Category Archives: News

Inside Ireland’s Public Healthcare Ransomware Scare

Read Time:8 Minute, 40 Second

The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.

PWC’s timeline of the days leading up to the deployment of Conti ransomware on May 14.

Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021. A timeline in the report (above) says the initial infection of the “patient zero” workstation happened on Mar. 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document in a phishing email that had been sent two days earlier.

Less than a week later, the attacker had established a reliable backdoor connection to the employee’s infected workstation. After infecting the system, “the attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on May 14, 2021,” the report states.

According to PWC’s report (PDF), there were multiple warnings about a serious network intrusion, but those red flags were either misidentified or not acted on quickly enough:

On Mar. 31, 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups — Cobalt Strike and Mimikatz — on the Patient Zero Workstation. But the antivirus software was set to monitor mode, so it did not block the malicious commands.”
On May 7, the attacker compromised the HSE’s servers for the first time, and over the next five days the intruder would compromise six HSE hospitals. On May 10, one of the hospitals detected malicious activity on its Microsoft Windows Domain Controller, a critical “keys to the kingdom” component of any Windows enterprise network that manages user authentication and network access.
On 10 May 2021, security auditors first identified evidence of the attacker compromising systems within Hospital C and Hospital L. Hospital C’s antivirus software detected Cobalt Strike on two systems but failed to quarantine the malicious files.
On May 13, the HSE’s antivirus security provider emailed the HSE’s security operations team, highlighting unhandled threat events dating back to May 7 on at least 16 systems. The HSE Security Operations team requested that the Server team restart servers.

By then it was too late. At just after midnight Ireland time on May 14, the attacker executed the Conti ransomware within the HSE. The attack disrupted services at several Irish hospitals and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. The number of appointments in some areas dropped by up to 80 percent.”

Conti initially demanded USD $20 million worth of virtual currency in exchange for a digital key to unlock HSE servers compromised by the group. But perhaps in response to the public outcry over the HSE disruption, Conti reversed course and gave the HSE the decryption keys without requiring payment.

Still, the work to restore infected systems would take months. The HSE ultimately enlisted members of the Irish military to bring in laptops and PCs to help restore computer systems by hand. It wasn’t until September 21, 2021 that the HSE declared 100 percent of its servers were decrypted.

As bad as the HSE ransomware attack was, the PWC report emphasizes that it could have been far worse. For example, it is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape.

The attack also could have been worse, the report found:

if there had been intent by the Attacker to target specific devices within the HSE environment (e.g. medical devices);
if the ransomware took actions to destroy data at scale;
if the ransomware had auto-propagation and persistence capabilities, for example by using an exploit to propagate across domains and trust-boundaries to medical devices (e.g. the EternalBlue exploit used by the WannaCry and NotPetya15 attacks);
if cloud systems had also been encrypted such as the COVID-19 vaccination system

The PWC report contains numerous recommendations, most of which center around hiring new personnel to lead the organization’s redoubled security efforts. But it is clear that the HSE has an enormous amount of work ahead to grow in security maturity. For example, the report notes the HSE’s hospital network had over 30,000 Windows 7 workstations that were deemed end of life by the vendor.

“The HSE assessed its cybersecurity maturity rating as low,” PWC wrote. “For example, they do not have a CISO or a Security Operations Center established.”

PWC also estimates that efforts to build up the HSE’s cybersecurity program to the point where it can rapidly detect and respond to intrusions are likely to cost “a multiple of the HSE’s current capital and operation expenditure in these areas over several years.”

One idea of a “security maturity” model.

In June 2021, the HSE’s director general said the recovery costs for the May ransomware attack were likely to exceed USD $600 million.

What’s remarkable about this incident is that the HSE is publicly funded by the Irish government, and so in theory it has the money to spend (or raise) to pay for all these ambitious recommendations for increasing their security maturity.

That stands in stark contrast to the healthcare system here in the United States, where the single biggest impediment to doing security well continues to be lack of making it a real budget priority. Also, most healthcare organizations in the United States are private companies that operate on razor-thin profit margins.

