Skip to content

Posts tagged ‘Privileged Credential Abuse’

May 3

CIO’s Guide To Stopping Privileged Access Abuse – Part 2

Why CIOs Are Prioritizing Privileged Credential Abuse Now

Enterprise security approaches based on Zero Trust continue to gain more mindshare as organizations examine their strategic priorities. CIOs and senior management teams are most focused on securing infrastructure, DevOps, cloud, containers, and Big Data projects to stop the leading cause of breaches, which is privileged access abuse.

Based on insights gained from advisory sessions with CIOs and senior management teams, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates. In another survey completed by Centrify, 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access abuse. Furthermore, 65% of organizations are still sharing root or privileged access to systems and data at least somewhat often. Centrify’s survey, Privileged Access Management in the Modern Threatscape, is downloadable here.

The following are the key reasons why CIOs are prioritizing privileged access management now:

  • Identities are the new security perimeter for any business, making privileged access abuse the greatest challenge CIOs face in keeping their businesses secure and growing. Gartner also sees privileged credential abuse as the greatest threat to organizations today, and has made Privileged Account Management one of the Gartner Top 10 Security Projects for 2018, and again in 2019Forrester and Gartner’s findings and predictions reflect the growing complexity of threatscapes every CIO must protect their business against while still enabling new business growth. Banking, financial services, and insurance (BFSI) CIOs often remark in my conversations with them that the attack surfaces in their organizations are proliferating at a pace that quickly scales beyond any trust but verify legacy approach to managing access. They need to provide applications, IoT-enabled devices, machines, cloud services, and human access to a broader base of business units than ever before.
  • CIOs are grappling with the paradox of protecting the rapidly expanding variety of attack surfaces from breaches while still providing immediate access to applications, systems, and services that support their business’ growth. CIOs I’ve met with also told me access to secured resources needs to happen in milliseconds, especially to support the development of new banking, financial services, and insurance applications in beta testing today, scheduled to be launched this summer. Their organizations’ development teams expect more intuitive, secure, and easily accessible applications than ever before, which is driving CIOs to prioritize privileged access management now
  • Adapting and risk-scoring every access attempt in real-time is key to customer experiences on new services and applications, starting with response times. CIOs need a security strategy that can flex or adapt to risk contexts in real-time, assessing every access attempt across every threat surface and generating a risk score in milliseconds. The CIOs I’ve met with regularly see a “never trust, always verify, enforce least privilege” approach to security as the future of how they’ll protect every threat surface from privileged access abuse. Each of their development teams is on tight deadlines to get new services launch to drive revenue in Q3. Designing in Zero Trust with a strong focus on Zero Trust Privilege is saving valuable development time now and is enabling faster authentication times of the apps and services in testing today.

Strategies For Stopping Privileged Credential Abuse – Part 2  

Recently I wrote a CIO’s Guide To Stopping Privileged Access Abuse – Part 1 detailing five recommended strategies for CIOs on how to stop privileged credential abuse. The first five strategies focus on the following: discovering and inventorying all privileged accounts; vaulting all cloud platforms’ Root Accounts; auditing privileged sessions and analyzing patterns to find privileged credential sharing not found during audits; enforcing least privilege access now within your existing infrastructure as much as possible; and adopting multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources.

The following are the second set of strategies CIOs need to prioritize to further protect their organizations from privileged access abuse:

