IT Security’s Best Kept Secret - Hiding in Plain Sight

January 23, 2013

This blog post was first posted on Wired.com on January 22nd, 2013. It can be found, in its original formatting, here: http://insights.wired.com/profiles/blogs/it-security-s-best-kept-secret-hiding-in-plain-sight
There’s a reason the old saying “an ounce of prevention is worth a pound of cure” resonates in so many situations – because it's true. In today’s risk-averse IT security environment, proactive measures definitely get their due investment, but the best kept secret in reducing risk eludes many organizations. Reducing the threats within corporate networks, while mitigating the potential damage caused by successful breaches, is largely about managing and reducing attack surface - identifying the vulnerabilities and privileges that attackers seek out as part of increasingly sophisticated attacks. Depending on an organization’s size, however, managing this attack surface isn’t as simple as checking items off a list.

Much like holding the ocean back with a broom, organizations have spent untold billions on firewalls, intrusion detection and prevention systems and the industry's favorite night club bouncer - antivirus - who hasn't spotted a fake ID since 1987. Unfortunately for these and many other security technologies, Verizon's 2012 Data Breach Investigations Report tells us that of the breaches it surveyed, 96 percent were not highly difficult for attackers and 97 percent could have been avoided through simple or intermediate controls. So much for the night club bouncer.

What are we missing? Having a deep background in vulnerability management, I know that over 90 percent of breaches leverage known vulnerabilities - a point proven by Verizon's data. Seems simple enough: identify a vulnerability; apply a patch. If only it were that easy. Even with the widespread availability of patching tools, it's not uncommon for IT to not have the ability to push a patch in the face of a rapidly evolving attack (something lovingly referred to as "panic patching"). Change-control windows, patch compatibility, even the risk of machines not coming back online after a reboot add to the risk equation.

The Best Kept Secret in IT Security

There's another kind of patch that, when applied and managed as part of a healthy network security diet, will continue to pay security dividends time and time again. It's what I'll call the "privilege patch". It's a simple concept, but one that all too often ends up on the "cure" side of the ledger instead of serving as the prevention it really is.

Managing privileges on corporate desktops is often about governing employee access. However, the insider threat posed by elevated privileges isn't solely about employees; it's also about stopping outsiders from exploiting unsuspecting employees. These elevated machine privileges are sought out for what they allow an attacker to do after they've compromised a system, such as installing malware or probing and infecting other computers on the network. The aforementioned Verizon report states that 98 percent of data breaches in 2011 came from external agents, but goes on to suggest those attacks were successful because they were enabled in part by human error or ignorance. In short, we all let this happen every day.

Reducing a machine to its "least privilege" is akin to applying a patch - a patch that will thwart the vast majority of attacks which prey upon (and require) machines with elevated rights to propagate their actions. Like antivirus, it isn't the panacea that you hope any security practice is; however, it does as much (or in many, many cases more) to reduce the attack surface on your network as more complex options. Least Privilege raises a stronger challenge to attackers than the alternative, a system with unchecked privileges.

It's Good to Have Choices

If there is one thing that I've learned in my conversations with IT security practitioners, tacticians and executives, it's that they want options when it comes to making decisions regarding their protection strategies. This is especially true when it comes to remediation.
Pushing patches is often untenable, as is closing off ports and services in the name of avoiding an attack - business must go on, productivity must be protected along with company data and assets. In this instance, applying the privilege patch can be a tactical option, used as a means to temporarily reduce attack surface, while more permanent measures are pondered. It's an option many security teams overlook when it comes to looking for ways to reduce their overall risk profiles. As the Verizon report shows us, the corporate desktop is often an attacker’s best friend. It doesn't have to be.

------------------

Want to see if the "privilege patch" is a viable option for your network security? Check out PowerBroker for Windows today, free trials available.

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
