Fighting the Good Fight

Lately I’ve been toying with the security implications that authentication based on your phone’s proximity and push-client features can impose on an organization. I’m not saying it shouldn’t be done; I’m simply suggesting that we think about the risks and mitigations before we jump into bed with it. It’s the usual cat-and-mouse game that plays out in many organizations: users push for easier use, management pushes for lower costs and for keeping the users quiet, and security scrambles to put together a solution that makes everyone happy without leaving the front door wide open. Unfortunately, the security side of the house loses out in most organizations, which compromise on security concerns to put forth a reduced-cost solution or simply succumb to the power of the users. It’s a delicate dance, there are strong arguments on each side, and I’m sure we all get it.

Programmers, security experts and engineers have a finite amount of time to push out solutions; attackers have all the time they need. From the looks of Mandiant’s M-Trends annual threat report, we’re still missing the basics. While time to discovery has dropped dramatically over the years (146 days in 2015 to 99 days in 2016), it’s still not good enough. As the report notes, their Red Team can typically obtain domain admin credentials within roughly 3 days of gaining initial access. Hopefully that is as scary to you as it is to me. Despite sharing this information, I still find it difficult to sway popular opinion on golden cow projects, which likely come about because some executive picked up a magazine while waiting for a haircut and read an article saying that other companies are doing it, so you should too. For some, the thought of not doing it becomes inconceivable, and thus the golden cow project is born, and you had better be on board with it!
For instance, reducing personal highly privileged accounts, or eliminating them completely, is not a popular idea from a user’s perspective, but just imagine the amount of noise the SOC/CIRT has to deal with; it’s like drinking from a firehose. Reducing the attack surface and putting a basic layered security approach in place isn’t even optional to me; you just do it, because it’s a no-brainer, and collectively we should all be way past this point. I think of it this way: if you have fewer things to monitor, you should be able to monitor those things more heavily. Imagine the depth of analytics that could be run on 500 accounts versus 500,000 accounts. While I may be biased toward the shared account model, I think it’s important for an organization and its users to understand: within your organization, your account does not belong to YOU. It belongs to the organization, and you get to use it. That delineation is not easy for some to digest, but a shared account approach certainly drives it home and imposes greater security rigor (password rotation, complexity, audit trails, etc.). Thus my rant concludes; hopefully this inspires others to keep fighting “the good fight”.