Is privileged access management (PAM) still overly complex? asks Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, the cyber security product company.
Cyber-criminals have a huge arsenal of tools at their disposal and an almost endless variety of system vulnerabilities they can exploit to breach their targets. In most cases however, security incidents can be traced back to the use of compromised user accounts. Indeed, the Verizon 2018 Data Breach Investigations Report found that 81 percent of data breaches involved the use of stolen or weak passwords.
Threat actors will often start by targeting ordinary users with phishing attacks designed to trick them into sharing their login credentials. Once this has been achieved, the attacker can use those credentials to access the system, where they can often remain undetected for months at a time. Moving about in the guise of a legitimate user, attackers can covertly exfiltrate confidential and mission-critical data, or install malware that will facilitate larger attacks later.
The intruder can also work to escalate their access by gaining control of a privileged account, making them exponentially more dangerous. These superuser accounts have many elevated powers and permissions which can wreak havoc in the wrong hands. Attackers can use their powers to create or modify other user accounts, access any machine on the network, and trawl through the most confidential data at their leisure.
Protecting privileged accounts
Once an attacker has access to a privileged account, they can do a huge amount of harm to the organisation before it has the chance to stop them. They are free to bypass normal security controls and access sensitive data or install malware anywhere on the network. Further, superusers have the power to erase audit trails and destroy evidence, greatly increasing the invader’s ability to evade detection and obfuscate their activity from investigators.
Despite the dire threat posed by a compromised privileged account however, it is common to find the management and security of these accounts is minimal at best. In many cases, accessing a superuser can be as simple as searching through a hijacked user’s inbox to find the privileged account’s login details. Employees are often fairly ignorant about what privileged accounts are or what they can do, even if their role sees them access the accounts themselves.
Organisations need to ensure there are strong policies in place to govern how privileged accounts are accessed and used. Implementing a Privileged Access Management (PAM) solution can also go a long way in controlling and limiting superusers by enabling organisations to actively monitor sessions and establish time limits. Despite this utility however, PAM has a longstanding and scary reputation among many IT professionals for being complex, which means some organisations have avoided the solution.
PAM’s complex past
The lingering complex reputation for PAM solutions dates back to an earlier time when cyber security and IT in general were quite different affairs. Legacy PAM software often struggled with being overly complicated, leading to needlessly difficult and lengthy implementation. Installations could take several months to finish, with some cases taking years or simply remaining incomplete. Alongside the time they took up, these older iterations could also be extremely resource heavy, requiring the efforts of multiple expensive specialists.
As a result of these issues, many IT teams decided that PAM was not worth the bother, while those that persevered are still bitter about all the grief the process caused them. It should be remembered that most of these experiences stem from a different era of security, where organisations could more comfortably rely on their firewall to keep attackers away from their networks and privileged accounts.
Flash forward several years, and it is readily apparent that the traditional perimeter approach is no longer effective. Attackers can exploit multiple different approaches to gain control of login credentials and skirt around defences, particularly with the advent of remote working. Once an intruder is inside the network, perimeter-focused security strategies can do little to detect or stop them.
While many IT veterans may still bear well-earned grudges against PAM tools that caused them months of headaches, they can no longer afford to shun the approach in the current security climate. The good news is that PAM solutions have evolved to become much easier to implement and use, and many are now designed for out-of-the-box deployment, enabling IT teams to get them up and running quickly without the need for expensive specialists. The best modern PAM tools are also built to be flexible and scale with the organisation as it grows and its security needs change.
Organisations can also greatly improve their experience installing and using PAM tools with the right groundwork. PAM works best when coupled with strong policies and user awareness about how privileged accounts are accessed and used. It is also important to conduct a thorough audit to identify all current accounts with elevated powers. This process can actually be beneficial even before the PAM solution is implemented, as it can help turn up signs of past account abuse that may have gone unnoticed.
Although some IT heads may still feel compelled to delay PAM, carrying out the proper preparation and choosing the right solution will enable them to gain full control over their privileged accounts without reliving the pain.