By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP
Last week the news carried reports of more than a billion accounts being leaked online from just two sources: Facebook (533M) and LinkedIn (500M). The data is still being validated, but the source seems to largely be public information that has been aggregated, bundled and sold. In this case, it is not passwords or private information but the combination of public information that is the concern.
From the Facebook leak: “The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India,” according to Insider. “It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.”
From the LinkedIn leak: “The leaked LinkedIn data set contains member IDs, full names, email addresses, phone numbers, genders, job titles, workplace information, and potentially other identifying data.”
These are identities. These are the kinds of data that can be combined in creative ways by resourceful adversaries. Whether this information turns out to be fresh or stale, it is yet another reminder that providing information to these services should be done with caution and with awareness of the security settings made available.
One of the biggest challenges we face in information security today is that of validating legitimate credentials. Far too often, threat actors steal legitimate identities and use them to launch advanced, pervasive attacks. While these Facebook and LinkedIn breaches may not have directly exposed credentials, they provide all the building blocks for a successful campaign to acquire those credentials.
Identity management is key to all aspects of information security, as it is what allows access to our most critical assets and information. With the sheer magnitude of modern leaks, breaches, and hacks (just in recent memory), it is critically important that we secure our identities, both business and personal.
This means validating that your users are who they say they are, and that they can access only what they should be able to access, a principle often known as least privilege. It means enabling Multifactor Authentication (MFA) everywhere possible and enabling conditional access and geographic controls to manage the origins of the authentication requests. Finally, it means creating accounts with correct access and permissions and removing them when they are no longer required.
Securing identity is hard, but with the tools and practices available today, it is possible. It is time to put identity management at the forefront of your information security strategy and practices.