We’ve heard for a number of years now that ‘every company is a technology company’
Today IT is at the heart of almost every organisation, and as a result privileged accounts, credentials and secrets exist in all areas of their IT infrastructures, whether on-premise, in the cloud, on endpoints and across multiple DevOps environments.
These credentials remain the most valuable asset for hackers seeking to infiltrate organisations and seize sensitive data. According to the 2018 Verizon Data Breach Investigations Report, the most common cause of security breaches – ranging from customer records to intellectual property , and everything in between – involve the use of stolen privileged credentials.
But how exactly can organisations tighten up their privileged access security and reduce the chances of a successful attack from external hackers or malicious insiders? The first and most important step in doing so is reducing privileged access risk. With that in mind, I’ve collated my top recommendations for how to drive down risk in 2019 and beyond below:
- Control and secure infrastructure accounts. Businesses must control and secure access to their on-premise and cloud infrastructure accounts — from server admin accounts to database instance accounts and everything in between — because they are some of the most valuable keys to any IT kingdom. As part of this process, businesses must store or ‘vault’ all well-established infrastructure accounts and automatically rotate passwords periodically after every use.
- Eliminate irreversible network takeover attacks. Irreversible takeover attacks refer to incidents where the only viable resolution is to rebuild the affected environment. Savvy hackers can infiltrate organisational networks and cause long-term damage by gaining access to domain controllers. IT teams must therefore move privileged credentials associated with all tier0 and tier1 assets — such as domain controller accounts — to a centralised and automated system. Multi-factor authentication (MFA) must then be implemented to protect it.
- Restrict lateral movement. Attackers tend to follow patterns, stealing credentials and moving laterally across an organisation’s IT infrastructure to execute their plans and move a step closer towards their end goal. Businesses must reduce local admin rights on IT Windows workstations to stop credential theft and limit attackers’ movement.
- Protect credentials for third-party applications. Attackers are increasingly targeting third-party vendors such as business services, management consultants, legal counsel, facilities maintenance support, logistics companies and more, because they view them as an ‘easy target’; their applications and IT systems are often less sophisticated and their security defences easier to infiltrate. To minimise risk, it’s important to vault all privileged credentials used by third-party applications and vendors. IT teams must also be sure these credentials are rotated frequently.
- Defend DevOps secrets in the cloud and on-premises. DevOps teams have the “need for speed”, with speed of deployment often their number one concern. Nonetheless, their tools and coding methods shouldn’t compromise privileged access security. Businesses must vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, secrets used by CI/CD tools such as Ansible, Jenkins and Docker should be securely stored in a vault and automatically rotated and managed, while permitting access to developers as and when required.
- Manage *NIX SSH keys. SSH keys are gold to an external attacker or malicious insider. With them, they can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. These keys must also be secured in a vault, and subsequently be rotated regularly based on policy. Moreover, a solution that enables event notifications and automation to lessen the potential impact of human error should be deployed in all circumstances.
- Secure SaaS admins and privileged business users. Cyber criminals often target credentials used by SaaS administrators and privileged business users to get high-level and stealthy access to sensitive systems. IT teams must isolate all access to shared IDs and require MFA if they are to prevent this kind of attack. They must also monitor and record sessions of SaaS admins and privileged business users.
- Invest in periodic Red Team exercises to test defences. In order to stay a step ahead of advanced cyber manoeuvres, it’s critical to adopt an attacker’s mindset. Businesses should consider either establishing their own Red Team or hiring an outside firm to ensure these drills will be as realistic as possible.
- Invest in a tool to periodically measure reduction in privileged security risk. Measurement of risk and maturity is a critical capability. If a business is not gauging and adjusting for risk and change, it can’t focus and cannot know if enough has been done. Measurement tools may be available from a privileged access management solution. There are also solutions in the market available to measure an enterprise’s entire security programme against an established framework (such as NIST CSF).
- Utilise MFA. Passwords are crackable, findable and sharable. MFA that requires “something you have” and “something you know” exponentially decreases compromise. It’s important that businesses ensure a privileged access management solution heavily leverages MFA to enhance the protection invested in.
The new year presents the perfect opportunity for businesses to re-evaluate and strengthen their cyber security posture. This must start with securing privileged access as the first port of call, to ensure that critical applications are accessed by the right people at the right time. 2019 has to be the year that we take further measures to mitigate insider threat.
About the Author
David Higgins is Director of Customer Development, EMEA, CyberArk. CyberArk is the only security software company focused on eliminating cyber threats using insider privileges to attack the heart of the enterprise.