfunctional organizations, the analyst teams are ignored and cybersecurity suffers.

3. Conflicts of interest when CISOs report to CIOs and the IT budget wins.  This happens in organizations that get hacked because the cybersecurity teams aren’t getting the tools and support they need to do their jobs. With IT budgets facing the greatest scrutiny they’ve seen in a decade, CISOs need to have their budget to defend. Otherwise, too many cybersecurity projects will be cut without thinking of the business implications of each. The bottom line is CISOs need to report to the CEO and have the autonomy to plan, direct, evaluate and course-correct their strategies with their teams.

4. The mistake of thinking cloud platforms’ Identity and Access Management (IAM) tools can secure an enterprise on their own. Cloud providers offer a baseline level of IAM support that might be able to secure workloads in their clouds adequately but is insufficient to protect a multi-cloud, hybrid enterprise. IT leaders need to consider how they can better protect the complex areas of IAM and Privileged Access Management (PAM) with these significant expansions of the enterprise IT estate.

Native IAM capabilities offered by AWS, Microsoft Azure, Google Cloud and other vendors provide enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. However, often they lack the scale to fully address the more challenging, complex areas of IAM and PAM in hybrid or multi-cloud environments. Please see the post, The Truth About Privileged Access Security On AWS and Other Public Clouds, for additional information.

5. Exposing their organizations to a greater risk of breach and privileged access credential abuse by staying with legacy password vaults too long. Given the severity, speed and scale of breach attempts, IT leaders need to re-think their vault strategy and make them more identity-centric. Just as organizations have spent the past 5 – 10 years modernizing their infrastructure, they must also consider how to modernize how they secure access to it. More modern solutions can enforce a least privilege approach based on Zero Trust principles that grant just enough, just-in-time access to reduce risk. Forward-thinking organizations will be more difficult to breach by reorienting PAM from being vault-centric to identity-centric.

Conclusion

Decisions about what stays or goes in cybersecurity budgets this year could easily make or break careers for CISOs and CIOs alike. Consider the five mistakes mentioned here and the leading cause of breaches – privileged access abuse. Prioritizing privileged access management for human and machine identities addresses the most vulnerable threat vector for any business. Taking a more modern approach that is aligned to digital transformation priorities can often allow organizations to leverage their existing solutions to reduce risk and costs at the same time.

 

 

 

Protecting Privileged Identities In A Post-COVID-19 World

Protecting Privileged Identities In A Post-COVID-19 World

Bottom Line: Every organization needs to digitally reinvent their business, starting at the system level to safely sell and serve customers with minimal physical interaction.

The hard reset every business is going through creates a strong sense of urgency to increase the agility, speed, and scale of selling, as well as customer service options that protect the health of employees, customers, and partners. Customer experience needs to be the cornerstone of digital transformation, with the customers’ health and welfare being the highest priority. Businesses need to realize that digitally reinventing themselves is no longer optional. Every customer-facing system is going to need the best infrastructure, security, and stability for any business to survive and grow.

Securing Infrastructure Needs To Come First

COVID-19 was a wake-up call that companies need to operate as multi-channel players, allowing for physical but, more importantly, virtual presence. For instance, in retail, only those that will step up their efforts in building on-line ordering and associated nation-wide logistics networks will survive in the longer-term. If the cloud was considered an option in the past, it now is mandatory. In turn, the need for security has increased.

Starting with infrastructure, hybrid- and multi-cloud environments need to be augmented with additional system support, new apps, and greater security to support the always-on nature of competing in a virtual world. Providing self-service sales and support across any device at any time and keeping all systems synchronized is going to take more real-time integration, better security, more precise pricing, and so much more.

Consumer electronics manufacturers’ biggest challenge is reinventing their infrastructure while selling and serving customers at the same time. Part of their biggest challenge is protecting privileged access credentials that have become fragmented across hybrid- and multi-cloud environments. Everyone I’ve spoken with is balancing the urgent need for new revenue through new channels on the one hand with intensity to secure infrastructure and the most valuable security assets of all, privileged access credentials.

According to a 2019 study by Centrify among 1,000 IT decision-makers, 74% of respondents whose organizations have been breached acknowledged that it involved access to a privileged account. These are typically used by a small set of technical personnel to access the most critical systems in the IT estate, including modern technologies such as cloud, DevOps, microservices, and more. The CIO of a local financial services and insurance company, who is a former student and friend, told me that “it’s often said that privileged access credentials are the keys to the kingdom, and in these turbulent times they’re the keys to keeping any business running.”

CIOs, CISOs, and their teams are focusing on four key areas today while digitally reinventing themselves to provide more flexible options for customers:

  • Secure every new self-service selling and service channel from breaches.
  • Fast-track cloud projects to become 100% virtual and available.
  • Simplify infrastructure management by integrating IT and Operations Management across hybrid and multi-cloud environments.
  • Improve compliance reporting as well as reduce audit costs and associated fines.

Legacy Privileged Access Management (PAM) Can’t Scale For Today’s Threats

Sophisticated social engineering and breach attempts are succeeding in misdirecting human responses to cyber threats, gaining access to valuable privileged access credentials in the process. Legacy PAM systems based on vaulting away shared and root passwords aren’t designed to protect hybrid cloud and multi-cloud environments. These DevOps systems include containers and microservices, APIs, machines, or services. Furthermore, multi-cloud environments create additional challenges because access management tools used for one vendor cannot be used with another.

Switching from in-person to self-service selling and service creates new challenges and an entirely new series of requirements for identity and access management. These requirements include securing a continually-increasing number of workloads that cause the amount of data in the cloud to grow exponentially. There’s also the need to centralize identities for consistent access controls across hybrid and multi-cloud environments – all happening while a business is busy digitally reinventing itself. Compounding all of these challenges is the need to excel at delivering an excellent user experience without sacrificing security in an increasingly self-service, always-on, 24/7 world.

