Thanksgiving is a wonderful American holiday. It involves being thankful for family, football, shopping and eating. For an idea of American’s love for celebrating this holiday, forty-six million turkeys are stuffed, eighty million pounds of cranberries sauced, forty million green beans casseroled, twenty million pounds of potatoes mashed, and fifty million pumpkin pies baked. Paradoxically, Thanksgiving also kicks off the season for cyber crime. When IT operations slow down, cyber criminals start to feast. To prevent a holiday disaster, we recommend avoiding these 12 identity management side dishes:
Stuffed Access Privileges
Stuffed access privileges consist of outdated authorization credentials that remain active. Job changes often result in grandfathering access privileges. When employees and contractors no longer use a system, revoke their access privileges. When employees transfer, remove their existing access. Grant only the privileges one needs for a new job. Audit user accounts on a regular basis to prevent access creep.
Caramelized passwords represent a weak password policy that is easy to breach. It sweetens inadequate password enforcement with an endless expiration date. Passwords, similar to food, become stale when they sit too long. Stale passwords represent a tasty treat for hackers. Change passwords regularly every 60 to 90 days. Access to mission critical data and high-risk systems should require shorter expiration periods and stronger strength restrictions.
Roasted User Accounts
Roasted user accounts stem from developers with privileged access to production systems. This access represents a common cyber criminal ingredient. Granted, when production systems go down, developers need access. Give developers temporary access. Once resolved, revoke their access. Similarly, change default passwords to network gear and routers once deployed. As more applications and equipment go into production, the probability of unauthorized access increases.
Mashed authentication refers to whipped help desk identity verification processes. By posing as legitimate employees, social engineers steal authentication credentials from call centers. To prevent this practice, fortify user accounts with multifactor authentication. Add another layer of security such as SMS authentication to your process. Help desk staff should receive training on how to detect password reset spoofs.
Creamed State Attacks
Sophisticated and persistent threats from foreign state-sponsored attackers can cream an organization. Security tools, like firewalls and intrusion detection systems, do not always block such attacks. Most organizations are prepared for low-level assaults and ill-prepared for state-sponsored persistent threats. Typically, these are highly personalized and target specific individuals. Deploy automated enterprise identity management solutions that secure and govern access to critical IT assets.
Glazed Security Awareness
Glazed security awareness spreads over your organization a culture where security is viewed as a waste of resources. Why should you invest in solid security practices when breaches are inevitable? Enterprises that track metrics for identity compliance, social engineering spoofs, and access governance attestation show improvement after implementing a security awareness program. Run security awareness campaigns continually to foster values that relate security to competitive advantage.
Old-Fashioned Incident Response
Old-fashioned incident response leverages processes from the past. Although retail giant Target received alerts identifying the malware from their security system, they failed to take immediate action. As a matter of fact, they took 17 days. The severity of Target’s attack was exacerbated by their good old-fashioned incident response process. In a modern kitchen when there’s smoke, take a look.
Sautéed Policy Enforcement
Sautéed policy enforcement results from poorly articulated security policies. Security policies define basic usage rules for password strength, access management, end-user acceptable use and compliance. Moreover, even when security policies are in place, without automation— real consequences for breaking rules does not exist. Users are seldom motivated to follow such policies on their own. Identity management and security automation goes a long way to help organizations improve security.
Vulnerability gratin occurs when vulnerabilities remain open giving your security a flakey mix of risks. When you run vulnerability scans to detect issues across your network, follow through by remediating the findings. Without taking remediation action, your issues remain. These tasty morsels give hackers crisp points of entry into your network. Commit time on remediation and quickly lower your risks.
Mobile casserole fails to add mobile and off-network users and their equipment to your security approach. For advanced threats such as zero-day attacks, your remote employees, contractors, partners and suppliers form a porous security risk. In B2B operations, remote users require access. Remote operations represent a perfect opportunity for advanced threats that target individuals and abandoned equipment.
Mixed IDs and Passwords
Mixed IDs and passwords stem from authenticating users to an ever growing number of applications. In this situation, users typically repurpose the same ID and password to the fullest. Once compromised, criminals can then gain access to every application the user accesses. Stop requiring users to remember an ID and password per application. Deploy a single sign-on app store to enable one strong credential.
Wild Compliance Reviews
Wild compliance reviews grow from increasing government regulations and complexity. To satisfy compliance requirements and properly protect identity data, organizations need to rapidly respond to information security risks. They must attest to system accesses, sign-off on regulations, and perform compliance reviews. Identity management technologies simplify satisfying audit reviews by automating the processes and reports required for compliance.
This holiday season don’t serve up your vulnerabilities. Prevent, detect and respond to cyber attacks and security risks. Next week, stop by booth 404 at the Gartner IAM Summit in Las Vegas. Get your caricature drawn. Schedule a demonstration of our proven side dishes. Maybe even win an iPad mini. For the most securelicious passwords, provisioning and governance, ask about our Michelin star identity management cuisine.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.