Last year, I had the privilege of reviewing the results of a cyber security health check with the managing partners of a mid-sized management consulting firm based in Georgia. Like all consulting firms, they prided themselves in the trust that they earned from their clients during their projects. Their clients were referenceable, and their primary source of new customers was through referrals. The firm had requested the external review as they were increasingly concerned about the reputational damages that would be caused by a breach.
Although the health check results I reviewed were for a mid-sized company, the risk of a breach at professional services firms spans industries, market share, and practice areas. According to a recent news article, a small accounting firm with ten Certified Public Accountants in Washington State recently disclosed they had been breached. In that case, bad actors filed fraudulent tax returns on behalf of the firm’s clients and accessed tax returns for prior years. Clients see incidents like this as a breach of trust and a failure on the part of their service provider to take reasonable precautions.
The results of a breach can have long-lasting effects on a firm. According to the 2017 Annual Cybersecurity Report by Cisco, more than a third of companies that were subject to an attack lost 20% or more in revenues. Additionally, nearly 25% of companies that had suffered an attack lost new business opportunities. Losses may be considerably more significant in a reputation-based industry like consulting or professional services.
The health check for the Georgia management consulting firm revealed that they had deployed only the traditional defenses for cybersecurity. They updated their software regularly, malware protection was in place on laptops and servers, and they had a reasonably configured corporate firewall at their office. Coincidentally, the results of their health check largely resembled the 2016 Cyber Security Breaches Survey produced by the UK Government. Five years ago, these rudimentary measures would have been considered adequate. However, while the traditional defenses were in place, the health check showed that the management consulting firm could not verify the identity of users accessing their systems. There was also no consolidated view of employee privileges, and sensitive systems were protected only with passwords rather than multi-factor authentication mechanisms.
Understanding User Identity and Privilege
The primary finding of the health check was that the firm could not guarantee that the user accessing a corporate resource – whether on-premises servers or cloud-hosted services – was who they claimed to be. A related finding was the lack of a consistent provisioning and de-provisioning process for employees and contractors. This is a clear and present danger for consulting firms that have a mixture of employees and contractors accessing a variety of internal and customer data.
When the firm hired a new employee, the employee would be given an account in Active Directory. This account allowed them access to their email, some shared project folders at the company headquarters, and the ability to print while at the company office. These accounts were protected by passwords, and the firm had a reasonable password complexity policy in place.
However, the firm had numerous systems that were not consolidated for user authentication. The firm had deployed an on-premises Professional Services Automation (PSA) system for resource management, time sheets, and expense reporting. This PSA required a separate username and password and did not have a password policy in place — users could choose “password1” for their password and never be required to change it. Although the PSA included some delegation functions, the accounting team responsible for timely payments of expense reports found it more convenient to share a single user account and password. From a compliance perspective, this meant that it was not possible to see who had authorized billing to clients and payment to employees or contractors. Finally, there was no de-provisioning process in place; several of the senior partners reported that this was a good thing, as they expected that departing staff members would return at some future date. In practice, this meant that someone who was no longer employed by the consultancy could still file expense reports and potentially be paid due to a lack of oversight.
Employees accessed the on-premises PSA through a Virtual Private Network (VPN) when they were working at client facilities. This VPN also required a separate username and password, and the IT consultant who had set it up had created a simple password complexity policy. However, users needed to request access to the VPN, and there was no process in place for revoking user access to the VPN upon employee termination.
The management consulting firm had a small dedicated sales team in addition to the senior partners. They had chosen to deploy SalesForce.com for tracking prospects and sales opportunities. Junior practice members were granted access to SalesForce.com to enter information from business cards collected at events and meetings with prospects. When users were given access to SalesForce.com, they were given a new username based on their email address and a new password, which they needed to change when they logged in. However, the health check found that there was no policy in place to periodically review who at the firm had access to SalesForce.com. Similarly, there was no user de-activation or de-provisioning process in place, meaning that a departing partner would be able to continue to access their sales prospecting lists and client lists after their last day of employment.
Regrettably, these three failures of managing user identity reflect only a subset of the seventeen distinct systems identified with security issues. In all cases, the security problems could be traced back to the user being granted a new account on each system. The firm lacked a process to review who had access to systems. Finally, they did not have manual or automated cleanup processes to remove or disable the accounts of employees or contractors who had left, and so de-provisioning was handled on an ad hoc, best-effort basis.
