The 53rd Edition of the Identity Jedi Newsletter

California Dreaming, when a breach isn't a breach, and a rant..because...yeah

Author

David Lee
September 20, 2023

Wednesday 9/20/23 - Identity Jedi Newsletter - Subscribe

Hey Jedi welcome to the 53rd edition of the Identity Jedi Newsletter. As we embark on year two of the IDJ newsletter, let’s kick this off with a bang! This week, we talk about breaches that aren’t breaches and why we need to do a better job of defining what identity security is. Grab your glass of water; we are about to get spicy 🌶️ 

This newsletter is brought to you by the wonderful state of California. Tacos, sunset, and waves. I ❤️ it here. 

Sponsored By

Bullet-proof your cloud IAM and ensure rapid recovery with Acsense.

You share, I give! Don’t forget about our referral program. Share the newsletter, get free stuff!

Let’s do this differently.

No sales pitches, no talking AT you, but talking WITH you, and most importantly…listening TO you.

Join me and the folks for S3 in Austin next month as we get real about what’s failing with identity. And we’ll talk about the future of identity…today!

Space is limited and filling up fast, so hit the link and secure your spot.

Let’s Get to the Good Stuff!

  • When a breach isn’t a breach

  • Spicy Tuesday

  • The problem is the password

MGM “Breach”

Sigh…

Ok let’s talk about this. Just reading the headline below would lead you to believe that the “breach” that happened at MGM recently had something to do with Okta.

But in fact, it didn’t.

And I would say it wasn’t a “breach” at all.

reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all MFA factors enrolled by highly privileged users.

If I convince you to give me access to your bank account. Is that a breach? I didn’t break anything or take advantage of a gap in a product. I used the proper credentials to get access. What I do with that access may not be legal, but that’s a different story.

My point here is that no product can protect against everything. How often have we said security is about People, Process, and Technology? However, as soon as something goes wrong, what do we see:

“If customer X had Y product installed…”

“Here’s how we at Blah Blah, Inc would have..”

The truth. It doesn’t matter the product, if the attack vector is the people or the process. In this case, convincing the IT staff to reset MFA factors on a privileged account. So FOR THE LOVE OF GOD why do we keep doing the same thing!? Knowing that it ends in the same result.

Bottom line: This wasn’t an Okta problem, this wasn’t a breach. This was a hustle.

Las Vegas casino ransomware attacks: Okta in the spotlight

"I think our biggest challenge was, and this is something we learned the hard way, was the password reset..."

www.thestack.technology/mgm-okta-ransomware

Spicy Tuesday

Ok so nobody told me that Tuesdays were Spicy post day. But I am absolutely here for it! I say we make it a thing. #spicyTuesday.

Here’s a post from Richard Bird yesterday tell some truths.

Richard Bird on LinkedIn: #theguywiththebowtie #yeahisaidit #identitysecurity #identitymanagement… | 34 comments

IDPs are not identity and access security. Just like IAM is not identity and access security. IGA is not identity and access security. PAM is only access… | 34 comments on LinkedIn

www.linkedin.com/posts/rbird_theguywiththebowtie-yeahisaidit-identitysecurity-activity-7109869701861711872-cdpC?utm_source=share&utm_medium=member_desktop

The problem is the password.

A pretty good article with quotes from some different execs from “security” companies. I agree with the premise, passwords aren’t enough, we need to move to something stronger, better, etc.

My only nitpick is how?

Let’s talk about how to get off passwords. What are the steps we need to take to reduce the reliance on passwords? I’m seriously asking. While this is a good read, let’s all of us together create a better one. So I want to hear from YOU Jedi. Read this on the web, and leave a comment. ( If that doesn’t work just reply to this newsletter) and let me know your thoughts on how we can take real steps to getting rid of passwords

Security has an underlying defect: passwords and authentication

Cyberattacks are fueled by the shortcomings of business authentication controls. Bad things happen when access falls apart and credentials land in the wrong hands.

www.cybersecuritydive.com/news/security-defect-passwords-authentication/693471

It’s time to party!

