Identity and credential appropriation are increasingly common features of successful cyberattacks. As a result, identity represents a massive risk area that needs to be addressed.
Understanding and mitigating risk is a core component of a security leader’s remit. While organizations classify risk in many ways, identity is one of the most fundamental aspects of any cybersecurity program.
Identity and credential appropriation account for a large share of cyber-related incidents and breaches. Verizon’s 2021 Data Breach Investigations Report found that the use of stolen credentials featured in 25% of breaches, making it the second most common breach action variety after phishing.
One of the most highly publicized breaches in recent memory was the compromise of IT management software vendor SolarWinds, which began early in 2020 and was disclosed that December. The attacker gained access to the build of SolarWinds’ Orion product and inserted malicious code, which was then distributed through the software supply chain to the companies using it.
“Unlike some vulnerability exploits, this breach didn’t start with a patch. It started with privileged elevation into those systems. A person was able to usurp another person’s credentials in order to transact as if they belonged to that company and get into those production systems, it was identity at its core,” says Ping Identity Head of APAC and Japan, Ashley Diffey.
In May 2021, Colonial Pipeline in the United States, whose roughly 8,850km pipeline carries gasoline and jet fuel between Texas and New York, suffered a ransomware attack that led it to suspend operations for several days.
In June, Reuters reported that Colonial Pipeline CEO Joseph Blount had told a US Senate committee that the attackers got in using a single compromised password for a legacy VPN account that was not protected by multi-factor authentication.
It is important that cybersecurity leaders think about identity from a risk intelligence and management perspective, and have in place adequate governance, technologies and practices to complement this approach.
From an identity perspective, risk intelligence means using monitoring, validation and governance to increase confidence that the people accessing organizational networks and systems are the people to whom those privileges were assigned.
The rest of this article adds local context by looking at how cybersecurity leaders in Australian organizations think about risk through an identity lens in their own security strategies.
The Identity Risk
For Ping Identity Head of APAC and Japan Ashley Diffey, establishing certainty that an identity matches its authorized user is a foundational risk control.
“All risk that exists inside of a company’s four walls can in large part be tied to the lack of a strong connection between an identity and the information, data resources and assets that it’s allowed to have access to,” he says.
The way cybersecurity leaders and their organizations think about and share risk is foundational to how effectively it can be managed.
Krishna Kasi, VP of Audit, IT and Risk at BNP Paribas, says he starts calculating risk in terms of the potential impact relative to the probability of occurrence.
“The actors, adversaries and internal threats we’ve seen recently, that’s all with reference to identity,” he says. “If we don’t have appropriate levels of authorization, at the end of the day your risk definitely grows.”
Kasi defines appropriate authorization as satisfying three factors: who you are, what you know, and what you have.
“From these three perspectives you can enhance and strengthen the means of authentication of individuals within an organization,” he says.
“For example, take a person who has joined a specific company and received a laptop to connect to the network. The first thing is they have probably got a username and password. Is that sufficient? Probably not, because how do you ensure that the person joining or logging in is the person whom you have actually given the username and password to?”
He continues: “Identifying the sensitivity of the employees, identifying who should access what, and to be able to assess and properly authorize by setting certain roles that a person needs based on the activities that they perform, that’s the key part which I would run.”
Queensland Department of Education Chief Information Security Officer Steven Woodhouse says there are some 650,000 education identities in the state, accessing systems every day. With more than 1,200 school sites in the state, the risk landscape is huge.
“From a risk perspective, it starts at enrolment,” he says. “We have to make risk mitigation considerations at each stage of an identity lifecycle from enrolment onwards with respect to what access those identities get, who manages it, and if it could be exposed.
“We run dashboards and monitor identity and see threats coming in from all over the world,” he concludes.
Kostas Kyrifidis, President of the Victorian Security Institute, says that at board level identity is increasingly being recognized as a top business risk.
“Identity security is so important to let our teams and various stakeholders easily and securely access our systems through a variety of end devices,” he says. “Having risk intelligence built into identity policy and governance gives boards confidence that their security teams can manage the threat landscape.”
“Managing this risk starts from the top, you have to educate the board, in my view. You need compulsory education throughout your organization to strengthen your posture,” he concludes.
Risk Awareness and Change Appetite
In 2020 the Australian Institute of Criminology reported that one in four Australians surveyed had been a victim of identity crime at some point in their lives, with personal information most often obtained through hacked or stolen devices and then used to steal money from bank accounts.
Because many victims never learn that their identity has been misused, the true rate is likely to be even higher. A threat this personal means staff should take the identity risk to their employers as seriously as the risk to themselves.
Queensland-based QSuper Chief Information Security Officer Jason Anderson says his team has worked to decouple security thinking from a purely technological perspective to a cultural one.
“In risk, a lot of organizations, especially when you talk about things like identity, it gets to be a technology owned or driven area, which I don’t necessarily agree with,” he says. “All cyber risk, including identity, must be seen as a business risk and be pushed out across the whole business.”
He continues: “I strongly believe that cyber risk is a business risk and should be treated like any other business risk. It is essential that organizations go through a process of centralizing risk and making sure there’s accountability out through the business for those risks. All business leaders need to buy in to make sure they have some level of accountability for it.”
Anderson adds that the importance of identity security is becoming more widely recognized at the individual level, which lays the groundwork for moving away from traditional identity controls.
“It’s frustrating when you look at the rate of helpdesk calls and the majority of them are around lost or forgotten passwords and resets. It’s wasted time and effort from my perspective. We need to make it better for people,” he says.
He continues: “People are using facial recognition on their phones, using one-time passwords, authenticators on their phones; they are accustomed to verification texts to verify their identity.”
“We, as an industry, are starting to change and people are becoming more adaptable to different types of technologies to move away from conventional password authentication. Having a better experience than passwords might mean there is a little more pain upfront, but once systems are in place, they are significantly easier to work with,” he concludes. “Getting that balance right between the use of technology and awareness is important.”