Securing Privileged Access In A Post-COVID-19 World

If you’re looking for a sure sign any business will be around and growing in twelve months, look at how fast they are digitally reinventing themselves at the infrastructure level and protecting privileged access credentials first. Digital-first businesses are taking a more adaptive approach to consistently controlling access to hybrid infrastructure for both on-premises and remote users now.

Centrify and others are making rapid progress in this area, with Centrify’s Identity-Centric PAM taking a “never trust, always verify, enforce least privilege” approach to securing privileged identities. Centrify’s approach to Identity-Centric PAM establishes per-machine trust so it can defend itself from illegitimate users – whether human or machine  – or those without the right entitlements. It then grants least privilege access just-in-time based on verifying who is requesting access, the context of the request, and the risk of the access environment as is illustrated in the graphic below:

Protecting Privileged Identities In A Post-COVID-19 World

Conclusion

Improving customer experiences needs to be at the center of any digital transformation effort. As every business digitally transforms itself to survive and grow in a post-COVID-19 world out of necessity, they must also improve how they secure access to their cloud and on-premises infrastructure. Legacy PAM was designed for a time when all privileged access was constrained to resources inside the network, accessed by humans, using shared/root accounts.

Legacy PAM was not designed for cloud environments, DevOps, containers, or microservices. Furthermore, privileged access requesters are no longer limited to just humans, but also include machines, services, and APIs.

Privileged access requesters need greater agility, adaptability, and speed to support DevOps’ growing roadmap of self-service and increasingly safer apps and platforms. While privileged identities must be protected, DevOps teams need as much agility and speed as possible to innovate at the rapidly changing pace of how customers choose to buy in a post-COVID-19 world.

Five Interesting Takeaways From RSA Conference 2020

Five Interesting Takeaways From RSA Conference 2020

 

Bottom Line: Passwordless authentication, endpoint security, cloud-native SIEM platforms, and new API-based data security technologies were the most interesting tech developments, while keynotes focusing on election security, industrial control systems’ vulnerabilities and the persistent threat of state-sponsored ransomware dominated panel discussion.

This year’s RSA Conference was held February 24th to 28th in San Francisco’s Moscone Center, attracting more than 36,000 attendees, 704 speakers, and 658 exhibitors unified by the theme of the Human Element in cybersecurity. The conference’s agenda is here, with many session recordings and presentation slides available for download. Before the conference, RSA published the RSAC 2020 Trend Report (PDF, 13 pp., no opt-in). RSA received 2,400 responses to their Call for Speakers and based their report on an analysis of all submissions. The ten trends in the RSAC 2020 Trend Report are based on an analysis of all papers submitted to the conference. It’s a quick read that provides a synopsis of the main themes of the excellent sessions presented at RSAC 2020.

The following are the five most interesting takeaways from the 2020 RSA Conference:

  • Endpoint security products dominated the show floor, with over 120 vendors promoting their unique solutions. There were over 50 presentations and panels on the many forms of endpoint security as well. Instead of competing for show attendees’ attention on the show floor, Absolute Software took the unique approach of completing a survey during RASC 2020. Absolute’s team was able to interview 100 respondents, with most holding the position of a manager/supervisor or C-level executive. More than three in four respondents reported their organizations are using endpoint security tools, multi-factor authentication, and employee training and education to protect data, devices, and users. You can review their survey results here.
  • The number of vendors claiming to have Zero Trust solutions grew 50% this year, from 60 in 2019 to 91 in 2020. There continues to be a lot of hype surrounding Zero Trust, with vendors having mixed results with their product and messaging strategies in this area. A good benchmark to use for evaluating vendors in the Zero Trust market is the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. I’ve summarized the lessons learned in the post, What’s New on the Zero Trust Security Landscape In 2019.
  • Over 30 vendors claimed to have passwordless authentication that met the current FIDO2 standard. In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications. I’ve written a separate post just on this topic, and you can find it here, Why Your Biometrics Are Your Best Password. 
  • Cloud-based security information and event management (SIEM) systems capable of integrating with 3rd party public cloud platforms reflect the maturity nature of this market. Of the several vendors claiming to have cloud-based SIEM, Microsoft’s Azure Sentinel’s demo showed in real-time how fusion AI technology can parse large volumes of low fidelity signals into a few important incidents for SecOps teams to focus on. Microsoft said that in December 2019 alone, Azure Sentinel evaluated nearly 50 billion suspicious signals, isolating them down to just 25 high-confidence incidents for SecOps teams to investigate. The following graphic explains how Azure Sentinel Fusion works.
  • One of the most interesting startups at RSA was Nullafi, who specializes in a novel API-based data security technology that combines data aliasing, vaulting, encryption, and monitoring to create an advanced data protection platform that makes hacked data useless to hackers. What makes Nullafi noteworthy is how they’ve been able to build a data architecture that protects legacy and new infrastructures while making the original data impossible for a hacker to reverse engineer and gain access to. It desensitizes critical data so that it’s useless to hackers but still useful for an organization to keep operating, uninterrupted by a breach to your business. Nullafi is built to AWS GovCloud standards. The Nullafi SDK encrypts the data before sending it to the Nullafi API. It then re-encrypts the data within their zero-knowledge vault in the cloud (or on-premises). The result is that no sensitive data in any format is shared with Nullafi that could be used or lost, as their architecture doesn’t have visibility into what the actual data looks like. The following graphic explains their architecture:

 

%d bloggers like this: