Cyber criminals rarely accomplish their goal with access to a single system. They take advantage of vulnerable credentials to gain a foothold into an organization, elevate privileges and quickly parlay it into lateral movement to discover sensitive data. In fact, more than 74% of today’s breaches stem from improper privileged access management (PAM).
While PAM isn’t anything new to IT and security leaders, attackers have recently become adept at exploiting privileged access, moving laterally from just one point of entry to an entire network in seconds. Just last year, Russian state-sponsored hackers accessed a non-governmental organization’s cloud and email systems through lateral movements. After exploiting a misconfigured account with default multi-factor authentication (MFA) protocols, attackers took advantage of a Windows Print Spooler vulnerability, dubbed “PrintNightmare.” In this attack, the hackers ran arbitrary code with system privileges and made off with data and documents, and it was at the center of a recent CISA and FBI advisory that warned other companies to take action to protect against similar attacks.
The surge in cyber incidents that exploit privileged access, like the recent Okta breach, has become the latest evidence that criminals and malicious insiders will search for new opportunities to take over an organization, leverage supply chains to breach other organizations, and much more. Despite well-known best practices, Fortune 1000 organizations often grant expansive privileged access, prioritizing convenience over risk. The Fortune 1000 should be on much higher alert.
Fortunately, IT and security teams don’t have to sacrifice user experience for the sake of security. With the current emphasis on Zero Trust, Fortune 1000 organizations should start looking beyond their PAM solutions to properly manage their privilege sprawl.
Why convenience is the biggest crutch
All too often, good intentions around efficiency, speed, and productivity lead to open access that raises the organization's risk of attack. As most of today's IT identity management teams provision and manage admin accounts, it is common practice to vault admin credentials: the vault auto-rotates passwords, enforces password strength and records admin sessions. However, each individual administrator's access to endpoints is persistent: always-on, always-available. Over time, this access remains available even when it is no longer necessary, resulting in privilege sprawl. Security teams see this privilege sprawl as a massive attack surface that is readily exploited, as evidenced in several recent attacks. Therein lies the issue: yesterday's compliance-driven PAM solutions, which focus on authentication, fall woefully short of addressing today's pressing cybersecurity challenges around authorization, as the current conversation about Zero Trust makes evident.
Admins need access to get their job done. But they don't need 24×7 access when they only manage systems on occasion. This is where organizations get into trouble, and it usually happens gradually, as de-provisioning is delayed or held up because removing access is feared to cause disruption. This is one of many reasons why privilege sprawl just happens: over-provisioning is common because it's convenient to just grant access (and easy to forget that broad access was granted). There is also a common fear of "breaking" something, and it's harder to provision again than to just leave the access the way it is. Over time, the situation can spin out of control, making it painfully difficult to determine who has access to which systems. Whatever the reasoning, organizations inevitably leave many users over-provisioned. This doesn't even take into account third-party access. Contractors need temporary access to systems, but it often lives on long after the contracted work is complete, leaving an open door to attackers. Mergers and acquisitions, for example, can blur the picture as companies combine policies and controls and lose visibility into admin access.
These are exactly the kinds of access that CISA and the FBI are warning companies to regain control over, but where should companies begin?
Move from just in case to just in time
The first shift IT leaders need to make is to address time. Hackers tend to target credentials that have 24×7, always-on standing access. These “just in case” credentials give hackers a foothold in the systems, allowing them to maintain a presence and seek lateral movement.
Standing privileged access is convenient for users, but that means it’s convenient for hackers too. Once they’ve compromised these types of credentials, they usually have the keys to other doors within reach and can bypass other safeguards.
Remove standing privileged access and take away a criminal's launch pad. A just-in-time approach sets a finite period for privileged access, which removes the potential for lateral movement while maintaining a good user experience for verified, trusted administrators.
Implement Zero Standing Privilege
Thanks to the industry-wide battle cry for 'Zero Trust', organizations from both the private and public sectors are scrambling to embrace and implement Zero Trust strategies across their digital assets, but one often overlooked element is privileged access. A Zero Trust approach to privileged access can make an immediate difference in strengthening an organization's security.
The strategy, dubbed 'Zero Standing Privilege' (ZSP), minimizes the attack surface by removing standing admin accounts from systems, thus eliminating the impact of compromised privileged credentials. It also removes attackers' opportunities to elevate privileges and install malware across the network. There are many strategies for trying to reduce the risk of lateral movement, but few come close to zero standing privilege. Even single sign-on (SSO) still leaves the door open for attackers to impersonate users.
ZSP is a necessary step for organizations to implement privileged access governance. It enforces a critical control: the user is authorized for every access to every system through just-in-time administration, which protects the organization from a breach spreading through the implicit trust conferred on administrators across every system they are provisioned on. ZSP not only reduces lateral movement risk but also makes incident response easier by minimizing the potential damage.
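The "just in time" and Zero Standing Privilege sections above describe the same mechanism from two angles: no administrator holds a standing grant, every privileged session is requested, approved by someone else, bounded in time, and expires on its own. The following is an added example written for this page, not code from the article or from any PAM product: a small Python broker that enforces those rules and then compares how many systems a stolen admin credential can reach under standing access versus JIT grants. The user and system names, the ticket ids, the 4-hour grant ceiling and the demo clock are all constructed assumptions.

```python
# Added example, not code from the article: a minimal just-in-time (JIT) privilege
# broker implementing Zero Standing Privilege. No administrator holds a standing
# grant; each privileged session is requested, approved by someone else, bounded
# in time, and expires on its own. All names, systems and ticket ids are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

MAX_GRANT = timedelta(hours=4)  # hypothetical policy ceiling for one grant
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass
class Grant:
    user: str
    system: str
    approved_by: str
    ticket: str           # change ticket / justification (constructed)
    expires_at: datetime  # every grant is finite: no "just in case" access


@dataclass
class JITBroker:
    """Authorizes each privileged access per user, per system, per request."""
    _grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {event}")

    def request(self, user: str, system: str, approver: str, duration: timedelta,
                ticket: str, now: datetime) -> Grant:
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
        grant = Grant(user, system, approver, ticket, now + duration)
        self._grants[(user, system)] = grant
        self._log(now, f"GRANT user={user} system={system} by={approver} "
                       f"ticket={ticket} until={grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, user: str, system: str, now: datetime) -> bool:
        grant = self._grants.get((user, system))
        if grant is None:
            self._log(now, f"DENY user={user} system={system} reason=no-grant")
            return False
        if now >= grant.expires_at:
            del self._grants[(user, system)]  # lazy expiry: back to zero standing privilege
            self._log(now, f"DENY user={user} system={system} reason=expired")
            return False
        self._log(now, f"ALLOW user={user} system={system} ticket={grant.ticket}")
        return True

    def revoke(self, user: str, system: str, now: datetime) -> bool:
        removed = self._grants.pop((user, system), None) is not None
        if removed:
            self._log(now, f"REVOKE user={user} system={system}")
        return removed

    def live_systems(self, user: str, now: datetime) -> Set[str]:
        """Systems a stolen credential for `user` could reach at this instant."""
        return {s for (u, s) in list(self._grants)
                if u == user and self.is_authorized(u, s, now)}


def compare_models() -> dict:
    """Constructed scenario: admin 'alice' is provisioned on three servers but only
    needs db-01 for a one-hour change. Compares standing access with JIT grants."""
    provisioned = {"db-01", "web-01", "jump-01"}
    broker = JITBroker()
    broker.request("alice", "db-01", approver="bob", duration=timedelta(hours=1),
                   ticket="CHG-0001", now=T0)
    try:
        broker.request("alice", "web-01", approver="alice",
                       duration=timedelta(hours=1), ticket="CHG-0002", now=T0)
        self_approval_rejected = False
    except PermissionError:
        self_approval_rejected = True
    t_work, t_later = T0 + timedelta(minutes=30), T0 + timedelta(hours=2)
    return {
        "standing_exposure": len(provisioned),  # 24x7 reach of the credential
        "jit_exposure_during_work": len(broker.live_systems("alice", t_work)),
        "db_allowed_during_work": broker.is_authorized("alice", "db-01", t_work),
        "web_allowed_during_work": broker.is_authorized("alice", "web-01", t_work),
        "jit_exposure_after_expiry": len(broker.live_systems("alice", t_later)),
        "db_allowed_after_expiry": broker.is_authorized("alice", "db-01", t_later),
        "self_approval_rejected": self_approval_rejected,
        "audit": broker.audit,
    }


if __name__ == "__main__":
    result = compare_models()
    print("\n".join(result.pop("audit")))
    print(result)
```

The point of the comparison is the exposure numbers: under standing access the same credential unlocks all three provisioned systems around the clock, while under the broker it unlocks one system for one hour and nothing afterwards, and every allow, deny and expiry lands in the audit trail that incident responders would use to scope a compromise.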
There is, of course, no way to fortify everything or anticipate a zero day – there will always be weak spots. Hackers know what they’re doing. Breaches will still happen. But by adopting a principle of least privilege and evolving from PAM to Privilege Security, IT leaders can fortify the enterprise, stop lateral movement, and still allow IT admins to work efficiently yet securely. Amid looming cybersecurity threats and increased warnings, now, more than ever, is the time to get started on your Zero Trust privilege security journey.