The Bad Guys Return To Basics With
Jonathan Sander, VP Product Strategy
If you’re just the right age, grew up in the
US, and were naive enough, then you probably
spent some time in AOL chat rooms when you
were younger. One thing you’re sure to
recall is the constant messages sent out by
the system saying “no real AOL employee will
ever ask you for your password.” AOL knew
then what many are learning the hard way
now: any system where a human has access can
be exploited by – or through – the human. In
most cases, the human will be the weakest
link in any security system.
Facing a wave of fraud, Financial Fraud
Action UK (FFA UK) has found itself having
to give the same advice to everyone
today that AOL did back then. Criminals
pretend to be from some trustworthy company
– a person’s internet provider, bank, or
finance company – and then get individuals
to hand over control of their online
banking. The AOL fraudsters were just
looking to steal your identity, but these
folks are going right for your money.
Anything you can do to mitigate the human
factor will certainly improve security.
People make mistakes. People can be fooled.
People are likely to cut corners. Sometimes
these things can be a virtue. A programmer
who finds a way to cut corners in some task
can save you millions in recouped time – and
maybe get themselves a nice exit on Wall St.
Security is about creating ways to ensure
that some corners cannot be cut so that
things stay safe. Often this means cutting
out the humans altogether and automating
tasks. But sometimes it does mean making
people do things just the right way.
Nothing Is So Secure It Can’t Be
A good case study on how a breach can happen
comes from the recent events at Securus
Technologies, a leading provider of phone
services inside US prisons and jails. The
scale of this breach is massive, as reported
by The Intercept:
“The materials — leaked via SecureDrop
by an anonymous hacker who believes that
Securus is violating the constitutional
rights of inmates — comprise over 70
million records of phone calls, placed by
prisoners to at least 37 states, in
addition to links to downloadable
recordings of the calls.”
The reporting about this incident focused on
two aspects of the story – not just in this
article but everywhere. First, they focused
on the possible violations of
attorney-client privilege. That’s entirely
appropriate, and we won’t deal with that.
They also focused on the apparent conflict
of claims from Securus that their system was
very secure and yet it was still breached.
This shows a major misunderstanding of what
it really means to be secure.
Securus promised that only authorized users
of their platform would be able to access
the data in the system. Like so many other
applications, it seems Securus built a great
set of controls around the good guys walking
through the front door, but it’s likely this
breach was about bad guys sneaking in the
back. Did Securus practice safe coding every
step of the way? Did they ensure that any
administrative functions for the application
were as secure as the user interface used by
the lawyers, law enforcement staff, and
government officials? The blame may not even
be with Securus. Securus could have built an
amazingly secure platform, but poor IT
operational processes around that may have
exposed it to exploits. If it was set up on
systems or databases with unchanged default
passwords (all too common) or being run on
unpatched systems, then all the application
security in the world may not have helped.
Any Access a Human Has Is a Threat
In the end, the number of real threats is
equal to the number of access points that
exist in a system. The classic comment about how to
make a computer secure still holds true: you
can only make it fully secure by unplugging
it. What’s clear is that this breach in the
Securus system is ultimately about a human
using access or the mistakes of other humans
to compromise the security of the data. It
doesn’t matter if the human is a senior
citizen on the phone with a scammer
unwittingly giving away his bank account
information or an expert who is doing
everything right except the one thing the
bad guys will exploit. The results are the
Interestingly, the folks at Securus are now
pointing to the human factor as well. Recent
comments indicate that it may be the work of
“At this preliminary stage,” the company
wrote, “evidence suggests that an
individual or individuals with authorized
access to a limited set of records may
have used that access to inappropriately
share those records.”
This, of course, begs the question: why
should any one human have access to that
much data to do that much damage at any one
time? Anywhere a human has access is a
threat. Any time a human needs to touch this
much of a system’s data, access controls are
needed. We may never get to a point where we
can protect every human from being tricked
into giving away his or her access over the
phone, but we already have the means to make
sure no one person can wield this kind of
power in a system unchecked. We just need to
make it happen.
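The closing point above, that no one account should be able to pull a system's worth of records unchecked, can be made concrete with a per-user access quota backed by an audit trail. The following is an added example written for this column; it is not code from the newsletter, from Securus, or from Lieberman Software. The user names, record ids, thresholds, and log lines are all constructed, and the 50-records-per-10-minutes policy is an assumed value chosen for illustration.

```python
"""Added example (not from the newsletter or any vendor): enforce a sliding-
window quota on how many records one user may fetch, and record every denial
so that a bulk pull by an authorized insider is both stopped and visible.
All names, thresholds and log lines below are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessPolicy:
    # Assumed policy values: at most 50 records per user per 10-minute window.
    max_records_per_window: int = 50
    window: timedelta = timedelta(minutes=10)


@dataclass
class RecordGate:
    policy: AccessPolicy = field(default_factory=AccessPolicy)
    # user -> timestamps of allowed fetches still inside the sliding window
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    # (timestamp, user, record_id) for every denied request
    alerts: list = field(default_factory=list)

    def request(self, user: str, record_id: str, now: datetime) -> bool:
        """Return True if the fetch is allowed, False (and raise an alert) if not."""
        hist = self._history[user]
        cutoff = now - self.policy.window
        # Drop fetches that have aged out of the window.
        while hist and hist[0] < cutoff:
            hist.popleft()
        if len(hist) >= self.policy.max_records_per_window:
            self.alerts.append((now, user, record_id))
            return False
        hist.append(now)
        return True


def constructed_log(n_alice: int = 60, n_bob: int = 10) -> list:
    """Constructed audit lines: '<iso-timestamp> <user> <action> <record_id>'.
    alice fetches 60 recordings five seconds apart; bob fetches 10."""
    start = datetime(2015, 11, 12, 9, 0, 0)
    lines = []
    for i in range(n_alice):
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} alice fetch_recording {1000 + i}")
    for i in range(n_bob):
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} bob fetch_recording {2000 + i}")
    return lines


def replay(lines: list, policy: AccessPolicy = None):
    """Run audit lines through the gate in time order.
    Returns (allowed-per-user, denied-per-user, alert list)."""
    gate = RecordGate(policy or AccessPolicy())
    allowed, denied = defaultdict(int), defaultdict(int)
    # ISO timestamps sort lexicographically in time order.
    for line in sorted(lines):
        ts, user, _action, record_id = line.split()
        if gate.request(user, record_id, datetime.fromisoformat(ts)):
            allowed[user] += 1
        else:
            denied[user] += 1
    return dict(allowed), dict(denied), gate.alerts


if __name__ == "__main__":
    ok, bad, alerts = replay(constructed_log())
    print("allowed:", ok)          # alice capped at 50, bob's 10 all pass
    print("denied:", bad)          # alice's last 10 fetches are refused
    for when, who, rec in alerts[:3]:
        print(f"ALERT {when.isoformat()} {who} quota exceeded on record {rec}")
```

The quota is deliberately per-account rather than per-session, so an insider who opens several sessions still hits the same ceiling, and the denial list is what a reviewer would feed into an alerting pipeline.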
What do you think?
Email me: firstname.lastname@example.org.
Follow me on Twitter: @sanderiam
Connect with me via LinkedIn.
What's New in
Featured commentary on our Identity
Week Blog this month
Questions To Ask About Your Enterprise
Security And Compliance.
Inside your datacenter, the system
administrators and IT managers hold the
power. They control everything from employee
access to the confidentiality of private
customer data. So much power in the hands of
a few individuals ought to be a scary
prospect to organizations that depend upon
IT to keep the business running and data
Cyber Security Guidelines For Electric
Utilities Are A Good Start.
The National Cybersecurity Center of
Excellence’s (NCCoE) recent cyber security
guide Identity and Access Management for
Electric Utilities identified a serious
security concern within the energy sector,
and if people follow the advice in this
guide they will have a better overall IT
Know The Time For Cyber Security Is Now.
The message coming out of the recent MSP
World Conference was very clear – security
needs to become part of the way you operate
or you will lose business...
Press / Analysts
Identity & Access Management Summit.
December 7-9, 2015. Las Vegas, NV.
Join us at this premier IAM event. Visit
our booth, attend our speaking session and
enjoy professional magicians in our
Certified Professional Program.
NA/LATAM Timezone. December 8-10,
2015 8am-2pm PDT.
Online. Open to all customers
and authorized partners at no
cost. This is an instructor-led course
that will utilize an interactive environment
and will require a remote desktop
connection. Register Today.
Stop insider attacks with these 6
powerful tools. Network
World. Independent review of
Lieberman Software’s Enterprise Random
Password Manager proves that there is more
than one way to achieve good Privileged
guidelines for electric utilities get it
mostly right. Energy
Central. The National
Cybersecurity Center of Excellence’s
recently released draft of the NIST
Cybersecurity Practice Guide, "Identity and
Access Management for Electric Utilities,"
addresses information technology (IT) and
operational technology (OT) convergence.
NCCoE has absolutely identified a serious
security concern within the Energy sector,
and if people follow the advice in this
practice guide they will have a better
overall security posture.
Hat attendees 'naïve' on advanced
persistent threats. SC Magazine UK.
A new survey of 150 security professionals
from Lieberman Software Corporation has
suggested that 83 percent of participants do
not believe Advanced Persistent Threats
(APTs) are over-hyped. The study was carried
out at Black Hat Conference 2015 which was
held in Las Vegas in August.
pressures on today's CIOs and what they
mean for the future of IT.
CIO. From aligning
business and IT needs to dealing with rapid
industry shifts and implementing the latest
technology trends, there's clearly a lot
riding on the modern CIO. Here are five of
the top pressures faced by CIOs today, and
how they are changing the shape of IT.
super-defenses against super-user
World. The core of the Lieberman
solution is its Enterprise Random Password
Manager (ERPM), a powerful tool which can
randomize thousands of passwords in just a
few minutes as a result of an alert or
simply on a set schedule to ensure that even
in the event of a captured password, it
won’t be valid for very long.
Tip of the Month
Enterprise Random Password Manager (ERPM™)
helps you enforce temporary escalation of
privilege so that individual users are
granted administrative access only to
designated machines for a limited time. This
eliminates the disclosure of potentially
shared credentials, so that users or their
compromised computers can't reveal passwords
that attackers could exploit to gain lateral
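The tip describes temporary escalation of privilege: an individual is granted administrative access only to designated machines and only for a limited time, so there is no standing shared credential to leak. The following is an added example of that model written for this newsletter; it is not ERPM's code and does not reflect how ERPM is implemented. The broker, its four-hour ceiling, the self-approval rule, and all user and machine names are assumptions made for illustration.

```python
"""Added example (not ERPM's code): a minimal just-in-time privilege broker.
An approver grants a user admin rights on named machines until an expiry
time; authorization fails for other machines, after expiry, or for users
without a grant, and every decision is written to an audit list.
All names, durations and limits here are assumed values for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    user: str
    machines: frozenset
    expires_at: datetime
    approved_by: str


class PrivilegeBroker:
    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        # Assumed ceiling: no grant may outlive four hours.
        self.max_duration = max_duration
        self._grants = []
        self.audit = []  # append-only record of grants, checks and revocations

    def grant(self, user, machines, duration, approved_by, now) -> Grant:
        """Issue a time-boxed admin grant. Requires a second person to approve."""
        if approved_by == user:
            raise PermissionError("self-approval is not allowed")
        if duration > self.max_duration:
            raise ValueError(f"duration exceeds ceiling of {self.max_duration}")
        g = Grant(user, frozenset(machines), now + duration, approved_by)
        self._grants.append(g)
        self.audit.append(("grant", now, user, sorted(machines), approved_by))
        return g

    def is_admin(self, user: str, machine: str, now: datetime) -> bool:
        """True only while an unexpired grant names this user and machine."""
        ok = any(
            g.user == user and machine in g.machines and now < g.expires_at
            for g in self._grants
        )
        self.audit.append(("check", now, user, machine, ok))
        return ok

    def revoke_expired(self, now: datetime) -> int:
        """Drop lapsed grants; returns how many were removed."""
        live = [g for g in self._grants if now < g.expires_at]
        removed = len(self._grants) - len(live)
        self._grants = live
        if removed:
            self.audit.append(("revoke_expired", now, removed))
        return removed


if __name__ == "__main__":
    t0 = datetime(2015, 12, 1, 9, 0)
    broker = PrivilegeBroker()
    broker.grant("alice", ["db01"], timedelta(hours=1), approved_by="bob", now=t0)
    print(broker.is_admin("alice", "db01", t0 + timedelta(minutes=30)))  # True
    print(broker.is_admin("alice", "db02", t0 + timedelta(minutes=30)))  # False
    print(broker.is_admin("alice", "db01", t0 + timedelta(hours=1)))     # False
    print(broker.revoke_expired(t0 + timedelta(hours=2)))                # 1
```

Because the grant names a user, a machine set, and an expiry, a captured session is bounded in both scope and lifetime, which is the same effect the tip attributes to rotating credentials after each escalation.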