The breach prevention playbook
It seems like every day we hear of a new, high-profile data breach. No longer are we shocked when some major brand is exposed for having lost data at the hands of external bad actors or unwitting internal parties. The question has switched from 'will I be breached?' to 'when will I be breached?'
In football, there’s an adage that the best offense is a good defense. In the battle against cyber attacks, it’s all about choosing the right defense to combat the ever-changing tactics used by bad actors both outside and inside your organization. For an attacking team to succeed, it must find and exploit weaknesses in the opposing team’s defense. Attackers work the same way, so cybersecurity is no different.
Eliminating weaknesses, closing gaps, and anticipating how attackers might try to reach your data is the surest path to victory. Just as all eleven defensive players must do their jobs for the team to win, a comprehensive approach to security is the best hope for success in the battle against breaches, and an identity-centric mindset is critical to installing an effective, lock-down defense.
The Credential Conundrum
Authentication is the first line of defense, since a large share of breaches begin with a compromised credential. An attacker obtains a legitimate login credential (a password) from an unsuspecting user via phishing, social engineering, or plain theft, and then logs in to systems as someone they are not. The system cannot tell that a malicious actor is entering the credentials, so it grants them everything the legitimate user is permitted to access. Fortunately, several tactics and technologies can strengthen authentication.
Goodbye, Passwords. Hello, SSO & Multi-Factor Authentication
Simple practices such as requiring frequent password changes and enforcing complex password policies give businesses and their users a false sense of protection from credential-based threats; a freshly rotated password is just as phishable as the last one. The big problem with passwords isn’t that they are hard to remember, it’s that there are too many to remember and they’re not as secure as we think.
Single sign-on (SSO) and multi-factor authentication together address both the number of passwords and the weakness of the password itself. SSO lets a user authenticate once with a single, strong credential and reach the entire range of systems they need. Another advantage of SSO is that it can apply stronger authentication methods to systems that don’t natively support them. For example, legacy Unix and Linux login services such as telnet, rlogin and FTP transmit passwords in clear text, an obvious risk; an SSO solution that lets an Active Directory (AD) log-on work on Unix/Linux extends AD’s Kerberos-based authentication, which never sends the password over the wire, and AD’s centralized group-based authorization to those non-Windows systems.
Multi-factor authentication, another effective tool in the fight against stolen passwords, adds a second factor such as a smart card or a one-time password token. If a user’s password falls into the wrong hands, it is of little use on its own when a second factor is also required. One caveat: a one-time code can still be relayed by a phishing page in real time, so phishing-resistant factors such as smart cards or FIDO security keys, which bind the authentication to the legitimate site, give the strongest protection.
Closing Security Gaps with the Right Authorization
Authorization controls what a user is allowed (and not allowed) to do once they are authenticated. In formulaic terms, authentication + authorization = access. Correct authorization is the key to breach prevention: attackers often do not get the access they want on the first try, so they move laterally and escalate privileges until they do. Errors in authorization, often inadvertent, open the gates to them.
One critical tactic for improving authorization is better provisioning: the process of setting up user accounts and assigning them the rights they need to do their job, and only those rights. In the age of outsourcing and digital transformation, enterprises are increasingly complex and the number of users and systems keeps growing. As a result, provisioning becomes unruly if it is not properly managed.
Often, provisioning is a series of unrelated tasks performed by separate IT teams. For example, an AD team sets up a user’s account and permissions in AD while an entirely different team sets up SAP permissions for the same user. It is not uncommon for full provisioning across all systems, enterprise wide, to take days or weeks and involve significant IT intervention and tedious manual work.
That’s where the second, and perhaps most critical, rung of the authorization ladder comes into play: de-provisioning, the removal of access once it is no longer needed. As users change jobs internally, it is important to set up the new rights and access they require, but equally important to remove the old rights they no longer need; otherwise entitlements accumulate with every move. Even more critical is removing access for terminated employees, contractors whose engagements have ended, and anyone else who was granted temporary access to your network. A good portion of high-profile breaches are the direct result of attackers finding orphaned accounts that retain the access rights they covet, and another portion are the work of disgruntled ex-employees who kept access long after it should have been removed.
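The de-provisioning gaps described above (leavers, movers, orphaned and dormant accounts) can be found by reconciling the account inventory against the HR system of record. The following is an added example, not code from the article or from any identity product; the HR records, the accounts and the role-to-group model are constructed sample data.

```python
# Added example (not from the article): reconcile an account inventory against the HR
# feed to find accounts that de-provisioning missed. All data below is constructed;
# ROLE_GROUPS is a hypothetical role model.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    owner_id: Optional[str]     # HR employee id; None for shared/service/test accounts
    groups: Set[str]
    last_logon: Optional[date]
    enabled: bool = True


# Constructed HR feed: employee id -> (status, current role)
HR = {
    "e100": ("active", "finance-analyst"),
    "e200": ("terminated", "dba"),
    "e300": ("active", "helpdesk"),        # moved from dba to helpdesk
}

# Hypothetical role model: the groups each role legitimately needs
ROLE_GROUPS = {
    "finance-analyst": {"fin-readers"},
    "dba": {"db-admins", "backup-operators"},
    "helpdesk": {"helpdesk-tier1"},
}

TODAY = date(2024, 6, 1)

# Constructed account inventory (what AD or an application actually holds)
ACCOUNTS = [
    Account("alice", "e100", {"fin-readers"}, date(2024, 5, 30)),
    Account("bob", "e200", {"db-admins", "backup-operators"}, date(2024, 4, 2)),
    Account("carol", "e300", {"helpdesk-tier1", "db-admins"}, date(2024, 5, 31)),
    Account("dave-contractor", "e900", {"fin-readers"}, date(2024, 1, 15)),
    Account("svc-legacy-report", None, {"db-admins"}, None),
    Account("erin", "e400", {"fin-readers"}, date(2023, 1, 1), enabled=False),
]


def reconcile(accounts: List[Account], hr: Dict[str, Tuple[str, str]],
              role_groups: Dict[str, Set[str]], today: date,
              stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[Tuple[str, str]]]:
    """Return {account: [(finding, detail), ...]} for enabled accounts that should have
    been de-provisioned or trimmed:
      leaver   - owner is terminated in HR but the account is still enabled
      orphaned - no owner, or owner unknown to HR (rolled-off contractor, test account)
      mover    - owner changed role but kept groups from the old role
      stale    - no logon within `stale_after`, a sign nobody needs it
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                       # already de-provisioned
        out: List[Tuple[str, str]] = []
        record = hr.get(acct.owner_id) if acct.owner_id else None
        if record is None:
            out.append(("orphaned", f"owner {acct.owner_id!r} not in HR"))
        else:
            status, role = record
            if status == "terminated":
                out.append(("leaver", f"owner {acct.owner_id} is terminated"))
            else:
                excess = acct.groups - role_groups.get(role, set())
                if excess:
                    out.append(("mover", f"groups beyond role {role}: {sorted(excess)}"))
        if acct.last_logon is None or today - acct.last_logon > stale_after:
            out.append(("stale", f"last logon {acct.last_logon}"))
        if out:
            findings[acct.name] = out
    return findings
```

Run on the sample data, this flags bob as a leaver, carol as a mover still holding db-admins from her old role, the contractor and the ownerless service account as orphaned, and the latter two as stale. In practice the HR feed would be the authoritative joiner/mover/leaver source and the account list would be pulled from each system (AD, SAP, databases), which is exactly the enterprise-wide view that siloed provisioning teams lack.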
Be Mindful of Privileged Accounts & Administrative Access
While authentication and authorization are important tactics for protecting a business against identity-based breaches, one class of accounts deserves special attention: privileged accounts.
Every server, operating system, application and database has a built-in administrative account that lets IT perform necessary actions within that system. On UNIX and Linux systems it is root; in AD it is the built-in Administrator account and the members of Domain Admins. Because these accounts are tied to the system rather than to an individual, their credentials are often shared among everyone in IT who needs to access the system to do their job. And because administrative tasks (installing an operating system update, provisioning a user into a specific role) require it, the credential has essentially unlimited power. That is why these credentials are considered the "crown jewels" that bad actors are after. An attacker who escalates to admin status, or gets hold of the admin password, can wreak serious havoc.
A well-rounded defense pays special attention to privileged account misuse and employs best practices like password vaulting, which eliminates the sharing of administrative credentials and uses workflows and approval processes to ensure that when a credential is issued, it is necessary, justified, approved and logged. A password vault stores admin, root, system, service and other privileged passwords and releases one only when the conditions of the workflow and approval scheme have been met, recording who checked it out, when and why; most vaults also rotate the password after each use, so a credential that was checked out cannot be reused later.
Analytics and audit of privileged sessions are the second critical piece of preventing privileged account abuse. Privileged analytics enable organizations to discover unknown internal and external threats and risky activities by detecting unusual behavior and anomalies, for example a root login with no corresponding vault check-out, or administrative activity at an unusual hour or from an unfamiliar host. Governance is critical for managing privileged access as well: organizations must extend traditional end-user governance to cover privileged users and the technologies in place to grant them appropriate access.
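To make the vaulting and session-analytics points above concrete, here is an added example (not code from the article or from any One Identity product) of a minimal password vault model with four-eyes approval, time-boxed check-out, audit logging and rotation on check-in, followed by a detection that correlates actual root logins with the vault's check-out records to spot uses of a privileged credential that bypassed the workflow. The accounts, people and login records are constructed sample data.

```python
# Added example (not from the article): a minimal privileged password vault plus a
# check that every privileged login is covered by an approved check-out.
# All names, accounts and login records are constructed sample data.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LoginRecord = Tuple[datetime, str, str, str]   # (time, account, host, source address)


@dataclass
class Checkout:
    account: str
    requester: str
    approver: str
    start: datetime
    end: datetime


class PasswordVault:
    """The vault alone holds each privileged password. A person receives it for one
    approved, time-boxed use; the use is logged; the password is rotated on return."""

    def __init__(self, ttl: timedelta = timedelta(hours=1)):
        self._passwords: Dict[str, str] = {}
        self._active: Dict[str, Checkout] = {}
        self.history: List[Checkout] = []
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (time, action, account, detail)
        self.ttl = ttl

    def enroll(self, account: str) -> None:
        self._passwords[account] = secrets.token_urlsafe(24)    # nobody is told this value

    def checkout(self, account: str, requester: str, approver: Optional[str],
                 now: datetime) -> Optional[str]:
        """Return the password, or None (audited) when the four-eyes rule is not met."""
        if approver is None or approver == requester:
            self.audit.append((now, "denied", account, f"{requester} lacked independent approval"))
            return None
        active = self._active.get(account)
        if active is not None:
            if active.end > now:
                raise RuntimeError(f"{account} is already checked out by {active.requester}")
            self.checkin(account, now)      # window expired without return: rotate first
        co = Checkout(account, requester, approver, now, now + self.ttl)
        self._active[account] = co
        self.history.append(co)
        self.audit.append((now, "checkout", account, f"{requester} approved by {approver}"))
        return self._passwords[account]

    def checkin(self, account: str, now: datetime) -> None:
        co = self._active.pop(account)
        co.end = min(co.end, now)                               # legitimate window ends here
        self._passwords[account] = secrets.token_urlsafe(24)    # rotate: old value is dead
        self.audit.append((now, "checkin+rotate", account, co.requester))

    def current_password(self, account: str) -> str:
        return self._passwords[account]     # exposed only to demonstrate rotation

    def covered(self, account: str, at: datetime) -> bool:
        """Was `account` legitimately checked out at time `at`?"""
        return any(c.account == account and c.start <= at <= c.end for c in self.history)


def detect_bypass(vault: PasswordVault, logins: List[LoginRecord]) -> List[LoginRecord]:
    """Privileged logins with no covering check-out: someone used a shared or cached
    root password outside the vault's workflow, or a rotation failed to take effect."""
    return [rec for rec in logins if not vault.covered(rec[1], rec[0])]


def demo() -> Tuple[bool, List[LoginRecord]]:
    t0 = datetime(2024, 6, 1, 9, 0)
    vault = PasswordVault()
    vault.enroll("root@db01")
    first = vault.checkout("root@db01", "bob", "alice", t0)
    vault.checkin("root@db01", t0 + timedelta(minutes=20))
    rotated = vault.current_password("root@db01") != first
    logins: List[LoginRecord] = [                              # constructed root logins
        (t0 + timedelta(minutes=5), "root@db01", "db01", "10.0.0.12"),   # inside window
        (t0 + timedelta(hours=3), "root@db01", "db01", "10.0.0.77"),     # no check-out
    ]
    return rotated, detect_bypass(vault, logins)
```

The second login in `demo()` is the interesting one: it happened hours after the only check-out was returned and the password rotated, so either the rotation did not propagate to db01 or the host is accepting a credential the vault never issued. Either way it is a finding for the privileged-analytics queue, and it is only detectable because every legitimate use left a time-bounded record in the vault.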
Winning the Game
When all players on the field are on the same page and each performs his or her job with precision, the team is in a position to dominate. The same holds true for cybersecurity. A comprehensive, identity-centric approach that emphasizes strong authentication and properly controlled authorization, pays special attention to privileged accounts, and is backed by a team united behind it is the winning formula for preventing breaches and keeping the bad guys at bay.
Tyler Reese is Product Manager at One Identity. With more than 15 years in the IT software industry, Tyler Reese is extremely familiar with the rapidly evolving IAM challenges that businesses face. He is a product manager for the Privilege Account Management portfolio where his responsibilities include evaluating market trends and competition, setting the direction for the product line -- and ultimately, meeting the needs of end-users. His professional experience ranges from consulting for One Identity’s largest PAM customers to being a systems architect of a large company.