During the past couple of years, we've witnessed a series of devastating data breaches affecting some of the world's most renowned businesses, with each breach inflicting staggering costs in terms of financial and reputational damage.
What's less well known, though, is that many of those breaches began with an exploit of a single, unsecured privileged account and escalated to eventually gain control over the network. Every large enterprise, whether on-premises or in the cloud, is home to potentially hundreds of thousands of vulnerable privileged accounts.
Keys to the IT Kingdom – Privileged Identities
Privileged identities are the keys to the IT kingdom. They provide the access needed to view and extract data, alter system configuration settings, and run programs on just about every IT asset in an enterprise.
Almost every account on a network has some level of privilege associated with it and is therefore vulnerable to exploitation. In fact, there are so many privileged accounts in large enterprises that many organizations don't know where all of their privileged accounts reside or who has access to them.
Compounding the problem, privileged identities are often shared among IT administrators, with credentials that are rarely – if ever – changed. It's the classic example of too many people having too much access for far too long.
Contrary to assumption, privileged identities are not managed by Identity and Access Management (IAM) products. Meanwhile, conventional perimeter security tools like next-generation firewalls protect against known threats but react too late against new, advanced persistent threats and zero-day attacks. Therefore, privileged credentials must be managed by software that's separate from IAM and perimeter security.
Cyber attackers need privileged access to carry out their illicit plans, whether it's to install malware or key loggers, steal or corrupt data, or disable hardware. That's why privileged credentials are in such high demand among hackers. In fact, recent research conducted by Mandiant revealed that 100% of the data breaches they investigated involved stolen credentials.
A data breach can begin with just one compromised privileged account. Here's how such "land and expand" cyber attacks work:
· Criminal hackers or malicious insiders exploit an unsecured privileged account to gain persistent access.
· Once the hackers gain a foothold in the network, remote access kits, routers, and key loggers are installed.
· From there, the attackers look for SSH keys, passwords, certificates, Kerberos tickets, and hashes of domain administrators on compromised machines.
· When they have these stolen credentials, the hackers can anonymously move from system to system on the network, and extract data at will.
Next-Generation Privilege Management
A truly secure environment requires privileged identities on all systems to be discovered and managed. However, because of the sheer number of privileged accounts in a large enterprise, this can seem overwhelming.
With new types of IT security solutions, like privileged access management (PAM), organizations can automatically discover privileged accounts throughout the enterprise (on-premises and in the cloud), bring those accounts under management, and audit access to them.
Automated PAM products ensure that each privileged credential is updated as frequently as necessary, even every couple of hours. This negates the damage inflicted by zero-day attacks and other advanced threats: even if an intruder compromises a credential, it has a limited lifetime and is not shared among multiple systems, so the stolen credential cannot be leveraged to leapfrog between systems.
Best of all, the land and expand attack is stopped in place.
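An added audit sketch, not Lieberman Software's code, that checks a constructed privileged-account inventory for the two conditions the paragraph above says rotation eliminates: a credential older than the rotation policy, and one credential fingerprint reused on several systems. The hostnames, secrets and the 24-hour policy value are constructed placeholders.

```python
"""Audit a privileged-account inventory for long-lived credentials and for one
credential shared across systems. Constructed sample data for illustration only;
this is not any vendor's product code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class PrivilegedAccount:
    system: str                  # host or service that holds the account
    name: str                    # e.g. root, Administrator, a service account
    credential_fingerprint: str  # hash of the secret; the audit never stores the secret
    last_rotated: datetime


def fingerprint(secret: str) -> str:
    """Keep only a truncated SHA-256 so the inventory itself is not a credential store."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def find_stale(accounts, now, max_age):
    """Accounts whose credential has outlived the rotation policy."""
    return [(a.system, a.name) for a in accounts if now - a.last_rotated > max_age]


def find_shared(accounts):
    """Fingerprints present on more than one system: the lateral-movement path."""
    systems_by_fp = {}
    for a in accounts:
        systems_by_fp.setdefault(a.credential_fingerprint, set()).add(a.system)
    return {fp: sorted(s) for fp, s in systems_by_fp.items() if len(s) > 1}


# Constructed inventory (hypothetical hosts and secrets).
NOW = datetime(2016, 4, 1, tzinfo=timezone.utc)
ROTATION_POLICY = timedelta(hours=24)  # assumed policy; the article cites even a few hours
INVENTORY = [
    PrivilegedAccount("db01", "root", fingerprint("Spring2015!"), NOW - timedelta(days=400)),
    PrivilegedAccount("web01", "root", fingerprint("Spring2015!"), NOW - timedelta(days=400)),
    PrivilegedAccount("dc01", "Administrator", fingerprint("unique-secret-1"), NOW - timedelta(hours=3)),
    PrivilegedAccount("jump01", "svc_backup", fingerprint("unique-secret-2"), NOW - timedelta(hours=1)),
]


def audit(accounts=INVENTORY, now=NOW, max_age=ROTATION_POLICY):
    """Return both findings; empty results mean the inventory meets the policy."""
    return {"stale": find_stale(accounts, now, max_age), "shared": find_shared(accounts)}


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind, findings)
```

The two root accounts fail both checks at once, which is exactly the shared, rarely changed credential the article describes; the two recently rotated, unique accounts produce no findings.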
About the Author: Jonathan Sander is VP of Product Strategy for Lieberman Software. As such, he is responsible for working with sales, marketing, product development and the channel to steer the direction of the company through corporate development and product management. His talk, "When Firewalls Crumble: Cyber Defense Beyond the Perimeter," will be presented at InfoSec World 2016 on Monday, April 4th.