By Dr. Thomas P. Keenan, FCIPS, I.S.P., ITCP in collaboration with Ron Murch, I.S.P., IPCP – both with the University of Calgary.

Some of Canada’s leading Chief Information Security Officers spent an hour discussing the increasing vexing problems of  Identity Management.

In a session conducted by Derek Mankey, Chief of Security Insights, Fortiguard Labs, and moderated by Bobby Singh, CTO and CISO for the TMX Group, a group of CISOs tackled the latest issues in Identity Management, many of which have been emphasized by COVID-19.

MOVING TO A DISTRIBUTED WORK ENVIRONMENT.  Mankey noted that the sudden shift to working from home has created new kinds of attacks and opined that many companies “were not properly set up for the distributed enterprise models”.   Attacks have ranged from selling bogus COVID-19 drugs and counterfeit PPE to trying to steal data from biomedical and pharmaceutical companies.

Other scams include fake job offers, malware embedded in resumes, and lures to join money mule networks targeted at people who have lost their income because of the pandemic.

Without the cybersecurity envelopes provided in centralized work environments, many organizations struggled with how best to protect their remote employees as they moved rapidly to distributed, work-from-home arrangements.

EMAIL SECURITY.  One CISO observed that everybody is getting more paranoid about emails and sometimes legitimate ones are treated as suspicious.  Several companies noted that they flag emails that come from outside their organization, though this could be subject to hacking if the bad guys are crafty enough to tamper e.g. with an organization’s Active Directory.

The issue of doing surveys using SurveyMonkey attracted a lot of interest because tightening up email rules, both human and technical, can cause people to doubt their authenticity.  Putting links to surveys up on a corporate Intranet was suggested as one solution. Also, you can use verified emails to alert employees that a survey will be coming.

PHISHING SCAMS.  Phishing test campaigns are becoming popular, with appropriate feedback to people who click on bad links. One firm reported that if somebody fails their phishing test “we lock their account, and force them to change their password, and this has changed user behavior.”

Lawyers are a particular target of spearphishing because they usually provide very detailed personal credentials and contact information on their main websites.  This makes it easier to craft emails that look like they came from a partner or an associate in their firm. Also, there are vulnerabilities when they deal with clients ranging from man in the middle attacks to destination compromises, e.g. at “that cannabis company that doesn’t have a good I.T. department.”

One firm has a single point of approval (the CFO) for all wire transfers, ideally backed up by a phone call.

WHAT CONSTITUES IDENTITY.   Identity is often assumed to be associated with a human being.  However, it can be associated with other types of entities – an organization, a shopper who isn’t yet identified, or built from anonymized data.  Target built an identity for customers starting with just “we’ve just seen this debit card that we haven’t seen before” to asking for home address, tracking purchase history etc.  This led to the famous (and controversial) “Target knows teenage girl is pregnant before her father” New York Times story. Corporate directories on a website are a goldmine for obtaining identity and corporate structure data, and postings on LinkedIn can lead the bad guys to the person who can authorize a payment. Be careful what you reveal.

COUNTERMEASURES. Derek was asked if he used sites that monitor or blacklist traffic and if they were worth it.  He said, “we have reputation services and do content inspection as well as machine learning, human analysis and canary tokens” and that “it’s worth the overhead if you have the right infrastructure.”

PRIVILEGE ACCESS MANAGEMENT.  There are some subtle factors at work here, like cloud-based licenses where the company doesn’t want to pay for multiple seats.   This can lead to account identity sharing which can then cause problems.  With the move to the cloud, and distributed service providers, identity is moving away from on premise MFA to cloud based authentication, e.g. the Microsoft Authenticator app. Passwords are going away but not gone yet.

One company said they are “going through an identity exercise” where they try to identify customers, vendors, sister companies, and their policy for “identity zero” e.g. a customer coming in through a shopping cart before they provide identity information to execute the sale.

Another issue is data ownership.  According to one participant, “we’ve run into three cases where part of a third-party contract allows that company to resell analytics of our database.”

There is certainly interest in biometrics, e.g. some U.S. banks allow you to use your phone and face as “proof” of identity when creating or accessing accounts.

HIRING WHITE HAT HACKERS.  The consensus was that they have their place, but you have to be careful who you hire. Sometimes you just get pentesters running Metasploit and if they are unethical that can be a problem. Who’s guarding the guards? Kevin Mitnick, who calls himself “the world’s most famous (former) hacker” has a good book on this subject, Ghost in the Wires.

Good ideas, experiences, and stories were traded, and everyone agreed that identity management will be an ongoing source of both employment and concern for CISOs for a long time to come.

The next discussion is scheduled for June 12 and will continue the discussion into various aspects of Identity.