If ever I’m asked how a general home network user can drastically improve their security posture, my first recommendation is “use Quad9 for DNS”. Quad9 runs a completely free global public recursive DNS resolver that goes a long way towards stopping malware and phishing attacks. By simply changing your default ISP-provided resolvers to 9.9.9.9, you can dramatically improve things. There are very few true easy wins in internet security, but Quad9 is one of them.
Quad9 is now a Swiss public not-for-profit foundation, with the mission of improving security and maintaining privacy. Most people outside our field don’t realize how critical and potentially vulnerable the whole Domain Name System is. You type a name in the browser and the resolver decides which actual server to send you to. Bad resolution, bad target, bad result; it’s as simple as that. Quad9 does an amazing job of actually doing something good and blocking the bad guys – for free!
This post highlights the crazy situation going on in Germany right now. In summary, Sony Music thinks it’s Quad9’s fault that bad guys are stealing their IP and pirating their media. Sony took out an interim injunction (310 O 99/21) at the Hamburg Regional Court to require Quad9 to implement network blocking on their behalf. The trouble is, this is just not how the system works, AND it introduces a frightening precedent that, if upheld, allows corporations to make DNS providers responsible for just about everything bad that happens on the internet. It probably means the end of their awesome service and a step back to the dark ages for the rest of us.
Fortunately, most sane people that understand what’s going on here agree that Sony should just drop it. Quad9 already have the support of the GFF – the German-based Gesellschaft für Freiheitsrechte e.V. – a Germany-specific version of the EFF – the Electronic Frontier Foundation that I’m a member of. BTW, if you’re not a member/supporter of GFF or EFF – go subscribe and get an awesome t-shirt.
The GFF is helping pay Quad9’s legal bills. “If non-profit IT security projects like Quad9 must bear the costs of combating copyright infringements, they can no longer offer their services in Germany in a way that covers their costs,” said GFF project coordinator Julia Reda. “As a result, everyone’s IT security suffers.”
“We view this case with Sony Music as a much bigger issue outside of Quad9’s mission to keep the Internet safe. This eventual final outcome of this ruling will set a precedent for European cybersecurity and policy,” said John Todd, Managing Director of Quad9. “This isn’t just about Quad9’s DNS recursive security capabilities; we believe it has a much broader application to a wide range of internet services, and service providers should understand the implications of either outcome of the case.”
More detailed information on the case and this issue is available on the Quad9 website at https://quad9.net/news/press/german-court-rules-against/. If you care about security and understand what services like Quad9 do, write to someone, post a blog, or go join the GFF/EFF and help them fight off a bad ruling with potentially hugely damaging implications.
I gave a virtual presentation last week at the Kuppinger Cole CSLS event. My title was “Old Dog New Trick: Musings on Enterprise Identity Governance in a Cloud-First Zero Trust Ecosystem”. The thesis of the session was how to apply old-world identity governance thinking to solve new-world security objectives. I wanted to pull out a couple of the key points here to hopefully promote a little wider thinking and debate.
Cloud-first & Zero Trust are key enterprise security topics, so the question posed by the session was exactly how does governance & provisioning support them both and what does that look like in deployment?
As I’ve done before, I offered three specific things that provisioning and governance can do to support a Zero Trust approach: implementing true least privilege, building a policy-based lifecycle and embracing something I’ll explain here as temporal entitlement. In the rest of this article, I’ll explain all three and open the debate.
Implementing True Least Privilege
I think most people these days understand what least privilege means. To me, it means only giving people the access they need to get the job done. The question is how do you apply this to a cloud-first ecosystem?
Inventory & Visibility
And the answer starts with inventory and visibility. Here, the old mantra that “you can’t manage what you can’t see” has never been truer. If you don’t know who has access to what and why they have it, least privilege has no chance. So, before you can adopt Zero Trust for cloud, you must deliver on what are basically old-dog security and governance tricks. It means you must aggressively manage a full inventory of all cloud apps and access. Of course, this must cover all AWS, GCP and Azure resources, plus your complete DevOps lifecycle footprint.
Least privilege for cloud also means Least Access. By that I mean, thinking differently about providing access in the first place. We’re often all focused on providing the most access we can, but we need to flip that and think least or minimum access instead.
Let me give you a practical example of what I mean. How many of you, when you see cloud access in an access review, think revoke by default? Or when you’re delivering role mining and “birthright access” are you really focusing on the least amount of access possible? So, the closest peer-grouping, the highest match criteria, and the smallest access profile.
To really support Zero Trust provisioning and lifecycle management, you must give out less entitlement by default. Giving out less by default requires no new technology capability delivered by some magical new cloud service either; it’s a simple philosophy, delivered by word of mouth if need be.
Self-service @ Center
And giving out less by default only makes sense when it’s supported by first-class self-service and delegation. You must deliver intelligent self-service to your users that includes effective delegation and highly automated provisioning and approvals. If you focus on understanding patterns of access, instead of delivering them directly via birthright provisioning (by default), you’re getting there. It requires making the self-service capabilities you deliver easy to use and available “on request”, or maybe “just-in-time”, something I’ll come back to in a moment.
I’ll say it again, none of the things I’ve mentioned here so far are rocket science or anything new. Good inventory, minimal birthright access and delivering self-service are all achievable with pretty much any old provisioning and governance tooling. Or maybe you just need the right delivery partner, with the right philosophy in mind.
Building a Policy-based Lifecycle
The second pillar for supporting cloud-first Zero Trust is a policy-based lifecycle. This one’s important for Zero Trust, but it really is something much bigger that crosses over the access management, provisioning, and privilege management boundaries.
Building a policy-based lifecycle starts with putting well known and well understood Governance models at the center of the access lifecycle. Yes, that often does mean Role Based Access Control, so building roles and maintaining their lifecycle, but it also means building other models too. Models that capture the policy of the “desired state” for access and entitlement usage.
Sometimes governance models are simple things like ownership and approval definitions that overlay responsibility and stewardship for all the things we care about. Sometimes they are manual or automated change control policies that carry out known actions when Identity, attribute and resource states change.
Or maybe sometimes that governance model is as simple as a clean set of requestable units of access – so self-service available to the right people to request the right access at the right time. These are all the models that drive a governance-based approach to identity and ultimately to best support a Zero Trust approach. We must commit to model and govern these policies prior to usage if we plan to minimize the risk.
If a policy-based lifecycle means developing core governance models, it also means understanding and implementing embedded controls. We must take the checks and balances of business best practice and embed them in the request and provisioning flow.
Again, no new trick here. Embedded controls are what we’ve been talking about in identity for 15 years now. But it’s still our job as identity specialists and IAM thinkers to “evangelize” and to make sure that embedded controls like preventive Separation of Duty (SoD) are absolutely required for cloud-first Zero Trust.
Attributes Driving Access
Lastly, a policy-based lifecycle means understanding exactly when and where attributes drive the access. I know this sounds a bit esoteric but when I say Attributes Drive the Access I mean when any system makes an access policy decision based on identity data, or any verifiable credential, controls need to be in place to govern it.
To explain what I mean let me provide an example. When an AWS access policy picks up an attribute like manager from an Identity Provider (IdP) and embeds it in an S3 access control policy, the attribute drives the access. How do you govern that? How do you define and implement the controls, and where is the governance? Who manages the attribute provenance, are these attributes accurate and up to date, and who verified them? Does the IdP know that this attribute is driving access downstream, and are these dependencies being reviewed and audited?
These are very important questions. So, I foresee a cloud-first Zero Trust future where the provenance and assurance of identity attributes and runtime access policies will be a key governance control. As we edge ever closer to a world of verifiable credentials and self-sovereign distributed identity, composing, delivering, and validating verifiable credentials will be a key focus for the access governance of the future.
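One way to start answering the “who knows this attribute drives access?” question is to inventory the IdP attributes that AWS policies actually consume. The scanner below is an added example, not code from the post or from any product: it walks a constructed S3 bucket policy, finds every `aws:PrincipalTag/<attribute>` reference (in condition keys, condition values and `${...}` policy variables in resource ARNs), and reports which attributes have no documented steward or verification in a hypothetical stewardship register.

```python
import re

# Constructed sample: an S3 bucket policy for an IdP-federated role in the ABAC
# style the post describes. Account id, bucket name and role name are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOwnTeamPrefix",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/IdPFederated"},
            "Action": ["s3:GetObject"],
            # Policy variable: the caller's "manager" tag selects the prefix they may read.
            "Resource": "arn:aws:s3:::example-bucket/${aws:PrincipalTag/manager}/*",
            # Condition key: only callers tagged department=devops get in at all.
            "Condition": {"StringEquals": {"aws:PrincipalTag/department": "devops"}},
        },
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/IdPFederated"},
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",
            # Condition value: the same tag constrains which prefixes can be listed.
            "Condition": {"StringLike": {"s3:prefix": "${aws:PrincipalTag/manager}/*"}},
        },
    ],
}

# Hypothetical stewardship register kept by the IdP owners: which attributes
# have a named owner and a verified source. "manager" is deliberately missing.
ATTRIBUTE_STEWARDSHIP = {
    "department": {"owner": "HR Systems", "source": "HRIS feed", "verified": True},
}

# Matches the principal-tag attribute name wherever the tag is referenced.
TAG_REF = re.compile(r"aws:PrincipalTag/([A-Za-z0-9_.:/=+\-@]+)")


def _strings(value):
    """Yield every string nested inside a policy element (keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from _strings(item)


def attribute_dependencies(policy):
    """Map each IdP attribute to the (Sid, element) pairs whose access it drives."""
    deps = {}
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no-sid>")
        for element in ("Resource", "Condition"):
            for text in _strings(stmt.get(element, [])):
                for attr in TAG_REF.findall(text):
                    deps.setdefault(attr, set()).add((sid, element))
    return {attr: sorted(refs) for attr, refs in sorted(deps.items())}


def unverified_attributes(deps, stewardship):
    """Attributes that drive access but nobody in the IdP owns or has verified."""
    return [attr for attr in deps
            if stewardship.get(attr, {}).get("verified") is not True]


if __name__ == "__main__":
    deps = attribute_dependencies(SAMPLE_POLICY)
    for attr, refs in deps.items():
        print(f"{attr}: used by {refs}")
    print("needs a steward:", unverified_attributes(deps, ATTRIBUTE_STEWARDSHIP))
```

Pointing the same scan at every policy in an account gives the IdP team the downstream dependency list the post asks for, and the review cadence can then be attached to each attribute rather than discovered after an incident.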
And so, onto the third and final element of Identity Governance supporting a cloud-first Zero Trust ecosystem, Temporal Entitlement. Like most of the things I’ve highlighted in this article, this can be achieved with old-school provisioning and governance. But what does it mean?
So, imagine if you will, a world where everything provisioned was temporal, time based and non-permanent. Imagine a situation where every entitlement and credential hit a pre-defined “sunset” date and was simply suspended, revoked, or removed. Now that really would be least privilege, wouldn’t it? Maybe you only get access to Salesforce for a day, or a week, or a month and then you must ask to retain it. I appreciate that this may sound unrealistic, but with the capabilities of just about any reasonable provisioning tool, this is very doable. To prove my point let me walk you through a scenario.
Consider Dave, your company’s #1 DevOps pipeline delivery guy. He spends all week working with the access he needs to get his job done. Whenever he needs access to an image or a test suite, or he needs credentials to check in code, the governance engine is squarely in the loop. That means all access entitlements and their connections are either recorded in, or delivered by, the centralized tool. Again, no new trick here; the primary goal of any provisioning system is to track and manage the connections between people, access and data.
Then the following week Dave goes on vacation for two weeks and arrives back in the office early on a Monday morning. While he’s been gone, his access and his entitlements have simply dissolved away – and all he’s been left with is a basic network account, an SSO launchpad, and the ability to request more access.
Now I can already see the help desk folks reading this rolling their eyes and shaking their heads but, trust me, this can and does work. With just basic provisioning and governance capabilities, it is trivial to simply put all his access back in place, maybe before he even knows it went away!
Using basic integration between SSO and provisioning, you can catch Dave’s actual access event and trigger a provisioning response. Based on his attribute and credential provenance and his documented access history, we know we have the right guy trying to make the right access to the right applications. We can run automatic approvals, kick off dynamic provisioning and enjoy the protection of embedded controls; in short, we can put the right least privilege back in place, Just in Time.
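The Dave scenario above, as an added example that is not part of the original post and not any vendor’s product code: a minimal governance engine where every grant carries a sunset date, a sweep removes expired entitlements while baseline access stays, and an SSO access event re-provisions Just in Time only when the user’s recorded history and a preventive SoD rule allow it. Application names, roles, the 7-day TTL and the SoD rule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Entitlement:
    app: str
    role: str
    expires: datetime          # the pre-defined sunset date


@dataclass
class Identity:
    name: str
    baseline: set              # non-expiring access: network account, SSO launchpad
    active: list = field(default_factory=list)
    history: set = field(default_factory=set)   # (app, role) pairs previously approved


class GovernanceEngine:
    def __init__(self, ttl: timedelta, sod_rules):
        self.ttl = ttl
        # Each rule is a pair of (app, role) combinations one person may not hold together.
        self.sod_rules = sod_rules
        self.requests = []     # (user, app, role, reason) left for a human approver

    def _violates_sod(self, user: Identity, candidate) -> bool:
        held = {(e.app, e.role) for e in user.active}
        return any((candidate == a and b in held) or (candidate == b and a in held)
                   for a, b in self.sod_rules)

    def grant(self, user: Identity, app: str, role: str, now: datetime) -> bool:
        """Provision with a sunset date; the embedded SoD control can refuse."""
        if self._violates_sod(user, (app, role)):
            self.requests.append((user.name, app, role, "sod-violation"))
            return False
        user.active.append(Entitlement(app, role, now + self.ttl))
        user.history.add((app, role))
        return True

    def sweep(self, user: Identity, now: datetime) -> list:
        """Sunset: drop every entitlement past its expiry; baseline access is untouched."""
        expired = [e for e in user.active if e.expires <= now]
        user.active = [e for e in user.active if e.expires > now]
        return expired

    def on_sso_event(self, user: Identity, app: str, role: str, now: datetime) -> str:
        """Access event from SSO: put access back JIT if history and controls allow."""
        if any(e.app == app and e.role == role for e in user.active):
            return "already-active"
        if (app, role) not in user.history:
            # Never held before: no automatic approval, a request is created instead.
            self.requests.append((user.name, app, role, "no-history"))
            return "request-created"
        return "reprovisioned" if self.grant(user, app, role, now) else "blocked-sod"


def current_access(user: Identity) -> set:
    return user.baseline | {(e.app, e.role) for e in user.active}


def run_dave_scenario() -> dict:
    """Dave's week, his vacation, and his Monday-morning return, as observable results."""
    engine = GovernanceEngine(
        ttl=timedelta(days=7),
        sod_rules=[(("ci", "pipeline-admin"), ("ci", "release-approver"))],
    )
    dave = Identity("dave", baseline={("network", "account"), ("sso", "launchpad")})
    monday = datetime(2021, 6, 7, 9, 0)
    for app, role in (("registry", "image-pull"), ("ci", "pipeline-admin"), ("scm", "commit")):
        engine.grant(dave, app, role, monday)
    week_in = current_access(dave)

    # Two weeks of vacation later: the nightly sweep has sunset everything non-baseline.
    back = monday + timedelta(days=21)
    engine.sweep(dave, back)
    after_vacation = current_access(dave)

    first_login = engine.on_sso_event(dave, "scm", "commit", back)          # history says yes
    never_held = engine.on_sso_event(dave, "salesforce", "user", back)      # no history: request
    engine.on_sso_event(dave, "ci", "pipeline-admin", back)
    conflicting = engine.grant(dave, "ci", "release-approver", back)        # SoD says no
    return {
        "week_in": week_in,
        "after_vacation": after_vacation,
        "first_login": first_login,
        "never_held": never_held,
        "conflicting": conflicting,
        "final": current_access(dave),
        "pending_requests": list(engine.requests),
    }


if __name__ == "__main__":
    for key, value in run_dave_scenario().items():
        print(f"{key}: {value}")
```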
With just a little bit of Old Dog infrastructure and just a little bit of new trick thinking, we really can make cloud-first Zero Trust a deployment reality TODAY.
In today’s work-at-home, socially distanced world, we’re increasingly reminded of the importance of proximity and the critical nature of physical access. As someone who’s worked in the logical world of enterprise security for so many years, it’s easy to forget that the fastest DoS attack ever is a hammer swung violently at your physical storage array! And with the coronavirus on everyone’s doorstep, physical proximity has become an issue in every walk of life. For COVID-19 it’s social distancing and the now extensively accepted elbow bump. In software security it’s proximity to the hardware and control over physical access that underpins everything we do.
I’m reminded of this critical dependency by the recent announcement that nearly all Intel processors have yet another critical security flaw, one that is “rooted” in the ability to touch the hardware. It now appears that anyone with machine access is able to bypass all platform security measures, including the full and unmitigated exploitation of the Trusted Platform Module (TPM). Anyone that’s tracked the long and intricate history of the cryptographic “root of trust” fully understands the magnitude and implications of this statement.
The March 5th posting from Positive Technologies, titled “Intel x86 Root of Trust: Loss of Trust”, outlined a newly discovered critical flaw in the Intel CSME (Converged Security and Management Engine). The Intel CSME provides the cryptographic foundation for all of Intel’s hardware security technologies, including DRM, TPM and Intel Identity Protection. Their report states that this newly discovered vulnerability “affects the Intel CSME boot ROM on all Intel chipsets and SoCs available today other than Ice Point (Generation 10). The vulnerability allows extracting the Chipset Key and manipulating part of the hardware key and the process of its generation. However, currently it is not possible to obtain that key’s hardware component (which is hard coded in the SKS) directly. The vulnerability also sets the stage for arbitrary code execution with zero-level privileges in Intel CSME.”
The report goes on to say that “this vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms”. They further state that “The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
This latest news means that all Intel processors released in the past five years have an unpatchable vulnerability that is, once again, rooted in physical access protection. If you’ve got physical access, you’ve got a vulnerability. Today, in the shadow of COVID-19, just writing those words feels so old and yet so new. Everything we thought was safe is only safe if it’s physically secured, socially distanced and wrapped in the unsettling reminder that trust is transient and, when lost, so very hard to regain.
There has been a lot said in the IT press lately about people burn-out in cyber security. To that point, it appears that the tenure of an average CISO continues its downward spiral, now trending towards 20 months or less. Twenty months is a crazy short time for anyone to be in such a critical business role. Most organizations need 20 months to accept the scope of the problem and fund a basic plan to move forward. There’s no way 20 months is enough time to understand business impact or enact lasting change.
The question that most boards are asking is why, why doesn’t that CISO stick around? Well Nominet, the UK DNS folks, put out an interesting cyber report last week that may help point to an answer. They interviewed over 800 CISOs from the USA and UK and concluded that extreme levels of stress are a prime factor. Sadly 48% of those questioned said that work stress was having a detrimental impact on their mental health. OMG, 48% and mental health in the same sentence! Even allowing for lies-damned-lies-and-statistics, that’s a crazy number that casts a troubling shadow over the future of security programs everywhere. The Nominet report seems to conclude that far too many security leaders feel the stress of being out-gunned in an unwinnable war – or as Gary Hayslip calls it, a “Cyber Cold War”. And worse, most reported feeling underfunded and misunderstood by their fellow executives and by their governing boards – ouch! And although Nominet only surveyed high-ranking execs, this problem likely crosses the security hierarchy and affects practitioners at every level. Just imagine being a threat analyst or a security tester when you are constantly under attack by a sophisticated adversary – it’s a psychological nightmare. Or take a tour of duty on a security incident response team and you’ll quickly see how totally consuming, exhausting and relentless the cyber defense and response game can be.
The Nominet numbers might seem staggering to anyone looking in from the outside, but if you’ve been part of a large security program you know the pitfalls. Building and sustaining a comprehensive cyber program is as much art and psychology as it is tools and computer science. Not every leadership team or governing board of directors even knows what to ask their CISO to deliver, let alone how to measure their success. There’s plenty of tools and methodologies out there, but are they making the job of the CISO any less stressful? If not, pass the hammer and order me a new monitor please…
Our book on Identity Attack Vectors is finally in print at Apress and available from Amazon here. It was fun writing this with Morey – his third book in a series. I’m glad he asked me to join him on the book; it turned out to be a really fun project and overall experience. If you know Morey, he’s a pleasure to work with and a super smart guy, so I had it easy!
The book covers where and how Identity management technology (and more specifically Identity Governance and Privileged Account Management) are an attack point AND how this key security technology can be used as a significant point in prevention, detection and mitigation of attack. Chapter 7 covers a pretty decent breakdown on the Identity Governance process. It covers what IGA is and how best to approach it – soup to nuts.
We’re doing a book release webinar on February 4th and a book signing event during RSA on Thursday 27th at the Thirsty Bear at noon in San Francisco. I’ll re-post a link for the signing event as soon as I have it.
In the midst of the holiday season and as we get ever-closer to the new year (and 2015 tax filing), it’s important to remind ourselves how to stay safe online. Just because it’s a time of giving (and hopefully receiving) fun new electronics, toys and other goodies, it doesn’t mean that those who would steal your personal information and do you harm are taking time off. Luckily, there are some easy ways to help keep your information safe and guard yourself against potential attacks.
With all the deals going on and the potential for presents to be shiny and electronic in nature, a good number of us will probably receive a new phone, tablet, or other piece of tech in the next few weeks. But before you simply throw away or sell any of your old devices, keep in mind that most of us practically live on our devices and a lot of information naturally collects there. Pictures, GPS data, calendar events, emails, contacts… the list goes on and on. Unfortunately, though your latest cooking achievement may not be of much import to hackers, there is a real and growing market for buying used devices solely for harvesting personal information.
Whenever selling or simply detaching yourself from an electronic device, it’s incredibly important for you to perform a full factory reset. While the process varies depending on model and manufacturer, the general idea is to format the phone and erase any possibility of the retrieval of data. If it’s an old device and not worth much money, it’s much safer to simply submerge it in some water or treat it like the printer from Office Space.
Now, when it comes to setting up your shiny new device, there are a couple of things to keep in mind. Use disk or device encryption whenever possible and choose a good password. This means straying from your pets’ and relatives’ names, birthdays, or anything else that could be easily guessed after reviewing your social profiles.
Internet Access while Traveling
During the holiday season, a good number of us will find ourselves working from home or from remote locations. While the locale may be a nice change of pace, you must consider the security of the networks to which you connect. One easy way to secure your connection to the world-at-large is through a VPN. Some companies provide this to their employees, but you can also find several commercial and free VPN services (just be sure it’s a reputable company and if you really care about data privacy check their logging policy first!). If a VPN isn’t available to you, a good alternative is to simply use your phone’s data connection. Many plans nowadays allow tethering your phone to your other devices to provide a mobile hotspot, and taking advantage of this can provide you with one of the most secure connection mechanisms available. But of course, check your rates and plan restrictions first.
On a more general note, it’s always a good idea to turn off your Wi-Fi and Bluetooth when not in use. This will not only save some battery life, but it will also prevent your phone or laptop from inadvertently connecting to unknown Wi-Fi hotspots. This is particularly important with a modern smartphone: most people walk around broadcasting their current location and arbitrarily connecting to networks everywhere they go. Unfortunately, the bad guys now put out their own public Wi-Fi hotspots specifically to catch the unaware. If your device supports it, turn off the “automatically connect to networks” option, and always make your connections to a Wi-Fi hotspot a considered and deliberate action.
Last May, the IRS suffered a large-scale data breach, and in the resulting forensics analysis it was found that there were not only direct attacks on the IRS systems themselves but also social engineering attacks on individual taxpayers. This means that while you should always be on the lookout for unsolicited calls from anyone asking for personal information, you need to be especially cautious during the upcoming tax season. These calls may ask to “confirm” personal info such as social security numbers and addresses, and usually will end up asking for tax filing fees to be paid via credit or debit card.
Also be on the lookout for phishing emails posed as e-file confirmations. Just like you would under normal circumstances, don’t respond to links in these emails or call the phone numbers provided. Contact the IRS using their publicly published contact methods if you have any concerns. If you’ve ever been the victim of identity theft or if your personal info has been leaked in a data breach, you may also be at increased risk of having a false tax return filed in your name. If your information has been exposed (you can check using haveibeenpwned.com), keep an eye out for any suspicious activity in this area.
Hopefully these tips can help to make sure your holiday season goes off without a hitch… at least where your online security is concerned.
The National Institute of Standards and Technology (NIST) is once again considering the death and eradication of the traditional password. NIST’s senior standards and technology advisor Paul Grassi recently stated that the agency is debating updating the password usage requirements set forth in NIST guide 800-63 to recommend stopping the use of passwords in both government and private enterprise systems.
Grassi notes that a driving factor for the shift is that passwords are becoming increasingly vulnerable to attack. Poor end-user password practices and weak administrative system policies continue to make password-authenticated systems the subject of brute-force attacks.
But the question remains, is a world without passwords truly an achievable goal?
The simple answer – in a perfect world – is yes. What would be ideal is for every app, website and SaaS vendor to subscribe to a common standard of strong authentication and/or federation which would eventually make passwords obsolete.
However, given the current enterprise landscape (even into the near future), I’d caution executives not to hold their breath. The world we live in is imperfect, and legacy vendors are slow (if ever) to adopt standards around authentication. In addition, newer applications, including SaaS and mobile, are more focused on delivering functionality than on delivering secure solutions.
Another challenge is the lack of a common, non-password-based standard. It’s one thing to support initiatives to make passwords a thing of the past, but it would be wise to also pragmatically recognize that for the vast majority of enterprise systems, passwords remain a reality with which we must cope. With the presence of this current paradigm, enhanced password management and governance are of paramount importance.
We continue to hear that password management is a pain point for most organizations and ultimately, their end users. With the right tools in place, organizations can enforce enhanced practices including: robust password policies like password strength, complexity and expiration, and easy-to-use end-user password management tools. With these capabilities in place, organizations can ensure that all users have more secure passwords across all applications – reducing the risk of a data breach.
On December 3rd the public beta starts for Let’s Encrypt. When it does, I’ll be the first on the list for a free digital certificate and (hopefully) this site will become HTTPS only. The EFF kicked off this effort last year, and the fruit is ready to eat for the December holidays.
Anyone that’s administered a web domain with TLS knows that the process of obtaining a digital certificate to HTTPS-secure your site is 100% manual and somewhat costly. That’s basically the reason why blogs and public content like this site are not encrypted. Let’s Encrypt provides a simple protocol that automates most if not all of the process. It lets you obtain a browser-trusted certificate, sets it up on your web server, keeps track of when it’s going to expire, and automatically renews it for you. It also handles revocation should that ever become necessary.
BUT the best bit of all is that the certificates it provides are 100% FREE! So no reason not to encrypt EVERYTHING. It fully supports certificate transparency and so provides a truly enterprise-class HTTPS solution even for the web hobbyist like me 🙂
I recently recorded a webinar on putting IAM at the center of security. It covers how the seven core tenets of successful IAM help create a governance-based approach to IAM and how this helps. The recording is available on YouTube here.
It’s a long 50 minutes with the Q&A on the end, AND it’s a pretty technical look at what makes up a next generation IAM solution, BUT if you’re into what we all do, I think it’s well worth a listen…
While speaking at an industry event in DC last month I made a comment that “even my mother now understood the concepts of password entropy” because I had made the point of calling her in England to explain them. In recalling that conversation with my mother, I wanted to share the three things I told her she needed to do to securely use passwords on the internet.
My mum is a sprightly 70 year old who lives in the UK. We stay in very good touch via Skype and email. She loves her iPad for the web and chatting to me, and especially likes the fact that she can download and store endless amounts of Ukulele sheet music. Yes, my mother is one of “those”. The Ukulele Reformers. They’re like a cult; one that smiles a lot and puts on a gig at the drop of a hat whenever they can all stand together.
So our conversation that day had been about why she needed to be more diligent with passwords on the internet. To make things easier to remember, I gave her three basic best practices that would help keep her passwords safe. I wanted to share that advice here.
My first was that “long is strong”
I explained that, unfortunately, the longer and more complex the password, the safer it will be. Twelve characters should be thought of as an absolute minimum. Avoid using dictionary words unless as part of a complex passphrase, and add special and mixed case characters wherever you can. She immediately said “so how do I remember my password then”? I explained a couple of simple mental models that can help, like using the first characters of a memorable phrase. The example I used was “Mary had a little lamb its fleece was white as snow 98754”, which would then become a password of “MhallifwwaS98754”. I explained how this created what we call “password entropy”, basically complexity, that made it hard for the bad guys to guess her password.
I also told her that writing down long passwords was better than using short ones just so she could remember them. Ironically if you’ve been in the security space for a while, you’ll recall how “the yellow password sticky note” was the cartoon joke of the late 90’s! Odd how things change but stay the same isn’t it?
My second was to “be unique”
To make things harder for the bad guys, the best thing she could do was to use unique passwords at every site. Again her reply was “so how do I remember them all?”. Again I said writing them down and keeping that list safe was ok, but explained that by putting sites into mental groups (by value or name or something else) she could have fewer passwords and share them that way. I also explained that she could easily add something about the individual site to the middle or end of her “high entropy password” to create something unique for each site. So, for instance, her Google password would then become MhalGOOGLEifwwaS98754.
Fortunately there are, of course, good commercial tools and solutions that make this overall process much easier. As for me, I am lucky enough to have SailPoint’s IdentityNow solution to help capture, store and replay my complex passwords. Fortunately her US-based tech support team (that would be me, by the way) was subsequently able to set her up with a consumer password management solution (she’s now a LastPass user) so she had that benefit too.
My third was to “watch the road”
Basically this was to always be aware of where she was on the internet and to take specific note of anything and anybody that asked her to “login” or provide any of her “secrets” and personal information. Again her US tech support associate did have to show her how to set up strong, multi-factor authentication where it was available on her favorite sites. She does now understand the importance of HTTPS and what to do if there’s not a “little lock in the URL bar” – so she’s in much better shape than most.
On a slightly broader security note…
I should also point out that her US-based tech support team (again, that would be me) had previously talked her through installing a browser-based web filter / adblocker (I’m a big fan of uBlock Origin) – so she had some degree of content protection. Plus we had, a while back, had our “the birds and the bees of the internet” conversation – I distinctly remember telling her to “trust no one”. I recall she was a little disappointed by that statement. She said she was surprised that “you computer types hadn’t worked this security thing out yet!”. About all I could say was “Yes, I wish that too…”. She was a little annoyed, but not for long. After all it was already time to hang up Skype and take her iPad song-book and Ukulele to a local gig.