I know this because in 2018 I was asked to give the keynote at an annual gathering of the Healthcare Information Sharing and Analysis Group (H-ISAC), an industry group centered on sharing information about cybersecurity threats. I almost didn’t accept the invitation: I’d written very little about healthcare security, which seemed to be dominated by coverage of whether healthcare organizations complied with the letter of the law in the United States. That compliance centered on the Health Insurance Portability and Accountability Act (HIPAA), which prioritizes protecting the integrity and privacy of patient data.

To get up to speed, I interviewed over a dozen of the healthcare security industry’s best and brightest minds. A common refrain I heard from those interviewed was that if it was security-related but didn’t have to do with compliance, there probably wasn’t much chance it would get any budget.

Those sources unanimously said that however well-intentioned, it’s not clear that the “protect the data” regulatory approach of HIPPA was working from an overall threat perspective. According to HealthcareIT News, more than 40 million patient records have been compromised in incidents reported to the federal government in 2021 so far alone.

During my 2018 talk, I tried to emphasize the primary importance of being able to respond quickly to intrusions. Here’s a snippet of what I told that H-ISAC audience:

“The term ‘Security Maturity’ refers to the street smarts of an individual or organization, and this maturity generally comes from making plenty of mistakes, getting hacked a lot, and hopefully learning from each incident, measuring response times, and improving.

Let me say up front that all organizations get hacked. Even ones that are doing everything right from a security perspective get hacked probably every day if they’re big enough. By hacked I mean someone within the organization falls for a phishing scam, or clicks a malicious link and downloads malware. Because let’s face it, it only takes one screw up for the hackers to get a foothold in the network.

Now this is in itself isn’t bad. Unless you don’t have the capability to detect it and respond quickly. And if you can’t do that, you run the serious risk of having a small incident metastasize into a much larger problem.

Think of it like the medical concept of the ‘Golden Hour:’ That short window of time directly following a traumatic injury like a stroke or heart attack in which life-saving medicine and attention is likely to be most effective. The same concept holds true in cybersecurity, and it’s exactly why so many organizations these days are placing more of their resources into incident response, instead of just prevention.”

The United States’ somewhat decentralized healthcare system means that many ransomware outbreaks tend to be limited to regional or local healthcare facilities. But a well-placed ransomware attack or series of attacks could inflict serious damage on the sector: A December 2020 report from Deloitte says the top 10 health systems now control a 24 percent market share and their revenue grew at twice the rate of the rest of the market.

In October 2020, KrebsOnSecurity broke the story that the FBI and U.S. Department of Homeland Security had obtained chatter from a top ransomware group which warned of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Members associated with the Russian-speaking ransomware group known as Ryuk had discussed plans to deploy ransomware at more than 400 healthcare facilities in the United States.

Hours after that piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

In all likelihood, the HSE will get the money it needs to implement the programs recommended by PWC, however long that takes. I wonder how many U.S.-based healthcare organizations could say the same.

Read More

Top 10 Malware November 2021

Read Time:17 Second

In November 2021, the Top 10 stayed consistent with the previous month with the exception of Gh0st, Mirai, and Ursnif, which returned to the Top 10. The Top 10 Malware variants comprise 69% of the total malware activity in November 2021, decreasing 2% from October 2021. Shlayer and CoinMiner continue to lead the Top 10 […]

Read More

End-of-Support Software Report List

Read Time:18 Second

The importance of replacing software before its End-of-Support (EOS) is critical. EOS occurs when software updates, patches, and other forms of support are no longer offered, resulting in software becoming prone to future security vulnerabilities. Using unsupported software and firmware/hardware, puts organizations at risk in the following ways: Subsequent vulnerability disclosures place your organization at […]

Read More

CIS Benchmarks December 2021 Update

Read Time:18 Second

The following CIS Benchmarks have been updated or released.  We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made.  CIS F5 Networks Benchmark v1.0.0 This new Benchmark provides prescriptive guidance for establishing a secure configuration posture for F5 Networks. Thanks to the entire CIS F5 […]

Read More

Smashing Security podcast #255: Revolting receipts, a Twitter fandango, and shopkeeper cyber tips

Read Time:17 Second

“Demonically” possessed devices print out antiwork propaganda, advice on how to secure your store, and is Twitter’s new photo privacy policy practical?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.

