Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day and it has become common place across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate it?

Riisk is composed of: Impact x Likelihood. 

Impact- The damage caused by the risk, criticality of the assets, the actual data in the systems, the liability associated with an audit finding

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts,and exposure or vulnerability of such systems.


Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.


Regulatory risk is associated with not being complaint with any number iStock_000026774677_Large_1.jpgof regulations. The penalty for this might be financial penalties, incarceration or a drop in stock prices if said issues are "material" enough to require reporting. For example, compliance within the healthcare industry with data privacy and HIPAA, companies within the Financial Services industry and SOX compliance, or retail organizations or anyone else accepting credit cards who must adhere to PCI compliance. What regulatory risk calls for is the implementation of a governance process for which to ensure compliance.


When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing  centrifuges that were hacked into and then stopped and started over and over until they blew up.  Here, governance process is not enough. This is now about protection and the impact is far greater than just a fine. Reputational damage, brand image, liability, and other major financial damages will impact the company.


Compliance regulations have helped and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. Reason being, there is too much data and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.


cyber-311111.jpgWe need the ability to really understand risk within the constricts of impact and likelihood. In order to satisfy both regulatory needs and to mitigate against real risk we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities to systems, criticality of business systems and the data stored in those systems. This helps us better understand our enterprise risk.  Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read actually managing this stuff), efficiency (read cost savings) and efficacy (real and regulatory risk reduction).


To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens, and ebook_Assessing_the_Risk.pngonce you do that, you better figure out how to remediate the issues really quickly. The Courion suite of solutions are designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.


Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

Trivia Crack promposals, hacked uber rides,"dislike" buttons and more in this week's #TechTuesday

Posted by Harley Boykin on Tue, Sep 29, 2015

Tags: cybersecurity, cyber risk, #techtuesday, hacker, cyber attack, risk, hackers, Cyberattack, Hacking, tech tuesday

Intelligent IAM for Risk Assessment

Posted by Steve Morin -Director, Product Management on Thu, Aug 20, 2015

Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we took a look at how intelligence improved the governance portion of IAM. In this segment we look beyond just provisioning and governance to address how intelligent IAM can help to reduce the top 5 most common elements of risk: identity, resources, rights, policy, and activity. 

1. Identity: In part 2 of our series, we discussed how human resources were the most dynamic risk facing security teams today. The reason behind this is that you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These are questions constantly being asked by our system and can equate to hundreds or even thousands of access requests a year. 

describe the image
With intelligent IAM, all roles are built into the system along with the basic applications that they need access to. For example, when a marketing manager was hired, they would be led through the system to request access to their email account, marketing file share folder, and marketing automation software because those are typical of their role and inside their peer group. All requests that fall within the boundaries of their peer group they would be automatically approved for. However, if they wanted access to, say the sales folder, they would have to request special access. This solution gives the user guidelines rather than the all too common shopping cart approach where they are requesting items that they don’t really need and creating a backlog of requests while the approver decides if they really need that access.

2. Resources: With so many business applications, servers, mobile devices, etc. do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?

Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data, but will send up a flag, or an alert, when a high risk event takes place. When accounts are created outside of the provisioning system or high risk applications are granted outside of a role or peer group they will be flagged as a "critical risk". 

3. Rights: Who really needs access to what? Before intelligent IAM all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are not as high risk and can be audited on an annual or semi-annual basis. However, there are other applications that are highly critical and must be assessed on a monthly or weekly basis. Doing this manually for all employees would be impossible. 207H

By using intelligence, your IAM system can review rights as needed and ask for re-certification for sensitive applications. For example: an email account can be automatically re-certified each month as long as the employee isn't terminated. However, the payroll system may need a monthly manual re-certification to make sure that only the right people have access.

4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of Duties is an easy addition, especially when set initially. Managers should not be able to both post and approve their own time cards, nor should they be able to place and approve a purchase order. Governance certification and approvals as well as segregation of duty assignments will help to mitigate this risk rather easily.

time 273857 12805. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task and without an automated system is basically impossible. Much like with the alerts sent by your high risk resources, you can use intelligent IAM to see what your users are doing with real time monitoring and be alerted to any inconsistencies. This real time look into your system shows you what is happening with approvals as well as risk assessment and can take away the need for annual or semi-annual auditing. With an automated system you will be able to see sensitive updates monthly, weekly, or as needed instead of having to wait 6 to 12 months for an audit.

