Pratum Blog

Why companies should consider implementing Identity and Access Management in their information security strategy.

Why companies should consider implementing IAM as a part of their defense-in-depth strategy

We’ve all seen this scenario. Bob hires on as an ERM System Administrator, performs well and is promoted to Senior IT Administrator. He excels and is promoted to managing 15 IT employees. Eventually he discovers his love for project management and transfers to become a Project Manager. Yes, Bobs are talented individuals!

Employees often move from job to job and department to department, accumulating along the way access to the systems, applications, and data they need to perform each job. But how often do managers remember to remove the access from the previous position? Answer ... not as often as they should. Employees aren't going to complain, since they enjoy keeping their previous access. Little do managers know how much additional risk they are adding to the business.

Climbing the corporate ladder while accumulating access to systems, applications, and data.
As employees climb the proverbial corporate ladder, they gain access to different systems, applications, and data. Proper Identity and Access Management should remove access to systems, applications, and data no longer part of the employee's responsibilities.

Identity and Access Management solutions enable proper provisioning, which reduces the risk associated with a compromised account. Eddy-the-hacker should not be able to reach the ERM application or the IT support share using Bob’s credentials if that access had been properly removed as Bob moved up the career ladder. All too often during breach investigations, we discover how much access individuals truly have as security consultants comb through the labyrinth of accumulated access. This easily translates into larger breach notifications, as the number of compromised records and data elements continues to grow. In our example above, Bob would have had administrator-level rights to key applications, personally identifiable information for all his former employees, and in-depth knowledge of projects within the company.

It surely doesn’t take much imagination to realize the treasure trove of data Eddy-the-hacker just stumbled upon (Darn those Eddys).

Flash forward a couple of years. Bob leaves the company, and his manager hires a worthy replacement, Alice. During onboarding, the manager submits an IT request for the new employee's access, modeled after Bob's account. Wait, did you catch that? If this were a magic show, you just missed the trick. Now Alice has all the access Bob had, including ERM admin rights, access to personnel files, project file information, etc. Imagine if part of Bob's career path had been in payroll!

IAM - Too much access.

A proper IAM solution associates one main role with each individual, based on the duties of their job function. This requires time, analysis of what employees actually do, and implementation of roles that map to those job duties. Managers need to periodically review the access their users have, and last but not least, Information Technology (IT) has to collect and correlate data from all the critical applications across the company and present it in a way that makes sense to even the newest of managers.
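The joiner/mover/leaver mechanics described above, as an added example that is not part of the original post or any Pratum tool. The role catalogue, entitlement names and Bob's career path are constructed for illustration; the point is to show how "add on move" and "clone from Bob" accumulate excess access, and how a role-based mover plus a simple access-review check catches it.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (hypothetical entitlement names, not from the post):
# each job function maps to exactly the entitlements that function needs.
ROLE_ENTITLEMENTS = {
    "erm_sysadmin":    {"erm_app:admin", "it_support_share:rw"},
    "senior_it_admin": {"it_support_share:rw", "ad:server_admins"},
    "it_manager":      {"it_support_share:rw", "hr_portal:team_records"},
    "project_manager": {"project_files:rw", "ppm_tool:user"},
}

# Bob's career path from the post, expressed as roles from the catalogue above.
BOB_CAREER = ["erm_sysadmin", "senior_it_admin", "it_manager", "project_manager"]


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)


def provision_from_role(user: str, role: str) -> Account:
    """Joiner: a new account gets its role's entitlements and nothing else."""
    return Account(user, role, set(ROLE_ENTITLEMENTS[role]))


def move_without_iam(account: Account, new_role: str) -> Account:
    """Mover as it usually happens: new access is added, old access is never revoked."""
    account.role = new_role
    account.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return account


def move_with_iam(account: Account, new_role: str) -> Account:
    """Mover as IAM should do it: the account ends up with exactly the new
    role's entitlements; everything tied to the old role is revoked."""
    account.role = new_role
    account.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    return account


def clone_account(template: Account, new_user: str) -> Account:
    """The 'model it after Bob' request: copies whatever Bob holds, excess included."""
    return Account(new_user, template.role, set(template.entitlements))


def excess_entitlements(account: Account) -> set:
    """Access-review check: what does this account hold beyond its current role?"""
    return account.entitlements - ROLE_ENTITLEMENTS[account.role]


def walk_career(path, mover) -> Account:
    """Provision the first role, then apply the given mover for each later role."""
    account = provision_from_role("bob", path[0])
    for role in path[1:]:
        mover(account, role)
    return account


if __name__ == "__main__":
    bob_accumulated = walk_career(BOB_CAREER, move_without_iam)
    bob_managed = walk_career(BOB_CAREER, move_with_iam)
    alice_cloned = clone_account(bob_accumulated, "alice")
    alice_by_role = provision_from_role("alice", "project_manager")
    for acct in (bob_accumulated, bob_managed, alice_cloned, alice_by_role):
        print(acct.user, acct.role, "excess:", sorted(excess_entitlements(acct)))
```

Running the review check over the four accounts is the whole lesson: the accumulated Bob and the cloned Alice both still hold ERM admin and the HR records entitlement as project managers, while the role-managed accounts report no excess. In a real deployment the catalogue would come from the role analysis the post describes, and the excess list would feed the periodic manager review.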

Is IAM worth it? The resounding answer is YES. In the long term, your company will:

  • Have a clear understanding of the security associated with each job function.
  • Increase the efficiency AND reduce costs for your security department through faster provisioning with increased accuracy.
  • Be better prepared for audits as your roles will already be defined and documented.
  • Improve user experience with fewer approvals and one-off provisioning.
  • Reduce inaccuracies within application security. A fun side effect is during the IAM process, you'll have the opportunity to tune and clean the accounts and roles within each application.
Pratum Celebrates 10 Year Anniversary as Iowa's Cybersecurity Leader

We are celebrating Pratum’s 10-year anniversary

In 2008, in the middle of a national financial crisis, I set out to establish an information security consulting company. I wasn’t sure how quickly we would grow or how large we would become, but I knew we could serve our clients well and help them solve information security challenges based on risk, not fear.

As I reflect on the past 10 years, one thing is certain: Pratum’s strength and vibrancy is not due to my sheer will and determination. Our success is directly linked to our employees, the team of consummate professionals who serve our clients day in and day out, whose tireless efforts ensure our clients achieve the right balance of information security.

From our beginnings, we have strived to bring together the best people who enjoy working together to solve problems. This teamwork and cohesive working environment is seen and felt by the clients we serve. I’m humbled by and thankful for the people who make up this amazing team.

Dave Nelson, CEO and President at Pratum
Dave Nelson, CISSP - CEO and President

Pratum also owes its success to you, our clients. You entrust us with your most sensitive information. You rely on us to help grow your business. Our teams work side by side to implement creative solutions to improve information security, without breaking the bank or strangling your business operations. I’m thankful for the trust you place in us and love watching your accomplishments.

As we celebrate this 10-year anniversary, it is only fitting we do so as we dedicate our new headquarters in Ankeny, IA. This new facility enables us to continue to grow our team here in Iowa and offers a great place for people to work and raise their families. It provides us the opportunity to serve our existing clients and a place where we can meet our future customers.

Pratum Building Interior and Exterior
Pratum headquarters at 1551 SW Prairie Trail Pkwy, Ankeny IA

My family and I thank all of you for this amazing journey. We were confident Pratum would succeed, but this level of success only comes from surrounding yourself with great people. So, we say thank you to the great people both on our staff and those on staff with our clients.

I’ll leave you with one final quote from Winston Churchill, which I think captures Pratum’s future perfectly.

Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.

Winston Churchill

We at Pratum are just getting started and the future is exciting!

Thank you,

Dave Nelson, CISSP
President and CEO

You Are Invited!

Open House Ribbon Cutting Celebration

We are celebrating our new headquarters and 10-year anniversary!

Date: September 13, 2018

Time: 4:00pm - 6:30pm (Ribbon Cutting at 4:30pm)

Location: 1551 SW Prairie Trail Pkwy, Ankeny, Iowa 50023

Join us as we celebrate our 10 years of information security services and our brand new headquarters. Enjoy hors d'oeuvres and a beverage as you talk with our staff, network with local professionals, or relax on the second floor patio overlooking The District.


Phishing attack via a text or SMS message.

When people think about social engineering in 2018, the two most popular forms that come to mind are email phishing and pretexting phone calls. For years, individuals have been on the receiving end of targeted and widespread social engineering campaigns, primarily through those two vectors. However, social engineers are constantly changing their tactics and looking for new ways to solicit information from people. A third category of social engineering that is quickly gaining popularity is phishing through SMS text messages, or SMiShing for short. This attack vector is increasingly dangerous because text messaging is so personal; we are more apt to respond to and trust a text message, even from a random number, than we are to open a suspicious-looking email.

My Recent Experience with an SMS Message Phishing Attack

Recently, I received a text message from an unknown number containing my full name and asking the simple question of “how are you?”. Well, this is quite an interesting text message to receive, especially since it contained my full legal name. Already a little suspicious, I responded with “Hello, who is this?” to validate that it wasn’t someone I recently met. The conversation that ensued between myself and a “Mr. A Morgan” was very clearly an engagement with a social engineer. Not a bot, but a real human. I knew and understood immediately that this text message was not legitimate, but I proceeded with the conversation to accomplish a few objectives: consume this person’s time from targeting other individuals and learn how social engineers are trying to steal money/information in 2018 via this avenue of communication.

SMS Text Message Phishing - SMiShing
Image: Screenshot of actual SMS Message Phishing Attack sent to Matthew McGill's phone.

Keep an Eye Out for These SMiShing Tactics

Social engineers will use many tactics to try to coerce information out of us, attempting to catch our eye through tempting offers or the use of fear. The following points are a series of tactics that social engineers may employ to obtain such information.

  • Social engineers know how people work and operate, so they very clearly and intentionally craft attacks to play on some of our biggest psychological fears and wants. They also understand that not everyone will “buy into” their scheme, so they tend to stay broad in their language. Avoid ambiguous texts that fail to mention specific locations, organizations, websites, names, etc.
  • Mention of Western Union. For whatever reason, payments through Western Union tend to be the most popular form of money transfer in such attacks. If a text message says to “wire money” via Western Union, this should cause you to raise an eyebrow.
  • Never click on links or navigate to unknown websites as prompted by an attacker. Websites pose a much greater risk to you and your personal information.
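The indicators in the list above (vague messages from unknown senders, wire-transfer requests such as Western Union, links, and fear or reward lures) turned into a small triage heuristic, as an added example that is not part of the original post. The sample messages, weights and keyword lists are constructed for illustration; a real filter would tune them against actual reports.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inbox: (sender, sender is a known contact, text).
# None of these are real messages.
SAMPLE_MESSAGES = [
    ("+15555550100", False, "Hi Matthew, how are you?"),
    ("+15555550101", False, "You have won a prize! Wire the $200 processing fee "
                            "via Western Union to claim it."),
    ("+15555550102", False, "Your account is suspended. Verify now at "
                            "http://example.test/verify"),
    ("+15555550103", True,  "Running late, see you at 6 at the usual place"),
]

# Heuristic patterns drawn from the tactics listed in the post (hypothetical lists).
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|info|test)\b", re.I)
MONEY_TRANSFER_RE = re.compile(
    r"western union|wire (?:the )?money|wire transfer|moneygram|gift card", re.I)
PRESSURE_RE = re.compile(
    r"\b(?:urgent|immediately|suspended|verify now|won|prize|winner|act now)\b", re.I)

# Weights are an assumption for this example; a transfer request is the
# strongest single signal, a bare unknown sender the weakest.
WEIGHTS: Dict[str, int] = {
    "unknown sender": 1,
    "money transfer request": 3,
    "contains link": 2,
    "fear or reward lure": 2,
}


def smishing_indicators(known_contact: bool, text: str) -> List[str]:
    """Return the names of the indicators present in one message."""
    reasons = []
    if not known_contact:
        reasons.append("unknown sender")
    if MONEY_TRANSFER_RE.search(text):
        reasons.append("money transfer request")
    if URL_RE.search(text):
        reasons.append("contains link")
    if PRESSURE_RE.search(text):
        reasons.append("fear or reward lure")
    return reasons


def score_message(known_contact: bool, text: str) -> Tuple[int, List[str]]:
    """Weighted score plus the reasons behind it, so a reviewer can see why."""
    reasons = smishing_indicators(known_contact, text)
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(messages) -> List[Dict[str, object]]:
    """Score every message and return them highest-risk first."""
    rows = []
    for sender, known, text in messages:
        score, reasons = score_message(known, text)
        rows.append({"sender": sender, "score": score, "reasons": reasons})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row["sender"], row["score"], ", ".join(row["reasons"]) or "-")
```

Note that the opening "how are you?" message from the post scores only for its unknown sender: vagueness is exactly what makes it hard to flag mechanically, which is why the post's advice to ask who you are speaking with, rather than rely on a filter, still applies.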

Response to SMiShing and Other Forms of Social Engineering

How are we to respond if we feel like we’ve received a suspicious text message, phone call, or email? Here are just a few ways to respond to such attacks, including actionable steps to lower your risk and ensure personal, private information is never leaked.

  • Responding to an SMS message does not inherently put you at risk. However, this is to be avoided at all costs; the less conversation that is sent back and forth, the less likely you will fall into some sort of trap.
  • If you are ever suspicious about a text message you receive, block the number immediately. There are websites and online tools, such as the FTC Complaint Assistant ( https://www.ftccomplaintassistant.gov/#crnt&panel1-1 ) website, that allow you to report unwanted and unwarranted phone numbers.
  • Always attempt to validate the identity of the individual you are communicating with. No financial institution or software company will ever contact you and request information. It never hurts to ask further questions about who you are speaking with. Never give out personal or digital information unless identity has been established.

Conclusion

Social engineering is nothing new, and yet it continues to be one of the most attempted and successful ways attackers obtain information. It is important to stay alert to these attacks and their evolution in an ever-increasing digital age. Knowing the risks associated with personal forms of communication can help you stay ahead of the curve and avoid leakage of proprietary business intelligence. It is very important to take a proactive, risk-based approach to social engineering and the various phishing attack vectors. Pratum offers a suite of services ranging from security awareness training to the actual execution of ethical social engineering campaigns to address these concerns and help your organization mitigate its overall risk.
