Cybercrime and insider access are now fully commoditised on the black market; just a few pounds will buy your way inside a Fortune 500 company network, and the data fetches a high price. Exploitation of privileged accounts (IT and administrator accounts with higher permissions and rights than average users) is a key tactic in modern cyberattacks. Privileged access is the simplest way into a network, and as organisations move to the cloud, streamline supply chains and invite third parties to routinely access their infrastructures, cyber attackers are increasingly targeting these accounts to steal and exploit their access. Attack techniques are becoming more widely available and easier to learn, lowering the bar to becoming a black-hat hacker.
What is the ‘Insider Threat’?
Cyber breaches that leverage privileged accounts are damaging and difficult to detect, shut down and recover from, because they require an organisation to identify a legitimate login that is being used for illegitimate purposes. Misused privileged access can be used to mount denial-of-service attacks, breach personal data, complete unauthorised transactions, and then hide all of this activity by deleting audit data (particularly if the attacker is an insider with existing domain knowledge). Privileged attackers look just like normal traffic and can cover their tracks, remaining undetected for months or even years.
How big is the issue?
Though regulators and auditors enforce controls to monitor it, over 65% of organisations still allow unrestricted and unmonitored use of privileged accounts, and in most organisations developers, contractors and other system administrators all receive full super-user rights, limiting accountability and auditability. In fact, 86% of large enterprise organisations either don’t know or underestimate the number of privileged accounts associated with their networks. There are often 3 to 4 times more privileged accounts than employees. Passwords are shared widely and rarely changed, and the credentials of ex-employees or contractors are rarely revoked. In the case of Microsoft, an attacker was able to log into their network 15 years after his employment there was terminated. This is the equivalent of forgetting how many people you have given copies of your front-door keys to, and who they were.
How are businesses responding?
Most businesses operate in reactive mode with the focus on detection and remedy after a breach, rather than prevention altogether. Like a deer in headlights, they continue to use out-of-date systems that haven’t been appropriately updated for today’s connected society with routine remote access. Furthermore, no one monitors these systems to know who is using them, or what data is leaving the network. For instance, no one at the Department of Education, responsible for storing data from millions of student loan applicants, even noticed when auditors connected rogue hardware to their network. Neither Snowden’s data breach nor that infamous Target attack could have been carried out without the abuse of privileged account credentials. The same goes for the IRS data breach, with weak passwords like ‘password’ and 7,329 ‘potential vulnerabilities’ due to uninstalled software patches.
Is Privileged Access Management the solution?
As threats evolve, so do security requirements. We’re starting to see an industry-wide shift to more omnipresent solutions like Privileged Access Management. Privileged Access Management tools help businesses provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring all privileged accounts and access. Increased security risks, evolving IT infrastructure, regulatory milestones such as GDPR (May 2018) and Cyber Essentials, and proven ROI for investments in Privileged Access Management have led Gartner to estimate that the Privileged Access Management market will grow at 27% CAGR through 2020. This accounts for 2% of all cyber-security spending and 38% of the IAM market. Gartner also predicts that by 2020, over half of all security failures associated with IaaS and PaaS will be directly attributable to gaping security holes caused by failure to adopt Privileged Access Management processes and technology. Businesses need to wake up. Regardless of attack origin, leveraging privileged accounts is a critical success factor for attackers in 100% of all advanced attacks.
What can your business do?
- Identify all critical business systems and assets
- Isolate, monitor, and manage every point of access
- Identify and reduce the number of privileged accounts
- Deploy multi-factor authentication to secure privileged accounts
- Enforce the principle of least privilege to restrict end-user access
- Monitor and record all activity
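The third step above (identify and reduce privileged accounts) is where most organisations lack even basic numbers. The following added example, which is not Osirium's code, runs a hygiene audit over a constructed account inventory and HR roster: it flags privileged accounts whose owner has left, shared accounts with no owner, privileged accounts without MFA, stale accounts, and the privileged-accounts-per-employee ratio the article cites. The 90-day staleness threshold and the data are assumptions.

```python
"""Privileged-account hygiene audit over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 90                 # assumption: no logon in 90 days counts as stale
REPORT_DATE = date(2018, 3, 5)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Account:
    name: str
    owner: str          # employee id; "" marks a shared or service account
    privileged: bool    # member of an admin/sudo/root-equivalent group
    mfa: bool
    last_logon: date


# Constructed sample data: a four-person team and the accounts it accumulated.
EMPLOYEES = {"e100": "active", "e101": "active", "e102": "terminated", "e103": "active"}
ACCOUNTS = [
    Account("alice", "e100", False, True, date(2018, 3, 1)),
    Account("alice-adm", "e100", True, True, date(2018, 3, 1)),
    Account("bob-adm", "e101", True, False, date(2018, 2, 20)),      # no MFA
    Account("carol-adm", "e102", True, True, date(2017, 11, 5)),     # owner has left
    Account("svc_backup", "", True, False, date(2017, 9, 1)),        # shared, stale
    Account("dave-adm", "e103", True, True, date(2018, 3, 2)),
]


def audit(accounts, employees, today):
    """Return per-check lists of privileged account names plus the
    privileged-accounts-per-active-employee ratio."""
    priv = [a for a in accounts if a.privileged]
    findings = {
        # owner id present but not an active employee (or unknown to HR)
        "orphaned": sorted(a.name for a in priv
                           if a.owner and employees.get(a.owner) != "active"),
        "shared": sorted(a.name for a in priv if not a.owner),
        "no_mfa": sorted(a.name for a in priv if not a.mfa),
        "stale": sorted(a.name for a in priv
                        if (today - a.last_logon).days > STALE_DAYS),
    }
    active = sum(1 for status in employees.values() if status == "active")
    findings["ratio"] = round(len(priv) / active, 2)
    return findings


if __name__ == "__main__":
    for check, result in audit(ACCOUNTS, EMPLOYEES, REPORT_DATE).items():
        print(f"{check:>9}: {result}")
```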
Author: Andy Harris, Chief Technology Officer at Osirium
Andy has over 25 years’ experience inventing and building unique IT networking and security products. In a long and distinguished career, including a spell as Technical Director at Integralis, Andy has invented many leading-edge technologies, including IP Network Translation Gateway, Print Symbiont Technologies for LAN-based printers and Disaster Master, a technique for continuously updating a backup site with mirrored data.
As one of the co-founders and CTO of MIMEsweeper, Andy was the creator of the world’s first content security solution, which became the default product in its space. Andy went on to start WebBrick Systems, one of the pioneering Home Automation technologies and a forerunner of what we know as IoT devices today. While serving as Engineering Director, Andy created and patented several core components in the Osirium product family.