While the idea of an Identity and Analytics system is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With the use of real-time data and information backed automation systems, you are able to have visibility into your system at any time rather than waiting for an audit. Your decisions will be made based on the most accurate and up to date information.

Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about: 

- What is Intelligent IAM? 

- Intelligence for Provisioning

- Intelligence for Governance

- Intelligence for Risk 

- And More! 

         describe the image        


Tags: risk management, intelligence, cybersecurity, security risk, cyber risk, IAM, cyber security, risk, intelligent IAM, identity, identity and access management, IAI, Identity & access management

Assessing the Risk of Identity and Access

Posted by Ashley Sims - Marketing Manager on Thu, Jul 16, 2015

Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage the risk?

With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are: 

infrastructure change

-  Routine changes such as hiring, promotions or transfers 

-  Infrastructure changes such as mobility, cloud adaptation, system upgrades, or  new application rollouts. 

-  Business changes such as reorganizations, the addition of new products, or new partnerships

In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.

Want to know more about how Identity and Access Governance can help lessen your risk? Read more by downloading our eBook and learn about: 

-  How to remain compliant with an IAM solution
-  Preparing for an attack
-  Automated provisioning
-  And more  
ebook assessing the risk

Tags: governance, cyber security, provisioning, cyber attack, risk, compliance

Assessing the Risk of Identity and Access, Part 2

Posted by Venkat Rajaji on Thu, Jun 18, 2015

Venkat Rajaji VP of Product Management & Marketing

In part one of this blog, we shared reasons why your security team may not be able to sleep at night: risks to your information technology infrastructure that may be caused by risk from identities and their access. We discussed the most common access risks—from the routine to those caused by changes in the business—and provided some reasons why you may want to look inside, and not just invest in perimeter security. If you haven’t yet read part one, you can do so here.

So now that we know what the risks are, let’s discuss ways to mitigate these access risks and gain visibility into your organization.

Identity and Access Management Controls

When we look at provisioning identities or certifying access for governance, it quickly becomes a rubber-stamping process. You want to make sure the right people have the right access but what if you don’t know what that person needs for his or her job? Do you reject or approve? Other than a slowdown in productivity, there is no bad outcome if you don’t approve access, but instead request additional sign-offs. After all, with hundreds of thousands of people and identities, access rights and roles, policies and regulations, actions, and resources, you have trillions of access relationships to manage.

In a survey conducted by Courion about the access risks that cause the most anxiety, number one on the list—at 46 percent—was privileged account access; that is, accounts such as those used by administrators that have increased levels of permission and elevated access to critical networks, systems, applications, or transactions. Other anxiety-causing access issues that accounted for 31 percent were unnecessary entitlements and abandoned or orphaned accounts. What this tells us is that over half of the anxiety in your organization is based on provisioning.

To effectively address this issue, we need to start looking at not just passing our audit at the end of the year but also at the true impact of risk created through increased or inaccurate access credentialing on an ongoing basis.

But what if with each request you received you also knew the perceived risk of approving or rejecting it? What if you could take a look at all of your credentials across your system and see who was the greatest risk? That’s where an intelligent or risk-aware identity and access management tool comes in.

With risk-aware IAM you have the ability to automate your provisioning process to keep your backlog at a minimum and still ensure that you are provisioning the correct access to your employees without just rubber-stamping an approval. With intelligence driving your provisioning and governance you can see risks long before you have an issue. Imagine if you were able to log in and see access credentials listed like this:

Risk Aware IAM Table

We need to understand these access risks on a scale from low risk to high. Provisioning today includes a request, a policy evaluation, and a quick approval or rejection of the request. At Courion, we see things differently. If the request is seen as a low risk item, then it gets passed through and fulfilled in our automated system.

Provisioning Tool

But for other access requests which may represent some risk, the access request will require an approval or both an approval and a micro certification.

This micro-certification, or risk-based certification review, provides holistic context around the information being examined, thus allowing an IS manager to make an informed decisions on whether a user’s access is suitable or not before granting access. By performing these narrowly focused, micro-certifications, organizations can reduce access risk in a smarter more efficient way on the front end of the request to guard against over- or under-privileged accounts

 Provisioning Stystem

Intelligent IAM is the next-level evolution of traditional IAM. Each process is led with intelligence with front end approvals and risk assessments that allow near real-time decisions that manage and mitigate risk to the company. According to Gartner, “By year-end 2020, identity analytics and intelligence tools will deliver direct business value in 60 percent of enterprises, up from less than 5 percent today.”