Read More

NSA Guidance: Zero Trust Applied to 5G Cloud Infrastructure: Parts 1 and 2

Read Time:17 Second

Part 1 of a 2-part series By: Kathleen M. Moriarty, CIS Chief Technology Officer and active participant in the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group The Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group is an industry and government partnership which […]

Read More

Hear from the Experts with these Cybersecurity Podcasts

Read Time:17 Second

The selection of podcasts – on everything from gaming to movies to sports – has exploded in recent years. Whatever topic you’re interested in, chances are there’s a show for you. So what if you’re looking to learn more about an important and complex subject like cybersecurity? Where should you start and whom can you […]

Read More

Preventing the Most Common Cyber-Attacks with Cybersecurity Training

Read Time:3 Minute, 25 Second

Many offices are operating with a hybrid of remote and in-person workspaces as the COVID-19 pandemic continues and evolves. Wherever your team is located, security continues to be everyone’s responsibility. A refresher course in cybersecurity is a great way to help employees get back in the swing, and re-establish security best practices they may have forgotten.

Prevent Cyber Threat Actors from Taking Advantage

Cyber threat actors are always on the lookout for weaknesses they can exploit. In 2020, the transition to a remote working environment was the big concern. Now, the return to a “new normal” could be even riskier, as people regain access to secure areas and shared working spaces. Cyber-attackers will look for ways to take advantage of people’s return to the workplace, such as tricking returning employees into revealing passwords or credentials for accessing the office network and systems.

According to the 2021 Verizon Data Breach Investigations Report (DBIR), 85% of breaches involved a human element. These were primarily phishing (social engineering) and the use of stolen credentials (hacking). Cybersecurity awareness training will help keep your employees from making the kind of mistakes that could put your organization at risk.

Security Awareness and Skills Training in the CIS Critical Security Controls

Ongoing security awareness training is an important component of the cybersecurity best practices known as the CIS Critical Security Controls (CIS Controls). The CIS Controls offer prioritized and prescriptive actions that protect organizations from known cyber-attack vectors.

The recently released CIS Controls v8 includes one Control devoted specifically to security awareness and skills training (CIS Control 14). It recommends that organizations, “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”

A gap analysis of the cybersecurity skills and behaviors your employees lack is an important first step. With this information, organizations can build an education roadmap to train employees and influence their behavior in order to become more security conscious. A top priority is the ability to identify social engineering attacks such as phishing, phone scams, and impersonation calls.

Discounted SANS Training Available to SLTTs

Some of the best online cybersecurity awareness training is available through the SANS Institute, a trusted source for cybersecurity certification and research. The Center for Internet Security (CIS) is proud to collaborate with SANS to provide this training to U.S. State, Local, Tribal, and Territorial (SLTT) government entities. Now through January 31, 2022, eligible SLTT organizations can receive more than 50% off comprehensive security awareness training programs.

Source: © SANS Institute, SANS 2021 Security Awareness Report

SLTTs usually have a much smaller budget for security training than other organizations, as illustrated in the chart above. This is one of the main reasons why CIS and SANS partner to offer security training programs at an affordable cost, ensuring that critical government organizations can improve their security posture and enhance their cybersecurity readiness to better protect their staff, their citizens, and the nation.

SLTTs can access the SANS trusted and effective cybersecurity awareness training program, SANS Security Awareness, with competitive group purchasing discounts. Developed by highly experienced cybersecurity instructors and experts, SANS Security Awareness offers a customizable mix of end user training content to address relevant threats, teach security concepts that are critical to your workplace, and adhere to your organization’s corporate culture. Demos are also available for all versions of SANS Security Awareness. Employees can take online security training at home, prior to returning to the office, as easily as upon their return.

CIS Controls Training

Control 14 in the recently released CIS Controls v8 is focused on establishing and maintaining a security awareness program. If you’re interested in learning more about the latest version of the CIS Controls, auditing your security program against their recommendations, and implementing the best practices in your organization, the updated SEC566: Implementing and Auditing CIS Critical Controls course is available at a significant discount through our partnership program. Dozens of other OnDemand and Live Online courses from SANS are available as well.

Read More

Why OAuth is so Important: An Interview with Justin Richer

Read Time:14 Minute, 6 Second

This is the third article in this series by Kathleen Moriarty, CIS Chief Technology Officer.

