This week, we have a different style of article. In this post, folks step back and look at "big picture" strategy rather than the technical/tactical details of IT operations. This broadly collaborative effort about Identity and Security was developed over a long period of time with input from many people across MCS, PFE and the Cybersecurity groups within Microsoft. Enjoy!
This article is not intended to end the discussion on security; rather, it is intended to start a conversation on security in which we acknowledge certain operational realities. In this instance, we acknowledge that the current paradigms on security are not netting results.
Identity has to be an important focus for security
Identity is something that is transmitted with every transaction and extends the perimeter beyond the corporate boundary, so our protection of it must also extend beyond those boundaries. In the spirit of the ten immutable rules of security, we introduce the following rules of identity for consideration and community review:
Proposed rules of Identity:
1. If a bad guy can persuade some company to believe they are you, then they have access to all your data stored at that organization and potentially any other organization that trusts them.
2. If a bad guy can alter the password on your account, then they have access to all the data accessible by that account.
3. If a bad guy can steal or social engineer the password of your account, then they have access to all the data accessible by that account (and all accounts using the same password) and potentially any other customer that trusts the account provider.
4. If the bad guy can get answers to your security questions from social media, your accounts aren't yours anymore, and therefore they have access to all the data accessible by accounts where you used those security questions.
5. If the bad guy can access your password or hash of your password, it isn't your account anymore, and therefore they have access to all the data accessible by that account (and all accounts using the same password).
6. Multi-Factor Authentication (MFA) is not a panacea; it protects against PASSWORD theft, not CREDENTIAL theft. If the bad guy has admin/root access on the machine where you logged on with MFA, then they have access to your account (and you are back to Rule #1).
7. MFA without credential protection (for example, anti-hammering, user notifications, or active auditing) means that if the physical factor is obtained, we're back to brute-forcing the password. If the bad guy then brute-forces the password, then they have access to your account (and you are back to Rule #1).
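To make Rule 7 concrete, here is an added illustration (not code from the original post) of the controls it names: a second-factor PIN check with anti-hammering lockout, a user notification and an audit trail, plus a simulation of what happens when someone holding the physical factor enumerates the PIN space. The 4-digit PIN, the sample value, and the 5-attempt lockout threshold are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
import hmac
from typing import Optional

@dataclass
class PinVerifier:
    """Second-factor PIN check with optional anti-hammering, user notification
    and an audit trail. Constructed illustration; not the original post's code."""
    pin: str                         # correct PIN (constructed sample value)
    max_failures: Optional[int] = 5  # assumed policy; None disables lockout
    failures: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)    # active auditing events
    notices: list = field(default_factory=list)  # user notifications sent

    def verify(self, attempt: str) -> bool:
        if self.locked:
            self.audit.append(("rejected_locked", attempt))
            return False
        if hmac.compare_digest(self.pin, attempt):  # constant-time compare
            self.failures = 0
            self.audit.append(("success", attempt))
            return True
        self.failures += 1
        self.audit.append(("failure", attempt))
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
            self.notices.append("Token locked after repeated wrong PINs")
            self.audit.append(("locked", attempt))
        return False

def enumerate_pin_space(verifier: PinVerifier) -> tuple:
    """Simulate someone holding the physical factor and trying every 4-digit
    PIN in order. Returns (pin_found, attempts_made)."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if verifier.verify(guess):
            return True, n + 1
        if verifier.locked:
            return False, n + 1
    return False, 10_000

if __name__ == "__main__":
    # constructed sample PIN; with no lockout the PIN falls on attempt 2472
    print(enumerate_pin_space(PinVerifier("2471", max_failures=None)))
    # with the assumed 5-attempt lockout the token locks on attempt 5
    print(enumerate_pin_space(PinVerifier("2471")))
```

Without the lockout the whole 4-digit space is searchable in seconds; with it, the token locks, the user is told, and the audit trail records the attempt, which is exactly the difference the rule describes.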
"Only amateurs attack machines; professionals target people."
Schneier, Bruce (2000-10-15). Semantic Attacks: The Third Wave of Network Attacks. Schneier on Security blog.
Schneier wrote this fifteen years ago. It's a great article with good insights, and the concept of identity-based security was already generally accepted. However, there was almost no action to correct flaws in our approach to security, or even in the operational definition of security. This deficit persists to this day. Security is reflexively equated with network security. The days when you could put a perimeter firewall between you and the world and feel safe are gone, if they ever existed.
The network team and their firewalls can no longer be assumed to be the only means of defense. Firewalls reduce SURFACE AREA, but they are not in and of themselves security.
The landscape has gotten progressively worse since Schneier's work. We now have to deal with Advanced Persistent Threats (APTs).
The bad guys are really bad. APTs are not just individuals looking for a quick, easy score (there are plenty of those); APTs are well-funded, fully staffed, well organized, highly skilled professional organizations that are collecting data on you, your business and everything else for no good. They keep this data and build quite the meta file on individuals and organizations. They look for what's there, collect it, keep it and take the time to connect the dots. Then they can execute sophisticated attacks – they get in and stay. They persist within your organization, computer, and phone.
Changes that make APTs a reality:
- Information is ubiquitous
- Everyone is connected
- There is a financial incentive
If that's not enough to keep you awake at night, please read the Kaspersky Equation white paper. APTs are interdicting shipments to pre-load malware/Trojans/backdoors.
Identity, and all the goodies you can get to if you have the right identity (let's say yours), is the real target. Technology can only be a part of the solution. Solving security problems with technology alone is a fallacy. You can configure two-factor authentication to be required (recommended – a very good thing to do), but if the user takes a marker, writes their PIN on the smart card and passes it around, well, what was the point? You could be worse off than if you had a complex password. You can design and implement the most secure system possible, but if all the controls are disabled and processes are not followed, it will become as vulnerable as if none of the work was done to secure it. Security is a process, not a tool or a destination.
Thinking you checked the security box when you passed the audit is a fallacy. All of those big organizations where credit cards and identities were stolen in bulk passed their audits too. Minimum compliance is not enough.
Rationally, you know the probability of compromise is almost certain and that it will be disastrous. The bad guys go after everyone. They are always trying, 24/7. Defending ourselves from today's cyber threats may be what decides whether you still have a bottom line to worry about, a home to come home to, a job, money – all the things that matter to you. It's worth the effort and it needs to be the highest priority, but you know that. So we need some new rules of the road to internalize.
Our hope is that in another fifteen years we will be talking about the bad old days when identity/credential theft was commonplace. Where to start?
We have to start with the individual whom the identity represents. You establish a cyber-identity as an employee, bank customer, citizen, or credit card holder with an implied, if not explicit, responsibility. Ultimately you will bear the brunt of a compromise of your identity. The compromise of one identity can result in a cascade effect – think of the loss of the email account to which your password reset mails are sent. Security is not just the job of a team of people at work who impose onerous requirements which you have to reluctantly comply with and circumvent when no one is looking. It is not OK to write your password on a piece of tape on the bottom of your keyboard. Think. Be careful. Be conscientious. Work at it. Take it seriously. You lock your doors, look both ways before you cross the street, check your bank statements and watch your kids to keep them safe. Now you need to add protecting your digital identity to this list.
Guard your digital credentials the same way you would guard your Social Security Number. Use multi-factor authentication whenever possible. Don't provide personal information on Facebook or Twitter that could be used to answer security questions about you. If you have privileged accounts, use them wisely, meaning don't log into your Internet-connected work machine with your domain admin credentials. Protect yourself and your employer by employing proper credential hygiene.
This is your responsibility. It is your job, your duty and the way you have to live your life. Make it clear to the members of your organization that the management and security of their identity is their responsibility as much as it is yours.
Technology can only be part of the solution. A seatbelt is only useful if it is buckled – even if it wrinkles your clothes. People and processes have to actively adjust and evolve against the current threat landscape.
- Gary Green, Scott Brondel, Richard Sasser, Jared Poeppelman