News, Featured Robert Miranda

ForgeRock Releases Directory Services Security Advisory

Hub City Media advises all ForgeRock clients review this security vulnerability with their team…

As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released a security advisory update for Directory Services. 

To maintain the best possible security posture, please review this patch with your team.

For assistance with applying this patch, contact us.

 

ForgeRock Directory Services 5.5.2

Component: Core Server

Security Advisory #201803: ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.

Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.

Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.

Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.
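
A detection-side illustration of the condition described above, added here and not taken from ForgeRock or Hub City Media: it flags accounts that keep receiving bind attempts after reaching the lockout threshold. The event tuples are constructed (they are not the DS access log format), and the threshold of 3 failures with no automatic unlock is an assumption.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 3      # assumed policy: lock after 3 consecutive failed binds
INVALID_CREDENTIALS = 49   # LDAP result code invalidCredentials
SUCCESS = 0                # LDAP result code success

# Constructed sample bind events: (ISO timestamp, bind DN, LDAP result code).
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
SAMPLE_EVENTS = (
    # alice: 3 failures reach the threshold, then 6 further attempts
    [(f"2018-06-01T10:00:{s:02d}", ALICE, 49) for s in range(9)]
    # bob: 2 failures, a successful bind resets the counter, 1 more failure
    + [("2018-06-01T10:05:00", BOB, 49), ("2018-06-01T10:05:05", BOB, 49),
       ("2018-06-01T10:05:09", BOB, 0), ("2018-06-01T10:06:00", BOB, 49)]
    # carol: 3 failures reach the threshold, then 2 further attempts
    + [(f"2018-06-01T10:10:{s:02d}", CAROL, 49) for s in range(5)]
)


def binds_after_lockout(events, threshold=LOCKOUT_THRESHOLD, min_attempts=5):
    """Return {dn: attempts} for accounts that kept receiving bind attempts
    after reaching the failure threshold (simplification: no unlock or expiry)."""
    consecutive = defaultdict(int)   # consecutive failed binds per DN
    post_lock = defaultdict(int)     # bind attempts seen once the DN is locked
    for _ts, dn, code in sorted(events):   # ISO timestamps sort chronologically
        if consecutive[dn] >= threshold:
            # Account is locked under the assumed policy: every further bind
            # is a candidate guess against the locked account.
            post_lock[dn] += 1
        elif code == SUCCESS:
            consecutive[dn] = 0
        elif code == INVALID_CREDENTIALS:
            consecutive[dn] += 1
    return {dn: n for dn, n in post_lock.items() if n >= min_attempts}


if __name__ == "__main__":
    for dn, attempts in binds_after_lockout(SAMPLE_EVENTS).items():
        print(f"{dn}: {attempts} bind attempts after lockout")
```

Accounts reported here are worth a password reset review on unpatched servers, since the advisory states that a locked account's password could still be guessed.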



With every patch update, our team ensures your ForgeRock system is up to date and running smoothly.

Learn more about how we can help you...

News, Featured Jacque Tesoriero

What Happens in the Cloud, Stays in the Cloud: AWS re:Invent takes Vegas

This conference is an eye opener for anyone in the field, from potential developers to CTOs...

From November 27 to December 1, the city of Las Vegas was a hub for Identity and Cloud discussions - from the Gartner IAM Summit to the AWS (Amazon Web Services) re:Invent Cloud Conference. With an ever changing industry landscape, it can be difficult to keep up; however, the AWS conference brought a multitude of new ideas to the table and did not disappoint.

Members of the Hub City Media team attended re:Invent, including CTO and founder Steve Giovannetti. “This is the future of how systems are going to get developed. We’re going to start seeing more people going to the cloud, more interesting uses of the cloud and serverless technologies like AWS Lambda. This is the next step in the cloud evolution.” 

Thousands attended the conference, bustling back and forth between keynotes and Tech Talks. One talk that stood out to our team was “Automating DDoS Response in the Cloud,” focusing on how to automate security infrastructure. Large-scale cyber security attacks are becoming more and more frequent - staying a step ahead of hackers is crucial to keeping our data safe. We were able to see what innovations AWS is making in the cloud, including using an Amazon Dash Button to run scans or ask Alexa if they’d been hacked. Looks like she does more than report weather!

Giovannetti also participated in the annual AWS Hackathon, along with about 400 others. Teams worked on completing a series of challenges over the span of eight hours - many providing difficult hurdles to overcome. The challenges spanned from requiring forensic analysis to taking a broken environment, repairing and then hardening it. Through this, the audience was able to see the extensive security features and services offered by AWS. 

One of the most interesting aspects of the conference was seeing how AWS’s biggest clients, like Netflix and Capital One, are leveraging the platform. The major common thread between these types of clients is the use of automation as the key to managing large environments. Many clients were using AWS Lambda to implement Open Source frameworks to a surprising scale, as well as building functions to enforce security policy. 

AWS went through a laundry list of new announcements for their technology, including AWS support for Kubernetes and Amazon GuardDuty Intelligent Threat Detection System. One of our many takeaways from this conference is that, with the incredible amount of talks, meetings and keynotes to attend, attendees really need to focus on one track and stick to it in order to walk away with the most value. This conference is an eye opener for anyone in the field, from potential developers to CTOs - even if you don’t use AWS, the conference still provides copious amounts of new and important information.

Hub City Media’s Security Engineer, Eli Krantz, was very satisfied with his learning experience and enjoyed the “TED-talk-like” atmosphere. “Anyone who is uncertain about moving to the cloud will change their mind after attending this conference. I went in liking the cloud, but for the skeptics out there, this is a great one to attend. It really gets you thinking about how to handle and audit security in the future. I left with a much stronger understanding of AWS security practices, and I’m excited to use this in the field.” 

See you next year! 


For a closer look at what went on at the conference this year, check out the AWS YouTube channel.
 

News, Featured Jacque Tesoriero

Enterprise User Security Lunch & Learn with Oracle

Atlanta Lunch & Learn on Enterprise User Security sparks important discussion...

Hub City Media (HCM) and Oracle hosted a Lunch & Learn event in Atlanta on April 7, 2016, providing industry leaders with the opportunity to discuss Enterprise User Security (EUS). The discussion focused on simplifying user management and avoiding common security risks.

As enterprises keep up with data proliferation, database tasks such as provisioning, resetting passwords, assigning roles and managing privileges become a greater challenge. We established this forum to help businesses understand how to consolidate / manage user credentials and privileges using Directory services while strengthening security and compliance. 

HCM presented various case studies around EUS, showcasing our ability to assist customers with database issues by implementing EUS; they were well received by the audience. Two examples are detailed below.

National Insurance Company

Business Problem
-Manage database access by individuals with AD credentials
-Include multiple AD domains across operational groups in multiple data centers
-Retain user identity in database account name

Technical Solution
-Enterprise User Security
-OUD with replication across data centers
-OUD proxy links to 3 AD domains
-Dedicated Schema account mappings

National Healthcare Management

Business Problem
-Healthcare breaches in the news
-Risk focus on individual user database access: authentication and authorization
-Risk assessment showed poor password management and orphan account management

Technical Solution
-Enterprise User Security
-OUD with replication across data centers
-OUD proxy to Active Directory
-Mix of Shared and Dedicated Schema account mappings
-Enterprise roles provisioned via group membership

 

Demonstration on Oracle Enterprise User Security. Presented by Hub City Media, Inc.

Even if you’re already using Oracle Data Redaction, Database Firewall, Virtual Private Database and / or Fine Grained Auditing, EUS can also significantly improve the quality and enforcement of your policies. This feature can simplify account provisioning across ALL Oracle databases and can be fully managed through an Active Directory.

 

If you'd like to learn more about EUS or any of our Database Security or IAM offerings, we'd be happy to help! Contact us for more information.

 

Hub City Media is a software integrator specializing in sophisticated Identity and Access Management solutions, custom software development and integrations. We provide fully customizable Professional Services and 24 / 7 / 365 Managed Support tailored to the specific needs of each organization. 
