Guest Blog: 5 Key Takeaways from One Identity’s Identity Security Survey

Identity management is reaching a tipping point. In 2022, we commissioned a survey of over 1,000 top IT security professionals for our 2022 Identity and Security Survey. This exploration into the state of the identity security market revealed that:

  • More than 89% of respondents have been impacted by an identity-based attack within the last 12 months
  • 96% utilize multiple tools for their identity management
  • 70% believe they’re not even actively using all the tools they’re paying for

These results point to an under-funded, overworked identity and security management workforce. We wanted to know whether our customers, prospects and partners had experienced, or were experiencing, the same thing. So, we put together a survey for the attendees of our annual user and partner conference, Resilience 2022 (now known as One Identity UNITE), with the goal of gaining a deeper, more nuanced understanding of how the current state of identity management and security is impacting their teams, and what steps could be taken to remediate their issues. Here’s what we found.

Password resharing remains the key security threat for 31% of respondents

Much to the disdain of the security industry, passwords remain a key issue for the customers and partners we surveyed at our conference. However, it is by no means the only issue. An additional 20% of respondents indicated that their biggest security threat is that ex-employees still have access to the organization’s systems and data. Another 20% are worried about ‘malicious or unintentional data breaches’ by employees. 

The mental health of security teams is a key issue

The issue of burnout is one that is widely discussed in the security industry, and the customers we polled gave us tangible evidence that identity security teams are not exempt from this. The majority (63%) of respondents say that their security team is overworked. Another 22% don’t know if their teams are overworked or not. Only 15% said that their teams are currently able to manage their workload appropriately. Overworked identity security teams have the potential to cause, and exacerbate, a myriad of issues, including: 

  • Negative effects on the mental and physical health of the security teams
  • Employees considering leaving the organization, leading to difficulties replacing them
  • The fact that it’s not easy for overworked people to complete their job function at a high standard, meaning the security team may actually become a security hazard

83% believe that complexity is holding them back from implementing the appropriate security controls

Using multiple identity management solutions and managing more identities than ever before is a problem for security teams, according to our partners. 65% of those surveyed believe that a unified identity security model could reduce identity management complexity. Furthermore, over 70% both understand and are implementing Zero Trust models at their organization. 

Funding is the answer

The problem of overworked security teams is a complex one, but our customers and partners broadly identified a simple solution: better funding for their activities. 62% suggest that more staff and greater funding could make a serious difference when it comes to improving the mental health – and therefore, the resilience – of security teams. Another 29% suggest that a more technical approach (better integration of cybersecurity solutions) could also help. However, better integration requires resources. 

Unified security approaches could keep your security teams well

While funding is a key solution to consider, another to keep in mind is strategy. Many respondents say that a radically different approach is needed to overcome the complexity and fragmentation that currently dominate the identity management space. 58% of those surveyed believe a unified approach would help their team’s mental wellbeing. An even greater percentage (60%) say that a unified approach could, in turn, provide significant results for the entire company, since the mental wellbeing of the security team affects security at the company as a whole.

Conclusion: Fund and Unify

Security teams are the last line of defense for both internal security issues and external threat actors who might wish your organization harm. By unifying your approach to identity security and ensuring your teams are given the resources and support they need to do their job to the best of their abilities, you can send a message to these threat actors (and to your own organization) that you’re taking security as seriously as the teams you employ to undertake it. 

The post Guest Blog: 5 Key Takeaways from One Identity’s Identity Security Survey appeared first on IT Security Guru.

Identity Thieves Bypassed Experian Security to View Credit Reports

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.
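The step-skip described above comes down to a report route that never re-checked, server-side, whether the verification step had actually been completed. The following is an added illustration of that missing check, constructed for this article and not Experian's code; the route names, session fields, answer key and sample report are all assumptions.

```python
"""Server-side enforcement of an identity-verification step before a report is served.

Constructed example (not Experian's code): the vulnerable handler trusts that a client
reached the report page by passing the questions page, while the hardened handler only
serves the report when the session records a passed KBA step. Route names, session
fields and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder answer key and report store; real systems hold these elsewhere.
_KBA_ANSWER_KEY = {"q1": "123 Main St", "q2": "2015"}
_REPORTS = {"subject-0001": "CREDIT REPORT (constructed sample) for subject-0001"}


@dataclass
class Session:
    subject_id: Optional[str] = None  # set once name/address/SSN/DOB are handed off
    kba_state: str = "not_started"    # not_started | questions_issued | passed | failed | unavailable


@dataclass
class Response:
    status: int
    body: str


def start_verification(session: Session, subject_id: str, questions_available: bool) -> Response:
    """Step 1: identity data received; either issue KBA questions or show the no-data error."""
    session.subject_id = subject_id
    if not questions_available:
        session.kba_state = "unavailable"       # the error-page case in the article
        return Response(200, "We could not verify your identity online.")
    session.kba_state = "questions_issued"      # the questions page
    return Response(200, "Q1: which address have you lived at? Q2: year of your first loan?")


def submit_kba(session: Session, answers: dict) -> Response:
    """Step 2: grade the answers; only this function may move the state to 'passed'."""
    if session.kba_state != "questions_issued":
        return Response(400, "No questions outstanding for this session.")
    ok = all(answers.get(q) == a for q, a in _KBA_ANSWER_KEY.items())
    session.kba_state = "passed" if ok else "failed"
    return Response(200, "verified" if ok else "answers did not match")


def report_vulnerable(session: Session) -> Response:
    """Bug: the report route only checks that identity data exists, not that KBA passed.
    A client that requests this route directly goes from step 1 straight to the report."""
    if session.subject_id is None:
        return Response(401, "no identity data")
    return Response(200, _REPORTS[session.subject_id])


def report_hardened(session: Session) -> Response:
    """Fix: the report route re-checks the server-side step state on every request."""
    if session.subject_id is None or session.kba_state != "passed":
        # 'unavailable', 'questions_issued' and 'failed' all land here, so neither the
        # error page nor the questions page can be skipped by changing the URL.
        return Response(403, "identity verification not completed")
    return Response(200, _REPORTS[session.subject_id])


def walkthrough(questions_available: bool, skip_kba: bool, hardened: bool) -> int:
    """Drive one client through the flow and return the status the report route gives."""
    s = Session()
    start_verification(s, "subject-0001", questions_available)
    if questions_available and not skip_kba:
        submit_kba(s, {"q1": "123 Main St", "q2": "2015"})
    return (report_hardened if hardened else report_vulnerable)(s).status


if __name__ == "__main__":
    print("vulnerable, questions skipped:", walkthrough(True, True, False))   # 200
    print("vulnerable, error page skipped:", walkthrough(False, True, False))  # 200
    print("hardened, questions skipped:", walkthrough(True, True, True))       # 403
    print("hardened, questions answered:", walkthrough(True, False, True))     # 200
```

The point to audit for in any multi-step verification flow is the last line of each report handler: the decision must rest on state the server itself recorded after grading the step, never on which page the client says it came from.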

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse at the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself to be a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

The state of Identity Security: Widespread attacks, wasted investment and identity sprawl

Identity management is in dire straits, according to a recently conducted survey by identity security firm One Identity. Surveying over 1,000 IT security professionals, the results showed that 96 percent of companies report using multiple identity management tools, with 41 percent deploying at least 25 different systems to manage access rights. However, 70 percent of companies reported they’re paying for identity tools they’re not actively using. This investment in multiple disparate identity tools is having a direct impact on their overall security posture.

Companies have acquired multiple identity tools to deal with the surge in digital identities (or digital profiles accessing enterprise data and applications), creating identity sprawl that weakens their cybersecurity postures. More than half of companies (52%) manage more than 10,000 identities, which include access rights given to employees, devices, machines, digital identities, and customers. For over half of UK respondents, the number of identities they manage has more than doubled over the past two years.

“Legacy approaches to identity and access management have caused organizations to adopt multiple identity solutions, and the lack of interoperability between these tools has a direct business and security impact,” said Mark Logan, CEO of One Identity. “Our research shows that organizations see the negative impact that multiple, fragmented identity tools have on their business. By shifting security professionals’ mindset from a disparate, tool-based approach to a platform approach, businesses can improve their identity security defenses to protect against the modern threat landscape.” 

Elsewhere, other key findings from the survey include:

The need for shoring up identity-based defenses is significant. Nine in 10 organizations were hit by an identity-based attack in the last year, with almost 70 percent of companies experiencing a phishing attack. According to 80 percent of respondents, better identity management tools could have prevented the impact of many such attacks.

Essentially all companies (99 percent) report that identity tool inefficiencies have a direct cost on their business. In fact, 42 percent of businesses report that those inefficiencies are costing businesses over $100,000 per year. This kind of loss is further outweighed by spending on these tools, which 61% of UK respondents placed at between £50 and £50,000.

The deployment of multiple identity management tools impacts security posture and drains productivity. Consider that for those with multiple tools:

  • 44% reported increased risk due to potential gaps in coverage
  • 46% reported IT admins are spending too much time managing redundancies
  • 46% reported IT admins are managing too many tools to gain in-depth expertise in any of them
  • 41% reported that their IT team’s productivity is lower because staff have to learn similar tasks across multiple systems

The good news is that companies are looking to improve their identity security, with an overwhelming 90 percent of companies surveyed planning to consolidate their security or identity management tools. Of that 90 percent, more than half plan to do so in the next year. More than half (54%) of respondents also believe that a unified identity platform for access and identity management would benefit their organization’s identity management strategy.

A free executive summary and key findings of the survey results announced today is available online here.

The post The state of Identity Security: Widespread attacks, wasted investment and identity sprawl appeared first on IT Security Guru.

Case Study: Getting ahead of Convergence with One Identity and B. Braun

By Alan Radford, Global Identity and Access Management Strategist at One Identity, and Andreas Muller, IT Project Manager at B. Braun

According to Gartner, converged Identity & Access Management (IAM) platforms will be the preferred adoption method for Access Management (AM), Identity Governance & Administration (IGA) and Privileged Access Management (PAM) in over 70% of new deployments by 2025, driven by more comprehensive risk mitigation requirements. These predictions are well understood by One Identity, recently positioned as a Leader in the 2022 Gartner Magic Quadrant for PAM.

One Identity’s Alan Radford and Andreas Muller of B. Braun came together with other authentication professionals to discuss how to get ahead of this issue.

The Challenges: Managing size, complexity and diversity

B. Braun is a German medical and pharmaceutical device company, working across 60+ countries, with the help of over 60,000 staff. According to Muller, “Our main challenge, from a technical perspective, is consolidation across teams. We are working across several disparate geographies and teams with different owners. All these teams need to pull together in the same direction.”

This structural complexity is further compounded by the strict restrictions in place on medical manufacturing, which needs to be supported by security and Identity & Access Management policies. Restricting access to the data hosted on the B. Braun servers is crucial to ensure it remains compliant.

B. Braun needed a more effective way to manage user accounts and protect data. Andreas Mueller, IT project manager at B. Braun, says, “We had too many manual processes, which increased the time to create or delete a user account. Overall, there was too much risk of unauthorized data access and, therefore, a failure to comply with data security regulations.” Beyond automation, B. Braun also wanted an identity management solution that could drive digital transformation. “We’re moving some of our IT to the cloud,” says Mueller, “so we needed a solution that could talk to our on-premise infrastructure and cloud services, such as Office 365.” B. Braun hired One Identity to launch a proof of concept (POC) for Identity Manager. “Identity Manager delivered all the features we wanted,” says Mueller, “including cloud connectivity. What’s more, the technical sales team at One Identity offered to support a POC that integrated with our internal infrastructure. No other provider would go this far.”

The Results: Automation and support

B. Braun was able to work on improving its security policies by automating account provisioning and deactivation, ensuring that Identity & Access Management is not an element of its policy that gets overlooked across multiple geographies. This has also ensured that company data is protected in its hybrid environment of cloud and on-premises systems, both of which were still necessary in its environment.

For more than five years now, B. Braun has been successfully using One Identity’s Identity Manager solution to achieve support for both the company’s internal systems and extranet used by customers. “All the right people have access to what they need now that account creation and termination are automated with Identity Manager,” explains Mueller. “There’s complete transparency and greater protection of company data. Everyone knows the position of their requests within the workflow at any given time. There is also less chance of errors.”

Conclusion: Flexibility and responsibility 

B. Braun’s issues and challenges are a telling insight into the role of IAM partners.

B. Braun looked to its IAM partner to ensure that it could retain the flexibility that a hybrid offering allows for, while bringing together disparate identities across different teams, regions and operational areas, reducing friction without compromising its security posture. One Identity was able to offer this, harnessing its years of IAM experience in automated authentication to work on the ‘principle of least privilege’ for both internal and external stakeholders.

Looking forward, B. Braun is hoping to continue to enhance its password management policies, automation programs for Identity & Access Management and to continue its focus on ensuring compliance and security standards are upheld.


About One Identity

One Identity delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture and protect the people, applications and data essential to business. Our Unified Identity Security Platform brings together best-in-class Identity Governance & Administration (IGA), Access Management (AM), Privileged Access Management (PAM) and Active Directory Management (AD Mgmt) capabilities to enable organizations to shift from a fragmented to a holistic approach to identity security. One Identity is trusted and proven on a global scale – managing more than 500 million identities for more than 11,000 organizations worldwide.

The post Case Study: Getting ahead of Convergence with One Identity and B. Braun appeared first on IT Security Guru.

Study highlights surge in identity theft and phishing attacks

A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched today and it highlights an alarming surge in phishing and identity theft attacks.

The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the attitudes of 3,000 individuals across the U.S., the UK and Canada towards cybersecurity. It revealed that nearly half (45%) of us are connected to the internet all the time; however, this has coincided with a surge in identity theft, with almost 1 in 4 people having been affected by the attack.

Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.

When it comes to implementing cybersecurity best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.

Commenting on the study finding, Oz Alashe, CEO and Founder of CybSafe, said: “One of the biggest misconceptions is the belief that people are the weakest link in cybersecurity. The combination of evolving threats coupled with more people accessing the Internet daily for work and recreation means people-related cybersecurity risk must be reassessed. It also makes education and implementation of fundamental cybersecurity practices more important than ever before. MFA, password managers and other ‘basic’ cybersecurity best practices have been shown to be incredibly effective in thwarting cyber criminals, yet adoption continues to be a big problem. We need to find a way to break through the age-old misperceptions that these steps are annoying or cumbersome and replace them with the facts: these tools can significantly lower the chances of becoming a cybercrime victim.”

The post Study highlights surge in identity theft and phishing attacks appeared first on IT Security Guru.

Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey

By Dan Conrad, AD Security and Management Team Lead at One Identity

Authentication is one of the hottest topics in cybersecurity right now. As biometrics, MFA, and a range of other authentication methods continue to threaten the password’s supremacy, we thought it was worth finding out what industry professionals thought about it all.

So that’s what we did. At InfoSecurity Europe 2022, One Identity surveyed more than 100 security and IT professionals to get a picture of how businesses and their employees approach passwords and authentication.

When asked what they considered the biggest security threat to their business, 56 percent of respondents said they believed it to be users sharing passwords for admin tasks. If that isn’t an argument for passwordless authentication, we’re not sure what is. This was followed by 25 percent of respondents believing that the biggest security threat was users clicking on malicious links or opening rogue attachments. Collectively, this means that 80 percent of respondents believe that human error poses the largest threat to an organization’s security.

Interestingly, while the majority (62 percent) viewed educating staff as the most important factor in preventing cyber-attacks, a rapidly growing segment (30 percent) stated that adopting a zero-trust model was more important.

Moving on to multifactor authentication, we are met with some heartening statistics. 99 percent of respondents told us that their company had adopted MFA for remote access and 97 percent said that it was mandated. This confirms what we already knew – that the password as a standalone authentication method is obsolete.

When looking into users’ connections to passwords, we see some interesting results. While just over a quarter of respondents had an emotional connection to a password (28 percent), the majority said they had a favorite password (84 percent). We can infer from this that while most people don’t reuse passwords for sentimental reasons, they likely do for practical reasons. It is concerning that IT and security professionals, people who are more aware than anyone of the dangers of reusing passwords, persist in this bad habit.

This is yet another mark against the use of traditional passwords – if those in the know aren’t following best practices, how can we expect the layman to? The reality is that modern users have so many accounts that it is no longer practical to create and remember a new password for every one they set up. We’ll chalk this one up as another point in support of modern authentication methods, which eliminate these problems.

While it’s clear that users are reusing passwords, it turns out that most respondents are at least adding complexity to their passwords depending on a system’s importance (96 percent). Perhaps unsurprisingly, 76 percent saw banking or financial services as requiring a top tier password, but only 7 percent thought that work emails were deserving of the same protection. This may be an understandable perspective but doesn’t bode well for organizations that routinely share sensitive information through email.

Finally, we make it to how IT and security professionals are storing their passwords. Here, at least, we get some more heartening statistics:

  • 65 percent of respondents said they used password managers, which are generally regarded as the safest and most convenient way to keep passwords
  • 23 percent said they wrote their login details down somewhere, which, while not ideal, is safer than using one password across multiple accounts

We did, apparently, come across some cyber-savants claiming they could remember all their login details, but if anything, this suggests that they are reusing passwords for an alarming number of accounts.

The key takeaway here is that the password is on the way out. These results serve as further proof that traditional passwords by themselves are no longer fit for purpose – even leaders in the IT security space fail to follow best practices simply because it isn’t convenient. We’ve seen that businesses are implementing and mandating alternative authentication methods en masse, and it won’t be long before this trend trickles down to the rest of society.


The post Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey appeared first on IT Security Guru.