How can bug bounties secure identity services?
17 September 2018
Vendor View: Aaron Zander, Security Engineer, HackerOne
Digital identities are the credentials users present to gain access to corporate networks and private sites on the internet. Identities normally come in two forms – a username and a password – and if they are not managed correctly, they can give an unauthorised person unrestricted access to critical systems.
Two of the key steps organisations can take to help secure digital identities are education and understanding "desire paths": the routes people wear into the grass when the paved path is not the most direct one. A good city planner actually uses them to make the city better. Some go as far as studying these paths, or the lack thereof, when it snows, to make the city more efficient, smoothing out corners or adding more space where it can be used.
A good IT and security team should do the same: observe these paths and update them over time. People follow security procedures the same way they follow a path in the park; as long as the path takes the most direct route, they will follow it, but as soon as it twists or turns too far, they cut across the corner. The same goes for security: “why create a new password I have to remember when I can reuse one I know” or “if I have to create a new password I’ll write it down on a Post-it”. It is therefore up to security teams to enable and empower users and build a better, more direct path.
Why do users have a dozen critical passwords? Why not one or two? Using single sign-on, deploying password managers across an entire corporation, and enabling and educating employees all help strengthen the weakest links.
Companies often deploy identity access management (IAM) tools to help with their security. The main role of these tools is to enable the right individuals to access the right resources at the right times for the right reasons while aiming to prevent the wrong individuals from accessing the wrong resources at any given time. A good IAM tool also increases authentication security with centralized multi-factor authentication (MFA), which boosts security and decreases confusion.
However, given the important role IAM systems play within organisations and the critical information they can hold, they are also often a target for attackers. The recent HealthEquity data breach and research around "credential stuffing" are proof of the damage that can occur when digital identities are not properly secured.
Last month, Microsoft announced it was placing a bounty on the responsible disclosure of identity services vulnerabilities, offering ethical hackers between $500 and $100,000 to be exact. This signals the value of finding identity services vulnerabilities before they are exploited by criminals.
By crowdsourcing vulnerability discovery to an external body of skilled and incentivised researchers, with a variety of strengths and hunting experience, the internal security team can dedicate more time and resources to reducing attack surfaces by resolving vulnerabilities.
In the fight against widespread and persistent threats to identity data, a concerted and collaborative approach is required to protect it as well as possible, within and across all domains. The best way to figure out if you can be hacked is to ask a community of over 200,000 to try. Interacting with the wider cyber-community through a bug bounty programme creates a symbiotic environment in which discoveries of vulnerabilities, and ways of finding them, are shared, learned and improved upon.
IAM platforms are an important feature of modern security and an important part of employee success teams (also known as IT, HR, security teams, etc.), but with the scale of identity services in big corporations and the sensitive data they have access to, these systems will always be a key target for attack. By crowdsourcing security and incentivising the hacking community, the risks will be significantly reduced.