Steps for securing privileged access

by Mark Rowe

In the digital economy, privileged accounts, credentials and secrets are far-reaching—on-premises, in the cloud, on endpoints and across multiple DevOps environments, writes David Higgins of CyberArk, a cyber and Privileged Access Management product company.

Security breaches of sensitive data, ranging from customer records to intellectual property, more often than not involve the use of stolen privileged credentials. So, what can organisations do this year to tighten privileged access security to reduce risk from attackers and malicious insiders? The first step has to be reducing privileged access risk. Below, I offer my tips and recommendations for how to drive down risk, in 2019 and beyond.

1. Eliminate irreversible network takeover attacks. Irreversible takeover attacks refer to incidents where the only viable resolution is to rebuild the affected environment. For example, savvy hackers can ruin organisational networks and create long-term damage by gaining access to domain controllers. IT teams must move privileged credentials associated with all tier 0 and tier 1 assets—such as domain controller accounts—to a centralised and automated system. Multi-factor authentication (MFA) must then be implemented to protect it.

2. Control and secure infrastructure accounts. Businesses must control and secure access to their on-premises and cloud infrastructure accounts—from server admin accounts to database instance accounts—because these are some of the riskiest keys to any IT kingdom. Furthermore, businesses must vault all well-known infrastructure accounts and automatically rotate passwords periodically and after every use.

3. Limit lateral movement. Attackers follow patterns – stealing credentials and moving laterally across the infrastructure to carry out their goals. To limit attackers’ movement, organisations have to reduce local admin rights on IT Windows workstations to stop credential theft.

4. Protect credentials for third-party applications. Attackers increasingly target third-party vendors such as business services, management consultants, legal counsel, facilities maintenance support, logistics companies and more, as their applications and IT systems are often less sophisticated and their security defences are easier to infiltrate. To minimise risk, it’s important to vault all privileged credentials used by third-party applications and vendors. IT teams must be sure credentials are rotated frequently.

5. Manage *NIX SSH keys. SSH keys are gold to an external attacker or malicious insider, as they can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. The associated private keys need to be secured in a vault. After vaulting, keys should be routinely rotated based on policy and appropriate monitoring put in place to detect any attempts to circumvent the privileged access controls.

6. Defend DevOps secrets in the cloud and on-premises. DevOps teams have the “need for speed.” Their tools and coding methods shouldn’t compromise privileged access security. Businesses must vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, secrets used by CI/CD tools such as Ansible, Jenkins and Docker should be securely stored in a vault, while allowing them to be retrieved on the fly, automatically rotated and managed – avoiding the need to use disparate key storage locations which prove difficult to manage and monitor.

7. Secure SaaS admins and privileged business users. Cyber criminals steal credentials used by SaaS administrators and privileged business users to get high-level and stealthy access to sensitive systems. To prevent this kind of attack, IT teams must isolate all access to shared IDs and require MFA in order to establish a session under such an account. They must also monitor and record sessions of SaaS admins and privileged business users.

8. Invest in periodic Red Team exercises to test defences. In order to stay a step ahead of advanced cyber manoeuvres, it’s critical to adopt an attacker’s mindset. When businesses hire and operate their own Red Team or hire an outside firm, the drills will be as real as possible.

9. Invest in a tool to periodically measure reduction in privileged security risk. Measurement of risk and maturity is a critical capability. If a business is not gauging and adjusting for risk and change, it can’t focus and know if enough has been done or understand the effectiveness of previous security controls. This should also include measuring the effectiveness of previous risk analysis activity, so our assessments of the business risk are continually calibrated.

10. Utilise MFA. Passwords are crackable, findable and sharable. MFA that requires “something you have” and “something you know” exponentially decreases compromise. It’s important that businesses ensure a privileged access management solution heavily leverages MFA to enhance the protection invested in.

The new year presents a renewed opportunity for businesses to re-evaluate and strengthen their cyber security posture. This has to start with securing privileged access as the first port of call, to ensure that critical applications are accessed by the right people at the right time. 2019 has to be the year that we take further measures to mitigate insider threat.

© 2024 Professional Security Magazine. All rights reserved.