Key to effective breach prevention: privileged user governance
With cybersecurity attacks in the news almost daily, the new normal for organizations is to assume they have been -- or will be -- breached.
A recent Forrester study reported 80 percent of breaches involve privileged credentials.
As evidenced by the hacks at Sony, Home Depot and the Office of Personnel Management, once hackers are in the system -- whether gaining access via a phishing attack or another means -- they can methodically infiltrate a system further by increasing their user privileges to gain unfettered access to systems and an organization’s most sensitive data.
Stopping attacks somewhere along this methodical approach that bad actors use, a process known as the kill chain, is critical.
Privileged access management (PAM) has emerged as a top solution battling cyberattacks and interrupting the kill chain. Without good governance, however, PAM is doing only half the job.
Too many organizations have users with elevated privileges that do not need those rights, leading to a “waxy build-up” of privileged access.
For example, according to a Ponemon Institute study of over 650 organizations, 38 percent had users with privileged access rights for no apparent reason, and 36 percent of these organizations failed to revoke those rights when the users no longer needed those privileges. This is a hacker’s dream.
The key to reducing risk is ensuring privileged users have the minimum amount of access needed to do their jobs, a principle known as “least privilege.”
This concept is so critical that it is the core focus of Phase 2 of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.
Building on CDM Phase 1 -- which focused on identifying and securing network assets -- Phase 2 seeks to give federal agencies the security tools they need to manage privileged users and ensure that those users and accounts with the “keys to the kingdom” are closely monitored for unusual activity.
These two phases, discovery and enforcing least privilege, will then lead to a third phase focused on incident response, event management and boundary protections.
Controlling the risk equation with privileged user governance
Securing privileged user access, when looked at holistically, includes three core elements:
Discovery -- knowing exactly who an agency’s privileged users are, whether they are network administrators, third-party contractors or cloud service administrators.
Enforcement -- continuous monitoring so that irregular user behavior is quickly identified and stopped.
Governance -- making sure that only users who truly need elevated privileges and access have that access.
There are two important steps when it comes to governing privileged access -- when the access is requested and when those requests are certified. These vital security events must be considered together because neither one alone can ensure that least privilege is enforced.
Access requests are the first checkpoints for preventing improper or excessive privileged user entitlements.
For example, all access requests should be checked automatically for compliance with segregation of duties (SoD) controls -- an especially important assessment for privileged users because their access is already elevated.
This check ensures that the person requesting funding is not the same person approving the budget and signing the checks, for example.
Even if a request passes the SoD test, privileged access still may pose a risk to the organization and require further analysis to determine whether or not to approve the request.
Access certification requires a manager to determine if the requested access is valid or whether improper permissions have been granted.
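The two governance checkpoints described above, request time and certification time, as an added illustration that is not code from the article or from any PAM product. The segregation-of-duties rule pairs, the set of entitlements treated as privileged, the entitlement names and the sample users are all constructed for the example; a real deployment would load them from the identity governance system.

```python
"""Added example (not from the article): request-time SoD check, privileged
review routing, and certification-time revocation for privileged access.

Assumptions (constructed for illustration):
- entitlements are plain strings such as "budget.approve";
- an SoD rule is an unordered pair of entitlements one person must never
  hold together (the "requests funding and signs the checks" conflict);
- PRIVILEGED lists the entitlements that count as "keys to the kingdom".
"""
from dataclasses import dataclass, field

# Constructed SoD rules: each pair is a toxic combination for one person.
SOD_RULES = {
    frozenset({"budget.request", "budget.approve"}),
    frozenset({"budget.approve", "payment.sign"}),
    frozenset({"ad.user_create", "ad.group_admin_add"}),
}

# Constructed set of entitlements treated as privileged.
PRIVILEGED = {"domain.admin", "ad.group_admin_add", "db.sysadmin", "payment.sign"}


@dataclass
class Request:
    user: str
    entitlement: str                     # the entitlement being requested
    current: set = field(default_factory=set)  # what the user already holds


@dataclass
class Decision:
    outcome: str     # "deny", "review" or "approve"
    reasons: list


def sod_conflicts(current, requested):
    """Return the user's existing entitlements that conflict with the request."""
    return sorted(e for e in current if frozenset({e, requested}) in SOD_RULES)


def evaluate(req: Request) -> Decision:
    """Checkpoint 1: automatic SoD test, then risk routing for privileged grants.

    A request that fails SoD is denied outright. One that passes but asks for
    a privileged entitlement is not auto-approved; it is routed to a manager
    for certification, matching the article's point that passing SoD alone
    does not make a privileged grant safe.
    """
    conflicts = sod_conflicts(req.current, req.entitlement)
    if conflicts:
        return Decision("deny", [f"SoD conflict with existing: {', '.join(conflicts)}"])
    if req.entitlement in PRIVILEGED:
        return Decision("review", ["privileged entitlement: manager certification required"])
    return Decision("approve", [])


def certification_revocations(held, certified):
    """Checkpoint 2: anything a user holds that the manager did not reaffirm
    during certification is scheduled for revocation. This is the control that
    prevents the "waxy build-up" of privileges nobody needs any more."""
    return sorted(set(held) - set(certified))


if __name__ == "__main__":
    # Constructed sample: alice already submits budgets and asks to approve them.
    print(evaluate(Request("alice", "budget.approve", {"budget.request"})))
    # bob asks for a privileged entitlement with no SoD conflict.
    print(evaluate(Request("bob", "payment.sign", {"db.reader"})))
    # carol's manager reaffirmed only db.reader; domain.admin is revoked.
    print(certification_revocations({"domain.admin", "db.reader"}, {"db.reader"}))
```

The deny/review/approve split matters operationally: routing every privileged request to a human certifier, rather than relying on the SoD matrix alone, is what turns the request checkpoint and the certification checkpoint into one enforced least-privilege process rather than two disconnected ones.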
Privileged user governance covers not only changes in technology, but also in company culture.
For many years, managing, controlling and monitoring those who were trusted with the “keys to the kingdom” seemed almost an afterthought. After all, a privileged user was a trusted employee of the company or a trusted third-party partner or contractor. Then came Terry Childs, Chelsea (Bradley) Manning and Edward Snowden, along with breaches at Target, OPM and Home Depot. Those breaches resulted from either abused or compromised privileged access.
Today, there is a growing awareness in both the private and public sectors of the need to better manage and monitor privileged accounts and users with access to sensitive data. It’s now on the must-do list.
Change isn’t always easy; it takes time and leadership to implement. But without taking control of privileged access management, an agency risks being in tomorrow’s headlines.