Breaches to enterprise security are often an inside, albeit unintentionally, thanks in part to the rise of privileged users. Once hackers gain access to a system, they use the access levels of a certain user to make lateral moves and ultimately wreak havoc.
Compromising privileged user credentials is one of the most common attacks organizations face, said Dale Gardner, director of product marketing CA Technologies, in a recent webinar hosted by IT World Canada, Are Your Must Trusted Employees Your Biggest Security Risk?
“Privileged users used to be a small number of individuals in an organization.” But this has changed thanks to the advent of virtualized environments and cloud computing coupled with increased access given to business partners and suppliers. “With those you see a growth in the number of administrators within the organizations and expansion of the attack surface.”
High profile breaches in the last few years have been key in driving interested in privileged access management (PAM), said Gardner. The one thing Home Depot, Anthem and Ashley Madison all have in common are privileged access credentials. In the case of Ashley Madison, source code from its system was dumped into the public domain and it included passwords to access third-party technology services such as Amazon Web Services.
“Increasingly we’re being concerned about espionage,” he said. “Attackers are moving beyond cybercrime to higher stakes gambits.”
Gardner said an effective method to prevent or detect breaches is to envision a kill chain, which is a way to look at how hackers get into a system and what they have to get what they want. “By understanding that and having a predictable series of events, you find opportunities to stop the chain of events.”
Generally, when an attacker gets inside a network, odds are the system the hacker landed in is not the end target. Instead, he will make lateral moves by elevating privilege in the system and repeat as necessary until the desired information attained or the desired damage is done. “An attacker can keep trying,” said Gardner. “A defender just has to make one mistake.”
A lot of environments lack PAM, making it easy for hackers to circumvent weak or default passwords, he said, and without automation in place, it becomes operationally difficult to manage passwords. Multi-factor authentication used to be difficult and expensive but the economics have changed and it’s now simpler to implement. “It’s reached a point where it’s best practice.”
Gardner said the best approach is one of “zero trust” where users are first authenticated but not given access to any specific resource until a policy has been defined in the system. Meanwhile, fear, uncertainty and doubt – the FUD Factor – helps to get the attention of senior management and convince them that security technology such as PAM is worth the investment, but using the kill chain illustration to demonstrate there are solutions to solve the problem goes even further.
Gardner said organizations are at various stages in the PAM maturity model. Technology is part of it, but processes and having management engaged with it are also necessary. Enterprises in the early stage are generally relying on technology that came with a specific application to manage access and the moving on to various point solutions. At a certain point, he said, PAM ideally stops being its own thing and becomes part of an enterprise’s overall governance model.
“It’s important for organizations to have a roadmap.”