Oktane 23, the Party Bus Returns!

Our friends from Acsense are back with another party bus, and this time, it’s in San Francisco during Oktane! Of course, I’m always looking out for you Jedi so click the button below to secure your seat on the bus!

CISA Releases New Identity and Access Management Guidance

CISA has released new guidance on how federal agencies can integrate identity and access management into their ICAM architecture.

www.securityweek.com/cisa-releases-new-identity-and-access-management-guidance

APAC guide to identity and access management | Computer Weekly

The rise of identity-based attacks is fuelling investments in identity and access management (IAM) tools. We examine the key capabilities of IAM, discuss implementation best practices, and explore the future of this technology

www.computerweekly.com/feature/APAC-guide-to-identity-and-access-management

Misconfigured SAS token by Microsoft’s AI team exposes 38TB of GitHub data

While not technically exposed to the public, security researchers at Wiz say the lack of monitoring available for SAS tokens poses a security risk.

www.scmagazine.com/news/misconfigured-sas-token-by-microsofts-ai-team-exposes-38tb-of-github-data

‎Identity at the Center: #231 - Authorization 2.0 with Rich Dandliker of Veza on Apple Podcasts

‎Show Identity at the Center, Ep #231 - Authorization 2.0 with Rich Dandliker of Veza - Sep 18, 2023

podcasts.apple.com/us/podcast/231-authorization-2-0-with-rich-dandliker-of-veza/id1471899975?i=1000628238028

‎Cybersecurity Simplified: Episode 43: Daily Insecurities – What’s Making Cybersecurity News Headlines? on Apple Podcasts

‎Show Cybersecurity Simplified, Ep Episode 43: Daily Insecurities – What’s Making Cybersecurity News Headlines? - Aug 17, 2023

podcasts.apple.com/us/podcast/episode-43-daily-insecurities-whats-making-cybersecurity/id1547877889?i=1000624778881

‎State of Identity Podcast Series by Liminal: Navigating Identity Challenges in the Multi-Vendor, Multi-Cloud Landscape on Apple Podcasts

‎Show State of Identity Podcast Series by Liminal, Ep Navigating Identity Challenges in the Multi-Vendor, Multi-Cloud Landscape - Sep 6, 2023

podcasts.apple.com/us/podcast/state-of-identity-podcast-series-by-liminal/id1183881265?i=1000626984112

Identity Jedi Show Podcast

LIVE IN AUSTIN, TX

Don’t miss it, come hang out and have a good time and help us kick-off Season TWO! of the Identity Jedi Podcast! AAAND get a signed copy of the book as well. YOU DON’T WANT TO MISS THIS

Get your tickets!

Identity Jedi Podcast Show LIVE

Join us for the live kick-off of Season Two of the Identity Jedi Podcast with a special guest expert in security and identity. Register now!

www.eventbrite.com/e/identity-jedi-podcast-show-live-tickets-715740899297?aff=oddtdtcreator

The Last Word

Stop.

Selling.

FEAR.

Stop. Pushing lies.

Don’t believe half of the shit you read this week about products that would have “helped” with the MGM breach. Don’t fall for the clickbaity headlines, and think that this was a fault in a product. You wanna know what really happened?

Google Rachel Tobac.

We’ve GOT to get better around this stuff. The problem is how we think about all of this. We think security is a band-aid. That it’s a magic potion that makes everything better. We talk behind adjectives, and big words, and say absolutely nothing at all. So let me be clear:

1) Identity Security is a MARKETING TERM

2) Identity products are ADMINISTRATIVE TOOLS, and ADMINISTRATIVE TOOLS aren’t designed to STOP anything they are designed to make tasks easier

3)The answer is to train your PEOPLE and develop your PROCESSES to utilize TECHNOLOGY. YOU HAVE TO INVEST IN ALL THREE.

I’m done ranting….for this week.

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi

What did you think of this weeks newsletter?

Login or Subscribe to participate in polls.

The JEDI COUNCIL

Join the conversation

or to participate.