Friday, December 25, 2020

...the "Island of Authentication" Concept...

..."Islands of Authentication"... or "IoA". I've used this term for so long that I assumed it must be part of the lexicon and the concept well understood...and I am mistaken.

No one understands what I mean when I use this term, so I am claiming it for "180A Consulting" and the "Secret CISO". Take that! Bembridge Scholars!

But what, you ask, are "Islands of Authentication" [IoA]?

IoA are systems or software applications so critical, so capable, or so high risk that the risk of integrating them into a centralized authentication service (Active Directory, a cloud SSO provider) is unacceptable. An island keeps its own, separate credentials, so that a compromise of the central directory does not automatically become a compromise of the island.

# # # # #

Microsoft's Active Directory technology is a great boon to both Cyber Security and Convenience; however, it comes with risks that their marketing department would rather not talk about.

The internet is rife with stories about security problems with the "Windows operating system", and make no mistake, Active Directory is part of the Windows operating system's DNA: a domain-joined Windows machine trusts the domain for logon, group policy and privilege, and you cannot pull that dependency out without crippling the way the environment works.

Don't believe me? Take a look here... https://adsecurity.org/

This website is a rabbit hole the Cyber Security student could fall down and never emerge from. If you are a Cyber Security newbie and you can muddle through this website, you will come out the other end a changed person.

# # # # #

Think about this...Ransomware.

Did your heart kind of skip a beat? Mine too...

Star Lord said it best...

# # # # #  Disclaimer - the following is not FUD (fear, uncertainty and doubt), ask around...the following scenario is DRAMATICALLY simplified  # # # # #

A timely example of why Islands of Authentication are "business critical".

SUNDAY:  Your sysadmin "Sam" goes home over a long holiday weekend, gets bored, surfs some porn and downloads some torrents. Since Sam is a knowledgeable and lazy professional, Sam's laptop account is a "local admin". The malware bundled with that download (let's call it TINKERBELL), which is now sniffing around the laptop, is therefore also a "local admin".

MONDAY - 08:59:  Sam walks into the office, plugs into your corporate network, and the malware (TINKERBELL) begins exploring your business network...

Next, Sam switches to the "elevated privilege" account "Sam-ADMIN" (catchy...who would want to crack that account...am I right?) and logs into your backup software using Microsoft Active Directory credentials. Because Tinkerbell is local admin on the very same laptop, it can ride along on that session or lift the credential material behind it.

MONDAY - 9:00 A.M.:  Now Tinkerbell "owns" the backups for all of your critical corporate systems, AND, since your backup software knows where your disaster recovery site is, Tinkerbell now knows too.

MONDAY - 9:02 A.M.:  Tinkerbell goes to work. Tinkerbell phones home for an encryption key to lock you out of your Disaster Recovery site and the backup data stored there. Since your pricey SIEM is set up for weekly reports rather than real-time alerting (and there is no SOAR to act on an alert), it will tell you about Tinkerbell phoning home for tools to destroy your business...in a week. Silly Wabbit! Tinkerbell has also been busy...

MONDAY - 9:03 A.M.:  Tinkerbell uses the "Sam-ADMIN" account to take control of your Microsoft Active Directory servers AND your AZURE Cloud infrastructure. Your IT staff is beginning to notice that something is amiss; however, your super-duper SIEM hasn't reported anything, so no one is worrying (you never configured your SIEM for "real time alerting" because "...that's hard..."). But that's not all!

MONDAY - 9:04 A.M.:  Tinkerbell is getting ready to change the passwords on all of your "human-name-ADMIN" Microsoft Active Directory accounts (I mean, really? Adding ADMIN to the user ID? Could you make it any easier?). I guess you could just post the user IDs and passwords on REDDIT, but I digress... Someone should have told you about the concept of a Privileged Access Workstation, but that's a topic for another episode...

MONDAY - 9:05 A.M.:  Tinkerbell strikes.

  • Your DR site backup copies are now encrypted - you can no longer use them to recover your business...
  • Your routers, WAN routers included, are down (Tinkerbell used your RADIUS integration with Microsoft Active Directory to "own" your CISCO network too, clever girl!)
  • Your AZURE Cloud systems now belong to Tinkerbell (you synchronized your on-premise AD to AZURE for the sake of "convenience").
  • Your HR systems now belong to Tinkerbell
  • Your FINANCE systems now belong to Tinkerbell (where did all the money go?)
  • Your Salesforce systems now belong to Tinkerbell (your "cloud single sign-on" system was using the Sam-ADMIN account...oops!).
  • Your VPN concentrators now belong to Tinkerbell
  • Your VoIP telephone systems now belong to Tinkerbell
  • Your public websites have been defaced, telling EVERYONE about Tinkerbell's takeover of your business!
  • Your business partners have received an email from Tinkerbell announcing the takeover
  • Your employees have received a courteous text message announcing the takeover and the terms of the Ransomware Attack

And...since all of your systems are integrated into Microsoft Active Directory, there is NOTHING you can do; you cannot even log into any of your systems. Tinkerbell is the new CEO. Had your backups, your DR site and your network gear been Islands of Authentication with their own credentials, the Sam-ADMIN account would have opened none of those doors.
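The Monday-morning sequence above, turned into detection logic as an added example (this is not code from the original post): a small correlator that enforces two rules at ingest time rather than in a weekly report. The island rule says a host designated as an authentication island (backup server, DR vault) must only ever see its own local accounts, never a domain account. The blast-radius rule says one privileged domain account touching more than two system tiers inside five minutes deserves a real-time alert. The host names, the "-ADMIN" naming convention, the tier inventory and the log lines are all constructed for the example and are assumptions, not a real SIEM schema.

```python
# Added example, not part of the original post. Inventory, account naming
# convention and log format below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory: host -> (tier, is_island)
ASSETS = {
    "BACKUP01": ("backup", True),
    "DRVAULT01": ("backup", True),
    "DC01": ("identity", False),
    "AZURE-AD-CONNECT": ("cloud", False),
    "RADIUS01": ("network", False),
    "SSO-PROXY": ("sso", False),
}

PRIVILEGED_SUFFIX = "-ADMIN"      # the naming convention the post mocks
WINDOW = timedelta(minutes=5)
MAX_TIERS = 2


def parse_event(line):
    """Parse 'ISO-timestamp|DOMAIN\\user|target_host|logon_type' (constructed format)."""
    ts, account, host, logon_type = line.strip().split("|")
    domain, _, user = account.partition("\\")
    return {
        "ts": datetime.fromisoformat(ts),
        "domain": domain.upper(),
        "user": user,
        "host": host.upper(),
        "logon_type": int(logon_type),
    }


def is_domain_account(ev):
    # A local account reports the target host itself as its "domain".
    return ev["domain"] not in ("", ".", ev["host"])


def is_privileged(ev):
    return ev["user"].upper().endswith(PRIVILEGED_SUFFIX)


class Correlator:
    def __init__(self, window=WINDOW, max_tiers=MAX_TIERS):
        self.window = window
        self.max_tiers = max_tiers
        self.history = defaultdict(list)   # user -> [(ts, tier), ...]
        self.alerts = []

    def ingest(self, ev):
        """Feed one event; return the alerts it raised (also accumulated)."""
        raised = []
        tier, island = ASSETS.get(ev["host"], ("unknown", False))

        # Rule 1: an island accepts its own local credentials only.
        if island and is_domain_account(ev):
            raised.append(("ISLAND_BREACH", ev["user"], ev["host"]))

        # Rule 2: sliding window of tiers touched by one privileged domain account.
        if is_privileged(ev) and is_domain_account(ev):
            hist = self.history[ev["user"]]
            cutoff = ev["ts"] - self.window
            hist[:] = [(t, tr) for t, tr in hist if t >= cutoff]
            seen = {tr for _, tr in hist}
            hist.append((ev["ts"], tier))
            # Alert once per newly touched tier beyond the threshold.
            if tier not in seen and len(seen) + 1 > self.max_tiers:
                raised.append(("BLAST_RADIUS", ev["user"],
                               tuple(sorted(seen | {tier}))))

        self.alerts.extend(raised)
        return raised


def run(lines):
    """Run the correlator over an iterable of log lines; return all alerts in order."""
    c = Correlator()
    for line in lines:
        c.ingest(parse_event(line))
    return c.alerts


# Constructed log lines retelling the Monday-morning timeline.
SAMPLE_EVENTS = [
    "2020-12-28T08:59:10|CORP\\sam|LAPTOP-SAM|2",
    "2020-12-28T09:00:05|CORP\\sam-ADMIN|BACKUP01|3",
    "2020-12-28T09:02:30|CORP\\sam-ADMIN|DRVAULT01|3",
    "2020-12-28T09:03:00|CORP\\sam-ADMIN|DC01|3",
    "2020-12-28T09:03:40|CORP\\sam-ADMIN|AZURE-AD-CONNECT|3",
    "2020-12-28T09:04:15|CORP\\sam-ADMIN|RADIUS01|3",
    "2020-12-28T09:30:00|BACKUP01\\backupadmin|BACKUP01|2",   # island-local: fine
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample and the Sam-ADMIN logon to BACKUP01 at 09:00 is flagged before the DR site is ever touched; the third distinct tier at 09:03 trips the blast-radius alert, and the local backupadmin logon at 09:30 raises nothing, which is exactly the point of an island. In a real deployment the inventory would come from your CMDB and the events from Windows 4624/4672 logon records; the tuning question is the tier count and the window, not whether to alert in real time at all.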

 # # # # #

You get the idea...

In this day and age, convenience is one of the primary enemies of your business as far as Cyber Security, Risk and Compliance are concerned, not to mention the safety and security of your Intellectual Property and Trade Secrets...

# # # # #  Disclaimer - the preceding is not FUD (fear, uncertainty and doubt), ask around...the preceding scenario is DRAMATICALLY simplified  # # # # #

Talk to your CIO and your CISO; if they are "leveraging convenience", maybe you need a second opinion?

Give us a call here at the home of the Secret CISO...we can give you a trusted second opinion...

Copyright © 2020 by "the Secret CISO"

All Rights Reserved.

2 comments:

  1. Great article, we have been pushing clients to move to SSO with AD integration. Never thought of this risk scenario.

  2. This is a DRAMATICALLY OVER-SIMPLIFIED risk scenario, yours could be / probably would be much worse.
