Why Do We Continue to Have Data Breaches?

Morey Haber, December 6th, 2017

Data breaches are all around us, as well as other cyber tragedies like WannaCry, Mirai, and Petya. Household names like FedEx, Maersk, Deloitte, Equifax, Nuance, and Sony have all been victims of recent cybersecurity breaches. The daily press is draining, but there is something that can be learned from all the facts that can help all those involved in security become more secure and hopefully stop the daily barrage of breaches and headline news.

First, statistics are great! They are a valuable commodity in a discussion to formalize a point and validate a position. Many times, others will question the source, accuracy, or even meaning of a statistic to skew the results. A statistic taken out of context, or viewed on its own, can lead to very misleading results. The point is statistics drive everything from social initiatives to new product development. The methodologies to collect and develop them are a science. They can help us explain why we continue to have breaches.

So what are good sources for statistics? Security professionals may turn to vendors, analysts, or the government for results such as the Verizon Data Breach Investigations Report or our yearly cybersecurity survey. While the data is compelling, in the end, users are still just arguing with percentages, case studies, and data that is normally quantifiable as a single sentence. For example, 76% of users admit to not changing default passwords. The fact speaks for itself, but it gives no rhyme or reason for why this is done, and no acknowledgement of why the security best practice of changing them is being ignored. The answer lies above the science of statistics. It is due to user behavior, and that begins to explain our problem.

In our recent survey, The 5 Deadly Sins of Privileged Access Management, we discovered and confirmed many of the security statistics – such as administrator rights and lack of security knowledge. They make valid arguments for peers to discuss the state of privileged access, but they also revealed an interesting, quantifiable trend about user behavior. Instead of just asking, “do you change default passwords,” lead-in questions help reveal why and highlight the user behavior aspect of these problems. For example, one of the questions confirms a specific finding by asking, “How frequently have you experienced a problem due to insecure security practices?” While this is not a trick question, it implies that the respondent knows about an issue, that it is not resolved, and that it has become a liability for the organization. Using follow-up questions, user behavior can be deduced for the security problems and their corresponding statistics represented in the survey. This leads to the conclusion that five human traits are the reason breaches continue to occupy our daily news:

  1. Apathy – Specifically, among password practices, organizations believe that the threat level is highest for users sharing passwords with other users (79%). While organizations are generally well aware of the perils of sharing passwords, a relatively large number of respondents, 22%, report that bad password practices still persist.
  2. Greed – The practice of allowing users to run as administrators on their machines is recognized by study respondents as the highest threat level (71%) among privilege management malpractices. Although the risk is recognized, an astounding 38% of respondents report that it is still common for users to run as administrators on their machines, and 22% of respondents say this practice has caused downtime. Why are end-users still allowed to have administrator rights when it is a basic security hygiene to remove all excessive privileges?
  3. Pride – 18% of respondents claim that attacks that combine privileged access with the exploitation of an unpatched vulnerability are common. When combined with eliminating local administrator rights on end users’ machines, properly patching system vulnerabilities can close off most of today’s commonly reported attack vectors like ransomware. These threats thrive on system weaknesses and excessive access rights in order to move laterally.
  4. Ignorance – 68% of respondents consider least privilege on Unix/Linux an important PAM function. While 86% of respondents believe their Unix/Linux environments have the highest level of protection, 54% of respondents still run Sudo on at least one Unix/Linux server, and 39% still run it on workstations. Respondents report that Sudo’s shortcomings include that it is time-consuming, complex, and lacks policy version control and synchronization, making it a poor security practice.
  5. Envy – A surprising 37% of respondents report that they are not extending protection to SaaS applications and new cloud initiatives. Privileged access must be secured consistently across all resources; there is a form of envy, a belief that the cloud just does not need these controls, and that is just not true.

Download “The 5 Deadly Sins of Privileged Access Management”, to get the full survey results and 5 steps to take to avoid these sins.

Considering known statistics for security best practices, we have a very compelling discussion. The conclusions are even more impressive when the user behavior driving them is exposed and communities can be educated that these behaviors are actually creating cyber security risks. Solving the problems based on statistics alone ignores the human element. By creating a dialogue on why a person does things, and backing it up with statistics, users are more apt to actually implement a healthy change than with raw data alone. This could help make breaches a less common occurrence in the end.

Therefore, here are five steps that, if implemented, can have a positive impact in addressing the five deadly sins that lead to the most frequent types of data breaches:

  1. Deploy enterprise password management globally across all data centers, virtual and cloud. A centralized password management solution that includes built-in session monitoring will ensure that both important capabilities are met, while providing an automated workflow that makes it easy to use across all accounts and applications.
  2. Remove local admin rights from ALL Windows and Mac end users immediately. Once all users are standard users, IT teams can elevate a user’s access to specific applications to perform whatever action is necessary as part of their role, without elevating the entire user on the machine. The benefit? When the next ransomware variant breaks out, your end users’ machines will be contained, preventing further propagation and making them easier to remediate from an IT perspective.
  3. Prioritize and patch vulnerabilities. Attackers exploit asset vulnerabilities, hijack elevated privileges or compromised credentials, and move laterally until they achieve their objective. What’s the first step in that chain? Vulnerabilities. Better prioritization and patching of vulnerabilities boosts your ability to make smarter privileged delegation decisions with regard to assets or applications.
  4. Replace Sudo for complete protection of Unix/Linux servers. With pressure on budgets, some organizations may be stuck with Sudo, but it doesn’t offer the industrial-strength capabilities that today’s security needs, for example user behavior analytics, fine-grained policy controls, file integrity monitoring, centralized control, activity reporting, and more.
  5. Unify privileged access management – on premise and in the cloud – into a single console for management, policy, reporting, and analytics. As organizations race to adopt “the cloud”, IT must provide the same level of protection to cloud-based systems as for on-premise systems. Remember, they are someone else’s computers, but we must protect them just like our own.
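As an added example (not part of the original post or the vendor's own tooling), the following POSIX shell audit reads a sudoers-format file and lists the principals granted a blanket `ALL` command set, which is whole-user elevation, as opposed to rules that name a specific application. The sudoers content is constructed for the demonstration and written to a temporary file; root is treated as the expected exception.

```shell
#!/bin/sh
# Added example: audit sudoers-style rules for whole-user elevation.
# Rules whose command list is literally "ALL" elevate the entire user;
# rules naming a command path are per-application elevation.

# Constructed sample sudoers content (not a real system file).
SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample for the audit demonstration
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF

# blanket_rules FILE: print one principal (user or %group) per line whose
# rule grants "ALL" commands. root is excluded as the expected superuser.
blanket_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || /^[[:space:]]*$/ { next }
        !/=/ { next }                                  # not a user specification
        {
            line = $0
            sub(/^[^=]*=/, "", line)                   # drop "principal host=" prefix
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", line)   # drop "(runas)" part
            sub(/^[A-Z]+:[[:space:]]*/, "", line)      # drop tags such as NOPASSWD:
            sub(/[[:space:]]+$/, "", line)             # trim trailing whitespace
            if (line == "ALL" && $1 != "root") print $1
        }' "$1"
}

# Stand-alone run: report each principal that is elevated as a whole user.
blanket_rules "$SAMPLE_SUDOERS" | while read -r principal; do
    echo "whole-user elevation granted to: $principal"
done
```

On the constructed sample the audit reports `%wheel` and `bob`; `alice` and `%backup` hold per-application rules and are not flagged.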

Companies willing to take these steps will help keep themselves out of the news for the wrong reasons and avoid becoming yet another bad statistic. Changing user behavior is a key step in making this change.
