Sony getting hacked shouldn’t surprise anyone. Not because it is Sony, but because it is just one more exclamation point on 2014 already being “the year of the hack”.
Personally, several things stand out about what is and is not unique here, and what lessons we can take away.
First, Sony is not unique; companies get hacked every day. We just don’t hear about it, since disclosure laws here in the US are weak. That is, if the attackers even get caught; much of the time they aren’t. Keeping this in perspective is healthy. Threat reports mean little, since they can only extract metrics from known incidents. So if we weigh risk by the headlines alone (as scary as they have been), we’re doing it wrong.
Second, how many of these hacks (the ones we do know about) must we see involving stolen passwords before we finally concede that, as a matter of security best practice, passwords are now officially antiquated and a downright hazard to protecting anything deemed secure? And if organizations are going to argue that passwords can be secure (I know people who will argue this, and I respectfully disagree), why not at least take other measures, such as security awareness training, to educate users on the behavior that typically leads them to give up their passwords (spear-phishing, social engineering, poor storage of credentials, etc.)? Those behaviors have been key elements of many attacks, including Target, RSA, and others.
Now we get to the point where I am also critical of the security vendor community. Learning that attackers had exploited administrator credentials is not surprising, since that is the aim of most attacks: elevate privileges to gain greater access and control, and perhaps cover one’s tracks along the way. What surprises me is that, as common as it is, I know we will hear nearly every identity credential vendor and provider use Sony as an example in blogs, marketing material, presentations, and even on news sites like MSNBC, CNN, etc. *cringe*. Yes, part of their message will align with mine: get rid of passwords where security is expected. However, they often miss the point.
We seldom hear vendors even mention privileged passwords, or how attacks typically start with low-level credentials and work their way toward elevated ones. Instead we hear a generic “replace passwords” aimed at average end users, with no mention of elevated accounts at all. The fact is, most vendors are unaware of the differences, and the challenges, in applying strong authentication to privileged accounts. Privileged accounts function differently, and approaches that work for the general user population have inherent limitations there. Some (but not all) examples:
1. Many admin credentials are shared among administrators by design of the application and cannot easily be segregated to an individual.
2. Many credential management systems wisely have hard-coded rules allowing only one set of credentials per user. An admin would need a dual-level credential of sorts, since they hold two distinct roles in the organization, and for some applications their most elevated role should not apply.
3. Some systems don’t play well with strong authentication solutions.
So I would challenge the credential vendors and marketers to include the privileged audience, in context, in all of their responses and discussions of the Sony hack, rather than leading with half of the story that doesn’t quite solve what we are really seeing.
It is only fair to point out that some organizations tirelessly talk about the privileged problem, such as Phil Lieberman (go read his spot-on and entertaining posts; I could not say it any better) and, for fair mention, his competitors such as Cyber-Ark and Hitachi. But there is another side to it. While they do a great job of solving user segregation and password management for privileged accounts, they similarly do not take seriously enough the fact that the password itself is a weakness and stronger credentials are needed.
While the PUPM (privileged user password management) solution space is evolving to include options for stronger credentials, the two kindred markets should be fully aligned in both offering and integration, rather than each shipping a form-factor point solution and leaving the rest to the other. It takes full awareness in the organization that this needs to be addressed, and both PUPM and stronger credentials, to address what we are really seeing out there. Otherwise it is just media fodder.
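To make the three limitations listed above, and the PUPM-plus-stronger-credentials pairing argued for here, concrete, the following is an added example written for this post; it is not the author’s code and not any vendor’s product or API. It assumes a hypothetical credential broker: each person has a standard identity and, if they hold an admin role, a separate privileged path that requires a second factor (a standard RFC 6238 TOTP code, checked at the broker, so the target system itself never needs to support strong authentication). A shared admin credential that the target cannot split per person is checked out to one identified, strongly authenticated admin at a time, every decision is written to a per-person audit trail, and the secret is rotated on check-in so the value that was exposed is useless afterwards. The people, the target name `legacy-db/sa`, and the initial password are constructed sample data; the TOTP secret is the one from RFC 6238’s published test vectors so the codes are reproducible.

```python
"""Illustrative privileged-credential broker: per-person strong authentication
in front of a shared admin credential, with per-person audit and rotation.
Added example for this post; not any vendor's product or API."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    """A person holds a standard identity; only some also hold a privileged role."""
    name: str
    privileged: bool
    totp_secret: Optional[bytes] = None  # second factor enrolled for the privileged role


@dataclass
class SharedCredential:
    """A credential the target system cannot split per person (e.g. a built-in admin)."""
    target: str
    secret: str
    checked_out_by: Optional[str] = None


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; matches the RFC's published test vectors."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class Broker:
    """Hands out a shared secret only to an identified, strongly authenticated admin."""

    def __init__(self, people: List[Person], creds: List[SharedCredential]):
        self.people: Dict[str, Person] = {p.name: p for p in people}
        self.creds: Dict[str, SharedCredential] = {c.target: c for c in creds}
        self.audit: List[Tuple[str, str, str]] = []  # (event, person, target)

    def _log(self, event: str, person: str, target: str) -> None:
        self.audit.append((event, person, target))

    def checkout(self, name: str, target: str, code: str,
                 now: Optional[int] = None) -> Optional[str]:
        """Return the shared secret, or None with the denial reason in the audit log."""
        now = int(time.time()) if now is None else now
        person, cred = self.people.get(name), self.creds.get(target)
        if person is None or cred is None:
            self._log("denied:unknown", name, target)
            return None
        if not person.privileged:
            # The standard identity never reaches the privileged path (limitation 2).
            self._log("denied:not-privileged", name, target)
            return None
        if person.totp_secret is None or not hmac.compare_digest(
                code, totp_code(person.totp_secret, now)):
            # The second factor lives at the broker, so the target need not support it (3).
            self._log("denied:second-factor", name, target)
            return None
        if cred.checked_out_by is not None:
            # One holder at a time keeps the shared account attributable (limitation 1).
            self._log("denied:in-use", name, target)
            return None
        cred.checked_out_by = name
        self._log("checkout", name, target)
        return cred.secret

    def checkin(self, name: str, target: str) -> bool:
        """Release the credential and rotate it so the exposed value is useless afterwards."""
        cred = self.creds.get(target)
        if cred is None or cred.checked_out_by != name:
            self._log("denied:not-holder", name, target)
            return False
        cred.secret = secrets.token_urlsafe(24)
        cred.checked_out_by = None
        self._log("checkin:rotated", name, target)
        return True


# Constructed sample data: RFC 6238's test secret so the codes are reproducible.
RFC_SECRET = b"12345678901234567890"


def build_demo_broker() -> Broker:
    people = [
        Person("alice", privileged=True, totp_secret=RFC_SECRET),
        Person("bob", privileged=True, totp_secret=RFC_SECRET),
        Person("carol", privileged=False),  # standard user, holds no admin role
    ]
    creds = [SharedCredential("legacy-db/sa", secret="initial-shared-password")]
    return Broker(people, creds)


if __name__ == "__main__":
    b = build_demo_broker()
    t = 59  # RFC 6238 vector: code 287082 for this secret at this time
    print(b.checkout("carol", "legacy-db/sa", totp_code(RFC_SECRET, t), now=t))  # None
    print(b.checkout("alice", "legacy-db/sa", "000000", now=t))                   # None
    print(b.checkout("alice", "legacy-db/sa", totp_code(RFC_SECRET, t), now=t))  # secret
    print(b.checkout("bob", "legacy-db/sa", totp_code(RFC_SECRET, t), now=t))    # None: in use
    print(b.checkin("alice", "legacy-db/sa"), b.creds["legacy-db/sa"].secret)
    for row in b.audit:
        print(row)
```

The point of the design is that the shared password never stops being a password; what changes is that nobody gets it without a per-person strong authentication event in front of it, every use is attributable, and the value leaks for at most one check-out window before rotation. In a real deployment the second factor would be a hardware token or platform authenticator rather than a software TOTP, and the broker would inject the credential into the session instead of returning it to the admin.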