Category Archives: Identity & Access

You Don’t Have to Sacrifice Security for Convenience to Establish Digital Trust

Let me just start by saying, “I’m sorry.” That’s right, you heard me. “I’m sorry.”

If you continue to read this, you are bound to see some industry buzzwords sprinkled about: phrases like digital transformation, data breach, frictionless user experience, machine learning and — wait for it — blockchain. I’m not proud of it. But at the same time, I don’t want to lead you on. I want to be honest with you.

I mean, let’s face it, if I wasn’t honest, how could you ever trust me?

Establishing Digital Trust in a Distrustful World

In today’s world, it is more difficult than ever to establish digital trust with people — the people who work for you, the people you partner with, the people you do business with and even your own customers. Nearly every organization is embarking on a journey of digital transformation and, more often than not, we are trying to get to know who people are without the benefit of physical interaction.

In the past, we would try to establish the digital identity of a person by asking security questions such as:

  • What was the first car you owned?
  • What is your mother’s maiden name?
  • Which street did you live on in 1997?

But those questions don’t provide any level of assurance anymore. That approach is so, well, 1997. We are living in a world where there is a significant data breach seemingly every few months. In fact, since 2013, 1.1 billion identities have been exposed due to data breaches. With this amount of personal information available on the Dark Web, the only people who answer these security questions incorrectly are the legitimate users.

Imagine the frustration for a legitimate user when he or she gets these questions wrong. How long do you think the user will keep trying to answer the questions correctly before simply giving up? For an existing user, the best-case scenario is that he or she will call your help desk, which can drive up operational costs. But what if this is part of your new account creation process? You may have just lost the opportunity for a new customer, which could cost you real money.

Maintaining a Seamless User Experience

IBM Security’s recent “Future of Identity Study” found that respondents actually prefer security over convenience, particularly for their financial apps and accounts. Moreover, younger generations expect stronger inherent security from their providers and are more likely to switch providers in the aftermath of a breach. Still, users expect a frictionless user experience, and organizations need to be able to establish digital trust without sacrificing convenience.

The good news is that cybersecurity vendors have been crafting new ways to make your digital channels more secure without putting your users through a poor user experience. So whether you work in the office of the chief information security officer (CISO), the digital experience team or the fraud management team, it is in your best interest to know what to look for to build a digital trust platform. Consider these three key components:

  1. Multilayered view of the user. People are engaging with your business across multiple channels, such as the web, mobile platforms, a call center or even a physical location. A multilayered view helps you correlate a user’s activity to protect against sophisticated attack methods while still delivering the best user experience.
  2. Expertise augmented with artificial intelligence (AI). Machine learning can help security teams detect anomalous behavior and sniff out zero-day attacks. Organizations often lack the resources and skills to keep track of and protect against emerging threats. Leveraging industry expertise in AI can help maximize your protection and free up your staff to innovate.
  3. Extensible and scalable cloud platform. Cloud-based solutions offer many potential benefits, such as lowering operational costs. To establish digital trust, you must be able to take advantage of common data sources and shared insights, which is often not feasible in the on-premises world. You need the flexibility to rapidly update your protections, whether that is implementing new risk policies or enabling new authentication methods to satisfy customer preferences.

Laying the Foundation for a Trusted Digital Identity Network

Another trend starting to gain traction is the concept of a trusted digital identity network. A lot of progress has been made in the last 12 months: Practical, real-world use cases are underway, and new open standards and communities, such as the Sovrin Alliance, are emerging.

In addition, technologies such as blockchain are laying the foundation to give the ultimate control of identity back to the people. Self-sovereign identity and business identity networks promise to improve the level of assurance that organizations have with all people they engage with, establish that much-needed digital trust and support the ultimate end-user experience. How you choose to establish digital trust will be critical in this next phase of your business.

Please join us at the Security and Resiliency Campus at IBM Think 2018 to continue the conversation, and don’t forget to share your thoughts on Twitter or LinkedIn with the hashtag #IBMDigitalTrust.


The post You Don’t Have to Sacrifice Security for Convenience to Establish Digital Trust appeared first on Security Intelligence.

IBM Identity Study Shows Security May Be Financial Services Firms’ Best Defense Against Disruption

“The currency of the new economy is trust.” — Trust researcher Rachel Botsman, TED 2012

Between years of stepped-up regulatory oversight, low interest rates, identity theft and competition from everything from cryptocurrency to crowdfunding, the historically stable and conservative financial services industry has recently become a cauldron of instability. But banks and other financial institutions do have one asset in their favor that upstart competitors can’t match: customer trust. It may turn out to be their most valuable competitive advantage.

Inside IBM’s ‘Future of Identity Study’

IBM’s new “Future of Identity Study,” which queried nearly 4,000 consumers across the globe, offered some reassuring news for financial services executives. When asked which types of organizations people trust most to protect their biometric data, 48 percent of respondents cited major financial institutions. That dwarfed major healthcare and health insurance providers, which came in second at 29 percent.

Figure 1: Types of organizations people trust MOST to protect their biometric data (global perspective)

Read the complete IBM Study on The Future of Identity

One objective of the study was to document changing patterns of trust at a time when cyberbreaches, identity theft and online account hijacking are at an all-time high. The good news is that respondents ranked financial applications as their most-treasured online resources, with banking, investing and budgeting applications comprising the top three types of accounts that people care most about protecting.

Figure 2: App or account types respondents cared most to protect (global perspective)

The financial services industry seems poised for seismic change. In a recent Accenture survey, bank executives listed their industry as one of the three most-primed sectors for digital disruption, along with high-tech and automotive. In addition, nearly 4 in 5 financial executives fear disruption from data-driven competitors, according to a survey by NewVantage Partners.

When it comes to money, however, customers invest in institutions that they have come to rely upon. Retail banking churn rates are at historic lows of around 15 percent, but those numbers conceal some more troubling trends. Accenture found that nearly half of bank customers are open to switching to an institution they enjoy doing business with, even if it isn’t a conventional bank. That number rises to 70 percent among consumers aged 18 to 34.

Experience Is Job One

Those statistics underlie the importance of customer experience, an area that financial institutions are focusing on with experimental features such as virtual tellers and branches redesigned to resemble coffee shops. However, peace of mind may be at least as important a factor in customer satisfaction as a mocha latte.

The IBM survey found that 70 percent of consumers rank security as their top priority for financial applications, compared to just 16 percent who chose privacy and 14 percent who cited convenience. That indicates that security-focused customer experience efforts can pay big dividends.

Customers also said they’re increasingly willing to use technologies that enhance security. Nearly three-quarters said they would be willing to use more than one password for authentication, and nearly 9 in 10 are open to using biometric security in the future. In fact, the majority of respondents across every age group stated that they would not use a less secure authentication method, even if it saved them a few seconds, and that they would never trade security for convenience.

Figure 3: Trading off security for time or convenience (global perspective)

Most bank websites are already pretty secure, but customers may not understand the hard work that goes into protecting their money. For example, identity theft is a problem that affected 15.4 million U.S. consumers in 2016. Financial institutions can tap into their existing relationships with credit agencies and law enforcement and leverage mobile applications to make it easier for customers to immediately know when their accounts may have been compromised. They can also become a central control point for issuing fraud alerts and locking down at-risk accounts.

Another opportunity is the $31 billion credit card fraud problem. Consumers are frequently inconvenienced by credit transactions that are declined by programmatic fraud detection algorithms. Artificial intelligence is now making major strides in using behavioral analysis and pattern recognition to better detect fraudulent activity, reduce false positives and permit more legitimate transactions to go through.

Biometrics present an opportunity to improve the customer experience on mobile devices. Fingerprint readers, facial recognition and digital personal identification number (PIN) pads are now becoming commonplace on smartphones. Financial institutions should take advantage of these technologies to simplify the process of logging users in to their accounts and smoothly transitioning between, say, a bank account and a stock trading app. The IBM study showed that 44 percent of consumers perceive fingerprint authentication as one of the most secure forms of authentication.

Figure 4: Authentication methods perceived as most secure (global perspective)

Building Trust Through Technology

Financial institutions have long been leaders in the adoption of IT, but to this point, most of their efforts have been focused on the back office. These organizations now have unprecedented opportunities to apply technology to address customer concerns about privacy and security.

For more insights about changing views on user authentication and advice about how organizations can adapt, download the full “IBM Future of Identity Study.”


The post IBM Identity Study Shows Security May Be Financial Services Firms’ Best Defense Against Disruption appeared first on Security Intelligence.

Where Is Your Sensitive Information and Where Is It Going?

Who is responsible for determining who can access sensitive information? Is it the role of the database or system administrator, or the data owners from lines of business (LOBs)? Maybe the permission oversight varies when data content includes sensitive information. Should your privileged users and admins have actual access to the content? If so, how much control do you have over preventing bad behavior?

Fighting Alert Fatigue

Organizations typically rely on volumes of logs to forensically identify who accessed what data at what time and assess whether the access was appropriate or constituted a policy violation. Administrators may consider flowing the database or data access logs to the organization’s security information and event management (SIEM) solution to correlate and assist in determining policy violations. The problem is that large volumes of logs collected and evaluated by the SIEM cause significant overhead and performance degradation, and require extensive human oversight to achieve. Analysts tasked with quickly reviewing these massive logs tend to become desensitized since many alerts end up being false positives or otherwise irrelevant. Unfortunately, this means real risks are often overlooked.

An effective approach to this challenge is to front-end the information landscape — including databases, mainframe data and files — and move the analysis overhead away from the critical systems. A database, for example, is considered structured data since contents are stored in structured tables, columns and rows. When calls to the data are evaluated off of the critical systems themselves, there is an opportunity for real-time evaluation based on appropriate permissions to block, redact and mask content before disseminating it.

It’s also possible to leverage out-of-the box governance frameworks. Data privacy requires knowledge of who is accessing data, when, whether it’s appropriate and whether sensitive information was accessed. Many governance controls also determine the number of failed logins and whether these attempts are eventually successful.

Controlling Access to Sensitive Information in Real Time

By conducting this monitoring seamlessly outside of the actual database server or system, security teams can eliminate the overhead and let the databases, data repositories and SIEM tools do what they do best. In fact, these systems can synchronously scan and monitor the entire IT landscape and categorize information according to policies. These methods control outgoing data according to the defined policies and may even terminate connections that attempt to violate them.

Best of all, this is relatively easy to incorporate, given the right tools. Solutions that include comprehensive out-of-the-box governance models are already equipped to look in the right areas, and groups of users with varying levels of access permissions can be imported from the actual database groups or from external files and data structures. These groups can then be quickly aligned with the controlled data classifications and granted appropriate access and permissions. As for unstructured data on these servers, advanced data security solutions can perform the same monitoring and provide real-time controls to protect sensitive information.
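The front-end evaluation described above, as an added example that is not part of the original post: each requested column is mapped to a sensitivity classification, the requesting group's permission for that classification decides whether a value is returned in full, masked or not at all, and a request that touches a column the group may not read is refused outright (the point at which a front-end proxy would drop the connection). The schema, groups, policy and sample rows are constructed for the example.

```python
"""
Policy evaluation performed in front of the database, before any content
is disseminated. Added example; the schema, groups, policy and sample rows
are constructed, not taken from any product.
"""
from dataclasses import dataclass

# Column -> sensitivity classification (constructed sample schema).
COLUMN_CLASSIFICATION = {
    "customer_id": "public",
    "full_name": "pii",
    "email": "pii",
    "ssn": "pii_restricted",
    "card_number": "pci",
    "balance": "financial",
}

# Group -> classification -> action. A missing entry means "block".
GROUP_POLICY = {
    # Admins keep the database running but never see clear-text content.
    "dba": {"public": "allow", "pii": "mask", "pii_restricted": "mask",
            "pci": "mask", "financial": "mask"},
    "fraud_analyst": {"public": "allow", "pii": "allow",
                      "pii_restricted": "mask", "pci": "mask",
                      "financial": "allow"},
    "marketing": {"public": "allow", "pii": "mask"},
}


def mask_value(column, value):
    """Redact a value while keeping enough of it to be useful (last 4 digits etc.)."""
    s = str(value)
    if column in ("ssn", "card_number"):
        return "*" * max(len(s) - 4, 0) + s[-4:]
    if column == "email" and "@" in s:
        local, domain = s.split("@", 1)
        return local[:1] + "***@" + domain
    if column == "full_name":
        return s[:1] + "***"
    return "***"


def column_action(group, column):
    """Look up allow/mask/block for one column; unknown columns and groups are blocked."""
    classification = COLUMN_CLASSIFICATION.get(column, "unclassified")
    return GROUP_POLICY.get(group, {}).get(classification, "block")


@dataclass
class Decision:
    allowed: bool
    reason: str
    actions: dict  # column -> "allow" | "mask" | "block"


def evaluate_request(group, columns):
    """Decide, before any data leaves the server, what the group may receive."""
    actions = {c: column_action(group, c) for c in columns}
    blocked = sorted(c for c, a in actions.items() if a == "block")
    if blocked:
        return Decision(False, f"{group} is not permitted to read: {', '.join(blocked)}", actions)
    return Decision(True, "ok", actions)


def apply_policy(group, columns, rows):
    """Shape result rows per policy. Raises PermissionError when the request
    must be refused; a front-end proxy would log this and drop the session."""
    decision = evaluate_request(group, columns)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    shaped_rows = []
    for row in rows:
        shaped = {}
        for column in columns:
            value = row[column]
            shaped[column] = mask_value(column, value) if decision.actions[column] == "mask" else value
        shaped_rows.append(shaped)
    return shaped_rows


# Constructed sample data standing in for a query result.
SAMPLE_ROWS = [
    {"customer_id": 1001, "full_name": "Ada Example", "email": "ada@example.com",
     "ssn": "123456789", "card_number": "4111111111111111", "balance": 2500.00},
    {"customer_id": 1002, "full_name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987654321", "card_number": "5500000000000004", "balance": 80.25},
]

if __name__ == "__main__":
    for group in ("dba", "fraud_analyst", "marketing"):
        try:
            print(group, apply_policy(group, ["customer_id", "full_name", "ssn"], SAMPLE_ROWS))
        except PermissionError as exc:
            print(group, "REFUSED:", exc)
```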

The bottom line is that it’s crucial to understand where the organization stores its data, who is accessing it and whether that access aligns with established security policies. Without this visibility, threats are bound to slip past the weary eyes of overworked security analysts, and sensitive data is bound to slip into the wrong hands.


The post Where Is Your Sensitive Information and Where Is It Going? appeared first on Security Intelligence.

Dispel Launches Election Security Platform

Dispel, a U.S.-based company that specializes in secure communication and collaboration systems, on Thursday announced the launch of a new product designed to help protect elections against malicious cyber actors.


Establishing Trust With Identity Governance Intelligence

Many organizations do not keep well-documented records of where all their data is housed. This is a serious problem with so many new regulations requiring companies to be more accountable for protecting information.

Does your organization know exactly who its users are, what they’re entitled to access and where the information they’re accessing is stored? Perhaps more importantly, do you trust the people who are providing access permissions?

Addressing Identity Governance Challenges

As organizations grow, the responsibility of making appropriate access decisions often falls to line-of-business (LOB) managers. This decentralization of access management and employees’ frustration regarding these processes are some of the top headaches related to identity governance and access management.

However, business managers are increasingly expected to recertify their employees’ access, ensuring that they have the proper entitlements to business resources. They are the ones IT counts on to raise the red flag when, for example, an employee can both issue a purchase order and distribute a check — a clear segregation-of-duties (SOD) violation. Identity governance and access management play crucial roles in monitoring SOD and complying with emerging regulations.

Speaking the Language of Business

The identity and access management (IAM) tools many organizations have in place are often not well-understood by the very people tasked with governing access. Users need to be able to communicate in plain business language, but when asked to recertify access, LOB managers are often handed a report with technical lists of resources that are mostly unintelligible to a business user. As a result, recertification gets a rubber stamp and the user is left with a toxic combination of permissions and excessive entitlements. When identity governance is compromised, the organization is left vulnerable to security and compliance violations.

Companies can solve this problem by investing in identity governance and intelligence (IGI) solutions that address the business requirements of LOB and compliance managers, auditors and risk managers. IGI provides a business activity-based modeling approach that simplifies the user access and roles design, review and certification processes. With this approach, you can establish trust between IT and business managers around business activities and permissions, making workflows understandable for nontechnical users.
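The segregation-of-duties check and the business-language recertification report from the two sections above, as an added example that is not code from the original post or from any IGI product: technical entitlements are translated into business activities, each user's activities are tested against conflicting pairs (the purchase-order-plus-check case is the one the text gives), and the output is a line a line-of-business manager can act on. The entitlement mapping, rules and users are constructed.

```python
"""
Segregation-of-duties check that reports in business language.
Added example; the entitlement mapping, rules and sample users are constructed.
"""

# Technical resource name -> business activity (constructed mapping; an IGI
# tool would maintain this so that managers never see the raw names).
ENTITLEMENT_TO_ACTIVITY = {
    "SAP_ROLE_MM_PO_CREATE": "issue a purchase order",
    "SAP_ROLE_FI_PAYMENT_RUN": "distribute a check",
    "SAP_ROLE_FI_INVOICE_POST": "post a vendor invoice",
    "AD_GRP_VENDOR_MASTER_EDIT": "maintain vendor master data",
    "RACF_PAYROLL_READ": "view payroll records",
}

# Pairs of activities one person must not hold together, with the business risk.
SOD_RULES = [
    ({"issue a purchase order", "distribute a check"},
     "could order goods and pay for them without a second person"),
    ({"maintain vendor master data", "distribute a check"},
     "could redirect payments to a vendor account they control"),
    ({"post a vendor invoice", "distribute a check"},
     "could approve and pay an invoice without independent review"),
]


def activities_for(entitlements):
    """Translate technical entitlements; unknown ones are reported, not ignored."""
    activities, unmapped = set(), []
    for ent in entitlements:
        activity = ENTITLEMENT_TO_ACTIVITY.get(ent)
        if activity is None:
            unmapped.append(ent)
        else:
            activities.add(activity)
    return activities, unmapped


def find_violations(user_entitlements):
    """Return one record per (user, rule) conflict across all users."""
    violations = []
    for user, ents in user_entitlements.items():
        activities, _ = activities_for(ents)
        for conflict, risk in SOD_RULES:
            if conflict <= activities:  # user holds every activity in the conflicting set
                violations.append({"user": user, "activities": sorted(conflict), "risk": risk})
    return violations


def recertification_report(user_entitlements):
    """Plain-language lines for a manager reviewing access, grouped by user."""
    lines = []
    violations = find_violations(user_entitlements)
    for user, ents in sorted(user_entitlements.items()):
        activities, unmapped = activities_for(ents)
        user_violations = [v for v in violations if v["user"] == user]
        if user_violations:
            for v in user_violations:
                lines.append(f"{user}: can {v['activities'][0]} AND {v['activities'][1]}; "
                             f"{v['risk']}. Remove one of these or document a compensating control.")
        else:
            lines.append(f"{user}: can {', '.join(sorted(activities)) or 'nothing mapped'}; no conflicts.")
        if unmapped:
            lines.append(f"{user}: {', '.join(unmapped)} has no business-activity mapping; "
                         "IT must classify it before it can be certified.")
    return lines


# Constructed sample: alice and carol hold toxic combinations, bob does not,
# and carol also holds an entitlement nobody has mapped yet.
SAMPLE_USERS = {
    "alice": ["SAP_ROLE_MM_PO_CREATE", "SAP_ROLE_FI_PAYMENT_RUN", "RACF_PAYROLL_READ"],
    "bob": ["SAP_ROLE_MM_PO_CREATE", "SAP_ROLE_FI_INVOICE_POST"],
    "carol": ["AD_GRP_VENDOR_MASTER_EDIT", "SAP_ROLE_FI_PAYMENT_RUN", "LEGACY_APP_XYZ_ADMIN"],
}

if __name__ == "__main__":
    for line in recertification_report(SAMPLE_USERS):
        print(line)
```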

It’s just as important to invest in solutions that provide silent security, which works in the background to connect users, applications and people to the information and applications they need, standing in the way only when bad actors are detected. This helps minimize user frustration with access management processes.

Simplification Is the Key to Data Security

IGI solutions enable security teams to leverage powerful analytics to make informed decisions about identity, give users the applications and the flexible data access they need, and help to ensure compliance with ever-evolving regulations. Security leaders can use these tools to manage access certifications, onboarding and offboarding processes, and restrict access based on each user’s ongoing, demonstrated need — also known as the principle of least privilege. Even if recertifications fall squarely on the shoulders of business leaders, managers can use solutions that communicate in terms they can understand, and IT can establish trust that end-user certifications are indeed valid.

With a comprehensive identity governance solution that offers controls and visibility from a single application, security professionals can verify users’ identities and determine whether they have the legitimate access they need. They can also implement an identity and governance solution that seamlessly integrates with even the most complex business platforms, including SAP, mainframe and midrange systems.

Tighter IT governance requirements are making security operations more difficult, but security solutions that work in the background enable organizations to strengthen their security posture and compliance footing in the face of new and upcoming regulatory requirements. With identity governance, simplification is the key to keeping resources safe while enabling business managers to do what IT needs to trust them to do.


The post Establishing Trust With Identity Governance Intelligence appeared first on Security Intelligence.

IBM Study Shows Consumers Don’t Trust Social Networks With Identity Data

These are difficult times for social media services. Between the co-opting of conversations by armies of automated bots and concerns about identity theft and bullying, some of the best-known online gathering spots are being forced to make some tough choices about how they rebuild the public’s trust.

IBM’s new “Future of Identity Study” provided another indication of the issues they confront. The survey of nearly 4,000 adults from around the globe found that social networks fare poorly in customer perceptions about their ability to safeguard identity data.

For example, asked what types of institutions they trust most with biometric data used to access sensitive services, only 15 percent of respondents — and 12 percent of U.S. respondents — cited social media networks, compared to 48 percent who said they trust financial institutions with such data. Healthcare and insurance providers, along with online shopping sites, fared significantly better than social media providers on this question.

It’s not that people expect enterprise-grade identity protection from every site they visit. Respondents also said they’re more inclined to trade off security and privacy for convenience when using social media than in any other category.

The Risks of Collecting Identity Data

Some social networks house a lot of personally identifiable information (PII), including names of family members, employment history, home addresses and school affiliations. When combined with a password or Social Security number, fraudsters can use this information to steal a user’s identity or compromise sensitive accounts.

Many people now also use their social networking accounts to authenticate to other applications and services, which may contain credit card numbers, purchasing histories, street addresses, phone numbers and records of relationships with other people. That means an attacker who compromises one social network can potentially break into other protected sites as well.

All of this puts social networks in a tenuous position regarding security. Their bread and butter is member activity, so providers are understandably reluctant to put up any barriers to a seamless experience. For that reason, many either don’t support two-factor authentication (2FA) or leave it as an optional feature.

In addition, most networks make money by collecting detailed information about their members and using it to create profiles for targeted advertising. The more information users volunteer about themselves or disclose through their activity, the more advertising dollars social networks can charge, so they aren’t going to stop collecting identity data anytime soon.

The IBM study suggested that balancing these factors will be increasingly difficult. If member trust declines, people will be less likely to volunteer private information, which ultimately impacts the network’s bottom line. Lowering barriers to membership may boost activity, but it also increases the incidence of fraudulent accounts, account theft, impersonation and the use of bots to boost follower numbers. All of that adds up to declining trust.


Re-Establishing Customer Trust

Social networks should take the results of the IBM research into account as they evolve their security practices and the ways in which they collect identity data. The bottom line is that they need to focus on re-establishing trust, even if it means sacrificing some speed and convenience.

Fortunately, the study indicated that users may be more tolerant of visible security features in their digital experiences: Nearly three-quarters said they’re willing to use multifactor authentication (MFA) for additional security, despite the minor inconvenience it introduces. Another 87 percent said they’re open to using some form of biometric security in the future.

Following a year in which social networks took some body blows, gaining back trust should be a high priority. Making a few modifications to existing identity practices is a good start.

For more insights about changing views on user authentication and advice on how organizations can adapt, download IBM Security’s “Future of Identity Study.”


The post IBM Study Shows Consumers Don’t Trust Social Networks With Identity Data appeared first on Security Intelligence.

Why Device ID May Not Be Enough to Stop Fraud

Protecting your organization against fraud is a continuous game of cat and mouse. It seems like as soon as you implement a detection mechanism, the bad guys find a way to get around it.

Device ID — the ability to uniquely identify and later recognize a user’s device — was one of the first tools enterprises used for authentication and fraud detection. Using regular and Adobe Flash cookies, you could tag a device and use that as the “something you have” component of the authentication process, thus replacing onerous hardware tokens. If a device was unknown, the enterprise could step up authentication measures.

Modern device ID solutions have become significantly more sophisticated than these early cookie-based solutions. They collect information on myriad device characteristics, both static and dynamic, including browser, operating system, internet connection and other properties. This allows security teams to create a unique fingerprint of the device, which can be used to authenticate customers or detect suspicious interactions.

While device ID remains an important and sometimes effective tool in the enterprise fraud detection arsenal, it is not nearly enough to constitute a complete fraud detection solution. Why is this?

Read the white paper: How digital banking is transforming fraud detection

Fraud Has Caught Up With Device ID Techniques

When device ID was first developed, bad actors quickly learned that they could copy cookies and use them on other devices, enabling them to appear legitimate. As the technique evolved to include things such as IP address and the type and version of browser and operating system, bad actors have reverse engineered device ID solutions and created increasingly detailed spoofing techniques to fool security algorithms.

Many malware strains today collect not only credentials, but also the data used to create a device ID. Bad actors can then manipulate their own device to appear to use the same browser extension, OS attributes and more to further impersonate their intended victim. This practice is known as device ID spoofing. Modern device ID solutions should include spoofing detection capabilities. Moreover, to keep up with the pace of sophisticated fraud activity, device ID spoofing detection must be updated daily based on ongoing research and threat intelligence.
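Device recognition with the spoofing checks the two paragraphs above call for, as an added example that is not code from the original post or from any device ID product: the fingerprint is a hash over attributes the browser reports about itself, and because those attributes can be harvested and replayed elsewhere, the assessment also tests whether they agree with each other and with a signal the client does not control (the country the connecting IP resolves to). The attribute set, country-to-offset table and sessions are constructed.

```python
"""
Device fingerprint plus spoof indicators. Added example; the attribute set,
the country table and the enrolled device are constructed.
"""
import hashlib
import json

# Browser-reported attributes that go into the fingerprint (constructed subset).
STABLE_KEYS = ("user_agent", "platform", "screen", "timezone_offset", "languages")

# Country -> plausible UTC offsets in hours (constructed, deliberately small table).
COUNTRY_TZ_OFFSETS = {
    "US": {-10, -9, -8, -7, -6, -5, -4},
    "DE": {1, 2},
    "RO": {2, 3},
    "BR": {-5, -4, -3, -2},
}

# OS families that legitimately co-occur (Android reports a Linux platform string).
COMPATIBLE_OS = {frozenset({"android", "linux"})}


def fingerprint(attrs):
    """SHA-256 over a canonical JSON encoding of the stable attributes."""
    canonical = json.dumps({k: attrs.get(k) for k in STABLE_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def os_from_user_agent(user_agent):
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "android" in ua:  # before the linux test: Android UAs also contain "Linux"
        return "android"
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    if "linux" in ua:
        return "linux"
    return "unknown"


def os_from_platform(platform):
    p = platform.lower()
    if p.startswith("win"):
        return "windows"
    if p.startswith("mac"):
        return "mac"
    if "android" in p:
        return "android"
    if "linux" in p:
        return "linux"
    return "unknown"


def spoof_indicators(attrs, ip_country):
    """Contradictions within the attributes, or between them and the IP's country."""
    indicators = []
    ua_os = os_from_user_agent(attrs["user_agent"])
    pf_os = os_from_platform(attrs["platform"])
    if ua_os != pf_os and frozenset({ua_os, pf_os}) not in COMPATIBLE_OS:
        indicators.append(f"user_agent says {ua_os} but platform says {pf_os}")
    offsets = COUNTRY_TZ_OFFSETS.get(ip_country)
    if offsets is not None and attrs["timezone_offset"] not in offsets:
        indicators.append(f"timezone offset {attrs['timezone_offset']:+d} is not used in {ip_country}")
    return indicators


def assess_session(stored_fingerprint, attrs, ip_country):
    """(verdict, indicators); a recognized device with contradictions should step up authentication."""
    indicators = spoof_indicators(attrs, ip_country)
    recognized = fingerprint(attrs) == stored_fingerprint
    if recognized and indicators:
        return "recognized_but_inconsistent", indicators
    if recognized:
        return "recognized", indicators
    return "unknown_device", indicators


# Constructed enrolled device: a Windows laptop on US Eastern time.
ENROLLED = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/58.0",
    "platform": "Win32",
    "screen": "1920x1080x24",
    "timezone_offset": -5,
    "languages": "en-US,en",
}
ENROLLED_FP = fingerprint(ENROLLED)

if __name__ == "__main__":
    print(assess_session(ENROLLED_FP, ENROLLED, "US"))
    # The identical attribute set presented from an IP that resolves to Romania.
    print(assess_session(ENROLLED_FP, ENROLLED, "RO"))
    # An attribute set whose platform value does not match its user agent.
    print(assess_session(ENROLLED_FP, dict(ENROLLED, platform="Linux x86_64"), "US"))
```

The fingerprint alone says the same thing in all three sessions above only in the first two; the session-level signals are what separate the legitimate one from the replayed one.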

RATs and Social Engineering

The eruption of remote access Trojans (RATs) and other similar threats has resulted in a new way for bad actors to avoid device ID-based fraud detection. An attacker using a RAT is actually using the victim’s device, which completely sidesteps any fraud detection capabilities based on device ID.

In addition to RATs, threat actors constantly develop schemes that take advantage of the weakest element of security strategy — humans — using social engineering tactics. Social engineering attacks such as business email compromise (BEC) target employees with access to company finances and trick them into making wire transfers to criminal bank accounts. In these cases, the fraudulent action comes from both the right device and the right user, something that a device ID-based fraud detection solution would be unable to detect.

Of course, the attacks that circumnavigate device ID-centric solutions are not yet simple enough to be conducted at scale. Fraudsters must invest significant time and research to complete these attacks successfully, but that doesn’t mean they should be overlooked. In fact, bad actors who employ these techniques generally target an institution’s highest-value accounts, making every successful attack potentially catastrophic.

Best Practices for Improving Fraud Strategies

What should an enterprise look for when implementing a fraud detection strategy? It should still include complex device ID as an integral feature, but it should be paired with a strong device ID spoofing tool that includes ongoing threat research and automatically adapts to new threats.

Perhaps more importantly, enterprises should think of device ID as just one tool in a multilayered identification toolbox. Device ID solutions should include additional indicators of fraudulent activity relative to the user, device, behavior or session. These can include behavioral biometrics, malware detection, phishing detection and global identity networks exposing repeated usage patterns over the multitude of these perspectives. It’s also important to consider ongoing transaction monitoring to identify accounts that might be compromised by social engineering.

From a wider security perspective, enterprises should always be wary of one-trick pony solutions. Any solution that uses device ID, biometrics or malware detection exclusively will never be enough to prevent fraud. Multilayered security solutions provide the depth needed to defeat the bad actors of today and tomorrow because they are infused with many layers of cognitive fraud detection and analytics to help prevent digital identity fraud.

In addition to highly complex device ID tools with spoofing detection, these solutions include ongoing global threat intelligence research, behavioral biometrics, malware detection, RAT detection and more. The security layers are pre-integrated, both on the technical level and on the derived risk balancing level, which helps organizations avoid the potential pitfalls of device ID-based fraud protection so they can offer their customers a seamless user experience.


The post Why Device ID May Not Be Enough to Stop Fraud appeared first on Security Intelligence.

January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends

Below is a roundup of the biggest cybersecurity news stories from the past month.

January is over, and it’s time for security professionals around the world to sweep up the confetti and start digging in on their New Year’s resolutions. During the first month of 2018, we saw everything from a CPU vulnerability to advanced Internet of Things (IoT) exploits, physical ATM attacks and new cybercriminal trends driven by the cryptocurrency gold rush.

Let’s take a closer look at how these stories are shaping the cybersecurity landscape as the industry gears up for another year of escalating threats.

Taking Stock of the Top Cybersecurity News Stories From January

On Jan. 9, a Ponemon Institute report titled “What CISOs Worry About in 2018” revealed that chief information security officers (CISOs) are less confident than ever about their susceptibility to cyber risks. According to the study, two-thirds of security leaders believe their organizations will suffer a cyberattack or data breach this year, and many fear that third-party partners will be the vulnerability point. In addition, 70 percent of CISOs cited lack of competent staff as their top challenge. Their concerns are understandable considering that cybercriminals stole $172 billion from 978 million consumers in 20 countries last year, according to Symantec.

January also saw an explosion of cryptomining attacks. In recent weeks, threat actors made off with $400 million worth of a digital currency by penetrating Japanese cryptocurrency exchange Coincheck. That news came just days after Ernst & Young estimated that nearly $400 million worth of funds raised in initial coin offerings had been lost or stolen. That’s more than 10 percent of the proceeds.

Cryptocurrency has become a playground for attackers, who have recognized that they can score bigger payoffs by turning users’ computers into nodes on a massive coin-mining network than they can by attacking users individually. In fact, SiliconANGLE reported that ransomware attacks are on the decline as criminals seek safer and more lucrative returns in mining.

One such attack has been ongoing for more than four months, affecting an estimated 30 million users around the globe. In most cases, victims don’t even know they’ve been compromised. Miners can use rogue JavaScript controls to hijack a system from an open browser window. Some attackers even buy their ads legitimately before replacing the contents with malicious code.

Top Exploits of 2018 So Far

In cybersecurity, there’s always something new to worry about. This month’s headache is jackpotting, a physical compromise scheme in which thieves hijack ATMs and force them to spit out cash. Brian Krebs first exposed the phenomenon, which encompasses a variety of techniques, such as using an endoscope — a device used by doctors to look inside the human body — to locate ports inside the machine where a crook can attach a cable that syncs with his or her laptop.

Voice-activated assistants have also found themselves squarely in cybercriminals’ crosshairs. According to Communications of the ACM, sound waves can be used to rewire circuits in IoT devices to deliver incorrect readings, cause control systems to malfunction or even execute commands using voice instructions hidden in music. Because the threats use analog media, they aren’t easily combated with digital protection.

Emerging Malware Trends

One thing that defines every January is predictions for the year ahead. What trends will define the security landscape in 2018? The IBM X-Force team has a few ideas.

  • Botnet attacks will become more frequent as cybercriminals exploit vulnerabilities in IoT devices. Last summer, a consortium of technology firms took down a botnet that compromised tens of thousands of Android devices using exploits in seemingly legitimate apps from the Google Play store. Any device can now potentially become a participant in a distributed denial-of-service (DDoS) attack.
  • Failure to patch known vulnerabilities continues to be the primary culprit in large-scale attacks. Less than 1 percent of vulnerabilities in 2016 were considered zero-day, according to the IBM X-Force vulnerability database. Applying patches has never been more important.
  • Cloud services are presenting new attack vectors as misconfigured permissions or simple oversight leaves data exposed. Cloud databases leaked over 2 billion records in 2017, and the X-Force team asserted that server misconfigurations were responsible for 70 percent of them.
  • Thieves are increasingly extorting large ransoms for stolen high-value data. Victims in 2017 included a popular video streaming service from which preproduction versions of popular shows were stolen and several plastic surgery clinics whose photos of celebrity clients were held for ransom. With ransomware becoming a hit-or-miss proposition, attackers are focusing more on big money opportunities.
  • Phishing attacks will become more sophisticated as perpetrators use spear phishing to target individual victims, often spoofing their email accounts and writing style with personalized messages.
  • As noted above, cryptocurrency theft will soar with the growing value of blockchain-based digital money.

Risk Management Resolutions

Failure to patch is only one of the five epic security fails we outlined this month that put organizations at increased risk. Another is the tendency to become complacent once compliance is achieved on paper and neglect to update certifications and skills. A third major blunder is failure to centralize data security, which can impede efforts to keep up with the constantly shifting threat landscape.

Organizations that do not assign responsibility for data put themselves at even further risk. After all, if no one owns the data, no one is likely to protect it. Finally, failure to monitor data access enables cybercriminals to simply walk in through the front door, so to speak. It’s important to shut down access privileges immediately once an employee is terminated or otherwise leaves the company.

Consumers Warm Up to Security

IBM Security’s new “Future of Identity Study,” which surveyed nearly 4,000 adults from around the globe, revealed that consumers are beginning to prioritize security above convenience. Respondents ranked security as their top priority, over both convenience and privacy, when logging in to the majority of applications, especially apps dealing with money and financial transactions. The survey also found that biometrics are becoming mainstream, with 87 percent of consumers saying they’ll be comfortable with the technology in the future.

In addition, the study noted that although millennials have grown up with information technology, they aren’t as careful as their elders about passwords. Young people are less likely than other groups to use complex passwords and more likely to use the same password many times. However, they are also more inclined to use password managers and biometrics, which can help provide additional security layers without adding extra passwords to memorize.

Read the complete IBM Study on The Future of Identity

Gearing Up for Six More Weeks of Winter

With the new year in full swing, the start of February is an excellent time to take stock of the past month’s cybersecurity news headlines and trends, and gear up for whatever threats will emerge in the coming weeks. It’s a lot to take in at once, but awareness of the latest shifts in the threat landscape can go a long way toward helping enterprises and individual users steer clear of the cybercriminal flavor of the month.

The post January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends appeared first on Security Intelligence.

Using Machine Learning to Make Faster, Smarter Decisions About Insider Threats

Chances are you already have an established process for identifying attackers and blocking external threats. You’ve taken steps to reduce the likelihood of an attack by exercising good cyber hygiene and following key identity and access management (IAM) best practices, such as adhering to the principle of least privilege.

But what about threats from within your organization? According to Verizon’s “2017 Data Breach Investigations Report,” 89 percent of security incidents are caused by insiders. Insider threats stem from both careless or malicious employees and external actors who have broken through the perimeter. Once they are inside, however, they all look the same, making them increasingly difficult to detect.

A Comprehensive Approach to Detecting Insider Threats

Security professionals need a way to analyze user activity and make intelligent decisions on a case-by-case basis. Traditional approaches to remediating suspected insider threats typically rely on technological solutions, such as blocking a user’s firewall access. This may or may not be sufficient, since the user may still have access to resources beyond the firewall. If a user is suspected of malicious activity, why not employ tools that show exactly which accounts, data stores and other enterprise resources that user can access? IAM solutions provide this information and enable security professionals to block threats fast with a more comprehensive approach.

Before you can make smarter decisions about user access, you’ll need a user behavior analytics (UBA) solution to monitor user activity and assign risk scores to individual profiles. A UBA tool works by examining patterns of user activity while employing machine learning to detect anomalous behavior that could indicate a potential threat. This technology can detect and alert you to behavior that violates security policies, such as attempting to log in multiple times or doing so from an unfamiliar location or at a suspicious time. Machine learning can identify sophisticated breaches in which attackers dwell in the network and gradually move laterally to escalate privileges over time. You’ll know exactly which user is in question and what offenses were committed. This enables you to gain more insight into the incident, automatically suspend the account and revoke access through IAM.

Once you’ve narrowed in on a user exhibiting suspicious behavior, how can you stop him or her? This is where IAM comes into play. When UBA detects behavior that is out of policy, an identity governance and intelligence (IGI) solution automatically suspends that account. This immediately stops the user during the investigation, blocks him or her from accessing any more information and cuts down on dwell time. That part is critical, since the longer the dwell time, the greater the potential for extensive damage. Automation saves crucial time during the investigation and eliminates the need for manual user-centric threat mitigation processes. It can even communicate directly with the impacted user to ask authentication questions via a mobile app. This approach is more comprehensive and effective than blocking firewall access.

Every Second Counts

By using UBA in conjunction with IGI to centrally and securely manage user identities, you can visualize insider threats and automatically control what resources each user can access based on previously established security policies. Depending on the risk score, you can use IGI on a per-resource basis to suspend or shut down access completely.

When responding to insider threats, every second counts. By implementing IAM tools that can automatically respond to suspicious activity, organizations can help minimize damage while security analysts conduct their investigations. The combination of UBA and IGI enables security teams to manage user access with an approach that works silently in the background, only taking action when necessary to minimize disruptions to legitimate business activities.

To learn more, watch this demo video of QRadar UBA + Resilient + IGI integration:

The post Using Machine Learning to Make Faster, Smarter Decisions About Insider Threats appeared first on Security Intelligence.

IBM Study: Consumers Weigh in on Biometrics, Authentication and the Future of Identity

The technology and security headlines of 2017 foreshadow big changes on the horizon in the world of identity and access.

Rumors of the death of the password may have been exaggerated in the past, but major data breaches have removed any doubt that our email addresses, passwords and personal information, including Social Security numbers, are no longer sufficient to protect our identities online. At the same time, options for using more unique data, such as biometrics, for authentication are gaining popularity, with fingerprint scans already pervasive on personal devices and facial recognition moving into the mainstream with the latest smartphone models.

But while these new authentication methods are certainly picking up steam, the path to a completely passwordless world will be a long journey and, ultimately, users will lead the way.

Preparing for a New Era of Authentication

As we reach this crucial turning point in the authentication landscape, IBM commissioned a broad consumer study to better understand global and generational consumer preferences around biometrics, passwords and multifactor authentication.

IBM Security’s new “Future of Identity Study,” released today, surveyed nearly 4,000 adults around the globe. Below are some of the top findings.

  • Security is beginning to outweigh convenience. People ranked security as the highest priority, over convenience and privacy, for logging in to the majority of applications, particularly when it comes to money-related apps.
  • Biometrics are becoming mainstream. Sixty-seven percent of respondents are comfortable using biometric authentication today, while 87 percent say they’ll be comfortable with these technologies in the near future.
  • Millennials are moving beyond passwords. While 75 percent of millennials (respondents between the ages of 20 and 36) are comfortable using biometrics today, less than half are using complex passwords and 41 percent reuse passwords to access numerous accounts. Older generations showed more care with password creation, but were less inclined to adopt biometrics and multifactor authentication.

Taking a closer look at these trends, the future of identity may be closer than we think.

Read the complete IBM Study: The Future of Identity

Millennials Accelerating the End of the Password Era

Generational differences that emerged from the survey results showed that younger adults are putting less care into traditional password hygiene but are more likely to layer access with multifactor authentication, use biometrics for speed and convenience, and use password managers to secure their accounts. This could be an indication that younger generations have less confidence in passwords to begin with, thus looking to alternative methods to secure their accounts.

With millennials quickly becoming the largest generation in today’s workforce, according to a study by ManpowerGroup, these trends may impact how employers, service providers and technology companies provide access to devices and applications in the near future. Below are some additional findings on generational authentication trends.

  • Only 42 percent of millennials use complex passwords that combine special characters, numbers and letters (versus 49 percent of respondents who are 55 and older), and 41 percent reuse the same password multiple times (versus 31 percent of those aged 55+).
  • On average, people 55+ use 12 passwords, while Generation Z (ages 18 to 20) averages only five passwords. This could indicate a heavier reuse rate across a growing number of accounts.
  • Millennials are two times more likely to use a password manager (34 percent) than people over the age of 55 (17 percent).
  • Millennials are more likely to enable two-factor authentication in the wake of a breach (32 percent versus 28 percent of the general population). They are also more likely to delete an account held by a breached service provider and move to a competing one.
  • Seventy-five percent of millennials were comfortable using biometrics today, compared to 58 percent of those over age 55.

Security Trumps Convenience, Especially for Money-Related Apps

While conventional wisdom may hold that consumers value speed over all else, the survey found that consumers ranked security as a higher preference than privacy or convenience for the majority of applications, particularly for money-related applications.

The one exception to this was social media apps, where convenience took a slight edge over security, revealing a potential blind spot when it comes to protecting personal data stored on those apps.

Figure 1: Users’ top priorities when logging into various applications

Preparing for the Future of Identity

How can organizations adapt to shifting user preferences? One way is to take advantage of flexible identity platforms that give users a choice between multiple authentication options — for example, letting users toggle between a mobile push notification that invokes the fingerprint reader on their phone and a one-time passcode.

Organizations can also balance demands for security and convenience by incorporating risk-based approaches into their access schemes. When risk levels rise, for example when behavioral cues or connection attributes such as device, location or IP address signal potentially abnormal activity, additional authentication checkpoints can be triggered.
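The UBA risk scoring and automatic IGI suspension described in the insider-threat post above, together with the attribute-driven step-up this paragraph describes, as one added example (not IBM's code): each login is scored against the baseline learned for that user, a second factor is demanded when device, country or timing diverge, and the account is suspended once consecutive failures push the score past a threshold. The signal weights, thresholds, off-hours window and log lines are all constructed.

```python
"""Risk-scored login handling, modelled on the UBA -> IGI flow and the risk-based
step-up described on this page.  Added example, not IBM's code: the signal
weights, thresholds, off-hours window and log lines are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed weights: how much each anomaly signal adds to the risk score.
WEIGHTS = {"new_device": 25, "new_country": 25, "off_hours": 15, "prior_failure": 10}
STEP_UP_AT = 40   # at or above: demand a second factor (push / mobile-app challenge)
SUSPEND_AT = 80   # at or above: suspend the account pending investigation


@dataclass
class Profile:
    """What the analytics layer has learned about one user from low-risk successes."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    failed_streak: int = 0
    suspended: bool = False


def parse_line(line):
    """Parse one constructed 'ISO-timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def score(profile, ev):
    """Return (risk score, signals) for a login event judged against the profile."""
    signals = []
    # A user with no baseline yet cannot trigger 'new device'; only timing and
    # prior failures count until low-risk successes have taught the profile.
    if profile.devices and ev["device"] not in profile.devices:
        signals.append("new_device")
    if profile.countries and ev["country"] not in profile.countries:
        signals.append("new_country")
    if ev["ts"].hour < 6 or ev["ts"].hour >= 22:          # constructed off-hours window
        signals.append("off_hours")
    risk = sum(WEIGHTS[s] for s in signals)
    risk += WEIGHTS["prior_failure"] * profile.failed_streak  # consecutive prior failures
    return risk, signals


def decide(profiles, ev):
    """Apply the policy to one event, update the profile, return (decision, risk)."""
    p = profiles.setdefault(ev["user"], Profile())
    if p.suspended:
        return "blocked", None                  # already suspended by the IGI step
    risk, _ = score(p, ev)
    if risk >= SUSPEND_AT:
        p.suspended = True                      # automatic suspension, no analyst wait
        return "suspend", risk
    if ev["result"] != "success":
        p.failed_streak += 1
        return ("step_up" if risk >= STEP_UP_AT else "deny"), risk
    p.failed_streak = 0
    if risk >= STEP_UP_AT:
        return "step_up", risk                  # a correct password is not enough here
    # Only low-risk successes teach the baseline, so an intruder who guesses a
    # password once does not thereby enrol a new device or country.
    p.devices.add(ev["device"])
    p.countries.add(ev["country"])
    return "allow", risk


def process_log(text):
    """Run every line of a log through the policy; return decisions and profiles."""
    profiles = {}
    results = []
    for line in text.strip().splitlines():
        ev = parse_line(line)
        decision, risk = decide(profiles, ev)
        results.append((ev["user"], decision, risk))
    return results, profiles


# Constructed sample log: alice's normal use, then a night-time burst from an
# unknown device abroad that finally guesses the password.
LOG = """
2018-02-05T09:05:00 user=alice device=laptop-1 country=US ip=198.51.100.10 result=success
2018-02-05T13:40:00 user=alice device=laptop-1 country=US ip=198.51.100.10 result=success
2018-02-05T10:15:00 user=bob device=phone-3 country=DE ip=198.51.100.22 result=success
2018-02-06T03:10:00 user=alice device=unknown-7 country=RO ip=203.0.113.5 result=failure
2018-02-06T03:11:00 user=alice device=unknown-7 country=RO ip=203.0.113.5 result=failure
2018-02-06T03:12:00 user=alice device=unknown-7 country=RO ip=203.0.113.5 result=success
2018-02-06T08:30:00 user=alice device=laptop-1 country=US ip=198.51.100.10 result=success
2018-02-06T09:00:00 user=bob device=phone-3 country=DE ip=198.51.100.22 result=success
"""

if __name__ == "__main__":
    for user, decision, risk in process_log(LOG)[0]:
        print(f"{user:6} {decision:8} risk={risk}")
```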

Leveraging data from the survey can also help reshape security processes for an evolving workforce. As millennial and Generation Z employees begin to dominate the workforce, organizations and businesses can adapt to younger generations’ proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that favor biometric methods or tokens in place of passwords. As always, users should follow best practices for securing their digital identities.

For additional details on the study and advice to help companies prepare for the future of authentication, download the full report.

Read the complete IBM Study on The Future of Identity

In an era where personal information is no longer private and passwords are far from unbreakable, the future of identity is now everyone’s personal business.

The post IBM Study: Consumers Weigh in on Biometrics, Authentication and the Future of Identity appeared first on Security Intelligence.

SecurityWeek RSS Feed: Seagate Patches Flaws in Personal Cloud, GoFlex Products

Seagate recently patched several vulnerabilities discovered by researchers in the company’s Personal Cloud and GoFlex products, but some weaknesses impacting the latter remain unfixed.

GoFlex Home vulnerabilities

SecurityWeek RSS Feed: Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks

A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

Misconfigured Jenkins Servers Leak Sensitive Data

A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.

London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.

The Risk Modeling Gotcha: Roles Are Like Hammers to Screws

Why do organizations continue to struggle with entitlement risk modeling? It boils down to risk being aligned to roles and role-based access. The irony is that roles were never intended to be risk models. They were once low-hanging fruit, a logical way to provide an early means of grouping users to entitlements and later associating risk to such groupings.

The Problem With Role-Based Risk Modeling

Let’s briefly step back and distinguish between groups and roles. Groups are typically bundles of individuals or entitlements that can be managed together within a single system, application or common system framework. Roles extend such groupings and can span both common and dissimilar enterprise systems and applications. The purpose of roles and groups was once to boost efficiency in managing entitlements and improve oversight of common members. Somewhere along the line, they became common tools for risk modeling.

Ultimately, security teams must determine whether each entitlement conflicts with (is toxic in combination with) or is compatible with (nontoxic alongside) every other entitlement. This is a tall order. The unfortunate problem with using roles for risk modeling is that each time an entitlement is added to or removed from a role, the enterprise is forced to evaluate whether a new risk has been introduced.

To further complicate things, roles frequently contain multiple entitlements and even subroles with many contents. The role contents must constantly be evaluated for direct or indirect conflicts with business rules, policies and regulations that determine requirements for segregation of duties (SOD). Roles will, of course, be modified and consolidated as a common practice, and role contents will be added and removed.

The maintenance required to constantly evaluate and mitigate potential SOD risks each time a role gains or loses an entitlement is impossible to manage effectively. It’s no wonder that organizations rarely achieve maturity in their risk models when those models are based on roles. The constant churn of role maintenance undermines any risk maturity when risk is aligned specifically to roles.

A Smarter Approach to Risk Modeling

A more effective approach is to separate risk models from roles — in other words, just let roles be roles. By aligning risk to static business activities, the roles can remain dynamic without disrupting risk models and resume their intended purpose of driving efficiencies in provisioning, user management and recertifications/attestations.

Business activities that largely remain unchanged are best defined by the lines of business (LOBs) or auditors, and they are easily modeled from common business process management frameworks. In fact, there is an open standard model of industry-specific business processes and even a generic cross-industry model available from an open community led by the American Productivity and Quality Center (APQC). The APQC community refers to these standard models as process classification frameworks (PCFs). Most business process management solutions leverage the open standard APQC PCFs, and LOBs are usually very familiar with industry-specific PCF models. LOBs and auditors commonly use these frameworks in business process management, benchmarking operations and auditing.
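An added example (not IBM's or APQC's material) of the separation just described: segregation-of-duties rules are keyed on stable business activities, entitlements map to activities, and roles, including nested sub-roles, can be edited without touching the rules. The activity names, entitlements and roles are constructed stand-ins for a PCF-style taxonomy.

```python
"""Separating SOD risk models from roles: risk rules are written against
stable business activities; roles map to entitlements, entitlements map to
activities.  Added example (not IBM or APQC material); all activity names,
entitlements and roles are constructed stand-ins for a PCF-style taxonomy."""
from itertools import combinations

# Entitlement -> business activity (constructed; in practice the activity
# taxonomy would come from the LOB's PCF-style process model).
ENTITLEMENT_ACTIVITY = {
    "erp:vendor.create":    "maintain_vendor_master",
    "erp:vendor.edit_bank": "maintain_vendor_master",
    "erp:invoice.enter":    "process_invoices",
    "erp:payment.approve":  "approve_vendor_payment",
    "bank:wire.release":    "approve_vendor_payment",
    "erp:journal.post":     "post_general_ledger",
    "erp:report.view":      "financial_reporting",
}

# Toxic combinations, expressed on activities, never on roles or entitlements.
# These stay fixed while roles churn underneath them.
SOD_RULES = {
    frozenset({"maintain_vendor_master", "approve_vendor_payment"}),
    frozenset({"process_invoices", "approve_vendor_payment"}),
    frozenset({"approve_vendor_payment", "post_general_ledger"}),
}

# Roles may nest sub-roles; this is the part that is constantly modified.
ROLES = {
    "ap_clerk":      {"ents": {"erp:vendor.create", "erp:invoice.enter"}, "subs": set()},
    "ap_supervisor": {"ents": {"erp:payment.approve"}, "subs": {"reporting"}},
    "reporting":     {"ents": {"erp:report.view"}, "subs": set()},
    "gl_accountant": {"ents": {"erp:journal.post"}, "subs": {"reporting"}},
}


def role_entitlements(role, roles=ROLES, seen=None):
    """Flatten a role and its sub-roles into the set of entitlements it grants."""
    seen = set() if seen is None else seen
    if role in seen:                      # guard against cyclic sub-role definitions
        return set()
    seen.add(role)
    ents = set(roles[role]["ents"])
    for sub in roles[role]["subs"]:
        ents |= role_entitlements(sub, roles, seen)
    return ents


def activities_of(entitlements):
    """Group entitlements by the business activity each one enables."""
    by_activity = {}
    for ent in entitlements:
        act = ENTITLEMENT_ACTIVITY.get(ent)
        if act is None:                   # an unmapped entitlement cannot be risk-rated
            raise KeyError(f"unmapped entitlement {ent!r}: map it before granting it")
        by_activity.setdefault(act, set()).add(ent)
    return by_activity


def sod_violations(entitlements, rules=SOD_RULES):
    """Return the toxic activity pairs present in an entitlement set, each with
    the entitlements that cause it, so an analyst sees what to remove."""
    by_activity = activities_of(entitlements)
    hits = []
    for a, b in combinations(sorted(by_activity), 2):
        if frozenset({a, b}) in rules:
            hits.append(((a, b), by_activity[a] | by_activity[b]))
    return hits


def user_violations(user_roles, roles=ROLES):
    """Check a user's combined roles; a conflict may span two otherwise clean roles."""
    ents = set()
    for r in user_roles:
        ents |= role_entitlements(r, roles)
    return sod_violations(ents)


def add_entitlement(role, ent, roles=ROLES):
    """Simulate role maintenance: would adding `ent` make the role itself toxic?
    No SOD rule changes are needed, because rules are keyed on activities."""
    proposed = role_entitlements(role, roles) | {ent}
    return sod_violations(proposed)


if __name__ == "__main__":
    print("clerk + supervisor:", user_violations({"ap_clerk", "ap_supervisor"}))
    print("clerk gains wire release:", add_entitlement("ap_clerk", "bank:wire.release"))
```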

At this point in time, only IBM Security Identity and Access Governance can separate risk modeling from role management, embrace the APQC PCF model and accommodate an organization’s own business activities. The solution was designed from the ground up to leverage this more effective business activity risk modeling approach. This allows security professionals to use roles the way they were originally intended instead of introducing inefficiencies into the risk management and modeling strategies.

Read the white paper: How Identity Governance became a key compliance and risk control

The post The Risk Modeling Gotcha: Roles Are Like Hammers to Screws appeared first on Security Intelligence.

Secure and Seamless? Building Great Consumer Experiences With Silent IAM

Line-of-business (LOB) managers understand the importance of creating simple and positive digital experiences for consumers. Making it easy to do business with your company helps build loyalty and drives sales. In the identity and access management (IAM) space, this means facilitating user onboarding and logins from any device anywhere — and keeping those processes as smooth and simple as possible, free of stepped-up authentication requirements such as one-time passwords (OTPs).

Balancing Security and Convenience With Silent IAM

Internal users handle digital experiences differently than consumers. While a business’s internal users are mandated to use certain systems in their workplace, consumers can opt in or out of whatever services they please. Here, your IAM strategy becomes essential to your relationship with your users.

While your internal users may become frustrated when faced with OTPs, consumers will simply abandon your site without hesitation. Therefore, you must make the digital experience pleasant or run the risk of losing out to the competition. Case in point: One recent study revealed that consumers who find authentication processes easy to use leverage digital services 10 to 20 percent more than customers who are frustrated by them.

Even so, organizations must put security measures in place to safeguard both customer data and organizational resources. In fact, according to Forrester, customer identity and access management (CIAM) is expected to be one of the fastest-growing areas of IAM in 2018.

We’ve seen CIAM implemented effectively in a customer-pleasing way when companies enable users to log in via their social network credentials. Simply sign on from any device, and you’ll never have to re-enter your password. Customers have come to expect such hassle-free digital experiences.

Successfully deploying an IAM solution that achieves strong security and delivers an excellent digital experience requires close collaboration between the chief information security officer (CISO) and the LOB executive. Yet too often LOB executives, in their race to create an excellent customer experience, drive CIAM without the CISO’s involvement. Security is left as an afterthought.

Use Strong Security, But Keep It Silent

How are the leading consumer-facing businesses of the world striking a balance between security and a great customer experience? In all likelihood, they’re leveraging silent security. Simply put, silent security works in the background to connect people to the information and applications they need, intervening only when bad actors are detected.

You don’t have to sacrifice security for a great digital experience. IBM IAM solutions provide silent security, working in conjunction with other security tools to verify and protect user identities. You’ll be able to offer near-frictionless authentication for your customers with features such as single sign-on for the one-password logins customers expect, as well as user self-service features for password resets and more. Plus, users can leverage social network identities for fast registration and developers can directly integrate strong authentication.

With IBM IAM solutions, access management and identity governance are applied consistently, regardless of resource type, and access decisions are backed by analytics for speed and efficiency. As a result, LOB managers and IT professionals can partner to make better access decisions, and you can provide the experience that internal and external users have come to expect without changing the applications being secured.

IBM IAM can help you achieve your digital transformation, making your CIAM initiatives successful for LOB executives and the CISO with silent security that both protects the business and helps it grow.

Discover how IBM identity and access management solutions provide strong security by going silent

The post Secure and Seamless? Building Great Consumer Experiences With Silent IAM appeared first on Security Intelligence.

Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud

Organizations are flocking to cloud services and mobile devices to cut costs and boost productivity. Despite the benefits, these technologies exacerbate the challenge of verifying identities and managing access to applications and data by consumers, employees and business partners from multiple devices and locations.

Let’s take a look at some of the most common identity and access management (IAM) challenges and how organizations can resolve them without compromising employee productivity.

Common Identity and Access Management Challenges

Organizations struggle to vet identities and approve access requests because the data resides in various locations and business units. Requesters often encounter roadblocks when seeking access, leading them to escalate requests to upper management and override the proper vetting process. Furthermore, those tasked with approving requests lack sufficient insight into which employees require access to confidential data.

The lack of a centralized, authoritative identity repository makes reconciliation another significant challenge. Additional problems arise when the privileges actually present on systems exceed, or fall short of, the access levels that were previously granted and provisioned.

When it comes to certification and accreditation, examiners may have insufficient knowledge of access needs. Not to mention, processes tend to be manual, cumbersome and inconsistent between business units. This task becomes even more difficult when examiners must conduct multiple, redundant and granular validations.

Provisioning and deprovisioning identities can pose a critical challenge when manual provisioning processes are ineffective. Organizations that fail to remove improper IAM privileges or resort to cloning access profiles will face similar struggles.

Failure to segregate duties and monitor administrators, power users and temporary access privileges can further impede enforcement. Other issues include lack of support for centralized access management solutions, such as directories and single sign-on, outdated or nonexistent access management policies, and failure to establish rule-based access.

Finally, compliance concerns arise when performance metrics do not exist and/or do not align with security requirements, such as removing identities and access privileges automatically upon an employee’s termination. Laborious and time-consuming audits only make this problem worse.

The CISO’s Role in Resolving IAM Issues

Chief information security officers (CISOs) must meet these challenges. Their teams must vet identities, approve appropriate access entitlements, and grant or revoke user identities, access and entitlements in a timely manner. Security leaders must also provision proper access to applications, data and resources for users who need it and examine identities and the corresponding access privileges periodically to realign with users’ job functions.

Enforcing compliance in accordance with the organization’s IAM policy is another key responsibility of the CISO. A strong IAM strategy also requires security leaders to define performance metrics and implement periodic or real-time automated auditing tools.

Considerations for Mobile and Cloud

Today, many organizations have gone mobile with bring-your-own-device (BYOD) policies, enabling employees to access corporate data remotely. IAM serves as a foundational security component in environments that connect to mobile platforms.

Cloud services have also added daunting complexity to the IAM equation, forcing organizations to operate their capabilities on-premises and integrate with similar capabilities delivered by a cloud service provider (CSP). While these cloud platforms increase reliance on logical access controls, they also reduce the role of network access controls.

Federation, role-based access and cloud-based IAM solutions exist to address these requirements. For example, the need to access apps hosted on the cloud goes hand in hand with the need to manage identities to protect personally identifiable information (PII).

Identity-as-a-service (IDaaS) is another effective solution to accelerate IAM deployments in the cloud. IDaaS supports federated authentication, authorization and provisioning, and it is a viable alternative to on-premises IAM solutions. When it comes to return on security investment, IDaaS eliminates the expense of implementing an on-premises solution.

It’s important to understand the need for IAM capabilities that effectively govern access to internally hosted apps. In a hybrid cloud IAM model, the IDaaS solution will need agent APIs or appliances that operate within the IT infrastructure to completely outsource the function. Securing these agents and interfaces represents a new source of risk for most organizations, and this risk must be managed.

Integrating Identity Management With Data Loss Prevention

It’s common for security professionals to provide identity information from an IAM tool to a data loss prevention (DLP) solution that continuously monitors sensitive data and correlates events to minimize the risk of losing sensitive data. The events are also correlated with analytical artificial intelligence and machine learning tools that analyze historical access behaviors to detect potential fraud.

Both IAM and DLP solutions must be leveraged to address insider threats and emerging threat vectors. Behavioral analytics and incident forensics tools provide additional monitoring capabilities. By integrating both of these solutions, organizations can handle the fast pace of emerging IT trends and threats with mobile and cloud computing.

Securing Social Media Identities

Organizations often leverage social media to interact with their customers, increase brand awareness and create a common identity repository. But if these social identities are breached, companies can face legal, regulatory, operational and reputational risks that may lead to the loss of customers.

Social media services must deploy strong IAM solutions to protect corporate accounts. These solutions include multifactor authentication (MFA) and notifications to alert users of multiple failed login attempts or attempts to authenticate from anomalous geographic regions. Awareness programs to educate employees about social media security must be an essential ingredient. CISOs should also inquire with legal to ensure that service-level agreements (SLAs) with social media providers account for proper IAM practices.

The Best of Both Worlds

In our increasingly mobile and connected world, IAM is more crucial than ever. To remain competitive, businesses around the world must embrace technologies and policies that enable employees to be as productive as possible.

However, it only takes one major data breach to negate all the benefits of that productivity. With a strong IAM program that proactively monitors user behavior for potentially malicious activity and periodically realigns access privileges with shifting job roles, organizations can have the best of both worlds: an empowered, productive workforce and a robust data security strategy.


The post Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud appeared first on Security Intelligence.

Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT

Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.


Don’t Leave Your Keys in the Ignition — Safeguard High-Value Data With Privileged Access Management

User access credentials are prime targets for cyberthieves. Phishing and other social engineering attacks are all about obtaining access, and the advice you read about strong passwords and two-factor authentication is all about preventing bad actors from gaining access to your organization’s network.

But all user access is not created equal. What attackers really want is privileged access, such as administrator status. This access is what gives fraudsters the keys to the kingdom, which makes privileged identity management (PIM) a critical key to security. Unfortunately, according to recent data, organizations are not doing a good job of safeguarding these credentials.

Leaving the Keys in the Ignition

A study by One Identity revealed almost laughably bad practices regarding privileged access management. Nearly 1 in 5 organizations (18 percent) use paper logs to manage privileged credentials, while more than one-third (36 percent) rely on spreadsheets.

It gets worse: The vast majority (86 percent) of survey respondents indicated that they do not update privileged account passwords after using those accounts. Additionally, 40 percent said they leave default admin passwords for systems and infrastructure unchanged from the factory settings. For cyberthieves, this is roughly the equivalent to leaving your car with the keys in the ignition.

Keeping Sensitive Data Out of the Wrong Hands

Infosec Island noted that “the most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands.” The article detailed the key principles of privileged access management and outlined several things that organizations should be doing to keep credentials out of fraudsters’ hands, including:

  • Eliminating sharing of privileged credentials;
  • Holding individuals accountable for safeguarding these credentials;
  • Following a least privilege model for daily operations; and
  • Auditing the use of privileged credentials.

It’s important to note that the overwhelming majority of your users neither want nor need privileged access. In fact, most users don’t even know that administrator credentials and similar privileged accounts exist, let alone how to use them.

Your employees and other authorized users hate being barred from accessing websites and being prompted to come up with strong passwords. However, they normally don’t mind being denied privileged access because the last thing they want to do is mess with the system technically — they are happy to leave that stuff to IT.

Privileged Access Management Is Key to Robust Security

This is not to say that properly handling privileged access management is easy or free. Doing it right means taking time to think about how privileged access is handled. Large or complex networks might require a significant investment in tools to handle the mechanics and provide an audit trail, but improving privileged access management is one of the most critical steps organizations should take to minimize the risk of a serious, costly data breach.


The post Don’t Leave Your Keys in the Ignition — Safeguard High-Value Data With Privileged Access Management appeared first on Security Intelligence.

Identifying Named Pipe Impersonation and Other Malicious Privilege Escalation Techniques

Privilege escalation is one of the key components of any attack that involves penetrating a system. If threat actors have limited access due to a current user’s privilege levels, they will naturally aim to escalate their privileges before expanding the scope of the attack. How can security professionals detect malicious escalation techniques before adversaries get a chance to compromise critical systems and sensitive data?

There are several ways to do that, but let’s focus specifically on one of the tricks most commonly employed by malware developers and attackers: the named pipe impersonation technique.

Named Pipe Impersonation

One of the most well-known penetration testing frameworks is called Metasploit. Although designed for testing purposes, attackers can — and often do — use concepts from this framework maliciously to escalate their privileges on a compromised host to a system account, which is a high-privilege account type on Windows-based endpoints. Named pipe impersonation is a technique used in the Metasploit platform to escalate these privileges.

The legitimate named pipe technique is built into the Windows OS to facilitate communications between processes. The pipe technique uses a file to exchange messages between the two processes. For example, if one process wants to contact another, it can send a message over the network or by using a file, where one process writes the message to that file and the other one reads it.

Pipes are also used by various malware codes for covert communications. In the NotPetya ransomware attacks, for example, the malware reportedly spread through organizational networks. To move from one user to the next, it needed credentials, and it needed to obtain them stealthily. To do that, NotPetya typically started a new process to dump the victim’s credentials, and then used a named pipe to communicate between the NotPetya process and the credential-dumping process. This enabled it to covertly collect the dumped credentials.

But what do we mean by impersonating a named pipe? How do attackers use it to escalate their privileges to a system account? This malicious action goes back to the concept of privilege levels.

Let’s reflect by means of the following example: Let’s say I’m a service provider, you are my client and you ask me to execute a database query. As a provider, I may have full access to that database, but you, as a client, may have limited access that corresponds to the rights attributed to you as a user.

Since you are a user/client, I can use your credentials to execute the query on your behalf — if your access rights allow you to perform that database query. You will then receive the results, also according to the rights level. If the results cannot be provided to you as a user, it could mean that you don’t have sufficient access.

But what if you, as the client, somehow have higher privileges than the service provider? You can pass those escalated rights to the service provider by letting it use privileged credentials. In such a case, what if the provider should impersonate or abuse the client’s privileged account to perform malicious activities?

The same idea can be applied in the named pipe context. If a process creates a pipe, this process will be the pipe owner or the pipe server. When another process connects to this pipe, it will be called the pipe’s client. Once connected, the pipe server can use the pipe client’s privilege level, the client’s security context or the client’s access rights. This is a Windows feature that helps perform activities based on the client’s privileges, since the server may have full access, but the client typically has more limited rights.

This feature can be exploited by creating a pipe server with limited or low privileges and then attempting to connect a much more privileged client to that pipe server. When that happens, the pipe server can abuse the client’s elevated privileges to perform activities based on those access rights.

Metasploit facilitates and automates the abusing process and allows penetration testers to perform it by executing a single command. Behind the scenes, the tool creates a pipe server with limited privileges, then configures a Windows service (the client) to connect to that pipe.

Abusing the Named Pipe Feature by Using Metasploit Meterpreter

The tool commonly used to test the potential of impersonating a pipe is the Metasploit Meterpreter module. Meterpreter is a modular part of the Metasploit penetration testing framework. It is an advanced, dynamically extensible payload that uses in-memory Dynamic Link Library (DLL) injection stagers and is extended over the network at runtime. This tool is typically used in schemes that bear on communications between Windows processes, which makes it useful to an attacker looking to impersonate a legitimate named pipe.

Now let’s say a threat actor executes a malicious process called myLove.exe under user MARY, who has limited privileges on the compromised host. This malicious process will connect back to the attacker’s host and can allow the threat actor to remotely execute other commands via MARY.

The malicious process starts out with MARY’s limited privileges, but the attacker’s goal is to escalate his or her privileges from MARY’s level to a system-level user.

Meterpreter session showing the malicious process created a reverse connection to the attacker's host
Figure 1: Meterpreter session showing the malicious process created a reverse connection to the attacker’s host

By executing a getsystem command, myLove.exe will create a pipe with a random name. In our example, that random name was “dqwfqx,” but it could have been another name as well. This pipe is originally created with MARY’s user privilege level.

A Windows Sysmon event indicating a pipe has been created
Figure 2: A Windows Sysmon event indicating that a pipe has been created

The attacker’s challenge now is to convince a client with system-level privileges to connect to the new pipe. This is not hard to achieve, since Windows services can run as a system user and the attacker can install a new service or reconfigure an existing one to send any message to the named pipe “dqwfqx.”

Windows event indicating a service will be installed
Figure 3: Windows event indicating that a service was installed

The Windows Registry event shown below indicates that a service was installed and configured to connect to the named pipe “dqwfqx.”

Windows registry event indicating a service has been installed in the system
Figure 4: Windows registry event indicating that a service has been installed in the system

When the service starts, this time it launches cmd.exe as a system-level user and connects to a pipe created by MARY, which now leads to a system-level client connecting to a pipe server that was created by a lower-privileged user.

A new process has been created that will use cmd.exe to connect to the pipe
Figure 5: A new process has been created and the process will use cmd.exe to connect to the pipe

Detect It!

This malicious activity may happen relatively smoothly, but it can be detected by using an SIEM solution to look for a pipe creation event followed by a service that connects to the same pipe.

Screen capture from QRadar SIEM showing an alert about abuse of a named pipe
Figure 6: Screen capture from QRadar SIEM showing an alert about abuse of a named pipe

This approach can be expanded by creating or modifying a scheduled task to connect to a lower-privilege pipe. In general, it’s important to check whether any service or scheduled task is configured to connect to a pipe and to examine the underlying activity’s source.
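The correlation described above, written out as an added example (this is not code from the original article or from QRadar): a Sysmon Event ID 17 (Pipe Created) record from a non-system account, followed within a short window by a service install (System log 7045) or a scheduled-task creation (Security log 4698) whose command line names the same pipe. The event dictionaries and their field names are constructed, simplified stand-ins for the real log schema.

```python
import re
from datetime import datetime, timedelta

# Pipes created by these accounts are not "low-privilege servers" and are ignored.
HIGH_PRIV_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}
# Events in which a privileged "pipe client" gets configured, and the field that
# carries its command line: 7045 = service installed, 4698 = scheduled task created.
PIPE_CLIENT_EVENTS = {7045: "image_path", 4698: "command"}
# Matches \\.\pipe\<name> anywhere inside a command line.
PIPE_REF = re.compile(r"\\\\\.\\pipe\\([^\s\"'>]+)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)

# Constructed sample events (simplified field names, not the raw log schema).
# The first two reproduce the getsystem sequence from the text; the rest are
# benign noise: a SYSTEM-owned pipe and an ordinary vendor service install.
SAMPLE_EVENTS = [
    {"ts": "2018-01-15 10:00:02", "eid": 17, "user": "HOST\\MARY",
     "image": "C:\\Users\\MARY\\myLove.exe", "pipe": "\\dqwfqx"},
    {"ts": "2018-01-15 10:00:03", "eid": 7045, "user": "NT AUTHORITY\\SYSTEM",
     "service": "kXyZq", "image_path": "cmd.exe /c echo test > \\\\.\\pipe\\dqwfqx"},
    {"ts": "2018-01-15 10:05:00", "eid": 17, "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\lsass.exe", "pipe": "\\lsass"},
    {"ts": "2018-01-15 10:05:01", "eid": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task": "Updater", "command": "C:\\Program Files\\Vendor\\update.exe \\\\.\\pipe\\lsass"},
    {"ts": "2018-01-15 11:30:00", "eid": 7045, "user": "NT AUTHORITY\\SYSTEM",
     "service": "VendorSvc", "image_path": "\"C:\\Program Files\\Vendor\\svc.exe\""},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def pipe_impersonation_alerts(events, window=WINDOW):
    """Alert when a pipe created by a non-system account is named, within
    `window`, in a newly installed service or scheduled task: a privileged
    client is being steered to a pipe server owned by a low-privileged user."""
    created = {}   # lower-cased pipe name -> the Sysmon 17 event that created it
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["eid"] == 17:
            if ev["user"].upper() not in {u.upper() for u in HIGH_PRIV_USERS}:
                created[ev["pipe"].lstrip("\\").lower()] = ev
            continue
        field = PIPE_CLIENT_EVENTS.get(ev["eid"])
        if field is None:
            continue
        for name in PIPE_REF.findall(ev.get(field, "")):
            origin = created.get(name.lower())
            if origin and parse_ts(ev["ts"]) - parse_ts(origin["ts"]) <= window:
                alerts.append({"pipe": name, "created_by": origin["user"],
                               "creator_image": origin["image"],
                               "client_event": ev["eid"], "client_config": ev[field]})
    return alerts

if __name__ == "__main__":
    for alert in pipe_impersonation_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the MARY-owned pipe produces an alert; the SYSTEM-owned pipe referenced by the scheduled task is treated as normal inter-process traffic.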

Exploiting Misconfigured Services to Escalate Privileges

There are many ways in which attackers can exploit misconfigured services to conduct privilege escalation schemes. Below are some of the most prominent ones I have worked with in the past year, as well as some tips that can be useful in detecting them.

Services With Unquoted Binary Paths

One of the easiest techniques to escalate privileges is to look for any service with an unquoted executable file location. For example, if a service binary is located at C:\users\my company Service\myService.exe and that path is registered without quotes, Windows will try to locate the service binary by attempting to execute the following files, in order:

  • C:\users\my.exe;
  • C:\users\my company.exe; and
  • C:\users\my company Service\myService.exe.

If an attacker can place a malicious file with the name my.exe in C:\users\my.exe, he or she may be able to escalate to the service user’s privileges during the next service restart. The Windows OS service will start to search for the service executable file after a reboot and, while doing that, will execute the malicious file my.exe.

A proactive way to identify this type of activity is to use rules to detect any new service with an unquoted binary file location. Another great technique is to baseline or profile the processes that can run at the endpoint level and then check for any new unknown processes.

It’s also important to profile and baseline the processes that can run with system-level privileges to trigger an offense in cases where any new process attempts to run with system user privileges. This enables the security team to detect any privilege escalation attempts, even if a zero-day exploit is being used.
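As an added example (not code from the original article), the following Python reproduces the search order Windows applies to an unquoted service path and turns it into the audit check the text recommends: list every location where a planted file would be started before the intended binary. The sample service list is constructed; the `name`/`image_path` fields stand in for a service's registry ImagePath value.

```python
import ntpath

EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}

def _prefixes(path):
    """Yield (prefix, original_extension, candidate) for each space-delimited
    prefix of an unquoted path. CreateProcess appends .exe to a prefix that has
    no extension, which is why C:\\users\\my becomes C:\\users\\my.exe."""
    parts = path.split(" ")
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        ext = ntpath.splitext(prefix)[1]
        yield prefix, ext, (prefix if ext else prefix + ".exe")

def search_candidates(image_path):
    """Executables Windows would try, in order, to start the service.
    A quoted path yields exactly one candidate."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]
    return [cand for _, _, cand in _prefixes(path)]

def hijack_points(image_path):
    """Locations a planted file could occupy and be run *before* the real
    binary: every candidate ahead of the first prefix that already carries an
    executable extension. Whether a low-privileged user can actually write
    there depends on the directory ACL, which this offline check does not see."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    points = []
    for _, ext, cand in _prefixes(path):
        if ext.lower() in EXEC_EXTENSIONS:
            break
        points.append(cand)
    return points

def audit_services(services):
    """Return the services whose configured path exposes at least one hijack point."""
    findings = []
    for svc in services:
        points = hijack_points(svc["image_path"])
        if points:
            findings.append({"name": svc["name"], "image_path": svc["image_path"],
                             "hijack_points": points})
    return findings

# Constructed sample: the text's example service, a correctly quoted vendor
# service, and a system service whose unquoted path contains no spaces.
SAMPLE_SERVICES = [
    {"name": "myService", "image_path": r"C:\users\my company Service\myService.exe"},
    {"name": "VendorSvc", "image_path": r'"C:\Program Files\Vendor\svc.exe" -run'},
    {"name": "netsvcs", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding["name"], "->", finding["hijack_points"])
```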

Folder Access Control Lists

Attackers can also abuse the permissions assigned to the service executable folder, since a poorly written access control list (ACL) may allow local users to add or override these files. Threat actors can look for a service configured to run with higher user privileges. If they can override the service binary executable file with another malicious service executable file, then they can escalate their privileges to the service user level.

Security professionals can detect this technique by profiling and mapping the process name to the process hash. This enables security teams to identify known processes that start with unknown or unseen hashes.

Service Object Permissions

A misconfigured permission may allow a local user to change service attributes or reconfigure a service, which can allow an attacker to change the service binary location to another malicious executable. A common technique is to change the service binary location to a set of commands to add a new or existing user to the local administrators group. This can enable the attacker to escalate his or her limited privileges by hijacking the new admin user.

Security teams can detect such activity by looking for a service binary executable change followed by the addition of a new user to the admin group. They can also profile the service binary file attributes (e.g., name, hash), then trigger an offense if a known service starts with a new attribute (e.g., a new binary file hash or a different location for the service binary file).

Getting a Command Line Shell as a System-Level User — Hacker Style

In most privilege escalation attacks, threat actors attempt to get a command line with the highest privileges possible. In Windows, a highly privileged user is the system user. Normal endpoint users and even Windows administrators do not launch command lines as system-level users, so determining whether a command line is launched as a system user is a good place to start when it comes to detecting various privilege escalation techniques.

In a typical attack that uses Metasploit, attackers launch a command line as a system user after escalating their privileges. They may also opt to use legitimate Windows utilities, such as Sysinternals PsExec, which would help them execute processes as a system user on a local or remote machine.

Monitoring for command lines launched with system privileges is a great method to detect malicious processes. Another good approach is to profile the processes that can run as system and trigger an alert when a new unseen or unknown system-level process starts. View the X-Force Exchange collection for a list of legitimate Windows processes that do start with system-level privileges.

Getting a command-line shell as a system-level user using Metasploit
Figure 7: Getting a command line shell as a system-level user using Metasploit

Nipping Privilege Escalation in the Bud

Privilege escalation activity is often a precursor to a potentially devastating data breach involving the enterprise’s most sensitive data. By detecting the above techniques before they cause harm and using well-managed SIEM solutions to monitor pipe creation events and other suspicious activity, security professionals can save their organizations time, money and negative headlines.


The post Identifying Named Pipe Impersonation and Other Malicious Privilege Escalation Techniques appeared first on Security Intelligence.

Multistep Authentication Is No Longer Enough for PCI Compliance

Payment card industry (PCI) compliance has been a major concern for banking and e-commerce users. Providers need to satisfy several requirements to put their systems in an acceptable state to handle regulated data.

The requirements and security assessment procedures published in April 2016 within Payment Card Industry Data Security Standard (PCI DSS) version 3.2 described several best practices that will become mandatory starting Feb. 1, 2018. These controls are not intended to be deferred for the next validation or assessment, but to be implemented by that date. One of those requirements, 8.3.1, states that businesses must “incorporate multifactor authentication for all nonconsole access into the CDE for personnel with administrative access.”

What Is Multifactor Authentication?

Multifactor authentication (MFA) is a mechanism that requires users to present separate pieces of information — typically related to knowledge (something the user knows), possession (something the user has) and innate qualities (something the user is) — to gain access to privileged systems or accounts. For the PCI requirement, all administrative access to the cardholder data environment (CDE) infrastructure, application or database requires at least two different modes of authentication, which is commonly known as two-factor authentication (2FA). This elevates the difficulty for an attacker to compromise a system, thereby reducing risk.

In February 2017, the PCI Security Standards Council released an information supplement that described industry-accepted principles and best practices associated with MFA. It also offered guidance for organizations that are evaluating, implementing or upgrading MFA solutions and explained why multistep authentication methods are no longer enough to meet PCI compliance.

Multistep Versus Multifactor

The PCI requirement became simpler but more restrictive, since all factors must be verified prior to the authentication mechanism granting the requested access. Furthermore, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. If an unauthorized user can deduce the validity of any individual factor, it doesn’t really matter if a different factor is used for each step.

Let’s say that a CDE administrator is trying to log in to a system by Secure Shell (SSH) using a username and password. Once successfully validated, the console prompts him or her for a second factor, such as a one-time password (OTP) token. This process would be considered multistep authentication.

To be considered multifactor, the administrator should be able to provide the username, password and token at the same time. If access is denied, the system should do so without disclosing which factor was entered incorrectly.
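The distinction above, as an added example that is not part of the original post: a multistep login that checks the password first and reports each stage separately, beside a multifactor login that takes all factors at once, evaluates every one of them and returns only a single pass/fail. The user store, salt and password are constructed; the second factor is assumed to be an RFC 6238 time-based OTP, seeded with that RFC's test-vector secret so the results are reproducible.

```python
import hashlib
import hmac
import struct

SALT = b"constructed-demo-salt"   # a real deployment uses a random per-user salt

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password over HMAC-SHA1 (the assumed token)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

# Constructed user store holding one CDE administrator.
USERS = {
    "cde-admin": {"pw_hash": hash_password("correct horse battery"),
                  "totp_seed": b"12345678901234567890"},
}
# Stand-in record for unknown usernames, so the check costs the same and the
# response does not reveal whether the account exists.
DUMMY_USER = {"pw_hash": hash_password("dummy"), "totp_seed": b"\x00" * 20}

def multistep_login(username, password, otp, now):
    """The SSH-style flow from the text: password first, token only afterwards.
    Each stage reports its own failure, so a caller can confirm a password
    without ever possessing the token."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password)):
        return (False, "invalid username or password")
    if not hmac.compare_digest(totp(user["totp_seed"], now), otp):
        return (False, "invalid one-time code")
    return (True, "ok")

def multifactor_login(username, password, otp, now):
    """All factors are presented together and every factor is evaluated before
    any decision is made; the only outcomes are success or one generic failure."""
    user = USERS.get(username, DUMMY_USER)
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    otp_ok = hmac.compare_digest(totp(user["totp_seed"], now), otp)
    return bool(pw_ok & otp_ok & (username in USERS))
```

With the multistep function, a wrong password and a wrong token produce different messages; the multifactor function returns the same False for both, and for an unknown username.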

PCI Compliance Leads to Improved Data Security

There are other security controls that will become mandatory in February 2018, such as 6.4.6, which declares that all PCI DSS requirements must be implemented for all new or changed systems and networks. There is also a requirement for businesses to conduct penetration testing of segmentation controls every six months.

These new standards show that PCI DSS is going beyond the compliance-only approach, urging businesses to implement better security measures to protect their systems, data and customers.

The post Multistep Authentication Is No Longer Enough for PCI Compliance appeared first on Security Intelligence.