Through continuous monitoring and analytics applied to your provisioning and governance activities in real time, you are able to see the most up-to-date information thus allowing your company to truly make data-driven decisions. With intelligence driving policy, provisioning, and access decisions, you can mitigate risk in real time and have better visibility into your organization.

Are you looking for more visibility into your company’s identity and access risk? With a Quick Scan assessment of your organization’s access risk we can help you take a quick look into your security measures and provide you with a plan of what you can do to mitigate those risks. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at  

Tags: venkat, risk, access intelligence, rajaji, Identity & access management

Assessing the Risk of Identity and Access

Posted by Venkat Rajaji on Wed, Jun 10, 2015

describe the imageHere at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect identify and manage the risk?

Most Common Risks

With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are:

• Routine changes such as hiring, promotions or transfers

• Business changes such as reorganizations, the addition of new products, or new partnerships

• Infrastructure changes such as mobility, cloud adaptation, system upgrades, or new application rollouts.

Routine vs Business vs Infrastructure Change

In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.

What is Identity and Access Governance?

Identity and access governance tools establish an entire lifecycle process for identities in an organization, providing comprehensive governance of not just the identities but also their access requests. These lifecycles decisions are developed through real time intelligence and are informed by an organization’s processes. When we are preparing for an audit we have to ask questions we had never been asked before: Who has access to what? What does that access allow them to do? And why do they need that access? IGA helps to answer those questions up front to ensure that every identity has the right access, to the right things, at the right time.

When the internet was brand new, an organization had one room with only two to three people having access to resources. As a result, there was a pretty low risk of anyone hacking their way in. Now, our data centers are everywhere from a server room in a remote location to the cloud of everywhere-ness.

The result is that we have a broader and ever exploding attack surface and diversity of infrastructure. You’ve heard of the “Internet of Things” and these “things”, that is, Internet-enabled devices and resources, such as a building thermostat or a household appliance, have increased the attack surface tenfold.

Unfortunately, we also are faced with e a super sophisticated attacker ecosystem. Hackers are now working collaboratively, looking for weaknesses in your infrastructure and are armed with increasingly sophisticated and specialized tools and services. It may only take a hacker a few minutes to get into your system, but now they know that the payoff is worth waiting days or even months for the perfect time to strike.

The Issue of Compliance

If you look at the most recent Verizon PCI Compliance Report you will see that the average organizational compliance is at 93.7%. However, when you break that number down into the number of fully versus partially compliant firms, you will see that only 20% are ‘fully’ compliant. So if as organizations we collectively are compliant at 93.7%, then why have the total number of security incidents detected increased 48% since 2013? The answer is that we need more visibility into our systems. The top audit findings for the reasons behind these attacks are:

• Excessive access rights

• Excessive developers’ access to production systems and data

• Lack of removal of access following a transfer or termination

• Lack of sufficient segregation of duties

The biggest risk here is credentials. The number of stolen credentials is no surprise when you consider the number of transfers and terminations and accounts with excess access to sensitive systems that may remain active.

According to the Verizon Data Breach Investigations Report, 2015, when asked if their organization is able to detect if access credentials are misused or stolen, 42% of companies surveyed in the report said they are not confident in their ability.  Even worse, according to CSOOnline, 66% of board members are not confident of their companies’ ability to defend themselves against any cyberattack.  For those of us on the information security team, that shows a lack of boardroom trust in our capabilities.

Why do board members have so much trouble trusting our cybersecurity measures? Consider the fact that in 60% of cases, attackers are able to infiltrate the system within minutes and it typically takes information security around 225 days to find the breach. Just recently, the U.S. government Office of Personnel Management was hacked and more than 4 million current and former government employees may be affected. While investigators have known about the breach since April, they are still trying to determine what was hacked and what information was leaked since it could have been up to six months since the attackers initially gained access into the system.

Preparing for an Attack

This attack makes us think about the elements of an attack and where our federal government’s systems may have broken down. The elements of an attack are:

Data Breach Lifecycle

While we have anti-virus and anti-malware to fend off some of these attacks, and DLP and SIEM processes in place to fend off or detect others, we do not have the ability to fully defend against access targets and lateral movement once access is gained. What this means is that even though we are spending money, sometimes up to 85% of our budget on defending the perimeter, we have little to no security on the inside stopping hackers once they have penetrated our networks.

