The Problem of Non-User IDs in Organizations Today

February 4th, 2016 | No Comments | Posted in General Idm/IAM, IdM Engagement

(The contents of this article are captured here and reflected back in response to an article posted on SailPoint’s Identity Quotient Blog entitled “Third-Party Contractors: The Target Breach’s Bulls-eye.” I recommend reading that article to establish context for this article.)

It is fairly well known and pretty much public knowledge that the Target breach took place leveraging 3rd party credentials that were phished from an associated Heating Venting and Air Conditioning (HVAC) vendor.  This was the initial point of entry into the Target network.

However, the HVAC credentials were primarily leveraged only for initial access. Credit card data was not being accessed and syphoned using that specific HVAC ID. Nevertheless, controls around time of access and other metadata information that could be policy driven within SailPoint IdentityIQ around that 3rd party access are still cogent to the discussion as per the aforementioned SailPoint article.

What isn’t mentioned in the article is that SailPoint IdentityIQ and ideally any IdM product could and should have a very big part to play in the gathering of and providing governance around Non-User IDs (NUIDs) — testing IDs, training IDs, B2B FTP IDs, generic admin IDs (that should be privileged access managed anyway), application IDs (huge!), etc.

Organizations typically have thousands, tens of thousands and yes, even millions of ungoverned NUIDs which, in terms of overall access, have proliferated and are lying orphaned and dormant on end-point servers and systems…

To an attacker, an ID is an ID is an ID. Any ID will suffice in order to establish a beachhead on a system and then begin trying to “walk” systems, ideally through the elevation of access. This is typically how deep penetration and spanning of internal networks has taken place in a lot of recent breaches. When attacking a system and attempting to establish access, it doesn’t matter to the attacker whether the initial ID used is technically a normal and established user ID (with or without governance around it) or a NUID that typically is not being properly tracked and governed within organizations. In fact, NUIDs represent an ideal target because in many organizations they lack visibility and normal, established governance.

Two Years Later: Reflections from “The Breach”

November 6th, 2015 | No Comments | Posted in Data Security, IT Industry, Security

President and CEO of Vormetric, Alan Kessler, blogged earlier this week concerning the far-reaching impacts of the Target breach – reflections from almost two years later. Alan remonstrated in his article that the Target breach was the most visible mile marker in 2014, a year full of breaches and continuing into 2015, and he went on to discuss and reflect on some of the other specific breaches.

In this article, I would like to reflect on some of the industry-wide changes that have taken place since the Target breach.

“The Breach”

The Target breach was so significant that for at least the first year afterward, it was referred to, especially in security circles and even on the news, as simply “The Breach.” And as Alan has already detailed, that breach was merely a harbinger of things to come with major breach after major breach taking place after the Target breach.

But what has been the impact of all these breaches? As one would expect, reactions and responses to “The Breach” by organizations have been all over the map.  Some have, as the saying goes, not “let a good crisis go to waste” and have become better companies as a result. Others have not fared or reacted as well.

While “The Breach” and the major breaches afterward have led most major retailers to reevaluate their data security approach, the retail edition of the Vormetric 2015 Insider Threat Report shows that retailers still have a long way to go. Over 51% of retail respondents reported being very or even extremely vulnerable to insider threats – the highest rates measured in the study. Many of these organizations continue to invest in security and to utilize traditional approaches that have proven over the last two years to be insufficient.

While the threat obviously still remains high and a number of organizations still admit they have a long way to go, positive changes have taken place since “The Breach” (hereafter referred to simply as the breach) that are moving the retail industry and other industries along in a positive direction.

Data Is The New Gold: Getting Data Security Right in Retail

August 28th, 2015 | No Comments | Posted in Data Security, Security

Traditional security has always been metaphorically tied to the medieval castle building of old: building thicker walls and drawbridges, creating multiple perimeters, raising larger armies, you know – the whole nine yards. This paradigm extends into the modern world, which maintains its fascination with sophisticated perimeters. For exhibit A, witness the recent Mission: Impossible Rogue Nation Hollywood blockbuster where sophisticated perimeter security was the primary obstacle to overcome.

A Data-Centric Approach Is Needed

But imagine changing that mindset from traditional perimeter-based security to data-centric. A data-centric approach, cast against the metaphorical medieval art of castle building, would result in thieves penetrating outer defenses, only to find the pot of gold actually filled with worthless tokens or paper notes.

Throughout the movie, traditional approaches didn’t stop Ethan Hunt (the protagonist, manipulated by the antagonist into doing his dirty work) and they won’t stop Ethan Hunt-like hackers from infiltrating retailers’ networks.

Data Is The New Gold

As the world progresses from a mere “information age” into an age of “big data,” it’s simple – the volume, granularity and sensitivity of individual data is growing exponentially. With this growth comes severe risks and consequences of losing valuable data.