A recent quote from Rob Joyce, Head of the NSA's Tailored Access Operations: “Don’t assume a crack is too small to be noticed, or too small to be exploited” he said when talking about his role in testing security for the nations networks. “We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”
It’s not just about compliance.
We tend to think that satisfying compliance makes us secure, when it is really just the minimal amount of due diligence that should be performed.
Time and time again, we see headlines proclaiming extensive attacks on the very organizations that we regularly interact with as part of our personal lives. Shopping, movies, games. It’s very hard not to interact with companies that store even the smallest amount of our personal data these days.
Yet, in most breaches the data we hold so near and dear to our hearts is not always extracted through gaping holes. It’s fair to say that all large organizations have security problems in place, whether through compliance, due diligence, or a mixture of both. It’s the cracks we have to worry about.
It could be an unpatched system, an application susceptible to malware; stolen credentials that allow external access to a single system inside the firewall boundary. Just one system. Just one application. “That first crack, that first seam.”
So hackers have got to that single system. What do they do now?
- Look for, and try to attack privileged accounts that are vulnerable.
- Establish an attack vector to gain access to the accounts.
- Identify privileges that extend beyond the boundary of the system they are on
- Rinse and repeat.
Hackers will slowly move through the organization system by system, crack by crack. They may take years to execute, but these low and slow attacks fly under the radar, and with more and more organizations capping log retention to as little as 12 months, I am sure there are many ‘accidents’ just waiting to happen out there.
Privileged Access Management Security Strategies That Can Help
The good news is that you can mitigate the risk of external attack through solid privileged access security management. PowerBroker Password Safe allows you to:
- Scan your network - Ensure that forgotten privileged accounts on endpoints are discovered, and brought under management.
- No account gets left behind – Create a common policy framework that makes sure that accounts that get brought under management stay under management.
- Make sure access is authorized – Leverage Adaptive Workflow Control to restrict network connections to ensure that the people logging onto your systems originate from the correct location.
- Audit what users are doing – Video record all user interaction to systems potentially exposed to the outside. Log all keystrokes, and allow rapid forensics to pinpoint what was typed and what was seen.
PowerBroker Password Safe allows the dynamic assignment of just-in-time privileges via Adaptive Workflow Control, allowing organizations to lock down access to resources based upon the day, date, time, and location. By limiting the scope to specific runtime parameters, it narrows down the window of opportunity where someone might be exploiting misappropriated credentials. For example, if you normally expect the HVAC contractor to be logging on from particular systems, you can ensure that access is only permitted from predefined allowable address ranges. Similarly you can set up policies to control when the accounts are accessible, and alert when specific access policies are invoked.
On top of granular access controls, PowerBroker Password Safe ensures managed accounts have their passwords regularly rotated, even upon release – every password issued can be a one-time password for security.
The product also has an integrated session manager (at no extra charge) that can automatically log users onto resources without ever revealing the password, record all video and keystrokes for later playback, and allow real-time session monitoring, with options to remotely manage/disconnect active sessions.
To help you identify and address the weak links in your organization, we’ve partnered with Nick Cavalancia at Techvangelism to develop an eBook “External Attacks and Privileged Accounts: 5 Steps to Control the Threat Potential.” Download chapter one, titled "Understanding The Threat Potential: External Attacks and Privileged Accounts” today.
Martin Cannard,
Martin has been helping organizations solve challenges in the privileged account management and identity and access management space for over 24 years. At Dell Software, Martin managed a team of Solution Architects, focused on designing and implementing solutions in the Privileged Account Management (PAM) space. Prior to joining Dell, Martin was Sr. Product Manager for Novell Privileged User Manager, a privilege management application acquired from Fortefi, an organization where he served as Vice President, Corporate Development. Prior to this, he was Program Manager of Client Technologies at Symantec where he was responsible for many ground-breaking field and channel enablement applications. Additionally, Martin managed the European QA group at Axent Technologies and has held various management positions in consulting, systems development, and operations. Martin is a regular speaker for security events, and webinars.