Peter Draper, Technical Director
EMEA, Gurucul
It’s widely accepted by today’s
cybersecurity departments that many
serious data breaches can be traced
back to the abuse of privileged
credentials and yet teams still struggle
to integrate this realisation into day-to-day
operations.
On the face of it, this shouldn’t be
happening. Organisations have been
making big investments in IT security
tools such as Security Information and
Event Management (SIEM), next-generation
firewalls and intrusion prevention
systems (IPS), as well as a variety of
anomaly detection systems, email and
web filtering and Data Leak Prevention
(DLP). Despite this, data breaches
continue to plague companies, with new
avenues for attack appearing such as
unsecured Remote Desktop Protocol
(RDP) and VPN servers, oiled by a
steady flow of software vulnerabilities,
including ‘surprise’ zero days.
Organisations feel compelled to
open their networks to cope with an
increasingly mobile, remote workforce,
to the cloud and IoT, and to enable a
complex web of remote access used by
suppliers and service providers. Many
of those connections, including those
to cloud applications, are accessed
using powerful privileged account
credentials that represent a security risk.
These accounts are difficult to find and
controlling and monitoring access to
them is challenging.
From the attacker’s side, compromising
these privileged account credentials
to access sensitive systems is little
more than a percentages game. With
so many avenues to target them –
social engineering, phishing attacks,
zero days and collaboration with
malicious insiders – penetrating an
organisation’s network is about patience.
If at first you don’t succeed, keep trying
because it’s a certainty that a new
weakness will emerge.
Once armed with the credentials to
get behind an organisation’s defences,
attackers look to grab what they can,
such as SSH keys, certificates and
domain admin hashes to move laterally
on the network. It’s a despairing thought
that among the thousands of privileged
accounts attackers might aim for, it takes
only one to seed a major data breach
that brings an organisation to its knees.
Privileged Access
Management (PAM)
This isn’t just about threats from outside
the organisation, but the ones emanating
from inside it too. According to Gurucul’s
Cybersecurity Insiders’ 2020 Insider
Threat Report, security professionals
are well aware of the threat posed by
unsecured privileged accounts, with
63% agreeing that privileged users
pose the biggest risk from inside an
organisation and 68% saying they felt
vulnerable to insider attacks generally.
Almost all of these organisations will
have deployed multiple layers of security
solutions to contain threats from outside
the organisation, but conventional
perimeter tools cannot tell legitimate use
of a valid privileged credential from its
misuse. When the same attack scenarios
are modelled from inside the network,
there is often no defence at all.
A major problem hindering organisations
has been the inherent difficulty in
identifying and securing privileged
accounts, including those in the cloud.
Consequently, many invested in Identity
and Access Management (IAM). While
IAM is good at managing user identities
tied to a known person, it struggles to
cope with identities that aren’t defined in
this way such as admin accounts used
to manage IT resources. Finding these
www.intelligentciso.com | Issue 24
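The closing paragraph turns on the difficulty of identifying privileged accounts, in particular the admin and service accounts that no named person in an IAM directory maps to. As an added example, not code from the article or from Gurucul, the following Python inventories such accounts from Linux-style account files: it treats UID 0, membership of a root-equivalent group (including primary group membership, which /etc/group alone does not show) and a direct sudoers rule as paths to privilege, then flags every privileged account that is absent from a list of known people. The passwd, group and sudoers fragments and the KNOWN_PEOPLE set are all constructed sample data, and the choice of privileged groups is an assumption a site would tune.

```python
"""Inventory privileged accounts and flag those not tied to a known person.

Added example. All account data below is constructed, not taken from a
real system, and PRIVILEGED_GROUPS is an assumed baseline to adjust per site.
"""

from collections import defaultdict

# Constructed /etc/passwd-style records.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
deploy:x:1002:1002:CI deploy account:/home/deploy:/bin/bash
backup-svc:x:1003:1003::/var/lib/backup:/bin/sh
toor:x:0:0:legacy admin:/root:/bin/bash
"""

# Constructed /etc/group-style records.
GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
"""

# Constructed sudoers fragment.
SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
backup-svc ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# Constructed HR / IAM export: identities that map to a named person.
KNOWN_PEOPLE = {"alice", "bob"}

# Assumed root-equivalent groups for this example.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel"}


def parse_passwd(text):
    """Return {name: (uid, gid, gecos)} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, _home, _shell = line.split(":", 6)
        accounts[name] = (int(uid), int(gid), gecos)
    return accounts


def parse_group(text):
    """Return {group: (gid, set(members))} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_sudoers(text):
    """Return user names granted a rule directly in sudoers.

    Group rules (%name) and Defaults lines are skipped; group-based
    privilege is picked up through the group file instead.
    """
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%", "Defaults")):
            continue
        users.add(line.split()[0])
    return users


def privileged_accounts(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Return {account: [reasons]} for every account with a path to root."""
    accounts = parse_passwd(passwd)
    groups = parse_group(group)
    sudo_users = parse_sudoers(sudoers)
    reasons = defaultdict(list)
    for name, (uid, gid, _gecos) in accounts.items():
        if uid == 0:
            reasons[name].append("uid 0")
        for gname in sorted(PRIVILEGED_GROUPS):
            if gname not in groups:
                continue
            ggid, members = groups[gname]
            # Primary group membership is recorded in passwd, not in the
            # group's member list, so both must be checked.
            if name in members or gid == ggid:
                reasons[name].append(f"member of {gname}")
        if name in sudo_users:
            reasons[name].append("direct sudoers rule")
    return dict(reasons)


def unowned_privileged_accounts(known_people=KNOWN_PEOPLE, **kw):
    """Privileged accounts that no known person maps to: shared root,
    service and deployment accounts that need an owner or a vault."""
    return {n: r for n, r in privileged_accounts(**kw).items()
            if n not in known_people}


if __name__ == "__main__":
    for name, why in sorted(unowned_privileged_accounts().items()):
        print(f"{name:12} {', '.join(why)}")
```

Run against the constructed data, the two human admins drop out and the shared root account, a forgotten second UID 0 account, a CI deployment account in the sudo group and a backup service account with a NOPASSWD rule remain. Those four are exactly the identities the paragraph says IAM struggles with, and the same three checks extend naturally to cloud role assignments once the data source changes.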