Microsoft Workplace Join Part 1: The Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

It’s no secret that enterprise users want to access work data and applications from a mix of corporate and personal devices. To facilitate that mix, Microsoft introduced a feature called Workplace Join into Azure Active Directory (Azure AD), its cloud-based directory and identity service. The intent of streamlining user access to work data is helpful, but the delivery of this feature has opened a large security gap, and one that can’t easily be disabled. It is another example of an app vendor optimizing for user experience ahead of appropriate controls and protections, which illustrates the basis for the cloud app shared responsibility model and the need for third-party security solutions such as cloud access security brokers (CASBs).

According to Microsoft, “…by using Workplace Join, information workers can join their personal devices with their company’s workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications.”

How does it work?

When a user links a Windows machine under “Access work or school,” the machine is registered in Azure AD and a long-lived device sign-in token (Microsoft’s Primary Refresh Token) is issued to it, shared by all Microsoft client applications as well as the Edge and Internet Explorer browsers. Subsequent sign-ins to any Office resource cause the application to obtain an access token from that device token and log the user in without ever prompting for credentials. The design assumption is that logging in to Windows is enough to identify a user and grant them access to every Office 365 resource the account can reach.

In plain language, this means that once you sign in to Office 365 on a Windows device and let it register (Grandma’s PC, a hotel kiosk, and so on), you, and anyone else who can unlock that Windows account, are signed in to Office 365 automatically from then on.
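A quick way to see whether a Windows machine is in this state is to read the output of Microsoft’s dsregcmd /status tool, which reports the device registration and SSO fields. The parser below is an added example written for this page, not Bitglass’s or Microsoft’s code. The abbreviated status text it embeds is constructed to resemble the tool’s output (AzureAdJoined, WorkplaceJoined, AzureAdPrt and AzureAdPrtUpdateTime are real dsregcmd field names; the values, timestamp and section layout are made up for the sample), and the risk verdict it returns is this editor’s interpretation, not a Microsoft classification.

```python
import re
import subprocess
import sys

# Constructed, abbreviated sample of `dsregcmd /status` output. The real tool
# prints many more fields; only the ones this check reads are shown here.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2018-05-01 09:12:33.000 UTC
"""

# dsregcmd prints one "Key : Value" pair per line; section banners have no colon.
FIELD = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Turn the 'Key : Value' lines of dsregcmd /status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(fields):
    """Classify the join state and flag the unmanaged-device-with-PRT case."""
    def yes(key):
        return fields.get(key, "NO").upper() == "YES"

    if yes("AzureAdJoined"):
        state = "azure-ad-joined"        # device is tenant-managed
    elif yes("WorkplaceJoined"):
        state = "workplace-joined"       # user registered a personal device
    else:
        state = "not-registered"
    has_prt = yes("AzureAdPrt")
    # Editor's interpretation: a user-registered (unmanaged) device that holds a
    # PRT can sign in to the tenant silently, which is the state the post warns about.
    risky = state == "workplace-joined" and has_prt
    return {"state": state, "has_prt": has_prt, "silent_sso_risk": risky}


if __name__ == "__main__":
    if sys.platform == "win32":
        # Live check on a Windows host; dsregcmd ships with Windows 10.
        text = subprocess.run(["dsregcmd", "/status"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_STATUS
    print(assess(parse_dsregcmd(text)))
```

On a Windows host the script runs dsregcmd itself; elsewhere it falls back to the embedded sample. WorkplaceJoined : YES together with AzureAdPrt : YES is the combination the post describes: a device the tenant does not manage that nonetheless holds a token good for silent sign-in.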

Why is this such a big security issue?

Workplace Join undoes your organization’s hard work establishing strong identity processes and procedures, all so that an employee can reach corporate data from Grandma’s PC without entering credentials. Since Grandma only has three grandkids and one cat, it won’t take a sophisticated robot to guess her Windows password, and with that password comes corporate data for anyone who sits down at her machine. Making matters worse, local user accounts on Windows 10 don’t even require a password, making it easier still for data to be exfiltrated from such unmanaged devices.

Workplace Join (Azure AD device registration) is enabled by default for all Office 365 tenants. Want to turn it off? You’ll have to wait for the next blog post to sort that out.

In the meantime, download the Definitive Guide to CASBs to learn how cloud access security brokers can help secure your sensitive data.

Bitglass Security Spotlight: LinkedIn, Vector, and AWS

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—LinkedIn security gap exposes users’ data
—Vector app reveals customers’ information
—AWS misconfiguration makes LocalBlox user information public
—New malware steals data via power lines
—Banking apps deemed the least secure

LinkedIn security gap exposes users’ data
LinkedIn’s AutoFill feature was recently found to be easy to exploit. It lets users have form fields on other websites populated automatically with information from their LinkedIn profiles (for rapid registrations and logins, for example). Researchers quickly realized that a malicious website could trigger AutoFill invisibly, regardless of where on the page a visitor clicked, and harvest the populated data.

Vector app reveals customers’ information
New Zealand energy company Vector developed an application designed to keep customers informed about the status of their power, for example by estimating when power might return during an outage. Unfortunately, the app didn’t deliver the functionality the company originally intended. Worse, it made all of its users’ information (including home addresses) accessible to anyone who downloaded the app.

AWS misconfiguration makes LocalBlox user information public
Another AWS misconfiguration has exposed the personal information of 48 million individuals. LocalBlox, which aggregates information from public online profiles, was found to be leaking Twitter, Facebook, and LinkedIn data through an unsecured Amazon S3 bucket. The exposed records included email addresses, job histories, and in some cases IP addresses.
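The LocalBlox exposure is the classic S3 misconfiguration: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Principal is "*". The check below is an added example for this page, not LocalBlox’s or Amazon’s code. It evaluates offline over constructed data shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy API calls (the bucket name, owner ID and policy contents are invented), and the optional live path under __main__ assumes boto3 is installed with credentials configured.

```python
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed GetBucketAcl response: owner has full control, world has READ.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed bucket policy that lets anyone read every object.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed wildcard policy narrowed by a Condition; not flagged as public here.
SAMPLE_POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}},
    }],
})


def acl_public_grants(acl):
    """(group, permission) pairs in a GetBucketAcl response that grant access
    to everyone or to any authenticated AWS user."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy_json):
    """(Sid, actions) for Allow statements with a wildcard Principal and no
    Condition. Conditioned wildcards may still be too broad; review them by hand."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    public = []
    for i, s in enumerate(stmts):
        if (s.get("Effect") == "Allow"
                and _principal_is_wildcard(s.get("Principal"))
                and not s.get("Condition")):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            public.append((s.get("Sid", f"statement-{i}"), actions))
    return public


def is_bucket_public(acl, policy_json):
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy_json))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python s3_public_check.py <bucket-name>
        import boto3
        from botocore.exceptions import ClientError
        s3 = boto3.client("s3")
        acl = s3.get_bucket_acl(Bucket=sys.argv[1])
        try:
            policy = s3.get_bucket_policy(Bucket=sys.argv[1])["Policy"]
        except ClientError:  # NoSuchBucketPolicy: bucket has no policy attached
            policy = '{"Statement": []}'
    else:
        acl, policy = SAMPLE_ACL, SAMPLE_POLICY
    print("ACL grants:", acl_public_grants(acl))
    print("policy statements:", policy_public_statements(policy))
    print("PUBLIC" if is_bucket_public(acl, policy) else "not public by ACL/policy")
```

Two caveats a practitioner would add: the account- and bucket-level Block Public Access settings can override both mechanisms, so a bucket this check flags may still be unreachable, and a Condition on a wildcard statement only narrows access as far as its keys actually constrain callers, so the scoped case is a review item rather than a pass.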

New malware steals data via power lines
PowerHammer, a proof of concept from researchers at Ben-Gurion University, exfiltrates data from an air-gapped computer over its power cable: malware already running on the machine modulates CPU load to vary the current the computer draws, and a probe attached to the power line decodes those fluctuations back into bits. It is slow and requires physical access to the wiring, but it shows that even an unplugged-from-the-network machine still has a channel out.

Banking apps deemed the least secure
A recent study found that banking applications are typically the most vulnerable category of cloud app. Despite being used by hundreds of millions of people, they consistently contain security flaws that leave them open to attackers.

Learn more about cloud access security brokers (CASBs) and how they can help you secure data in our cloud-first world with the Definitive Guide to CASBs.

Neuroprivilogy: The New Frontier of Cyber Crime

By Shlomi Dinoor, vice president, emerging technologies, Cyber-Ark Software

Is your Neuroprivilogy vulnerable? The answer is most probably yes; you simply have no clue what Neuroprivilogy is (yet)…

The first step in this discussion is defining a fancy term to help educate and describe this new phenomenon: Neuroprivilogy. As the name suggests, Neuroprivilogy is constructed from the words neural (network) and privileged (access), and can be defined as the science of networks of privileged access points. Using the neural network metaphor, an organization’s infrastructure is not flat but a network of systems (neuron = system). The connections between systems are access points, similar to the synapses between neurons. Some of these access points are extremely powerful (i.e. privileged) while others are not. Regardless, an access point should be used only by authorized sources.

In nearly every IT department, discussions about virtualization and debates about moving to the cloud end up in the same uncomfortable place, bookended by concerns about lack of security and loss of control. To create a realistic risk/reward profile, we must first examine how the definition of privilege, in the context of the identity and access management landscape, is evolving. We are no longer just talking about controlling database administrators with virtually limitless access to sensitive data and systems; we are talking about processes and operations that can be considered privileged based on the data accessed, the database being entered, or the actions being taken as a result of the data.

The concept of “privilege” is defined by the risk of the data being accessed or the system being manipulated. Virtualized and cloud technologies compound that risk, so traditional perimeter defenses are no longer sufficient to protect far-reaching, cloud-enabled privileged operations. Whether data is hosted, cloud-based or virtualized, privileged accounts and access points are everywhere.

To gain a better understanding of the vulnerabilities impacting a privileged access points’ network, consider these Seven Neuroprivilogy Vulnerability Fallacies:

1. These access points have limited permissions

Most access points are granted privileged rights on the systems they reach: systems use proxy (service) accounts for inter-system interactions (for example, application to database), and such an account is usually provisioned with the most permissive rights any of its operations needs, as the common denominator.

2. Given the associated high risk I probably have controls in place

Does anything on the following list sound familiar? Hardcoded passwords, cleartext passwords in scripts, default passwords never changed, “if we touch it, everything will break”… The irony is that personal accounts for real users have very limited access rights yet stricter controls (even simple ones such as mandating frequent password changes).

3. But I have all those security systems so I must be covered, right?

Existing security controls fail to address this challenge. IAM, SIEM and GRC are all good solutions, but they address the challenge of known identities, which account for limited access to the organization’s infrastructure and hence lower risk. Accounts associated with privileged access points usually have limitless access and are often used by non-human entities (applications, services, scripts) or anonymous identities. Therefore, more adequate controls are required.

4. Privileged access point vulnerability is strictly an insider problem

Picture yourself as the bad guy. Which of the following would you target: personal accounts with limited capabilities protected by some controls, or privileged access points with limitless access protected by no controls? The notion of a purely internal access point is long gone, especially with the borderless infrastructure trend (did I say cloud?).

5. This vulnerability is isolated to my traditional systems

Some of the more interesting attacks and breaches of the past year show an interesting, yet not entirely unexpected, trend. The target is no longer confined to the traditional server, application or database. Attackers have gone after source code configuration management systems (the Aurora attacks), point-of-sale devices, PLCs (Stuxnet), ATMs, videoconferencing systems (Cisco) and more.

6. Adding new systems (including security) should not impact my security posture

That’s where it gets interesting. Most systems interact with others, whether infrastructure (such as a database or user store) or services. Whenever you add a system to your environment you immediately add administrative accounts to that service, and interaction points (access points) to other systems. As already mentioned, most of these powerful access points are poorly maintained, creating a local vulnerability (of the new system) as well as a global one (the new system serves as a hopping point to other nodes in the network). Either way, your overall security posture goes down.

7. I have many more accounts for real users than access points for systems

Though this fallacy might sound right, the reality is very different. It is not about how many systems you have but about the inter-communication between them. Based on conversations with enterprise customers, the complexity of the network and the magnitude of this challenge will surprise many.

When you set these fallacies beside the characteristics of advanced persistent threat (APT) attacks, you realize that Neuroprivilogy vulnerability is the Holy Grail for APT attackers. Cyber criminals understand the potential of these networks of privileged access points, and by leveraging their weaknesses they have transformed the cyber crime frontier, as seen in many recent APT attacks such as Stuxnet. It fits perfectly with APT characteristics: not quick or easy wins, but patient, methodical and persistent attacks targeting a well-defined (big) “prize.” Working the network of privileged access points will eventually grant the bad guy access to his target.
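To make the network metaphor concrete, the example below represents systems as nodes and access points as directed edges labelled with the account used and whether it is privileged, then computes how far an attacker who compromises one system can hop over privileged access points (the fallacy 6 “hopping point”), the blast radius of each node, and which accounts are shared across several access points (fallacy 7’s point that the inter-communication, not the system count, is what matters). This is an added example written for this page, not Cyber-Ark’s code; the estate it models, the system names and the account names are invented.

```python
from collections import deque

# Constructed example estate. Each access point is
# (source_system, target_system, account_used, privileged).
ACCESS_POINTS = [
    ("web-frontend", "app-server", "svc_web", False),
    ("app-server", "orders-db", "sa", True),        # app logs in as DB sysadmin
    ("app-server", "payments-api", "svc_app", True),
    ("batch-scheduler", "orders-db", "sa", True),   # same sysadmin login reused
    ("batch-scheduler", "hr-db", "svc_batch", True),
    ("monitoring", "app-server", "root", True),     # monitoring agent runs as root
    ("monitoring", "orders-db", "monitor_ro", False),
    ("monitoring", "hr-db", "monitor_ro", False),
    ("backup", "hr-db", "svc_backup", True),
    ("backup", "orders-db", "svc_backup", True),
]


def build_graph(access_points):
    """Adjacency list: system -> [(target, account, privileged), ...]."""
    graph = {}
    for src, dst, account, privileged in access_points:
        graph.setdefault(src, []).append((dst, account, privileged))
        graph.setdefault(dst, [])
    return graph


def reachable(graph, start, privileged_only=True):
    """Systems an attacker controlling `start` can hop to.

    Follows only privileged access points by default (any access point when
    privileged_only=False). Returns {system: [(system, account), ...]}, the hop
    path that reaches each system (empty for `start` itself)."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, account, privileged in graph[cur]:
            if privileged_only and not privileged:
                continue
            if dst not in paths:
                paths[dst] = paths[cur] + [(dst, account)]
                queue.append(dst)
    return paths


def blast_radius(access_points):
    """For each system, how many other systems fall if it is compromised."""
    graph = build_graph(access_points)
    return {system: len(reachable(graph, system)) - 1 for system in graph}


def shared_accounts(access_points):
    """Accounts used by more than one access point: one password to rotate,
    several places it must be propagated to (the 'everything will break' fear)."""
    uses = {}
    for src, dst, account, _ in access_points:
        uses.setdefault(account, set()).add((src, dst))
    return {acct: sorted(where) for acct, where in uses.items() if len(where) > 1}


if __name__ == "__main__":
    graph = build_graph(ACCESS_POINTS)
    for system, hops in sorted(blast_radius(ACCESS_POINTS).items(),
                               key=lambda kv: -kv[1]):
        print(f"{system:16s} reaches {hops} other system(s) over privileged access points")
    for target, path in reachable(graph, "monitoring").items():
        if path:
            print("  monitoring ->", " -> ".join(f"{s} (as {a})" for s, a in path))
    print("shared accounts:", shared_accounts(ACCESS_POINTS))
```

The numbers are the point: a monitoring server, rarely treated as sensitive, has the largest blast radius in this toy estate because its root access to the application server inherits the application server’s sysadmin path into the database, and the sa account shows up on two access points, so rotating it means touching both.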

So, what options exist for organizations that must balance protecting against cyber criminals with the proven advantages of virtualization and cloud technology? Let’s get into some more detail about network access points: how to find them and how to eliminate the vulnerability, or at least lessen its impact.

Discover: there is nothing you can do about an access point you don’t know about. To secure network access points, including the related identities, processes and operations, organizations must be able to automate the detection of privileged accounts, including service accounts and scheduled tasks, wherever they are used across the data center and remote networks. Auto-detection significantly reduces ongoing administration overhead by proactively picking up new devices and systems as they are commissioned, and it ensures that any privileged password change is propagated everywhere the account is used. That in turn improves stability and eliminates the risk of process and application failures caused by password synchronization mismatches.
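Fallacy 2’s list (hardcoded passwords, cleartext passwords in scripts, defaults never changed) and the Discover step above both begin with finding where credentials actually live. The scanner below is an added example for this page, not Cyber-Ark’s product code. The files it scans are constructed snippets embedded inline, and the credential patterns and the default-password list are this editor’s choices, kept deliberately small; a real deployment would extend both and feed the scanner from a file walk or a repository checkout.

```python
import re

# Constructed sample files. Contents, hostnames and passwords are invented.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export DB_PASSWORD=Summer2018!\n"
        "mysql -u root -pSummer2018! orders < schema.sql\n"
    ),
    "app.properties": "db.user=sa\ndb.password=sa\napi.key=${API_KEY}\n",
    "backup.ps1": (
        "$cred = New-Object PSCredential('svc_backup', "
        "(ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force))\n"
    ),
    "README.md": "Set the password via the PASSWORD environment variable.\n",
}

# Editor's short list of vendor/default values; extend from your own inventory.
DEFAULTS = {"admin", "password", "changeme", "sa", "root", "P@ssw0rd", "123456"}

PATTERNS = [
    # key=value / key: value assignments whose key looks credential-like
    re.compile(r"""(?i)\b(\w*(?:passw(?:or)?d|secret|api[_.]?key|token)\w*)\s*[=:]\s*['"]?([^\s'"]+)"""),
    # mysql-style "-p<password>" glued to the flag on a command line
    re.compile(r"(?<=\s)-p([^\s]+)"),
    # PowerShell: a literal string turned into a SecureString in place
    re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText"),
]


def scan_text(name, text):
    """Findings for one file: where a literal credential appears and whether
    it is a known default. Values that reference a variable or secret store
    (e.g. ${API_KEY}) are not literals and are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)
                if value.startswith("$"):
                    continue
                findings.append({"file": name, "line": lineno,
                                 "value": value, "default": value in DEFAULTS})
    return findings


def scan_files(files):
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def reused_secrets(findings):
    """Literal values that occur in more than one place: every one of them
    must be updated together when the password is rotated."""
    locations = {}
    for f in findings:
        locations.setdefault(f["value"], []).append((f["file"], f["line"]))
    return {v: locs for v, locs in locations.items() if len(locs) > 1}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        flag = " (DEFAULT)" if f["default"] else ""
        print(f"{f['file']}:{f['line']}: literal credential {f['value']!r}{flag}")
    print("reused:", reused_secrets(results))
```

The README line is the negative case: the word “password” alone is not a finding, only a literal value assigned or passed next to it. The reuse report is what turns discovery into safe rotation: it tells you every place a change must be propagated before anyone worries that “everything will break.”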

Control: don’t be an ostrich, take control! Another benefit of automation, particularly for those who fear loss of control, is the assurance that password refreshes happen at regular intervals and in line with the organization’s IT and security policies. An automated system also gives the company a streamlined mechanism for disabling these privileged accounts immediately when needed, lessening the impact on business operations.

And yes, Comply: from a compliance standpoint, regulations such as Sarbanes-Oxley, PCI and Basel II require organizations to provide accountability for who or what accessed privileged information, what was done, and whether passwords are protected and updated according to policy. Without systems in place to automatically track and report that access, compliance becomes a daunting, time-consuming and often expensive process, especially in terms of employees’ time and potential fines.

It is true that no single solution can prevent every breach or cyber threat that could impact a virtualized or cloud environment (defence in depth matters). However, by adopting a Neuroprivilogy state of mind, organizations gain a more holistic view of infrastructure vulnerabilities. The best advice is to “prepare now” by proactively implementing proven processes and technologies that automate adherence to the security policies in place across the entire enterprise. In doing so, enterprises can protect sensitive access points against breaches, meet audit requirements and mitigate productivity and business losses.

So, now that you know more, I’ll ask again: is your Neuroprivilogy vulnerable? If you aren’t sure, chances are there is a cyber criminal out there who already knows.  So now the real question becomes: what are you going to do about it?


About the author:  Shlomi Dinoor has more than 12 years of security and identity management experience in senior engineering management positions.  As the head of Cyber-Ark Labs at Cyber-Ark Software (www.cyber-ark.com), Dinoor is focused on new technologies that help customers prepare for “what’s next” in terms of emerging insider threats, data breach vulnerabilities and audit requirements.  To read more, visit his personal blog, Shlomi’s Parking Spot.