Organizations Failing Painfully at Protecting, Securing Privileged Accounts
14.3.2018 securityweek Cyber
Legal Requirement for Cyber Insurance May be Necessary to Protect Privileged Credentials
The need to manage privileged accounts is understood by practitioners and required by regulators, but poorly implemented in practice. Eighty percent of organizations consider privileged account management (PAM) to be a high priority; 60% are required by regulators to demonstrate privileged account management; but 70% would fail an access control audit.
According to the 2017 Verizon Data Breach Investigations Report (DBIR), 81% of all hacking-related data breaches involved the use of stolen and/or weak passwords. The prize for hackers is gaining access to privileged account credentials. Once acquired, the adversary can move around the network with high capability and little visibility. Despite this, a new survey (PDF) by Thycotic demonstrates widespread poor implementation of PAM principles to protect key accounts.
Thycotic queried nearly 500 global IT security professionals. In privileged account provisioning, it found 62% of organizations fail at processes for privileged access; 70% fail to fully discover privileged accounts (while 40% do nothing at all to discover these accounts); and 55% fail to revoke access after an employee is terminated.
Even with strong controls, the report warns, "You cannot secure and manage what you do not know you have." However, most organizations have few and poor controls. Seventy-three percent of organizations do not require multi-factor authentication with privileged accounts; 63% do not track and alert on failed logon attempts for privileged accounts; and 70% fail to limit third-party access to privileged accounts.
Thycotic recommends a virtuous life cycle approach to privileged account management: define; discover; manage and protect; monitor; detect anomalous use; respond to incidents; and review and audit. Without automation, this will be impossible for anything but the smallest of companies. There are several companies -- including Thycotic -- that provide technology to assist.
SecurityWeek spoke to the report's author, Joseph Carson, chief security scientist at Thycotic to understand why privileged account management is failing. "Organizations," he said, "are not measuring their security effectively. They continue to spend their budget blindly; and with limited budgets, they have difficulty in letting go of their legacy solutions and attitudes, and investing in the future."
Sometimes, he continued, companies just use a spreadsheet or Word document to record their privileged accounts -- and sometimes nothing at all. "An automated system will save money by eliminating much of the manual effort," he suggested, "providing more complete control, making audits simpler, and reducing the risk of a serious breach."
Nothing here is new or unknown, so it doesn't explain why PAM hasn't been more widely adopted. "The ultimate problem," he said, "is a lack of enforcement by the regulators, leaving organizations free to continue doing the minimum and get away with it." Most of the regulations that require PAM have certifications that will demonstrate compliance; but Carson is concerned that 'certification' is just another business with its own business pressures and its own need to make a profit.
"Are the certifiers more concerned with having certified customers than rigorously enforcing the official standards? Is," he wonders, "certification effectively becoming a subscription service -- becoming a business process rather than a serious evaluation?"
The solution, he suggests, will only come when the regulators actually enforce their own regulations. "Enforcement needs to be harsh -- where a regulation requires PAM, failing companies need to be barred from further operation until the requirements are satisfied. Set the bar high, rather than the current position which is way too low."
Carson uses car seat belts as an example. When they first began to appear, not all vehicle manufactures included them -- just as not all organizations use PAM today. "What changed the situation," he said, "so that seat belts were installed in all motor vehicles as a matter of course, was the insurance industry. Insurance companies told the motor industry that they would not insure any car that did not have seat belts." Since motor insurance is required by law, it effectively meant no seat belt, no sale.
The difference, of course, is that cyber insurance is not a current legal requirement. Carson believes this will change over the next few years, courtesy of the European General Data Protection Regulation (GDPR). GDPR does not specify the need for privileged account management -- it requires the concept of 'least privilege'. This serves the same purpose, but couched in technology future-proof language.
GDPR comes with very high potential monetary sanctions (up to 4% of global turnover), and a regulatory body that has shown itself willing to use its powers against even the largest international organizations. To ensure it can collect the fines that it will inevitably levy, Europe may well turn to the cyber insurance industry.
"It will be the insurance industry that will drive organizations to actually do something about effectively managing their privileged accounts. No adequate certification will mean no insurance. This, of course, will require legal insistence on cyber insurance; and GDPR will drive that. We will probably see, in about one or two years, insurance will become mandatory for those companies regulated by GDPR," Carson said.