Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


Showing posts with label US National Security. Show all posts

March 6, 2014

Updated a Potentially $ Trillion Cyber Security Algorithm Last Week

Folks,

My sincere apologies for the unintended lapse in sharing thoughts via this blog, which has primarily been on account of us having received a "seemingly" simple request late last year, the fulfillment of which required my involvement and time.
 
We Need to Know, NOW

A few days after I penned my last blog entry, we received a request from a rather prominent U.S. Government agency (i.e. one with a 3-letter acronym ending in A) that happens to have a rather large and complex Active Directory environment.

Administrative/Privileged Access Holders

The request was seemingly simple – we were requested to try and do our best to enhance the performance of Gold Finger’s unique administrative access assessment/audit capabilities, so that Gold Finger could help them “swiftly” identify exactly who had what administrative powers (aka the “keys to the kingdom”) in their environment.
 
By “swiftly” I mean, within a matter of minutes.

Gold Finger could already identify and reveal paramount administrative access/entitlement insight like Who can effectively reset the password of any user in the organization to instantly login as him/her, within minutes in most deployments. It was in complicated environments that it could sometimes take an hour or more. An hour's not that bad at all, considering the sole alternative, which is to try and do the same manually (using basic tools), which could easily take months, if not years. 
 
But I suppose they needed Gold Finger to be able to do the same in their "complex" AD deployment, within minutes.
 
 
Why they needed this is not ours to question. (We don't question - we only deliver.) But if I had to guess, I'd say it's probably because they understood the risk associated with an insider being able to identify and exploit unauthorized access grants in their Active Directory to gain access to, and subsequently tamper with, divulge or destroy, virtually any IT resource he/she wanted to, at will, and may have thus felt the need to attain and maintain least-privileged access (LPA) in their foundational Active Directory at all times, given that access provisioned in AD is always changing, even if by a little.

Anyway, this was, as I said a "seemingly" simple ask.

I say "seemingly" simple because as the architect of Gold Finger, I'll be the first to tell you that the only thing harder than making something as sophisticated as Gold Finger, is trying to make it much faster. Here’s why -

When you press the Gold Finger button, almost half a million lines of code go to work in a magical black box, and within minutes, they reveal completely accurate, instantly actionable and mission-critical effective access insight in plain English.
 
 
 
For instance, when you select a report like Who can reset user account passwords across a domain of say 50,000 users, Gold Finger literally determines effective permissions on 50,000 user accounts in a single shot. That's no easy task. To begin with, it involves retrieving almost 5 million ACEs, doing the relatively easy part (resolving thousands of SIDs, expanding thousands of direct, nested and circular group memberships, and so on) and then the difficult part (assessing millions of access grants while taking over a dozen factors into account), to ultimately identify and reveal exactly who can reset whose passwords. There's also a lot that can go wrong at any point, so you have to be able to deal with virtually every potential unknown.
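The evaluation sketched above, as an added example: this is not Gold Finger's code and not a Microsoft API, just a deliberately small Python model of the same steps, namely expand group memberships (including a circular one), walk each user object's DACL in order so that an applicable deny beats a later allow, and map generic and extended rights onto the one right being asked about (User-Force-Change-Password). The groups, users and DACLs are constructed for the example; the only real identifier is the schema GUID of that extended right. A holder of WriteDacl/WriteOwner on the object is reported separately, because that right cannot reset a password by itself but lets its holder grant the reset right to itself.

```python
"""Effective 'reset password' rights over AD user objects, computed from
their DACLs plus nested group membership.

Added example, not Gold Finger's code or a Microsoft API. All directory
data below is constructed; only the extended-right GUID is real.
"""
from collections import defaultdict

# Real schema GUID of the User-Force-Change-Password extended right.
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

# Constructed group membership: group -> direct members (users or groups).
# "Interns" -> "Helpdesk" closes a membership cycle on purpose.
GROUPS = {
    "Administrators": {"Domain Admins", "carol"},
    "Domain Admins": {"alice"},
    "Helpdesk": {"bob", "Contractors"},
    "Contractors": {"Interns", "dave"},
    "Interns": {"erin", "Helpdesk"},
    "No-Password-Reset": {"bob"},
}

# Constructed DACLs in canonical order (explicit denies, explicit allows,
# then inherited ACEs). ACE = (trustee, allow|deny, rights, object_type);
# object_type narrows ExtendedRight to one specific right (None = all).
DACLS = {
    "ceo": [
        ("No-Password-Reset", "deny", {"ExtendedRight"}, FORCE_CHANGE_PASSWORD),
        ("Helpdesk", "allow", {"ExtendedRight"}, FORCE_CHANGE_PASSWORD),
        ("frank", "allow", {"WriteDacl"}, None),
        ("Administrators", "allow", {"GenericAll"}, None),  # inherited
    ],
    "alice": [("Administrators", "allow", {"GenericAll"}, None)],
    "dave": [
        ("Helpdesk", "allow", {"ExtendedRight"}, None),  # every extended right
        ("Administrators", "allow", {"GenericAll"}, None),
    ],
}


def expand_memberships(groups):
    """Map each principal to every group it belongs to, directly or nested.
    The visited set makes circular membership terminate."""
    parents = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            parents[member].add(group)
    closure = {}
    for principal in set(parents) | set(groups):
        seen, stack = set(), list(parents[principal])
        while stack:
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                stack.extend(parents[group])
        closure[principal] = seen
    return closure


def ace_covers_reset(rights, object_type):
    """Does this ACE's right set include forcing a password change?"""
    if "GenericAll" in rights:
        return True
    return "ExtendedRight" in rights and object_type in (None, FORCE_CHANGE_PASSWORD)


def can_reset(principal, dacl, closure):
    """Walk one object's DACL in order. The first applicable ACE (trustee is
    the principal or a group in its closure) covering the reset right decides:
    deny blocks, allow grants. An allowed WriteDacl/WriteOwner is reported as an
    indirect path. Denies on WriteDacl/WriteOwner are not modelled."""
    token = {principal} | closure.get(principal, set())
    direct, indirect = None, False
    for trustee, kind, rights, object_type in dacl:
        if trustee not in token:
            continue
        if direct is None and ace_covers_reset(rights, object_type):
            direct = kind == "allow"
        if kind == "allow" and rights & {"WriteDacl", "WriteOwner"}:
            indirect = True
    if direct:
        return "direct"
    return "via-dacl-write" if indirect else None


def all_users(groups, dacls):
    """Every named principal that is not a group."""
    names = set()
    for members in groups.values():
        names |= members
    for dacl in dacls.values():
        names |= {ace[0] for ace in dacl}
    return sorted(name for name in names if name not in groups)


def reset_report(dacls=DACLS, groups=GROUPS):
    """For every user object: which users can reset its password, and how."""
    closure = expand_memberships(groups)
    users = all_users(groups, dacls)
    report = {}
    for target, dacl in dacls.items():
        holders = {}
        for user in users:
            how = can_reset(user, dacl, closure)
            if how:
                holders[user] = how
        report[target] = holders
    return report


if __name__ == "__main__":
    for target, holders in reset_report().items():
        print(f"{target}: {holders}")
```

Two things the constructed data is there to show: bob is in Helpdesk, which is allowed the right on the CEO's object, yet his membership in No-Password-Reset hits the explicit deny first and he is correctly left out; erin reaches the same allow only through the circular Interns/Contractors/Helpdesk chain, which a naive recursive expansion would loop on.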

In essence, there are over 100 different inter-dependent logical functions that operate in unison to do, at the touch of a button, what is generally considered almost impossible to do. In other words, there's just so much complexity involved that trying to make the smallest change, let alone trying to accomplish even a 10% performance gain, can be quite difficult.

So, although this seemed like a simple ask, what was required to deliver on it was in fact a combination of deep subject matter expertise, utmost discipline, world-class software-engineering, and of course comprehensive testing.

After months of highly disciplined work (some of which was already in progress), our Engineering teams ultimately achieved what was no easy feat - making Gold Finger faster. Not just a little faster, but up to 5 times faster.

 

Gold Finger 6.0

Gold Finger 6.0 embodies our patented cumulative access entitlement technology and is the culmination of over half a decade of innovative cyber security research and development. It is not only the world's fastest cyber security solution that can accurately identify and reveal the identities of all individuals who effectively possess (any level of) administrative / privileged access in Microsoft Windows Server based IT infrastructures powered by Active Directory, it may possibly be the world's ONLY cyber security solution that can do so.
 
 
A Potentially Trillion $ Algorithm 

As you may know, in most organizations worldwide today, the compromise of a single administrative / privileged account could be sufficient to inflict colossal and often irreversible damage to the organization, so the need to know exactly who has what administrative access in Active Directory (which stores and protects the keys to virtually every lock in the kingdom) is paramount. 
 
For those, to whom this seems overstated or far fetched, there’s just one name to mention – Edward Snowden.

In our efforts to fulfill this request, not only were we able to help one of the world’s most important government agencies, we have also been able to (now) empower virtually every organization worldwide to finally be able to know within minutes with complete accuracy, exactly who has the proverbial keys to their kingdoms.

With over 85% of all government and business organizations worldwide running on Active Directory, including virtually the entire Fortune 1000, even we’re not sure how to value an algorithm that can uniquely and instantly help determine exactly who’s got the keys to the(se) kingdom(s).
 
 
All we know, and care deeply about, is helping organizations worldwide attain and maintain least-privileged access (LPA) in their Active Directory deployments, because we believe nothing is more important than “defending the keys to the kingdom”.
 
Alright, back to work.

Best wishes,
Sanjay

PS: Sadly, it takes just ONE malicious or coerced insider with admin/privileged access to inflict colossal damage.

July 16, 2013

NSA Contractor Edward Snowden Leaked Secrets - A Classic Example of Cyber Security Risks Posed by Trusted Insiders

Folks,

Edward Snowden needs no introduction, and I'm not about to opine on his actions.  What I would like to share my 2 cents on is the nature of this "security incident", and what government and business organizations worldwide can learn from it.



A Trusted Insider

This incident was a classic case of "unauthorized information disclosure" by "a trusted insider" with unrestricted access.

In this case, the "insider" seemingly had virtually "unrestricted" access to information, and the nature of information he accessed and divulged was so highly "sensitive" that the impact of its disclosure was colossal enough to cause a national government and a clandestine agency, potentially substantial harm, and embarrassment.


Risks to Cyber Security from Trusted Insiders

Unlike a traditional cyber security incident, involving an attack from an outsider, such a security incident is much harder, but not impossible, to protect against, because it involves a "trusted insider."

The threat of a security compromise from an insider always exists. However, few organizations take it seriously, perhaps because they perceive the "likelihood" of it to be low, or because they "perceive" the damage as usually manageable, in that your average insider does not have administrative access and thus the extent of confidential information to which they could obtain access is usually limited.

However, in situations wherein a highly trusted IT/Systems Administrator is involved, the damage can be substantial, as was the case here, because such admins almost always have unrestricted access to virtually the entire IT infrastructure, and are trusted with the great responsibility of safeguarding the organization's information assets.

So, when a highly trusted administrator turns malicious, there is very little you can do to stop him/her from inflicting substantial damage to the organization. That is because he/she can access, tamper, divulge and destroy virtually any organizational information asset he/she likes at will.

For example, should an accountant at a defense company leak the earnings numbers before their scheduled disclosure time, the impact would be limited to legal fallout, but should a systems administrator leak the entire set of confidential blueprints of the next supersonic plane the company was working on, such a breach could effectively put the company out of business.

This is why it is of paramount importance to ensure that organizations minimize the number of highly trusted administrators to an ABSOLUTE bare minimum. The importance of this elemental cyber security measure cannot be over-stated.


A Trusted Administrator

I know a thing or two about this, because I authored Microsoft's 400-page official white paper on delegating administration in Active Directory deployments, which deals with this very subject, i.e. how to minimize the number of highly privileged administrative personnel by delegating administrative authority based on the principle of least privilege.

Just one more thing. The method/system that NSA (and 20K+ organizations worldwide) would most likely have to use to find out who has what administrative powers in their IT infrastructures is protected by a patent that I happen to be the assignee of.

(But I digress.)


Managing Risk Posed by Trusted Insiders with Unrestricted Administrative Access

The risk posed by a privileged trusted insider can almost never be completely eliminated because you will always have at least ONE person who will need to have (/ be able to obtain) unrestricted administrative access across the organization's IT infrastructure.


 
However, in most cases, the "likelihood" of this risk being materialized can be substantially minimized by reducing the number of highly privileged administrators, and by ensuring (to the extent possible) that those who do possess such unrestricted access are highly trustworthy and understand the serious implications of the misuse of their unrestricted administrative power.

Practically speaking though, if I were to share with you just how dismal the state of excessive administrative access entitlements is in most business and government organizations worldwide, you might fall out of your chair!

For instance, you'd be surprised if I told you just how many companies out there have hundreds of Domain Admin accounts. In fact, in one company we came across, over 700 individuals had the ability to reset the password of the CEO's account, and login as the CEO on-demand within seconds. The only thing more scary is that no one, including the CEO or these 700 admins, knew about this. (Interestingly, one of their employees used Gold Finger Mini to figure this out in 30 seconds.)

(Anyway, I digress again, so back to the point at hand...)


What Can Organizations Do To Minimize The Risk Posed by A Malicious Trusted Insider?

The #1 thing organizations can do to minimize this risk is to understand and acknowledge just how serious and damaging a single such security incident can be for the organization.  (ONE such incident is all it takes to inflict substantial damage.)


Executive Management

Specifically, what is needed is for executive management to require and demand the enactment of adequate security risk management measures aimed at reducing the number of insiders who have unrestricted access to the IT infrastructure, i.e. Domain Admins, Enterprise Admins and the like (folks whose job titles read "Infrastructure Consultant" etc.).

Without executive support, this problem can almost never be adequately addressed.

Executive support is necessary because without it, the organization's IT group may not be able to drive the changes necessary to accomplish the reduction in the number of administrative accounts.

The #2 thing that organizations can do once executive support is in place, is to assign a high-priority IT project aimed at identifying the list of all individuals who have unrestricted or widespread access across their IT infrastructure.

Administrative Access Audit


This list should then be vetted to understand the business requirements that drive/necessitate the provisioning of such unrestricted access for the identified individuals.

The vetting process must involve an analysis of why each of the identified individuals currently possess and require unrestricted administrative/system-wide access, and for each case wherein such access is not actually required, actionable steps must be identified to reduce/revoke such unrestricted administrative access, such that individuals only possess the least amount of access they need to fulfill their responsibilities.

The #3 thing organizations can do, is enact the steps identified in #2 above to minimize unrestricted administrative access to a bare minimum, by leveraging delegation of administrative responsibilities based on the principle of least privilege.

In other words, administrative access should be locked down based on the principle of least privilege.


Maintaining Security Post Initial Risk Reduction

It is not sufficient to minimize the number of privileged account holders, and then forget about it, because, unchecked, business requirements will invariably cause this number to get out of control again.

Thus it is imperative that all subsequent access provisioning requests be fulfilled in adherence to the principle of least privilege. This takes effort and time, but it is the harder right.

Also, to maintain security on an ongoing basis, organizations should periodically audit administrative access to ensure that the number of folks with unlimited/unrestricted system-wide access (as well as delegated access) is in line with what is expected, approved and authorized (i.e. not in violation of established business policy).

It is also important to institute additional protection and monitoring measures to protect all accounts that have all-powerful administrative / unrestricted / system-wide access. In addition, it is equally important to establish policies that clearly state the ramifications of abuse of administrative power, and to communicate them to all powerful administrators. This deterrence measure is necessary.

If organizations enact just these 3 simple measures listed above, they could substantially reduce their attack surface, and thus reduce the likelihood of a successful "security breach" by a trusted insider.

For instance, you could use these measures to reduce the number of individuals who have unlimited administrative access from say 400, down to 40. Now, 40 is still 36 too many, but it is 360 fewer than the existing and unacceptable level of 400. (The number 400 is arbitrary, albeit representative of many large organizations, and primarily used to make the point.)
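One way to run the periodic check described in the last two measures above, as an added example that is not any vendor's feature or output format: take the rows of a "who can reset whose password" report, classify each holder as unrestricted (rights cover nearly every audited object) or delegated (scoped), and reconcile that against the list of approved holders and the previous audit's result. The report rows, the approved list, the previous snapshot and all names are constructed; the 90% coverage threshold used to call a holder "unrestricted" is an assumption, not a definition from the post.

```python
"""Periodic reconciliation of a 'who can reset whose password' report
against the approved baseline and the previous audit.

Added example; rows, policy and snapshot below are all constructed.
"""
import csv
import io

# Constructed report export: one row per (target object, principal, how).
REPORT_CSV = """\
target,principal,how
ceo,alice,direct
ceo,carol,direct
ceo,dave,direct
ceo,erin,direct
ceo,frank,via-dacl-write
ceo,hank,direct
cfo,alice,direct
cfo,carol,direct
cfo,dave,direct
cfo,hank,direct
hr01,alice,direct
hr01,carol,direct
hr01,gina,direct
hr01,hank,direct
hr02,alice,direct
hr02,carol,direct
hr02,gina,direct
hr02,hank,direct
"""

# Constructed policy: who is authorised to hold the right, and at what scope.
# hank was approved for a scoped (delegated) grant only.
APPROVED = {
    "alice": "unrestricted",
    "carol": "unrestricted",
    "gina": "delegated",
    "hank": "delegated",
}

# Constructed result of the previous audit: principals seen last time.
PREVIOUS = {"alice", "carol", "dave", "gina", "hank"}


def parse_report(text):
    """Return (principal -> {target: how}, set of audited targets)."""
    holdings, targets = {}, set()
    for row in csv.DictReader(io.StringIO(text)):
        holdings.setdefault(row["principal"], {})[row["target"]] = row["how"]
        targets.add(row["target"])
    return holdings, targets


def classify_scope(held_targets, total_targets, threshold=0.9):
    """Assumed rule: covering >= threshold of audited objects is 'unrestricted'."""
    if len(held_targets) >= threshold * total_targets:
        return "unrestricted"
    return "delegated"


def audit(text=REPORT_CSV, approved=APPROVED, previous=PREVIOUS, threshold=0.9):
    """One finding per principal: observed scope, whether that scope is
    approved (an unrestricted approval covers a delegated holding, not the
    reverse), whether the principal is new since the last audit, and whether
    the right is held only indirectly through control of the DACL."""
    holdings, targets = parse_report(text)
    findings = {}
    for principal, held in sorted(holdings.items()):
        scope = classify_scope(held, len(targets), threshold)
        granted = approved.get(principal)
        findings[principal] = {
            "scope": scope,
            "targets": sorted(held),
            "approved": granted == "unrestricted" or granted == scope,
            "new_since_last_audit": principal not in previous,
            "indirect_only": set(held.values()) == {"via-dacl-write"},
        }
    return findings


def exceptions(findings):
    """Principals needing action: unapproved, or approved at a narrower scope
    than the one they actually hold."""
    return sorted(p for p, f in findings.items() if not f["approved"])


if __name__ == "__main__":
    results = audit()
    for principal in exceptions(results):
        f = results[principal]
        flags = [k for k in ("new_since_last_audit", "indirect_only") if f[k]]
        print(f"{principal}: {f['scope']} over {f['targets']} {flags}")
```

The two cases worth noticing in the constructed data are hank, who was approved for a scoped grant but now covers every audited object and so is flagged even though he was present last time, and frank, who holds the right only through WriteDacl and is flagged as both new and indirect; treating "present in the previous audit" as "approved" would miss the first, and looking only at explicit reset grants would miss the second.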


Time's Up

Given additional time, I could elaborate further, and provide additional and detailed guidance, but for now my 10 minutes are almost up, so this will have to be it.

My apologies if my 2c above is not proof-read by an editorial staff. Given my role at Paramount Defenses, I only have a few minutes each month to spend on "blogging", so this will have to be it.

Best,
Sanjay.

PS: There's no dearth of commercially motivated advice out there that seems to suggest the deployment of certain access management solutions in such situations. I'll add just this much - no software solution "in and by itself" can reduce this risk as much as the single fundamental step of actually reducing the number of individuals who possess unrestricted privileges can, because you cannot protect a system from the administrator of the system, because the administrator is, by definition, a part of the system's TCB (Trusted Computing Base).

PS2: Here's something to think about in light of Mr Snowden's actions - http://www.sanjaytandon.com/integrity.html

March 26, 2013

The Temperature Is Rising - Cyber Security Threats Abound

Folks,

If you've been following the Cyber Security space, then you know that cyber threats are increasingly becoming a serious threat to national and corporate security worldwide. Over the last few weeks, we've all seen a steady increase in cyber security attacks, and we've also seen governments move to make cyber security a national security priority, as it rightly should be.

Last week, U.S. Representative Dutch Ruppersberger of Maryland, top Democrat on the House Permanent Select Committee on Intelligence, said on CNN's State of the Union program - "We have attacks right now. Wall Street has been attacked. We have the capability of other countries, including Iran, for destructive attacks, to knock out our grid system, to attack some of our banks. We have got to stop this."

A few months ago, I had alluded to the fact that the Perfect Storm may be brewing for organizations worldwide. I believe that a perfect cyber security storm is ahead of us, and it may be around the corner.

 
Based on what we're seeing, we believe that the temperature is rising, and that in months to come, the number and severity of cyber attacks on organizations is unfortunately only going to increase.

Based on what we're seeing, I also continue to believe that in spite of the rhetoric, most organizations worldwide, including numerous government organizations, hardly have a clue as to some of the world's most serious cyber security risks today. (For now, they seem busy trying to figure out how to protect themselves from kiddish DDOS attacks, which frankly, are merely an annoyance.)

There's no dearth of rhetoric when it comes to Cyber Security. There is only the dearth of the enactment of well-thought-out, prioritized risk mitigation measures aimed at ensuring that organizations are adequately defendable not just from kiddish DDOS attacks at their front doors, but also from advanced cyber threats that could very well be launched from the inside, once malicious perpetrators have found a way to deliver a well-crafted payload to the inside.

In essence, what is needed is that organizations understand just how paramount the importance of cyber security is, and that they swiftly enact measures aimed at ensuring that their digital assets are adequately and comprehensively protected from risks. A high-priority, well-funded, organization-wide cyber security risk assessment and mitigation initiative

At Paramount Defenses, we're helping organizations obtain a deeper understanding of some of the most critical of such advanced threats that have the potential to cause swift, irreversible, wide-spread damage to the very foundation of their cyber security defenses.

We wish all organizations well, and we hope that they understand the gravity of the situation, because the temperature is certainly rising, and the perfect storm may unfortunately be around the corner.

Best wishes,
Sanjay

March 12, 2013

Cyber Attacks a key threat to U.S. National Security, according to a Report. (Unimpressed. This is just Common Sense.)

According to the U.S. intelligence community's recent worldwide threat assessment, cyber attacks are a key threat to U.S. national security, as reported by CNN http://www.cnn.com/2013/03/12/us/threat-assessment/index.html

I’m surprised that this is news or that it takes a threat assessment to deduce this – this is common sense!
 

U.S. National Security
 

Why you ask?
 
Well, it's no surprise that the United States is one of the most technologically advanced countries in the world, and as a consequence, virtually all aspects of its economy and security are digitally powered, i.e. underlying most of its business and government organizations are mission-critical IT infrastructures that play an elemental role in facilitating the digital operation and control of large parts of these organizations.
 
Cyber Security
 
These mission-critical IT infrastructures play a paramount role in protecting the digital assets of these organizations, and given their digital nature, they do not enjoy the privilege of being protected by physical boundaries such as discrete and defendable geographical borders.


U.S. Cyber Command
 
 
On the contrary, they are exposed to a vast and varied attack surface, as they can be attacked both from the outside and from the inside, and since most of them are connected to the Internet, technically anyone from anywhere could potentially try to launch an attack against these IT infrastructures, and because the attack surface is so vast, the likelihood of an attack succeeding is rather high.

 
Advanced Persistent Threats
 
These cyber attacks can also vary in technical sophistication, and range from your vanilla kid-stuff throwing-stones-at-the-entrance DDOS attacks (which are so easy to carry out, and often glorified by an ignorant media) to advanced enterprise-targeted privilege escalation attacks which require sophisticated technical expertise to carry out and can result in a perpetrator gaining complete administrative control over an organization's entire IT infrastructure.

The kiddish DDOS attacks so often publicized by the media aren't even worthy of national news anymore, but unfortunately, the media doesn't understand this stuff too well, so for them it's news! What the media doesn't understand well at all are advanced cyber threats which have the potential to take out entire organizations (plausibly including many of these media organizations as well) within a day, by using the power of automation. Yes, these are very possible, but I don't expect the media to shed light on these because they don't have the faintest clue as to how such attacks might work, or just how much harm they can inflict.

Cyber Attack


That's the kind of stuff we worry about at Paramount Defenses; these advanced cyber security attack vectors, which often require deep technical expertise but can be automated by a single entity, such as a hostile foreign government, and one that can then be launched in a variety of ways to compromise an organization. What I’m referring to here is a Stuxnet like payload, crafted meticulously to take one or more organizations down. Such payloads, once written, can be disseminated and deployed in numerous ways, the simplest of them involving an organization’s own administrators downloading free IT tools/utilities.

Such advanced cyber security threats to organizations worldwide, not just in the U.S. are very real, and in our experience, we have found that most organizations are unprepared to secure and defend themselves from such attacks.

To make a long story short, this isn’t and shouldn’t be news to anyone, and shouldn’t require a formal threat assessment to realize – this is common sense, but I suppose, as they say, common sense isn’t that common.

That’s about all the time I have for blogging. Now if you’ll excuse me, I’ve got to get back to helping our customers secure and defend themselves from powerful, advanced cyber security threats, such as this.

Best wishes,
Sanjay

June 12, 2011

The Onus of Great Power... ... It's Finally Time

Folks,

The unabated increase of IT security incidents, including the latest high-profile incidents at Sony Corporation, Lockheed Martin and most recently Citibank validate the very premise upon which Paramount Defenses was established 5 years ago...


 

... IT security is mission-critical to business and national security today.


From the White House to the British Parliament, and from Lockheed Martin to Sony Corporation, at the very foundation of IT security at over 85% of organizations worldwide lies Microsoft's Active Directory.

As former Microsoft Program Manager for Active Directory Security, and now as CEO of Paramount Defenses, I can tell you first-hand that the very foundation of IT security at most organizations worldwide is vulnerable to compromise.

The only matter more worrying is that most of these organizations do not know this, and very few actually even know how to adequately protect it. Others don't take it seriously enough, until of course, they become victims of a security incident.

Over the past five years, we have been silent, because we understand firsthand, that along with great power, comes great responsibility.

However, in light of the fact that today even some of the most powerful nations in the world are publicly expressing concern, we will share our thoughts with the world in the best interest of the global citizenry.

Starting Friday, October 28, 2011, we will shed light on matters of paramount importance to global security, because organizational and national security, are a matter of paramount defenses.

If you'd like a head-start, google "The Paramount Brief"

Best wishes,
Sanjay

PS: Just one more thing – talk is generally cheap (aka Twitter), but our time is very valuable, so when we speak, we ensure that it’s worth the world’s ear and we make every word count.