We must fundamentally transform our approach to security – Identity is the perimeter.
“Only amateurs attack machines; professionals target people.”
Hello security community! Members of the Microsoft Security Community, Gary Green, Rick Sasser, Scott Brondel, John Rodriguez, Rick Bergman, and Jared Poeppelman collaborated on this blog entry.
The purpose of this blog is not to announce a new vulnerability or predict a particular imminent compromise. We are not offering a stunning analysis as a result of connecting the dots or deep analysis of big data. It is abundantly clear we as a profession are not succeeding in protecting our enterprises and individuals from attack and we need to change our approach.
Schneier, Bruce (2000-10-15). Semantic Attacks: The Third Wave of Network Attacks. Schneier on Security blog.
Schneier wrote this fifteen years ago. Even way back then everyone already knew it. It’s a great article with good insights, but the premise was as controversial as claiming water to be wet. Amazingly, there was almost no action to correct the flaws in our approach to security, nor even in the operational definition of security. This deficit persists to this day. There is a reflexive equating of security with network security. Perhaps you add antivirus and patching, but most see security as consisting primarily of firewalls. This is a fallacy. The days when you could put a perimeter firewall between you and the world and feel safe are as far gone as my father’s remembrances of not locking the front door of the family home in the small farming town in which he grew up.
The network team and their firewalls can no longer be assumed to be the primary means of defense. Firewalls reduce SURFACE AREA, but they are not in and of themselves security. Many firewall implementations are security theatre that add little real value. The first security paradigm that we can discard is the idea that the network is the perimeter.
The landscape has gotten progressively worse since Schneier’s article. We now have to deal with Advanced Persistent Threats (APTs).
The bad guys are really bad. APTs are not just individuals looking for a quick, easy score (there are plenty of those); APTs are well-funded, fully staffed, well-organized, highly skilled professional organizations that are collecting data on you, your business and everything else, and they are up to no good. They keep this data and build quite the profile of individuals and organizations. They look for what’s there, collect it, keep it and take the time to connect the dots. Then they can execute sophisticated attacks – they get in and stay. They persist within your organization, computer, and phone.
Changes that make APTs a reality:
Information is ubiquitous
Everyone is connected
There is a financial incentive
If that’s not enough to keep you awake at night, please read the Kaspersky Equation White Paper. APTs are interdicting shipments to pre-load malware/Trojans/backdoors. Wow, just wow.
Identity, and all the goodies you can get to if you have the right identity (let’s say yours), is the real target. Technology can only be a part of the solution. Solving security problems with technology alone is a fallacy. You can configure two-factor authentication to be required (recommended – a very good thing to do), but if the user takes a Sharpie, writes their PIN on the smart card and passes it around, well, what was the point? You’re worse off than if you had a complex password, which is itself insufficient on its own. You can design and implement the most secure system possible, but if all the controls are disabled and processes are not followed, it will become as vulnerable as if none of the work had been done to secure it.
Thinking you checked the security box when you passed the audit is a fallacy. All of those big organizations where credit cards and identities were stolen in bulk passed their audits too. Minimum compliance is not enough.
Rationally, you know that compromise is almost certain and that it will be disastrous. The bad guys go after everyone. They are always trying, 24/7. Saying it won’t happen to you or your business is the weakest and most transparent of all the lies we tell ourselves. Defending yourself from today’s cyber threats may be what lets you keep a bottom line to worry about, a home to come home to, a job, money – all the things that matter to you. It’s worth the effort and it needs to be the highest priority, but you know that. So we need some new rules of the road to internalize.
Identity is the new perimeter. We have to focus on protecting Identity.
Identity is transmitted with every transaction and extends the perimeter beyond the corporate boundaries, so our protection of it must also extend beyond those boundaries.
Proposed rules of Identity:
1. If a bad guy can persuade some company to believe they are you, then they have access to all your data stored at that organization and potentially any other organization that trusts them.
2. If a bad guy can alter the password on your account, then they have access to all the data accessible by that account.
3. If a bad guy can steal or social engineer the password of your account, then they have access to all the data accessible by that account (and all accounts using the same password) and potentially any other customer that trusts the account provider.
4. If the bad guy can get answers to your security questions from social media, your accounts aren’t yours anymore, and therefore they have access to all the data accessible by accounts where you used those security questions.
5. If the bad guy can access your password or hash of your password, it isn’t your account anymore, and therefore they have access to all the data accessible by that account (and all accounts using the same password).
6. Multi-Factor Authentication (MFA) is not a panacea; it protects against PASSWORD theft, not CREDENTIAL theft. If the bad guy has admin/root access on the machine where you logged on with MFA, then they have access to your account (and you are back to Rule #1).
7. MFA without credential protection (for example, anti-hammering, user notifications, or active auditing) means that if the second factor is obtained, the attacker is back to brute-forcing the password. If the bad guy then brute-forces the password, they have access to your account (and you are back to Rule #1).
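As an added illustration of Rule 7 (example code written for this post, not code from the original blog entry or from Microsoft), the following Python simulates a login check that pairs a second factor with the three credential protections the rule names: anti-hammering (lockout after repeated failures), a notification to the account owner, and an audit record of every attempt. The threshold, lockout window, user names and passwords are assumed sample values.

```python
import hmac
import os
from dataclasses import dataclass
from hashlib import pbkdf2_hmac

MAX_FAILURES = 5        # anti-hammering threshold (assumed policy value)
LOCKOUT_SECONDS = 900   # how long the account stays locked (assumed)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

class AuthService:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []       # active auditing: every attempt is recorded
        self.notifications = []   # user notifications: owner is told about lockouts

    @staticmethod
    def _hash(salt, password):
        return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(salt, password))

    def login(self, user, password, second_factor_ok, now):
        acct = self.accounts.get(user)
        if acct is None:
            self.audit_log.append((now, user, "unknown-user"))
            return False
        if now < acct.locked_until:
            # anti-hammering: while locked, every guess is refused, even a correct one
            self.audit_log.append((now, user, "rejected-locked"))
            return False
        pw_ok = hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password))
        if pw_ok and second_factor_ok:
            acct.failures = 0
            self.audit_log.append((now, user, "success"))
            return True
        acct.failures += 1
        self.audit_log.append((now, user, "failure"))
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self.notifications.append((user, "account locked after repeated failures"))
        return False
```

With a stolen second factor, a guessing attacker still hits the lockout before reaching the correct password, the owner is notified, and the audit log shows the whole sequence; without those three controls the same loop would simply continue until it succeeded.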
My sincere hope is that in another fifteen years we will be talking about the bad old days when identity/credential theft was commonplace. Where to start?
We have to start with the individual whom the identity represents. You establish a cyber-identity as an employee, bank customer, citizen or credit card holder with an implied, if not explicit, responsibility. Ultimately you will bear the brunt of a compromise of your identity. The compromise of one identity can result in a cascade effect – think of losing the email account to which your password reset mails are sent. Security is not just the job of a team of people at work who impose onerous requirements which you reluctantly comply with and circumvent when no one is looking. It is not OK to write your password on a piece of tape on the bottom of your keyboard. Think. Be careful. Be conscientious. Work at it. Take it seriously. You lock your doors, look both ways before you cross the street, check your bank statements and watch your kids to keep them safe. This is your responsibility. It is your job, your duty and the way you have to live your life. Make it clear to the members of your organization that the management and security of their identity is their responsibility as much as it is yours.
Next, the structure of how security is implemented in an organization is critical. As above, the network team cannot be the security team. The security team is the security team. They need the resources to implement and maintain an effective holistic solution appropriate to your organization and the voice to ensure necessary compliance.
The chief information security officer should report to the CEO and interact with the board of directors. Security has to be part of the management ‘dashboard’. Big change I know.
As an industry, we know what we need to do. It is incumbent upon us all to take ownership of driving this change in perspective.
- Gary Green