  1. After completing an inventory of privileged accounts, create a taxonomy of them by assigning users to each class or category, personalizing privileged credential access to the role and entitlement level for each. CIOs tell me this is a major time saver in scaling their Privileged Access Management (PAM) strategies. Assigning every human, machine and sensor-based identity is the goal with the overarching objective being the creation of a Zero Trust-based enterprise security strategy. Recommended initial classes or categories include IT administrators who are also responsible for endpoint security; developers who require occasional access to production instances; service desk teams and service operations; the Project Management Office (PMO) and project IT; and external contractors and consultants.
  2. By each category in the taxonomy, automate the time, duration, scope, resources, and entitlements of privileged access for each focusing on the estimated time to complete each typical task. Defining a governance structure that provides real-time access to resources based on successful authentication is a must-have for protecting privileged access credentials. By starting with the attributes of time, duration, scope and properties, organizations have a head start on creating a separation of duties (SOD) model. Separation of duties is essential for ensuring that privileged user accounts don’t have the opportunity to carry out and conceal any illegal or unauthorized activities.
  3. Using the taxonomy of user accounts created and hardened using the separation of duties model, automate privileged access and approval workflows for enterprise systems. Instead of having administrators approve or semi-automate the evaluation of every human- and machine-based request for access, consider automating the process with a request and approval workflow. With time, duration, scope, and properties of privileged access already defined human- and machine-based requests for access to IT systems and services are streamlined, saving hundreds of hours a year and providing a real-time log for audit and data analysis later.
  4. Break-glass, emergency or firecall account passwords need to be vaulted, with no exceptions. When there’s a crisis of any kind, the seconds it takes to get a password could mean the difference between cloud instances and entire systems being inaccessible or not. That’s why administrators often only manually secure root passwords to all systems, cloud platforms and containers included. This is the equivalent of leaving the front door open to the data center with all systems unlocked. The recent Centrify survey found that just 48% of organizations interviewed have a password vault. 52% are leaving the keys to the kingdom available for hackers to walk through the front door of data centers and exfiltraticate data whenever they want.
  5. Continuous delivery and deployment platforms including Ansible, Chef, Puppet, and others need to be configured when first installed to eliminate the potential for privileged access abuse. The CIOs whose teams are creating new apps and services are using Chef and Puppet to design and create workloads, with real-time integration needed with customer, pricing, and services databases and the systems they run on. Given how highly regulated insurance is, CIOs are saying they need to have logs that show activity down to the API level in case of an audit. The more regulated and audited a company, the more trusted and untrusted domains are seen as the past, Zero Trust as the future based on CIO’s feedback.

Conclusion

The CIOs I regularly meet with from the banking, financial services, and insurance industries are under pressure to get new applications and services launched while protecting their business’ daily operations. With more application and services development happening in their IT teams, they’re focusing on how they can optimize the balance between security and speed. New apps, services, and the new customers they attract are creating a proliferation of new threat surfaces, making every new identity the new security perimeter.

Apr 21

CIO’s Guide To Stopping Privileged Access Abuse – Part I

CIOs face the paradox of having to protect their businesses while at the same time streamlining access to the information and systems their companies need to grow. The threatscape they’re facing requires an approach to security that is adaptive to the risk context of each access attempt across any threat surface, anytime. Using risk scores to differentiate between privileged users attempting to access secured systems in a riskier context than normal versus privileged credential abuse by attackers has proven to be an effective approach for thwarting credential-based breaches.

Privileged credential abuse is one of the most popular breach strategies organized crime and state-sponsored cybercrime organizations use. They’d rather walk in the front door of enterprise systems than hack in. 74% of IT decision makers surveyed whose organizations have been breached in the past say it involved privileged access credential abuse, yet just 48% have a password vault. Just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. These and many other insights are from Centrify’s recent survey, Privileged Access Management in the Modern Threatscape.

How CIOs Are Solving the Paradox of Privileged Credential Abuse

The challenge to every CIO’s security strategy is to adapt to risk contexts in real-time, accurately assessing every access attempt across every threat surface, risk-scoring each in milliseconds. By taking a “never trust, always verify, enforce least privilege” approach to security, CIOs can provide an adaptive, contextually accurate Zero Trust-based approach to verifying privileged credentials. Zero Trust Privilege is emerging as a proven framework for thwarting privileged credential abuse by verifying who is requesting access, the context of the request, and the risk of the access environment.

By taking a least privilege access approach, organizations can minimize attack surfaces, improve audit and compliance visibility, and reduce risk, complexity, and the costs of operating a modern, hybrid enterprise. CIOs are solving the paradox of privileged credential abuse by knowing that even if a privileged user has entered the right credentials but the request comes in with risky context, then stronger verification is needed to permit access.

Strategies For Stopping Privileged Credential Abuse

The following are five strategies CIOs need to concentrate on to stop privileged credential abuse. Starting with an inventory of privileged accounts and progressing through finding the gaps in IT infrastructure that create opportunities for privileged credential abuse, CIOs and their teams need to take preemptive action now to avert potential breaches in the future.

