GABEY Identity

Defence of Identity Systems

By Prasanna Abeysekera

Identity systems play a crucial role in the digital era by enabling seamless access to the digital realm and verifying our online identities. It is of utmost importance to prioritise the security and accuracy of our online presence to facilitate the seamless operation of contemporary society. Hence, identity systems must be robust, reliable, and efficient. These systems enable individuals to take part in online activities such as e-commerce, social media, and online banking, which have become indispensable in contemporary society. In light of the growing significance of the digital realm, the role of identity systems has acquired paramount importance. As we increasingly depend on the digital domain, the relevance of these systems is only set to rise further. Thus, it becomes crucial to recognise their importance and ensure their seamless integration into our digital lives.

Unveiling the Essence of Uniqueness

In the context of the digital era, identity systems are the intricate and dynamic structures, technologies, and procedures employed to manage and verify the digital identities of individuals, organisations, and devices within online and electronic domains. These systems safeguard the digital domain's security, privacy, and access control. In more detail:
Identity systems represent individuals, entities, or devices in the digital world. These information systems hold large amounts of sensitive data, including personal particulars, biometric records, email addresses, and usernames. They are also responsible for verifying the authenticity of digital identities using methods such as username and password verification, biometric scans like fingerprint or facial recognition, multi-factor authentication, and others. These processes ensure that entities claiming an identity are legitimate.

After verifying an identity, identity systems manage authorisation and access control. This involves determining what actions the authenticated entity can perform and what data it can access within a digital ecosystem. Access levels vary according to an entity's roles and permissions, which administrators can adjust as requirements change.
In today's digital age, privacy concerns are paramount. Identity systems must comply with data protection regulations and best practices to protect users' personal information and prevent unauthorised access or data breaches.

Regarding digital identities, different systems and ecosystems need to work together seamlessly. This is known as interoperability and ensures that technical differences don't prevent using digital identities across various applications and platforms. It is necessary to establish interoperability standards to integrate digital identity systems into different environments easily.
One way to simplify the user experience and improve security is through Single Sign-On (SSO) functionality. This allows users to access multiple services and platforms using a single set of credentials, reducing the need to remember multiple passwords.

Modern identity systems utilise blockchain technology and decentralised identity frameworks to improve security, control, and privacy. These systems empower users to have greater control over their digital identities and reduce their reliance on centralised authorities. Additionally, advanced identity systems are implementing adaptive and risk-based authentication methods that assess the level of risk associated with a login attempt and adjust authentication requirements accordingly. This approach strikes a balance between security and user convenience.

Authenticity that is not controlled by a centralised authority

The concepts of Decentralised Identity (DID) and Self-Sovereign Identity (SSI) are transforming our perception of digital identities. Decentralised identity is a secure and user-controlled solution that manages digital identities using blockchain and cryptography. This approach empowers individuals and organisations to take ownership and control of their identities, offering protection against potential misuse. The idea is that information about one's identity should be kept private, controlled, and easily transferable. This objective is accomplished by utilising fundamental elements, including decentralised identifiers and attestations.

Identity systems are responsible for managing the complete lifecycle of digital identities, from initial registration to deactivation or deletion when necessary. Additionally, these systems must comply with legal and regulatory requirements for identity verification, data protection, and privacy. Examples of such regulations include GDPR (General Data Protection Regulation) in Europe and HIPAA (Health Insurance Portability and Accountability Act) in the healthcare industry.

The strength of modern identification systems plays a crucial role in maintaining the security, privacy, and convenience of our digital identities across various online platforms. These systems are regularly updated to keep pace with the ever-evolving landscape of the internet and its associated risks and technologies.

One of the prevalent challenges in safeguarding identity systems is the reliance on conventional usernames and passwords. Individuals and organisations focusing on cybersecurity, such as 'white hat' security researchers, software providers, and bug bounty programs, play a crucial role in identifying vulnerabilities. Unfortunately, attackers can sometimes exploit newly discovered flaws or zero-day vulnerabilities before security experts can address them. In 2023, attackers could compromise conventional username and password systems due to several weaknesses in their security. This has resulted in numerous data breaches that have impacted businesses of all sizes and across different industries. Personally identifiable information, such as names, dates of birth, addresses, emails, passwords, and usernames, can be at risk during a data breach. Major companies, including Twitter, Meta, and Apple, have all experienced cybersecurity incidents in the past year.

An authentication bypass vulnerability (CVE-2023-38035) allows unauthenticated individuals to gain access to sensitive APIs. This access can then be used to change configuration parameters within the administrator portal (MICS).

In KeePass versions before 2.54, a vulnerability allowed the master password to be recovered in clear text from a memory dump. This was possible even when the workspace was locked or no longer active. The vulnerability, CVE-2023-32784, raises concerns because it can enable unauthorised access to a user's KeePass vault.

The Microsoft May 2023 Security Update was reviewed by the Australian Cyber Security Centre (ACSC), which operates under the Australian Signals Directorate (ASD). The update patched 40 vulnerabilities. Two of them are suspected to have been exploited, and six have been rated 'Critical'. The critical vulnerabilities include Network File System (NFS) Remote Code Execution (CVE-2023-24941), Outlook Remote Code Execution (CVE-2023-29325), and Lightweight Directory Access Protocol Remote Code Execution (CVE-2023-28283).

In June 2023, the Australian Cyber Security Centre (ACSC) identified active exploitation of a vulnerability affecting Barracuda Email Security Gateway (ESG) appliances. The vulnerability with identifier CVE-2023-2868 is currently being exploited due to traditional username and password system weaknesses.

There has been news of yet another severe flaw in Citrix's NetScaler ADC and NetScaler Gateway products. The flaw allows an attacker to remotely execute code without requiring authentication.
Several classes of software vulnerability, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing, were fixed by Microsoft's August 2023 Patch.
Over the past few months, several data breaches have been reported. A data breach occurred in Ontario's birth registry systems, affecting the Better Outcomes Registry & Network (BORN), an organisation overseen by the Ontario government. The breach occurred in May 2023 and impacted around 3.4 million individuals, mainly those seeking prenatal treatment and newborns born in Ontario. Cybercriminals copied personal health records collected from a network of medical providers, primarily in Ontario: data on fertility, pregnancy, neonatal, and child health care stored on a server between January 2010 and May 2023.

Topgolf Callaway, a US golf club manufacturer, also suffered a significant data breach that impacted over one million customers. Additionally, the systems of the non-profit organisation Freecycle were breached, potentially affecting seven million of its users. Finally, multinational technology company SONY reportedly suffered a data breach by ransomware group Ransomware.VC.

Cyber insurance providers estimate that there will be an average of 1,900 critical Common Vulnerabilities and Exposures (CVEs) per month in 2023, a 13% increase from 2022.

Lateral movement is the progression of an attacker through a network after gaining initial access to a system or device. While some aspects of it can be automated, attackers or groups still often orchestrate it by hand: it is an intricate process that requires coordination and precision, so it is usually carried out by skilled attackers with a deep understanding of network architecture and security protocols.

The presence of these vulnerabilities underscores the significance of incorporating robust security measures and consistently updating systems to safeguard against potential threats.

It's crucial to have robust defence mechanisms due to the rising cyber threats in the digital era

The prevalence of cyber threats in the digital landscape has risen substantially. According to a report published by McAfee Enterprise and FireEye (now known as Trellix), 81% of global organisations encountered heightened cyber threats during the COVID-19 pandemic. According to a recent report from Check Point Research, global cyberattacks rose significantly, with a 38% increase in 2022 compared to 2021. These numbers underscore the increasing importance of implementing robust defence mechanisms within identity protection systems.

Identity protection systems serve a pivotal role in the identification and mitigation of breaches that are driven by the compromise of personal identities. The primary objective of these security measures is to safeguard all identities present within an organisation, encompassing both human and machine entities, regardless of their location (on-premises or hybrid) and classification (regular or privileged).

Lateral

In cybersecurity, "lateral" refers to the direction of threats or attacks within a network or system. Specifically, it describes the side-to-side movement of a malicious entity or attacker within a compromised network. Notably, lateral movement occurs after establishing an initial foothold.

Different access levels are available for users in a corporate setting, such as B2B (business-to-business), B2C (business-to-consumer), and public access. These allow personnel, partners, and clients to access applications, resources, and APIs while keeping everything logically separated. Each access level determines which data and workloads its end users can reach.

In hacking scenarios, breaching established defence mechanisms and bypassing the access hierarchy is challenging unless the attacker discovers a weakness and can circumvent the administration model in place. After infecting an endpoint with malware, attackers can move laterally across the network and gain privileged credentials using various methods and tools.
If an attacker encounters a misconfigured system during an attack, it can speed up the extraction of credentials. Poor separation of the control and management planes, often the result of a weak administration model, can have devastating consequences when attackers exploit vulnerabilities.

In order to inflict serious harm, attackers need to obtain higher levels of access within the network by escalating their privileges. If they only have access to a standard user account, their ability to cause damage is limited. The level of risk and impact of an attack can vary based on the strength of the network's security measures. It's essential to recognise that with a weaker security posture, lateral movement by attackers can still result in harm.

When an attacker tries to obtain higher access rights in a network, it's called Vertical Movement or Privilege Escalation. This means they want to become an administrator or superuser. The more access they have, the more damage they can do to the network. Attackers with these privileges can access essential resources and have more power to bypass security measures.

Recognising the severe consequences of attackers traversing the identity hierarchy is crucial. The primary objective of an identity system's defence mechanism is to prevent adversaries from moving vertically. Businesses and academic institutions should implement robust administration models that prioritise security and risk management. Such models should ensure proper separation of the control and management planes to prevent unauthorised access and potential breaches. Failure to do so can severely damage an organisation's reputation, lead to the loss of confidential information, and have financial implications.

Do individuals with administrative privileges within your organisation perform routine user tasks while logged in as administrators?

Organisations often overlook the concept of least privilege

Administrators should not use high-level accounts when accessing corporate email since it goes against the principle of least privilege. The principle of least privilege (POLP) is a crucial cybersecurity concept recommending granting individuals or systems the minimum access or privileges required to perform their designated tasks or job functions. Implementing this principle aims to reduce the harm that can result from unintended or deliberate actions by users or administrators.

You have been granted temporary administrative privileges, which will be valid for a duration of two hours, subject to the nature of the task. Please clarify if there are any restrictions on the number of administrators who can log in simultaneously.

Ideally, having no more than two is preferable, but a maximum of three can be considered acceptable in certain situations.

I'm sorry, but I request that Admin rights be available 24/7.

Please explain the reason behind your statement. To have administrative privileges on this computer and on-site, you must be a blue, red, or SOC team member. If you need to check your work email, complete your timesheet, or attend a meeting, please log out and log back in on your corporate laptop.

It all starts by planting the seed of malware in the system

Lateral movement detection and defence

The continuous advancement of lateral movement detection and defence mechanisms is imperative to counteract the ever-evolving landscape of contemporary threats effectively.

The term "lateral movement" refers to the methods attackers use to systematically navigate a network in search of the valuable data and assets that are the real objectives of their attack. It describes an attacker moving laterally, or sideways, from one device to another within a network, typically targeting different applications or systems. Whatever the route, the objective is to gain broader or deeper access.

To stay ahead of increasingly sophisticated cyber threats, the methods for detecting and defending against lateral movement are evolving. As threat actors develop more sophisticated attack strategies, defenders turn the predictability of lateral movement to their advantage, using its patterns to identify attackers and strengthen their defences accordingly.

What, therefore, is the point of moving laterally or sideways?

Lateral movement refers to cyber attackers' techniques and tactics to navigate within a compromised network, usually after gaining an initial foothold. The goal is to move stealthily from one system or device to another while avoiding detection.

The video below explains how attackers use lateral movement, demonstrates it with mimikatz, and shows how to mitigate it.

The following are lateral movement paths (LMPs) that attackers may use within a compromised environment:

Pass-the-Hash (PtH): Adversaries use stolen password hashes to authenticate to other systems.

Pass-the-Ticket (PtT): This approach resembles Pass-the-Hash (PtH) but relies on stolen Kerberos tickets for authentication.

Over-pass-the-Hash: Attackers use stolen login details to modify a user's password and acquire prolonged access.

Remote Desktop Protocol (RDP): Gaining access to other systems by abusing RDP.

SSH Tunnels: Creating tunnels for lateral movement with SSH.

Malware Propagation: Infecting further systems with malicious software.

Lateral movement detection

Lateral movement detection and defence mechanisms are critical components of modern cybersecurity strategies. They focus on identifying and mitigating threats that have breached the initial layers of defence and are attempting to move laterally within a network, often in search of valuable assets or to escalate their privileges.

Criminals have various methods and tools to carry out lateral movement. However, regardless of the specific approach, the attack generally consists of five primary stages. The process starts by infecting the system with malware. These stages provide a structured approach to understanding attack anatomy and help organisations develop effective strategies to prevent, detect, and respond to attacks.
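As an added example (not from the original page or its author), the small Python detector below turns the least-privilege point from the administrator dialogue above and the lateral movement paths just listed into checks over a handful of constructed logon events; the 'adm-' and 'WS-' naming prefixes, the thresholds and the sample log lines are all assumptions.

```python
"""Toy lateral-movement and privilege-hygiene detector (added example, not the
author's code). Sample events are constructed; 'adm-'/'WS-' prefixes are assumed
conventions. Logon types follow Windows event 4624: 2 interactive, 3 network,
9 NewCredentials, 10 RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time|account|source host|target host|logon type
SAMPLE_EVENTS = """\
2023-09-01T08:00:05|j.doe|WS-101|WS-101|2
2023-09-01T08:02:10|adm-j.doe|WS-101|WS-101|2
2023-09-01T09:15:00|svc-backup|WS-101|SRV-FILE01|3
2023-09-01T09:15:20|svc-backup|WS-101|SRV-FILE02|3
2023-09-01T09:15:41|svc-backup|WS-101|SRV-FILE03|3
2023-09-01T09:16:02|svc-backup|WS-101|SRV-DC01|3
2023-09-01T09:16:30|svc-backup|WS-101|SRV-DC01|9
2023-09-01T13:00:00|m.smith|WS-220|SRV-MAIL|3
"""

def parse_events(text):
    """Turn pipe-separated lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, account, source, target, ltype = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "source": source, "target": target, "logon_type": int(ltype)})
    return events

def detect_fanout(events, threshold=4, window=timedelta(minutes=5)):
    """One account reaching >= threshold distinct hosts over the network (types 3/10)
    inside `window` is the fan-out pattern left by PtH/PtT/RDP-style movement."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in (3, 10):
            by_account[ev["account"]].append(ev)
    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # sliding window anchored on each event
            hosts = {e["target"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                findings.append((account, start["time"], sorted(hosts)))
                break  # one finding per account is enough
    return findings

def detect_new_credentials(events):
    """Type 9 (NewCredentials) is rare for humans; credential-injecting tooling commonly leaves it."""
    return [e for e in events if e["logon_type"] == 9]

def detect_admin_interactive(events, admin_prefix="adm-", ws_prefix="WS-"):
    """Privileged accounts logging on interactively to ordinary workstations: the
    'reading email as an administrator' problem from the least-privilege section."""
    return [e for e in events if e["account"].startswith(admin_prefix)
            and e["target"].startswith(ws_prefix) and e["logon_type"] in (2, 10)]

def run(text):
    """Apply all three checks and return the findings keyed by check name."""
    events = parse_events(text)
    return {"fanout": detect_fanout(events),
            "new_credentials": detect_new_credentials(events),
            "admin_interactive": detect_admin_interactive(events)}
```

On the sample, `run(SAMPLE_EVENTS)` flags svc-backup for fanning out to four servers in about a minute and for a NewCredentials logon, and flags adm-j.doe for an interactive workstation logon.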

Reconnaissance (Stage 1)

The movie is based on a real-life case. It depicts how a particular company became the target of foreign actors and highlights the actions taken by the FBI to assist in the situation.

Did you find the video presented above informative? It covers various aspects of reconnaissance.

Initial Access (Stage 2)

Our next post will delve into the topic of Lateral Movement Detection, including its approach and associated tools. It is worth noting that attackers often conduct reconnaissance before launching a ransomware attack. One could consider implementing a honeypot as part of their network security strategy to gain insights into possible reconnaissance activities. We will examine this topic in greater detail in our forthcoming post.
