info@qualityplusconsulting.com l +1 262-553-6510

Special note for Ubuntu users

Breakfast Bytes podcasts are streamed as MP3. For Firefox on Ubuntu to play a streaming MP3, install the GStreamer extra plugins package that lists MP3 among its supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Failure of One Identity

12/14/2018, 1/5/2019

The Failure of the One Identity Concept

MP3 - The Failure of the One Identity Concept

MP3 - Privileged Identity Management


The Failure of the One Identity Concept

This is just going to make identity theft even bigger. The One Identity concept is a complete FRAUD.

It seems the real goal here is to sweep together all the data that corporations have already harvested, expand on it, legitimize it, and use it to gain even greater control over the people of the world — all while pressing their social agenda in the process.

And what happens when your ONE UNIFIED IDENTITY is compromised or you are locked out of it?

Who do you call? Who provides support for that?

Think of it like you only have one email address or one bank account or one computing device and you are disconnected from any one of those at any time. Who do you call?

If you don't have a relationship with a provider who KNOWS you as a human and can otherwise verify your identity that way, then good luck getting the issue resolved.

https://www.thenewamerican.com/tech/computers/item/30831-mastercard-and-microsoft-want-to-take-control-of-your-identity

Major problems with "passwordless" authentication.

Privileged Identity Management

Question posed by another admin:

While discussing security & compliance with a colleague the other day, they mentioned the O365 security roadmap recommends creating dedicated admin accounts, and elsewhere that admins should change their passwords every 90 days.

I spoke with people involved with securescore last year and had the impression Microsoft was backing away from the idea of a separate admin account, and instead focusing on securing the one identity. What is the current thinking about admin accounts?

https://securescore.office.com/#!/score

Do not expire passwords

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure

Ensure separate user accounts and mail forwarding for global administrator accounts

Ensure the passwords of administrative accounts have recently changed

https://docs.microsoft.com/en-us/office365/securitycompliance/security-roadmap#30-days--powerful-quick-wins

Use dedicated admin accounts for admin activity

QPC response:
Privileged Identity Management is useful for those that actually have the high end of Enterprise Mobility Suite. Conditional access is part of that as well, such as protecting the accounts from authenticating unless the traffic is coming from approved IP ranges, impossible-travel protection, etc.

I like using a completely separate admin account because that account does not ever receive any phishing or other hack attempts. The bad guys have no idea what the account name even is. We even put ours on a different domain suffix. Therefore there is never any mixing between the end user who accesses their normal mail and normal websites, and admin access. Given the ability of keystroke loggers to get onto systems, and yes, for smartphones to be compromised also, I would rather use a completely separate system, in the vein of a privileged admin workstation, for anything where admin is used. By the way, I also think it is extremely ill advised to use Office 365 admin tools on smartphones due to the ease of hacking smartphones.

I personally think that using smartphone app or SMS based MFA when the smartphone has a SIM card in it is very risky. https://qualityplusconsulting.com/podcasts/278-breakfast-bytes-sim-jacking
I've seen several phones hacked, apps hijacked, and the phone in general taken over.
This is why I use a completely separate device without SIM in it for MFA. And where possible I would rather use a hardware token that is impossible to remotely hack.

Due to the security risks, I'm not a fan of the one identity concept. It is too easy to exploit.

All our admin accounts change passwords frequently.
For text-message-based MFA, where no other option is allowed on a system, we use dedicated non-cellular phone numbers that are not published and don't back-end into any equipment that someone could figure out is tied to an admin via public records.

FYI, all your phone numbers that you have ever gotten tied to your name via a cell or standard POTS carrier are publicly available information. Just look at truthfinder.com. There are so many ways for admins to be socially engineered and targeted, that we require use of completely separate accounts with completely separate MFA mechanisms.

The MFA mechanisms that are smartphone based are also severely vulnerable to customs, border patrol, TSA, and foreign government snatch-and-grab. In Europe now, governments are just cloning your devices because they want to. I would rather use a system that they cannot clone or hijack as the MFA mechanism.

There are a lot of usability benefits that admins get by having a separate admin account in O365, some of which include recommendations from the Graph that are exposed on the SharePoint home page, SharePoint search, and Delve. If you have a separate admin account for admin tasks, like joining a group/site, then those actions don't contaminate your personal account's Graph data with a lot of info about things you don't really want to be correlated with.
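As an added example (not QPC's script and not part of the original response), the following PowerShell audits every Global Administrator in a tenant against the practices discussed above: a UPN suffix that is not one end users sign in with, an account that is not licensed (so it is unlikely to carry a mailbox that can be phished), a default MFA method that is not SMS or voice to a phone number, and a password that has been changed recently. It assumes the MSOnline module and a Connect-MsolService session; the $UserDomains list and the 90-day $MaxPasswordAgeDays threshold are assumptions to adjust for your own tenant, not values from the page.

```powershell
# Added example, not QPC's code. Requires the MSOnline module (Install-Module MSOnline).
# $UserDomains and $MaxPasswordAgeDays are assumed local settings, not values from the page.
param(
    [string[]]$UserDomains = @('contoso.com'),   # suffixes ordinary end users sign in with (assumption)
    [int]$MaxPasswordAgeDays = 90                # threshold for "recently changed" (assumption)
)

Connect-MsolService

# "Company Administrator" is the MSOnline name of the Global Administrator role.
$gaRole  = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
           Where-Object { $_.RoleMemberType -eq 'User' }

# MFA method types that deliver the second factor to a phone number (SMS or voice).
$phoneNumberMethods = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice')

$report = foreach ($m in $members) {
    $u         = Get-MsolUser -ObjectId $m.ObjectId
    $upnDomain = ($u.UserPrincipalName -split '@')[-1]
    $default   = $u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
    $findings  = @()

    # Separate admin account: its UPN suffix should not be one that end users use.
    if ($UserDomains -contains $upnDomain) {
        $findings += 'admin UPN shares an end-user domain suffix'
    }

    # A licensed admin account usually has a mailbox, i.e. it can receive phishing mail.
    if ($u.IsLicensed) {
        $findings += 'account is licensed (likely has a mailbox)'
    }

    # MFA: flag no registered methods, or a default method that goes to a phone number.
    if (-not $u.StrongAuthenticationMethods) {
        $findings += 'no MFA methods registered'
    } elseif ($default -and $phoneNumberMethods -contains $default.MethodType) {
        $findings += "default MFA is $($default.MethodType) (phone-number based)"
    }

    # Password age, measured from the directory's last-change timestamp.
    $ageDays = [int]((Get-Date) - $u.LastPasswordChangeTimestamp).TotalDays
    if ($ageDays -gt $MaxPasswordAgeDays) {
        $findings += "password last changed $ageDays days ago"
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PasswordAgeDays   = $ageDays
        DefaultMfa        = if ($default) { $default.MethodType } else { 'none' }
        Findings          = ($findings -join '; ')
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

Run it from a privileged admin workstation with an account that can read directory roles; an empty Findings column for a Global Admin means that account matches all four checks. The license check is a proxy: confirm mailbox presence with Get-Mailbox in Exchange Online if you need certainty.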

The Creepy Line documentary

Excellent documentary, currently included with Amazon Prime.

https://www.thecreepyline.com

Google CEO lied to Congress about location tracking

The Associated Press investigation proves otherwise.

https://www.apnews.com/828aefab64d4411bac257a07c1af0ecb
