Blog entry by Les Bell

by Les Bell - Thursday, March 23, 2023, 7:49 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


NSA, CISA Issue Guidance on Identity and Access Management

Last September, we brought you news of the Supply Chain Working Panel of the Enduring Security Framework (ESF) - a cross-sector working group operating under the auspices of the Critical Infrastructure Partnership Advisory Council. Now, as part of the ESF, the Cybersecurity & Infrastructure Security Agency and the NSA have released a new paper advising best practice for Identity and Access Management (IAM). This is a major pain point for most defenders, since threat actors often exploit vulnerabilities in authentication and authorization services to compromise user credentials, achieve persistence by creating new accounts, and gain elevated privileges. Once they have achieved a toe-hold via compromised credentials, these techniques allow them to pivot and compromise additional systems in the victim network.

The paper discusses a number of mitigation techniques for these attacks:

  • Identity Governance - policy-based centralized orchestration of user identity management and access control, which helps support enterprise IT security and regulatory compliance;
  • Environmental Hardening - makes it harder for a bad actor to be successful in an attack;
  • Identity Federation and Single Sign-On - identity federation across organizations addresses interoperability and partnership needs centrally. SSO allows centralized management of authentication and access, thereby enabling better threat detection and response options;
  • Multi-Factor Authentication - uses more than one factor in the authentication process which makes it harder for a bad actor to gain access;
  • IAM Monitoring and Auditing - defines acceptable and expected behavior and then generates, collects, and analyzes logs to provide the best means to detect suspicious activity.

The paper is very detailed and prescriptive; for each of the techniques above there are examples of why it matters, implementation guidance and recommended immediate actions. Well worth reading and following - I am continually amazed that since NIST's SP 800-63 was updated in 2017, so few people have followed its advice and are still recommending very weak practices.

CISA, CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management, alert, 21 March 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-and-nsa-release-enduring-security-framework-guidance-identity-and-access-management.

Uncredited, Recommended Best Practices for Administrators: Identity and Access Management, technical report, March 2023. Available online at https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF.

BreachForums Shuttered

Yesterday we reported on the arrest of BreachForums owner/operator Conor Brian Fitzpatrick, a.k.a. 'Pompompurin'. The hacker site continued to operate, however, being taken over by another administrator under the handle 'Baphomet'.

But less than a day later came news that Baphomet had taken the site down. In a message posted to the BreachForums Telegram channel, he stated, "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all", implying that some replacement might emerge.

The shutdown may have been prompted by the possibility that law enforcement has gained access to the site's code and information about its users.

Lakshmanan, Ravie, BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum, The Hacker News, 22 March 2023. Available online at https://thehackernews.com/2023/03/breachforums-administrator-baphomet.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
