“Who got breached today?” It seems that rarely does a news cycle go by without a revelation of some company, government entity, or web service experiencing a major breach with implications for vast numbers of people. The thinking has shifted from a mindset of “how can I prevent a breach?” to “I know it’s going to happen, how can I minimize the impact?” And what are those impacts? They range from embarrassment and brand degradation to significant financial loss, careers in shambles, and even companies going out of business.
The most severe breaches inevitably stem from powerful credentials (typically those logins used for administration) falling into the wrong hands. No one in their right mind would hand over the keys to their kingdom to a bad actor. But these bad actors are sneaky. They’ll get their hands on a relatively harmless user credential through social engineering, phishing, or brute force and use escalation techniques and lateral movements to gain super user access – and then all bets are off.
One of the foundational pillars of identity and access management (IAM) is the practice of privileged access management (PAM). IAM is concerned with ensuring that the right people have the right access to the right systems, in the right ways, at the right times, and that everyone with a stake in that access agrees it is right. PAM simply applies those principles and practices to superuser and administrative credentials: the root account on Unix and Linux systems, the built-in Administrator account and the Domain Admins group in Active Directory (AD), the DBA accounts for business-critical databases, and the myriad service accounts that IT needs in order to operate.
PAM is widely viewed as perhaps the top practice that can alleviate the risk of a breach and minimize the impact if one were to occur. Key PAM principles include eliminating the sharing of privileged credentials, assigning individual accountability to their use, implementing a least-privilege access model for day-to-day administration, and implementing an audit capability on activities performed with these credentials. Unfortunately, we now have clear indicators that most organizations have not kept their PAM program on par with ever-evolving threats.
One Identity recently conducted research that revealed some alarming statistics when it comes to this most important protective practice. The study of more than 900 IT security professionals found that too many organizations are using primitive tools and practices to secure and manage privileged accounts and administrator access, in particular:
Although many organizations are attempting to manage privileged accounts (even if that attempt is made with inadequate tools), fewer are actually monitoring the activity performed with this “superuser” access:
And if those statistics weren’t scary enough, data indicates that way too many organizations (commercial, government, and worldwide) fail to do even the basic practices that common sense demands:
The bottom line is simple: common-sense practices such as changing the admin password after each use and never leaving a default password in place will solve many of these problems. Upgrading practices and tooling to remove human error, and the lag that cumbersome manual password administration introduces, adds a further layer of assurance and individual accountability. And finally, expanding a PAM program to cover all privileged credentials, including the service accounts and other credentials that are hardest to manage, not just the ones that are easiest to secure, yields the biggest gains in security.
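To make the principles above concrete (no shared use of a privileged credential, individual accountability for every use, a least-privilege entitlement list, an audit trail, and rotating the password after each use rather than leaving a default in place), here is a minimal credential-vault model. It is an added illustration written for this page, not code from One Identity or from any PAM product; the account names, user names, ticket reference and the `KNOWN_DEFAULTS` list are constructed sample data, and the vault keeps everything in memory rather than in an encrypted store.

```python
"""Minimal PAM-style credential vault (illustrative model, not a product).

Shows: per-user checkout of a privileged credential (no sharing),
an entitlement list (least privilege), an audit record for every
attempt, and rotation of the password on every check-in.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of vendor defaults, used to flag accounts that were
# never changed after installation. Not a real or complete blocklist.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "root"}


@dataclass
class PrivilegedAccount:
    name: str                       # hypothetical, e.g. "root@db01"
    password: str
    entitled_users: set             # least privilege: who may check it out
    checked_out_by: Optional[str] = None


class CredentialVault:
    def __init__(self):
        self._accounts = {}
        self._audit = []

    def _record(self, event, account, user, ok, detail=""):
        # Every attempt, successful or not, is attributed to a named person.
        self._audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "account": account, "user": user,
            "ok": ok, "detail": detail,
        })

    def add_account(self, name, password, entitled_users):
        self._accounts[name] = PrivilegedAccount(name, password, set(entitled_users))

    def accounts_with_default_password(self):
        """Names of accounts still sitting on a known vendor default."""
        return sorted(a.name for a in self._accounts.values()
                      if a.password.lower() in KNOWN_DEFAULTS)

    def checkout(self, account, user, reason):
        acct = self._accounts.get(account)
        if acct is None:
            self._record("checkout", account, user, False, "unknown account")
            raise KeyError(account)
        if user not in acct.entitled_users:
            self._record("checkout", account, user, False, "not entitled")
            raise PermissionError(f"{user} is not entitled to {account}")
        if acct.checked_out_by is not None:
            # Exclusive checkout is what eliminates shared, anonymous use.
            self._record("checkout", account, user, False,
                         f"already checked out by {acct.checked_out_by}")
            raise RuntimeError(f"{account} is in use by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._record("checkout", account, user, True, reason)
        return acct.password

    def checkin(self, account, user):
        acct = self._accounts[account]
        if acct.checked_out_by != user:
            self._record("checkin", account, user, False, "not the holder")
            raise PermissionError(f"{user} does not hold {account}")
        acct.password = self._new_password()   # rotate after each use
        acct.checked_out_by = None
        self._record("checkin", account, user, True, "password rotated")

    @staticmethod
    def _new_password(length=24):
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def audit_log(self):
        return list(self._audit)


def demo():
    """Walk through one checkout cycle on constructed data; returns the
    observable outcomes so they can be checked rather than just printed."""
    vault = CredentialVault()
    vault.add_account("root@db01", "changeme", {"alice", "bob"})
    vault.add_account("Administrator@corp", "uNiQuE-r0tated-secret", {"alice"})
    flagged = vault.accounts_with_default_password()
    first = vault.checkout("root@db01", "alice", "ticket 4711: disk full")
    shared_use_blocked = False
    try:
        vault.checkout("root@db01", "bob", "patching")     # already held by alice
    except RuntimeError:
        shared_use_blocked = True
    unentitled_denied = False
    try:
        vault.checkout("Administrator@corp", "bob", "curious")  # bob not entitled
    except PermissionError:
        unentitled_denied = True
    vault.checkin("root@db01", "alice")
    second = vault.checkout("root@db01", "bob", "patching")
    vault.checkin("root@db01", "bob")
    return {
        "flagged": flagged,
        "rotated": first != second,
        "shared_use_blocked": shared_use_blocked,
        "unentitled_denied": unentitled_denied,
        "failed_events": [e for e in vault.audit_log() if not e["ok"]],
        "log": vault.audit_log(),
    }


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The point of the model is where the accountability comes from: the root password itself is never tied to a person, but the checkout record is, and because the secret is rotated on check-in, a copy that alice wrote down or that leaked from her session is worthless the moment bob checks the account out. `accounts_with_default_password` is the cheap check most organizations skip; run it against a real inventory before worrying about anything fancier.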
About the Author: Jackson Shaw is Vice President, Product Management at One Identity. He has been involved with directory, meta-directory and security initiatives for 25 years.
Copyright 2010 Respective Author at Infosec Island
This post was originally published on http://www.infosecisland.com/rss.html.