EXECUTIVE SUMMARY: If your Enterprise has many different systems controlled through a centralized authentication mechanism (a single username and password) and you do not have multi-factor authentication (receiving an SMS, for example)... you are more than likely exposed far more than you think.
I didn't want to name any of the "cool" marketing terms we keep hearing, like SSO and Federated Identity Management solutions. These concepts are all great and bring a lot of value. What if parts of this introduced behaviour that was much riskier than we all think?
Having a single username and password to access everything is nothing new.
What if it was a terrible idea ?
What if this "idea" was meant to be used a certain way, and we all ain't doing it.
I know.... ain't ain't a word, so how can this be true....
Read on.... because a client asked my opinion on something, and my answer simply wasn't... "go ahead.... it's fine". It came to mind that a lot of Enterprises are faced with this issue.
A while back, I did an intrusion test on a large brokerage firm that I happened to be a client of. The reason I tested it was simple.... it smelt bad from the first welcome letter.
After compromising an administrator email account, I had access to everything.
When I contacted this company to explain to them that they had a major security flaw, the CEO and CIO did what they do best in traded companies... they ignored me.
I had to light a few fires to get them to assign some poor soul to call me back.
NOTE: Now let's be clear, I do not hack companies and then call them. In this case, I was the client, and I suspected many things smelt bad, so I did my due diligence and hired a professional to test them out. The professional happened to be me.
When I finally talked to someone, they told me that under no circumstances had client data been exposed, that this was simply a breach of the company email system.
To this I replied as follows:
1) First off, your administrator had your website's new web certificate in his email, including the private keys. He must have emailed it to himself to then retrieve and install it on your servers. So you no longer have any security on your "transaction" servers, which do host very sensitive information.
2) The administrator credentials I now have in my possession have the following characteristics which you might find of interest:
- This is an Active Directory admin account
- Your enterprise VPN is integrated into Active Directory
- Your Citrix remote access which is Internet facing is integrated into Active Directory.
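A defender-side check that follows from the first point above: an administrator's mailbox holding a web certificate together with its private key is a leak that can be found before an attacker does. The script below is an added example written for this post, not the author's or the brokerage firm's own tooling. It scans an mbox export for PEM private-key headers in message bodies and in decoded attachments; the mailbox contents are constructed here, the mailbox path is a temporary file, and the key material is a placeholder string, not a real key.

```python
"""Scan an mbox mailbox export for PEM-encoded private keys.

Added example for this post. The sample mailbox below is constructed
(three messages from a fictional admin@example.invalid) and the key
block is a placeholder, not real key material.
"""
import base64
import mailbox
import re
import tempfile

# PEM private-key header variants (PKCS#1 RSA, EC, DSA, PKCS#8, encrypted
# PKCS#8, OpenSSH). Matching on the header is enough to flag the message.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)

# Placeholder key block: right shape, no real key inside.
FAKE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

# Constructed mbox content: a benign message, a message with the key pasted
# inline in the body (the "emailed it to himself" case), and a message
# carrying the key as a base64-encoded .key attachment.
SAMPLE_MBOX = (
    b"From admin@example.invalid Mon Jan  1 09:00:00 2024\n"
    b"From: admin@example.invalid\nTo: admin@example.invalid\n"
    b"Subject: lunch\n\nsee you at noon\n\n"
    b"From admin@example.invalid Mon Jan  1 09:05:00 2024\n"
    b"From: admin@example.invalid\nTo: admin@example.invalid\n"
    b"Subject: new cert for transaction servers\n\n"
    b"installing tonight\n" + FAKE_KEY + b"\n"
    b"From admin@example.invalid Mon Jan  1 09:10:00 2024\n"
    b"From: admin@example.invalid\nTo: admin@example.invalid\n"
    b"Subject: key file\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XX"\n\n'
    b"--XX\nContent-Type: text/plain\n\nattached\n"
    b'--XX\nContent-Type: application/octet-stream; name="www.key"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="www.key"\n\n'
    + base64.encodebytes(FAKE_KEY)
    + b"--XX--\n"
)


def write_sample_mbox():
    """Write the constructed mailbox to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name


def scan_mbox(path):
    """Return (message index, subject, location) for every leaf part whose
    decoded payload contains a PEM private-key header. `location` is the
    attachment filename, or "body" for an inline hit."""
    hits = []
    for idx, msg in enumerate(mailbox.mbox(path)):
        subject = msg.get("Subject", "")
        # walk() visits every MIME part; a non-multipart message yields itself.
        for part in msg.walk():
            if part.is_multipart():
                continue
            # decode=True reverses base64 / quoted-printable transfer encoding,
            # so a key hidden in an attachment is inspected as raw bytes.
            payload = part.get_payload(decode=True) or b""
            if PEM_KEY_RE.search(payload):
                hits.append((idx, subject, part.get_filename() or "body"))
    return hits


if __name__ == "__main__":
    for idx, subject, where in scan_mbox(write_sample_mbox()):
        print(f"message {idx} ({subject!r}): private key found in {where}")
```

Run it as-is to see the two flagged messages; point `scan_mbox` at a real mbox export (Thunderbird, `mutt`, or a server-side dump) to check a mailbox you are responsible for. The regex catches only PEM headers; keys shipped inside a PKCS#12 (`.pfx`/`.p12`) bundle would need a separate check on attachment type.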
Actually, now that I think about it, budget isn't really the issue. I think senior managers might be. I recall numerous times when senior management refused to do things the "secure way" because they find it uncomfortable: "I don't want my workstation to lock me out when I don't use it for hours, this irks me. Fix it because I'm the boss."
This kind of attitude is what often bites companies in the ass.
Since when do we let someone who does not have the competence to make these decisions make them?
Oh wait.... that happens a lot doesn't it.
Food for thought.
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.