In this article, Moriarty interviews Justin Richer, an internet security expert with over two decades of experience, and author of “OAuth2 In Action,” as well as many OAuth (Open Authorization) extensions. Together they take a deep dive into authentication, authorization, federation, and related technologies.

Related articles in this series:

Why Are Authentication and Authorization So Difficult?
Authentication and Authorization Using Single Sign-On

Moriarty: Strong authentication and dynamic authentication are intrinsic to a zero trust architecture as these measures reduce the chance of an attacker gaining a foothold on your network, moving laterally, or surviving a reauthentication request. It’s not as simple to just deploy these technologies as there are many to choose from and there are lots of deployment considerations to ensure the expected security gains are met. Let’s say an organization has selected a multi-factor authentication (MFA) solution that meets their needs (). They are considering an authorization framework.

What are the high-level considerations for an organization considering OAuth?

Richer: OAuth is a powerful security framework that allows software to act on the behalf of users without exposing their credentials to the software. OAuth is a fairly loose collection of related protocols that are applicable in different environments, and the first choice to be made is which pieces to deploy. The OAuth working group is currently drafting OAuth 2.1 that pulls together many of the best practices from the last decade of experience with this protocol family. In OAuth 2.1, if there is a user involved in the delegation process, the recommendation is to use the Authorization Code Grant with the Proof Key for Code Exchange extension (PKCE). If there is no user involved with the delegation process, the recommendation is to use the Client Credentials Grant. Other grant types and extensions are available for specific applications and use cases, but these two cover the majority of cases.

What security considerations should organizations keep in mind for deployments?

Richer: The OAuth Authorization Server (AS) is the key point for an OAuth system. Since the AS issues access tokens and authorizes the client software, if the AS is compromised, then an attacker could act with impunity on the network by impersonating anyone. This is the core issue behind the Golden SAML attack at the center of the Solar Winds breach. The SAML equivalent of the AS was attacked and its signing keys were stolen, allowing attackers to bypass all the security and authentication requirements in the system by acting as their own AS. Therefore, protection of the AS, its keys, and its storage are of the utmost importance.

Ultimately, the trust model of an OAuth system is a combination of trusting the AS, the client software, and the end users. In a functioning delegation, the end user delegates their access rights to the client software using the AS as a means for accomplishing this. An OAuth deployment needs to be able to answer key questions such as who is allowed to delegate authority, to whom, and for what. These questions will guide deployers in determining how to build and configure their OAuth systems.

The OAuth working group learned quite a bit from a security protocol proofing performed by researchers a few years back. Have the gaps been addressed in available libraries and products?

The OAuth ecosystem is continuously evolving. These days, most libraries support PKCE and related projects, however some naive but well-meaning implementations skip important checks like randomizing and validating the “state” parameter or sharing client identifiers between different pieces of software. It is possible to build out a very secure OAuth ecosystem, but it’s still up to the deployer and developer to implement all the appropriate checks.

What is OpenID Connect and how does OAuth fit into it?

OpenID Connect is an identity protocol built on top of OAuth 2.0. Where OAuth provides software a way to access something on a user’s behalf, OpenID Connect extends this by saying that the software is asking for access to the identity of the end user. In this way, OpenID Connect can leverage all the power and flexibility of OAuth and deliver an authentication technology on top of an authorization technology. OpenID Connect accomplishes all of this by adding several important constructs to OAuth, including an identity assertion (called an ID Token) separate from the access token, as well as a standardized identity API (the UserInfo Endpoint) that is protected by OAuth. The OAuth portions of OpenID Connect can simultaneously be used to grant access to other resources, in addition to the user’s identity, at the same time. In this way, a user can log into a piece of software and let that software access protected functionality on their behalf.

Moriarty: OWASP Top 10 Web Application Security Risks highlights key recommendations to protect against common application vulnerabilities and includes recommendations for OpenID Connect and OAuth, such as the use of a JSON Web Token for cryptographic protection on authorization tokens.

Are these recommendations baked into products and libraries or are there certain actions implementers need to be keenly aware of?

