Growing concerns over nation-state attacks and cyberterrorism have led enterprises to put more of their cybersecurity eggs in the identity and access management basket.
During the 2016 Cloud Identity Summit in New Orleans earlier this month, attention was focused on the growing fears of sophisticated threat actors preying upon weak passwords, inadequate access controls and compromised credentials. Specifically, security experts talked about how nation-state cyberattacks and cyberterrorism have heightened awareness of IAM security.
Alex Simons, director of program management for Active Directory for Microsoft's Identity & Security Services Division, described one such nation-state attack during his keynote address at the event. Simons told the audience that Microsoft recently detected a huge increase in account lockouts and failed logins for a school.
"As we were bringing on a new set of algorithms in learning mode [for Azure Active Directory], we discovered they had a ton of compromised accounts," Simons said, adding that the logins were from an IP address in another country. "This was probably a state-sponsored attempt to hack into this school."
Based on the suspicious IP addresses and login patterns, Microsoft's machine learning system quickly detected the malicious logins and began failing them, despite the credentials being correct, Simons said. He warned that this type of attack on login credentials is common today and said the industry needs to work together to improve IAM security. "This is the kind of thing that happens all the time," he said. "Enemies are evolving very quickly, and we need to keep evolving with them."
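The pattern Simons describes, a system that learns normal sign-in behaviour and then rejects a login whose password is correct because the source looks wrong, can be sketched in a few dozen lines. The following is an added example for illustration only; it is not Microsoft's or Azure AD's code or algorithm. The `SignIn` record, the "learning mode" baseline, the spraying thresholds, the function names and all of the log records (including the 203.0.113.0/24 and 198.51.100.0/24 addresses, which are documentation ranges) are constructed for this example.

```python
"""Added example: risk-based sign-in screening over constructed log records.
A simplified illustration of the pattern described above, not a vendor's algorithm."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    src_ip: str
    country: str
    password_ok: bool  # True when the submitted password matched the stored hash


def learn_baseline(history):
    """Learning mode: note which countries each account has signed in from successfully."""
    baseline = defaultdict(set)
    for e in history:
        if e.password_ok:
            baseline[e.account].add(e.country)
    return baseline


def risky_sources(events, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.3):
    """Flag source IPs that, inside any `window`, try many distinct accounts with mostly failures.

    Returns {ip: (distinct_accounts, failures)} for the widest qualifying window per source.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e.account for e in chunk}
            successes = sum(e.password_ok for e in chunk)
            if len(accounts) >= min_accounts and successes / len(chunk) <= max_success_rate:
                if ip not in flagged or len(accounts) > flagged[ip][0]:
                    flagged[ip] = (len(accounts), len(chunk) - successes)
    return flagged


def decide(event, baseline, flagged):
    """Return (allowed, reason). A correct password alone does not grant access."""
    if not event.password_ok:
        return False, "bad password"
    if event.src_ip in flagged:
        n_accounts, n_fail = flagged[event.src_ip]
        return False, f"source {event.src_ip} flagged: {n_accounts} accounts, {n_fail} failures"
    known = baseline.get(event.account)
    if known and event.country not in known:
        return False, f"{event.country} never seen for {event.account}"
    return True, "ok"


# Constructed data. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
T0 = datetime(2016, 6, 1, 8, 0, 0)
HISTORY = [SignIn(T0 - timedelta(days=d), f"student{i:02d}", "198.51.100.4", "US", True)
           for d in range(1, 4) for i in range(1, 9)]
ATTACK = [SignIn(T0 + timedelta(seconds=20 * i), f"student{i:02d}", "203.0.113.7", "XX", i == 3)
          for i in range(1, 9)]  # one guess is right (student03); the other seven fail
LEGIT = [SignIn(T0 + timedelta(minutes=5), "student03", "198.51.100.4", "US", True),
         SignIn(T0 + timedelta(minutes=6), "student05", "198.51.100.4", "US", False)]  # a typo


def run_demo():
    """Screen every attempt whose password was correct and return the decision for each."""
    baseline = learn_baseline(HISTORY)
    events = ATTACK + LEGIT
    flagged = risky_sources(events)
    return {(e.account, e.src_ip): decide(e, baseline, flagged) for e in events if e.password_ok}


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(key, verdict)
```

The point of `decide` is the ordering: the password check runs first, but a match only moves the attempt on to the source and geography checks, so the one correct guess in the burst from 203.0.113.7 is refused while the same student's normal sign-in from the usual address is allowed. Thresholds such as `min_accounts=5` are placeholders; a real deployment tunes them against its own traffic.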
By now most enterprises have heard the stories about the Target breach and OPM hack being tied to compromised account credentials. Karl McGuinness, senior director of identity at enterprise SSO firm Okta, said incidents like those – and the resulting consequences for management – had already brought attention to the risks of poor password hygiene and inadequate identity and access controls. But the growth of advanced persistent threats, along with the increased adoption of public cloud services has raised the concern level over IAM security even higher.
"There's the fear of getting breached and getting fired," McGuinness said. "The threats have changed. You have things like nation-state attacks and large-scale cloud attacks now. There's a lot of risk in the cloud if your credentials aren't protected."
Todd Peterson, senior product manager and identity and access management evangelist at Dell Security, said enterprise fears of attacks from nation-states and advanced persistent threat groups have brought more attention to IAM security. "Identity and access management used to be a boogeyman for enterprises because the products were expensive, clunky and not user-friendly," Peterson said. "Now that's changed. Identity continues to get investments where other security areas are flattening. It's much sexier than other security areas."
During his talk at the Cloud Identity Summit, Gen. David H. Petraeus compared the "very nefarious, very skilled, very persistent" cyberthreats enterprises face today to the adversaries the U.S. Armed Forces face across the globe and highlighted how groups like ISIS have moved to the digital world to expand their reach. "Make no mistake about it: the internet -- and social media -- is a whole new domain equivalent to land, sea, air, sub-sea and space," Petraeus said. "And now you have cyberspace."
Even something seemingly as innocuous as social media can be exploited by cyberterrorism groups and nation-state attackers, said Ori Eisen, founder and CEO of Trusona, an authentication startup based in Scottsdale, Ariz. Eisen said the Syrian Electronic Army, which hijacked the Associated Press' Twitter account in 2013, showed how much damage that simple act can do to global financial markets. The hackers behind the attack used the AP account to tweet a false report that two explosions had occurred at the White House and that President Barack Obama had been injured.
That single tweet sent financial markets into disarray and caused the Dow Jones Industrial Average to plummet approximately 145 points. "That was $136 billion lost in about 90 seconds," Eisen said. "One fake tweet and that's all you need to short some stocks."
Three Syrian Electronic Army hackers were later identified by the U.S. Department of Justice and charged in connection with the Twitter hack with an array of computer crimes, including illicit possession of authentication features, access device fraud, and unauthorized access to, and damage of, computers. In its announcement of the criminal complaint, which had been sealed until March of this year, the DoJ detailed how the group used spear-phishing attacks to steal usernames and passwords and then used the stolen credentials to take over accounts, websites and IT systems. The DoJ added that the three hackers "repeatedly targeted computer systems and employees of the Executive Office of the President (EOP)" in 2011 but never succeeded.
Trusona advisor Frank Abagnale of "Catch Me If You Can" fame, who spoke at the Cloud Identity Summit, told SearchSecurity that the Syrian Electronic Army attack was indicative of how nation-state and cyberterrorist attackers can use stolen credentials to bypass authentication systems and steal millions of dollars and damage financial markets. "That's where it's going," Abagnale said. "Where it was used by cybercriminals, now it's becoming more of a terrorist tool."
Eisen agreed and pointed to another recent incident as proof: the cyberattacks on banks' SWIFT messaging systems, which led to the theft of millions of dollars from financial services firms. The attackers obtained credentials to impersonate valid users and used them to create and approve fraudulent SWIFT payment messages. Eisen said targeting account credentials and weak IAM systems is nothing new, but now nation-states and cyberterrorism groups know they can use such attacks to earn millions of dollars just like cybercriminals.
"The chessboard is the same. It's logins to an account," Eisen said. "There are reports the North Koreans are behind the SWIFT banking attacks. If it's really true that a nation-state is stealing money from banks to support itself, why do you think it's going to stop?"