November 2015
Top of Mind

The Bad Guys Return To Basics With Great Results
Jonathan Sander, VP Product Strategy
Lieberman Software

If you’re just the right age, grew up in the US, and were naive enough, then you probably spent some time in AOL chat rooms when you were younger. One thing you’re sure to recall is the constant messages sent out by the system saying “no real AOL employee will ever ask you for your password.” AOL knew then what many are learning the hard way now: any system where a human has access can be exploited by – or through – the human. In most cases, the human will be the weakest link in any security system.

Facing a wave of fraud, the Financial Fraud Action UK (FFA UK) has found themselves having to give the same advice to everyone today that AOL did back then. Criminals pretend to be from some trustworthy company – a person’s internet provider, bank, or finance company – and then get individuals to hand over control of their online banking. The AOL fraudsters were just looking to steal your identity, but these folks are going right for your money.

Anything you can do to mitigate the human factor will certainly improve security. People make mistakes. People can be fooled. People are likely to cut corners. Sometimes these things can be a virtue. A programmer who finds a way to cut corners in some task can save you millions in recouped time – and maybe get themselves a nice exit on Wall St. Security is about creating ways to ensure that some corners cannot be cut so that things stay safe. Often this means cutting out the humans altogether and automating tasks. But sometimes it does mean making people do things just the right way.

Nothing Is So Secure It Can’t Be Broken

A good case study on how a breach can happen comes from the recent events at Securus Technologies, a leading provider of phone services inside US prisons and jails. The scale of this breach is massive, as reported by The Intercept:

“The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls.”

The reporting about this incident focused on two aspects of the story – not just in this article but everywhere. First, they focused on the possible violations of attorney-client privilege. That’s entirely appropriate, and we won’t deal with that. They also focused on the apparent conflict of claims from Securus that their system was very secure and yet it was still breached. This shows a major misunderstanding of what it really means to be secure.

Securus promised that only authorized users of their platform would be able to access the data in the system. Like so many other applications, it seems Securus built a great set of controls around the good guys walking through the front door, but it’s likely this breach was about bad guys sneaking in the back. Did Securus practice safe coding every step of the way? Did they ensure that any administrative functions for the application were as secure as the user interface used by the lawyers, law enforcement staff, and government officials? The blame may not even be with Securus. Securus could have built an amazingly secure platform, but poor IT operational processes around that may have exposed it to exploits. If it was set up on systems or databases with unchanged default passwords (all too common) or being run on unpatched systems, then all the application security in the world may not have helped.

Any Access a Human Has Is a Threat

In the end, a system has exactly as many real threats as it has access points. The classic comment about how to make a computer secure still holds true: you can only make it fully secure by unplugging it. What’s clear is that this breach in the Securus system is ultimately about a human using access, or the mistakes of other humans, to compromise the security of the data. It doesn’t matter if the human is a senior citizen on the phone with a scammer unwittingly giving away his bank account information or an expert who is doing everything right except the one thing the bad guys will exploit. The results are the same.

Interestingly, the folks at Securus are now pointing to the human factor as well. Recent comments indicate that it may be the work of an insider:

“At this preliminary stage,” the company wrote, “evidence suggests that an individual or individuals with authorized access to a limited set of records may have used that access to inappropriately share those records.”

This, of course, raises the question: why should any one human have access to that much data, and be able to do that much damage, at any one time? Anywhere a human has access is a threat. Any time a human needs to touch this much of a system’s data, access controls are needed. We may never get to a point where we can protect every human from being tricked into giving away his or her access over the phone, but we already have the means to make sure no one person can wield this kind of power in a system unchecked. We just need to make it happen.
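One concrete form of the check argued for here, as an added example that is not part of the original column or of any Lieberman product: a sliding-window count of the distinct records each account pulls, so that a single authorized user reaching for far more data than any one task needs is flagged for review. The log format, the users and the record ids are all constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the page): "<UTC timestamp> <user> <record id>" per line.
SAMPLE_LOG = """\
2015-11-02T09:00:01Z alice rec-1001
2015-11-02T09:05:10Z alice rec-1002
2015-11-02T09:00:03Z bob rec-2001
2015-11-02T10:00:03Z bob rec-2002
2015-11-02T11:00:03Z bob rec-2003
2015-11-02T12:00:03Z bob rec-2004
2015-11-02T13:00:03Z bob rec-2005
2015-11-02T14:00:03Z bob rec-2006
2015-11-02T09:30:00Z mallory rec-3001
2015-11-02T09:30:02Z mallory rec-3002
2015-11-02T09:30:04Z mallory rec-3003
2015-11-02T09:30:06Z mallory rec-3004
2015-11-02T09:30:08Z mallory rec-3005
2015-11-02T09:30:10Z mallory rec-3006
2015-11-02T09:30:12Z mallory rec-3001
"""

def parse_log(text):
    # Turn each non-empty line into a (timestamp, user, record) tuple.
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, record = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, record))
    return events

def find_bulk_access(events, limit, window):
    """Return {user: first time exceeded} for users touching more than `limit` distinct records in any sliding `window`."""
    recent = defaultdict(deque)  # user -> (timestamp, record) pairs still inside the window
    flagged = {}
    for stamp, user, record in sorted(events):
        queue = recent[user]
        queue.append((stamp, record))
        while stamp - queue[0][0] > window:  # drop events that fell out of the window
            queue.popleft()
        if user not in flagged and len({r for _, r in queue}) > limit:
            flagged[user] = stamp  # first moment this account crossed the threshold
    return flagged

def audit(text, limit=5, window_seconds=60):
    # Parse a log and report accounts that exceeded `limit` distinct records within `window_seconds`.
    return find_bulk_access(parse_log(text), limit, timedelta(seconds=window_seconds))
```

With the defaults, bob's six records spread an hour apart never share a window and pass unflagged, while mallory's six in twelve seconds are flagged at the sixth read; widening the window to five hours catches bob too.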

What do you think?
Email me: jsander@liebsoft.com.
Follow me on Twitter: @sanderiam
Connect with me via LinkedIn.

What's New in Identity Week

Featured commentary on our Identity Week Blog this month includes:

4 Questions To Ask About Your Enterprise Security And Compliance. Inside your datacenter, the system administrators and IT managers hold the power. They control everything from employee access to the confidentiality of private customer data. So much power in the hands of a few individuals ought to be a scary prospect to organizations that depend upon IT to keep the business running and data secure...

NCCoE’s Cyber Security Guidelines For Electric Utilities Are A Good Start. The National Cybersecurity Center of Excellence’s (NCCoE) recent cyber security guide Identity and Access Management for Electric Utilities identified a serious security concern within the energy sector, and if people follow the advice in this guide they will have a better overall IT security posture...

MSPs Know The Time For Cyber Security Is Now. The message coming out of the recent MSP World Conference was very clear – security needs to become part of the way you operate or you will lose business...

Events / Press / Analysts

Gartner Identity & Access Management Summit. December 7-9, 2015. Las Vegas, NV. Join us at this premiere IAM event. Visit our booth, attend our speaking session and enjoy professional magicians in our Hospitality Suite.

Online ERPM Certified Professional Program. NA/LATAM Timezone. December 8-10, 2015, 8am-2pm PDT. Online. Open to all customers and authorized partners at no cost. This is an instructor-led course that will utilize an interactive environment and will require a remote desktop connection. Register Today.

Review: Stop insider attacks with these 6 powerful tools. Network World. Independent review of Lieberman Software’s Enterprise Random Password Manager proves that there is more than one way to achieve good Privileged Identity Management.

Cybersec guidelines for electric utilities get it mostly right. Energy Central. The National Cybersecurity Center of Excellence’s recently released draft of the NIST Cybersecurity Practice Guide, "Identity and Access Management for Electric Utilities," addresses information technology (IT) and operational technology (OT) convergence. NCCoE has absolutely identified a serious security concern within the Energy sector, and if people follow the advice in this practice guide they will have a better overall security posture.

Black Hat attendees 'naïve' on advanced persistent threats. SC Magazine UK. A new survey of 150 security professionals from Lieberman Software Corporation has suggested that 83 percent of participants do not believe Advanced Persistent Threats (APTs) are over-hyped. The study was carried out at Black Hat Conference 2015, which was held in Las Vegas in August.

Five pressures on today's CIOs and what they mean for the future of IT. CIO. From aligning business and IT needs to dealing with rapid industry shifts and implementing the latest technology trends, there's clearly a lot riding on the modern CIO. Here are five of the top pressures faced by CIOs today, and how they are changing the shape of IT.

6 super-defenses against super-user attacks. Network World. The core of the Lieberman solution is its Enterprise Random Password Manager (ERPM), a powerful tool which can randomize thousands of passwords in just a few minutes as a result of an alert or simply on a set schedule to ensure that even in the event of a captured password, it won’t be valid for very long.

Tech Tip of the Month

Account Elevation

Enterprise Random Password Manager (ERPM™) helps you enforce temporary escalation of privilege so that individual users are granted administrative access only to designated machines for a limited time. This eliminates the disclosure of potentially shared credentials, so that users or their compromised computers can't reveal passwords that attackers could exploit to gain lateral movement. Learn More.