Security Experts:

A New Year's Resolution: Security is Broken…Let's Fix It

As we near the end of 2018, another wave of massive cyber-attacks has exposed personally identifiable information belonging to hundreds of millions of people and will cost the impacted businesses untold amounts of dollars in lost revenue, settlements, and fines. The data breaches at Marriott International, Dell, Dunkin Donuts, Atrium Health combined with research by IntSight, showing that online phishing sites skyrocketed by 297 percent during the past year, is a clear indicator that security is broken. 

According to Gartner, worldwide IT security spending is expected to exceed $114 billion in 2018. Despite these massive investments, 66 percent of companies are still being breached according to a study by Forrester Research — and worse, they’re breached on average five or more times over a 12-month period. As an industry, our New Year’s resolution should be to rethink traditional approaches to security to account for the current threatscape.

The post-mortem analysis of most data breaches typically boils down to two essential findings:

Credential Abuse is at the Core of Hacks

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions. 

Things get even worse if a stolen identity belongs to a privileged user who has even broader access, and which provides the intruder with “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. In addition, 65% of enterprises allow for the unrestricted, unmonitored, and shared use of privileged accounts, according to Gartner.

These findings only scratch the surface of how privileged credentials can be exploited and the damage they can cause in the wrong hands. As the Marriott breach illustrates, it takes just one compromised privileged credential to affect millions of data records. With privileged access abuse being the #1 cause for today’s breaches, it is mindboggling to see that the industry spends less than 5 percent of the world’s IT security spending on identity-related technologies. For its part, Gartner recommends putting Privileged Access Management on top of an organization’s list of security projects.

Hackers Exploit an Ever-Expanding Attack Surface

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks has lost much of its effectiveness due to the ever-expanding attack surface. Today’s environments are completely different and offer bad actors a far broader point of attack. Privileged access not only covers infrastructure, databases, and network devices but also extends to cloud environments, Internet of Things devices; it includes big data projects, it must be automated for DevOps, and it now needs to cover hundreds of containers or microservices to represent what used to be a single server. 

Considering the breadth of attack surface organizations need to secure, they must discard the old model of “trust but verify” which relied on well-defined boundaries. They should, instead, pursue a “never trust, always verify, enforce least privilege” approach to privileged access.

Welcome to a World of Zero Trust

Acknowledging we live in a Zero Trust world and need to assume that untrusted actors are already present inside the network, organizations must move towards a security model that requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. This Zero Trust Privilege approach is based on six fundamental elements:

• Verify Who - Today, identities include not just people but workloads, services, and machines. Properly verifying who means leveraging enterprise directory identities, eliminating local accounts, and decreasing the overall number of accounts and passwords to reduce the attack surface. 

• Contextualize the Privileged Access Request - For each privileged access request, it is important to know why somebody, or something is performing the activity. To do this, we must understand the context behind the request for access, as well as review and approve it based on the context provided. 

• Establish a Secure Admin Environment - When accessing privileged resources, it is critical that we do not either enable malware access to servers or introduce infections during connections. To achieve this, we need to make sure access is only achieved through a clean source (e.g., Web-based access to sensitive systems via an administrative jump box).

• Grant Least Privilege - Least privilege establishes granular role-based access to privileged resources. Another objective to granting least privilege is to limit lateral movement across the network.

• Audit Everything - For privileged sessions, it is a best practice to audit everything. With a documented record of all actions performed, audit logs can not only be used in forensic analysis to identify the source of a problem but also to attribute actions taken by a specific user. Because these sessions are so sensitive, it is also a best practice to keep a video recording that can be reviewed or used as evidence, especially in regulated industries.

• Apply Adaptive Security Controls - Gartner promotes CARTA – Continuous, Adaptive, Risk and Trust Assessment – and it’s absolutely required for privilege access too. Living in a world of Zero Trust means knowing that even if the right credentials have been entered by a user, other risk factors (like the request originating from an unusual location, or at unusual time of day) may dictate that a stronger form of verification is required. Modern machine learning algorithms can analyze a privileged user’s behavior and identify “anomalous” or “non-normal” (and therefore risky) activities, and alert or notify security. 

With 2019 just around the corner, organizations should examine their overall cyber security and identity management strategies and align them to address the #1 cause of today’s data breach — privileged access abuse. By implementing least privilege access, organizations can minimize their attack surface, improve audit and compliance visibility, and reduce risk.

view counter
Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).