A False Sense of Security: Who is Using Your Accounts?

With most cyber-attacks, the damage is done long before any corrective actions can be taken.

Managing identities and their access is an essential part of any security program. Yet even when identity and access are well managed and user activity is within policy, do the credentials and the behavior make business sense? If you can't interpret user activity in the context of identity, and of what is normal behavior for that identity, your organization may be living with a false sense of security, leaving attackers a significant window of opportunity.

Hard-to-notice threats

Security was once focused on “walling off” sensitive data, but today’s threats follow a less linear path.

In 2009, a Gmail account belonging to a Twitter employee was compromised. Usually this would not be a corporate problem, but that personal breach was used to get into the employee's Google Apps account and, from there, other employees' accounts. Before criticizing too harshly, remember that sharing files through personal cloud apps is common practice.

Twitter was using Google Apps to share sensitive corporate documents and information, so accessing those documents was not out of policy for the compromised accounts. What Twitter lacked was the ability to detect abnormal activity: the attacker gathered information for three months, and it might have gone on longer had he not revealed his own activity as a way of highlighting the security practices that concerned him.

These long-duration harvesting attacks using hijacked credentials have become increasingly common. In January 2013, the New York Times reported that hackers had infiltrated its networks, apparently trying to discover the sources of an unflattering story about relatives of China's then prime minister. The initial intrusion is believed to have started with a targeted spear-phishing campaign, which let the attackers plant remote access tools (RATs) to facilitate further access. The Times detected the attack and let it run for four months to study the attackers' methods as part of a story it prepared.

Further examples aren't hard to find. Even the highly publicized Target breach from last year started with a malware-laced phishing email sent to employees of an HVAC firm contracted by the nationwide retailer, three months before the breach was discovered.

Casino-style security?

These threats thrive where credentials can be compromised by social engineering.

As we consider how best to respond, perhaps we should seek our inspiration by looking to the masters of mixing security and social access – Las Vegas.

The ceiling of every casino is studded with hundreds of electronic sentinels – cameras that watch everyone – guests and employees alike. And of course, there are employees paid to watch the employees, who themselves watch the guests. If you’ve ever wanted an example of layered security designed to defeat an insider threat, take a stroll across a gaming floor.

But despite all that security, Las Vegas is hardly the place that springs to mind when we think "security." It's possible to have a wild time in a casino and remain blissfully unaware of the cocoon of monitoring around you because, in the end, the job of the security team is precisely to make sure that you have fun, that you get what you came for, within certain parameters. Step outside those parameters, however, and your fun will come quickly to a crashing stop.

The approach they take is simple: provide guard rails, set expectations, monitor for anomalous behavior and respond quickly. Guests aren't constantly aware of security saying no, far from it, yet casinos are extremely safe places (assuming you don't mind losing your shirt at the blackjack tables). Security is present, effective and, for the most part, transparent: a model that many enterprise security teams (and users) would welcome.

(Image: Andy Garcia in Ocean's Eleven, Warner Bros. 2001)

Automation is critical

Rapid response is easier said than done. Critical breaches can unfold so fast that human intervention alone cannot respond in time. Automation is what makes real-time threat response possible.

Ideally, a set of policies can be established so that a system constantly monitors behavior and immediately identifies and alerts on abnormal activity. For example, if an employee who normally works from the office begins downloading a database or other sensitive files at 2 am from a university network in a nearby city, that activity should be flagged as abnormal and escalated to the security operations team. Note that no single signal in that example is damning on its own: people work late, and people travel. It is the combination of departures from that identity's own history that should escalate.

But how are such policies created? Security teams can't be expected to enumerate every threatening scenario and write a rule for each one. For automation to be feasible, and worth the investment, it must go further: learning what normal looks like for each identity and flagging departures from it. This is where research and development must make progress.
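The per-identity baseline approach described above, as an added example that is not the column's own code or tooling. It assumes a constructed, comma-separated access-log format (timestamp, user, source IP, action, resource, bytes) and a few illustrative thresholds; all log lines are made up. It builds a baseline of "normal" for each identity from historical events, then scores new events by counting independent departures (hour never seen, unfamiliar source network, first download of a resource, unusual volume) and escalates only when several coincide. An identity with too little history gets no baseline and is routed for review rather than silently scored as normal.

```python
# Added example (not from the article): per-identity behavioural baselines
# built from historical access-log lines, then used to score new activity.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

MIN_EVENTS = 3     # fewer than this and we refuse to call anything "normal"
ESCALATE_AT = 2    # independent anomalies needed before paging the SOC

# Constructed sample log lines (not real data):
# ISO timestamp,user,source IP,action,resource,bytes
HISTORY = """\
2014-03-03T09:12:44,alice,10.20.30.41,read,/reports/q1.xlsx,48213
2014-03-03T11:40:02,alice,10.20.30.41,read,/reports/q1.xlsx,48213
2014-03-04T10:05:19,alice,10.20.30.57,download,/reports/pipeline.pdf,912004
2014-03-04T16:22:51,alice,10.20.30.41,read,/hr/handbook.pdf,210990
2014-03-05T14:03:08,alice,10.20.30.41,download,/reports/q1.xlsx,48213
2014-03-05T09:30:00,bob,10.20.31.12,read,/eng/roadmap.md,12000
"""

# Constructed new activity to score against the baselines.
NEW = """\
2014-03-06T10:15:30,alice,10.20.30.41,read,/reports/q1.xlsx,48213
2014-03-07T02:07:13,alice,198.51.100.23,download,/db/customers.sql,58120044
2014-03-06T19:45:00,alice,10.20.30.41,read,/reports/q1.xlsx,48213
2014-03-06T10:00:00,bob,203.0.113.9,download,/db/customers.sql,58120044
"""


def parse(lines):
    """Turn raw log lines into event dicts; source IP is bucketed to its /24."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, ip, action, resource, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "net": str(ip_network(f"{ip}/24", strict=False)),
            "action": action,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return events


def build_baselines(events):
    """Summarise what 'normal' looks like for each identity with enough history."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        if len(evs) < MIN_EVENTS:
            continue  # too little history; such users are routed for review
        baselines[user] = {
            "hours": {e["ts"].hour for e in evs},
            "nets": {e["net"] for e in evs},
            "resources": {e["resource"] for e in evs},
            "peak_bytes": max(e["bytes"] for e in evs),
        }
    return baselines


def score_event(e, baselines):
    """Return the independent ways this event departs from its identity's baseline."""
    b = baselines.get(e["user"])
    if b is None:
        return ["no baseline for identity"]
    reasons = []
    if e["ts"].hour not in b["hours"]:
        reasons.append(f"off-hours ({e['ts'].hour:02d}:00 never seen for this user)")
    if e["net"] not in b["nets"]:
        reasons.append(f"unfamiliar source network {e['net']}")
    if e["action"] == "download" and e["resource"] not in b["resources"]:
        reasons.append(f"first download of {e['resource']}")
    if e["bytes"] > 3 * b["peak_bytes"]:
        reasons.append(f"volume {e['bytes']} exceeds 3x historical peak {b['peak_bytes']}")
    return reasons


def detect(new_events, baselines):
    """Score each event; escalate only when several anomalies coincide."""
    alerts = []
    for e in new_events:
        reasons = score_event(e, baselines)
        if not reasons:
            continue
        if reasons == ["no baseline for identity"]:
            severity = "review"
        elif len(reasons) >= ESCALATE_AT:
            severity = "escalate"
        else:
            severity = "notice"
        alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(parse(HISTORY))
    for a in detect(parse(NEW), baselines):
        print(a["severity"].upper(), a["user"], a["ts"], "; ".join(a["reasons"]))
```

Run as written, the 2 am download from an unfamiliar network is escalated with four independent reasons, alice's 19:45 read of a file she opens every day is only a notice, and bob, with a single historical event, is flagged for review rather than being treated as normal. In a real deployment the baseline window, the /24 bucketing and the thresholds are the tuning knobs, and the important design point survives any tuning: the same action is judged against that identity's own history, not a global rule.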

In an ideal world, your security system would identify unusual actions and shut them down automatically, in real time. The practical caveat is that automatic blocking needs high confidence: a false positive locks out a legitimate user, so the threshold for cutting off access should be higher than the threshold for alerting. Get that balance right and, regardless of who is using your accounts, insiders or someone who has hijacked their credentials, your sense of security doesn't have to be false.

Automated identification of anomalous behavior holds significant promise for reducing the time that compromised accounts can be used to harvest your sensitive information.