Access tokens need to be constructed in such a way that an attacker can’t generate or modify the token and what it’s good for. The use of JWT as an access token format is one approach that is commonly supported, and another is to use cryptographically random reference tokens that contain no information in them. These tokens can be used with OAuth Token Introspection to look up token information in real time from the AS. Furthermore, key-bound access tokens like OAuth mutual transport layer security (MTLS), OAuth Demonstration of Proof of Possession (DPoP), and the newly-proposed OAuth HTTP Signature binding all make it more difficult for an attacker to steal and use access tokens by tying the token to a key.

The key itself is not sent over the wire with the access token, so theft of both would require a much more advanced attack than simply stealing a valid token in flight from a poorly-configured client or resource. We are seeing an increase in software that supports these more advanced token formats, though bearer tokens (OAuth’s default, which requires no such key) are far and away still the most common.

Moriarty: As mentioned earlier in the blog series, the Security Assertion Markup Language (SAML) vulnerability led to attackers being able to bypass multi-factor authentication in the SolarWinds attack. The only recommendation I’ve seen to avoid this exploit, dubbed a golden SAML attack, is to correlate logs for authorizations back to authentication.

Are there other well-known vulnerabilities in SAML?

Richer: In the SolarWinds attack, the attackers were not only able to create valid assertions that looked just like they had come from the identity provider (IdP) but  they were also able to inject those assertions into waiting applications. SAML’s WebSSO profile is built around the application waiting for such an assertion to be injected from the web browser, which allowed attackers to create active sessions for arbitrary users. The applications being attacked made no difference between waiting for a response to a login request and receiving a request unbidden. SAML does have an Artifact Binding extension that would prevent this, but that extension is largely unused in the wild.

Why might an organization use SAML versus other available federation technologies?

Richer: Federation technologies are often chosen as the least common denominator among the parties who want to federate. Therefore, if both sides speak SAML and not something else, then SAML is the sensible choice because it’s what’s available.

While OAuth is an authorization technology and SAML is a federation technology, might OpenID Connect that includes OAuth be a better option than SAML today?

Richer: OpenID Connect is greatly superior to SAML from a technology standpoint in most measurable ways, especially when used with OAuth 2.0’s best security practices (such as not using the Implicit Grant Type). OpenID Connect also separates the assertion carrying the authentication event (the ID Token) from the conveyance of user account attributes (from the UserInfo Endpoint). SAML combines these both into a single assertion, and also encourages the use of this assertion to access additional resources beyond logging in. The separation of concerns allows for better privacy practices and better efficiency, as attributes don’t need to be passed around all the time. It also enables better security, as selective discloser can be used to limit what attributes are sent for a given transaction. Furthermore, OpenID Connect can be deployed more readily for non-web applications, such as mobile applications.

OpenID Connect also encourages short-lived assertions and the use of proper session management at client applications, as opposed to a single assertion that lives long and should be used at multiple different applications for login. Finally, OpenID Connect’s use of OAuth allows the client application to access additional services and APIs with the same access token, making for a better user and developer experience.

When might you use both OpenID Connect and SAML?

Richer: One would use multiple types of federation technology when the endpoints and environments that they need to connect to already speak those types. It is not uncommon for an organization to expose their identity infrastructure with multiple protocols in parallel to fit these cases. From a user’s perspective, SSO is still achieved as one account allows them to log into multiple applications. There are some cases where an identity proxy is used to translate between one federation protocol and another, allowing two groups to connect to each other that otherwise would be technologically limited. Such situations come with their own risks, such as the proxy being attacked directly or actions being tracked.

Moriarty: You [Richer] havebeen active in the Grant Negotiation and Authorization Protocol (GNAP) working group of the IETF as an author of this new proposed standard. Having been involved in the effort for the design team, the working group has been considering these types of attacks.

What measures are being baked into the Security Considerations for GNAP to prevent attacks like golden SAML?

