Have your cake and eat it

by Mark Rowe

In a recently released report, the United States Department of the Interior announced that two dams, both vital to national security, are at increased risk of internal attacks because too many employees have access to admin accounts and standard industry practices are not being followed, writes Adam Bosnian, executive vice president, Americas at the security software company CyberArk.

The report finds that some former employees still have access to accounts even after they have left. It also finds that the agency isn’t conducting rigorous enough background checks for employees with high-level privileges. A troubling revelation indeed.

We continue to learn about new security gaps in the critical national infrastructure space, and in many other sectors. Of course, employees need a certain amount of privileged access to do their jobs effectively. However, best practices must always be followed, including granting an appropriate level of access for employees whilst also adhering to a ‘trust but verify’ process. Organisations can open themselves up to a whole host of risks if steps like this aren’t followed.

We shouldn’t underestimate how employees can completely disrupt an organisation from within. This is nothing new; cast your mind back to 1999, when a former employee with a pirated copy of control system software, coupled with a two-way radio transmitter, was able to cause chaos on a sewage system in Australia. This stopped pumps and alarms and caused thousands of gallons of sewage to flood into the nearby landscape.

You can’t always predict the actions of humans. Take Edward Snowden and Chelsea Manning as prime examples. But what you can predict is that hackers will find ways to hack into privileged access accounts to obtain sensitive information and exploit it. Having robust security controls in place has never been more imperative. In today’s fast-moving business climate, you can in fact have your cake and eat it when it comes to balancing both operations and security. Here are some tips for achieving this:

1. Identify and prioritise privileged access within the environment

To identify which accounts need to be safeguarded and which need to be restricted, it is important to assess the environment’s status. Once businesses know the full status of their privileged accounts, it is much easier to carve out a security plan to monitor and control access.

2. Tackle the highest risk access first

Once privileged access has been identified, the organisation can plan ahead for a privileged access security hygiene programme.

3. Enforce principles of credential boundaries

Categorise your assets into tiers according to criticality of systems and grant access to accounts that can authenticate into those assets. For example, Tier 0 are mission-critical assets; Tier 1 are any servers that do not fall into Tier 0; and Tier 2 include endpoint devices. Each tiered asset should only have accounts that are accessible within its tier. The idea behind this is that if an attacker compromises a workstation that is in Tier 2, they cannot move laterally to Tier 0 and 1 assets.
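One way to check these tier boundaries against logon records, as an added example that is not part of the original article. The host names, account names, log format and finding labels are all constructed for illustration.

```python
# Constructed inventory. Tiers follow the article: 0 = mission-critical assets,
# 1 = other servers, 2 = endpoint devices. Each account is assigned one tier.
ASSET_TIER = {"dc01": 0, "scada-hist01": 0, "app-srv07": 1, "ws-1142": 2}
ACCOUNT_TIER = {"adm0-jlee": 0, "adm1-jlee": 1, "svc-backup": 1, "jlee": 2}

# Constructed logon records, one per line: "<timestamp> <account> <host>".
SAMPLE_LOGONS = """\
2024-03-04T08:01:12Z jlee ws-1142
2024-03-04T08:05:40Z adm0-jlee dc01
2024-03-04T09:17:03Z adm0-jlee ws-1142
2024-03-04T09:30:55Z jlee app-srv07
2024-03-04T10:02:19Z svc-backup dc01
2024-03-04T10:44:00Z adm1-jlee app-srv07
2024-03-04T11:12:31Z tmp-contractor dc01
"""


def audit_logons(log_text, asset_tier=ASSET_TIER, account_tier=ACCOUNT_TIER):
    """Return (timestamp, account, host, finding) for every logon that
    breaks the rule that an account authenticates only within its own tier."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, account, host = parts
        a_tier = account_tier.get(account)
        h_tier = asset_tier.get(host)
        if a_tier is None or h_tier is None:
            # An account or host with no tier cannot be checked at all:
            # it is a gap in the inventory from tip 1.
            findings.append((ts, account, host, "unclassified"))
        elif a_tier < h_tier:
            # A more critical tier's credential used on a less critical asset,
            # where a compromise of that asset could capture it.
            findings.append((ts, account, host, "credential-exposure"))
        elif a_tier > h_tier:
            # A less critical tier's account reaching a more critical asset.
            findings.append((ts, account, host, "upward-access"))
    return findings


if __name__ == "__main__":
    for ts, account, host, finding in audit_logons(SAMPLE_LOGONS):
        print(f"{ts} {finding:20} {account} -> {host}")
```
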

4. Promote cyber hygiene best practices

Last and by no means least, it’s one thing to have the proper tools – it’s another thing entirely to utilise those tools strategically to the business’s best advantage. Password vaulting and management, isolation of privileged account access and limiting the number of users with administrative privileges all combine to reduce the organisation’s attack surface.

Removing passwords from the hands of admins, so that they don’t have to remember passwords, write them down on sticky notes or save them in easily accessed documents, makes their lives easier – an operational win. Vaulting those passwords and securing credentials where they are not easily breached or stolen is a win for security. Organisations today do not need to compromise on choosing between the two, if they use the right tools in the right setting.

Savvy cyber attackers will always try to find a way in through endpoint devices and by exploiting weak privileged access controls. The key for organisations today is to mitigate the risks with thorough ‘trust but verify’ access controls, as well as taking every means possible not to sacrifice security for the sake of faster operations.

© 2024 Professional Security Magazine. All rights reserved.