Santa Claus, PAM and Access Control

A few years ago, data was printed and stored in folders and drawers, rooms with confidential information were locked with keys, which were held by only one employee. 

Today, all this is very different, most of the data is stored and travels in technological means.

In a way, this has made all activities involving the use of information and data much easier but has significantly increased the number of credentials (users and machines) for accessing these assets and the complexity of systems.   

Perhaps, the biggest issue today is ensuring that only the right users and the right software can access and use these data.

Therefore, let’s look at three techniques practiced for years by a good old Gift Giver’s organization, and how they can help minimize many security risks. 

Access Vulnerability

As mentioned, organizations have a large number of credentials that are used to access organizational data and information. However, this does not mean that access is legitimate, as the number of exposed or leaked credentials available on the dark web is at least 1.4 billion.   

Criminals can easily use legitimate user credentials to perform malicious actions such as accessing information, installing software and other things undetected, but this can be avoided by using the two working methodologies from one of the Western culture’s most famous characters: Santa Claus. 

“Santa Claus,” that guy who delivers gifts to well-behaved children on Christmas Eve uses three methods to “do” his job: “Behavior Analysis,” “Naughty vs. Nice List,” and “Gifts list”.

Behavior Analysis

According to legend, Santa Claus often has a list of names of children who misbehave during the year and who do not deserve to receive gifts.

Probably, Santa has some tool that monitors the behavior of children throughout the year and separates them into nice or naughty.

In the organizational environment, this should be no different, as one needs to monitor the behavior of credentials and assess whether they are making good use of the data or not. 

It is the organization’s sole task to determine what is abnormal behavior and what is not. Credentials that access a particular type of information, often outside of business hours, for example, can be considered as a “naughty behavior”. 

Once abnormal credential behavior is noticed, it is best to block its access to that data or information immediately, or take other action that may prevent unwanted behavior from continuing, as this may indicate an invasion or theft of credentials. 

Blacklist x Whitelist – Naughty x Nice List

Following the logic, Santa Claus knows which are the naughty children who will not receive gifts, which in our context could be translated into the data or information, ie there is a list of items that cannot have access to the data because they are associated to malicious behavior. 

In the cybersecurity universe, this technique is called “Blacklist“.

A Blacklist is a list of items that are associated with some kind of malicious activity and cannot have access to a system. There is also a “Whitelist“, which is similar to a “Blacklist” but is made up of items that are allowed to access the system and information. We can demonstrate this with some examples:

These lists can go beyond emails, applications, and IPs. You can include sites, commands, users, and passwords as well in your denials or permissions. 

The latter, for example, is very interesting to create, as many companies do not consider creating a “blacklist” that blocks the use of common, insecure or leaked passwords like “123456” or “iloveyou”.

In addition to these two lists, there is also the”Graylist“, which is made up of items that have not yet been determined to be malicious nor secure. Typically, items in this list need to be assessed before they can be authorized or denied. 

There is, however, a big question about which of the lists to use. In fact, this will depend on the level of restriction and security your business wants. 

A Whitelist is the most recommended list type for open and public systems that require a high level of security, since anything not on the list is considered not secure and blocked. 

While a Blacklist is the most permissive type, since everything not on the list is considered secure. It is, therefore, the most recommended type of list for systems, applications, and infrastructures that will be used internally. However, one should always update this list, as a new virus can be considered secure just because it is not mentioned in the list.

There is no reason not to use both lists. The benefits of using them are many, including these: lowering the risk of the system being infected with malware and viruses and helping strength security tools such as firewalls and IDS/IPS.

Who can access the information: Gifts List

The legend also describes how Santa knows exactly what each child wants to receive and delivers the gift in the right house. For a magical character, this may not be a problem, but for a system administrator with thousands of users, it is virtually impossible. 

As stated, each user needs specific information, and it should only be given to him. If it is shared with someone else, confidentiality will already be compromised. 

It should be taken into account that even with the use of Blacklists and Whitelists, each gift, or rather, each data and information must be delivered to those who actually need access. 

In this case, keeping a list of users and every information they can access is, at a minimum, impractical for an organizational system that needs access decisions to be made quickly and dynamically. 

A user who has access to information they do not need can result in activities or runs they should not do and cause a system problem, even to the organization’s image. 

A PAM solution, for example, is almost a Santa Claus because it can assist in managing access requests, delivering the information that each user needs and can access. 

It can also help in adopting application, credential, and command control in which only these and other whitelisted items can be run, installed and accessed by a user; as well as blacklisting for items that should never be run, accessed, or installed, even if the user has privileges.

In addition, a PAM solution can also assist in behavior analysis by:

• Identifying suspicious accesses or queries.
• Analyzing user sessions based on behavior records.
• Identifying different behaviors with abnormality alerts.
• Using audit trails to detect nonconformities.
• Segregating roles in the environment.

The decision to implement credential behavior analysis, create black and whitelists, and deliver access to the users who really need it in your organization is yours. Maybe not all of these tips are aligned with the vision and goals you want for your system.

However, if you know that these items will increase the security level of your environment but need help, then ask Santa for a PAM solution this year, or better, contact us and find out how senhasegura can help you.