Everyone knows the bad guys are breaching the walls, but no one wants to talk about the failures of conventional perimeter security. Don’t get me wrong. Traditional network defenses like firewalls and anti-malware are, of course, required methods to defend against cyber attacks.
But be clear about how far these products actually go toward overall IT security. Mostly they filter out noise. In other words, perimeter security stops the opportunistic, low-skilled attacks that are scanning for easy targets.
Cyber attacks inflict damage by hopping over traditional perimeter defenses and reaching users directly, through email (phishing) and websites (cross-site scripting and hijacked sites).
Attacks that go straight to users can be noise too, though. Some number of people will always click on phishing emails. The Verizon Data Breach Investigations Report showed that 30% of phishing messages are opened, up 7 percentage points from the year before.
Cyber Attacks Seek Privileged Access
However, the difference between one laptop compromised by malware sneaking in through email and the whole organization being owned comes down to one thing: privilege.
Here’s why. When the bad guy lands on that first laptop, he operates with the rights of the user who clicked on the email. Most of the time, that is not the person with direct access to the really sensitive data the attacker wants to steal. The way to get to the good stuff is to somehow grab higher-level privileges. Those privileges let the attacker move laterally off of that first laptop, hitting other systems until he finds the right information.
The other side of the privilege problem is that the enemy isn’t always called “bad guy”. Sometimes the enemy is called “employee”, and an insider threat solution is required.
Whether by accident or with bad intentions, employees can also use privileged access to cause harm. There’s nothing a firewall can do about that: the employee already has legitimate access to corporate systems.
Controlling Privileged Access in 3 Steps
There is, however, good news. Protecting privilege from cybercriminals (outsiders) and insider threats who abuse their power is actually pretty simple. It starts with three simple changes:
- We need to train staff with administrative rights that they will no longer have privileged access without a gate. They will still be able to do everything they did before, but there will now be an extra step. Explain that it’s similar to scanning their badges before they walk into the server room. Now they will scan a virtual badge before they can walk into a secure library where all the rights are stored. They can check out the credentials they need, everyone can see who checked out the credentials, and then the credentials are checked back in. It’s a small change, but it makes a big difference.
- We must put a program in place to aggressively rotate those credentials, even when they’re not in use. When someone checks out a credential, we must change the password when it gets checked back in or when the checkout expires. If that’s the only time we rotate, though, a password that a phishing attack scrapes off a laptop stays valid for as long as nobody checks the account out and back in, and the bad guys can still collect privileged rights and exploit them. If instead you’re rotating credentials all the time, the bad guys get the rug pulled out from underneath them. The good guys feel no ill effect: they get their rights from the secured library, which is updated every time the systems are. The bad guys trying to hijack credentials are out of luck. Before they can steal a password and use it to extract data, the password changes and the attacker is back to square one.
- Now that we have this power to control rights and privileges, we should integrate it with our other security systems so that everything works in a healthy, closed-loop process. You probably have analytics and logging solutions looking at security event data to find patterns. You would surely want to feed in all the data about who legitimately holds privilege right now. That leads to simple correlations. For example, an action performed with a privileged identity that was not checked out to an authorized user at that moment is suspicious. If you have solutions that detect malware and other incidents as they happen, you can automate a privileged credential change in response in near real time, with no operational impact. Again, the good guys get their rights from the secured library, so there is no impact on them if you spin a bunch of passwords in response to a possible threat.
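The three steps above, modeled end to end as an added example (this is illustrative code written for this page, not a product or the author's own tooling). A toy vault gates privileged passwords behind check-out and check-in, rotates them on check-in, on checkout expiry and on a fixed schedule, and exposes a query that a logging or analytics system can use to correlate privileged-account activity against the checkout record. The account names, users, hosts and authentication events are all constructed for the demonstration.

```python
"""Toy privileged-credential vault with check-out gating, rotation and
SIEM-style correlation. Constructed illustration only; every account,
user, host and log event below is made up for the example."""
from __future__ import annotations
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Checkout:
    account: str
    user: str
    start: datetime
    expires: datetime
    returned: Optional[datetime] = None

    def covers(self, user: str, when: datetime) -> bool:
        """True if this checkout authorizes `user` on the account at `when`."""
        end = self.returned if self.returned is not None else self.expires
        return self.user == user and self.start <= when <= end


class PrivilegeVault:
    """Hypothetical 'secure library': privileged passwords live here, admins
    check them out, every checkout is recorded, and passwords are rotated on
    check-in, on expiry and on a schedule (steps 1 and 2 of the post)."""

    def __init__(self, accounts, now: datetime,
                 ttl=timedelta(hours=1), rotate_every=timedelta(hours=4)):
        self.ttl, self.rotate_every = ttl, rotate_every
        self.passwords = {a: self._new_password() for a in accounts}
        self.last_rotated = {a: now for a in accounts}
        self.checkouts: list[Checkout] = []
        self.audit: list[tuple] = []   # who did what, visible to everyone

    @staticmethod
    def _new_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def rotate(self, account: str, now: datetime, reason: str) -> None:
        self.passwords[account] = self._new_password()
        self.last_rotated[account] = now
        self.audit.append(("rotate", account, reason, now))

    def checkout(self, account: str, user: str, now: datetime) -> str:
        """The gate: hand out the current password and record who holds it."""
        if account not in self.passwords:
            raise KeyError(f"unknown privileged account {account}")
        self.checkouts.append(Checkout(account, user, now, now + self.ttl))
        self.audit.append(("checkout", account, user, now))
        return self.passwords[account]

    def checkin(self, account: str, user: str, now: datetime) -> None:
        """Return the credential; the password it covered is rotated at once."""
        for co in self.checkouts:
            if co.account == account and co.user == user and co.returned is None:
                co.returned = now
        self.rotate(account, now, f"checkin by {user}")

    def expire(self, now: datetime) -> list[str]:
        """Rotate every account whose checkout lapsed without being returned."""
        rotated = []
        for co in self.checkouts:
            if co.returned is None and now > co.expires:
                co.returned = co.expires
                self.rotate(co.account, now, "checkout expired")
                rotated.append(co.account)
        return rotated

    def scheduled_rotation(self, now: datetime) -> list[str]:
        """Step 2: rotate even idle credentials once rotate_every has elapsed."""
        due = [a for a, last in self.last_rotated.items()
               if now - last >= self.rotate_every]
        for a in due:
            self.rotate(a, now, "scheduled")
        return due

    def authorized(self, account: str, user: str, when: datetime) -> bool:
        return any(co.account == account and co.covers(user, when)
                   for co in self.checkouts)


@dataclass
class AuthEvent:            # one line of a (constructed) authentication log
    when: datetime
    account: str
    user: str
    host: str


def find_unauthorized_use(vault: PrivilegeVault, events: list[AuthEvent]) -> list[AuthEvent]:
    """Step 3 correlation: a privileged account used outside any checkout that
    covers that user at that time is suspicious."""
    return [e for e in events
            if e.account in vault.passwords
            and not vault.authorized(e.account, e.user, e.when)]


def respond(vault: PrivilegeVault, alerts: list[AuthEvent], now: datetime) -> list[str]:
    """Automated response: spin the password of every flagged account."""
    rotated: list[str] = []
    for e in alerts:
        if e.account not in rotated:
            vault.rotate(e.account, now, f"suspicious use from {e.host}")
            rotated.append(e.account)
    return rotated


def demo() -> dict:
    t0 = datetime(2016, 6, 1, 9, 0)
    vault = PrivilegeVault(["CORP\\svc_backup", "root@db01"], now=t0)
    # alice legitimately checks the backup account out at 09:00, back in at 09:30.
    pw_before = vault.checkout("CORP\\svc_backup", "alice", t0)
    vault.checkin("CORP\\svc_backup", "alice", t0 + timedelta(minutes=30))
    pw_after = vault.passwords["CORP\\svc_backup"]
    # Four hours on, the untouched root@db01 password is rotated anyway.
    scheduled = vault.scheduled_rotation(t0 + timedelta(hours=4))
    # Constructed auth log: alice's use inside her checkout window, then the
    # same account and root@db01 used from a workstation with no checkout.
    events = [
        AuthEvent(t0 + timedelta(minutes=10), "CORP\\svc_backup", "alice", "backup01"),
        AuthEvent(t0 + timedelta(minutes=75), "CORP\\svc_backup", "alice", "wks-4471"),
        AuthEvent(t0 + timedelta(minutes=80), "root@db01", "mallory", "wks-4471"),
    ]
    alerts = find_unauthorized_use(vault, events)
    rotated = respond(vault, alerts, t0 + timedelta(minutes=81))
    return {"password_changed_on_checkin": pw_before != pw_after,
            "scheduled": scheduled,
            "alerts": [(e.account, e.user, e.host) for e in alerts],
            "rotated_on_alert": rotated}
```

The event at 10:15 is flagged even though it comes from a user who held the account an hour earlier: her checkout was returned at 09:30, so any later use means the password leaked or was reused. Because every legitimate operator fetches the current password from the vault, the rotations triggered by `respond` and `scheduled_rotation` cost them nothing.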
By automating privileged credential management and following the above steps, you can stay a step ahead of cyber criminals who leap over your network defenses.