Service Providers and Tier 0
Jul 5th, 2018 by Jesper Kråkhede
As you know if you work in the field of Credential Theft, Tier 0 is the most important thing to protect. With Tier 0 access I pwn a company, to use a security term. The implications from a contractual perspective are seldom considered when a company decides to outsource Tier 0, i.e. their Domain Controllers and PKI.
My challenge here is to understand why the risks aren't understood, either from a customer perspective or from a service provider perspective. From the customer perspective, the following is what I hear most often when meeting customers after they have been compromised: 'Top managers are deciding to utilise reputable contract security firms to be their security experts'. This means that they don't understand the consequences of outsourcing Tier 0, nor of a breach of Tier 0. This would be all well and good if they wrote into the contract that Tier 0 must be protected, but this seldom happens. Instead there are only quite general statements about security management.
From a service provider perspective they are bound by costs, mainly keeping the cost as low as possible, as the market is very competitive. In the high-profile deals a price difference of a mere 2% easily amounts to hundreds of thousands or millions of dollars, meaning that solutions that are not streamlined for all customers will not be implemented. Any service provider with cost-conscious customers will sadly not implement the type of security described by Microsoft in the SPA Roadmap. Furthermore, 'reputable contract security firms' are, like any other consultancy company, bound by the rules of supply and demand: they can only supply the competence they have and will only supply the competence customers buy. Many consultancy firms are interested in selling as much time as possible with as little training as possible. This means that in the security market they'll go for complex security products that take time to implement, as that time can be billed to customers. They'll also seldom update their skills on a corporate level, meaning that they'll try to sell their defined security services even if they are outdated, as long as customers want to buy them. As long as customers lack the skills needed to understand the risks and the proper mitigations for them, less than good security consultants will thrive in selling ineffective security to customers.
During the following months I'll dive into this and describe different cases I have encountered.