Mind the Gap: Enterprise-Insider Secrets and Passwords are a Risk Beyond SSO and Privilege

The rising threat of organizational insiders being paid to help in cyberattacks, combined with notoriously bad secret and password hygiene at an individual level, is cause for cybersecurity leaders to be concerned. While IT teams have focused on implementing strong SSO, password management, identity and even privileged access management solutions, the work-from-home world has caused shadow IT to explode. Employees too often reuse personal secrets for professional access across sensitive files, social media, databases and applications that were never onboarded to your IAM or PAM program. Those credentials never pass through the SSO and PAM controls you have built, so a breach of any one of those third-party sites exposes a working corporate password: that is the gap in enterprise cybersecurity postures.

In this webinar you will learn:

  • How to make it easy for employees to inherently practise good cybersecurity and password hygiene to decrease risk of assisted or unassisted cyberattacks;
  • Why even frequent password management training does not solve the decentralized secret and password problem;
  • What secret and password best practices should be. Despite organizational training, more than half of our recent survey respondents said they still primarily store passwords on shared office documents and sticky notes.

Bryan Christ

Senior Sales Engineer, Bravura Security

Bryan specializes in security and access governance. For more than twenty years he has focused on open-source and software development with an emphasis on team leadership and executive oversight. Bryan is also an experienced Virtual Chief Information Officer in the Greater Houston area.

Identities are the heart of all access in your organization. They are also the bullseye for attacks, particularly the low-hanging fruit of passwords and the high-value privileges. Are you ready? Learn how to move from fragmented access management to the precision of a single platform and framework for identity protection.

Review the Full Session Transcript

No time to watch the session? No problem. Take a read through the session transcript.

Speakers:

  • Bryan Christ, Senior Sales Engineer, Hitachi ID
  • Tom Field, Senior Vice President of Editorial with Information Security Media Group

Tom Field (00:07):

Hi there. I'm Tom Field. I'm Senior Vice President of Editorial with Information Security Media Group. Delighted to welcome you today to our session, which is entitled Mind the Gap: Enterprise Insider Secrets and Passwords are a Risk Beyond SSO and Privilege. Your presenter today is Bryan Christ, Senior Solutions Sales Engineer with Hitachi ID. But before I bring Bryan onto the screen, let me share some background on the topic we're going to discuss here today. The recent rising threat of organizational insiders being paid to help in cyberattacks, combined with notoriously bad secret and password hygiene at an individual level, is a cause for cybersecurity leaders to be concerned. While IT teams focused on implementing strong SSO, password management, identity and even privileged access management solutions, the work-from-home world has caused shadow IT to explode, with each employee too often reusing personal secrets for professional access across sensitive files, social media, databases and applications not onboarded to your IAM or PAM program. There's a gap in enterprise cybersecurity postures. So in this session today, you'll learn how to make it easy for employees to inherently practice good cybersecurity and password hygiene to decrease the risk of assisted or unassisted cyberattacks, why even frequent password management training does not solve the decentralized secret and password problem, and what secret and password best practices should be.

(01:45):

As some background on Information Security Media Group, we just turned 16 years old. We're a global education and intelligence firm. Our headquarters is in Princeton, New Jersey. You may be most familiar with one or more of our media sites; we have 34 of them across the world, including BankInfoSecurity, GovInfoSecurity and DataBreachToday. Today, our audience is over 1 million security leaders globally, and we give them a daily diet of news, analysis, research, events and educational programs just like this one. A few notes of housekeeping: if you have any questions for Bryan during the course of this session, you can submit them anytime via the chat window on your screen. We likely won't be able to get to every question, but for those that we can answer within the course of this session, we will get responses back to you via email. Should you encounter any technical issues while viewing today's webinar, please write to the email address on your screen. If you write to webinars@ismg.io, we do have technical support staff standing by to help. Also, today's webinar is copyrighted material. It's meant for today's session and individual study purposes only. If you'd like to use any of the information presented today, or if you're looking for customized training materials, please contact us.

(03:01):

Delighted to introduce our sponsor today, Hitachi ID. Hitachi ID Systems delivers identity and access management solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Bravura Security Fabric is a fully integrated solution for managing identities, security entitlements and credentials for both business users and shared privileged accounts, on premises and in the cloud. The Hitachi ID brand is well known in the marketplace for high scalability, fault tolerance, pragmatic design and low total cost of ownership. Hitachi ID is recognized by customers and analysts for industry-leading customer service. To introduce our speaker today, Bryan Christ: again, he is Senior Solutions Sales Engineer with Hitachi ID, and he has specialized in security and access governance for more than 20 years. He's focused on open source and software development with an emphasis on project management and executive oversight. Bryan is also an experienced virtual chief information officer in the Greater Houston area and was recently published in Cybersecurity, a peer-reviewed journal. With that, let's bring onto the virtual stage Bryan Christ. Bryan, pleasure to be here with you today.

Bryan Christ (04:18):

Hey, Tom, thanks for the introduction. Appreciate it. With that, let me go ahead and share my screen here.

Tom Field (04:28):

Beautiful. As you do that, Bryan, there's a question I want to start with to open our conversation. I teed this up a little bit talking about secrets and passwords, but as you look at the landscape and what your customers tell you today, what are the crime trends that most concern you regarding secrets and passwords?

Bryan Christ (04:50):

Yeah, so I don't think it's going to be any shocker here. I've got it up on the visual: organized crime, ransomware. It's big business. I recently came across this statistic about the number of phishing attacks, the social engineering; one organization, I think, was pushing out over 30,000 solicitations a day. And you say, well, that's a lot of effort going into it, but realistically, if somebody pays, if just one victim takes a bite of that hook, the payday on that is well worth it for them. So what I've got up here is just some statistics. I read the Verizon report annually; definitely it's not for the faint of heart, but I would encourage everyone to do it, and it bears out the simple truth that ransomware is big business. Year over year, it continues to be the number one form of attack, and again, no shocker, organized crime is behind it.

(06:07):

Along the same lines, I do want to just introduce the audience as well. I'm thinking about ransomware attacks as the largest or most significant risk that the organizations are facing. I want to talk a little bit about an attack, what it looks like just to sort of set the stage. I think that a lot of people have the belief that attacks are novel and they can be, I'm not saying that there aren't some out there, but if you really take the time to unpack what an attack looks like, they're almost cookie cutter in the way they're structured. And in fact, I would argue because you have some services out there, you have software stacks that you can download that automate. So what was once novel becomes automated and put into a script, and then anybody can really execute it. So the anatomy of attacks really sort of is very simple.

(07:09):

It's: gain a foothold. And again, I go back to that point I made a minute ago where you're blasting out 30,000 phishing emails or whatever, and you're just trying to get that foothold. So eventually you're successful, you gain that foothold, and if the account that you manage to get into is sufficiently privileged, you can often deploy some sort of command and control, which allows you to sort of establish a spot from which you can gain access back into the system. You don't need to go through all that phishing again, but it also gives you a tool, a toolkit, to do reconnaissance. So they'll do reconnaissance. They're not really interested in that low-level victim's account, typically; it's just a spot to springboard from. So they conduct reconnaissance, they look around in the organization for maybe somewhere else they can jump to. We call that moving laterally, and hopefully by moving laterally I gain additional permissions so I can access new systems that I didn't have before. And so there's sort of this rinse-and-repeat cycle. Keep doing that until eventually I get to the keys to the kingdom, and once I get to the keys to the kingdom, it's game on. Take that data offsite, hold it hostage, encrypt what's left behind, and then demand payment. So that's really what a ransomware attack looks like. Again, I'm not discounting that there are some novel approaches out there, but again, on the whole, these things become very predictable, almost prescriptive in a way, in terms of executing these.

Tom Field (09:00):

Bryan, it's scary stuff that you have portrayed here. Now, I know you recently conducted some research related to the topic as well. What did you learn?

Bryan Christ (09:08):

Yeah, let me pull this up here. It was certainly eye-opening in one sense. It confirmed what we had known all along, which is, on the whole, organizations are doing what they think is sound. They're putting their employees through good password training, oftentimes more than once a year. But the reality is that even though they've been trained on good hygiene, good practices, you can see here from the statistics, 46% are still using a shared office document or sticky notes to share these secrets. I'll never forget one time I was on a Facebook thread, of all places, and I was watching this teacher lament how it was the start of the next school year, and they were just so upset that they had to change their passwords, and they literally said, well, you know what I do? I just take my password and put it on a sticky note and attach it to the monitor, and you're just like, oh, wow. That is the quintessential bad example of password hygiene. So despite the fact that the people are going through the training, organizations are mandating it, they're still doing really bad stuff.

Tom Field (10:34):

Well, I hate to say that any of this is surprising, but really it isn't. Question, I love to ask when there is research, what did surprise you?

Bryan Christ (10:44):

That it was as bad as it was. I mean, you would think that if organizations had put that much time into the training and the education, you wouldn't still get this. I mean, if you add up these two: there's 30% who were offered and used a company password manager, but the majority, well over 50%, were still doing really bad things. I mean, you expected it. I just didn't expect that number to be as high.

Tom Field (11:14):

Sure. So I want to dive into the research a bit here in the topic. Let's start here. What are decentralized secrets?

Bryan Christ (11:22):

So this really kind of gets into the meat of what we're talking about. Let me just advance the slide here a little bit. So decentralized secrets are sort of an interesting set of, and I'll use the word secrets. We'll predominantly be talking about passwords as we go through the rest of the conversation today because passwords are probably the most prevalent. But decentralized secrets are those things that are assets that belong to the company. They many times can be shared in the organization. I'll give you a couple of examples of a decentralized secret, and I also want to back up and frame this in terms of what does a company do about a decentralized secret? So decentralized secrets sort of fall into this interesting spot between privileged access, so privileged access being those keys to the kingdom that the attacker wants to get. The organization typically recognizes the sensitivity of those, and they'll stick 'em in a privileged access solution like Bravura Privilege that we offer, and they'll vault 'em and they'll randomize them and they'll build access controls around these secrets and they'll ensure that there's an audit trail and that people are only getting to them when they have a legitimate reason to access 'em.

(12:49):

The problem is, so you have those kinds of things, but they're typically pervasive in the organization, and it makes sense to go through the effort of putting those in something like a privileged access management solution. But you have these other kinds of secrets that are also dangerous, but you can't justify the expense of vaulting them. And these would be things like, let me give you a great illustration. I go to a lot of trade shows, and typically in order to go to a trade show, I have to register an account with the expo provider. And what's really tempting, and we'll talk about this a little bit, is to use the same login and password on that registration portal that I use elsewhere, maybe specifically within the company. Another really kind of common form of decentralized secrets are things like API accounts. So you've got maybe a DevOps team, maybe they're creating some new tool, and so they need to register with a third-party service, which means you need an API key.

(14:05):

And so to register for that developer account, again, the temptation is I'll use the same username or email address and password that I use in the corporate environment. So again, these are corporate in nature because I'm not going to that event outside of my employer. I'm doing this project because of my employer. So it's really an asset that belongs to the company. We call it decentralized, really no governance there at all. Right? And then there's other kinds of secrets, like a shared credit card in an organization where you need to purchase something. So a manager may have access to a company credit card that would also be considered a decentralized secret.

Tom Field (14:49):

Boy, it raises lots of questions. Let's start here. What are the risks associated with decentralized secrets?

Bryan Christ (14:55):

Yeah, I don't think there's going to be any shocker here. Again, if you just spend a few minutes in front of the Verizon report, you'll see that year after year, lost or stolen credentials are the number one culprit of data breaches. And so that's the goal, right? To get at these credentials. Going back to that anatomy of a ransomware attack, it's that foothold and these decentralized secrets. They become exposed in typically two ways. One is the model that I've already talked about, which is employees decide to reuse these credentials on, like I said, an expo portal, maybe some sort of training portal, whatever, something that is, again, not used frequently enough that it warrants vaulting. And so then that organization experiences the breach, and all of a sudden, because you used the same set of credentials externally that you use internally, they now know what your credentials are within the organization, and they've gained that foothold.

(16:11):

The other way that this happens is interception. So maybe breaking into somebody's Office 365 account on the surface doesn't sound like, oh, okay, you broke into the email. The problem is, and if this was in front of a live audience I would certainly ask for a show of hands, but I guarantee you most people at one point in their lifetime have emailed a set of credentials to someone else. So I get into an email account and then all of a sudden I sift through it and I find out, oh, there's a set of credentials in here, because I did something bad with one of these decentralized secrets: I emailed it to someone else. And there's a legitimate case for needing to share these. If you go back to that DevOps illustration I gave earlier, you may have a team working on a project, and so all of the members of that team need to be able to log into that developer portal, get access to the documentation to help 'em create their program or whatever it is they're working on. So there's a business need there. There's a justified reason for needing to do this. The problem is to use really bad mechanisms like email to do that. And of course, if the email gets breached, then those passwords get intercepted, and then ultimately you get a data breach because of it.

Tom Field (17:28):

So Bryan, go ahead.

Bryan Christ (17:32):

No, I was just going to, you asked me what the risks were. There was kind of a second part to this, if you don't mind. I just want to share that real quick.

Tom Field (17:45):

You've already overwhelmed this.

Bryan Christ (17:50):

Yeah, so the other part of this is sort of on the flip side. You think about users who, so you're not vaulting these, you don't have any governance on 'em, but the employees have gone out and they've registered all of this stuff, and there's a business continuity element to this. Again, I'll go back to that developer illustration. Let's say that there was a guy that was working on a project and he registered this API key, and he's working on this project. All of a sudden he leaves. Who knew the credentials to that? This is sort of a benign illustration. This is the guy that left; he didn't think to share the information with his colleagues when he left. And so now they're stalled. They can't continue working on this project because they can't get into the developer portal. So that's kind of a benign illustration.

(18:42):

But you could have a malicious one. They could have registered this account and now they could do bad things with it. They could tank the API key on a large scale; if they've gone live with this application, maybe it's got thousands of users in it, they could trash it. And so that's bad. And we asked, in that same survey that we looked at earlier, we asked the question, well, hey, when your employees leave, are you sure they're not taking this stuff with them? You can see here that they weren't, right? They didn't have any really high degree of confidence that employees weren't walking out the door with these secrets. So there are really the two risks. There's the breach, and then there's also this business continuity component of it as well.

Tom Field (19:32):

So it does beg the question, what do you see organizations doing about this issue with decentralized secrets today and the reason why we're here? Why isn't it working?

Bryan Christ (19:42):

Okay, yeah. So that's kind of a multifaceted question. Let me just flip over to the next screen here. Let me kind of unpack this a little bit. So first of all, some organizations, they actually recognized this problem, and you brought this up in your introduction. I was really glad you did. You used the words shadow IT. That's exactly what we see happening. We'll have conversations with folks and they'll say, oh, well yeah, we're using KeePass to deal with these. It's great, but it's not an enterprise-class solution. I love open source. It's a great open source project, but it tells me something. It tells me that there's an understood need in those organizations. They picked up on this idea that there's a problem. They don't have a tool to plug the problem with, and so they've gone out and done their own thing. And so you have the rise of shadow IT. And in some of our survey results, we get this variety of answers where you can read between the lines and see that they've plugged the holes in this way. And when we get on calls with folks, they'll just straight up tell us we've used KeePass or whatever. So that's sort of important to know, that there are organizations that have recognized the problem. The other issue here is you said, well, why isn't it working? Or what they're doing isn't working? This sort of goes a little bit to human nature.

(21:12):

If you think about why did the person that registered that account with the expo hall, why did they choose to use their existing username and password with the organization? The problem is that, and I've got some statistics here from a recent survey that was conducted that reinforces the behavior that we already know, which is a high degree of password reuse across sites, and then this other piece is really key: relying on their memory. So you can't reasonably expect, most people can't. I know I struggle beyond six to seven digits. If you just rattle it off to me, I'm probably not going to remember; I'll say, hey, wait, hold on, I need to jot that down, or whatever. But just human nature, we have a tough time remembering things. And so if I enforce a password policy that says, well, it's got to be 16 characters long, uppercase, lowercase, got to have some special characters, there's no way you're going to remember that, especially if you have to do that on dozens of websites. You're just not going to remember it.

(22:19):

So human nature is to try to pick something that you'll remember, and that's what the statistic, it bears out. There's also another component of it that's related, and I think it has to do with this idea that I'm going to also make sure that I know it because I want to always have access. I don't know when I'm going to be called upon to have this password. Am I going to be traveling? Am I only going to have my mobile device? So I want to ensure that under all circumstances I have access to or know that password. So why isn't it working? I would say the human element of this is a large part of it. And then there's also organizations that simply flat out haven't really recognized the problem space.

Tom Field (23:11):

So the other side of that, then, Bryan: we know what's not working. What should organizations and individuals be doing to protect these secrets?

Bryan Christ (23:20):

Yeah, so big picture here, what I've got up here for folks to take a look at is a zero trust model. It sort of begins with this idea that I have passwords everywhere. I haven't really done anything about it. And there's just a small number of processes that you can put in place, like I talked about: privileged access management, vaulting the keys to the kingdom, providing single sign-on. Single sign-on's great because you're reducing the number of things that people have to log into; if they've logged into one, we can federate into others. But really kind of the highlight of our conversation is the decentralized secret. So a first step in sort of a good zero trust journey would be to tackle these things, including decentralized secrets, in your zero trust journey. So if you're not thinking about zero trust, start thinking about it and make this part of your journey.

(24:28):

It's an easy step to take. It's a quick win. And so we would say do that. But also what's really interesting about the zero trust journey is that one of the things that it also does is it really improves your operational maturity. So if I were to be able to lay these slides out side by side, you would see a strong correlation between my progression, my maturity as an organization, and also my progression down that path. What we've done here for folks on the line is we've sort of mapped that to kind of our solution set in terms of operational maturity. How does your organization move upward on that journey? And so we do that through a set of components in what we call the Bravura Security Fabric, Bravura Safe being one of those really first and easy steps to take, Bravura Pass being another piece that I talked about, like single sign-on and federation.

(25:38):

Bravura Pass plays a strong part in that. And so with our software stack, by deploying these pieces, you can move very easily up that maturity model. And again, Bravura Safe helps you do that specifically. Okay, so I'm talking about Bravura Safe, but I haven't really said why. What does Bravura Safe do for you? I've introduced a lot of problems, but what are the solutions? What does Bravura Safe do for you? Well, one, it's going to, I need to switch slides here. One, it's going to allow your users to generate strong passwords, so making sure that these aren't predictable, that they're not the same credentials that you're using on other sites, especially within your organization, and vaulting those with strong encryption. But here's the other piece of it. Remember that I said that there's an idea, that idea that you want to have access to these credentials at all times, and that's part of the reason people are wanting to pick something that's easy to remember.

(26:53):

Well, what we've done with Bravura Safe is we've eliminated that fear. So Bravura Safe is literally available on all platforms that you can think of. So it works on Mac, it works on Windows, it works on Linux. We have apps for Android, we have apps for iPhone, we have plugins for all the major browsers and the desktop apps and the mobile apps. They even work when you're offline. So we were just talking with someone here recently that's looking at the product because they have field agents. They go off to these remote areas to work on SCADA devices where they have no connectivity. So it was really important. So this product eliminates that idea that the fear that I'm not going to have access to my secrets when I need it. Lastly, the other thing that the product brings to the table is a way to securely share secrets with colleagues.

(27:52):

So I can create a team, just like I would do in Skype or Microsoft Teams, like you would think of a channel maybe. I can invite colleagues to it. I can stash our secrets in there, I can put permissions around them, and then only those people that are in that team get access to those secrets. And if it's just a one-off type situation where, think back to that illustration where we've all done this really bad thing where we emailed credentials to someone, we've provided a way to do that that's far more secure. So you can take a secret, it could be something like a simple set of username and password, but it could be a file. And so that file or that set of credentials can be securely stored in the Bravura Safe encrypted crypto vault, and then I can put strong controls around it. So I'll get a link, copy and paste that to users, but I can put a password on it right now.

(28:57):

I'm not talking about a password that you drop in an email; that would be defeating the purpose. You would pick up the phone or call 'em and say, hey, look, here's a password for it. Drop it on their voicemail. If you have to send them a text message, it has burn-after-reading capabilities, so you say, well, you can only access this thing twice and then it disappears. Set a time limit. So strong controls around sharing and collaborating with these credentials. And then lastly, there was that sort of business continuity piece of it. So within the product is an enterprise construct for providing emergency access. So heaven forbid, maybe somebody that was working on that project and had the secrets, maybe they get into a car accident and get laid up. If they've done the right thing and they've designated an emergency contact, you can initiate a process to bring those credentials back and reduce the impact to your organization, and so maintain that business continuity. So hopefully that gives you a good idea of how Bravura Safe really tackles both providing strong controls for the end user and really making it far more difficult for a would-be attacker to execute those kinds of ransomware attacks that we talked about at the beginning of this.

Tom Field (30:25):

Yeah. Bryan, terrific overview, and you covered a lot in this short period of time. Any summary comments you want to offer as key takeaways for our attendees, just to sort of bring to a head the issues we've talked about here?

Bryan Christ (30:36):

Yeah, I would simply say this: if you liked what you heard today, there's so much more that we don't have the time to go into here. At Hitachi ID, we would absolutely love to invite you to a demo of the product. So we'd be glad to get in front of you and your team, walk you through these same challenges, but give you a tour of the product, and do it sooner rather than later. So if you recognize this problem space, you said, you know what? I know we have this problem. This is really easy to get going on. We can get a solution in place for you in a matter of days. So please reach out to us. We'd love to help you.

Tom Field (31:24):

Well said. Bryan, thanks so much for your time and insights. I've enjoyed doing this session with you.

Bryan Christ (31:28):

Yeah, thank you. Appreciate having me.

Tom Field (31:31):

I want to thank our attendees as well. We know you took time out of your day to attend this session. We don't take that for granted. We're grateful for that. I do hope that today's discussion provides some excellent new insights and new data points to enable you and your organization to be even better prepared to tackle the security challenges we discussed here today. I look forward, as always, to seeing you again at one of our upcoming events. Until then, for Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.
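The reuse scenario Bryan describes in the session, a corporate password recycled on an expo portal or a vendor developer portal so that a breach of the external site yields a working internal login, can be audited mechanically from a password-manager export. The script below is an added example for this page, not code from the webinar, Bravura Security or Hitachi ID. It parses a constructed CSV export (the domains, usernames and passwords are invented), groups entries by a hash of the password, flags any group that spans an internal system and an external site as critical, checks each password against the 16-character mixed-class policy mentioned in the talk, and proposes unique replacements from the CSPRNG in Python's `secrets` module. `CORPORATE_DOMAINS` is an assumed configuration value.

```python
"""Audit a password-manager export for reused 'decentralized secrets'.

Added example for this page, not code from the webinar, Bravura Security or
Hitachi ID. SAMPLE_EXPORT is constructed (invented domains, users, passwords)
and CORPORATE_DOMAINS is an assumed configuration value.
"""
import csv
import hashlib
import io
import secrets
import string
from collections import defaultdict

# Assumption: hosts under these domains sit behind the corporate IAM/PAM program.
CORPORATE_DOMAINS = ("example-corp.com",)
PASSWORD_MIN_LEN = 16  # the "16 characters, mixed case, specials" policy from the session

# Constructed sample export in the common name,url,username,password layout:
# one corporate password recycled on an expo portal and a vendor API portal.
SAMPLE_EXPORT = """name,url,username,password
Corporate SSO,https://sso.example-corp.com,bchrist@example-corp.com,Houston2021!
Expo registration,https://register.expo-vendor.example,bchrist@example-corp.com,Houston2021!
Vendor API portal,https://developer.api-vendor.example,bchrist@example-corp.com,Houston2021!
Training portal,https://lms.training-vendor.example,bchrist@example-corp.com,Rk7#vQ2p!mZ9xL4wTb6e
"""


def is_internal(url: str) -> bool:
    """True when the URL's host belongs to a corporate (IAM-governed) domain."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report groups passwords without carrying plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def meets_policy(password: str) -> bool:
    """Minimum length plus lower, upper, digit and punctuation classes."""
    return (len(password) >= PASSWORD_MIN_LEN
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def load_export(text: str) -> list:
    """Parse the CSV export and tag each entry as internal or external."""
    rows = csv.DictReader(io.StringIO(text))
    return [dict(row, internal=is_internal(row["url"])) for row in rows]


def find_reuse(entries: list) -> list:
    """Report every password used on more than one site.

    A group mixing an internal system with an external site is 'critical':
    a breach of the external site hands the attacker a working corporate login.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e)
    findings = []
    for fp, group in groups.items():
        if len(group) < 2:
            continue
        internal = sorted(e["url"] for e in group if e["internal"])
        external = sorted(e["url"] for e in group if not e["internal"])
        findings.append({"fingerprint": fp, "internal": internal, "external": external,
                         "severity": "critical" if internal and external else "high"})
    return findings


def generate_password(length: int = 20) -> str:
    """CSPRNG password that is guaranteed to satisfy meets_policy()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def remediation_plan(entries: list) -> dict:
    """Map entry name -> fresh unique password for every reused or weak password."""
    counts = defaultdict(int)
    for e in entries:
        counts[fingerprint(e["password"])] += 1
    return {e["name"]: generate_password() for e in entries
            if counts[fingerprint(e["password"])] > 1 or not meets_policy(e["password"])}


if __name__ == "__main__":
    vault = load_export(SAMPLE_EXPORT)
    for f in find_reuse(vault):
        print(f["severity"].upper(), "password reuse across", f["internal"] + f["external"])
    for name, new_pw in remediation_plan(vault).items():
        print("rotate", name, "->", new_pw)
```

On the constructed export the script reports one critical group (the SSO password reused on two external portals) and proposes rotation for those three entries only; the training-portal entry is unique and policy-compliant, so it is left alone. Run against a real export, the report never contains plaintext passwords, only truncated hashes and URLs, which keeps the audit output itself from becoming another decentralized secret.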