In Part 1 of a CIO’s Guide to Stopping Privileged Access Abuse, below are the steps they can take to get started:

  1. Discover and inventory all privileged accounts and their credentials to define who is accountable for managing their security and use. According to a survey by Gartner, more than 65% of enterprises are allowing shared use of privileged accounts with no accountability for their use. CIOs realize that a lack of consistent governance policies creates many opportunities for privileged credential abuse. They’re also finding orphaned accounts, multiple owners for privileged credentials and the majority of system administrators having super user or root user access rights for the majority of enterprise systems.
  2. Vault your cloud platforms’ Root Accounts and federate access to AWS, Google Cloud Platform, Microsoft Azure and other public cloud consoles. Root passwords on each of the cloud platforms your business relies on are the “keys to the kingdom” and provide bad actors from inside and outside the company to exfiltrate data with ease. The recent news of how a fired employee deleted his former employer’s 23 AWS servers is a cautionary tale of what happens when a Zero Trust approach to privileged credentials isn’t adopted. Centrify’s survey found that 63% or organizations take more than a day to shut off privilege access for an employee after leaving the company. Given how AWS root user accounts have the privilege to delete all instances immediately, it’s imperative for organizations to have a password vault where AWS root account credentials are stored. Instead of local AWS IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.
  3. Audit privileged sessions and analyze patterns to find potentially privileged credential sharing or abuse not immediately obvious from audits. Audit and log authorized and unauthorized user sessions across all enterprise systems, especially focusing on root password use across all platforms. Taking this step is essential for assigning accountability for each privileged credential in use. It will also tell you if privileged credentials are being shared widely across the organization. Taking a Zero Trust approach to securing privileged credentials will quickly find areas where there could be potential lapses or gaps that invite breaches. For AWS accounts, be sure to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.
  4. Enforce least privilege access now within your existing infrastructure as much as possible, defining a security roadmap based on the foundations of Zero Trust as your future direction. Using the inventory of all privileged accounts as the baseline, update least privilege access on each credential now and implement a process for privilege elevation that will lower the overall risk and ability for attackers to move laterally and extract data. The days of “trust but verify” are over. CIOs from insurance and financial services companies recently spoken with point out that their new business models, all of them heavily reliant on secured Internet connectivity, are making Zero Trust the cornerstone of their future services strategies. They’re all moving beyond “trust but verify” to adopt a more adaptive approach to knowing the risk context by threat surface in real-time.
  5. Adopt multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources. The CIOs running a series of insurance and financial services firms, a few of them former MBA students of mine, say multi-factor authentication is a must-have today for preventing privileged credential abuse. Their take on it is that adding in an authentication layer that queries users with something they know (user name, password, PIN or security question) with something they have (smartphone, one-time password token or smart card), something they are (biometric identification like fingerprint) and something they’ve done (contextual pattern matching of what they normally do where) has helped thwart privileged credential abuse exponentially since they adopted it. This is low-hanging fruit: adaptive MFA has made the productivity impact of this additional validation practically moot.

Conclusion

Every CIO I know is now expected to be a business strategist first, and a technologist second. At the top of many of their list of priorities is securing the business so it can achieve uninterrupted growth. The CIOs I regularly speak with running insurance and financial services companies often speak of how security is as much a part of their new business strategies as the financial products their product design teams are developing. The bottom line is that the more adaptive and able to assess the context of risks for each privilege access attempt a company’s access management posture can become, the more responsive they can be to employees and customers alike, fueling future growth.

Mar 5

74% Of Data Breaches Start With Privileged Credential Abuse

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. Photo credit: iStock

Enterprises who are prioritizing privileged credential security are creating a formidable competitive advantage over their peers, ensuring operations won’t be interrupted by a breach. However, there’s a widening gap between those businesses protected from a breach and the many who aren’t. In quantifying this gap consider the typical U.S.-based enterprise will lose on average $7.91M from a breach, nearly double the global average of $3.68M according to IBM’s 2018 Data Breach Study.

Further insights into how wide this gap is are revealed in Centrify’s Privileged Access Management in the Modern Threatscape survey results published today. The study is noteworthy as it illustrates how wide the gap is between enterprises’ ability to avert and thwart breaches versus their current levels of Privileged Access Management (PAM) and privileged credential security. 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access credential abuse, yet just 48% have a password vault, just 21% have multi-factor authentication (MFA) implemented for privileged administrative access, and 65% are sharing root or privileged access to systems and data at least somewhat often.

