All organisations should do everything they can to control what they can to improve their resilience to cyber attack, according to Scott Carlson, technical fellow and executive security advisor at BeyondTrust.
“There are five things that I think are non-optional when it comes to cyber security and controlling identity and privilege,” he told the European Identity & Cloud Conference 2017 in Munich.
First, Carlson said those responsible for information security must ensure that they communicate in the right language.
“Use the language of the person or group you are talking to. We all know that systems architects speak a different language to company executives, and that acquired companies speak different languages to the new owners.
“And whatever style you choose to communicate, it is really important to tell the truth. It is our job to give people the information they can use to help us solve the problem. We need to tell the truth and we have to speak in business language, not in technology. Speak in terms of controls and use cases,” he said.
It is then up to the information security professional to map company use cases to controls and then buy or build a tool to enforce those controls.
“Very few companies have to build a tool, nowadays, because there are a lot of enterprise class [security] suppliers whose product is fit to use in most corporations. You don’t need to figure out how to put something together. You need to implement something in the way that works for you.”
Second, while there is a lot of talk about risk-based security, the most important part of that is for organisations to identify their “crown jewels” in terms of data assets.
“Organisations have to identify what is important to them, but I do not mean that you should run a CMDB [configuration management database] project before you do information security,” he said, as organisations often put off protecting data assets because they are never quite finished finding all the assets.
Instead, Carlson said information security professionals should ask the board of directors, 10 vice-presidents, 10 database administrators and 10 systems architects where the 10 most important data assets are located.
“Just by doing this simple exercise, I will bet that you will know at least 90% of what is important to your company,” he said. “When you start applying identity and privilege controls to your most important things, start with the ones that people [in the company] can name right away because they are the most important. Protect the crown jewels first.”
Managing access to privileged accounts
Third, it is very important for organisations to manage access to privileged user accounts because according to every independent security report, the vast majority of successful cyber attacks have abused a privilege.
Insiders have either abused their own privilege or outsiders have stolen it, guessed it, or colluded with someone who has it, he said. “Maybe you simply have to change the [privileged user account] passwords because you have never done it before or it has been the same for the past 12 years.”
Carlson said about 95% of privilege boils down to a person mapping to a privileged account and having that be in the right place.
“Change the password, record what they do, turn it off if you don’t need it. Spend your time on things that matter to your business, and use a tool or a process to do the things that can be automated, like password rotation and multi-factor authentication. Stop thinking about it, and do it. Too many people get stuck in analysis paralysis,” he said.
Vulnerability and patch management
Fourth, organisations need to get smarter about vulnerability and patch management because many are still not very good at it, despite the fact that most attacks use vulnerabilities that have already been patched.
“Businesses typically upgrade their most critical processing system at least once a year with new business logic, so why can’t we as security and infrastructure people open a change ticket, follow the business process and patch the thing? If we don’t, we risk losing to a botnet,” he said.
Just by addressing privileged access and patch management, organisations can eliminate at least 90% of successful exploits used by attackers.
However, he said an organisation’s vulnerability management programme should focus on its particular critical assets to limit the scope of critical vulnerabilities it has to keep on top of. “Look at the ones that are the greatest risk to your organisation and have a known exploit so you can patch what is important to you,” said Carlson.
“It is no longer a question of whether you should do this. I want to challenge you why you have not done so already. If you are still thinking about the edge cases [like developers], put them down as edge cases and solve immediately for the other 98%,” he said, adding that most of these edge cases have been addressed by privilege account management software suppliers.
Fifth, Carlson said all organisations need to ensure their ability to detect things focuses on the abuse of privilege and on events that relate to their most important data assets.
“Through increased co-opetition, which is awesome, closed-loop remediation is becoming a thing again. You can detect malware and trigger a privilege change. You can detect misbehaviour and trigger a re-attestation. With Stix and Taxii, with APIs, Siems, and privilege management systems you can react in real time.
“When you look at how to detect and respond, you have to do the basics like turning on the logging functionality and have a Siem to organise this information, but if you can respond to what is critical and what is abused, it will help you to respond as quickly as possible.
“Layered security is still a thing. We still need something to prevent people from breaking in, you need to protect your endpoint from malware and privilege abuse, you should have a gatekeeper between your people and the datacentre, and inside the datacentre you should log, detect and control,” he said.
“If you are not already doing those things, start doing them now.”