Everyone knows the bad guys are breaching the walls, but no one wants to talk about it. Don’t get me wrong – traditional network defenses like firewalls and anti-malware are of course required as tried and tested methods to defend companies from cyber attack.
But a distinction has to be made when it comes to how far these can go towards overall organisational security, because all they do is keep out noise. In other words, they only prevent the low-skilled attacks that will always be out there looking for easy targets.
In fact, attacks doing damage beyond the network perimeter – even to organisations that aren’t such easy targets – are simply hopping over the traditional defenses by connecting to users through channels they use for everyday business, email (SPAM & phishing) and websites (cross site scripting and hijacked sites).
Attacks that skip the defenses and go right to users can be noise too, though. It is true that some number of people will always click on phishing emails – The Verizon Data Breach Investigation Report showed that 30% of phishing messages were opened – up 7% from the year before.
However, the difference between one laptop being compromised by malware sneaking in through email and the whole organisation being owned by an attacker through that email attack comes down to one thing: privilege.
For example, when the bad guy lands on the first laptop, he is operating as the user that clicked on the email. Most of the time, this is not the person who has direct access to the really sensitive data that the attacker would love to steal.
The way to get to the good stuff is to somehow grab higher level privileges. Those privileges let the attacker move laterally off of that first laptop, to start hitting other systems to find the information that the cybercriminal wants.
Indeed, the other side of the privilege problem is that the enemy isn’t always called 'bad guy' – sometimes the enemy is called 'employee.' Whether by accident or bad intentions, employees can also use privilege to harm the businesses they work for and there’s nothing a firewall could ever do about that since they walked in through the front door and already have basic access to the corporate systems.
There is, however, good news: protecting privilege from cybercriminals (outsiders) and insiders who might abuse power is actually pretty simple, and it starts with three simple changes:
First, we need to train staff, especially staff that has administrative rights, that they won’t have access to the power to do harm all the time without a gate. They will still be able to do everything they did before, but there will be an extra step.
They can think of it as scanning their badge before they walk into the server room. Now they will scan their virtual badge before they can walk into a secure library where all the rights are stored.
They can check out the power they need, everyone will be able to see who has it checked out, and then it will get checked back in where they’re done. It’s a small change, but it makes a big difference.
Second, we put a program in place to aggressively rotate those rights and credentials even when they’re not in use. When someone checks out some credential, we would change the security for that (e.g. the password) when it gets checked back in or when the checkout expires.
If that’s the only time we rotate that security on that system, though, that means the bad guys can get in through an email and start collecting rights from where they live to use later. However, if you’re rotating them all the time, then the bad guys get the rug pulled out from under them.
The good guys have no ill effect because they’re getting their rights from the secured library, which also gets updated every time the systems do.
The bad guys trying to hijack them right off the systems are out of luck because before they can get them out and use them to extract data, the security has been changed and they’re back to square one.
Third, now that we have this power to control rights and privileges we should hook it up to our other security systems to make sure everything is working in a healthy, closed loop process.
If you have analytics and logging solutions looking at all the security event data to find patterns, then you would surely want to throw in all the data about who has privilege legitimately. That leads to simple correlations – like an action that takes place using a privileged identity that was not currently checked out to any authorised user is suspicious.
If you have solutions that are detecting malware and other incidents as they happen, you can automate a privileged response in near real-time with no operational impact. Again, since the good guys and the approved processes are getting their rights from the secured library, there’s no impact on them if you go spin a bunch of security settings in response to a possible threat.
By automating privileged password management and following the above steps, organisations can stay a step ahead of cybercriminals as they attempt to leap over network defences and move around laterally within an organisation’s systems.
Sourced from Jonathan Sander, VP of product strategy, Lieberman Software