IAM: Identity and Access Management on the Move

It was impossible not to notice the plethora of breaches that occurred throughout 2013. According to the Open Security Foundation’s “Data Breach QuickView” report, 2,164 incidents were responsible for compromising 822 million records in 2013.

While identity and access management (IAM) failures were not responsible for all of these incidents, “hacking” caused 1,293 incidents, which accounted for over 592 million compromised records. Fraud or social engineering accounted for 152 incidents that exposed over 102 million records. These areas saw attacks originating both internally and externally; when an insider breaks trust, they have the potential to cause significant damage.

Social Engineering and Hacking

There are well-documented and publicized cases of social engineering in which an individual obtains the security credentials of a colleague and engages in data acquisition in the unsuspecting colleague’s name. This is precisely what happened in the Edward Snowden case: He used his social engineering skills to persuade his colleagues to share with him their log-in credentials, which expanded his access beyond his privileges to that of his colleagues. We know how that turned out. With hacking causing 1,293 of the total incidents in 2013, resulting in the exposure of more than 592 million records, it is safe to assume that IAM capabilities have room for improvement regardless of company size or sector.

IAM should have deterred or prevented many of these events, and no doubt those conducting the damage assessments will be reviewing who accessed what, and how, which is at the heart of identity and access management.

  • Who is accessing my system? Verifying user identity, whether by password alone or by password plus two-factor authentication, is an essential component of security best practices. The key is to be able to tell who your users are: Are they part of the Active Directory associated with the enterprise network? Are they coming into the network via an external gateway, an extranet connection or from within the intranet? Has access been authorized for these individuals?
  • Are they coming from an expected IP address? Is the IP address from which the individual has an established pattern of usage the same IP address with which the individual is currently accessing the network or data stores? If not, the IAM should invoke additional security protocols, pulling from either knowledge-based questions or additional challenges from the support team. While this check might be “spoofable,” it can also serve as an early indicator that an individual’s credentials are on the move.
  • Are they using the device I expect? Indexing the devices (laptops, tablets, smartphones, etc.) with which users access the network so that they can be identified and associated with a specific user or group of users adds a level of security by providing the opportunity to challenge or permit access based on the review of additional information (e.g., IP address).
  • Are they arriving at the expected time? Schedules or activity windows should be relatively predictable, though some are more eclectic than others. If you know that employees normally only access the network during the 9-5 workday, seeing them log in during “off hours” should be flagged as an anomaly. Checking the anomaly may be as simple as verifying the IP address and device identity.
  • Are they accessing permitted areas? Are individuals using their credentials to enter areas within the enterprise to which they have been granted access? Are they attempting to access areas to which their privileges have not been extended? Following these failed attempts, does the individual continue to “probe,” or do they engage the protocol to acquire permitted access to the restricted data?
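The five questions above can be turned into a baseline-driven risk check. The following is an added example, not code from the original article: it assumes a constructed per-user baseline (known IPs, known devices, working hours, permitted areas), evaluates constructed login events against it, and returns allow, step-up challenge or deny, plus a simple detector for the “probing” behaviour the last bullet describes.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Baseline:
    """Constructed per-user profile of what 'expected' access looks like."""
    known_ips: frozenset
    known_devices: frozenset
    work_hours: tuple            # (start_hour, end_hour) on a 24h clock
    permitted_areas: frozenset

@dataclass
class LoginEvent:
    src_ip: str
    device_id: str
    when: datetime
    area: str                    # enterprise area the session tries to enter

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

def assess(event, baseline):
    """Run the five checks against the baseline; return (decision, reasons)."""
    reasons = []
    if event.area not in baseline.permitted_areas:
        return DENY, ["unauthorized_area"]   # privileges are never extended on the fly
    if event.src_ip not in baseline.known_ips:
        reasons.append("unexpected_ip")
    if event.device_id not in baseline.known_devices:
        reasons.append("unknown_device")
    start, end = baseline.work_hours
    if not start <= event.when.hour < end:
        reasons.append("off_hours")
    # Off-hours alone from a known IP on a known device is resolved by those two checks
    # and is allowed (logged); doubt about who holds the credentials triggers a challenge.
    if reasons in ([], ["off_hours"]):
        return ALLOW, reasons
    return STEP_UP, reasons

def probing(events, baseline, threshold=3):
    """True when an account keeps hitting restricted areas instead of requesting access."""
    denied = sum(1 for e in events if assess(e, baseline)[0] == DENY)
    return denied >= threshold

ALICE = Baseline(frozenset({"10.1.2.3"}), frozenset({"laptop-A1"}), (9, 17),
                 frozenset({"hr", "finance"}))
SAMPLE = [  # constructed events: normal, late, new IP, everything odd, restricted area
    LoginEvent("10.1.2.3", "laptop-A1", datetime(2013, 6, 3, 10, 0), "hr"),
    LoginEvent("10.1.2.3", "laptop-A1", datetime(2013, 6, 3, 23, 30), "hr"),
    LoginEvent("203.0.113.9", "laptop-A1", datetime(2013, 6, 3, 10, 0), "hr"),
    LoginEvent("203.0.113.9", "phone-Z9", datetime(2013, 6, 3, 2, 0), "finance"),
    LoginEvent("10.1.2.3", "laptop-A1", datetime(2013, 6, 3, 11, 0), "payroll"),
]
```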

All of the above is possible, though it does raise the question of whether our identity and access management systems are obsolete.

Identity and Access Management: Obsolete or Evolving?

IAM systems are not obsolete, but they are certainly evolving and on the move. Convenience trumps security with regularity, and if the anomaly checks cause undue inconvenience, both those securing the system and those being regulated will develop work-arounds. Therein lies part of the conundrum: ensuring that the identity of the individual goes through the necessary verification and validation without unduly degrading the user experience. While some steps may add a slight degree of latency, the key to garnering acceptance by those most affected, the users, is making sure they understand the “why” behind the IAM challenges and access checks; the 822 million compromised records in 2013 is a good conversation starter.
