Attackers often target superuser accounts with access to data and systems - how do you protect them?
The concept of 'privilege' is integral to protecting computers and networks, but it wasn't until it was leveraged in several high-profile attacks that the security industry began to pay attention. Gartner recently listed privileged account management as the top security project for businesses, stating, 'CISOs should focus on these ten security projects to reduce risk and make a large impact on the business'. The company has also released its first Magic Quadrant for the Privileged Access Management market. Privilege is now something that all IT leaders - but especially the CISO - must be aware of.
Privileged access originally referred to the shared accounts that IT and systems administrators used to maintain networks and systems, with total visibility and control of data and information systems. "Whoever controlled these accounts controlled the network," said David Higgins, director of customer development at CyberArk.
The introduction of the Sarbanes-Oxley Act (SOX) in 2002 was one of the first times that securing privileged accounts became necessary to achieve compliance with a major regulation, although new laws like the USA's Health Insurance Portability and Accountability Act (HIPAA) have continued the trend.
SOX marked the point at which regulators began to understand just how much power individual users were able to gain over networks and data from privileged accounts.
The danger of that power was first demonstrated in the 2008 attack on San Francisco's FiberWAN network, during which disgruntled sysadmin Terry Childs locked access to the network by resetting the administrative passwords to its switches and routers and creating a password that gave him exclusive access to the system.
This massive denial of service attack was enabled by a single malicious insider with privileged access. What would have happened if Childs had been an outside attacker?
"The ensuing years give us an answer," said Higgins. "From Edward Snowden, to Yahoo! and the Office of Personnel Management, to the SWIFT Bank attacks and the breach at Uber - the common denominator was that attackers exploited the access typically granted to a powerful insider and used it to launch and execute their attacks."
Today, privileged credentials exist everywhere, and the threat landscape continues to grow. Attackers know this as well, which is why nearly all of today's advanced attacks rely on exploiting privileged credentials to reach a target's most sensitive data, applications and infrastructure.
Privileged access management (PAM) technology helps companies to track and control who has access to these superuser accounts as part of their compliance programmes. For some time this was its only use; however, compliance doesn't equal security, and modern PAM tools protect companies from a range of attacks, including those by insiders like Childs.
"It contains attacks that get beyond the perimeter, safeguarding critical infrastructure, data and assets," said Higgins.
"Privileged accounts, secrets and credentials are everywhere, in every major IT project. From business-critical applications to DevOps, to cloud, to robotic process automation to IoT, privilege exists and is necessary for these initiatives to function properly. This is why privileged access management - the practice of managing and securing these privileged accounts, secrets and credentials - is now recognised as the top security project that CISOs should focus on to reduce risk to the business.
"Gartner's new Magic Quadrant has reaffirmed that strong security begins with ensuring good cyber hygiene and securing the known credentials and accounts that attackers seek to accomplish their goals."
CyberArk encourages IT and security leaders to become more aware of the dangers of unsecured privileged access, and is making the Gartner report available for free download. Access yours at https://www.cyberark.com/pr/gartner-mq-pam-leader/.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.