Are you ready for an attack on your system? Do you have a plan for internal and external breaches? Do you know your current risk? In part 2 of “Assessing the Risk of Identity and Access” we will discuss ways you can measure your perceived risk and ways to monitor your access rights to ensure true compliance.

Want to know your risk? Contact us today for an Access Risk Assessment of your system to identify your risks today.

Tags: venkat, access, governance, assessment, risk, breach, identity, rajaji, data

Connect with Courion at Conferences in D.C. & San Diego June 8-11

Posted by Ashley Sims - Marketing Manager on Mon, Jun 01, 2015

Ashley SimsSummertime. If the baseball teams are traveling, so are we!  Connect with Courion as we hit the road for two of the information security industry’s most popular events.

From Monday June 8th through Thursday June 11th, you can find Courion at the Gartner Security & Risk Management Summit in our nation’s capitol, Washington, D.C. Do let us know if you are attending so we can connect with you.

And while we don’t possess Hermione Granger’s Time Turner from the popular Harry Potter series, you can also find us some 2,685 miles away at the Cloud Identity Summit in San Diego, which also runs from June 8–11.hermiones time turner closeup

If you will be at Cloud Identity Summit, make sure to attend the session on "Assessing the Risk of Identity and Access" on Wednesday June 10th at 9:45 a.m. PDT led by Courion VP of Marketing & Product Management Venkat Rajaji.

Venkat’s session will share how you can enhance traditional governance and provisioning with continuous monitoring, analytics, and intelligence so your organization is more risk-aware, even in a world where the mix of cloud and enterprise legacy applications and resources may present an identity and access management challenge.

So whether you are on the east or west coast or somewhere in-between, we hope you will make the time to connect with Courion.

Tags: Gartner, Ashley, summit, venkat, cloud, risk, security, identity, management, Sims, assess, rajaji

Risk-aware IAM: A Hot Topic for a Cold December

Posted by Nick Berents on Thu, Dec 11, 2014

Nick BerentsAt last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which says there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and who are seeking to maximize their IAM investment.

The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.

In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.

I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings frwatchfuleyeom that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.

For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:

Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion will present, Keep a Constant Vigil: Risk-Aware IAM on Monday December 15th at 11:00 a.m. Eastern.

This webinar will help an IAM professional at any level. I hope you can tune in!

Tags: Gartner, Harvard Pilgrim, Webinar, Berents, IAM, healthcare, Nick, risk, insurance, Aflac

Unmanaged & Unused Service Accounts: Your Unseen Access Risk Problem

Posted by Josh Green on Tue, Sep 30, 2014

Josh GreenWe all have skeletons in our IT closets that we'd rather forget about. In nearly every organization’s network, there is a legacy application or old piece of infrastructure that is bound to reach the end of its useful life at some point, yet plans for removal of obsolete technology typically do not exist. What we often fail to consider, however, is the fate of our service accounts associated with these aging applications and infrastructure. Unmanaged or unused service accounts represent a qualified, and in the case of Target Corporation, hugely quantifiable, risk to any organization. Continuous intelligence-based pattern recognition and monitoring using an identity and access analytics product like Courion Access Insight is the easiest and most effective way to mitigate such risk.Service Accounts and more

Service accounts are accounts on a system that are intended to be used by software in order to gain access to and interact with other software. Correspondingly, It is common practice that passwords for such service accounts are not frequently changed so that the loss of this interconnectivity can be avoided. These accounts are also frequently highly privileged, allowing a large number of activities to be integrated between systems.

How is this a risk if the accounts aren't meant for humans?

The Target breach was no more complicated than the hacks often seen on the news when someone has altered the message displayed on a road construction sign: an attacker finds or knows of a default service account and password that exists on the system and exploits it to gain access.

The Target breach was only slightly more complicated: attackers were aware of a service account laid down automatically by the installation of BMC software. The attackers were able to leverage that service account to elevate the privileges of a new account they created for themselves on the network, and the rest is history. The attack cost Target an estimated $2.2 billion, and highlighted that some common IT practices may not be "best" practices at all.

How can this threat be managed? How does one even identify a service account?

When the service accounts have been purposefully created, identification of these accounts can be straightforward. Naming conventions within your IAM system can be applied that mark an account as a service account. However, too often, there's no such obvious clue. This is where the pattern and trend recognition provided by an identity and access intelligence solution like Access Insight becomes key. The intelligence engine acts like a detective. It uses the circumstantial evidence about an account's activity and history to determine its purpose. The engine analyzes things like password reset history, login history, privilege patterns, ownership, and more to determine accounts that may be service accounts and which may represent a high risk of compromise.

