A stunning cybersecurity attack on FireEye allowed hackers to impact consulting, government, technology and telecom entities worldwide. The hardware and software company that protects clients in Asia, Europe, the Middle East and North America experienced an attack that may include other victims as well. Services by the company include preventing large-scale cyberattacks, deterring malicious software, investigating causes and analyzing cybersecurity risks.

Impact and risks of FireEye hacked cybersecurity Systems and stolen security data

What was the FireEye attack or hack about?

The attack on FireEye targeted its specialized security assessment capability, the Red Team hacking tools that make the company a leader in cybersecurity. Fortune 500 companies, numerous agencies of the federal government and thousands of worldwide organizations use the security systems that the attackers targeted successfully. FireEye attributes the attack to hackers backed by a nation-state motivated more by obtaining secret information or controlling critical systems than by financial gain.

Was cybersecurity system data about other companies stolen?

FireEye has not found any indication that the attack obtained information from the company’s consulting arm, incident-response business or intelligence data. Instead, the attack focused on the tools that FireEye uses to replicate potential hacking activities and identify weaknesses in clients’ computer networks. The U.K.’s Daily Mail reported that no evidence exists that the attack succeeded in removing client data, although when this occurs “stolen security related data about the state of an organization’s systems may prove to be extremely valuable to hackers who plan to penetrate systems” according to Henry Bagdasarian, Founder of Identity Management Institute.

What are the consequences of the hack for FireEye?

FireEye anticipates minimal impact from the hack. Still, it must replace the stolen tools and sustain a financial loss on professional services which account for more than 20 percent of company revenue. A lack of client credibility may impinge on the company’s claim of superiority over competitors in cybersecurity, leading to long-term damage to its reputation. Some business activity may slow down until clients can resume using FireEye’s consultant services without fear of a potential risk of exposure to insecure systems.

What consequences do FireEye users experience?

The theft of FireEye’s Red Team tools deprives clients of the cybersecurity capability to detect and deter system vulnerabilities. With tactics that the company had not seen previously, the attack limits clients’ ability to protect system integrity. FireEye’s tools allow clients to simulate actual attacks by cybercriminals, and the theft deprives them of the ability to defend against malicious acts that can create long-term damage.

What protections do the various types of cybersecurity software provide?

Cyber technology provides five kinds of security to address increasingly complex demands.

1. Securing critical infrastructure

Interruption of the physical systems that support modern societies can occur through cyberattacks on the electricity grid, hospitals, shopping centers, traffic lights and water purification. Responsibility for protecting critical infrastructure rests with organizations that understand the vulnerabilities that malicious attackers may exercise. Users of systems can develop contingency plans that provide alternative solutions in case of an attack on essential systems.

2. Protecting applications

Hardware and software identify and deter malicious attacks through network installations of anti-virus programs, firewalls and encryption programs. As essential components of cybersecurity, these applications prevent unauthorized access to valuable assets and protect them from attack.

3. Securing a network

Protection of internal networks and infrastructure from unauthorized intrusion can result from implementing advanced network security technology. Security teams may incorporate machine learning to detect an abnormal increase in traffic that can indicate the presence of threats. Internal policies that can help prevent unauthorized access include anti-spyware software, additional logins, anti-virus programs, encryption methods, firewalls and new passwords.

4. Monitoring cloud security

Software-based tools protect the data in cloud resources by creating more security than traditional approaches can offer. Storage on physical servers offers less effective security measures and allows a greater incidence of intrusion. Studies indicate that an on-premise environment experiences more than twice as many attacks as a service provider environment.

5. Securing the Internet of Things (IoT)

Unprecedented growth in ownership of appliances, printers, sensors, security cameras, televisions and Wi-Fi routers that connect to each other and the internet broadens the base of concerns for invasion by malicious attacks. Many intelligent devices exist in a vulnerable state that includes no security capability while they comprise the central technology of the consumer market for IoT.

What was FireEye’s response following the incident?

FireEye has not seen any evidence that the attack resulted in the use of the stolen tools. To counteract any potential impact, the company implemented some countermeasures that block any unauthorized use of the Red Team tools. A decision to share the implemented countermeasures with the security community helps others update their detection tools, and a blog post provides access to the measures as well.

What risks exist for the theft of software data?

FireEye’s filing to the U.S. Securities and Exchange Commission stated that no evidence existed that attackers had stolen customer data. While the theft of security software creates a potential risk, FireEye’s tools provide a greater risk as a threat to governmental security systems.

How does the attack affect the risk for theft of the software program?

While the loss of security tools presents a threat, FireEye’s disclosure of the malicious intrusion alerts users to exercise countermeasures. The company works with different software makers to improve defenses against its proprietary security tools, enhancing the likelihood of others avoiding compromises in security.

What can users of security software products learn from the FireEye attack?

Experts caution that a security breach can happen anywhere at any time, and the response to it may matter more than the incident. FireEye advised clients of Common Vulnerabilities and Exposures that may curtail the usefulness of the stolen security tools. A further step includes rules that clients can use in responding to any apparent use of the stolen tools.

What can we learn from the breach?

The compromise to software that affected the Pentagon and the U.S. military, the Justice Department, NASA, the National Security Agency, the State Department and leading telecommunications and accounting firms occurred from an infected security update. Users received instructions from the Homeland Security Department to review all networks for evidence of compromise and to disconnect products from the compromised products. The attack increased the need for users to monitor potential exposure to malicious intrusion and implement measures to prevent exploitation.


Most business transactions necessitate knowing the identity of customers. Although there are situations that do not require knowing a customer, such as in retail, knowing the identity of a customer is a basic requirement for mutual accountability in complex and long-term business contracts. Most importantly, many businesses are required to use a customer identity verification process to remain in compliance with the law. Therefore, it is important for today’s business leaders to have an understanding of the most effective customer identification methods.

Best Customer Identification and Identity Verification Methods

What Is a Customer Identification Program?

The U.S. government and other world governments have implemented a broad range of laws in response to the growth of terrorism and international money laundering. In 2001, the U.S. Congress passed the Patriot Act, a law that requires banks to collect information about their customers and conduct extensive background checks.

One of the most significant requirements under the Patriot Act is the requirement for financial institutions to set up a customer identification program. CIP programs are more broadly referred to as know your customer programs, but the term CIP denotes the specific laws defined under the Patriot Act.

Under CIP requirements, banks must collect sufficient information about their customers to adequately verify their identity. CIPs are why banks collect highly personal information about customers, such as multiple forms of identification and Social Security numbers. Banks also ask customers a series of questions designed to verify that they are who they say they are. If bankers discover any irregularities, they are required to submit an expanded version of a Suspicious Activity Report under the Bank Secrecy Act of 1970.

Although formal CIPs get most of the attention in regulated industries, customer identification is also used in industries that are not required to comply with know your customer laws. Nearly any e-commerce website wants to know the identity of customers to contact them if something goes wrong and to avoid getting scammed. Customer identification is also important when seeking to develop a long-term customer relationship or when asking a customer to sign a legal document.

Importance of Customer Identification

CIPs are of significant importance to financial institutions because they are required to comply in proportion to their size. Smaller banks only have to do minimal checks to confirm a customer’s identity, but larger banks have to use sophisticated customer identity verification methods. In practice, banks are required to use a broad range of digital identity verification tools to confirm that customers are who they say they are and that they should be allowed to open an account.

Compliance with CIP requirements is crucial because banks can face enormous fines for failing to comply. For instance, Wachovia was forced to pay $160 million in 2010 for failing to adequately verify customers who were agents of drug cartels in South America. Wachovia’s mistakes were significant because its failure to implement an effective CIP enabled more than $8 billion in illicit cross-border transactions to take place.

Customer identification is also important for most e-commerce businesses because credit card fraud is widespread. When fraudulent cards are used, businesses usually lose money spent by a customer regardless of whether they delivered the product or service in return. Additionally, when a contract is necessary, businesses cannot hold customers liable when they do not know their identity.

Benefits of Customer Identification

Implementing a proper customer identification process can protect banks from heavy fines that can be incurred for noncompliance. Today, there are sophisticated software tools available that can verify the identity of customers with a high degree of accuracy. Most of these tools are used over the internet to access enormous haystacks of data that can be used for purposes of identity verification.

Additionally, businesses other than banks can use the same identity management tools that have been developed for formal CIPs. Many businesses can benefit from using a customer identification method to confirm that their customers are who they say they are. Identity verification can help with compliance and prevent fraud. Some employers even confirm the identity of new hires when they are first brought on.

Types of Businesses That Need Customer Identification

All financial institutions are legally required to use CIPs to confirm the identity of their customers. However, many other businesses have used CIPs to improve their security. In today’s highly digitalized world, identity verification is especially important when users are given access to highly sensitive information systems.

The reality is that nearly all businesses have a need to use some form of customer identification. In retail or retail-like buying situations, such as in e-commerce or in simple phone-based transactions, customer identification can often be as simple as confirming that the name and address provided by a customer matches their credit card details. Some situations may necessitate simply asking a customer to see their identification without photocopying it. There are also situations where a business needs to develop a relationship with a customer before agreeing to a transaction.

When to Use Customer Identification

Certain types of business transactions require the use of CIPs. Money transfers of more than $10,000 are required to be scrutinized, and CIPs are an important element in scrutinizing any transaction. For very large international transactions, banks will usually go through an extensive customer identification process to verify that the identity of all parties can be confirmed.

There are also many business transactions that make voluntarily using CIPs a favorable option. Before investing a large amount of money in a new business, investors usually want to verify the identity of all major shareholders and officers. Some businesses also need to verify the identity of certain major vendors and customers to avoid making a serious mistake.

Finally, it is often beneficial to verify the identity of users who open accounts on websites. Identity verification is especially important when users will make purchases through a website or are expected to enter into a contractual agreement.

Customer Identification Methods for Online Business

Customer identification is challenging in the online environment because users can easily use a VPN or a simple proxy to hide their identity. Nevertheless, many effective online methods of customer identification have been discovered.

Most online identification strategies use some form of multi-factor authentication to confirm who a person is. MFA involves testing:

  • what a customer knows,
  • what devices a customer owns, or
  • personal attributes of a customer.

The most common form of MFA is the implementation of phone-verified accounts. PVAs ask a user for their phone number at the point of registration before sending a code to the user’s phone. The user then has to enter the code they receive on the registration page to verify their account.
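The phone-verified account flow described above, as an added example (not code from the original article or from any vendor's product). The class name, the limits and the `send_sms` callback are assumptions, and the phone number in the demo is constructed. It shows the controls that make the flow resistant to guessing: a random code, a keyed hash instead of the stored code, an expiry, an attempt limit and single use.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed number of guesses before the code is voided


class PhoneVerifier:
    """Issues and checks one-time codes for phone-verified registration."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms             # callback(phone, code); SMS gateway stand-in
        self._clock = clock                   # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)   # per-process key for the keyed hash
        self._pending = {}                    # phone -> {"digest", "expires", "attempts"}
        self.verified = set()

    def _digest(self, phone, code):
        # Store only an HMAC of the code, bound to the phone number, so a
        # leaked pending table does not reveal usable codes.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, phone):
        """Generate a fresh code, replace any older one, and send it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, code)

    def confirm(self, phone, code):
        """Return 'verified', 'wrong_code', 'locked', 'expired' or 'no_pending_code'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self._clock() >= entry["expires"]:
            del self._pending[phone]
            return "expired"
        # Constant-time comparison avoids leaking how much of the guess matched.
        if hmac.compare_digest(entry["digest"], self._digest(phone, code)):
            del self._pending[phone]          # single use
            self.verified.add(phone)
            return "verified"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]          # void the code; user must request a new one
            return "locked"
        return "wrong_code"


def demo():
    """Run the flow against an in-memory outbox with a constructed number."""
    outbox = []
    verifier = PhoneVerifier(lambda phone, code: outbox.append((phone, code)))
    phone = "+15555550100"                    # constructed sample number
    verifier.start(phone)
    _, code = outbox[-1]
    wrong = "000000" if code != "000000" else "111111"
    return [verifier.confirm(phone, wrong),
            verifier.confirm(phone, code),
            verifier.confirm(phone, code)]


if __name__ == "__main__":
    print(demo())
```

A production deployment would also rate-limit `start` per phone number and per client, since each call sends a message.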

More basic MFA methods ask users for their email address. Users then have to click through from an email they receive to confirm that they are a legitimate user. However, email verification only stops low-level users since email addresses from major providers, such as Gmail and Yahoo, can be inexpensively purchased in bulk quantities.

In situations that require more rigorous identity verification, websites can ask users to upload their identification cards or passports to confirm their identity. Selfies can also be used to verify users. However, the trade-off is that some users feel unsafe when sending highly personal forms of identification through the internet, so businesses lose a segment of potential customers when more complex methods are used. More complex identity verification also significantly slows adoption by reducing the conversion rate on registration pages.

Customer Identification for Offline Business

Offline businesses also need to implement significant customer verification procedures in many cases. Identifying customers is usually easier in the offline environment since businesses can usually verify who a customer is by knowing them personally.

When a customer relationship first begins, businesses can ask in-person clients to submit their identification card or passport. Some businesses ask for two forms of identification. Social security cards and birth certificates should not be accepted as forms of identification since these documents can be easily forged. In cases when customer relationships take place over the phone, the same methods used for online identity verification can be used.

In offline relationships, customer identification is inherently enhanced in several ways. When businesses talk to customers in person or over the phone, it is often easier to hear when customers are being dishonest or shuffling through their notes. Smaller businesses are often able to recognize the voice of a person who has attempted to open accounts under other names in the past. Of course, most offline relationships take place in person or through video chat, so it is possible to see a person’s live face to confirm their identity.

Implementing a Customer Identification Program

Businesses that need to use a CIP should understand the steps necessary for getting started.

The first step is to understand the extent to which you need to verify the identity of your customers. Some CIP tools use exhaustive methods to confirm identities while other tools are designed for mass verification or for smaller businesses.

Next, you should evaluate solutions that are available in the marketplace. Some tools use customer identity verification methods that may not be sufficient for your particular use case. It is also important to consider the sales impact of increasing verification requirements. The reduction in revenue should be weighed against compliance and fraud risks that could manifest as a result of the activity of inauthentic users.

Tools for Customer Identification

The final step for executing a CIP is to implement and use customer identity management software. Most software tools are available on a subscription basis, but some tools require a minimum term of several years. There are hundreds of vendors available, so be sure to read online reviews to confirm that a particular software suite will be effective in your situation. However, once you have put in the work to choose the right software tool, you can continue to validate the identities of your customers for years to come.

Selecting and using the right identity and access management software helps companies manage user access in an automated and efficient manner to reduce unauthorized access and data breach incidents. Controlling access to data systems has become more important than ever before in a world where data breaches have become a common occurrence. The prevalence of hacking continues to grow rapidly. From 2018 to 2020, there was a 47% increase in the frequency of incidents involving insider threats, including malicious data exfiltration and accidental data loss. The Verizon 2021 Data Breach Investigations Report suggests that insiders cause 22% of security incidents.

Learn to choose the right IAM product when selecting an identity and access management software.

Why Use IAM Software?

Identity and access management seeks to solve the problem of unauthorized access by using sophisticated processes and software to track and control who has access to any given system or group of systems. Likewise, the quality and appropriateness of software deployed by an organization is the primary driver of the effectiveness of IAM. Organizations seeking to implement IAM, therefore, need to understand how to choose the right software solution.

Making the right decision when you’re looking at enterprise identity management software for your organization is critical. Choosing the software for your project can mean success or failure. It’s important to understand where the process can go wrong and to take the time to make the right decision the first time around.

The use of IAM software helps companies to manage user access in an automated and time-efficient manner to further reduce the chances of data breaches with fewer resources. Software can, for instance, automatically assign access to a range of systems when users are assigned to a particular role. Access privileges can also be easily revoked when users are finished with a particular project or moved to a new role.

Software also enables organizations to seamlessly manage access to third-party systems using APIs, URL blocking, and even packet interception. Modern software tools use standard protocols, so businesses can more easily manage legacy systems while remaining prepared for future upgrades or software migrations. Standardization also increases the feasibility of using multiple software solutions simultaneously.

IAM software varies widely, but most of the leading software solutions have been proven to be effective over many years. These software tools can be updated frequently, and many of the cloud-based solutions are updated continuously. Therefore, software solutions are secure and constantly adapt to new changes in the business, security, and technological environments.

Most software solutions can be easily selected and deployed with the right technical identity professionals to allow identity and access management roles to perform efficiently. There are also software-based IAM solutions designed for smaller organizations and even individuals. As long as the right software solution is selected, the chances of a data breach occurring can be significantly reduced in less time.

IAM Software Selection Due Diligence

Just about every company that provides identity and access management solutions will assure you that their offering will meet and exceed all of your needs. But how can you be certain their product will satisfy all of your business needs and be cost-effective?

If you make the wrong decision, your project could fall short of its requirements, go over budget, or just outright fail. If you make the right decision, you’ll satisfy all of the business requirements, finish within your budget, secure your organization, and create a framework you can use for future projects with minimal cost.

By being thorough and detailed when selecting an identity management software solution, you can be confident in knowing that you chose the right product for the right price.

Define Your Business Objectives

Integrating a new software product into your business requires that you first define your business objectives. Documenting what it is that you want to improve and also determining an ROI projection is critical.

To properly implement your business objectives, document the objectives you have and share them with your executives and stakeholders. Get their feedback and add that to your projections. What’s key is basing your ROI figures on estimates or solid numbers given to you by your executives rather than from your own conclusions. Some benefits include:

  1. Merging processes across several departments into single workflows.
  2. Reducing the time and cost it takes to begin a process by automating communication and other processes.
  3. Making sure processes aren’t lost and are finished within reasonable timeframes.
  4. Finding information faster and preventing duplication of the information you have.
  5. Keeping users updated automatically with regular reports and changes as they occur.
  6. Creating an audit trail to ensure compliance.
  7. Determining the productivity of your staff so that bottlenecks can be eliminated.

Once you’ve determined the processes that are the most critical, you can work out how they need to flow, and then determine the value you’ll get from automating them. At this point, you’re prepared to create your ROI projections as well as the request for your proposal.

The ultimate goal here is to acquire a solution that will be able to fully integrate your business processes while keeping within your established budget. Most software providers will say their applications can be customized to fulfill any and all requirements, but with your business processes fully established and in-hand, you’ll easily be able to determine the weak spots.

Imagine you need a solution that must assign tasks automatically. Just about every application will be able to do that at a high level. But take this as an example of a more thoroughly fleshed-out process:

When a task is created, it must be automatically assigned to individuals in the necessary department round-robin. The person who is assigned the task needs to receive an email notifying them of the task and providing them a link to view and edit it. This must all work seamlessly on various devices such as phones, tablets, and computers. If the person that’s assigned the task does not edit or view the task within eight working hours, the task must be automatically assigned to that user’s manager. Once this is done, an email must be sent to the user and their manager.

Sitting down with your vendors and giving them detailed process requirements, such as this one, will go a long way towards finding one who can provide solutions for your exact needs while remaining within your budget.

Defining Business Requirements

The key to selecting the right software solution is to start by understanding your unique business requirements. There are hundreds of different software solutions available in the marketplace because needs vary widely. Some organizations have already deployed some form of IAM software solution, and they either need a supplementary solution or are in need of an upgrade. Other organizations are new to using IAM software or currently use rudimentary IAM solutions, such as password managers or IAM solutions designed for consumers.

When choosing IAM software, your organization should start by taking account of your organizational objectives. Many organizations seek IAM solutions in response to a data breach or an alarming instance of unauthorized access. In these cases, it is crucial to focus on addressing a wider scope of potential threats rather than patching the one specific issue that occurred. The fundamental cause of security problems is often a lack of proper internal controls or a lack of understanding of security challenges among individuals tasked with managing security.

Your organization should also consider the range of third-party software applications that you are currently utilizing. IAM software should be compatible with any software that runs on your internal network and with cloud-based solutions that your organization utilizes. You should also take into account any APIs that your organization takes advantage of and the API support that an IAM software solution offers.

Best Practices for Identity and Access Management Software Selection

When selecting a software package, you should start by evaluating the reputation of the vendor that you are considering. Anyone can create software, so some solutions are made by an individual or a small team with a limited reputation. Some software tools have a history of enabling data breaches or being exposed for having serious security vulnerabilities.

It is also good practice to thoroughly study online reviews from similar organizations that have used a particular solution. Some providers claim to offer everything under the sun, but they often underdeliver through shoddy implementation.

The availability of customer support should also be thoroughly considered since your organization will inevitably encounter technical challenges on a regular basis. Some providers include customer support with their products, but carefully consider any limitations. Most providers impose significant limits on the availability of their customer support resources, but reputable providers usually offer additional support resources for an hourly rate or have a community of certified third-party contractors who can be hired for professional assistance.

Software Selection Criteria

The software selection criteria used by your organization should be tailored to your needs. Relying solely on a general set of selection criteria will lead to serious problems when the unique needs of your organization are not met. However, there are some general selection criteria that should be used by nearly all organizations, such as:

  • Support for multi-factor authentication: Multi-factor authentication can improve security throughout your organization. Also, when using IAM tools to access legacy login systems, support for multi-factor authentication can streamline account recovery and reduce the need for manual intervention.
  • Active monitoring: One of the most powerful features of modern IAM software tools is the ability to actively detect, monitor, and respond to potential threats. Since no system is fully secure, active monitoring is the most effective way of denying unauthorized malicious users the opportunity to study and exploit a system.
  • Third-party management: Third parties that access a system are a serious concern for most organizations. Software can help to minimize access to these users while enabling them to obtain the access they need in less time.
  • Integration: Many of the best IAM software providers have actual partnerships with other leading software providers in a wide range of fields. These partnerships enable seamless and highly secure integration.
  • Ease of implementation: Some IAM software tools can take months or even years to fully implement. Carefully consider your organization’s timeline and integration budget before making a decision.

When Customization Is Necessary

If your organization has complex needs, you may need to customize a software package for your requirements. Nearly all of the best IAM software providers recognize the need for customization, so they provide many means of customization.

When you need to customize your software, APIs are important for simplifying most of your customization needs. APIs also make customization easy when using other software or when accessing systems remotely.

When you need a high degree of customizability, look for vendors that either offer customization services or can provide access to their source code. Many of the leading software providers have training programs that can quickly get your development team up to speed about how to implement customization for their particular software tool.

Request for Proposal

If you do produce a lengthy RFP, and you most definitely should, you’re going to find that a lot of vendors won’t respond to it unless they believe there’s a great chance of getting your business.

To counter this, you’ll want to make a preliminary RFP that’s much more succinct. Use this RFP to narrow down potential vendors. While this RFP will be shorter, it should still be highly specific to your business. Some of the questions you might include are:

  1. List only a few of your processes in high detail. Can this system automate these tasks?
  2. What’s the timetable for the full implementation of the new system?
  3. What level of knowledge is necessary to maintain or modify the system?
  4. How much will the new system cost over the next five years, including implementation, consulting, and training?

Take the responses you get from this shorter RFP and whittle down your list of vendors even further. Once you’ve done this, you can send your full-length RFP to the remaining vendors and let them know they’ve made the shortlist.

With your follow-up RFP, as with your preliminary one, your questions should be in great detail and answerable in a quantitative manner. Here’s an example:

What sort of knowledge and training is necessary and how long does it take for a user to create a custom table with modifiable columns and fields?

One system might not allow this. Another system might require a system administrator to create a table in just a few minutes. Still another might require hours of training and hundreds of dollars in consulting fees and custom programming. This is why it’s critical to ask the right questions and validate the vendor’s responses during their presentation.

Taking the example of tables a step further, you might also ask:

  1. Do custom tables work like default tables?
  2. Can custom tables and default tables be linked to each other?
  3. Can reports and business processes be used with custom tables?

Getting precise answers to these sorts of questions will give you a much more detailed idea of what it will take to implement the solution in terms of cost and time. These answers will also give you a sense of confidence that the vendor you select will be able to provide you with the right solution.

Ask for a Custom Demo

Most enterprise software companies have a standard demo they show to their potential clients. While these are good for getting an idea of how the software functions or which problems it solves, they’re ultimately not very useful if the right questions are not asked during the product demo. Vendors tend to focus on the functionality that works well and obfuscate the parts of their system that don’t.

While you should certainly ask for a demo that more closely reflects your business processes, keep in mind that it’s unreasonable to ask a vendor to invest an inordinate amount of time into customizing their system to meet your needs when they aren’t sure they’ll get your business.

While a solution may work for your business and meet your needs, keep in mind that adapting it for changes to your processes down the line may inflate the cost of the system beyond what it took for the initial implementation. In other words, it’s imperative that you determine how difficult it is to modify or configure the system and how much help the vendor provides when doing so.

To determine this in a demo, you need to take a two-step approach. The first step is to go through your processes and select one that is absolutely critical to your business. If this process is unique to your business, even better. Pass this process to the vendor and ask them to implement it within a given amount of time. If they can automate your most critical and complex process and demonstrate it to you, they’ll likely have few issues in automating the rest of your processes. If they fail in this step, you can save everyone’s time, skip step two, and move on to another vendor.

Step two will involve having the vendor modify their system in real time while you watch. Do let them know in advance so they can have the necessary resources on hand to make these changes, but don’t give them the exact details of the change beforehand. The purpose of this step is to determine how difficult it is and how much time it takes to customize their system. This will help you understand if it’s something your staff will be able to complete in-house, or if you’ll need to pay the vendor to make any changes.

Can a Single Software Solution Resolve All IAM Risks?

Many organizations ultimately choose to rely on a single software solution in an attempt to reduce security risks. A single software solution can be appropriate and effective in many cases when all needs are met by that solution. Using a single solution is usually favorable for smaller organizations that have fewer resources to master several tools simultaneously and to customize their deployment. However, using multiple solutions can help to resolve additional IAM risks for some organizations. Evaluate your own needs to decide whether relying on a single provider is appropriate in your unique situation.

Conclusion

An enterprise IAM software solution can streamline processes, reduce costs, reduce errors, strengthen security, and improve customer relationships, to name just a few benefits. Yet failure in proper software selection, implementation, and maintenance can prove to be catastrophic. Take your time when looking for an IAM software solution for your business.

Beginning with a detailed assessment of your business processes, objectives and requirements, and taking a thorough and disciplined approach with software vendors, you’ll be able to make a decision on a solution that will stay within budget, meet all of your requirements, and continue to serve your organization for years to come.
