It's Always a Question of Identity

While I'm a GRC specialist, I'll always keep a fondness for Identity and Access Management. I love IAM for the same reasons most people hate it: it's embedded in organizational complexity, there's an infinite number of edge cases and messiness, and it requires fine people skills to handle angry customers who wanted their access yesterday for that $400/hr consultant.

Oh, and also: IAM is the main entry point for most cyber criminals.

I know pentesting, AppSec, even defense are cooler. But the money, as in all areas of life, is in the boring stuff. Let me share some real-world examples that highlight the vulnerabilities we face and why identity is at the root of everything.


🎓 DEF CON High Schooler: A Wake-Up Call

A high school senior Rickrolled his entire school district thanks to default passwords in the school's classroom-monitoring (read: spying) software. I love this story because it brought me back to the roots of hacking. Nowadays we are so concerned about organized crime and nation-states that it feels good to remember hacking started as a lighthearted activity of enthusiastic teenage nerds.

High schools have always been the quintessential victims of hacks, for obvious reasons. Schools are authoritarian by essence. Hackers use objects and software in ways that were not originally intended. They like to circumvent the rules and question authority. Hacking culture was not pulled out of some marketer's hoodie!


Alright, maybe a little bit of marketing.

While witnessing these teenagers' giddiness, especially as a parent, gave me a warm feeling, we must also look at the story from the school district's point of view. The outlook is bleak. The teenagers pwned the invasive monitoring agent installed on school computers using default passwords and vendor backdoors that were documented in publicly available manuals. One of the default passwords was, well, password. In a commercial-grade product! In 2022!

The root cause is obvious. Schools face a persistent, motivated threat (students hacking for prestige, or to cheat) with extremely limited budgets.

I do not envision things improving much from the IT point of view in the schooling system. In light of the threat of automation discussed previously, teachers' skills will become more valuable. We need more teachers and better-paid teachers, which should be prioritized over technology. Yet we need more than ever for our young generations to develop digital literacy, which only schools can reliably provide at a population scale.

I don't really have a solution here. My knee-jerk reaction is to think that spyware belittles teenagers, and that school staff should stay out of kids' private lives anyway. But that doesn't fix a historic lack of investment.

And regardless of means, even the biggest players fall prey to these attacks...


🔐 Cisco Breach: The Human Element

Cisco Systems disclosed a data breach that began in May 2022. Attackers gained access to internal systems and threatened to leak stolen documents if they weren't paid a ransom. Cisco chose to go public with a detailed technical breakdown of the breach.

The attackers compromised an employee's personal Google account. Because the employee had enabled password sync in Chrome, the corporate credentials saved in the browser had been synced to that personal account, and the attackers harvested them from there. To defeat MFA, they simply used the strategy perfected by all our 4-year-olds: asking repeatedly, in the most obnoxious manner, until you give in (a.k.a. MFA fatigue, or push bombing: the victim is flooded with push prompts until one gets approved).

Once inside Cisco's VPN, the attackers relied on built-in Windows administration tools and well-known offensive utilities to dump password hashes, and edited the registry to maintain persistence. Most of this comes straight from the published playbooks. They even used the famous credential-dumping utility mimikatz!


Pictured: A bad case of mimikatz
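The push-bombing pattern described above leaves a very recognizable trail in identity-provider logs: a burst of denied or expired push prompts for one user, followed by an approval. Below is an added detection example that is not part of Cisco's write-up or of this post; the event names, field names, sample log lines, window and threshold are all constructed for illustration and would need to be mapped onto your own IdP's schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA outcome events (not output of any real IdP;
# the field names and event names are assumptions for this example).
SAMPLE_LOG = """
{"ts":"2022-05-24T08:40:00Z","user":"jdoe","event":"push_denied","ip":"198.51.100.7"}
{"ts":"2022-05-24T09:00:05Z","user":"jdoe","event":"push_denied","ip":"203.0.113.9"}
{"ts":"2022-05-24T09:01:10Z","user":"jdoe","event":"push_denied","ip":"203.0.113.9"}
{"ts":"2022-05-24T09:02:20Z","user":"jdoe","event":"push_expired","ip":"203.0.113.9"}
{"ts":"2022-05-24T09:03:30Z","user":"jdoe","event":"push_expired","ip":"203.0.113.9"}
{"ts":"2022-05-24T09:04:40Z","user":"jdoe","event":"push_approved","ip":"203.0.113.9"}
{"ts":"2022-05-24T09:05:00Z","user":"asmith","event":"push_denied","ip":"192.0.2.33"}
{"ts":"2022-05-24T09:06:00Z","user":"asmith","event":"push_approved","ip":"192.0.2.33"}
"""

WINDOW = timedelta(minutes=10)   # assumed tuning: how long a burst stays "recent"
THRESHOLD = 3                    # assumed tuning: denied/expired pushes before alerting


def parse_events(text):
    """Parse JSON-lines events and sort by timestamp (logs rarely arrive in order)."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Flag users who received `threshold` or more denied/expired pushes inside
    `window`, and escalate if an approval arrives while that burst is still recent."""
    alerts = []
    recent = defaultdict(deque)   # user -> denied/expired pushes inside the window
    flagged = set()               # users already alerted on for the current burst
    for event in parse_events(text):
        user, burst = event["user"], recent[event["user"]]
        while burst and event["ts"] - burst[0]["ts"] > window:
            burst.popleft()       # drop prompts older than the window
        if event["event"] in ("push_denied", "push_expired"):
            burst.append(event)
            if len(burst) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"kind": "push_bombing", "user": user,
                               "count": len(burst), "ip": event["ip"],
                               "ts": event["ts"].isoformat()})
        elif event["event"] == "push_approved":
            if len(burst) >= threshold:
                # The victim finally tapped "approve": treat as a probable takeover.
                alerts.append({"kind": "push_bombing_succeeded", "user": user,
                               "count": len(burst), "ip": event["ip"],
                               "ts": event["ts"].isoformat()})
            burst.clear()
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

On the sample above, jdoe's 08:40 denial falls outside the window and is ignored, the 09:00–09:03 burst raises a `push_bombing` alert at the third rejection, and the approval at 09:04 escalates it to `push_bombing_succeeded`; asmith's single denial followed by an approval is normal behaviour and produces nothing. The approval-after-burst alert is the one worth paging on, since it means the attacker is now past MFA.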

What needs to be commended, though, is the transparency of Cisco's security team and its willingness to share what it learned. A strong security program does not solely focus on not getting breached. It creates a culture of ethics and integrity that persists even after a breach. Here, the team showcased its talent by responding with detailed forensics, creating antivirus signatures, sharing indicators of compromise including malicious IP addresses, and attributing the attack to likely criminal groups. I believe such a transparent response is the best way to save your reputation.

But you know what is better than what Cisco did? A detailed technical breakdown of how you did not get breached.


🛡️ Cloudflare's Resilience: Phishing-Resistant MFA

Cloudflare, a Cisco competitor in some regards, posted a brilliant write-up of a sophisticated phishing attack they were targeted by. The same group is also believed to have breached another company, Twilio, using the same technique.

Cloudflare's post shows how they used their own network security products to stave off the attackers, which is always a good idea (every tech company should be its own "customer zero"). It also points out that three employees fell for the phishing page and entered their credentials, yet were saved by their hardware security keys, whose credentials are cryptographically bound to the legitimate login origin. The phishing kit relayed each captured password to the attackers over Telegram in real time, so they could log in immediately and then harvest the usual second factor, a one-time code from SMS or an authenticator app, which the victim would dutifully type into the fake page. A FIDO2 key (a YubiKey, in Cloudflare's case) does not produce a typeable code: pressing the button signs a challenge that includes the origin the browser is actually showing, and the key will only use a credential registered for that exact domain. A relayed login from a look-alike domain therefore simply fails, and the failed attempt is visible to the identity provider instead of becoming a silent account takeover.
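To make the origin-binding argument concrete, here is an added example that is not Cloudflare's code, nor any WebAuthn library: a toy model of the FIDO2 assertion ceremony showing why the same real-time relay that defeats one-time codes fails against a hardware key. The hostnames (sso.example.com and the look-alike sso-example.com) are assumptions, and an HMAC key stands in for the per-credential private/public keypair so the example runs on the Python standard library alone; everything else mirrors the real protocol (clientDataJSON carrying the browser's true origin, an rpIdHash in authenticatorData, a single-use server challenge).

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """Toy FIDO2 key: each credential is scoped to the rpId it was created for.
    An HMAC key stands in for the per-credential private key so this runs on the
    standard library alone; a real key uses an asymmetric keypair."""

    def __init__(self):
        self._creds = {}                      # rpId -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key                   # 'key' plays the role of the public key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:          # browser asked for a domain we never enrolled
            raise LookupError(f"no credential for rpId {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (user-present) || 32-bit counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, signature


def browser_get(authenticator, page_origin, challenge):
    """What the browser does: it derives rpId from the page it is really showing and
    writes that origin into clientDataJSON. The page itself cannot lie about it."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return {"credentialId": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """The identity provider's verification side (the hostname used below is assumed)."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.users = {}                       # user -> (credential_id, key)
        self.pending = {}                     # user -> outstanding challenge

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, assertion):
        cred_id, key = self.users[user]
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.pop(user, None):
            return False, "challenge mismatch (stale or replayed assertion)"
        if cd.get("origin") != self.origin:   # the phishing-resistance check
            return False, f"origin mismatch: {cd.get('origin')}"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if assertion["credentialId"] != cred_id:
            return False, "unknown credential"
        expected = hmac.new(key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def demo():
    yubikey = Authenticator()
    idp = RelyingParty("https://sso.example.com")        # assumed hostname
    idp.users["alice"] = yubikey.make_credential(idp.rp_id)

    # 1. Legitimate login on the real origin.
    challenge = idp.begin_login("alice")
    legit_assertion = browser_get(yubikey, "https://sso.example.com", challenge)
    legit = idp.finish_login("alice", legit_assertion)

    # 2. Real-time phishing proxy: the attacker fetches a genuine challenge from the IdP
    #    and feeds it to the victim's browser on a look-alike domain (assumed name).
    challenge = idp.begin_login("alice")
    try:
        phished = idp.finish_login(
            "alice", browser_get(yubikey, "https://sso-example.com", challenge))
    except LookupError as err:
        phished = (False, str(err))

    # 3. A captured genuine assertion is worthless later: the challenge is single-use.
    idp.begin_login("alice")
    replayed = idp.finish_login("alice", legit_assertion)
    return legit, phished, replayed


if __name__ == "__main__":
    for label, result in zip(("legitimate", "phished", "replayed"), demo()):
        print(f"{label:>10}: {result}")
```

Contrast this with a TOTP code: the six digits the victim types into the look-alike page are exactly the six digits the attacker forwards to the real site, and the server has no way to tell the two apart. With the key, the relay dies twice: the browser derives the rpId from the look-alike domain, so the key refuses to use the credential at all, and even a malicious client that forced the right rpId would still produce a clientDataJSON whose origin fails the relying party's check.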


🧩 The Bigger Picture: It's All About Identity Protection

Here's the thing: these attacks, whether they're sophisticated or rely on outdated tech, all come down to the same lesson: we have to adapt and evolve. The industry moves fast, but the fundamentals of security don't change. We need to:

  • Adopt phishing-resistant MFA: stop relying on SMS codes, authenticator-app codes and push approvals, all of which can be relayed in real time or worn down by fatigue. Go for FIDO2/WebAuthn hardware keys, whose credentials are bound to the legitimate origin, so a phished password is useless on its own.
  • Train and empower your people: human error will always be a factor, so let's equip our teams with the right knowledge and tools.

That's all we need, really. Love and identity measures.


💬 A Personal Reflection

This is something I tell my students in IAM. There are days when I feel like I'm barely holding it all together. The constant battle to maintain IAM measures in even small organizations is like fighting against impending avalanches. It's chaos you can't contain but that you need to. Sometimes, I need to remember why I do this work. It's not just about locking down systems; it's about helping people and organizations protect what matters most.

I know it’s hard. You know it’s hard. But we can’t let that stop us. Security is never about perfection, it’s about progress. We get better every day. And we get better together.