Guest written by: John Hathaway, Regional Sales Manager, Middle East, BeyondTrust
Take a look inside any large enterprise and you’ll likely find that passwords are still not under complete control; users with administrator privileges are still causing problems and far too many system vulnerabilities remain unpatched. In fact, according to a recent report by Forrester, 80 percent of breaches are the result of abuse or misuse of privileged credentials.
For years, security experts have outlined the best practices for privileged account management (PAM), but despite this, IT organizations continue to struggle with PAM for five key reasons. I jokingly refer to these as ‘The Five Deadly Sins’, and while it might sound a little dramatic, consider that these “sins” cost the typical enterprise nearly $4M annually through things like lost productivity, the cost of mitigating incidents, and legal or compliance issues.
Not deploying privileged password management globally
Most IT managers will be quick to point out that the top threats associated with passwords are password sharing, unchanged default passwords and weak passwords. While that is not a surprise, what is surprising is how prevalent these bad practices remain in most organizations today, as evidenced by the findings of a recent survey we conducted.
A third of the respondents report that users routinely share passwords with each other, and a quarter report the use of weak passwords. Shockingly, one in five report that many users don’t even change the default passwords. One way to mitigate poor password management is to deploy a centralized password management solution with built-in session monitoring across all data centers, whether virtual or cloud. This ensures that both capabilities, password management and session monitoring, are delivered with strong workflow and ease of use for your high-maintenance users.
Too many holdout admin users
How much privilege does an end user really need? Users, greedy for power, will say they need complete privilege. In fact, 94 percent of Microsoft system vulnerabilities in 2016 can be attributed to users with admin rights. Yet users with elevated privileges remain common across organizations, a problem that has been shown to cause direct downtime of computing systems.
It is essential that IT teams remove all local admin rights from all Windows and Mac end users. Once all users are standard users, IT teams can elevate a user’s access to specific applications to perform whatever action is necessary as part of their role, without elevating the entire user on the machine. The benefit? When the next ransomware variant breaks out, your end users’ machines will be contained, preventing further propagation. It will save your IT team and help desk many headaches, and save the business from possible downtime. In parallel, you can use asset and application vulnerability insights to make better decisions on when to elevate privileges.
Ignoring the link between vulnerabilities and excessive privileges
Consider the cyber-attack chain. Attackers exploit asset vulnerabilities, hijack elevated privileges or compromised credentials, and move laterally until they achieve their objective. Exploiting a vulnerability is the first step in the chain, and attacks that combine privileged access with exploitation of an unpatched vulnerability are common.
Simply patching known system vulnerabilities can prevent most of today’s commonly-reported attack vectors. So why doesn’t IT stay current on their patches? As they say, pride cometh before the fall.
Better prioritization and patching of vulnerabilities gives you better insight into whether to delegate privileges to an asset or application. The result is better intelligence and less risk of unknowns.
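The two points above (elevating specific applications rather than whole users, and using asset vulnerability data to decide whether an elevation should be granted) can be combined into a simple policy check. The following is an added example, not BeyondTrust code; it assumes a hypothetical scanner export in CSV form (`asset,cve_id,severity,patched`) and elevation requests that name the user, the application and the asset it runs on. The CVE ids and host names are constructed placeholders.

```python
"""Risk-aware decision for an application-level privilege elevation request.

Added example, not BeyondTrust code. Assumes (hypothetically) a scanner export
with one finding per line as 'asset,cve_id,severity,patched' and elevation
requests naming the user, the application and the asset it runs on.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner export; the CVE ids are placeholders, not real findings.
SCAN_EXPORT = """\
asset,cve_id,severity,patched
ws-finance-07,CVE-0000-0001,critical,no
ws-finance-07,CVE-0000-0002,medium,yes
ws-hr-12,CVE-0000-0003,high,no
ws-dev-03,CVE-0000-0004,low,no
"""


@dataclass(frozen=True)
class ElevationRequest:
    user: str
    application: str
    asset: str


def parse_scan(text):
    """Map each asset to the rank of its worst *unpatched* finding (0 if clean)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    exposure = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        rank = SEVERITY_RANK[row["severity"].strip().lower()]
        unpatched = row["patched"].strip().lower() == "no"
        exposure.setdefault(row["asset"], 0)
        if unpatched and rank > exposure[row["asset"]]:
            exposure[row["asset"]] = rank
    return exposure


def decide(request, exposure, max_auto_rank=SEVERITY_RANK["medium"]):
    """Return 'allow', 'approve' (human sign-off required) or 'deny'.

    Policy (illustrative): no scan data for the asset means no elevation;
    an unpatched critical finding denies outright; anything above
    max_auto_rank needs approval; otherwise the application may be elevated.
    """
    if request.asset not in exposure:
        return "deny"  # unknown asset: no vulnerability intelligence to rely on
    rank = exposure[request.asset]
    if rank >= SEVERITY_RANK["critical"]:
        return "deny"
    if rank > max_auto_rank:
        return "approve"
    return "allow"


if __name__ == "__main__":
    exposure = parse_scan(SCAN_EXPORT)
    for req in (ElevationRequest("alice", "excel.exe", "ws-finance-07"),
                ElevationRequest("bob", "sap.exe", "ws-hr-12"),
                ElevationRequest("carol", "docker", "ws-dev-03"),
                ElevationRequest("dave", "vpn", "ws-unknown-99")):
        print(req.user, req.application, req.asset, "->", decide(req, exposure))
```

The decision is per application and per asset, so a standard user keeps working normally; only the elevation is refused or routed for approval while the asset carries an unpatched high or critical finding. Once the patch lands and the next scan clears it, the same request is allowed automatically.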
Believing Sudo is sufficient to protect your Unix/Linux system and data
Given budget pressures, many IT managers rely on Sudo to manage least privilege for Unix/Linux servers. The problem with Sudo is that it doesn’t offer the industrial-strength capabilities that today’s security demands, including the ability to:
- Analyze user behavior by correlating keystroke logs, session recordings and privileged events against asset vulnerability data and security intelligence from best-of-breed security solutions
- Elevate privileges for standard users through fine-grained, policy-based controls utilizing contextual factors such as time, day and location
- Audit and report on changes to critical system, application, and data files
- Achieve policy-driven command control and auditing
- Enable a host-based and/or proxy-based approach to privilege management
- Unify policy, management, reporting and analytics, upgrades and more across all privilege management systems
The only fix is to replace Sudo with a solution that provides the capabilities listed above.
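Whether or not Sudo is replaced, the first step is to know what the existing sudoers rules actually grant. The script below is an added example, not BeyondTrust code: it audits a sudoers file for grants a least-privilege policy would not sign off on unchanged (blanket `ALL` commands, `NOPASSWD` elevation, commands that drop into a shell or editor, and missing I/O logging). It handles the common sudoers forms only; aliases and `@include` directives are out of scope. The sample sudoers content is constructed for the demonstration.

```python
"""Audit sudoers rules for grants broader than least privilege allows.

Added example, not code from BeyondTrust. It handles the common sudoers
forms only: 'who HOST=(RUNAS) [TAG:] cmd, cmd', 'Defaults' lines, '#'
comments and backslash continuations; aliases and @include are out of scope.
"""
import re
from dataclasses import dataclass

# Constructed sample sudoers; the users and paths are invented for the demo.
SAMPLE_SUDOERS = r"""
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults !log_output
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \
        /usr/bin/tar
ops     ALL=(ALL) /bin/bash
alice   ALL=(root) /usr/bin/systemctl restart nginx
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*)+")
# Commands that hand the caller an interactive shell or arbitrary execution.
SHELL_LIKE = re.compile(r"^/(?:usr/)?bin/(?:bash|sh|zsh|dash|ksh|su|env|vim?)\b")


@dataclass
class Finding:
    line: str
    issues: list


def logical_lines(text):
    """Yield non-comment sudoers lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def audit_sudoers(text):
    """Return Findings for rules a PAM policy would not sign off on unchanged."""
    findings, defaults = [], []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            defaults.append(line)
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(Finding(line, ["unparsed rule: review manually"]))
            continue
        who, cmds = m.group("who"), m.group("cmds").strip()
        tags = set()
        t = TAG_RE.match(cmds)
        if t:
            tags = set(re.findall(r"([A-Z_]+):", t.group(0)))
            cmds = cmds[t.end():]
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        issues = []
        if who != "root" and "ALL" in commands:
            issues.append("grants ALL commands")
        if "NOPASSWD" in tags:
            issues.append("NOPASSWD: no reauthentication before elevation")
        for c in commands:
            if SHELL_LIKE.match(c):
                issues.append(f"shell or editor escape via {c.split()[0]}")
        if issues:
            findings.append(Finding(line, issues))
    # sudo's own I/O logging (Defaults log_output) is the minimum session record to keep.
    if not any(re.search(r"(?<![!\w])log_output\b", d) for d in defaults):
        findings.append(Finding("Defaults", ["log_output not enabled: no session record"]))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.line}\n    -> " + "; ".join(f.issues))
```

Run it against a copy of the real file (for example `sudo cat /etc/sudoers` piped into a file the script reads); each finding is a rule to tighten, either by narrowing the command list and dropping `NOPASSWD`, or by moving that grant into a policy-driven tool that records the session.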
Not prioritizing SaaS applications and the risk they introduce
Organizations are moving to the cloud with a vengeance. As with all platforms, protecting against privileged access abuse is crucial for cloud workloads. Unprotected SaaS workloads can lead to a host of problems, some immediate, some longer lasting. It is not up to the provider to protect your cloud workloads; it is up to IT.
As organizations race to adopt *aaS to keep pace with business demands, IT must provide the same level of protection to cloud-based systems as to on-premises systems. This includes capabilities such as the ability to:
- Enable automation for DevOps
- Find, group and scan cloud assets
- Protect virtual and cloud management consoles and instances
- Use a cloud access service broker to enable third-party access
- Perform vulnerability assessments for hybrid and public cloud infrastructures
Personally Identifiable Information (PII) must be protected at all costs. To protect access to this data, organizations must deploy an integrated PAM solution that provides control and visibility over all privileged accounts and users across Windows, Mac, Unix and Linux desktop and server platforms, and in doing so improves system security and closes gaps – it’s the only way to atone for our “sins”.