Despite the fact that the average cost of a data breach has skyrocketed to $3.62 million, and 60% of small businesses go out of business within six months of getting hacked, an alarming 54% of organizations still use spreadsheets and paper to handle privileged credentials. Understandably, the only people who are happy about this are cyber criminals, who rely on old tactics — such as using compromised Windows administrator and Unix root credentials — to steal data, commit identity theft, and wreck corporate reputations.
The best — and frankly, the only — solution to this growing threat is for organizations to switch from a reactive posture to a proactive one, in which they no longer ask: “What should we do when we get hacked?”, but instead ask: “Since someone is almost certainly going to try to hack us sooner or later, how do we fortify our defenses and stay a step ahead of the bad guys?”
The answer to this vital question is for organizations to deploy a comprehensive next-generation Privileged Access Management (PAM) strategy. Here are 6 key pieces to this puzzle:
1. Create a Robust Password Management Policy
Most end users understand that choosing easy-to-guess passwords is like leaving their car running with the doors unlocked and a big sign that screams: “PLEASE STEAL ME!”. However, they can get frustrated when dealing with unfamiliar criteria, or trying to remember dozens of passwords for various accounts. As such, they tend to cut corners when it comes to password management (choosing, storing and sharing), which puts everyone at risk. To prevent this from happening, sysadmins need a standardized and enforceable password policy that is supported by established and emerging best practices. [For more guidance on this, please read this article: “Top 10 Password Policies and Best Practices for System Administrators”.]
2. Identify & Assess Privileged Accounts and Users
A key building block of a robust PAM strategy is to identify all privileged accounts and end users, and to analyze access levels that align with usage needs, acceptable risk levels, and any compliance or regulatory requirements. Where necessary, it is important to limit access in accordance with the principle of least privilege (PoLP). Granted, some end users won’t be happy about a security downgrade. However, their misery may be short-lived if they are clearly informed that the change is not designed to make their life harder; it is to prevent hackers from attacking the organization and inflicting massive damage (which could include job losses!).
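As an added illustration of this step, not part of the original article: the Python below inventories privileged accounts on a Unix host from /etc/passwd, /etc/group and sudoers content, then lists the ones missing from an approved register. The file contents, the APPROVED set and the function names are constructed assumptions, and only plain user and %group sudoers rules are parsed (no aliases or includes).

```python
# Constructed sample data; none of it comes from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
GROUP = """\
sudo:x:27:alice
"""
SUDOERS = """\
root   ALL=(ALL:ALL) ALL
%sudo  ALL=(ALL:ALL) ALL
bob    ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""
APPROVED = {"root", "alice"}  # hypothetical register of sanctioned admins

def privileged_accounts(passwd, group, sudoers):
    """Map each privileged account to the reasons it is privileged."""
    found, members, gid_name = {}, {}, {}
    for line in group.splitlines():
        name, _pw, gid, users = line.split(":")
        gid_name[gid] = name
        members[name] = {u for u in users.split(",") if u}
    for line in passwd.splitlines():
        user, _pw, uid, gid = line.split(":")[:4]
        if uid == "0":
            found.setdefault(user, set()).add("uid 0")
        # A primary group (passwd field 4) is not repeated in /etc/group.
        if gid in gid_name:
            members[gid_name[gid]].add(user)
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who, rule = line.split(None, 1)
        tag = "sudo NOPASSWD" if "NOPASSWD:" in rule else "sudo"
        users = members.get(who[1:], set()) if who.startswith("%") else {who}
        for user in users:
            found.setdefault(user, set()).add(f"{tag} ({who})")
    return {u: sorted(r) for u, r in sorted(found.items())}

def unapproved(found, approved):
    """Privileged accounts that are missing from the approved register."""
    return sorted(set(found) - set(approved))

if __name__ == "__main__":
    print(unapproved(privileged_accounts(PASSWD, GROUP, SUDOERS), APPROVED))
```

On the sample data this surfaces a second UID 0 account, a passwordless sudo rule, and a user who holds sudo only through a primary group, which a check of /etc/group membership alone would miss.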
3. Use a Powerful and User-Friendly Password Management Solution
As the old saying goes: a chain is only as strong as its weakest link. And unfortunately, the weakest link on the corporate threat surface has always been — and will always be — end users. The way to fortify this vulnerability is with a highly secured, vaulted password management solution that improves overall network visibility, while at the same time giving end users an intuitive and hassle-free experience. This latter point is very important! Frankly, it doesn’t matter how powerful a software solution might be. If end users fail to adopt it, the chain will break in many places.
4. Implement 2FA
Research by the U.S. National Institute of Standards and Technology (NIST) has found that end users aren’t as good at choosing strong and unique passwords as they should be — and they often think they’re better at creating impenetrable passwords than they are. To close the gap, network security needs to be augmented by something physical that only end users have access to, such as a smartphone, keychain token, USB token, or smartcard. Admittedly, 2FA is not a silver bullet — hackers can and do bypass it. Nevertheless, 2FA is an essential component of a complete PAM strategy.
5. Lock Down Instant Messages
End users like instant messaging at work, mostly because they think it makes them more productive and efficient. After all, why make a phone call or send an email when you can engage in an instant 2-way (or 10-way) conversation? Well, IT security professionals have ample justification for not loving insecure instant messaging: it is a gateway for worms and other malware, and the perfect backdoor (perfect if you’re a hacker, that is) for trojan horses. The solution is not to eliminate instant messaging from the work environment — that would improve security, but it would lead to an end user revolt! Rather, the best way to fix this vulnerability is for organizations to use a secure P2P file sharing and IM platform that locks down instant messages, file transfers, and credential sharing.
6. Regularly Audit and Optimize
Auditing all operations is not just about identifying and addressing real and potential vulnerabilities. It is also important for proactively identifying group training and one-on-one coaching opportunities, as well as for establishing standards and enforcing accountability. It also helps to deploy a logging tool that provides visibility into both PAM and non-PAM activities across the organization, so that sysadmins can gain deeper insights and note emerging trends, while more quickly and accurately detecting data breaches and insider threats.
The Bottom Line
According to Verizon’s 2018 Data Breach Investigations Report, 9% of the 2,216 confirmed data breaches in 2017 were due to compromised privileged credentials and accounts. And this proportion is only going to increase in the years ahead, as hackers develop tools and tactics that target this vulnerability, especially at SMBs, which have become ground zero for cyber crime. A comprehensive PAM strategy goes a long way towards helping organizations switch their network security posture from reactive to proactive, helping them stay a step ahead of the bad guys.
From the Desk of Our CSO, Martin Lemay:
“As an addendum to ‘Regularly Audit and Optimize’, penetration testing and red-teaming exercises can help determine whether the overall PAM strategy is being implemented effectively and working as expected. Penetration tests will detect and identify weaknesses in the implementation, while a red-team exercise will test the corporate ability to detect and respond to policy violation attempts. Together, these exercises can provide a realistic and valuable security posture to the PAM solution, helping organizations continuously improve their PAM strategy and, therefore, optimize investment.”