Jason Lim is the Founder & CEO of Cydentiq. Having 15 years of expertise in the information technology industry and identity security domain, Jason gained substantial experience in various roles including leadership, strategic advisory for identity security, service delivery, business development, marketing strategy, team development and success mentoring. He is highly passionate in the areas of identity management and insider threat. He is also the subject matter expert of privileged access management and has been providing extensive advisory service across different industries especially financial services. Jason is an active public speaker in cybersecurity & technology conferences such as EC-Council, ISACA Malaysia Chapter & Malaysia Institute of Accountants (MIA), and others.
Prior to this startup journey, he was the Vice President of Cybersecurity at Wiki Labs, responsible to build the new cybersecurity business division and drive go-to-market strategies. Under his leadership, Jason has successfully transformed the business into a growing & profitable model. As part of his cybersecurity journey, Jason has established his remarkable milestones at MasterSAM, was responsible to drive company operation & strategic direction in Malaysia & Singapore, and also the business expansion to the Asia Pacific region before the company was acquired by Silverlake.
In an interesting conversation with CISO MAG, Jason Lim discusses the challenges he faced while setting up the cybersecurity division at Wiki Labs, his views on Privileged Access Management Risk, and much more.
Do you think the current cybersecurity measures would be relevant in another two years, or will it become obsolete?
Today, cyber threats are evolving. Cyber attacks are getting more sophisticated and organized. Prevention is no longer an effective strategy because you can’t protect if you don’t have the visibility. Visibility is the key in today’s complex environment. While we have billions of data collected from different sources, it is important to know how can we get good information and provide better insights from it to make decisions. Organizations should start leveraging a good analytical platform that uses artificial intelligence, machine or deep learning technologies to accelerate data processing and analysis for quicker business value and decision. Organizations today also lack response capability. Many times, when they are under attack, they often panic.
I realize organizations today spend so much time and effort in ensuring they have good policy and they stay compliant to the regulations such as PCI DSS, ISMS, etc. There is nothing wrong with this, but the fact is that it is not just about gaining a tick at the compliance level. Even if you are 100% compliant, it does not mean you are 100% hack-proof. Organizations need to start building a holistic approach to cyber resilience. Cyber maturity assessment is recommended to provide an in-depth review of an organization’s ability to protect its information assets from cyber threats. It combines the view of people, process, and technology to identify areas of vulnerability, prioritize areas for remediation, and demonstrate both corporate and operational compliance, turning information risk to business advantage. My advice for organizations would be to continuously review their cyber resilience strategy and preparedness against cyber threats.
According to a recent Privileged Access Management Risk and Compliance Report, 70 percent of organizations fail to fully discover privileged accounts and 40 percent do nothing at all to discover these accounts. How worrying is this and what can be done to counter this?
Visibility is the power – what you don’t know can’t get you further. Privileged accounts are always the prime target of attackers as they provide the direct path to your network. There is no need to break the windows if you have the key. With privileged account access, you become the “king” and you could do anything you want, including suspending critical service, extracting sensitive information, installing malware, injecting malicious code into programs, deleting entire filesystem, etc. Statistics show that most of the data breach incidents reported today are caused by compromised credentials, lack of visibility and access control, and unauthorized access to critical systems. Ask yourself a few questions – how many firewalls and servers are there in your organization? How many privileged accounts are there within each system? Has anyone changed the default passwords? Do you control who can access those critical systems? How do you monitor third-party vendor access? How do you mitigate the risk of password sharing?
I would recommend the 4A principles to complete your privileged access management framework:
Authentication: It is important to know that securing a system with just the password is no longer a good protection strategy. Password is always a hacker’s best friend. Hackers may take time to crack the password, depending on its complexity and algorithm. But, the fact is, once the password is compromised, they can access your critical data freely. There is a need to build an extra layer of protection for privileged access to reduce the attack surface. Many security compliance standards have emphasized the need for multi-factor authentication in their regulatory guidelines as a part of the best security practice today.
Authorization: It is highly recommended to adopt the least privilege model as the best security practice. At Zero-Trust principle, it emphasizes trusting nobody by default, meaning that nobody should have the access to the system until they are granted proper authorization.
Access: To satisfy the Role-Based Access Control (RBAC) principle, the access should always be restricted and relevant to the user’s function role. Use auto-login technology to connect to critical systems, thus, eliminating the exposure risk of privileged credentials. Each privileged access should be restricted within a specific period and none should have administrative access at all times. The privileged credentials must be periodically randomized – either right after use, schedule, or manual trigger, based on strong password complexity requirements.
Audit: Auditing is an important process that examines and ensures proper security control is always in place to fulfill regulatory compliance standards. Some of the frequently asked questions from auditors are: when was your last change of password, how do you audit their activities performed on the server? Do you restrict your administrators’ access? What is your approval process? Be sure to monitor and record user activities; the recorded data must be available instantly to allow real-time monitoring or session playback so that one can take immediate action when necessary.
You also hold great expertise in Identity and Access Management. According to you, what are the major challenges in this area?
In the past, cyber attackers spent their time devising ingenious malware, hunting vulnerabilities, stealing credit card information, and exploiting systems for financial gain. Today, cyber-attacks are getting more sophisticated and identity theft has become one of the prominent attacks. Attackers just need to find only one weakness among millions of exposure points to gain the door access to the organization. The top three challenges are:
Compliance gap due to lack of access review
It’s often a nightmare for IT department when it comes to access review audit – processes tend to be manual and they struggle hard to collaborate with business units to generate application entitlement reports, and often collect inconsistent outcomes, run manual consolidation, and eventually fail the regulatory compliance. Most organizations struggle to answer the basic question: “Who has access to what?” Over time, certain employees may have been granted excessive rights or privileged access to critical systems. Organizations tend to be weak in this visibility context, as a result, the audit does flag out these scenarios. There is no centralized and holistic view of the user access matrix across the entire organization. You can never get it right without fundamental visibility.
Manual provisioning and de-provisioning of access
I have seen several examples where a new hire, especially a replacement, is simply granted the same access rights as the existing staff – often by “cloning” their account – without reviewing his/her appropriateness of existing access. During the hiring process, HR would typically inform IT to manually create an identity and assign appropriate rights to the new employee. Over time, the employee may have requested additional access which requires manual grant and revoke operations according to the approved timeframe. If an employee gets promoted or transferred to a different department, his/her current and new roles will also need to be managed properly. When the employee leaves the organization, his/her account would eventually be deactivated and removed one day. Can you imagine there are so many gaps that exist due to a huge hassle of manual operation running behind this? Orphan accounts are the best scenario to prove this challenge.
Too many passwords to manage
We’ve all been there before. We waited too long, and our password expired. Or we made a change, and somehow that change didn’t trickle down to all of the relevant systems we need to access. If we need to use multiple applications at work, do we use different passwords and make it complex? Most people hate complex and expired passwords and figure out another easy password to remember. Password creation, update, and deletion (CRUD) is a real issue with real costs that IT wants to reduce. Having automated tools that are easy to use and can integrate with existing systems can alleviate much of the pain here along with a single-sign-on solution that is protected with multi-factor authentication.
Disclaimer
When this interview was taken, Jason Lim was the Vice President of Cybersecurity at Wiki Labs. Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
