So, you’ve just been breached. Now what? Many questions come to mind. Is the breach contained? Who was behind it? Were they internal or external? How did they get in? What did they get? Depending on your organization’s level of sophistication in response to such incidents, a number of processes, controls, and workflows will be initiated and checked.
Some of these processes involve changing account passwords. You will likely scramble your IT division to delegate action plans and call a post-breach forensics organization to try to assess and contain the incident as much as possible before having to alert end-users and possibly shareholders (gasp!).
If you have not done so by now, you will also take a step back and try to figure out how you got to this point. How did it happen? Did you not have the proper controls in place? After the forensics report returns, you will most likely discover that you were infiltrated by misuse or abuse of a privileged or elevated account.
There are a number of ways this can happen. The breach might have originated with an insider who had access to the accounts, or a contractor who was issued one of the accounts, or a hacker who obtained one of the accounts through any of a myriad of infiltration techniques. Whatever the source, the risk of a breach due to privileged account abuse can be greatly reduced through identity and access management (IAM). However, IAM projects are often put on the back burner in favor of more immediate priorities.
As an IT executive, you have to make the most effective decisions based on the information at hand. You have to consider budgets, CONOPS, and immediate needs, sometimes getting buy-in from a steering committee, and generally doing what’s best to keep the IT infrastructure churning to support the mission. As such, the long-term view and strategic initiatives, especially “luxury” or preventive measures such as IAM solutions, take a back seat. This is especially true if you are not part of a regulated industry that gets audited on such things on a regular basis. Unfortunately, the “no news is good news” mantra is not an advisable tack to take. Let’s face it: getting breached is really a matter of when, not if.
If recent high-profile breaches have taught us anything, it’s that you have to take care of the obvious things first. Yes, there are potential vulnerabilities throughout an organization, but without the development, implementation, and practice of proper cyber hygiene, you might as well make these vulnerabilities a part of your company’s tag line. In addition to the general best practices and “healthy” behavior that users should be periodically trained on, you must make sure that your internal processes are well-established, understood, and, preferably, automated.
This is most pertinent to the processes that handle joiner, mover, and leaver functions, that is, the adding, changing, and removal of user credentials. These seemingly innocuous functions are performed daily by just about every organization, but they are typically the most misunderstood, ignored, and disjointed processes. As such, they are also some of the most readily exploited weaknesses. If you don’t know for certain who is accessing what and why, you are not addressing the need for IAM.
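The joiner/mover/leaver gaps described above are what a post-breach review most often turns up: a leaver whose account is still enabled, a mover who kept the privileged group from a previous role, or a privileged account with no human owner. The script below is an added example, not code from the original post, showing the reconciliation an IAM process should be running on a schedule: it compares an HR roster against a directory export and reports each gap. The roster, directory export, role-to-group policy and privileged-group list are all constructed sample data, and the field names (`status`, `enabled`, `groups`) are assumptions rather than any real product's schema.

```python
"""
Joiner / mover / leaver reconciliation.

Added example, not from the original post. All data below is constructed;
the field names are assumptions, not a real HR system's or directory's schema.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: current employment status and role per person.
HR_ROSTER = {
    "alice": {"role": "dba", "status": "active"},
    # bob moved from the DBA team to the helpdesk; his old group was never removed.
    "bob": {"role": "helpdesk", "status": "active"},
    # carol left, but (see DIRECTORY) her account was never disabled.
    "carol": {"role": "developer", "status": "terminated", "end_date": date(2024, 3, 1)},
}

# Constructed directory export: account state and group membership.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"dba-admins", "staff"}},
    "bob": {"enabled": True, "groups": {"dba-admins", "helpdesk", "staff"}},
    "carol": {"enabled": True, "groups": {"developers", "staff"}},
    # Service account with a privileged group and no owner in HR.
    "svc-backup": {"enabled": True, "groups": {"domain-admins"}},
}

# Assumed entitlement policy: which groups each role may hold.
ROLE_GROUPS = {
    "dba": {"dba-admins", "staff"},
    "helpdesk": {"helpdesk", "staff"},
    "developer": {"developers", "staff"},
}

# Groups whose membership is treated as privileged for the orphan check.
PRIVILEGED_GROUPS = {"dba-admins", "domain-admins"}


@dataclass
class Finding:
    account: str
    kind: str    # "leaver", "mover" or "orphan"
    detail: str


def reconcile(roster, directory, role_groups, privileged):
    """Return one Finding per gap between HR and the directory.

    leaver: HR says terminated, directory account still enabled.
    mover:  account holds groups its current role does not entitle.
    orphan: enabled account with a privileged group and no HR record.
    """
    findings = []
    for user, hr in roster.items():
        acct = directory.get(user)
        if acct is None:
            continue  # joiner not yet provisioned: an availability issue, not a risk
        if hr["status"] != "active" and acct["enabled"]:
            findings.append(Finding(user, "leaver",
                f"terminated {hr.get('end_date')} but account still enabled"))
            continue  # no point checking entitlements of an account to be disabled
        excess = acct["groups"] - role_groups.get(hr["role"], set())
        if excess:
            findings.append(Finding(user, "mover",
                f"holds groups not entitled by role {hr['role']}: {sorted(excess)}"))
    for name, acct in directory.items():
        if name not in roster and acct["enabled"] and acct["groups"] & privileged:
            findings.append(Finding(name, "orphan",
                f"privileged groups {sorted(acct['groups'] & privileged)} with no HR owner"))
    return findings


def by_kind(findings):
    """Group finding account names by kind, for reporting and assertions."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.account)
    return out


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, ROLE_GROUPS, PRIVILEGED_GROUPS):
        print(f"{f.kind:6} {f.account:12} {f.detail}")
```

Run against the constructed data, the report lists bob as a mover (stale `dba-admins` membership), carol as a leaver (terminated but enabled) and `svc-backup` as an orphaned privileged account; alice, whose groups match her role exactly, produces no finding. In practice the roster and directory would be pulled from the HR system and directory service exports, and each finding would feed a ticket or an automatic disable rather than a print statement.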
Stay tuned for Part 2: Where do we go from here?