Aujas US

An IDG Ventures Company

Converged Identity and Access Management – Final

Final in the series “Converged Identity and Access Management”

The IT infrastructure is the backbone of a converged solution, allowing key business data to be shared across systems. For example, a company’s physical security system typically does not have critical business data such as employee status, whereas the HR department’s IT system has such knowledge.

Converging physical security with IT security isn’t easy, but the extra effort it requires can be beneficial, especially for financial, healthcare, and defense organizations. Convergence affords organizations the opportunity to align security with overall business goals, streamline business processes such as provisioning and investigations, and centralize security operations and policies.

Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. Different physical and logical security systems should leverage extendable interfaces of identity management solutions and thus stay in sync. The key benefit is that security personnel continue to use tools best suited to their jobs and HR personnel continue using HR tools. Converged security systems therefore allow users to improve Return on Investment (ROI).

Key Steps for Convergence

To bridge the organizational gap, the physical security department should work directly with the IT security team to identify:

  1. Authoritative sources of key data used to determine whether a person has permissions to use a resource or access an area.
  2. Compliance or audit needs.
  3. Any business or security concerns that are unique or are especially important to an organization.
  4. Various business processes such as on-boarding, off-boarding and the responsibilities of different systems.
  5. Policies for managing employees who don’t have any logical accounts, e.g., cleaning staff, caterers, etc.
  6. Privacy and security policies that clearly define what personal information is to be collected, how the information will be used, who can access the information, how the information will be protected, and how the individual will control its use and provide updates to the information over time.

Effective Convergence through Events Correlation

With converged access control, organizations can correlate disparate physical and IT security events. For example, an employee logging on to a computer does not by itself look suspicious. Physical/logical correlation, however, can require that the employee gain access to logical resources only after he has swiped his ID card at the entry door. Conversely, some of his logical resources can be locked as soon as he leaves the premises by using his card at the door.
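The two correlation rules described above, written out as a small detection script. This is an added example, not code from the original post or from Aujas; the badge-reader and logon logs, the user names, the hosts and the line format are all constructed for illustration, and a real deployment would read these events from the physical access control system and the directory or SIEM instead.

```python
from datetime import datetime

# Constructed badge-reader log (not from any real system): timestamp, badge holder, door action.
BADGE_LOG = """\
2010-11-08T08:02:11 alice entry
2010-11-08T08:05:40 bob entry
2010-11-08T12:15:03 bob exit
2010-11-08T13:01:27 bob entry
2010-11-08T17:30:00 alice exit
"""

# Constructed workstation logon log: timestamp, account, host.
LOGON_LOG = """\
2010-11-08T08:03:50 alice ws-17
2010-11-08T08:06:10 bob ws-22
2010-11-08T09:30:00 carol ws-05
2010-11-08T12:20:45 bob ws-22
2010-11-08T17:45:12 alice ws-17
"""


def parse_events(text):
    """Parse 'timestamp subject value' lines into a time-sorted list of tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, value = line.split()
        events.append((datetime.fromisoformat(ts), subject, value))
    return sorted(events)


def badged_in(badge_events, user, when):
    """True if the most recent badge event for `user` at or before `when` is an entry.

    A person with no badge record at all is treated as not on the premises.
    """
    inside = False
    for ts, who, action in badge_events:
        if ts > when:
            break  # events are sorted, so nothing later is relevant
        if who == user:
            inside = action == "entry"
    return inside


def flag_logons(badge_events, logon_events):
    """Rule 1: return logons that are not covered by a badge entry for the same person."""
    findings = []
    for ts, user, host in logon_events:
        if not badged_in(badge_events, user, ts):
            findings.append((ts.isoformat(), user, host, "logon while not badged in"))
    return findings


def sessions_to_lock(badge_events, active_sessions):
    """Rule 2: return active (user, host) sessions whose user's latest badge event is an exit."""
    last_action = {}
    for _ts, who, action in badge_events:
        last_action[who] = action  # sorted order, so the latest event wins
    return [(u, h) for u, h in active_sessions if last_action.get(u) == "exit"]


def run_demo():
    """Run both rules over the constructed logs and return their findings."""
    badges = parse_events(BADGE_LOG)
    logons = parse_events(LOGON_LOG)
    flagged = flag_logons(badges, logons)
    # Assumed for the demo: alice and bob still hold interactive sessions at end of day.
    to_lock = sessions_to_lock(badges, [("alice", "ws-17"), ("bob", "ws-22")])
    return flagged, to_lock


if __name__ == "__main__":
    flagged, to_lock = run_demo()
    for finding in flagged:
        print("ALERT", *finding)
    for user, host in to_lock:
        print("LOCK", user, "on", host)
```

On the constructed data the first rule flags three logons: carol has no badge record at all, bob logs on after badging out at lunch, and alice logs on after leaving for the day. The second rule reports alice’s session for locking because her latest badge event is an exit, while bob’s is kept because he badged back in. The point of the example is that neither log is suspicious on its own; only the join across the two systems produces the signal.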

The convergence of identity and access control systems is helping enterprises better protect their intellectual property, monitor access to restricted areas and comply with regulations. It improves the operational efficiency of existing physical security systems and resources. How organizations choose to implement this should be aligned with their business strategy and their security and compliance requirements.

November 8, 2010 | identity and access management, IT security, Risk management

How I Hacked My Car Manufacturer

There are very few articles that I would consider “rerunning” in Risky Business; however, this is one that is worth repeating.

When I read there was going to be a social engineering competition at this year’s Defcon (the annual hacker gathering held every summer in Las Vegas) I knew I had to enter. It was the perfect chance to hone my sweet talking skills in a judged and neutral setting, and also to test my hypothesis that not only is social engineering a risk to regular end users in an enterprise, but that even corporate InfoSec teams are not immune from the threat.

Social engineering is essentially “pretexting” yourself into getting people either to divulge sensitive information or getting into areas you otherwise shouldn’t be in. You’re a sprinkler inspector who shows up unannounced at the front desk or the harried internal auditor racing to meet a deadline who calls an employee seeking information about their computer system. Given most people’s inherently trusting and helpful nature, social engineering attacks are surprisingly successful, which is why most corporate information security training programs address the threat. One would assume this would mean the InfoSec groups should be aware of any such attempt. As Gershwin would say, “it ain’t necessarily so.”

For the Defcon contest, each entrant was randomly assigned a major corporation as a target. Mine just so happened to be the manufacturer of my car. Sweet revenge. The first task was to create a dossier on the target company, solely from information gleaned from the Internet and public sources. There were to be no pre-contest calls, visits to the company’s headquarters, or contact with the company in any way whatsoever.

After crawling various search engines for email addresses, phone numbers, addresses, press releases, and other valuable information, I moved onto social networking sites like LinkedIn and Facebook. Soon I had accumulated almost 1,000 email addresses, hundreds of recent press releases, and a couple of employee handbooks as a good starting point. Next, any email addresses not correlated to a name were cut, as were any that couldn’t be verified as current or recent employees. The remaining email addresses were then fed into the various search engines to pick out only employees that worked in my target’s information security group. These were in turn fed back into the search engines to see if anything interesting fell out; information like hobbies, school affiliation, etc.

Soon the file was whittled down to approximately 75 people for whom I had gathered at least two points of information with which I could engage them during my pretexting in order to gain an elevated level of trust. If the target person had an interest in flying, I’d be sure to work a local air show into the conversation. Building any sense of familiarity or commonality with a target boosts the success rate of a social engineering attack exponentially.

Next I had to develop the attack vector I would use. Since I was targeting the InfoSec group, I knew I couldn’t use the old standby of posing as an auditor for the company. That is such a commonly used ploy that most if not all InfoSec employees should be able to sniff that attack out a mile away. Instead, I settled on posing as a survey taker for CSO Magazine. That would give me cover for calling the security group and asking questions about their security environment.

Three weeks later I was in the soundproof booth at Defcon, dialing through my list of numbers in front of a live audience as I perused the list of “flags” the judges had given me to collect; essentially pieces of information useful for a hacker attack. The first number to answer gave me hope that my hypothesis might be wrong. The security engineer at the other end of the line was very hesitant to speak with me, and very quickly shut me down, refusing to answer any questions that would reveal any technical information about the company. That was a promising sign – perhaps training of InfoSec personnel was starting to become effective.

Not so much. My next target was another security engineer, who, although initially having misgivings about speaking with me, was quickly convinced to participate through both my pleading that I only needed 10 minutes of his time and that I was risking losing my job if I didn’t meet my daily target, but more importantly, that there was a $25 iTunes gift card waiting for him upon completion of the “survey”. Greed is always a good motivator. Within 15 minutes I had sweet talked the guy into revealing everything from the OS version and service packs installed, browser type and version, to his anti-virus engine and signature version. Basically anything needed to launch a successful targeted attack.

So much for training

In the end I had proven my point: InfoSec people are no different from other end users. While they may have more security awareness training than others, they are still susceptible to the same weaknesses as others: greed, a desire to assist, and a fear of getting in trouble or creating delays in “mission critical” tasks. More important is that they suffer from the same weakness that everyone seems to suffer from – the belief that they would know if they were ever being “snookered.”

So what can be done to protect against social engineering attacks? To prevent on-site attacks, make this the golden rule that is *never* broken – “unannounced visitors aren’t let in if their corporate sponsor isn’t reachable to validate the visit.” To prevent general social engineering attacks, focus your efforts on ongoing awareness training (once a year is not enough), routine testing of personnel to see how effective the training is, and most important of all, reducing information leakage. The amount of information that companies allow employees to post about their jobs and corporate environment is shocking (not to mention the information the companies themselves leak). Take an hour and peruse the various social networking sites like LinkedIn and Plaxo and see what information you can glean about your employees, the projects they are working on, and what software they are using. Regularly run your company’s name through the various search engines to look for information coming from unlikely sources (it’s not unusual for contractors or suppliers to post information about dealings with other companies which inadvertently leaks helpful information to an attacker). Doing this exercise from the point of view of an attacker or competitor who knows nothing about your company will allow you to quickly see how many pieces of seemingly disparate information can eventually form a cookbook for a successful attack.

Train and monitor your staff, plug the leaks, monitor the web. Take these three steps and you will be on your way towards reducing (but never eliminating) the threat of social engineering attacks.

Shane MacDougall is a principal partner in Strategic Intelligence, a Canadian-based corporate intelligence gathering firm. He has been a professional white hat hacker, security consultant, and speaker since 1989.

November 8, 2010 | Risk management, Social Engineering, White Hat Hacking

Number of Breaches Going Up and Up!

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In issue 17 of Risky Business, I posted this brief article and supporting statistics for you to read. I was curious to see how the data changed in one month; I assumed it would go up, but by how much? You can see for yourself below in the last line.

The following data was collected from the Identity Theft Resource Center website.

Breach List                    Breaches    Records Exposed
2005                                157         66,853,201
2006                                321         19,137,844
2007                                446        127,717,024
2008                                656         35,691,255
2009                                498        222,477,043
2010 (as of 10-5-10)                533         13,517,866

2010 (as of 11-2-10)                571         14,000,609

November 8, 2010 | Cyber Crime, identity and access management, Identity Theft, Risk management