Patchwork of Privilege

May 24, 2020

Product marketing manager from Thycotic, Erin Ducan, discusses privileged access in this Digital Summit session. Erin sets the stage with this: “We know that cyber attackers are utilizing new technology and automation to discover vulnerabilities more rapidly. For most organizations, the attack surface into which these attackers can infiltrate is massive. It is filled with hundreds, if not thousands of privileged accounts.”

What An Attack Surface Looks Like

Typically, data center admin accounts and network devices receive the most amount of attention when it comes to securing a source of vulnerability. However, there are commonly neglected parts of the attack surface as well, including:

  • Service accounts or non-human accounts
  • Cloud infrastructure accounts
  • Accounts in DevOps environments

These new tools and automation house account credentials, when overlooked, pave the way for breaches. As business develop new products, offer new services, and change through evolution or M&A, the attack surface grows.

An Ounce Of Prevention Is Worth A Pound Of Cure

The first step of minimizing risk is to know where it comes from. Every year, Thycotic does a black-hat survey. Last year, it was learned that 80% of hackers say that humans are most responsible for breaches. For hackers, targeting the human element is cheaper and more effective than attempting to penetrate firewalls and network infrastructure directly.

Awareness and education within an organization goes a long way toward cyber security. Implementing technology tools is not enough. Employees need to take ownership of their role in minimizing security risks.

Securing personal laptop and desktop end points is critical, because privilege accounts are the keys to the kingdom. If an application has too many compromised privileges, attacks are difficult to contain. Hackers, regardless of their methods, target accounts that grand them the broadest, deepest access to data. Why? Erin explains it this way:

“The reason they want these accounts is really simple. When you log in as an admin, every application that you run with that account has unlimited access to that computer. [A hacker] can implement malicious code or if you've gone to a site that automatically downloads something, that application gains unlimited access that way. An enterprise has to assume that your users are still going to browse insecure sites or that they'll receive email or instant messages from people that they may not know. And maybe now they're even playing an online game or two during the workday that exposed them to something malicious.

Even if you keep up to date on patches and virus signatures, which is really important for security, things still happen. So if that's going to happen no matter what security measures we take, we have to think about what power we're giving an exploit when it runs with admin privileges.”

One an admin account is exploited, attackers can install ransomware, put in a trojan horse, brick a machine, or install key loggers, erasing their tracks as they go.

While there are several logical reasons for giving users local admin rights, none of them are worth the security compromises. The principle of least privilege access control is that users or programs only have access to the things they need and only when they need it. Malicious actors know that, historically, organizations are horrible at this. In order to dead-end their movement before too much damage is done, building a security strategy that includes least privilege is key.

Least Privilege Report

In February, Thycotic partnered with Cybrary to conduct a global survey of more than 250 cybersecurity and IT professionals. The intent was to understand how they are implementing least privilege, the drivers of those projects, and the hurdles that they face. The report contained three key take-aways.

  • Recognizing that enforcing least privilege is highly complex, it must be planned for and implemented often. To be effective, least privilege programs must be continuous.
  • Success in implementing least privilege relies on comprehensive solutions that minimize impact on user productivity. Support from the budget and the C-suite is imperative.
  • Least privilege strategies work best when they are customized to an organization. Likely, an end user will win a conflict between business productivity and security.

Tips & Take-Aways

Erin offers some final, actionable advice before the session wraps up with audience Q&A. She recommends that a privileged champion be appointed as part of an enterprise’s least privilege implementation. This individual is responsible for communicating and coordinating with key stakeholders and working generally with relevant departments.

Sacrificing usability for security is a no-go.  There are PAM software solutions, like those from Thycotic, that can ensure least privilege will be easily implemented without negatively impacting business productivity.

A least privileged solution needs to be able to demonstrate compliance with multiple regulatory requirements.

Finally, integration is essential for coordinating all the technologies involved in managing least privilege as an ongoing program. An effective implementation of least privilege, especially on end-user end points, requires multiple layers of protection.

In order to get the most of this session, please go to the Cyber Security Digital Summit page, register, and then follow the link sent to your inbox.

Read the original article and additional information at Cyber Security Hub