Do you know about the power of privileged access?

clock • 3 min read

Attackers often target superuser accounts with access to data and systems - how do you protect them?

The concept of ‘privilege' is integral to protecting computers and networks, but it wasn't until it was leveraged in several high-profile attacks that the security industry began to pay attention. Gartner recently listed privileged account management as the top security project for businesses, stating, 'CISOs should focus on these ten security projects to reduce risk and make a large impact on the business'. The company has also released its first Magic Quadrant for the Privileged Access Management market. Privilege is now something that all IT leaders - but especially the CISO - must be aware of.

Privileged access originally referred to the shared accounts that IT and systems administrators used to maintain networks and systems, with total visibility and control of data and information systems. "Whoever controlled these accounts controlled the network," said David Higgins, director of customer development at CyberArk.

The introduction of the Sarbanes-Oxley Act (SOX) in 2002 was one of the first times that securing privileged accounts became necessary to achieve compliance with a major regulation, although new laws like the USA's Health Insurance Portability and Accountability Act (HIPPA) have continued the trend.

SOX marked the point at which regulators began to understand just how much power individual users were able to gain over networks and data from privileged accounts.

The danger of that power was first demonstrated in the 2008 attack on San Francisco's FiberWAN network, during which disgruntled sysadmin Terry Childs locked access to the network by resetting administrative passwords to its switches and routers, by creating a password that gave him exclusive access to the system.

This massive denial of service attack was enabled by a single malicious insider with privileged access. What would happen if Childs had been an outside attacker?

"The ensuing years give us an answer," said Higgins. "From Edward Snowden, to Yahoo! and the Office of Personnel Management, to the SWIFT Bank attacks and the breach at Uber - the common denominator was that attackers exploited the access typically granted to a powerful insider and used it to launch and execute their attacks."

Today, privileged credentials exist everywhere, and the threat landscape continues to grow. Attackers know this as well, which is why nearly all of today's advanced attacks rely on exploiting privileged credentials to reach a target's most sensitive data, applications and infrastructure.

Privileged access management (PAM) technology helps companies to track and control who has access to these superuser accounts as part of their compliance programmes. For some time this was its only use; however, compliance doesn't equal security, and modern PAM tools protect companies from a range of attacks, including insiders like Childs.

"It contains attacks that get beyond the perimeter, safeguarding critical infrastructure, data and assets," said Higgins.

"Privileged accounts, secrets and credentials are everywhere, in every major IT project. From business-critical applications to DevOps, to cloud, to robotic process automation to IoT, privilege exists and is necessary for these initiatives to function properly. This is why privileged access management - the practice of managing and securing these privileged accounts, secrets and credentials - is now recognised as the top security project that CISOs should focus on to reduce risk to the business.

"Gartner's new Magic Quadrant has reaffirmed that strong security begins with ensuring good cyber hygiene and securing the known credentials and accounts that attackers seek to accomplish their goals."

CyberArk encourages IT and security leaders to become more aware of the dangers of unsecured privileged access, and are making the Gartner report available for free download. Access yours at https://www.cyberark.com/pr/gartner-mq-pam-leader/.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

You may also like
'Drop the geek speak': Gartner's Paul Furtado on how to be a security success story

Skills

Soft skills are key to winning executive support

clock 26 July 2023 • 5 min read
These are the security trends to watch in 2023

Security

It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado

clock 23 March 2023 • 7 min read
Digital transformation falls apart without access management

Strategy

Seamless journeys are crucial to the digital experience

clock 05 December 2022 • 2 min read
Most read
01

Intel splits in two, signs deal with Microsoft

22 February 2024 • 7 min read
03

Cambridge University hit by DDoS attack

20 February 2024 • 1 min read
05

Gemma: Google unveils open AI models

22 February 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Threats and Risks

Operation Cronos: NCA reveals details of LockBit affiliates

Operation Cronos: NCA reveals details of LockBit affiliates

Operation has been crippled - for now

clock 22 February 2024 • 3 min read
Microsoft exposes state-backed hackers using AI tools for espionage

Microsoft exposes state-backed hackers using AI tools for espionage

Hackers linked to Russian military intelligence have been using LLMs to delve into satellite communication protocols relevant to military operations in Ukraine

clock 15 February 2024 • 3 min read
France uncovers massive Russian disinformation campaign

France uncovers massive Russian disinformation campaign

Dubbed 'Portal Kombat'

Vikki Davies
clock 14 February 2024 • 2 min read