The Weakest Link(s)
As identity verification and access governance continue to get better at stopping criminals from taking over bank accounts, breaching workforce services or simply doing what they set out to do, those criminals have turned to exploiting the IAM chain itself. And they are finding success! How so?
The Human Factor
What happens when your password reset process leaves you in an odd or incomplete state? Most likely, you call your workplace's help desk. But how thoroughly does the help desk verify your identity? You may be asked to read back a one-time passcode sent to your mobile phone, or to provide some other detail that no one else should know. That satisfies the identity verification step, and you can proceed with your request for help.
But what happens when a criminal can con the help desk agent into urgently helping them gain access using your identity?
This phenomenon is on the rise. To combat it, one of our clients engaged our security team to simulate a cyberattack. One of the key findings in the test results was that our testers were able to circumvent the identity verification process at the client's help desk. Not only that, but they were able to submit an escalated, high-priority request to provision our cybersecurity team a virtual machine, because: "My laptop is running too slow, and IT won't get to replacing it for weeks, and I am under immense pressure to meet an urgent deadline. Please help!"
So out of pure sympathy, and the con of fabricated urgency, the client's help desk agent was baited into complying. Not only was this particular link in the chain compromised, but so were the next three approval steps that led to the VM being provisioned (and, as a result, to a foothold on the internal network), without any additional scrutiny of the true need. Our security team testers bypassed this client's IAM defenses just like that.
The old adage, "a chain is only as strong as its weakest link," really came true in this scenario. This was only a test, but how many scenarios of this type result in IP theft, ransomware attacks and other breaches?
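To make the "weakest link" point concrete, here is an added example (not code from the original post or from the client engagement it describes) that models the request chain above: a help-desk verification link followed by three approval links. The approver names, the evidence fields (OTP read-back, callback to the number on file, manager confirmation) and the sample requests are all constructed assumptions for illustration. The example contrasts a chain where each approver simply inherits the previous link's verdict, which is what let the conned help-desk decision propagate, with a chain where every link checks the evidence independently.

```python
"""Model of an IAM request chain: one help-desk verification link followed by
approval links. Shows why each link must verify independently instead of
trusting the verdict of the link before it.  Constructed example; the names
and evidence fields are assumptions, not any real product's workflow."""

from dataclasses import dataclass, field


@dataclass
class Request:
    requester: str
    asset: str
    otp_verified: bool        # caller read back the OTP sent to the registered phone
    callback_confirmed: bool  # agent called the number on file and the user confirmed
    manager_confirmed: bool   # manager of record confirmed the business need
    audit: list = field(default_factory=list)  # (link name, verdict) per link


def help_desk(req, agent_conned=False):
    """Link 1: the help-desk agent.  A conned agent waves the request through
    regardless of evidence; an un-conned agent only accepts an OTP read-back."""
    ok = True if agent_conned else req.otp_verified
    req.audit.append(("help_desk", ok))
    return ok


# Links 2-4: each approver, paired with the evidence it should check itself.
# (Hypothetical approver names chosen for the example.)
APPROVERS = [
    ("line_manager", lambda r: r.manager_confirmed),
    ("security_review", lambda r: r.callback_confirmed),
    ("provisioning", lambda r: r.manager_confirmed and r.callback_confirmed),
]


def run_chain(req, agent_conned=False, independent=True):
    """Run the request through every link.

    Returns (granted, stopped_at).  With independent=False each approver
    repeats the previous link's verdict, so one bad decision propagates to
    the end of the chain; with independent=True each approver checks its own
    evidence, so the chain is only as weak as its weakest *independent* check.
    """
    if not help_desk(req, agent_conned):
        return False, "help_desk"
    for name, check in APPROVERS:
        ok = check(req) if independent else req.audit[-1][1]
        req.audit.append((name, ok))
        if not ok:
            return False, name
    return True, None


def social_engineered_request():
    """Constructed sample: an impersonator with no OTP, no callback, no manager."""
    return Request("alice", "vm", otp_verified=False,
                   callback_confirmed=False, manager_confirmed=False)


def legitimate_request():
    """Constructed sample: the real user, with all evidence in place."""
    return Request("alice", "vm", otp_verified=True,
                   callback_confirmed=True, manager_confirmed=True)


if __name__ == "__main__":
    for independent in (False, True):
        req = social_engineered_request()
        granted, stopped = run_chain(req, agent_conned=True, independent=independent)
        print(f"independent={independent}: granted={granted}, stopped_at={stopped}, "
              f"audit={req.audit}")
```

Run as a script, the inherited chain grants the impersonated request after the conned agent approves it, while the independent chain stops it at the very next link, because the manager never actually confirmed anything. The audit trail is what a detection team would want to see: a granted request whose later links carry no evidence of their own is a signal worth alerting on.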
Trust But Verify
We may joke about the idea of "ok, I trust you, but I still need to verify," but as the techniques for bypassing identity verification keep changing, whether via SSO or otherwise, it is more important than ever that every access point, people included, knows how to verify the user. The premise of IAM is borrowed from customs and border protection: scrutinize every person entering, knowing that most of them are not criminals.