Based on the IBM 2016 Cyber Security Intelligence Index, “60% of attacks were carried out by those who had insider access to organizations’ systems”. This includes both malicious insiders, such as disgruntled current or former employees, as well as “inadvertent actors” who mistakenly create security breaches through poor security hygiene.
The External Threat of Credential Stuffing
The 2016 Year End Data Breach QuickView Report by RiskBased Security showed that 3.2 billion passwords were impacted as a result of breaches of public and private websites in 2016 alone. Although that is a sobering statistic, those stolen passwords are just the tip of the iceberg for cyber security. Bad actors have a thriving marketplace of technologies that can leverage those stolen credentials.
One of the health check findings was that many of the systems lacked a password expiration policy. To put this in context, consider how many employees your firm hired and how many contractors had access to your systems between 2013 and 2016. A non-zero percentage of those new employees may have used their Yahoo! password as their first password when they joined your company and were granted access to basic services like email and printers. As they have been granted access to additional systems like SalesForce.com or DropBox, they may have continued to use that Yahoo! password, if only because it was convenient for them. Bear in mind that Yahoo! was repeatedly hacked between 2013 and 2016, and bad actors acquired more than a billion Yahoo! passwords. Although Yahoo! notified end users to change their Yahoo! passwords, how many consulting firms required their employees and contractors to change all their passwords across all systems just in case one or more of those employees was using their Yahoo! password on a corporate system?
Criminals know this and so have built credential-stuffing tools to identify password re-use. At a high level, in a credential-stuffing attack, a villain purchases a database of usernames and passwords — and sometimes answers to knowledge-based authentication questions (who was your first elementary school teacher?) for a fee. They then rent a botnet from a criminal gang. The computers in the botnet try each of the usernames and passwords from the breach against common services, like DropBox, SalesForce.com, Replicon, PayPal, NetSuite OpenAir, Wells Fargo, Chase, and others. Unfortunately, as this is a massively distributed attack, most organizations just see a single failed login attempt from an unusual location, but this is lost in the day-to-day noise. Once the credential-stuffing attack is finished, the villain can then either re-sell credentials to corporate assets or choose to launch additional attacks using those credentials. In the latter case, they can effectively impersonate the affected user at your organization.
A password policy is the standard security best practice to mitigate the risks of credential stuffing. Most password policies require some level of complexity including special characters and numbers. More effective password policies also prevent incremental changes to passwords, where users just append a number to their password (“password1” becomes “password2”). The best password policies prevent password recycling so that a user cannot intentionally set their password to the same password that was part of a hack at some time in the past.
The challenge, however, is that typical users have as many passwords as systems that they can access. Each of those systems could conceivably have a different password policy. Having numerous passwords for on-premises and SaaS services also requires the individual user to log in regularly to those systems, if only to change their password
Starting an Identity and Access Management Program as a Threat Response
It’s important to differentiate between a product and a program. A product is something that you can buy, and there are many different Identity and Access Management (IAM) products available from a variety of vendors today. At Integral Partners, we have learned that our most successful clients instead launch and operate an IAM program. A program requires executive leadership and management support to succeed and is not an overnight solution. Rather, an IAM program is based on a pragmatic approach to mitigating cyber threats to the business by securing user identities.
A hallmark of a practical IAM program is that each user has a single user account stored in one location. At many companies, that is Active Directory, but that is not a technical requirement — the philosophy of one user equals one account transcends technologies. With a single account, consulting firms can require a consolidated password policy, including password expiry and preventing password recycling.
The best IAM programs are also well-connected. In the health check results, the management consulting firm found that users had multiple duplicate accounts across a diverse array of on-premises and SaaS solutions. In an IAM program, all on-premises and SaaS apps instead contact a central authentication provider to verify a user’s identity. For example, the management consulting firm could choose to use Active Directory as their authentication provider. When a user logs into Replicon, they could use their Active Directory credentials for authentication, rather than having to maintain a second username and password for Replicon. Other systems, such as Office 365, NetSuite, DropBox, and the user’s Apple MacBook could similarly use the user’s Active Directory username and password.
Another benefit of an IAM program is that as the user has just a single account, there’s only one account to disable if the user’s account is compromised or if the user leaves the company. In the health check findings, the management consulting firm learned that former employees could continue view sales prospecting lists and draft Statement of Work documents long after their date of termination as there was no de-provisioning process. Under an IAM program, the user’s consolidated account (typically in Active Directory) would be disabled. This would lock the user out of the PSA, the VPN, email, SalesForce.com, their MacBook, and any other connected systems.
It is also notable that stating an IAM program is comparatively easier than getting full coverage across all employees, contractors, and systems. We have seen many instances where companies launch into an IAM program, typically due to an audit or a breach and only deploy the solution to the affected users or systems. These partial implementations rob the value of an IAM program, as they perpetuate the difficulty of reporting on user privileges.
A well-run IAM program should be able to show managing partners and directors who has access to key business systems on a regular basis. Partners should plan on reviewing that access to make sure that it is still valid. Consider the case of an associate being granted access to SalesForce.com to enter business card data from a single trade show. They should no longer have access to SalesForce.com six months later when they are working in a different practice area. However, this presupposes that all systems are connected to the IAM program so that a partner can run a single report to see which users have access to each system.
Unless your firm is in the business of cyber security, it is difficult to successfully launch your first IAM program. Although many product vendors will insist that their product has a rapid ROI and is non-invasive, an IAM program primarily requires a mindset and commitment on the part of executive management. If you use a firm for IT, your best course of action is to ask their recommendations of consulting firms that provide dedicated IAM program services.
Deploying Step-up Authorization to Increase Security
This article would have ended here if it had been written a couple of years ago. The bad guys also have criminal enterprises to run, though, and they continue to innovate. Having an IAM program was table stakes for the modern consultancy a couple of years ago.
The premise of an IAM program is one user, one account. The underlying rationale is that if that account is compromised, it can be centrally disabled. This helps to mitigate risks. However, this is based on the false assumption that firms can successfully and rapidly identify aberrant behavior by end users.
Consider the following scenario. Your managing partner takes the T and stops at Starbucks in the morning on the way to her office in Boston. While she is there, she logs into OpenAir. She then walks the rest of the way to her office, two blocks away. Upon arriving at the office, she opens her MacBook and logs into Office 365, and prints her presentation notes before a client meeting at 9 AM. At the same time, she logs in from Sydney, Australia and launches a KPI reporting dashboard in OpenAir.
A reasonable person can understand that it is not physically possible to be in Sydney at the same time as Boston. Unfortunately, computers do not see the world that way. If the managing partner’s credentials were stolen while she was at Starbucks, then a bad guy half a world away will be able to impersonate her, despite a management commitment to an IAM program. However, the 2017 Annual Cybersecurity Report by Cisco showed that 44% of security operations managers see more than 5,000 security alerts per day. Due to the sheer volume, it is entirely possible that this red thread would be missed by a dedicated team of cybersecurity professionals.
The latest generation of IAM programs incorporate contextual data as part of the user authentication process. In cases where something unusual is detected, the user can be prompted to provide a second form of authentication. Contextual data can include the user’s location, the time of day, the location of the user’s mobile device during the user’s last login, and it can detect if the user’s keystrokes are just a little too perfect, which would show that there’s a script running and not a user typing. The second form of authentication can include opening an authenticator app and typing in the key code, opening an app and pressing a button, or biometric authentication via fingerprints or facial recognition. Additional options include SMS authentication, but this is not recommended, as it is possible for bad guys to intercept SMS authentication on the phone itself via malicious apps; this is a common problem currently plaguing European Union banks.
This context and step-up authorization should be largely invisible to end users. If they are behaving normally, they should be able to log in using their username and password. When they get a new phone and log in, then they should be prompted once for that new device. However, when they get a new Android phone and log in from Australia when the system sees they are in Boston, the user in Australia should be prompted for that second factor of authentication. When they cannot provide it, they will move on to the next soft target that hasn’t deployed these technologies. After all, the bad guys have businesses to run, and your firm can protect itself by making their jobs more difficult.
Professional services firms stand to lose their reputations and their clients’ references due to a cyber security breach. Traditional defenses are no longer adequate to protect end users and corporate data. To succeed, modern consultancies should commit to an IAM program and philosophy that incorporates contextual data along with best practices for protecting user identities from impersonation by criminals.
Join Kayne on March 30, 2017, in an IEEE webinar, as he speaks on taking a proactive, risk-oriented approach to Cyber Security for Small Businesses and Consultants