When hackers thought to be working at the whim of Russian president Vladimir Putin cracked the Democratic National Committee’s network, they achieved their goal using stolen credentials.
There was no logic bomb, no interdiction effort slipping backdoors into hardware en route to Washington, DC, but rather slick phishing emails that harvested staff logins. More accurately, it was hundreds of these messages, targeted at bureaucrats, contractors and think tanks in a bid by Moscow to steal privileged accounts, that America’s chief intelligence agencies say ultimately helped Trump into office.
History’s biggest hacking story is one yet to be fully told, but it is a narrative composed in no small part of the same routine tactics that every year help criminals compromise enterprises, government agencies and local businesses around Australia.
Criminals phish credentials with ease, all too often gaining excessive access to areas of the corporate network. Think about your work computer: are there restrictions in place stopping you from downloading and running an application? From accessing directories?
Perhaps. But the reality is that attacks are successful because it is far easier to hand staff access-all-areas rights than to understand the specific places and platforms they need to access in order to do their jobs. Security researchers reckon 60-85 percent of critical vulnerabilities could be mitigated just by eliminating administrator rights.
Clunky passwords and security challenges that interrupt time-poor staff and customers are not the answer, and are already dying a swift death as enterprises and governments flock to the slicker security of identity and access management (IAM).
And you are?
Andrew Latham is on something of a mission for the ultimate frictionless authentication experience. Now regional director of customer engineering at ForgeRock, Latham has spent more than two decades dealing with identity and authentication within banks and large organisations, in roles, including penetration testing, that have given him an appreciation for the role identity plays in attackers’ tools, tactics and procedures.
For Latham, the main challenge is in external rather than internal identity management; specifically, in helping businesses to push frictionless authentication to customers. “It is essentially the same problem we had 20 years ago, and now focus has shifted from internal identity to external, and from auditing to customer experience,” says Latham of customer IAM. “It is about providing the right level of authentication to trusted customers.”
It is a multi-tiered approach in which scale and ease of use are king. Latham speaks of systems that request chunks of identity material, rather than requesting a whole slab and risking the ire of a more privacy-conscious world. The reasons why items of identity are requested must be better explained too, and not demanded on the back of boilerplates.
Privacy is not the only driver. Users now engaged with Facebook, Twitter and Google are used to frictionless authentication and intolerant of clunky login systems. “You can’t treat customers like you do staff,” Latham says, speaking of the leeway in deploying and testing authentication across internal-facing systems.
As customers build their relationship with the business, more information can be requested. “Customers really own their identity,” Latham says. “You can ask for more information in order for customers to access more value-add channels, but the first interaction has to be very low-friction.” This is progressive profiling, and it allows for users to more quickly interact with the business on meaningful levels. “Say Facebook authentication is level one, and customers can receive marketing data and open an account, but if they want to perhaps transfer money, they’ll need to provide a mobile phone number or similar that meets an increased level of assurance.”
He draws comparisons to the ease of Facebook, something that has come to represent the baseline expectations of frictionless identity management. The statistics differ depending on whom you ask, but conservative figures reckon north of 60 percent of users will leave when they encounter a complex or clunky registration hurdle.
With identities established, customers will now seek the same friction-free user experience in other areas, including profile management and personalisation.
Throughout the process of building a relationship on easy, trusted, step-by-step identity management are opportunities for businesses to provide more targeted and personalised engagement of their now engaged customers.
It is an emerging area and something Latham reckons is well suited to resellers deeply involved in cloud services. It is also an area that does not permit set-and-forget deployments: “It is a brand new area,” Latham says. “There is no room for cookie-cutter approaches. How do you deploy Westpac’s solution to others? You can’t.”
The big banks, which have the most to win and lose from customer IAM, were early adopters, and are now on their second, third and even fourth attempts at deployment.
Administrator access is the end goal of your average enterprise hacker. With the highest privileges attained, attackers are free to explore the network, pivoting to more sensitive servers and installing backdoors to ensure they have persistence on systems. Infections from drive-by downloads that compromise administrator accounts could compromise entire networks.
Strong identity management can help eliminate this dangerous attack vector, and it works internally much the same as for customers. Here, staff are set peasant privileges and can request higher-access rights on a temporary or permanent basis.
“Organisations need to ask ‘what privilege does the user need?’,” says Niall King, senior sales director for Asia Pacific at Centrify. “They need the minimum read-only privilege, elevated at the right time.”
The Australian Signals Directorate agrees: the agency believes its top four mitigations for targeted intrusion will prevent 85 percent of breaches.
However, staff slapped with limited access rights may heap scorn on IT shops if the restrictions interrupt their work by preventing access to needed files and folders. “The rise of cloud adoption has blurred the perimeter, and sensitive information is moving beyond the firewall,” says Clarence Cheah, sales engineering director with Okta. “And you don’t want to be playing catch-up with apps staff want to use, which is where identity management comes in.”
Cheah says the wins amount to no mere drop in staff password requests: total resets can fall by 95 percent.
Staff can request elevation of their privileges, confirming their identities using a variety of second-factor authentication mechanisms. Time-limited URLs can grant administrator access for a short period, ensuring staff can do their jobs without risking the network should that one employee be compromised. “It locks [credentials] down, because we can tie it to an approval process that hackers cannot get past,” King says.
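The time-limited elevation link described above can be sketched as an HMAC-signed URL that binds the user, the role, an approval record and an expiry. This is an added example, not code from the article or from any vendor named in it; the endpoint, key, field names and the `CHG-1042` approval ID are constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; a real key would come from a secrets manager.
SECRET = b"constructed-demo-key"
BASE = "https://pam.example.internal/elevate"  # hypothetical endpoint
FIELDS = {"user", "role", "approval", "exp"}


def _sign(fields):
    # Canonical form: sorted, URL-encoded pairs, so values cannot be re-split.
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_elevation_url(user, role, approval_id, ttl_s, now=None):
    """Mint a URL granting `role` to `user` until now + ttl_s seconds."""
    now = int(time.time() if now is None else now)
    fields = {"user": user, "role": role, "approval": approval_id,
              "exp": str(now + ttl_s)}
    return BASE + "?" + urlencode({**fields, "sig": _sign(fields)})


def check_elevation_url(url, presenting_user, live_approvals, now=None):
    """Return (True, role) or (False, reason). `presenting_user` is assumed
    to have already passed second-factor authentication."""
    now = int(time.time() if now is None else now)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    sig = q.pop("sig", "")
    if set(q) != FIELDS:
        return (False, "malformed")
    # Verify integrity first; only then trust any field, including exp.
    if not hmac.compare_digest(sig.encode(), _sign(q).encode()):
        return (False, "bad signature")
    if now >= int(q["exp"]):
        return (False, "expired")
    if q["user"] != presenting_user:
        return (False, "wrong user")  # a stolen link is useless to others
    if q["approval"] not in live_approvals:
        return (False, "approval not active")  # approver can revoke early
    return (True, q["role"])
```

Because the approval ID is checked against the live set on every use, withdrawing the approval ends the elevation before the link's own expiry.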
Latham, King and Cheah all agree industries are lining up. Government and finance sectors dominate the big player space, but much smaller businesses are cashing in. It makes sense they would; users are only increasing their diet of integrated seamless sign-ins that leave old-school registration forms for dead. Those who take on smarter, smoother identity management will reap the rewards.