Addressing these three areas with a Zero Trust approach to PAM would make an immediate difference in security.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords,” remarked Tim Steinkopf, Centrify CEO. FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Please see the study here for more on the methodology.

How You Choose To Secure Privileged Credentials Determines Your Future 

Identities are the new security perimeter. Threats can emerge within and outside any organization, at any time. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey.

Attackers are increasingly logging in using weak, stolen, or otherwise compromised credentials. Centrify’s survey underscores how the majority of organizations’ IT departments have room for improvement when it comes to protecting privileged access credentials, which are the ‘keys to the kingdom.’ Reading the survey makes one realize that forward-thinking enterprises who are prioritizing privileged credential security gain major cost and time advantages over their competitors. They’re able to keep their momentum going across every area of their business by not having to recover from breaches or incur millions of dollars on losses or fines as the result of a breach.

One of the most promising approaches to securing every privileged identity and threat space within and outside an organization is Zero Trust Privilege (ZTP). ZTP enables an organizations’ IT team to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Key Lessons Learned from the Centrify Survey

How wide the gap is between organizations who see identities as the new security perimeter and are adopting a Zero Trust approach to securing them and those that aren’t is reflected in the results of Centrify’s Privileged Access Management in the Modern Threatscape surveyThe following are the key lessons learned of where and how organizations can begin to close the security gaps they have that leave them vulnerable to privileged credential abuse and many other potential threats:

  • Organizations’ most technologically advanced areas that are essential for future growth and attainment of strategic goals are often the most unprotected. Big Data, cloud, containers and network devices are the most important areas of any IT infrastructure. According to Centrify’s survey, they are the most unprotected as well. 72% of organizations aren’t securing containers with privileged access controls. 68% are not securing network devices like hubs, switches, and routers with privileged access controls. 58% are not securing Big Data projects with privileged access controls. 45% are not securing public and private cloud workloads with privileged access controls. The study finds that UK-based businesses lag U.S.-based ones in each of these areas as the graphic below shows:

  • Only 36% of U.K. organizations are very confident in their company’s current IT security software strategies, compared to 65% in the U.S. The gap between organizations with hardened security strategies that have a higher probability of withstanding breach attempts is wide between U.K. and U.S.-based businesses. 44% of U.K. respondents weren’t positive about what Privileged Access Management is, versus 26% of U.S. respondents. 60% of U.K. respondents don’t have a password vault.

  • Just 35% of U.S. organizations and 30% of those in the UK are relying on Privileged Access Management to manage partners’ access to privileged credentials and infrastructure. Partners are indispensable for scaling any new business strategy and expanding an existing one across new markets and countries. Forward-thinking organizations look at every partner associates’ identity as a new security perimeter. The 35% of U.S.-based organizations doing this have an immediate competitive advantage over the 65% who aren’t. By enforcing PAM across their alliances and partnerships, organizations can achieve uninterrupted growth by eliminating expensive and time-consuming breaches that many businesses never fully recover from.
  • Organizations’ top five security projects for 2019 include protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness and encrypting data. These top five security projects could be achieved at scale by having IT teams implement a Zero Trust-based approach to Privileged Access Management (PAM). The time, cost and scale advantages of getting the top five security projects done using Zero Trust would free up IT teams to focus on projects that deliver direct revenue gains for example.

Conclusion

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. It also reveals that there is a strong desire to adhere to best practices when it comes to PAM (51% of respondents) and that the reason it is not being adequately implemented rarely has to do with prioritization or difficulty but rather budget constraints and executive buy-in.

The survey also shows U.K. – and U.S.-based organizations need to realize identity is the new security perimeter. For example, only 37% of respondents’ organizations are able to turn off privileged access for an employee who leaves the company within one day, leaving a wide-open exposure point that can continue to be exploited.

There are forward-thinking organizations who are relying on Zero Trust Privilege as a core part of their digital transformation efforts as well. The survey found that given a choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%). Many enterprises see digital transformation’s missing link being Zero Trust and the foundation for redefining their businesses by defining every identity as a new security perimeter, so they can securely scale and grow faster than before.

%d bloggers like this: