Digital identity compromises are a growing concern and have been tied to massive hacks such as the Colonial Pipeline ransomware incident and the Reddit breach last month.
Coupled with an uptick in reliance on digital transformation and the ubiquity of cloud platforms, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) believe it is time to push framework guidance on identity access management (IAM).
On Tuesday, the two agencies released recommended best practices for infosec professionals who manage digital identities. The 31-page report outlines business processes, policies, and technologies to help shore up government and private-sector security postures. The practice guide, part of the NSA's Enduring Security Framework initiative, was developed through a public-private partnership to help thwart threats facing critical infrastructure and national security systems.
“America’s critical infrastructure is a prime target for a broad spectrum of threat sources including advanced and ongoing attacks from nation states and terrorist organizations attacks,” according to the paper. “IAM weaknesses are frequently exploited in the most insidious threats, APTs, which have led to catastrophic data breaches.”
Citing the 2022 Verizon Data Breach Investigation Report, the paper notes that 80% of web applications attacks and 40% of breaches leverage stolen credentials, a tactic used by a wide range of threat actors, including nation-state hacking groups, terrorist organizations, hacktivists, and individual operators. In addition, identity management company Okta reported record-high credential-stuffing attacks in its 2022 State of Security Identity Report, detecting almost 10 billion credential-stuffing events across its Auth0 access management platforms in the first 90 days of 2022.
To counter the growing risks, the IAM framework provides practice guidance and mitigations to address threats related to the following five areas: identity governance, environmental hardening, identity federation/single sign-on, multi-factor authentication and auditing and monitoring around identity access and management tools.
Grant Dasher from the office of the technical director for cybersecurity at CISA, said the release of the practice guide is "a valuable first step to aid critical infrastructure organizations' effort to assess and strengthen their IAM solutions and processes," and plan for further collaborations to improve the IAM ecosystem.
Besides the Colonial Pipeline incident, there have been several recent and notable attacks that highlight the importance of addressing the digital identity threats against critical infrastructure.
In February 2021, an attacker compromised a computer system in a Florida water treatment plant and tried to increase the levels of certain chemicals in the water supply which would have posed serious public health and safety concerns. In 2022, a ransomware gang leveraged stolen credentials and targeted another water treatment plant in South Staffordshire, UK, affecting 1.6 million customers and 35,000 businesses.
While SSO and MFA are widely adopted to strengthen and simplify the authentication process, Murali Palanisamy, chief solution officer at AppViewX, said that critical infrastructure should take extra precautions when monitoring implementations as a compromised SSO system in one area can make it easier for an attacker to gain access in other parts of the network.
"This is especially true for critical infrastructure where you would need access using Secure Shell to troubleshoot an access failure. Leveraging Privilege Accessed Management and SSH access using SSH certificates instead of passwords or keys enables the out-of-band authentication for admins and security teams," Palanisamy said.