Identity & Access

A New Year’s Resolution: Security is Broken…Let’s Fix It

As we near the end of 2018, another wave of massive cyber-attacks has exposed personally identifiable information belonging to hundreds of millions of people and will cost the impacted businesses untold amounts of dollars in lost revenue, settlements, and fines. The data breaches at Marriott International, Dell, Dunkin' Donuts, and Atrium Health, combined with research by IntSight showing that online phishing sites skyrocketed by 297 percent during the past year, are a clear indicator that security is broken.

According to Gartner, worldwide IT security spending is expected to exceed $114 billion in 2018. Despite these massive investments, 66 percent of companies are still being breached according to a study by Forrester Research — and worse, they’re breached on average five or more times over a 12-month period. As an industry, our New Year’s resolution should be to rethink traditional approaches to security to account for the current threatscape.

The post-mortem analysis of most data breaches typically boils down to two essential findings:

Credential Abuse is at the Core of Hacks

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity. Equipped with the right credentials, cyber adversaries and malicious insiders can wreak havoc on an organization’s network, exfiltrate sensitive data, or even siphon off funds — all while concealing their malicious activities from threat detection solutions. 

Things get even worse if a stolen identity belongs to a privileged user who has even broader access, providing the intruder with “the keys to the kingdom”. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. In addition, 65 percent of enterprises allow the unrestricted, unmonitored, and shared use of privileged accounts, according to Gartner.

These findings only scratch the surface of how privileged credentials can be exploited and the damage they can cause in the wrong hands. As the Marriott breach illustrates, it takes just one compromised privileged credential to affect millions of data records. With privileged access abuse being the #1 cause of today’s breaches, it is mind-boggling to see that the industry spends less than 5 percent of the world’s IT security spending on identity-related technologies. For its part, Gartner recommends putting Privileged Access Management at the top of an organization’s list of security projects.

Hackers Exploit an Ever-Expanding Attack Surface

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, has lost much of its effectiveness due to the ever-expanding attack surface. Today’s environments are completely different and offer bad actors a far broader point of attack. Privileged access no longer covers only infrastructure, databases, and network devices: it extends to cloud environments and Internet of Things devices, it includes big data projects, it must be automated for DevOps, and it now needs to cover the hundreds of containers or microservices that represent what used to be a single server.

Considering the breadth of attack surface organizations need to secure, they must discard the old model of “trust but verify” which relied on well-defined boundaries. They should, instead, pursue a “never trust, always verify, enforce least privilege” approach to privileged access.

Welcome to a World of Zero Trust

Acknowledging we live in a Zero Trust world and need to assume that untrusted actors are already present inside the network, organizations must move towards a security model that requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. This Zero Trust Privilege approach is based on six fundamental elements:

• Verify Who – Today, identities include not just people but workloads, services, and machines. Properly verifying who means leveraging enterprise directory identities, eliminating local accounts, and decreasing the overall number of accounts and passwords to reduce the attack surface. 

• Contextualize the Privileged Access Request – For each privileged access request, it is important to know why somebody, or something, is performing the activity. To do this, we must understand the context behind the request for access, as well as review and approve it based on the context provided.

• Establish a Secure Admin Environment – When accessing privileged resources, it is critical that we neither enable malware access to servers nor introduce infections during connections. To achieve this, we need to make sure access is only achieved through a clean source (e.g., Web-based access to sensitive systems via an administrative jump box).

• Grant Least Privilege – Least privilege establishes granular role-based access to privileged resources. Another objective of granting least privilege is to limit lateral movement across the network.

• Audit Everything – For privileged sessions, it is a best practice to audit everything. With a documented record of all actions performed, audit logs can not only be used in forensic analysis to identify the source of a problem but also to attribute actions taken by a specific user. Because these sessions are so sensitive, it is also a best practice to keep a video recording that can be reviewed or used as evidence, especially in regulated industries.

• Apply Adaptive Security Controls – Gartner promotes CARTA – Continuous, Adaptive, Risk and Trust Assessment – and it’s absolutely required for privileged access too. Living in a world of Zero Trust means knowing that even if the right credentials have been entered by a user, other risk factors (like the request originating from an unusual location, or at an unusual time of day) may dictate that a stronger form of verification is required. Modern machine learning algorithms can analyze a privileged user’s behavior, identify “anomalous” or “non-normal” (and therefore risky) activities, and alert or notify security.
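
The six elements above can be read as one decision pipeline that every privileged access request passes through. The following is an added example, not code from the article or from any vendor: a small Python policy evaluator that checks the identity source (Verify Who), requires a justification (Contextualize), insists on the administrative jump box (Secure Admin Environment), checks role grants (Least Privilege), scores location and time-of-day deviation from a per-identity baseline and asks for step-up verification when the score is non-zero (Adaptive Controls), and writes a structured audit line for every decision (Audit Everything). The role table, the baselines, the identities, and the `AccessRequest` fields are all constructed for the demo; the baseline here is a hand-written stand-in for what the text says a machine-learning model would learn from history.

```python
# Added example (not from the article): a toy policy evaluator that walks a
# privileged-access request through the six Zero Trust Privilege elements.
# Roles, identities, baselines and sample requests are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime
import json

# Least privilege: hypothetical role -> set of (resource, action) grants.
ROLE_GRANTS = {
    "db-admin": {("prod-db", "read"), ("prod-db", "restart")},
    "web-admin": {("web-01", "read"), ("web-01", "deploy")},
}


@dataclass
class Baseline:
    """Per-identity behavioural baseline (assumed to be learned from past sessions)."""
    usual_countries: set
    usual_hours: range          # local hours in which this identity is normally active


# Constructed baseline for one directory identity.
BASELINES = {
    "alice@corp.example": Baseline({"US"}, range(8, 19)),
}


@dataclass
class AccessRequest:
    identity: str
    identity_source: str        # "directory" (enterprise directory) or "local"
    roles: list
    resource: str
    action: str
    justification: str          # ticket id or reason supplied with the request
    country: str
    when: datetime
    via_jump_host: bool         # session originates from the administrative jump box
    mfa_strong: bool            # a strong second factor was already presented


def evaluate(req):
    """Return (decision, reasons); decision is "allow", "step_up" or "deny"."""
    reasons = []
    # 1. Verify who: only enterprise-directory identities; local accounts are refused.
    if req.identity_source != "directory":
        return "deny", ["local account not permitted"]
    # 2. Contextualize: a request without a stated reason cannot be reviewed.
    if not req.justification.strip():
        return "deny", ["missing justification"]
    # 3. Secure admin environment: privileged sessions must come from the clean source.
    if not req.via_jump_host:
        return "deny", ["not via admin jump host"]
    # 4. Least privilege: the union of the caller's role grants must cover the action.
    permitted = set().union(*(ROLE_GRANTS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in permitted:
        return "deny", [f"role grants do not include {req.action} on {req.resource}"]
    # 6. Adaptive controls: score deviation from the identity's baseline.
    base = BASELINES.get(req.identity)
    risk = 0
    if base is None:
        risk += 2
        reasons.append("no behavioural baseline")
    else:
        if req.country not in base.usual_countries:
            risk += 2
            reasons.append(f"unusual location {req.country}")
        if req.when.hour not in base.usual_hours:
            risk += 1
            reasons.append(f"unusual hour {req.when.hour:02d}:00")
    if risk == 0:
        return "allow", reasons
    if req.mfa_strong:          # correct credentials plus strong MFA offsets the anomaly
        reasons.append("risk mitigated by strong MFA")
        return "allow", reasons
    return "step_up", reasons   # correct credentials alone are not enough here


def audit_record(req, decision, reasons):
    """5. Audit everything: one JSON line attributing the decision to a named identity."""
    return json.dumps({
        "ts": req.when.isoformat(),
        "identity": req.identity,
        "resource": req.resource,
        "action": req.action,
        "country": req.country,
        "justification": req.justification,
        "decision": decision,
        "reasons": reasons,
    }, sort_keys=True)


# Constructed sample requests exercising the normal path and each refusal/step-up path.
_BASE = dict(identity="alice@corp.example", identity_source="directory",
             roles=["db-admin"], resource="prod-db", action="read",
             justification="CHG-1234 quarterly index check", country="US",
             when=datetime(2018, 12, 20, 10, 0), via_jump_host=True, mfa_strong=False)
SAMPLE_REQUESTS = {
    "normal": AccessRequest(**_BASE),
    "offhours_abroad": AccessRequest(**{**_BASE, "country": "RO",
                                        "when": datetime(2018, 12, 20, 3, 0)}),
    "abroad_with_mfa": AccessRequest(**{**_BASE, "country": "RO", "mfa_strong": True}),
    "beyond_role": AccessRequest(**{**_BASE, "action": "drop"}),
    "local_account": AccessRequest(**{**_BASE, "identity_source": "local"}),
    "no_jump_host": AccessRequest(**{**_BASE, "via_jump_host": False}),
}


def evaluate_all():
    """Evaluate every sample request; returns {name: decision}."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reasons = evaluate(req)
        print(name, "->", audit_record(req, decision, reasons))
```

The ordering matters: the hard checks (identity source, justification, jump host, role grant) refuse outright, while the behavioural score only ever escalates to a stronger verification rather than denying, which is the CARTA idea that a valid credential from an odd place is a reason to ask for more proof, not proof of compromise. Every path, including denials, produces an audit line, so the log can attribute both what was done and what was refused to a specific directory identity.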

With 2019 just around the corner, organizations should examine their overall cyber security and identity management strategies and align them to address the #1 cause of today’s data breach — privileged access abuse. By implementing least privilege access, organizations can minimize their attack surface, improve audit and compliance visibility, and reduce risk.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
