Key to effective breach prevention: privileged user governance

  • 201691 Mordecai Rosen

With cybersecurity attacks in the news almost daily, the new normal for organizations is to assume they have been -- or will be -- breached.

A recent Forrester study reported 80 percent of breaches involve privileged credentials.

As evidenced by the hacks at Sony, Home Depot and the Office of Personnel Management, once hackers are in the system -- whether gaining access via a phishing attack or another means -- they can methodically infiltrate a system further by increasing their user privileges to gain unfettered access to systems and an organization’s most sensitive data.

Stopping attacks somewhere along this methodical approach that bad actors use, a process known as the kill chain, is critical.

Privileged access management (PAM) has emerged as a top solution battling cyberattacks and interrupting the kill chain. Without good governance, however, PAM is doing only half the job.

Too many organizations have users with elevated privileges that do not need those rights, leading to a “waxy build-up” of privileged access.

For example, according to a Ponemon Institute study of over 650 organizations, 38 percent had users with privileged access rights for no apparent reason, and 36 percent of these organizations failed to revoke those rights when the users no longer needed those privileges. This is a hacker’s dream.

The key to reducing risk is ensuring privileged users have the minimum amount of access needed to do their jobs, a principle known as “least privilege.”

This concept is so critical that it is the core focus of Phase 2 of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.

Building on CDM Phase 1 -- which focused on identifying and securing network assets -- Phase 2 seeks to give federal agencies the security tools they need to manage privileged users and ensure that those users and accounts with the “keys to the kingdom” are closely monitored for unusual activity.

These two phases, discovery and enforcing least privilege, will then lead to a third phase focused on incident response, event management and boundary protections.

Controlling the risk equation with privileged user governance

Securing privileged user access, when looked at holistically, includes three core elements:

Discovery -- knowing exactly who an agency’s privileged users are, whether they are network administrators, third-party contractors or cloud service administrators.

Enforcement -- continuous monitoring so that irregular user behavior is quickly identified and stopped.

Governance -- making sure that only users who truly need elevated privileges and access have that access.

There are two important steps when it comes to governing privileged access -- when the access is requested and when those requests are certified. These vital security events must be considered together because neither one alone can ensure that least privilege is enforced.

Access requests are the first checkpoints for preventing improper or excessive privileged user entitlements.

For example, all access requests should be checked automatically for compliance with segregation of duties (SoD) controls -- an especially important assessment for privileged users because their access is already elevated.

This check ensures that the person requesting funding is not the same person approving the budget and signing the checks, for example.

Even if a request passes the SoD test, privileged access still may pose a risk to the organization and require further analysis to determine whether or not to approve the request.

Access certification requires a manager to determine if the requested access is valid or whether improper permissions have been granted.
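The two checkpoints described above, the automated SoD check at request time and the manager's certification of entitlements already held, can be sketched in code. The following is an added example written for this page, not code from the author or from CA Technologies; the SoD rule pairs, the set of entitlements treated as privileged, the 90-day staleness threshold and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed SoD rules: an identity must not hold both entitlements of a pair.
# The budget/payments pairs mirror the article's funding example.
SOD_RULES = {
    frozenset({"budget:request", "budget:approve"}),
    frozenset({"budget:approve", "payments:sign"}),
    frozenset({"budget:request", "payments:sign"}),
}

# Constructed list of entitlements treated as privileged (hypothetical names).
PRIVILEGED = {"domain:admin", "cloud:root", "payments:sign"}

# Constructed review date used by the sample certification run.
REVIEW_DATE = date(2016, 9, 1)


@dataclass
class Entitlement:
    name: str
    granted: date
    last_used: Optional[date]      # None if never exercised since grant
    justification: str = ""        # empty string means "no apparent reason"


@dataclass
class User:
    uid: str
    entitlements: list = field(default_factory=list)

    def names(self) -> set:
        return {e.name for e in self.entitlements}


def evaluate_request(user: User, requested: str):
    """First checkpoint: decide one access request.

    Returns ("deny", conflicts) when granting `requested` would complete an SoD pair
    with something the user already holds, ("review", []) when the request passes SoD
    but is privileged and so needs further analysis, and ("approve", []) otherwise.
    """
    held = user.names()
    conflicts = [
        sorted(rule)
        for rule in SOD_RULES
        if requested in rule and (rule - {requested}) <= held
    ]
    if conflicts:
        return ("deny", conflicts)
    if requested in PRIVILEGED:
        return ("review", [])
    return ("approve", [])


def certify(user: User, today: date, stale_after: timedelta = timedelta(days=90)):
    """Second checkpoint: produce the findings a manager certifies.

    Flags entitlements with no documented justification, and privileged entitlements
    that have not been used within `stale_after` (candidates for revocation).
    Returns a list of (entitlement name, [reasons]).
    """
    findings = []
    for e in user.entitlements:
        reasons = []
        if not e.justification:
            reasons.append("no documented reason")
        if e.name in PRIVILEGED:
            last = e.last_used or e.granted
            idle = today - last
            if idle > stale_after:
                reasons.append(f"privileged and unused for {idle.days} days")
        if reasons:
            findings.append((e.name, reasons))
    return findings


def sample_users() -> dict:
    """Constructed sample data: two hypothetical users."""
    alice = User("alice", [
        Entitlement("budget:request", date(2016, 1, 10), date(2016, 8, 20), "ops budget"),
        Entitlement("domain:admin", date(2016, 2, 1), date(2016, 3, 1), "migration"),
    ])
    bob = User("bob", [
        Entitlement("payments:sign", date(2016, 8, 15), None, ""),
    ])
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    users = sample_users()
    print(evaluate_request(users["alice"], "budget:approve"))   # denied: SoD conflict
    print(evaluate_request(users["alice"], "cloud:root"))       # passes SoD, still needs review
    for uid, u in users.items():
        print(uid, certify(u, REVIEW_DATE))
```

The point of keeping `evaluate_request` and `certify` separate is the one the article makes: a request that was correct when approved (Alice's domain admin rights for a migration) only shows up as excess privilege at certification time, while an SoD conflict is caught before any grant happens. Neither check alone enforces least privilege.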

Changing perspectives

Privileged user governance covers not only changes in technology, but also in company culture.

For many years, managing, controlling and monitoring those who were trusted with the “keys to the kingdom” seemed almost an afterthought. After all, a privileged user was a trusted employee of the company or a trusted third-party partner or contractor. Then came Terry Childs, Chelsea (Bradley) Manning and Edward Snowden, along with breaches at Target, OPM and Home Depot. Those breaches resulted from either abused or compromised privileged access.

Today, there is a growing awareness in both the private and public sectors of the need to better manage and monitor privileged accounts and users with access to sensitive data. It’s now on the must-do list.

Change isn’t always easy; it takes time and leadership to implement. But without taking control of privileged access management, an agency risks being in tomorrow’s headlines.

About the author

Mordecai Rosen is senior vice president and general manager of the security business unit at CA Technologies.