
The Emergence of Identity as an Enterprise Attack Surface

In spite of heroic efforts, many companies today offer attackers no shortage of vulnerable points for entry into their networks. Whether it’s cloud services unknown to the corporate security team, or a web server that is 10 patch revisions behind, or an application that never underwent proper security or code review – the options are plentiful.

Once an attacker gets in, they still have to achieve their objectives. They need to move around, understand your organization's layout and find exploitable weaknesses to accomplish their mission. Or they can bypass all of that by assuming the identity of one of your administrators and (most likely) having free rein over everything. Complicating this further, attackers don't just come at you from the 'outside.' Sometimes they're existing employees seeking to exploit your organization's weaknesses to steal information without anyone noticing, and then leave for a competitor.

This is the stuff of nightmares for security leaders, and the fact is, it's all too real.

As more and more companies start to take security seriously (board-level seriously), the obvious opportunities for attackers diminish. The result is attackers looking for more creative ways to gain entry and a foothold without setting off alarms and getting caught. Increasingly, that strategy means exploiting identities.

The reason for this shift is quite simple: for a long time companies have struggled with managing identities and access. Local administrator rights are rampant. Shared administrator accounts are still fairly common, and the definition of roles in any given organization still leaves something to be desired. The result is that the identity has become part of the attack surface: something attackers go after, attempt to exploit and misuse for their own ends.

If you doubt the danger that identities pose to your organization, conduct a simple test. Pick any given user in your organization, an administrator or a generic user, and investigate what that identity can actually reach across your network, systems and applications, including access inherited through nested groups. In most companies, when a new user is on-boarded they are given rights to the network, systems and applications they need to do the job they're assigned. Over time, that scope creeps and spins out of control.

Over the course of a few months to a few years, many of these identities never lose the access they were granted when they were hired. They move from role to role and acquire new access requirements. Before you know it, individuals have access to servers, shared folders, applications and loads of other things they don't need. Processes for clean-up and audit are becoming more pervasive, but are still not commonplace, even as identity stores grow over time. It's an effort that requires deliberate focus and attention.

Because we lack a clear definition of what the various identities in our organizations are supposed to be able to access and do, we struggle to monitor them and to build baselines. The result is that it's nearly impossible to tell when someone is doing something they shouldn't, because we don't actually know what they should be doing.
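The "simple test" above, the scope-creep problem and the missing baseline can be made concrete in a few dozen lines. The following is an added example written for this column, not code from the original article: it models a small LDAP-style directory (group objects listing their direct members, where a member may itself be a group) as constructed sample data, resolves the groups a user reaches through nesting, and compares that effective set with what a role baseline says the user should have. The user names, group names, the role-to-group baseline and the list of what counts as "privileged" are all assumptions made for the illustration; in a real environment the same functions would be fed from an LDAP search over the `member` attribute.

```python
"""Effective-access audit for one identity against a role baseline.

Added example, not code from the original article. All directory data
below is constructed; names, roles and the privileged list are assumptions.
"""
from collections import deque

# Constructed sample directory: group -> its direct members (users or groups).
GROUPS = {
    "helpdesk":        {"mike", "olga"},
    "it-staff":        {"helpdesk", "sysadmins"},     # nested groups
    "sysadmins":       {"alice"},
    "domain-admins":   {"alice", "it-staff"},         # over-broad nesting
    "finance-readers": {"mike"},                      # left over from Mike's old role
    "file-share-fin":  {"finance-readers"},
    "cycle-a":         {"cycle-b"},
    "cycle-b":         {"cycle-a", "mike"},           # membership loop
}

# Constructed role baseline: the groups each role is supposed to confer.
ROLE_BASELINE = {
    "mailroom": {"helpdesk"},
    "finance":  {"finance-readers"},
    "sysadmin": {"sysadmins"},
}

# Assumed definition of "privileged" for this directory.
PRIVILEGED = {"domain-admins", "sysadmins"}


def _parents(groups):
    """Invert the directory: member -> set of groups that list it directly."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(principal, groups=GROUPS):
    """Every group `principal` belongs to, directly or through nesting.

    Breadth-first walk over the inverted membership graph; the visited set
    makes nested-group cycles (cycle-a <-> cycle-b) terminate.
    """
    parents = _parents(groups)
    seen = set()
    queue = deque(parents.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def membership_path(principal, target, groups=GROUPS):
    """Shortest nesting chain that puts `principal` in `target`, e.g.
    ['mike', 'helpdesk', 'it-staff', 'domain-admins']; None if not a member."""
    parents = _parents(groups)
    prev = {principal: None}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for group in parents.get(node, ()):
            if group not in prev:
                prev[group] = node
                queue.append(group)
    return None


def expected_groups(role, baseline=ROLE_BASELINE, groups=GROUPS):
    """Baseline groups for `role`, expanded through nesting so the comparison
    with effective_groups() is like for like."""
    expected = set()
    for group in baseline.get(role, ()):
        expected.add(group)
        expected |= effective_groups(group, groups)
    return expected


def audit(user, role, groups=GROUPS, baseline=ROLE_BASELINE, privileged=PRIVILEGED):
    """Compare what `user` can reach with what `role` says they should reach."""
    effective = effective_groups(user, groups)
    expected = expected_groups(role, baseline, groups)
    return {
        "effective": effective,
        "excess": effective - expected,        # scope creep the role does not justify
        "missing": expected - effective,       # role entitlements never granted
        "privileged": effective & privileged,  # privileged reach, justified or not
    }


if __name__ == "__main__":
    report = audit("mike", "mailroom")
    print("excess:", sorted(report["excess"]))
    print("privileged:", sorted(report["privileged"]))
    for group in sorted(report["privileged"]):
        print("  via", " -> ".join(membership_path("mike", group)))
```

Run against the sample data, the audit of "Mike in the mail room" flags the finance groups he kept from a previous role as excess, and it also reports that he is effectively a domain admin: the baseline blesses `helpdesk`, `helpdesk` is nested in `it-staff`, and `it-staff` is nested in `domain-admins`. That second finding is against the group structure rather than the user, which is why the privileged check is reported separately from the baseline comparison rather than being filtered by it. Note that a directory will happily hold membership loops, so any resolver that walks nesting needs the visited set; in Active Directory the `tokenGroups` attribute returns the flattened set directly, but it does not tell you the path, which is what you need to decide which nesting to cut.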

Getting a handle on the identities within our corporate walls is a bear of a task. Disparate identity stores still exist for a number of reasons. While the vast majority of new applications are designed to leverage a centralized Lightweight Directory Access Protocol (LDAP) identity store, policies and integration practices within an organization often keep that integration from happening.

Additionally, the explosive adoption of cloud-based Software-as-a-Service (SaaS) applications ensures that consolidation isn't guaranteed. Think about the way you work today: how many different identities (username/password pairs) do you have on your own network? A half-dozen? More? The goal of consolidation seems logical, but it's much easier said than done. The effort before identity and access management (IAM) program owners is monumental and never-ending.

Attackers are exploiting these issues in the corporate identity stores with greater frequency. Once they’re “in” they leverage identities and accounts that have access to roam free across the network, data stores and applications until they find what they want and exfiltrate it. Then they’re gone. And you probably can’t tell whether Mike in the mail room actually went rogue and stole next quarter’s financials, or if someone named Olga from Russia infiltrated your network, stole Mike’s virtual identity and made off with the data.

The identity is absolutely, definitively part of your attack surface, and it's time you started treating it that way. If you haven't managed IAM from a programmatic viewpoint, you should start soon. If you don't have an effort to consolidate identity stores and to create policies for setting up, managing and decommissioning identities across your various platforms, what's the hold-up? And if you haven't set up a comprehensive set of policies, roles and processes covering the whole lifecycle of your corporate identities, including privileged access management, privileged user management and privileged identity management, then you probably haven't defined what "privileged" means in your organization, and that is why you're struggling.

Start with strategy.

Strategy includes setting up the framework, operational goals, stakeholders and requirements. Having a strategy means understanding what you want to achieve, based on what is reasonable and proper for your organization. These things are important and must be thought out carefully. Identities aren't just usernames and passwords. They're gateways into our networks, systems, data stores and applications. They must be carefully defined, managed and monitored. Organizations across market verticals continue to strive to make their achievements in IAM more measurable and more mature. You too should strive to show demonstrable maturity and success in your IAM program.


Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.