Written by CloudTalent – published 9 March 2016
In my last few blogs on identity management I’ve touched on security a little. This time, I want to delve further. I know this is a really big subject and there’s only so much we can cover, but I would like to get you to think about the vulnerabilities that attackers exploit.
Ultimately security really boils down to one – trust!
Why? Well, we put all our faith in a device or person to protect us and trust they won’t be compromised in any way. After all, we have to trust something or someone otherwise we’d never communicate or work together.
In the not-so-distant past, things were more straight-forward. We put all our effort into protecting the boundary of our organisation with sophisticated firewalls, scanners and other devices to make sure that our precious data wasn’t the target of unscrupulous adversaries. But there were still inherent weaknesses in this model. Today things are very different! We operate in a much more diversified way – BYOD, Cloud Services, Internet facing servers… making our boundaries more vague.
This means we can no longer rely on simple boundary protection. Security now is all about authentication and authorization.
When we discuss security, we always talk in layers – there is no single answer to protecting your data, it’s all about layering the protection and mitigating every eventuality. For this post, we are talking the innermost layers; privileged access!
If you look at the diagram below, you can see the areas we are talking about. Remember, an adversary can control a target object if they can take control of something within that object.
I visit a lot of different clients, and because of the nature of work I perform, I am able to see the real health of a customer’s infrastructure. I’ll be honest, it frightens me at just how much unconscious risk taking I see.
Many organisations assign wide-scale privileged access to their staff and allow them to use this all day, every day. These employees browse the internet and manage their employers most prized access control (Active Directory) using the same account on the same computer that they have just spent their lunch accessing the internet! Let’s not forget the phishing emails too! And it doesn’t matter how aware you are, everyone at some point will be caught out. No? Remember that word trust? You get an email from your friend saying have a look at this! You trust your friend, after all, why shouldn’t you? Ugh, except they never sent the mail. Their account was hacked and they unwittingly became a bot-net because an internet site they visited was compromised.
So now, you, the administrator for your company has an infected client. Your account has full access to all Active Directory services. The attacker now has full access to all your data and will use this undetected for weeks, months, maybe even years. Or they may just decide that destruction is more fun and unload some denial of service (DOS) attack on the whole of your organisation! If you look at that diagram again, you will see the most common attack vector used in this type of attack– lateral traversal. I’ve even seen this in situations where the user was not a domain administrator, but had admin access to the local machine which just so happened to share the same passwords as other devices.
As you can see, it doesn’t take much to bring down an organisation, and that’s why attackers try many different approaches – some are easier than others.
You will see this subject take on even more emphasis over the next year or so. Microsoft are putting more effort into security than ever before! Windows Server 2016 and Windows 10 feature more ways to protect your data through the Securing Privileged Access principle. Also, we talked about this in one of our earlier IDAM blogs: MIM Privileged Access Management, which allows you to assign just in time administration – privileged access on a timed basis as opposed to permanent access and then monitor that use.
Does this strike a chord? I will be interested to know what you think.
“Tradition becomes our security, and when the mind is secure it is in decay.”
― Jiddu Krishnamurti