Richer: The golden SAML attack counts on the attacker being able to create a signed artifact just like the AS and having that artifact accepted by the target to effect a log in or resource access. If the AS’s keys are stolen and those keys are used for things like generating signed access tokens to be trusted by resource servers, then an attacker would be able to create their own trusted access tokens. Technologies like token introspection, which is a built-in option for GNAP, can help this with liveness detection. Additionally, all access tokens in GNAP are, by default, bound to keys associated with client instances. If the resource server is able to validate the identifier for the key in addition to the access token itself, it will be able to further protect itself against accepting bad tokens. Finally, a resource server is going to want to analyze how and where access tokens are being presented. If the same token is rapidly being presented from different parts of the world, for example, that raises suspicion. These are approaches that can be used with OAuth but are more naturally fit for GNAP.

Fundamentally however, the access token is not used to log in a user to an application. That job is given to the assertion next to the access token. The assertion is directed at the client application, not the resource server. While an attacker who steals the AS’s keys would be able to generate a signed assertion, it would be more difficult to insert that assertion into the client application because of how GNAP is designed. Assertions that would constitute a login are only ever passed as a response to a direct HTTP call to the AS, never injected from an untrusted context like a web browser. In order to inject a fraudulent assertion, an attacker would need to impersonate the target AS enough that the client instance would be talking directly to the attacker. This would require things like DNS and certificate poisoning attacks on top of the signing key theft.

Additionally, GNAP is being designed in a dynamic-first mindset, where the relationships between all parties are not necessarily known ahead of time. OAuth and SAML assume that all parties have made agreements to behave nicely ahead of time, and the trust of the network relies on those agreements. While GNAP allows such agreements, they are an optimization on top of a protocol that assumes a dynamic introduction of all actors and components. This dynamic trust model puts less trust into any individual component and more into the overall holistic process. An attacker then has to attack the process itself in order to execute successfully.

We have a number of authorization protocols, why is GNAP important?

GNAP is building on what came before it, in the same way that OAuth 2.0 built on OAuth 1.0, AuthSub, and BBAuth, and the way that OpenID Connect built on OpenID 2.0 and SAML. GNAP is being designed in a forward-facing way that embraces security and privacy in ways we now know are important, and its design takes into account the kinds of applications and deployments you see around the internet today. For example, single-page applications and mobile applications are currently much more common than server-side web applications on a dedicated server, and GNAP’s core design assumptions take that into account. We’re also seeing a push against OAuth’s assumption of the user always being in a web browser, and GNAP accounts for this by having an abstracted and extensible interaction phase. None of this is being built in a vacuum, and all the best aspects of things that have come before are being incorporated. Instead of patching together spot-fixes that often conflict, GNAP is letting us design a better foundation.

Moriarty: From my perspective, it seems that adding another authorization protocol could be confusing to industry.

Would GNAP replace OAuth 2.0 for some implementations and why?

For many systems, GNAP would replace OAuth 2.0 as it can solve the same core problems in a very similar fashion. Where GNAP really shines is the spaces where OAuth is awkward or lacking. In much the same way that OpenID Connect took over the use cases where SAML began to fail – mobile applications and API access, for instance – GNAP can take over in cases where OAuth starts to fall apart, such as cross-application delegation, multi-user and multi-stage access rights, and complex API access. And GNAP is able to do this all with a simplified and clean protocol that fits modern environments.

I’d like to thank Justin Richer for his time and valuable insights!

About the Author

Kathleen Moriarty
Chief Technology Officer

Kathleen Moriarty, Chief Technology Officer, Center for Internet Security has over two decades of experience. Formerly as the Security Innovations Principal in Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.

Kathleen achieved over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as, a Bachelor of Science Degree in Mathematics from Siena College.

 

 

About the Guest

Justin Richer
Security Architect | Author

Justin Richer is a security architect, software engineer, standards editor, and systems designer with over two decades of industry experience. He is the lead author of “OAuth2 In Action” from Manning Publications (with Antonio Sanso) and contributor to OAuth 2.0 and OpenID Connect. Justin is the editor of the OAuth extensions for dynamic client registration (RFC 7591, RFC 7592) and token introspection (RFC 7662), and authored Vectors of Trust (RFC 8485). Justin is a co-author of the U.S. federal Digital Identity Guidelines (NIST SP 800-63) and contributing editor to UMA 2.0. He is the editor for GNAP and HTTP Message Signatures in the IETF. An ardent proponent of open standards and open source, he believes in solving hard problems with the right solution, even if that solution still needs to be invented.

Read More