Im going to disagree with you there. I dont think the problem is a lack of experts, I believe the bigger problem is lack of basic security knowhow in our admins and developers, along with the necessary transparency and documentation to allow an admin to know exactly how authentication is being preformed.

Experts are for expanding the knowledgebase of the field, discovering new attack/defense techniques, etc, but we can’t honestly blame the lack of them for problems like this.
Issues with IPs and MAC addresses were added to that knowledgebase a couple decades ago and by now there is really no excuse for systems to still be being built/updated that use those mechanisms.

Very astute Ray.

I am with the vendor a security sub-system that is in effect, an “authorization engine” that works in tandem with IDM or authentication methods. Enforcement of user access rights are extended from the network edge to the resulting end behaviors that occur on the network, post-authentication.

It is very common to view authentication used as a “proxy” for authorization, which is insufficient. Without actual enforcement, the opportunity for unauthorized behaviors will exist. If we think about your quote of the 4th principle, and realize that is generally easy for malware or external attackers to gain entry to the network, then an extension of that is that the current lack of this capability is why malware and insiders currently present high security risk.

What is not realized often enough, is that external attackers that successfully penetrate the perimeter are now insiders. Their highest probability of success comes from assuming the identity of low ranking employees, because there tends to be more of them. The lack of authorization at that point is why there is a failure to prevent privilege escalation, at which point the attacker has access to anything in the network.

A strong authorization engine protects the systems and resources from even the authorized users with passwords.

This is where some time ‘attacking’ will in the long run inform ‘design’. I agree with Jake on learning more about the folks you’re hiring, but also like to point out that newbie to expert is not a simple phase transition, it takes time.

I would note that the comments from Ray with regard to distinction of authorisation are additionally insightful and serve as an important element of access control even where authentication is implemented in an ideal manner in order to ensure access is permitted only as required.

You’re quite right about the strength of MACs and IP addresses – we are in the midst of an assessment during which we used faking of both – not to perform an attack but to get access to another network for setup! We’ll use the techniques for the actual pen-test once we download all the packages we want.

Another issue is reliance on VLANs as a security measure. I can’t claim any credit, but my teams have used multiple techniques to get past VLAN separation, usually to get to the primary, privileged VLAN.

All of this relates back to the fourth principle of cyberwarfare (according to Duggan and Parks :

Some entity within the cyber world has the authority,
access, or ability to perform any action an attacker desires
to perform. The attacker’s goal is to assume the identity of
that entity, in some fashion.

That estimate sounds about right, though it may be off by a factor of two or three. There aren’t many who really understand what goes on in a network, what the authentication is based upon, or even what authentication actually is.

These are still very new and raw fields of interest. There are lots of pretenders. The public doesn’t know the difference between the wannabes and the real pros.

Until professional organizations get good at showing people what to look for and what to expect from a reputable security professional, I feel that this farce will continue.