Lockheed DHS Whistleblower — Most organizations are avoiding critical best practices on purpose!
This is why Equifax, Yahoo, OPM, Anthem, FedEx, Blue Cross Blue Shield and others were hacked. And why most organizations and companies have already been hacked, do not know it, or will be. Hacks will never be significantly diminished until this practice and all the underlying issues keeping it from happening, are fixed.
My name is Michael DeKort. I am a former engineering manager for NORAD, a lead C4ISR systems engineer for DHS and a software project manager for an Aegis Weapon System baseline. I also worked in counter-terrorism at the US State Department and in Commercial IT. I received the IEEE Barus Ethics Award for whistleblowing regarding the DHS/USCG Deepwater program post 9/11. (That included cybersecurity issues not mentioned in most articles).
The overwhelming majority of companies and government organizations are avoiding the most critical cybersecurity practice of all. Dealing with Privileged Account security. It’s the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed). Also most hackers are in a system for almost 6 months before being detected.
Of the small fraction of companies that even say they deal with this area and purchase products few of them actually use the products they purchase properly. Many install them then slow roll actually using them to any significant degree for decades. Often this is meant to purposefully deceive C-Suite and regulators. This puts everyone at risk. (Note — cloud data, including emails over 6 months old, are not protected by the 4th amendment in the US).
Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn’t the organization responsible for telling others what best practice is use best practices for its own security?
Why is this happening? IT leaders have no problem with firewalls, anti-virus or monitors of any systems except privileged accounts etc because those things are additive, don’t cause them to drive cultural habit changes or expose massive best practice issues. That leaves huge cybersecurity best practice gaps.
Examples include having 4X more accounts than people. Non-encrypted password files or spreadsheets and emails with passwords. Software programs with passwords hard coded in them and many not knowing where they all are. As a result of this many passwords are not changed for decades. Especially for applications or databases. There is also the problem of having local admin permissions available on laptops and end points and not knowing where they all are either. Fixing those issues would also require forcing the masses to do things differently. Few have the desire to be part of any of that. In spite of “continuous process improvement” etc.
Governing bodies and regulators mean well but they don’t help much either. They try to avoid being too specific to let the industry figure out best practices, do what is right for them or avoid government being too involved. Most of it is nonsense. This gives organizations far too much room to wiggle. Which they have no problem exploiting. Most companies and organizations doing the least amount possible.
This is not a technical issue. Or even one of money since it cost more to not fix this given the hiring of way too many cybersecurity people to work around best practices. It’s one of Courage. Courage to admit the problems exist and to deal with the culture and lead them to fix them. And to not sacrifice customers or the public to protect egos or let the bean counters justify it’s cheaper to harm customers than the bottom line.
Core and Ancillary Practices in Privileged Account Management (PAM)
1. Least Privilege — The more folks who have system wide or broad access the worse off you are. Where possible limit access by role. This means not having more account than there are people and having accounts not used or unaccounted for.
2. End Point Protection — Never allow admin privileges on user devices. Know where they all are and have their access actions monitored.
3. Password Protection/Vaulting — Passwords should not be on spreadsheets or in emails. Worse case if they are they should be in a Vault with a proper identity and access process. (Same for SSH keys)
4. Password Updating — Passwords should be updated often especially in response to events like employees leaving etc.
a. Note — A password manager is best. Which facilitates unique, non-shared passwords. However, for individuals with no manager it has been determined that using phrases and not changing them is actually safer. (Phrases that are not obvious with good practices.)
5. Passwords Hard Coded in Software — Passwords should not be hard coded in software. There should be a process for programs to get a password when needed and to not store it in any manner.
6. Monitor all System and Privileged Account actions — Account access and what people or systems are doing with access should be monitored for actions or access that go outside what is specified of intended.
7. Jump Server — Minimized Knowledge of System Passwords — This process puts a middleman in the loop. Users provide their identity and personal password to the jump server. That system verifies access then uses another password to log the user on to the system. This keeps most people from ever knowing system passwords. It also makes updating system passwords often far less of a hassle to users.
8. Identity — Two factor identification should be utilized.
While PAM products are not needed to effect most of these (not counting the Jump Server) they make the process far easier. Especially for companies of any size and complexity.
Here is an where a professor states exactly what I have been saying about the importance of this best practice area (Root credential=Privileged Account) — University labs put cybersecurity under the microscope
“(Professor Shiu-Kai Chin of Syracuse University) Chin — whose area of expertise is mission assurance — agrees that cybersecurity needs to be included in the design process, as well as part of the organizational culture.
“I hate blaming users for problems they didn’t create because we did not design these particular systems with authentication and authorization in mind from the very start. Users are unprotected and they have to think at this level. That really can’t be the ultimate state of affairs,” he said.
Chin said cyberthreats are continually evolving with the technology, but are especially troubling when it comes to the increased focus on capturing what are called “root credentials” — basically, an organization’s master key. Whether obtained through social engineering methods, like phishing, or direct hacks, once those credentials are in the open, it becomes harder to contain the attacks.
“Once you have lost the guarantee of integrity, your entire organization is at risk,” he explained. “What that really means is people at the very top, if they get phished or harpooned or spearphished, however you want to say it, then an organization is in deep trouble.”
Here is an article stating the exact level of apathy I have been talking about
Cybersecurity is becoming a problem people can’t ignore, hackers say — http://www.chicagotribune.com/bluesky/originals/ct-bsi-cwi-cybersecurity-20171019-story.html
“Micah Zenko focuses on the present to fight threats. As a Whitehead Senior Fellow at the think tank Chatham House, Zenko puts himself into the mind of potential adversaries to identify vulnerabilities within an organization.
The biggest problem he thinks organizations have? Apathy.
“The biggest threat to cyber is not Russia, is not North Korea … it’s not any malicious actors, it’s basically people who decide that this isn’t a significant problem to deal with,” he said. “A lot of firms know about vulnerabilities … and they don’t do anything about it. And the reason they don’t do anything about it is because the criminal penalties are so minimal and their ability to be sued by their customers or by their suppliers is quite low and the risk insurance that they can buy makes it all quite tolerable.”