In today’s digital economy, many organizations try to secure privileged accounts and credentials for employees and vendors while focusing solely on the privileged identities themselves. Privileged access is the most frequently targeted by cyber security threats because it leads to the most sensitive data. Organizations typically protect internet access with VPNs, IDS, IPS, firewalls, email gateways and the like, building multiple layers of security at the perimeter; privileged accounts, however, are far more widespread: they are found on-premises, in the cloud, on endpoints and across multiple DevOps environments. Security breaches of sensitive data, from customer records to intellectual property, more often than not involve the use of stolen privileged credentials. The higher the privileges of an account, the more valuable it is to an attacker. Compromise a network administrator, and an attacker has free rein over the network, its applications and its devices.
Securing the access pathways is just as crucial to protecting critical systems and data from cyber threats. So what can organisations do this year to tighten privileged access security and reduce the risk from attackers and malicious insiders? The first step has to be reducing privileged access risk. This article highlights tips and recommendations for driving down that risk in 2019 and beyond.
Eliminate irreversible network takeover attacks. Irreversible takeover attacks are incidents where the only viable resolution is to rebuild the affected environment. Attackers establish persistence in a company by performing an attack that is hard to identify and so intrusive that the business must rebuild to remove them. For example, savvy attackers can ruin organisational networks and cause long-term damage by gaining access to domain controllers. IT teams must move privileged credentials into a centralised and automated system, and multi-factor authentication (MFA) must then be implemented to protect that system.
Secure infrastructure accounts. Attackers leverage powerful default infrastructure accounts that exist in the cloud and on-premises and are rarely used in day-to-day operations, yet can give an attacker access to highly sensitive data. Organisations must control and secure access to their on-premises and cloud infrastructure accounts, as these represent a key way in to the most valuable assets in the IT estate. Furthermore, organisations must vault all well-known infrastructure accounts and automatically rotate their passwords at a regular interval.
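The vaulting and rotation policy above is easiest to enforce when it is checked continuously rather than by hand. The following is an added example, not code from the original article or from any particular vendor's product: a small Python 3 policy check over a constructed inventory of privileged accounts that flags accounts that are not vaulted, have never been rotated, or are past their rotation interval, escalating well-known default accounts to high severity. The set of well-known account names, the inventory entries and the rotation intervals are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Default/built-in infrastructure accounts that must always be vaulted (assumed list)
WELL_KNOWN = {"root", "administrator", "admin", "sa", "ec2-user", "azureuser"}


@dataclass
class PrivilegedAccount:
    name: str
    system: str                    # where the account lives, e.g. "aws-prod", "dc01"
    vaulted: bool
    last_rotated: Optional[date]   # None = never rotated since discovery
    max_age_days: int              # rotation interval required by policy


@dataclass
class Finding:
    system: str
    name: str
    severity: str                  # "high" or "medium"
    reason: str
    rotate_by: date                # the date the password should have been rotated by


def assess_rotation(accounts: List[PrivilegedAccount], today: date) -> List[Finding]:
    """Flag unvaulted, never-rotated and overdue accounts, most urgent first."""
    findings = []
    for a in accounts:
        # Well-known default accounts are the ones attackers try first: escalate them.
        sev = "high" if a.name.lower() in WELL_KNOWN else "medium"
        if not a.vaulted:
            findings.append(Finding(a.system, a.name, sev, "not vaulted", today))
            continue
        if a.last_rotated is None:
            findings.append(Finding(a.system, a.name, sev, "never rotated", today))
            continue
        due = a.last_rotated + timedelta(days=a.max_age_days)
        if due < today:
            overdue = (today - due).days
            findings.append(Finding(a.system, a.name, sev,
                                    f"rotation overdue by {overdue} days", due))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (order[f.severity], f.rotate_by))
    return findings


# Constructed inventory for illustration (not real systems or accounts)
INVENTORY = [
    PrivilegedAccount("root", "aws-prod", True, date(2019, 1, 2), 30),
    PrivilegedAccount("Administrator", "dc01", False, None, 30),
    PrivilegedAccount("svc-backup", "nas01", True, date(2018, 11, 1), 90),
    PrivilegedAccount("ec2-user", "bastion", True, date(2019, 2, 20), 30),
    PrivilegedAccount("deploy", "jenkins", True, None, 90),
]


def report(today: date = date(2019, 3, 1)) -> List[Finding]:
    """Run the check against the constructed inventory as of a fixed date."""
    return assess_rotation(INVENTORY, today)


if __name__ == "__main__":
    for f in report():
        print(f"[{f.severity}] {f.system}/{f.name}: {f.reason} (rotate by {f.rotate_by})")
```

The check is deliberately separate from the vault itself: it only needs an export of account metadata (name, system, vaulted flag, last rotation date), so it can run as a scheduled job against any vault or discovery tool that can produce that inventory.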
Limit lateral movement. Cybercriminals often steal credentials by gaining a foothold on endpoints and then moving laterally across the infrastructure to carry out their attacks, for instance by using Pass-the-Hash techniques to obtain elevated permissions. To limit attackers’ movement, organisations must reduce local admin rights on Windows workstations to stop credential theft.
Protect credentials for third-party applications. Attackers increasingly target third-party vendors, such as business services, legal counsel, management consultants, facilities maintenance support and logistics companies, because their security defences are easier to infiltrate and their applications and IT systems are often less sophisticated. They compromise the applications used to perform operations such as deep scans in order to steal the privileged credentials embedded in them. To minimise risk, it’s important to safeguard all privileged credentials used by third-party applications and vendors, and IT teams must be sure those credentials are rotated frequently.
Manage *NIX SSH keys. An external attacker or a malicious insider can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix) technology stack. Unix and Linux systems often house some of the organization’s most sensitive data, and Linux systems are widely deployed in the cloud. The individual accounts and credentials on these systems are often overlooked by security teams. The associated private keys need to be secured in a vault. After vaulting, keys should be routinely rotated based on policy, and appropriate monitoring put in place to detect any attempts to circumvent the privileged access controls.
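Before unmanaged keys can be vaulted and rotated they have to be found and assessed. The following is an added example, not code from the original article: a Python 3 audit of an `authorized_keys` file that parses each entry (including the optional leading option list, which may contain quoted values), computes the OpenSSH-style SHA256 fingerprint from the decoded key blob, reads the key size out of the SSH wire format, and flags deprecated DSA keys, short RSA keys, keys with no `from=` source restriction, and root keys not limited to a forced `command=`. The 3072-bit RSA minimum is an assumed local policy, and the sample key blobs are constructed to have the correct wire format only; they are not real keys.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 3072   # assumed local policy


@dataclass
class KeyFinding:
    user: str
    key_type: str
    bits: int
    fingerprint: str
    comment: str
    options: List[str] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_bits(blob: bytes) -> int:
    """Key size from the decoded public-key blob (RSA modulus, DSA p, or curve size)."""
    kt, off = _read_string(blob, 0)
    kt = kt.decode()
    if kt == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (unused)
        n, _ = _read_string(blob, off)             # modulus as mpint
        return int.from_bytes(n, "big").bit_length()
    if kt == "ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if kt == "ssh-ed25519":
        return 256
    if kt.startswith("ecdsa-sha2-nistp"):
        return int(kt[len("ecdsa-sha2-nistp"):])
    raise ValueError(f"unsupported key type {kt}")


def _split_options(line: str):
    """Split the leading option list from the rest of the line. Options end at the
    first unquoted space and are comma-separated outside quotes (backslash-escaped
    quotes inside values are not handled in this example)."""
    i, quoted = 0, False
    while i < len(line) and (line[i] != " " or quoted):
        if line[i] == '"':
            quoted = not quoted
        i += 1
    parts, cur, quoted = [], "", False
    for c in line[:i]:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += c
    if cur:
        parts.append(cur)
    return parts, line[i:].lstrip()


def audit_authorized_keys(user: str, text: str) -> List[KeyFinding]:
    """Parse an authorized_keys file for `user` and attach policy issues to each key."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if first in KEY_TYPES or first.startswith("sk-"):
            options, rest = [], line                 # no option list present
        else:
            options, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed authorized_keys line: {raw!r}")
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64)
        # OpenSSH prints SHA256 fingerprints as unpadded base64 of the blob digest
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        f = KeyFinding(user, key_type, key_bits(blob), fp, comment, options)
        names = [o.split("=", 1)[0] for o in options]
        if key_type == "ssh-dss":
            f.issues.append("DSA key (deprecated; disabled by default in modern OpenSSH)")
        if key_type == "ssh-rsa" and f.bits < MIN_RSA_BITS:
            f.issues.append(f"RSA key below {MIN_RSA_BITS} bits")
        if "from" not in names:
            f.issues.append("no from= source restriction")
        if user == "root" and "command" not in names:
            f.issues.append("root login not limited to a forced command")
        findings.append(f)
    return findings


# --- constructed sample: correctly framed but non-functional key blobs ---
def _wire_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _wire_mpint(n: int) -> bytes:
    return _wire_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))  # keeps sign bit clear


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


_RSA_1024 = _b64(_wire_string(b"ssh-rsa") + _wire_mpint(65537) + _wire_mpint((1 << 1023) | 1))
_ED25519 = _b64(_wire_string(b"ssh-ed25519") + _wire_string(bytes(32)))
_DSS_1024 = _b64(_wire_string(b"ssh-dss") + _wire_mpint((1 << 1023) | 1) + _wire_mpint(1) * 3)

SAMPLE_ROOT_KEYS = f"""\
# constructed sample of legacy entries on a database host
ssh-rsa {_RSA_1024} backup@old-host
from="10.0.0.0/8",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {_ED25519} backup@bastion
ssh-dss {_DSS_1024} contractor@laptop
"""

if __name__ == "__main__":
    for f in audit_authorized_keys("root", SAMPLE_ROOT_KEYS):
        print(f.key_type, f.bits, f.fingerprint, f.comment, f.issues)
```

The fingerprint is what lets the findings be matched against the vault's inventory and against `sshd` authentication logs, so that a key seen in a login but absent from the vault stands out as unmanaged.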
DevOps secrets must be protected in the cloud and on-premises. Cybercriminals can compromise secrets embedded in code and in continuous integration/continuous deployment (CI/CD) tools in order to exploit the environment for more pervasive access. The tools and coding methods of DevOps should not compromise privileged access security. Businesses must vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, DevOps secrets used by CI/CD tools such as Jenkins, Ansible and Docker should be securely stored in a vault while still being retrievable on the fly, automatically rotated and managed, avoiding the disparate key storage locations that prove difficult to manage and monitor.
Secure SaaS admins and privileged business users. Attackers steal credentials used by SaaS administrators and privileged business users to get high-level access to sensitive systems. To prevent this type of attack, IT teams must isolate all access to shared IDs and require MFA in order to establish a session under such an account. They must also monitor and record the sessions of SaaS admins and privileged business users.
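Secrets embedded in pipeline definitions are the failure mode the DevOps section above describes, and they are cheap to detect before a commit reaches the CI server. The following is an added example, not code from the original article or from Jenkins, Ansible or Docker: a Python 3 scanner that runs a few credential patterns over a constructed Jenkinsfile-style snippet, reports each hit with its line number and a redacted value, and uses Shannon entropy to downgrade placeholder-looking values (such as `changeme`) to low confidence so they can be triaged separately. The patterns, the entropy threshold and the sample file are assumptions for illustration, and the sample access key ID is a made-up value in the documented `AKIA` format, not a real key.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Detection patterns (assumed; a real deployment would use a maintained rule set)
PATTERNS: Dict[str, Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" / name: 'value' where the name looks like a credential
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.0   # bits per character; below this a value looks like a placeholder


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str     # never log the full secret
    confidence: str   # "high" or "low"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the remainder."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> List[Finding]:
    """Return findings for every pattern hit, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                confidence = "high"
                if kind == "hardcoded_credential" and shannon_entropy(value) < entropy_threshold:
                    confidence = "low"   # low-entropy values are usually placeholders
                findings.append(Finding(no, kind, redact(value), confidence))
    return findings


# Constructed Jenkinsfile-style sample; line 4 shows the right way (credential store),
# the others show what the scanner should catch. Not a real pipeline.
SAMPLE = """\
pipeline {
  environment {
    AWS_ACCESS_KEY_ID     = 'AKIAEXAMPLEEXAMPLE01'
    AWS_SECRET_ACCESS_KEY = credentials('aws-secret')
    DB_PASSWORD           = "Sup3rS3cretPassw0rd!"
    SMTP_PASSWORD         = "changeme"
  }
  stages {
    stage('deploy') {
      steps { sh 'echo "-----BEGIN OPENSSH PRIVATE KEY-----" > /tmp/key' }
    }
  }
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} [{f.confidence}] {f.redacted}")
```

Wiring `scan_text` into a pre-commit hook or a pipeline stage turns the vaulting policy into something that fails the build, which is far easier to sustain than periodic manual reviews.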
Invest in periodic Red Team exercises. It’s important to adopt an attacker’s mindset in order to stay a step ahead of advanced cyberattacks. Whether businesses build and operate their own Red Team or hire an outside firm, the drills should be as realistic as possible.
Invest in tools which help to measure the reduction in privileged security risk. Measuring risk and maturity is a critical capability. If a business is not gauging and adjusting for risk and change, it cannot know whether enough has been done, nor understand the effectiveness of previous security controls and risk analysis activity. These assessments of business risk must be continually calibrated.
Utilise MFA. Passwords are easy to crack, find and share; MFA makes compromise less likely. Businesses should ensure that their privileged access management solution leverages MFA heavily, to strengthen the protection they have invested in.
These steps present a renewed opportunity for businesses to re-evaluate and strengthen their cyber security posture. The organisation has to start with securing privileged access in order to ensure that critical applications are accessed by the right people at the right time.