
Windows security vulnerability

Yesterday I was working late, so when I tumbled into my bed I forgot to close my laptop. The next morning I was in a hurry to get out of the door, so I just used the power-off button. Surprisingly enough, my laptop did not turn off; it went into Windows without any password or other form of authentication!

So of course I checked my settings, and the password-protected screensaver was on.

Being a security nerd I had to try again later that day… surprise, surprise, same result. I can open the laptop without putting in a password. After some testing I found the following prerequisites for enabling the security vulnerability.


  1. Windows 7 operating system
  2. A number of resource-consuming programs need to be running. I have tested while having Excel, Word, PDF, PowerPoint, Chrome, Outlook and Windows Explorer running simultaneously
  3. The screen saver must start automatically on its own; as soon as a single key has been pressed, the security hole is closed

If all of this is in place, you simply do the following to open the laptop without a password.

  1. Make sure to press only the power-off button – if you press any other key the laptop will be locked
  2. With the screensaver on, hold the power-off button to shut the laptop down
  3. Once the Windows task manager opens, quickly click Cancel in the close-program popup box
  4. You are now in Windows without a password!

To protect yourself against this, make sure to always lock your laptop manually before leaving it unattended.
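As an added check (not part of the original post), the PowerShell below reports the two settings that decide what happens to an unattended laptop in the scenario above: whether the password-protected screen saver is enforced, and what the power button does. It assumes the standard Windows registry locations for screen saver settings and the standard powercfg aliases, and parses English powercfg output.

```powershell
# Added example: report screen-saver lock enforcement and the power button action.
# Registry paths and powercfg aliases are the standard Windows ones; the powercfg
# output parsing assumes an English locale.

function Get-LockSettings {
    $desktop = 'HKCU:\Control Panel\Desktop'
    $policy  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $result  = [ordered]@{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        # A Group Policy value, when present, wins over the user's own setting
        $value = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            $value = (Get-ItemProperty -Path $desktop -Name $name -ErrorAction SilentlyContinue).$name
        }
        $result[$name] = $value
    }
    # Power button action in the active scheme: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
    $query = powercfg /query SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION | Out-String
    if ($query -match 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)') {
        $result['PowerButtonActionAC'] = [Convert]::ToInt32($Matches[1], 16)
    }
    [pscustomobject]$result
}

$s = Get-LockSettings
$s | Format-List

if ($s.ScreenSaveActive -ne '1' -or $s.ScreenSaverIsSecure -ne '1') {
    Write-Warning 'Password-protected screen saver is not enforced for this user.'
}
if ($s.PowerButtonActionAC -ne 0) {
    Write-Warning 'The power button starts a power transition; lock the session manually before walking away.'
}
```

Run it in the user's session (the settings live under HKCU); a timeout that is long relative to how often the laptop is left alone is as much of a gap as a missing lock.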

IAM Use Cases, why is “retainer” always missing?

I keep getting surprised about the 3 standard use cases everyone talks about: joiner, mover, leaver (JML). Everyone in the IAM sphere seems to have the same idea. Try a quick Google search and you will find many, many descriptions of the 3 areas. Just take the below.

It seems that joiner, mover, leaver is the foundation… or is it?

In my world it is a bit more diverse than that, especially if you also look into the time consumption within each use case. What I am trying to tell you is that an important and time-consuming use case is usually missing – the retain use case.

From my point of view the following use cases are needed by everyone looking into an identity & access management solution.

  1. Joiner – How new people joining your organization are granted access
  2. Retainer – The illegitimate child, covering governance activities in particular
  3. Mover – When people move around inside your organization
  4. Leaver – How to handle people leaving the organization

The retain use case

In my world, retainment of employees needs to be a separate use case area in any IAM solution. All other areas cover when something changes for the people in the organization: when they are hired, change position inside the organization or leave. But what happens when nothing changes for the employee?

Nothing, right?

But what if the same person has the same job over a 10-year period? Does nothing actually change for that employee? Just think what you were working on 10 years ago; not the same as today, right? But if no attributes are changed for a person, it is not a given that the IAM solution will capture the employee's development. Hence the retainment use case becomes relevant.

What should be included in the retainment use case?

When talking about the retainment use case, I suggest that you at least evaluate the following use cases.

  • Periodic certification of accesses and SoD violations
  • Periodic certification of job role content
  • Employee development without attribute changes

IAM temperature check by Deloitte

Based on 19 current IAM projects around the globe, Deloitte Australia created a temperature check of the IAM market. It’s not a very comprehensive report, but it gives a good indication of how the IAM market and the current projects are dealing with the growing challenges of identity and access management.

I can see three important conclusions in the report.

  1. Even though many organizations are trying to involve the line of business, IAM remains an IT challenge. In particular, the CISO has IAM within his domain of responsibility. Just as interesting, IT is also the main source of funding for the IAM projects
  2. IAM is still a matter of getting users onto the system; governance around e.g. SoD is only in place for about 50% of the IAM projects
  3. When looking at the software solutions we are still looking at a very diverse landscape. No supplier really has a tight hold on the clients. The study shows that the main IAM suppliers all have more or less the same number of projects

http://www2.deloitte.com/dk/da/pages/risk/articles/Temperaturmaaling-paa-Identity-Access-Management-omraadet.html

How many RFC connections do you have and which users authorize the connections?

Management of RFC connections usually lives its own life – sometimes under stringent control, but more often with no or only very limited control or documentation.

In a new environment it is easy to start the right way with a controlled solution. But how do you start the analysis of which RFC connections actually exist and, from a security perspective, which users authorize the connections?

Good news, SAP actually offers a standard report to collect and present all the information. The report can be executed using the standard transaction code RSRFCCHK.

Once you have executed the report on every system, you have a good starting point for aggregating the information across your entire SAP environment. The combined information will give you a unique insight into not only which connections actually exist, but also which users authorize the connections and thereby which authorizations each of them carries.
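One way to do the aggregation step above, as an added example that is not from the post or from SAP: take the RSRFCCHK output saved from each system, group every destination by the user that authorizes it, and report each user's reach and stored passwords. The column layout and the three sample exports are constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, one per SAP system; the column layout is an assumption,
# not the real RSRFCCHK output format.
EXPORTS = {
    "ERP": "destination,target_host,logon_user,logon_client,password_stored\n"
           "BW_LOAD,bw.example.internal,RFC_BW,100,X\n"
           "CRM_SYNC,crm.example.internal,RFC_INTEG,100,X\n"
           "ERP_TO_PI,pi.example.internal,,100,\n",
    "BW":  "destination,target_host,logon_user,logon_client,password_stored\n"
           "ERP_EXTRACT,erp.example.internal,RFC_INTEG,100,X\n"
           "HR_READ,hr.example.internal,ADMIN01,200,X\n",
    "CRM": "destination,target_host,logon_user,logon_client,password_stored\n"
           "ERP_UPDATE,erp.example.internal,RFC_INTEG,100,X\n"
           "BW_LOAD,bw.example.internal,RFC_BW,100,\n",
}

def parse_export(system, text):
    """Return one dict per destination row, tagged with the system it came from."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["system"] = system
    return rows

def aggregate(exports):
    """Group every destination in every system by the user that authorizes it."""
    by_user = defaultdict(list)
    for system, text in exports.items():
        for row in parse_export(system, text):
            # An empty logon user means the calling user is used, not a fixed account
            user = row["logon_user"] or "<current user>"
            by_user[user].append(row)
    return by_user

def review(by_user):
    """Per user: which systems define destinations for it, and how many store its password."""
    report = {}
    for user, rows in by_user.items():
        report[user] = {
            "systems": sorted({r["system"] for r in rows}),
            "destinations": sorted(f'{r["system"]}:{r["destination"]}' for r in rows),
            "stored_passwords": sum(1 for r in rows if r["password_stored"] == "X"),
        }
    return report

if __name__ == "__main__":
    for user, facts in sorted(review(aggregate(EXPORTS)).items()):
        print(user, facts)
```

A user that shows up with a stored password on several systems is the one whose authorizations to review first, since every destination that carries it extends that user's reach.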

Happy RFC hunting!