January 2016
Top of Mind

Brute Force is Pretty Smart
Jonathan Sander, VP Product Strategy
Lieberman Software


In one of those “reflect on the last year” sort of pieces, Jamie Condliffe over at Gizmodo built a piece around “The 25 Most Popular Passwords of 2015,” subtitled “We're All Such Idiots.” I’m not sure I’m willing to accept that we’re idiots, but the article spawned an interesting question: what would someone actually do with that list? It was another journalist who asked. The reason he asked is that people still picture the bad guys as a lone wolf in a hoodie doing cyber harm by hand. They may well be wearing hoodies (like most everyone in tech these days), but they are not sitting there trying to break one thing at a time. The enemy is automated, which is the right move at the scale of today’s internet.

Couple a list of the 25 most common passwords with a spammer’s list of known-good email addresses, and you have everything you need to run down an online banking site. Just sit there trying to log in as different users, spacing the attempts out well enough not to lock out any one account (a lockout threshold you can learn with a test pass), and wait until a few of them get past the login page. That pattern, a handful of passwords tried across many accounts, is now called password spraying, and it is shaped precisely to slip under per-account lockout. If that sounds like a long, boring task – congratulations! You’ve passed the Turing Test. A long, boring but potentially financially rewarding task like that is what computers are for. In other words, it’s something anyone who knows technology would automate. And that’s the danger of humans being lazy about passwords: bad guys can use any computer’s ability to execute mind-numbing tasks reliably to monetize that laziness with a bit of code and a lot of bad intentions.
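As an added example (code written for this piece, not taken from the article or from any product it mentions), here is the defender’s view of the attack just described: a small Python detector run over constructed login records. The log line format, the client addresses, the account names and the lockout threshold of five failures are all assumptions made for the example. A per-account lockout counter catches the lone wolf who hammers one account, but it never fires on the sprayer, who spreads three guesses across twelve accounts and paces them. The detector keys on that shape instead: one source, many distinct accounts, every one of them kept below the lockout line, and it reports which of those accounts the same source then logged into.

```python
import re
from collections import defaultdict

# Log shape assumed for this example (constructed, not any vendor's format):
#   <ISO-8601 ts> LOGIN_<OK|FAIL> user=<account> src=<client IP>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SPRAY_SRC = "203.0.113.7"      # one automated client walking many accounts
HAMMER_SRC = "198.51.100.23"   # classic single-account brute force
LOCKOUT_THRESHOLD = 5          # assumed failures before the account locks


def build_sample_log():
    """Constructed sample log, not real traffic: 12 accounts get 3 guesses each from
    SPRAY_SRC (the third guess lands on one of them), one account gets 8 guesses from
    HAMMER_SRC, and a legitimate user mistypes once from 192.0.2.10."""
    lines = []
    users = [f"user{i:02d}@example.com" for i in range(12)]
    t = 0
    for guess in range(3):
        for u in users:
            result = "OK" if (guess == 2 and u == "user05@example.com") else "FAIL"
            lines.append(
                f"2016-01-12T03:{t // 60:02d}:{t % 60:02d}Z LOGIN_{result} user={u} src={SPRAY_SRC}"
            )
            t += 7  # ~7 s between attempts, so each account sees a guess only every ~84 s
    for i in range(8):
        lines.append(f"2016-01-12T03:30:{i:02d}Z LOGIN_FAIL user=admin@example.com src={HAMMER_SRC}")
    lines.append("2016-01-12T03:31:00Z LOGIN_FAIL user=user03@example.com src=192.0.2.10")
    lines.append("2016-01-12T03:31:05Z LOGIN_OK user=user03@example.com src=192.0.2.10")
    return lines


def parse(lines):
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:  # lines in another shape are skipped rather than guessed at
            events.append(m.groupdict())
    return events


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """What a per-account lockout counter sees: accounts with >= threshold failures,
    regardless of where the failures came from."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}


def detect_spraying(events, min_accounts=10, threshold=LOCKOUT_THRESHOLD):
    """Flag any source that fails against many distinct accounts while keeping every
    one of them below the lockout threshold, and list which of those accounts the
    same source later logged into."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> account -> failures
    wins = defaultdict(set)                         # src -> accounts with a success
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            wins[e["src"]].add(e["user"])
    alerts = []
    for src, per_account in fails.items():
        if len(per_account) >= min_accounts and max(per_account.values()) < threshold:
            alerts.append({
                "src": src,
                "accounts_tried": len(per_account),
                "max_failures_per_account": max(per_account.values()),
                "compromised": sorted(wins[src].intersection(per_account)),
            })
    return alerts


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("lockout would catch:", sorted(locked_accounts(ev)))
    for a in detect_spraying(ev):
        print("password spray from", a["src"], "->", a)
```

On the constructed log the lockout counter flags only admin@example.com, while the sprayer’s 36 attempts never trip it; the spray detector is what surfaces 203.0.113.7 and the account it got into. In a real deployment the source key would usually need to be broadened (one /24, one ASN, one user-agent), since a sprayer with a proxy list can spread attempts across addresses just as easily as across accounts.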

Automation is an Enemy and a Friend

Recently I spoke with an analyst who, when I mentioned the idea of taking a sandboxing platform like FireEye and hooking it up to an automated response, recoiled, saying that would make him and most of the customers he speaks with very nervous. They have tried things like DNS shutdown and other malware remediation steps and have been burned as production work ground to a halt. However, he immediately saw the difference when I walked him through the idea of simply rotating privileged credentials at the moment of an active attack. That response cuts off the attacker’s access to the privilege needed to succeed without affecting legitimate users, who were already going through a process to gain access to privilege on demand rather than holding standing credentials.

This is neither rocket science nor original. After one of the major breaches of last year (think top 3 by notoriety), consultants parachuted in from the biggest names in the security business. They sat and stared at tons of screens, drank lots of caffeine, and after 36 hours concluded that all the privileged credentials should be changed. Now imagine that as an automated response that fired the moment the big icon went red. Of course that would have been better. The key is that since legitimate users wouldn’t have always-on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys.

It’s the Smart Part that Stings

When you use phrases like “brute force” and “simple attacks” it may seem that the bad guys are pretty dumb. Many of them are. They pick up the tools they find and point them in the right directions. Their only original thought is to attack someplace new. However, the only reason they are successful is because someone much smarter forged the path. Someone figured out how to automate these attacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front.

It’s no different when you think about an automated response to an attack. Getting to the place where no one has persistent access to privilege means that someone pretty smart has to lead the organization to that state. First, they have to recognize the need and the benefits. Then they have to make the program happen. Perhaps hardest of all, they have to effect the behavior changes in the organization to support the new program. And, of course, they have to get the technology wired up to make it possible. Once that’s all in place, it’s easy to push a button at the right time as an automated response, knowing you have the tools and the talent lined up. That’s when you can make automation your ally instead of your enemy.

What do you think?
Email me: jsander@liebsoft.com.
Follow me on Twitter: @sanderiam
Connect with me via LinkedIn.

What's New in Identity Week

Featured commentary on our Identity Week Blog this month includes:

Top Privilege Management Trends In 2015. 2015 gave us the Ashley Madison hack, the US Office of Personnel Management (OPM) data breach, and a heightened interest in securing privileged access against cyber attacks and insider threats. We saw this interest reflected in the readership of IdentityWeek in 2015...

Privileged Accounts Are Your SIEM Blind Spot. Event log management tools have evolved over time into a proactive solution set called security information and event management (SIEM). SIEM solutions have enabled IT to better correlate data provided by security software and appliances across the network. Properly leveraged, the data presented by SIEM systems has been a game changer for IT security teams. Now, many regulatory compliance initiatives require organizations to deploy SIEM...

Running IPMI Lights Out Management Without Putting Out Your Own Lights. Intelligent Platform Management Interface (IPMI) technology underpins lights out management (LOM) in IT departments around the world. LOM allows an IT administrator or IT security manager to manipulate and manage servers using remote control – even switching on the machines when they are ‘off’...

How GRC Measures Security And Accountability. Governance, Risk Management and Compliance (GRC) involves integrating and managing IT operations that are subject to regulation. It enables organizations to manage risk, enable effective information sharing and reporting, and generally operate more efficiently...

Events / Press / Analysts

Online ERPM Certified Professional Program. EMEA Timezone. February 9-11, 2016. 11am-5pm GMT. Online. Open to all customers and authorized partners at no cost. This is an instructor-led course that will utilize an interactive environment and will require a remote desktop connection. Register Today.

Online ERPM Certified Professional Program. NA/LATAM Timezone. February 23-25, 2016. 8am-2pm PDT. Online. Open to all customers and authorized partners at no cost. This is an instructor-led course that will utilize an interactive environment and will require a remote desktop connection. Register Today.

RSA Conference. February 29 - March 4, 2016. San Francisco, CA. Connect with the technology, trends and people that will protect our digital world. Visit Lieberman Software in the South Expo, Booth #1907.

Infosec World Conference & Expo. April 4-6, 2016. Lake Buena Vista, FL. Over 100 industry experts will share hands-on, practical advice on a range of security topics, including a presentation from Lieberman Software: "When Firewalls Crumble - Cyber Defense Beyond the Perimeter". As a Platinum Sponsor of this year's event, we invite you to visit us in the Exhibit Hall.

Beyond compliance: Why we need to move past tick-box security. Information Age. 61% of IT professionals have deployed IT security products purely to meet compliance regulations rather than to increase security. But simply complying with IT security regulations doesn’t necessarily make you more secure.

Review: Best password managers for the enterprise. Network World. We reviewed Enterprise Random Password Manager (ERPM) two years ago and it is still the gold standard for setting up massive password collections to protect large local server infrastructures.

ICS/SCADA researchers leak default passwords of popular industry systems. SC Magazine. Russian Industrial Control Systems / Supervisory Control and Data Acquisition (ICS/SCADA) researchers posted a list of industrial products that ship with default passwords in an effort to urge vendors to implement better security controls, a move some feel could cause more harm than good.

Tech Tip of the Month

Account Pooling

Among the most difficult privileged accounts to change are the service and process accounts present in services, tasks, COM applications, SharePoint, IIS, databases, line-of-business applications, and many other places. That's because failing to change interdependent accounts’ credentials in the proper order could lock out an account and bring down critical IT processes.

Fortunately, an exclusive privilege management technology from Lieberman Software called Account Pooling gives you a new kind of safety net. As an ERPM administrator, you can configure an account pool containing any number of accounts you choose. From then on, whenever your password change job runs it advances through the accounts in the pool—leaving the previous passwords in the pool unchanged until it’s eventually their turn to be re-randomized and propagated.
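To make the safety net concrete, here is a small Python model of the pooling idea described above. It is illustrative code written for this newsletter, not ERPM’s implementation, and it assumes a pool of interchangeable service accounts where every consumer (service, task, app pool) is configured with whichever account was active when the change job last propagated. Each job run advances to the next account in the pool and re-randomizes only that one, so a credential handed out earlier keeps working until the pool wraps all the way around to its account. The account names are placeholders.

```python
import secrets


class AccountPool:
    """Toy model of an account pool: N interchangeable privileged accounts, one
    'active' at a time. Only the newly active account is re-randomized on each run,
    so every other account's current password stays valid for whoever holds it.

    Illustrative model for this article, not ERPM's code. Assumption: consumers are
    (re)configured with the active account whenever the job propagates it, so the
    account being re-randomized is the one that has gone longest without use.
    """

    def __init__(self, names):
        if len(names) < 2:
            raise ValueError("a pool of one account has no grace window")
        self.names = list(names)
        self.passwords = {n: secrets.token_urlsafe(24) for n in self.names}
        self.active = 0  # index of the account currently propagated to consumers

    def current(self):
        """The credential consumers should be configured with right now."""
        name = self.names[self.active]
        return name, self.passwords[name]

    def rotate(self):
        """One scheduled password-change job run: advance, then re-randomize only
        the account that just became active."""
        self.active = (self.active + 1) % len(self.names)
        name = self.names[self.active]
        self.passwords[name] = secrets.token_urlsafe(24)
        return self.current()

    def verify(self, name, password):
        """What the target system does at logon; constant-time compare as a real
        authenticator would."""
        return secrets.compare_digest(self.passwords.get(name, ""), password)


def simulate(pool_size, runs):
    """Hand out the active credential once (a service that never re-reads its
    configuration), run the change job `runs` times, and record after each run
    whether that original credential still logs in."""
    pool = AccountPool([f"svc_account_{i}" for i in range(pool_size)])
    name, password = pool.current()
    still_valid = []
    for _ in range(runs):
        pool.rotate()
        still_valid.append(pool.verify(name, password))
    return still_valid


if __name__ == "__main__":
    # A pool of 3 gives a stale consumer 2 runs of grace; on the 3rd its account
    # is re-randomized and it is locked out.
    print(simulate(3, 4))
```

The pool size is the knob: with N accounts and a daily job, a consumer that missed a propagation has N-1 days before its credential dies, rather than failing at the first run. The model also shows what pooling does not buy you. A consumer that never picks up the newly active account still fails once the pool wraps around, and accounts that are interdependent (a service account referenced by both a task and an IIS app pool, for instance) still have to be propagated to every dependent in the right order on the run when their turn comes.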

Learn More.