In the late 1990s, exploitable vulnerabilities began to traverse the young Internet, proving that poorly coded and poorly tested software could be exploited for fun, financial gain, and the exfiltration of sensitive information. In order to detect these software flaws, vendors like eEye, ISS, and Nessus began creating vulnerability scanners to identify operating systems and software with these weaknesses. As you can imagine, differences in detection methods, risk scoring, descriptions, and accuracy between vulnerability assessment scanners led to a myriad of false positives and false negatives across the tools. While one vendor may have identified a vulnerability as high (there were no critical ratings back then), another vendor may have scored the risk as medium or even low, depending on their research and personal opinions.
To solve this discrepancy, standards organizations like MITRE and NIST began building compliance standards like CVE, CVSS, and CWE so everyone could speak the same language and assess vulnerabilities consistently. This brief history lesson has taught us one important thing: without standardization and a common language to describe threats, every organization and vendor could represent the same problem in a different way, ignoring the knowledge and risk insights gained from other perspectives. This includes governments, which learned very early on that vulnerabilities and exploits could be used for cyber warfare against military and commercial installations.
Today, if we consider identities as the new perimeter, and we know the flaws that range from SIM jacking to MFA fatigue, the world is in need of a new compliance standard to identify, classify, and score identity-based security risks—just as we did for vulnerabilities. The difference between our history lesson on vulnerability assessments and identity security lies in the shift from scanners to APIs and agents. Like the early vulnerability scanner vendors, the cybersecurity industry needs to develop a methodology for detection, recommendation, and remediation that will ultimately become ubiquitous. This will form the foundation for a common identity-based risk language and, regardless of vendor, level the playing field for organizations trying to mitigate this threat. For this, I propose a simple approach based on time-tested methods of existing standards, called something like CIE—Common Identity Exposures.
This new standard needs to be developed from the ground up, as scoring models like CVSS are not applicable to identity-based risks, and current terminology is inconsistent across vendors. Regardless, here are a few attributes that should be considered as we explore the possibility of developing a new compliance standard:
- Name: A simple title for the detection of an identity security-based risk.
- Description: A verbose representation of the identity security-based risk, including the possibility of compromise and identity attack vectors that could lead to exploitation.
- Risk: The risk of the identity-based threat based on a simplified scoring mechanism, such as critical, high, medium, low, and informational—similar to other standards.
- Identity: The associated identity for the detection, including username, email address, and other relevant designators.
- Identity Provider: The identity provider and directory store affected by the detection and the owner of the identity.
- Detection: The actual API, log, event, or detection method—including XML or JSON—that triggered the finding.
- Remediation: The manual or automated method to resolve the identity-based risk and what potential negative impact it could have on the environment.
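To make the attribute list concrete, here is an added example (not part of the original article and not an implementation of any published standard) showing how findings from two vendors with different field names and severity vocabularies could be normalized into one record carrying the seven proposed attributes, then prioritized on the common risk scale. The vendor formats, the severity mappings, and the sample findings are all constructed assumptions for illustration.

```python
"""Normalize identity-risk findings from different vendors into one common
record carrying the seven proposed CIE attributes.

Hypothetical example: vendor formats, field names, severity mappings and the
sample findings below are constructed for illustration, not a real standard.
"""
from dataclasses import dataclass, asdict
from enum import IntEnum
import json


class Risk(IntEnum):
    """Common severity scale; integer order is used for prioritization."""
    INFORMATIONAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class CIERecord:
    """One identity exposure expressed with the seven proposed attributes."""
    name: str
    description: str
    risk: Risk
    identity: str
    identity_provider: str
    detection: dict  # raw API/log/event payload that triggered the finding
    remediation: str

    def to_json(self) -> str:
        d = asdict(self)
        d["risk"] = self.risk.name  # serialize the common label, not the int
        return json.dumps(d, sort_keys=True)


# Hypothetical vendor A uses its own severity words; map them onto the scale.
_VENDOR_A_RISK = {"Severe": Risk.CRITICAL, "Elevated": Risk.HIGH,
                  "Moderate": Risk.MEDIUM, "Minor": Risk.LOW,
                  "Note": Risk.INFORMATIONAL}


def vendor_b_risk(score: float) -> Risk:
    """Hypothetical vendor B reports a 0-10 score; bucket it onto the scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score >= 9.0:
        return Risk.CRITICAL
    if score >= 7.0:
        return Risk.HIGH
    if score >= 4.0:
        return Risk.MEDIUM
    return Risk.LOW if score > 0.0 else Risk.INFORMATIONAL


def from_vendor_a(finding: dict) -> CIERecord:
    """Adapter for a vendor A finding; unknown severities are rejected."""
    try:
        risk = _VENDOR_A_RISK[finding["severity"]]
    except KeyError as e:
        raise ValueError(f"unknown vendor A severity: {finding.get('severity')}") from e
    return CIERecord(name=finding["title"], description=finding["details"],
                     risk=risk, identity=finding["user"]["email"],
                     identity_provider=finding["user"]["idp"],
                     detection=finding["raw_event"], remediation=finding["fix"])


def from_vendor_b(finding: dict) -> CIERecord:
    """Adapter for a vendor B finding (numeric score, different key names)."""
    return CIERecord(name=finding["rule"], description=finding["summary"],
                     risk=vendor_b_risk(float(finding["score"])),
                     identity=finding["principal"],
                     identity_provider=finding["directory"],
                     detection=finding["evidence"],
                     remediation=finding["recommendation"])


def prioritize(records: list) -> list:
    """Highest common risk first, regardless of which vendor reported it."""
    return sorted(records, key=lambda r: r.risk, reverse=True)


# Constructed sample findings from the two hypothetical vendors.
SAMPLE_A = {
    "title": "MFA not enrolled for privileged account",
    "details": "Admin account can authenticate with a password alone.",
    "severity": "Severe",
    "user": {"email": "admin@example.test", "idp": "ExampleIdP"},
    "raw_event": {"api": "/users/{id}/authentication/methods", "mfa_methods": []},
    "fix": "Enforce MFA enrollment; the user must re-authenticate afterwards.",
}
SAMPLE_B = {
    "rule": "Dormant account with active session",
    "summary": "No interactive logon in 90 days but a refresh token is still valid.",
    "score": 6.5,
    "principal": "jdoe@example.test",
    "directory": "ExampleDirectory",
    "evidence": {"last_logon_days": 94, "active_sessions": 1},
    "recommendation": "Revoke sessions and disable the account; confirm with the owner first.",
}


def normalize_all() -> list:
    """Normalize both sample findings and return them highest risk first."""
    return prioritize([from_vendor_b(SAMPLE_B), from_vendor_a(SAMPLE_A)])


if __name__ == "__main__":
    for rec in normalize_all():
        print(rec.to_json())
```

The adapters are where the "common language" work happens: each vendor keeps its native output, and only the mapping into the shared record (including the severity translation) needs to be agreed on. Rejecting unknown severities rather than defaulting them is deliberate, since a silently mis-bucketed finding would defeat the purpose of consistent prioritization.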
With these attributes in mind, all vendors assessing identity security-based risks can speak a common language, regardless of their technological implementation. As many of my peers would say, you cannot fix something if you do not know how broken it is, and you cannot prioritize what to fix first if you do not know the severity of all measured risks. A new compliance standard can help ensure that everyone works on the most critical problems first and communicates them in the same way. Then, organizations can truly understand the risks of poor identity hygiene within their environment, and we can ultimately solve the problems associated with identity being the new perimeter.
About the Author: As the Chief Security Advisor at BeyondTrust, Morey J. Haber is the lead identity and technical evangelist at the company. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices.