While organizations rely on IT privileges to enable essential operations and functionality, the potential for misuse or abuse of privilege by insiders, malware, and external threat actors continues to expand in scope. Today, privileges proliferate across on-premise and cloud environments. They’re built into operating systems, file systems, applications, databases, hypervisors, cloud management platforms, DevOps tools, and more. IoT devices are notorious for hardcoding credentials that provide privileged access—but the practice of embedding credentials persists in many other parts of the IT ecosystem as well.
Gartner recognized privileged account management as the #1 IT security project for 2018, and in a Feb. 2019 report, again acknowledged PAM as a top-10 IT security project while ranking it second in the information security space for spending growth. Today, BeyondTrust published research—the Privileged Access Threat Report 2019—that also indicates that PAM is getting more scrutiny, with roughly 93% of organizations using some PAM tools. However, there is clearly much work for organizations to do in maturing their privileged access security controls. As this new BeyondTrust research reveals, privilege blind spots, backdoors, and careless practices abound.
Before we dive a bit deeper into the new report’s findings, let’s recognize one thing that hasn’t changed over the years—why privileges/privileged access remains highly coveted by attackers. Cybercriminals target privileges/privileged access because it can expedite access to an organization’s highest-value targets. With privileged credentials and access in their clutches, a cyberattacker or piece of malware essentially becomes an “insider”. That’s a truly alarming scenario, especially once highly privileged access, such as that of a superuser, is obtained.
We also know that external attack pathways commonly follow a modus operandi, referred to as the cyberattack chain. Attackers exploit vulnerabilities and user privileges to gain a foothold. They then cement their presence and skulk laterally around the IT environment—exploring opportunities to escalate their privileges, grab additional credentials, and assert control over more assets and data.
As the 2019 Microsoft Vulnerabilities Report revealed, 81% of the 189 Critical Microsoft vulnerabilities reported in 2019 would be mitigated by removing local admin rights from users. That data alone makes a compelling case for enforcing least privilege and application control, such as via an endpoint privilege management solution. However, according to our Privileged Access Threat Report 2019, endpoint privilege management distantly trails other PAM capabilities in adoption. With privilege playing a role in almost every security breach today, just what magnitude of a wake-up call will it take to finally close that security gap?
According to the new BeyondTrust research, one wrinkle in privileged access threats that’s consistently top-of-mind is vendor access. For me, one of the most eye-popping survey revelations is that organizations have, on average, 182 vendors logging into their systems every week. SLAs can help keep your vendor security on the right track, but how do you trust that your vendors are doing the right security things? What can you do to protect your organization if they aren’t?
For cybersecurity-conscious companies, the good news is that most cyberattacks are opportunistic, seeking to exploit the most inadequately protected prey. The bad news is that your cyber-resilience is only as strong as your weakest link. Remote access pathways represent those weakest links for most organizations—and cybercriminals know it.
Let’s now review some key takeaways, including how organizations are trying to address privileged access challenges, from this freshly published research. You can also download the full report here.
Highlights from BeyondTrust’s Fourth Annual Privileged Access Threat Report
BeyondTrust’s Privileged Access Threat Report 2019 was compiled by surveying over 1,000 key IT decision-makers from a diverse range of industries across the U.S., EMEA, and APAC. This research report, conducted jointly with independent research agency Loudhouse, explores the 2019 privileged threat landscape in detail, with a focus on how IT decision-makers are addressing privileged access security.
Insider Threats & External Cyberattackers
The 2019 edition of the Privileged Access Threat Report revealed that insider threats remain top-of-mind, and for good reason: 64% of respondents believe they have suffered a breach due to misused or abused employee access. Often, breaches caused by insiders arise from inadvertent errors rather than intentionally malicious actions. Survey responses reflected this, with IT decision-makers citing greater concern about unintentional, employee-involved breaches than about malicious insider threats.
Shoddy password security practices were widely cited as an insider security threat by respondents. These behaviors could be clearly addressed and prevented by modern enterprise password security solutions.
Unsurprisingly, 61% of organizations also consider external attacks as a significant or moderate concern.
Vendor Access Risk
Many IT teams struggle just to manage identities and privileged access within their own organization. However, IT security pros must also control vendor access. The enterprises surveyed reported an average of 182 vendors logging in to their systems each week, with 58% saying they have suffered a breach due to vendor access. At organizations with 5,000+ employees, 23% say they have more than 500 vendors regularly logging into their IT environment. All of these third-party remote access points add up to a massive risk exposure that becomes particularly dangerous when inadequately managed.
Ideally, you want to extend the same best practice security from your own environment to your vendor ecosystem. However, most organizations, as evidenced by our survey results, seem far from enabling this level of secure remote access. In fact, only 29% of organizations say they are very confident that they know how many third-party vendors are accessing their systems, and only 31% are very confident they know how many individual logins can be attributed to third-party vendors.
Our survey respondents also weighed in on risks and security concerns around the Internet of Things (IoT).
Fewer than one in five respondents affirmed that they are confident in having eliminated IoT risks from their environment. Roughly six in ten decision-makers say that default passwords retained in IoT devices are a moderate or significant threat, with the same number worried about IoT device passwords stored as plain text. However, 91% of those organizations that deploy an IoT security solution are confident in their ability to address both of these IoT security challenges.
Compliance Concerns Driving Privileged Access Security Maturity
Nearly every month we learn of new or pending regulations related to information security, or of existing frameworks that are expanding in scope or sharpening their teeth. Indeed, 44% of our survey respondents say that complying with external standards is imposing a substantive impact on how they’re governing employee access. A year into its implementation, GDPR is exerting a forceful impact, with 65% saying that GDPR compliance continues to affect their business, and 58% stating that remaining GDPR compliant is more difficult than expected.
How Organizations are Addressing Privileged Access Security
So, what strategies are IT leaders implementing to address the diverse array of privileged access challenges, and what has been effective? On the positive side, roughly 93% of organizations are using at least some privileged access management (PAM) tools. However, on the downside, point solutions seem to proliferate, while gaps in crucial areas of privileged access remain unaddressed.
On average, the organizations surveyed employ four different methods for privileged credential management. These organizations seem to be getting at least some of the important password security basics right, with three quarters of them restricting the use of shared admin passwords, and 72% regularly rotating admin passwords. However, four tools for password management seems excessive and inefficient, especially considering that today’s best enterprise password management solutions provide fully integrated capabilities for privileged account password management, SSH key management, DevOps secrets management, application password management, privileged session management, and more.
Our report also revealed that, while most organizations have deployed secure remote access/support solutions and privileged password management solutions, only about a third of respondents had adopted endpoint privilege management solutions for either their desktop or server environments.
Organizations with three or more PAM tools voiced far more confidence in their visibility of threats and ability to detect where threats have originated from (insider, vendor, etc.). This visibility also enables organizations to more effectively address these risks. According to our research, these same organizations experience less severe security breaches and have better visibility and control than those who use manual solutions or no solution at all. Impressively, 90% of those with fully integrated PAM tools are confident they can identify specific threats from employees and vendors with privileged access. However, most organizations do not yet feel their PAM solutions are “fully integrated.”
As BeyondTrust Chief Technology Officer & Chief Information Security Officer, Morey Haber, summed it up, “Organizations need to accept that the way to mitigate risks is by managing privileged accounts through integrated technology and automated processes that not only save time, but also provide visibility across the environment. By implementing cybersecurity policies and solutions that also speed business efficiency, versus putting roadblocks in users’ way, organizations can begin to seriously tackle the privileged access problem.”
Next Steps to Reduce Privilege-Related Risks
Download the Privileged Access Threat Report 2019 now and start applying insights from your peers to close security gaps and boost protection across your entire enterprise.
BeyondTrust is the only security vendor that offers a truly integrated approach to holistically address the broadest swathe of privileged access risks. The BeyondTrust PAM platform includes:
- Password Safe: A comprehensive privileged credential management solution to store, secure, and manage privileged credentials of all types—including for privileged accounts, applications, SSH keys, service accounts, and more. The solution also includes robust privileged session management capabilities.
- Endpoint Privilege Management: A true least privilege solution for servers, desktops, and other endpoints. The solution also enables organizations to centralize authentication for Unix, Linux, and Mac environments by extending Active Directory’s Kerberos authentication and single sign on.
- Privileged Remote Access: A solution for securing, managing, and auditing vendor and internal remote privileged access—without a VPN—ensuring you don’t have to compromise security when extending access beyond your perimeter.
To learn how to mature and automate your security controls around privileged access and remote access, while drastically reducing your threat surface, contact BeyondTrust today.
Matt Miller, Senior Content Marketing Manager, BeyondTrust
Matt Miller is a Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.