NSA, CISA publish Identity and Access Management recommended best practices for administrators


The National Security Agency (NSA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and industry partners, on Tuesday released a guide providing actionable Identity and Access Management (IAM) recommendations to better secure systems against threats. Developed for system administrators, the paper identifies the top threats to IAM and the best practices and mitigations that counter them, covering identity governance, environmental hardening, identity federation/single sign-on, multi-factor authentication, and IAM auditing and monitoring.

To help obtain leadership support, the paper is accompanied by an IAM Educational Aid that helps organizational technical leaders explain to decision-makers the benefits of a robust IAM program and the risks of not implementing one. It notes that IAM weaknesses are frequently exploited by the most insidious threats, advanced persistent threats (APTs), and have led to catastrophic data breaches. Using SSO without a strong MFA foundation and secure design choices exacerbates the damage of attacks an organization may be vulnerable to, such as password cracking and authenticator hijacking.

In its latest document, titled ‘Identity and Access Management: Recommended Best Practices for Administrators,’ the NSA focuses on mitigations for techniques frequently used by bad actors. These include creating new accounts to maintain persistence, taking control of accounts of former employees that were not suspended upon termination, exploiting vulnerabilities to forge authentication assertions, using or creating alternative access points to systems, and exploiting or coopting users with legitimate access. It also covers compromising passwords through a variety of tactics, such as phishing, MFA bypass, credential stuffing, password spraying, social engineering, and brute force.

The NSA document also addresses gaining system access and exploiting stored credentials, abusing default passwords in built-in or system accounts, mounting active downgrade attacks, and exploiting deprecated encryption or plain-text protocols to access credentials.

The paper intends to provide a clear understanding of how the various mitigations counter the threats, along with actionable recommendations on what organizations should do now: assess current IAM capabilities and risk posture; carry out the necessary measures in areas that need improvement; maintain the appropriate level of security to manage risk during continued operations; and maintain awareness of correct IAM usage and its risks.

“Malicious cyber actors attempt to hide their activity by exploiting legitimate credentials, either of authorized personnel or of the systems that act on behalf of legitimate users,” Alan Laing, NSA lead for the IAM working group, said in a media statement. “Rigorous Identity and Access Management allows an organization the ability to detect and thwart these actors’ persistent efforts to corrupt critical systems and access information of national importance.”

“IAM is a critical part of every organization’s security posture, and we must work collectively with the public and private sector to advance more secure by default and secure by design IAM solutions,” according to Grant Dasher, office of the technical director for cybersecurity, CISA. “The ESF’s best practices guide is a valuable first step to aid critical infrastructure organizations’ efforts to assess and strengthen their IAM solutions and processes.”

An identity governance process enables an organization to centralize the orchestration of its user and service account management in line with its policies. Identity governance gives organizations better visibility of identities and access privileges, along with better controls to detect and prevent inappropriate access. It comprises a set of processes and policies covering segregation of duties, role management, logging, access review, analytics, and reporting.

Environmental hardening makes it harder for an attacker to succeed. Hardening the environment includes making sure the foundations and implementations of IAM are secured, assured, and trusted. The degree of hardening will vary depending on what is being protected. Attackers target IAM solutions because they can provide access to a significant amount of sensitive data, enable persistence, and be used for future malicious cyber operations. IAM solution components must be hardened to deny attackers footholds from which to pivot to more critical systems.

For example, credential-issuing systems for cryptographic digital certificates or stores of passwords are more critical since they secure authentication for entire organizations. Implementation of cryptographic mechanisms must also be sufficient to provide the level of security assumed and needed by the system. 

The NSA document calls for an inventory of all assets within the organization; if something is missing, or unknown assets turn up, the cause of the discrepancy should be determined. It also seeks to identify all local identities on the assets, so that it is known who has access to which assets; to understand which security controls exist in the enterprise environment now and which security gaps persist; and to develop a network traffic baseline that can be used to detect anomalies in the network. Additionally, a compromise of any component in a network has the potential to threaten more critical enterprise systems, including IAM.
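The identity governance and inventory recommendations above (access review, segregation of duties, accounts of former employees left active, unknown assets) can be turned into a repeatable review. The following is an added example, not code from the NSA/CISA guide: the HR roster, account list, asset lists and field names are all constructed, and the 90-day dormancy threshold is an assumption chosen for illustration.

```python
"""Access-review check for identity governance and asset inventory.

Added example, not from the guide. All data below is constructed and the
record layout (owner, roles, last_login) is an assumed schema, not a format
the guide specifies.
"""
from datetime import date

# Constructed HR roster: the authoritative list of who is still employed.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "end_date": date(2023, 1, 31)},
    "carol": {"status": "active"},
}

# Constructed account inventory collected from the systems under review.
# "owner" is the person responsible for the account; None means nobody claims it.
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "roles": {"ap-clerk"},
     "last_login": date(2023, 3, 20)},
    {"user": "bob", "owner": "bob", "roles": {"domain-admin"},
     "last_login": date(2023, 3, 18)},
    {"user": "svc-backup", "owner": None, "roles": {"backup-operator"},
     "last_login": date(2022, 9, 1)},
    {"user": "carol", "owner": "carol", "roles": {"ap-clerk", "ap-approver"},
     "last_login": date(2023, 3, 21)},
]

# Segregation-of-duties policy (constructed): role pairs one identity must not hold together.
SOD_CONFLICTS = [("ap-clerk", "ap-approver")]

# Asset inventory (constructed): what the organization believes it owns vs. what discovery found.
EXPECTED_ASSETS = {"fs01", "dc01", "web01"}
DISCOVERED_ASSETS = {"fs01", "dc01", "jump07"}

REVIEW_DATE = date(2023, 3, 22)   # date the review is run (constructed)
DORMANT_DAYS = 90                 # assumed threshold for a dormant account


def review_accounts(accounts, roster, sod_conflicts, today, dormant_days=DORMANT_DAYS):
    """Return (finding, username) pairs for accounts that fail the governance checks."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            # Nobody is accountable for this identity: a classic alternative access point.
            findings.append(("orphaned", acct["user"]))
        elif roster.get(owner, {}).get("status") == "terminated":
            # Account of a former employee that was never suspended.
            findings.append(("owner-terminated", acct["user"]))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", acct["user"]))
        for role_a, role_b in sod_conflicts:
            if role_a in acct["roles"] and role_b in acct["roles"]:
                findings.append(("sod-conflict", acct["user"]))
    return findings


def reconcile_assets(expected, discovered):
    """Return assets that are missing from discovery and assets nobody expected."""
    return {"missing": sorted(expected - discovered),
            "unknown": sorted(discovered - expected)}


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER, SOD_CONFLICTS, REVIEW_DATE):
        print(*finding)
    print(reconcile_assets(EXPECTED_ASSETS, DISCOVERED_ASSETS))
```

Each finding is a candidate for the access-review workflow rather than an automatic disable: the terminated owner and the orphaned service account need an owner or a suspension, the segregation-of-duties conflict needs a role change, and the unknown asset needs its origin explained before it is trusted.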

Identity federation across organizations addresses interoperability and partnership needs centrally, while SSO allows centralized management of authentication and access, enabling better threat detection and response options, the NSA assesses. Identity federation using SSO within and/or between organizations, including the use of identity providers, mitigates risk by centrally managing differences in policies and risk levels between organizations and eliminates widespread implementation of, and dependence on, local identities.

“Without formally defining the policies and levels of trust and assurance between organizations or between multiple identity providers within an organization, the organization is susceptible to attacks based on weaknesses in each federated IAM,” the document said. “SSO provides a risk mitigation capability by centralizing the management and control of authentication and access across multiple systems and from multiple identity providers. Implemented properly, it can also raise the authentication assurance level required for initial sign-on and can control and secure the authentication and authorization information passed between systems.”

MFA is an approach to strengthen the authentication process by requiring the user to present multiple elements in different categories, or ‘factors,’ as part of an authentication attempt. These factors include ‘something you have,’ ‘something you know,’ and ‘something you are.’

MFA mitigates common attacks against passwords such as brute force guessing and credential stuffing as well as common misuse practices such as password sharing by requiring the presentation of another factor in addition to the password. Unless an attacker can defeat the MFA authentication mechanism, knowing the password by itself does not enable the impersonation of the user. In the case of passwordless authentication systems, passwords are eliminated as an attack vector.

The document calls upon organizations to determine the MFA solution best suited to their operating environment, implementing MFA as part of an enterprise SSO solution, while maintaining a robust inventory of the MFA authenticators deployed in the organization’s operating environment and routinely testing and patching the MFA infrastructure.

IAM auditing and monitoring checks for compliance, while also monitoring for threat indicators and anomalous activities. This includes the generation, collection, and analysis of logs, events, and other information to provide the best means of detecting compliance-related infractions and suspicious activities. Attacks such as the use of stolen credentials and misuse of privileged access by insiders would not be detected promptly, if at all, without an effective IAM auditing and monitoring program. 

These auditing and monitoring capabilities can be integrated with automated tools that orchestrate response actions to counter these IAM attacks. Effective reporting from auditing and monitoring also provides situational awareness of the security posture of an organization’s IAM. 

Organizations must establish baseline expectations of activity levels and policy and monitor privileged user behavior for both acceptable and suspicious activity. They must also avoid automatic response actions to suspicious behavior that could be important and legitimate, while including manual procedures to confirm the legitimacy of these actions before determining how to respond. 

Additionally, the NSA document calls for monitoring general user behavior, both normal and suspicious: how many access attempts succeed versus fail, the hours typically worked, whether remote access is allowed, which systems were accessed, and the amount of data downloaded.
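The monitoring points in the last three paragraphs (a per-user baseline, successful versus failed attempts, hours worked, remote access, download volume, and findings that go to a human rather than an automatic response) can be illustrated with a small baseline-versus-observed check. This is an added example and not code from the guide: the log format, the baseline fields, the "10." on-site address prefix and the failure threshold are all constructed assumptions.

```python
"""Baseline-vs-observed review of authentication events.

Added example, not from the NSA/CISA guide. The log line format
(timestamp user result source bytes), the per-user baselines and the
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the assumed format; lines are deliberately out of time order.
SAMPLE_LOG = """\
2023-03-21T09:02:11 alice success 10.0.1.15 1200000
2023-03-21T09:15:43 alice success 10.0.1.15 3400000
2023-03-21T02:41:07 alice success 203.0.113.9 850000000
2023-03-21T10:01:01 dave failure 10.0.2.8 0
2023-03-21T10:01:09 dave failure 10.0.2.8 0
2023-03-21T10:01:15 dave failure 10.0.2.8 0
2023-03-21T10:01:22 dave failure 10.0.2.8 0
2023-03-21T10:01:30 dave success 10.0.2.8 20000
2023-03-21T11:00:00 mallory success 10.0.3.3 100
2023-03-21T14:30:00 carol success 10.0.1.22 5000000
"""

# Constructed per-user baselines: working-hour window, remote-access policy,
# and a typical daily download volume in bytes.
BASELINES = {
    "alice": {"hours": (8, 18), "remote_allowed": False, "daily_bytes": 10_000_000},
    "dave":  {"hours": (8, 18), "remote_allowed": False, "daily_bytes": 10_000_000},
    "carol": {"hours": (8, 18), "remote_allowed": True,  "daily_bytes": 10_000_000},
}
INTERNAL_PREFIX = "10."          # assumption: 10.0.0.0/8 is the on-site network
MAX_FAILURES_BEFORE_SUCCESS = 3  # assumption: this many failures then a success is suspicious

LINE_RE = re.compile(r"^(\S+) (\S+) (success|failure) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, result, src, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "src": src, "bytes": int(nbytes)})
    return events


def analyse(events, baselines):
    """Return (finding, user, timestamp) triples for review by an analyst."""
    findings = []
    state = defaultdict(lambda: {"fail_streak": 0, "bytes": 0, "volume_flagged": False})
    for ev in sorted(events, key=lambda e: e["ts"]):   # streaks need time order
        user, when = ev["user"], ev["ts"].isoformat()
        st, base = state[user], baselines.get(user)
        if base is None:
            # An identity with no baseline is itself a finding (unknown local identity).
            findings.append(("unknown-user", user, when))
            continue
        if ev["result"] == "failure":
            st["fail_streak"] += 1
            continue
        if st["fail_streak"] >= MAX_FAILURES_BEFORE_SUCCESS:
            findings.append(("success-after-failures", user, when))
        st["fail_streak"] = 0
        start, end = base["hours"]
        if not start <= ev["ts"].hour < end:
            findings.append(("off-hours", user, when))
        if not ev["src"].startswith(INTERNAL_PREFIX) and not base["remote_allowed"]:
            findings.append(("remote-not-allowed", user, when))
        st["bytes"] += ev["bytes"]
        if st["bytes"] > base["daily_bytes"] and not st["volume_flagged"]:
            st["volume_flagged"] = True           # report the first crossing only
            findings.append(("download-volume", user, when))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG), BASELINES):
        print(*finding)
```

The function only produces findings; it does not lock accounts or drop sessions. That matches the guidance to avoid automatic responses to behavior that may be legitimate: alice's 02:41 off-site login with a large download could be a real emergency, so the record goes to a manual confirmation step before anyone decides how to respond.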

Earlier this month, the NSA published a Cybersecurity Information Sheet (CSI) that helps system operators mature identity, credential, and access management (ICAM) capabilities to mitigate certain cyber threat techniques. The initiative further discusses how these capabilities are integrated into a comprehensive Zero Trust (ZT) framework while providing system owners and operators the ability to identify, resist, and respond to various cyber intrusion techniques.