We have quarterly compliance reviews, surely that will catch the risks, right?

Modern access governance is critical, but there are some gaps that modern attackers have learned to exploit. The biggest gap is speed. The typical organization will perform compliance reviews quarterly. These compliance reviews are great for looking back in time and reviewing what has happened, but they're not timely enough to catch an attacker red-handed.

As an analogy, consider the robbery of a bank vault­. If it is discovered three months later, the knowledge of what happened doesn't really help much. But if an alarm sounds right away and summons the police, this will help. Similarly, Access Insight gives you the tools to sound that alarm immediately, so you can understand what is happening within your network so you can take steps to remediate it at that moment, not in three months when the hacker is long gone with your data.

The next biggest gap is complexity. Large organizations can suffer from data overload. A compliance review may or may not catch every single service account risk in the organization which may be hidden somewhere amongst the thousands of pages of mundane, normal accounts. They're easy to overlook, and hard to find after the fact. Access Insight uses built-in algorithms combined with risk weighting you tailor to your network. This provides you with a color-coded, prioritized view of your organization's risk.

How fast can the problem be tackled?

To assist with this problem, Courion now offers a Access Insight risk heat mapcomplimentary quick scan evaluation of access risk which leverages Access Insight, to help organizations gauge whether they have an ungoverned or unmanaged service account problem. This quick scan can often be completed in a single day and provides a prioritized view of where remedial action is needed most. Of course, fully deploying Access Insight on your network, regardless of what IAM suite you have installed, will give you the visibility, or insight, you really need through continuous monitoring to find and fix access-related risk, now and on an ongoing basis, not just at a point in time.

Tags: Josh, Access Insight, access, risk, Green, account, service

Same “Stuff”, Different Day

Chris SullivanOn August 20th, UPS Stores announced that they hired a private security company to perform a review of their Point of Sale (PoS) systems after receiving Alert (TA14-212A) Backoff Point-of-Sale Malware about a new form of PoS attack and, surprise, they found out that they had a problem. They released some information about which stores and the type of information was exposed, but little else. Freedom of Information Act requests have already been filed.

What followed was the predictable media buzz, where it was postulated that this was yet-another PoS breech similar to those that affected Neiman Marcus and Target. While there is some truth is this, there are interesting bits that make this case very different.

What’s different?

  • This was a brute force password attack against remote desktop applications (the list named in the Alert includes Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn).

  • Because UPS is a franchise, the PoS systems are not centrally managed, so each store was individually hacked. This might explain why the actual impact was low (1% of the stores effected) and why UPS is not completely certain what was taken.

  • At the time of the breach, the malware was not detectable with conventional tools.

What’s the same?

  • It was a Point of Sale PoS based attack using one of many PoS rootkits.

  • The initial compromise provided access to privileged accounts, enabling lateral movement and control of the payment systems.

  • Alert (TA14-212A) guidance on access related controls to reduce this type of risk is:

  • Define complex password parameters

  • Limit administrative privileges for users and applications

  • Assign strong password security solutions to prevent application modification

  • Implement least privileges and ACLs on user and applications on the system.

  • The official guidance fails to recognize that periodic reviews are done too infrequently and too superficially to prevent or, in most cases, even detect such activities.

  • European Union residents, armed with EMV protected cards, may feel they are immune to these problems. If this were the case, then why are we seeing a dramatic rise in the use of card scrapers throughout Europe? Perhaps that’s a topic for another time.

What can you do to deter a breach that takes advantage of vulnerabilities in your identity and access equation? Begin by practicing good hygiene by following the identity and access controls recommended in Alert (TA14-212A), the 2014 Verizon Data Breach Report and the SANs Security Controls Version 5 as outlined by mUPS Stores Logoy colleague Brian Milas in this blog post.

What can you to detect a breach as soon as possible? Brian points out in the same post that by using a intelligent IAM solution, you will be better equipped to minimize the type of access risk that leads to a breach by provisioning users effectively from the start, but also will be better able to detect access risk issues as they happen and remediate them on an ongoing basis by leveraging continuous monitoring capabilities.

The point is, regardless of the exact details and mechanisms employed in an attack, you can and should do what is under your control to minimize risk and equip yourself for early detection. Identity and access intelligence is a good place to start.

Tags: Chris, Sullivan, access, Verizon, UPS, risk, breach, identity, data, SANs