EXECUTIVE SUMMARY: If your Enterprise has many several different systems controlled through a centralized authentication mechanism (a single username and password) and you do not have multi-factor authentication (receiving an SMS for example)... you are more then likely exposed far more then you think.
---
I didn't want to name any of the "cool" marketing terms we keep hearing, like SSO, and Federated Identity Management solution. These concepts are all great and bring a lot of value. What if parts of this introduced behaviour that was much riskier then we all think?
Having a single username and password to access everything is nothing new.
What if it was a terrible idea ?
What if this "idea" was meant to be used a certain way, and we all ain't doing it.
I know.... ain't ain't a word, so how can this be true....
Read on.... because a client asked my opinion on something and my answer simply wasn't... "go ahead.... it's fine". It came to mind that a lot of Enterprises are faced with this issue.
Awhile back, I did an intrusion test on a large brokerage firm that I happened to be a client of. The reason I tested it, was simple.... it smelt bad from the first welcome letter.
After compromising an administrator email account, I had access to everything.
When I contacted this company to explain to them that they had a major security flaw, the CEO and CIO did what they do best in traded companies... they ignored me.
I had to light a few fires to get them to assign some poor soul to call me back.
NOTE: Now lets be clear, I do not hack companies and then call them. In this case, I was the client, and I suspected many things smelt bad so I did my due diligence and hired a professional to test them out. The professional happened to be me.
When I finally talked to someone, they told me that under no circumstances had client data been exposed, that this was simply a breach of the company email system.
To this I replied as follows:
1) First off, your administrator had your websites new web certificate in his email including the private keys. He must have emailed it to himself to then retrieve and install on your servers. So you no longer have any security on your "transaction" servers which do host very sensitive information.
2) The administrator credentials I now have in my possession have the following characteristics which you might find of interest:
- This is an Active Directory admin account
- Your enterprise VPN is integrated into Active Directory
- Your Citrix remote access which is Internet facing is integrated into Active Directory.
I then paused for effect and waited to see if the lights where on or if I was talking to myself..... after a longer pause then I was willing to wait for I asked "do you understand what that means", then the reply was both funny and frightening at the same time. "Why is that a big deal".
After a quick deep breath, I explained that since all their key technologies are plugged into A/D to validate usernames and passwords, that once an account is compromised on one application (in this case the email system), that the attacker can now use this account to access everything else that user has access to.....
So why does that effect most companies?
A simple list of reasons really. Simplicity & ease of access.
Add to that lack of budget for good form.
Everyone wants easy access to email.
Your company probably has webmail services.
Or minimally you can access your emails from your smart phone or tablet.
This means that an employee can use an insecure device (such as their own virus infested home computer, or better yet, an Internet Cafe or Hotel computer) and access corporate email.
This means that this users username and password could be captured by someone with malicious intent through several of these opportunities.
The reflex is always to think that "It's only email".
First off, after hundreds of investigations over the years, it is NEVER just emails. Emails alone expose a list of concerns as long as the pills Donald Trump should be taking.
But in so many instances it exposes the rest of the company through remote access connections or even web based applications that are available from the Internet from anywhere in the world, perhaps using the same username and password because it is all integrated within a centralized authentication system.
So we covered simplicity and ease of use.... what about budget?
The bottom line is that centralizing is indeed a good idea. Since it allows you to have more control.
The problem is we are not putting in place "more" control to the level that we need.
Think back, hundreds of years ago. You put your money at the bank because it was safer. You put your houses deed in a safety deposit box, because anyone with the papers essentially owns your house. You did this because the bank has controls that are safer then underneath your mattress. A simple example: safety deposit boxes require two keys and the role of the bank key is to vet that you are on the authorized access list.
So what about our username and password to access our sensitive corporate systems ? Where is the added security as we centralize all our applications into one pot of gold ?
Two factor authentication (also called strong authentication) is the missing link. Centralizing is fine IF you have strong authentication.
Without it, enterprises must realize that if they allow risky behaviour on some systems, this could allow access to more critical systems and assets...
So to summarize, if you have multiple systems and applications pulling authentication from A/D and also have web based systems (such as email or business portals, etc.) and any of your staff can access this from anywhere in the world.... you should be greatly concerned because without two-factor authentication it is just a matter of time before this attack vector becomes your Saturday morning discussion.
---
Actually, now that I think about it, budget isn't really the issue. I think senior managers might be. I recall numerous times when senior management refused to do things the "secure way" because they find it unconformable. I don't want my workstation to lock me out when I don't use it for hours, this irks me. Fix it because I'm the boss.
This kind of attitude is what often bits companies in the ass.
Since when is letting someone decide who does not have the competence to make these decisions.
Oh wait.... that happens a lot doesn't it.
Food for thought.
---
Actually, now that I think about it, budget isn't really the issue. I think senior managers might be. I recall numerous times when senior management refused to do things the "secure way" because they find it unconformable. I don't want my workstation to lock me out when I don't use it for hours, this irks me. Fix it because I'm the boss.
This kind of attitude is what often bits companies in the ass.
Since when is letting someone decide who does not have the competence to make these decisions.
Oh wait.... that happens a lot doesn't it.
Food for thought.
_______________________________________________
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow Eric on:
Twitter @ericparent
LinkedIn : EVA-Technologies
www.eva-technologies.com
