The US National Security Agency (NSA) has called on systems administrators to tighten up their Identity and Access Management (IAM) security hygiene or risk the fate of Colonial Pipeline – the pipeline provider that was shut down by a ransomware attack “because of a leaked password, an inactive VPN account, and a lack of multifactor authentication – all of which can be summed up as poor IAM” as the NSA and CISA put it this week.
In an important new 31-page IAM guide for systems administrators published this week, the two federal agencies detailed best practices and mitigations to counter threats to IAM related across five pillars: Identity governance; environmental hardening; identity federation/Single Sign-On; MFA; IAM auditing and monitoring.
NSA’s sysadmin IAM guide: Use the tools available!
On Identity Governance, the agencies emphasise (amid a glut of attacks that have exploited active credentials for long-gone employees) that “governance systems can automate the disablement and removal of accounts in response to separation actions in human capital management systems or other personnel systems.”
There are good tools out there that can help, NSA suggests, noting that “orchestration tools that are designed to link people, applications, data and devices, and allow customers to determine who has access to what, what kind of risk that represents, and take action in situations where policy violations are identified.”
(CyberArk, Forgerock, Microsoft, Okta, Ping Identity make the leader board in Gartner's Magic Quadrant for Access Management, for what it is worth. Numerous other startups are active in the space too.)
We broke down the report into its key simple checklists (lightly edited) for your convenience.
The “actions to take now” checklist
Environmental Hardening: The checklist
- Take an inventory of all assets within the organization and work to understand discrepancies.
- Identify all the local identities on the assets in order to know who has access to which assets.
- Understand what security controls are in the enterprise environment now and what security gaps persist
- Develop a network traffic baseline that can be used to detect security anomalies in the network.
SSO: The checklist
- Assess your organization’s cloud and on-prem apps/devices/platforms' ability to connect using SSO.
- Check if your tooling can collect user context during SSO logins like location, device, and behavior
MFA: The checklist
- Determine the MFA solution best suited in your operating environment.
- Implement MFA as part of an enterprise SSO solution.
- Maintain a robust inventory of the MFA authenticators deployed in your organization’s operating environment.
- Routinely test and patch your organization’s MFA infrastructure
Auditing: The checklist
- Establish baseline expectations of activity levels and policy and monitor privileged user behavior for both acceptable and suspicious activity. Avoid automatic response actions to suspicious behavior that could be important and legitimate (e.g. system administrator that flags as unusual activity due to logging in from a remote location on a weekend however could be responding to an emergency network problem).
- Include manual procedures to confirm the legitimacy of these actions before determining how to respond.
- Monitor general user behaviors in both good and bad terms such as how many successful access attempts versus unsuccessful, what hours typically worked, whether remote access allowed, what systems accessed
- Monitor activity between applications and systems and associated network traffic for changes in connectivity, level of activity, and types of data.
- Monitor external traffic that may include new interactions with previously unknown sites or different types and levels of interactions. Remember that data exfiltration attacks may be ‘low and slow’ so a change may be small, but ongoing. Be careful to not include this in an accepted baseline of activity.
As well as pointing sysadmins to steps like the above and urging them to make use of appropriate enterprise toolings [are there any obvious gaps or flaws in the solutions on the market that stand out? Vent to us here] the NSA points those with the bandwidth to initiatives like DARPA's Anomaly Detection at Multiple Scales (ADAMS) Project which it thinks provides "valuable information for organizations to use as a starting point when attempting to identify and remediate insider threats. The project developed an ... egine to detect malicious users and characterize anomalous behavior typical of malicious users, to support improved prediction-based actionable intelligence."
Sysadmins, The Stack would welcome your IAM deployment horror stories or lessons-learned from large projects, whether that's user or vendor-focused. Get in touch and bare all.