Privilege Access Management – Moving Front Lines of Cyber Security

Posted by forteadmin in Cyber Security

Dear friends,

I don’t always have the privilege of welcoming an old friend and good colleague into the Forte Advisory Network and introducing them to you all, but today is such a day. Dipak Rath, Sr. Manager of Security Ops at The Home Depot, has graciously accepted my challenge to write this guest blog post, and has not only one-upped me, he has 3 more blog posts in this series that you will find posted here in the weeks ahead.

Dipak joined The Home Depot just before the well-known data breach and has learned more through those experiences than many of us might learn in an entire career in the industry. Today he shares his thoughts on the real insider threats, and I’m looking forward to what he’ll bring to us next!

Steve

@stevetout @forteadvisory

—————————-

It is clear to me, and to many IT security leaders around the world, that targeted attacks and information security breaches share a common link: the exploitation of privileged accounts. Privileged accounts give control over sensitive data, such as PII (Personally Identifiable Information) or credit card data, and over the IT systems that hold it. They are present in every organization and are often overlooked, which leaves them open to being turned into powerful weapons in an attacker’s hands. It has become evident that privileged accounts are widely abused in cyber-attacks of increasing sophistication.


I’m convinced, beyond doubt, that the front line for securing organizations has moved. The network perimeter is no longer the battlefront; the fight is within the enterprise, inside the network. FBI Director Robert Mueller put it this way in 2012: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”

Now let’s review a few key findings from recent cyber-attacks. In most of them, the exploitation of privileged accounts let the attack proceed faster, more easily and with a lower risk of detection. These accounts also helped attackers destroy evidence of their activity and establish multiple access points and backdoors, making it nearly impossible to evict them from internal networks.

In summary, three key findings emerge from the recent targeted cyber-attacks:

Finding #1: Every organization is fair game and can be in the crosshairs of the attackers.

Finding #2: Attackers will make their way in and exploit stealthily, at a pace that maximizes their intended outcome.

Finding #3: Attackers hanker for privileged access, which many organizations struggle to manage and secure.


Finding #1: Every organization is fair game and can be in the crosshairs of the attackers

Every single company is now a potential target. Cyber attackers have broadened their targets, attacking companies of all sizes across a broad range of industries. We have seen many motives and many types of attackers: hacktivists seeking to further their cause and get media attention, state-sponsored espionage to steal intelligence, and criminals going after credit card or PII data that can be sold on the black market. In today’s connected business world, everyone is a potential target; an attack can take place in any organization in the supply chain and move laterally across organizational boundaries. Attackers have expanded their sights to include companies in retail, media, energy, financial institutions, banks, manufacturing and IT services, among others.


The IT systems of SMEs (Small and Medium Enterprises) are usually less mature and their security defenses easier to infiltrate. Consequently, attackers often target such companies in the supply chain of larger companies, with the ultimate goal of attacking the larger companies through them.


Finding #2: Attackers will make their way in and exploit stealthily, at a pace that maximizes their intended outcome

Attackers do extensive research and reconnaissance of the target organization’s IT environment, security tools and people in positions of power. They look for unpatched software, improperly configured servers or any other technical vulnerability to gain entry. Attackers are also known to customize malware so it circumvents anti-virus software, firewalls and other perimeter security tools. They have become persistent and determined to infiltrate, and when all else fails they can exploit a rare zero-day vulnerability. Infiltration through phishing has been particularly problematic: it is easier to get into the environment by phishing than by brute-force attacks. Attackers research an organization’s employees extensively and have upped their game with sophisticated, credible phishing campaigns that enjoy a high success rate.

Once in, attackers stay under the radar for months or years, averaging six to eight months undetected. One reason they go undetected for so long is that the breached organizations are not looking for the problem; often the breach comes to light only when the FBI or the Secret Service recover the stolen data from an exfiltration site. The attacker’s approach is to lie low and blend in with the legitimate users of the system.


Finding #3: Attackers hanker for privileged access, which many organizations struggle to manage and secure

Attackers particularly want to exploit privileged accounts because they are the easiest way to move laterally across applications, systems and databases. Privileged credentials are harvested in quite a few ways: exploiting unpatched software vulnerabilities, or installing keylogger or memory-scraping malware on a privileged user’s workstation, to name a few. Accessing systems through privileged accounts saves attackers a great deal of effort and time, with very low risk of detection.


To make things worse, many organizations do not know which users have access to which sensitive data and IT systems, which makes tracking and monitoring privileged accounts a significant challenge. The IT landscape has changed drastically with the proliferation of corporate data and applications in the cloud, on mobile devices and in social media. Research has shown that most organizations have three to four times as many privileged accounts as employees. A majority of these are service accounts that enable system-to-system access, and they are unfortunately granted broad privileges, often with administrative rights over many systems. Sometimes organizations leave the default password in place, falsely reassured that the account will only be used internally. Service accounts are usually not monitored proactively, so if a threat actor compromises one and uses it to enumerate systems, they can spread rapidly and extensively with low risk of detection.
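As an added example for the two points above (privileged accounts as the lateral-movement vehicle, and unmonitored, over-privileged service accounts), here is a small Python audit. It is not the author’s or The Home Depot’s code, and it runs over constructed, invented account and logon data. It performs four checks: service accounts sitting in admin groups, service accounts whose password is stale or appears never to have been rotated (the heuristic assumed here is that the directory’s pwdLastSet still equals whenCreated), human-style logons by service accounts, and a service account fanning out to many hosts within a short window. The Windows event 4624 logon-type numbers are real; the group list, thresholds and every account and host name are assumptions.

```python
"""Service-account audit and logon-monitoring heuristics.

Added example for this post with constructed sample data; not a tool from the
author or from The Home Depot. All account and host names are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Windows event 4624 logon types: a service account should only produce Network (3),
# Batch (4) or Service (5) logons. Interactive (2), Unlock (7), RemoteInteractive/RDP
# (10) and CachedInteractive (11) mean a human is holding the credential.
HUMAN_LOGON_TYPES = {2, 7, 10, 11}
# Assumed set of groups that confer administrative rights in this example.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


@dataclass
class Account:
    name: str
    kind: str                    # "user" or "service"
    groups: List[str]
    created: datetime            # directory whenCreated
    password_last_set: datetime  # directory pwdLastSet


@dataclass
class LogonEvent:
    time: datetime
    account: str
    logon_type: int
    host: str


def service_names(accounts: List[Account]) -> set:
    return {a.name for a in accounts if a.kind == "service"}


def over_privileged_service_accounts(accounts: List[Account]) -> List[str]:
    """Service accounts that are members of a built-in or domain admin group."""
    return sorted(a.name for a in accounts
                  if a.kind == "service" and set(a.groups) & ADMIN_GROUPS)


def password_hygiene(accounts: List[Account], now: datetime,
                     max_age_days: int = 365) -> Tuple[List[str], List[str]]:
    """Returns (stale, never_rotated). pwdLastSet equal to whenCreated is the
    heuristic used here for 'still on its initial/default password'."""
    stale, never_rotated = [], []
    for a in accounts:
        if a.kind != "service":
            continue
        if a.password_last_set == a.created:
            never_rotated.append(a.name)
        elif now - a.password_last_set > timedelta(days=max_age_days):
            stale.append(a.name)
    return sorted(stale), sorted(never_rotated)


def interactive_service_logons(accounts: List[Account],
                               events: List[LogonEvent]) -> List[LogonEvent]:
    """Human-style logons by service accounts: someone is using the credential."""
    svc = service_names(accounts)
    return [e for e in events if e.account in svc and e.logon_type in HUMAN_LOGON_TYPES]


def rapid_host_fanout(accounts: List[Account], events: List[LogonEvent],
                      window: timedelta = timedelta(hours=1),
                      min_hosts: int = 3) -> Dict[str, int]:
    """Service accounts reaching >= min_hosts distinct hosts inside one sliding
    window (the fast enumeration the text describes); value is the peak count."""
    svc = service_names(accounts)
    by_account: Dict[str, List[LogonEvent]] = {}
    for e in events:
        if e.account in svc:
            by_account.setdefault(e.account, []).append(e)
    flagged: Dict[str, int] = {}
    for name, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):  # evs[i:] is already >= start.time
            hosts = {e.host for e in evs[i:] if e.time - start.time <= window}
            if len(hosts) >= min_hosts:
                flagged[name] = max(flagged.get(name, 0), len(hosts))
    return flagged


# Constructed sample data (not from any real environment).
NOW = datetime(2016, 3, 1, 12, 0)
ACCOUNTS = [
    Account("svc_backup", "service", ["Domain Admins"], datetime(2013, 6, 1), datetime(2013, 6, 1)),
    Account("svc_sql", "service", ["SQL Operators"], datetime(2012, 5, 1), datetime(2014, 1, 15)),
    Account("svc_web", "service", ["IIS_IUSRS"], datetime(2015, 11, 1), datetime(2015, 12, 1)),
    Account("jdoe", "user", ["Domain Users"], datetime(2010, 2, 1), datetime(2016, 1, 10)),
]
EVENTS = [
    LogonEvent(datetime(2016, 3, 1, 2, 0), "svc_backup", 5, "BACKUP01"),    # expected service logon
    LogonEvent(datetime(2016, 3, 1, 2, 5), "svc_backup", 10, "FILESRV03"),  # RDP by a service account
    LogonEvent(datetime(2016, 3, 1, 2, 10), "svc_backup", 3, "FILESRV04"),
    LogonEvent(datetime(2016, 3, 1, 2, 12), "svc_backup", 3, "FILESRV05"),
    LogonEvent(datetime(2016, 3, 1, 2, 14), "svc_backup", 3, "DC01"),
    LogonEvent(datetime(2016, 3, 1, 8, 0), "jdoe", 2, "WS-JDOE"),           # a person; not a service account
    LogonEvent(datetime(2016, 3, 1, 9, 0), "svc_sql", 5, "SQL01"),
]

if __name__ == "__main__":
    print("over-privileged:", over_privileged_service_accounts(ACCOUNTS))
    print("stale / never rotated:", password_hygiene(ACCOUNTS, NOW))
    print("human logons:", [(e.account, e.logon_type, e.host)
                            for e in interactive_service_logons(ACCOUNTS, EVENTS)])
    print("fan-out:", rapid_host_fanout(ACCOUNTS, EVENTS))
```

Of the four checks, the logon-type one pays off fastest in practice: a service account should never produce an Interactive or RemoteInteractive logon, so even a single such event is worth an alert, whereas the fan-out threshold has to be tuned against each account’s normal behaviour before it is trusted.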


In short, organizations that take cybersecurity seriously operate under the assumption that they have already been breached, and they know that the last line of defense before a data breach is protecting privileged accounts from compromise. Managing privileged accounts helps ensure that the front lines are well protected wherever they may be inside your network.

Dipak is a Sr. Manager of Security Operations at The Home Depot with in-depth experience leading global InfoSec programs for organizations including Coca-Cola, Home Depot, Hydro Quebec, and AutoTrader.com. Dipak has specialized in all practical categories of InfoSec, including security strategy and risk, risk management, policies and standards, governance and compliance, and roadmap and implementation planning.
