As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
Today there are many more machine identities than human ones.
They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Because people who have been around for a while have heard the phrase that if you’ve ever had [REDACTED] with someone, you’ve had [REDACTED] with everyone they’ve ever had [REDACTED] with. At least in terms of [REDACTED] transmitted diseases. Lloyds Pharmacy Online even developed a “[REDACTED] degrees of separation” calculator to quantify that exposure.
Beyond third-party risk
But enough about [REDACTED]. Your company’s data and information are subject to similar threats.
I mean, it’s all well and great for you to adopt a third-party risk management system to make sure that your vendors and suppliers aren’t letting bad things happen to your data and information.
But guess what? All those third parties have third parties of their own.
A fourth party is an independent entity that provides services to you on behalf of your third-party service provider – also known as your third party’s third party. A fourth party is also known as a subcontractor or sub-outsourcer. Fourth parties have not signed an agreement with your organisation, so they do not have a legally binding obligation to your business. Your third party itself may subcontract all or some obligations of their agreement to you to another service provider.
An example
Let me delve into an example that I touched upon in my January post.
Let’s say that you did business with Bank of America.
You checked out Bank of America’s systems as part of your due diligence.
Perhaps you determined that everything was right and fine with the bank.
But it was NOT right and fine with one of Bank of America’s software providers, which is a FOURTH party to you.
So there’s this other system that you never contracted with.
And the fourth parties have fifth parties, the fifth parties have sixth parties, and so fourth. I mean forth.
Making an impact
Luckily there are companies that provide aids not only to address third-party risk, but also nth-party risk when data is transmitted all over the place.
When marketers write content for Chief Information Security Officers, we need to ensure they’re listening. The content needs to speak to their concerns. Understanding their emotions helps us to do that.
Tapping into their emotions helps to ensure the CISOs are paying attention, and that the CISOs are not dismissing our content as unimportant and unworthy of their attention. (See what I did there, dear marketer?)
Are our prospects listening to us?
I’ve talked about emotions and content before. My approach is fairly simple, identifying the emotions encountered at two stages of the customer journey:
The negative emotions faced at the “problem” stage. Perhaps fear, anger, or helplessness.
The positive emotions faced at the “results” stage, after you have provided the customer with the solution to their problem. This could be the happiness or satisfaction resulting from hope, accomplishment, or empowerment.
What do CISOs fear?
I’m reworking a client piece targeted to Chief Information Security Officers (CISOs), and I needed to re-examine the things that keep CISOs up at night. I started with a rudimentary list.
Cyberattacks. (Duh.)
Technological complexity.
Resource constraints.
Corporate liability.
Job security.
A good list—well, I think so—but is it good enough? (Or big enough?) The elements are rather abstract, since you can discuss concepts such as “resource constraints” without FEELING them.
What do CISOs really fear?
Maslow’s famous hierarchy of needs is (literally) based upon physiological (survival) and safety needs. Can I translate the abstractions above into something more primal?
Loss of all our information, leaving us dumb and helpless.
Confusion and bewilderment in (as the AI bots are fond of saying) “the ever-changing landscape.”
Overwhelming burnout from too much to do.
No money after being sued into oblivion.
Wandering the streets homeless and starving after losing your job and your income.
How should we express those fears?
Now there are various ways to express those primal fears. I could go for maximum effect (will the wrong decision today leave you homeless and starving tomorrow?), or I could write something a little less dramatic (are you vulnerable to the latest cyber threats?). The words you choose depend on your company’s messaging tone, which is why I recently reshared my original brand archetypes post from August 2021. A Sage will say one thing, a Hero another.
Why?
Anyway, thank you for reading. Writing this helped me, and maybe it gave you some ideas. And if you want to know more about the seven questions I like to ask before creating content (emotions being the 7th), read my ebook on the topic.
I just read a post by SentinelOne, but it’s too early to tell if this is just a string of buzzwords or a legitimate endeavor.
The post about a proposed “Autonomous SOC Maturity Model” (ASOCMM?) includes buzzwords such as “autonomous,” “SOC” (system and organizational controls, or security operations center – take your pick), “agentic AI,” and of course “maturity model.”
Having done my maturity model time during my days at Motorola Solutions predecessor Motorola (although our group stuck with CMM rather then moving on to CMMI), I’ve certainly seen the benefits and drawbacks of maturity models for organizations large and small. Or for organizations large: I shudder at the thought of implementing a maturity model at a startup; the learning curve at the Printrak part of Motorola was bad enough. You need to hit the target between no process, and process for process’ sake.
So what of this autonomous SOC maturity model? Perhaps it can be real.
“At SentinelOne, we see the Autonomous SOC through the lens of a maturity model. We welcome debate on where we, as an industry, are on this evolutionary revolution. We hope most will agree that this is a better way to look at Autonomous SOC innovation and adoption – far better than the binary, all-or-nothing debates that have long fueled analyst, vendor, and industry watcher blogs and keynotes.”
If nothing else, a maturity model approach lends (or can lend) itself to continuous improvement, rather than just checking off a box and saying you’re done. A Level 5 (or Level 4 on a 0-4 scale) organization, if it believes what it’s saying, is ALWAYS going to improve.
This metal injection attack isn’t from an Ozzy Osbourne video, but from a video made by an expert lock picker in 2019 against a biometric gun safe.
The biometric gun safe is supposed to deny access to a person whose fingerprint biometrics aren’t registered (and who doesn’t have the other two access methods). But as Hackaday explains:
“(T)he back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint.”
Biometric protection is of no use if you can bypass the biometrics.
But was the safe (subsequently withdrawn from Amazon) over promising? The Firearm Blog asserts that we shouldn’t have expected much.
“To be fair, cheap safes like this really are to keep kids, visitors, etc from accessing your guns. Any determined person will be able to break into these budget priced sheet metal safes….”
But still the ease at bypassing the biometric protection is deemed “inexcusable.”
So how can you detect this injection attack? One given suggestion: only allow the new biometric registration control to work when the safe is open (meaning that an authorized user has presumably opened the safe). When the safe is closed, insertion of a thin piece of metal shouldn’t allow biometric registration.
For other discussions of injection attack detection, see these posts: one, two.
By the way, this is why I believe passwords will never die. If you want a cheap way to lock something, just use a combination. No need to take DNA samples or anything.
Oh, and a disclosure: I used Google Gemini to research this post. Not that it really helped.
A little (just a little) behind the scenes of why I write what I write.
What does TPRM mean?
I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.
Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”
But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.
Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.
That’s all I wanted to say…
How is NIST related to TPRM?
…I lied.
Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.
Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.
When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.
Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.
The TPRM problem
And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.
Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.
What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.
The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.
Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.
Manage your TPRM…now that you know what I mean by the acronym.
He had purchased a feature-rich home security system and received an alarm while he was traveling. That’s all—an alarm, with no context.
“The security company then asked me, ‘Should we dispatch the police?’ At that moment, the reality hit: I was expected to make a decision that could impact my family’s safety, and I had no information to base that decision on. It was a gut-wrenching experience. The very reason I invested in security—peace of mind—had failed me.”
Bredemarket 