As evidenced by the recent Twitter breach, cybercriminals increasingly target users as a way to gain unauthorized access to privileged locations in an organization’s IT ecosystem. The Twitter breach is a bit of an anomaly in terms of data security events. While employees can seek financial gain by leveraging their access to internal documents, the 2020 Data Breach Investigations Report found that over 80% of hacking breaches involved either brute force attacks or lost/stolen credentials. Limiting user access and monitoring how users exercise that access provides a layer of security that is often treated as an afterthought compared to the focus on external monitoring controls.
How Cybercriminals Use Lost/Stolen Credentials
Credential theft is when a user’s login ID and corresponding password are compromised, often to be sold on the dark web. Despite media portrayals of hackers in dark basements furiously typing code, brute force attacks tend to be less glamorous. They occur when a cybercriminal sends a flood of login requests to an organization’s systems, networks or software, trying many user ID and password combinations in the hope that one of them matches a real account protected by a commonly used password.
Malicious actors download software from the dark web, then apply the organization’s user ID formula. Most organizations use some combination of firstname.lastname@example.org or email@example.com. The software then lets the cybercriminal try many combinations of names and passwords in the hope that one grants access to the organization’s IT ecosystem.
Once the cybercriminal finds a match, he or she can access anything that credential grants its legitimate user, allowing the threat actor to move within the company’s systems and networks undetected. Since the attacker used valid credentials, the activity appears normal, ultimately flying below the security team’s radar.
Working with your IT department is critical when trying to reduce access risk arising from lost/stolen credentials. You can only mitigate risk when you understand the full scope of your IT controls’ effectiveness.
Why Privileged Credentials Are Risky
While all user access levels can lead to a data security incident, the jackpot of credential theft is the privileged access or user. Users with privileged access have “superuser” powers within a company’s IT ecosystem. Privileged access is riskiest because it grants the user higher access rights than standard users, including creating or deleting users and updating software.
For example, to do their job, IT administrators need nearly unfettered access to an organization’s ecosystem. They need to create accounts and grant access to other users. However, that also makes them high-risk users since they could, conceivably, create fake accounts, grant them privileged access, and then engage in malicious data theft or credential theft, moving around in the organization’s systems and networks without looking suspicious.
Problematically, organizations today have a variety of privileged users, both human and electronic. Many organizations use robotic process automation (RPA) bots, computer programs that automate mundane, repetitive tasks to reduce operational costs. However, since many of the tasks for which they are used require privileged access, any misconfiguration that can compromise an RPA bot becomes a privileged access risk to the entire IT stack.
As a risk management professional, this means that you need to look at both the human users accessing your systems, networks, and software, and also the potential digital or machine identities that can increase your cybersecurity risk profile. Working closely with your IT team can help you better understand the types of machine identities being used and the ways in which they can compromise your risk mitigation strategies.
Enforcing Identity and Access Controls as Best Security Practices
Defining best security practices poses a problem for organizations: no fixed definition exists, because cybercriminals continue to evolve their methods. With most organizations embracing remote workforces for the foreseeable future, on-premises security controls no longer provide the necessary protection. As your organization uses more cloud-delivered technologies and services, you need to re-assess your IT and identity risks.
To secure data and protect privacy, companies should look to the identity perimeter to limit access and monitor privileged access within their ecosystems by taking the following steps:
Apply the Principle of Least Privilege
The first step to creating best Identity and Access Management (IAM) practices is to ensure that all users have only the access they need to fulfill their job functions and nothing more. For example, someone in human resources might need access to an employee’s address, but not all the banking information attached to the record if they are not in the payroll area.
Mitigating these risks means understanding how users access information and what information they need to access. Reducing the amount of data users access reduces the likelihood that users will accidentally leak sensitive data.
Apply Attribute-Based Access Controls
Remote employees can now access sensitive information from anywhere—home, coffee shop or even smartphone. By increasing the number of access locations, they also increase the attack surface. Leveraging attributes that directly address these new risks can help you reduce the likelihood of a data breach by limiting how, when, or where users access information. This limitation enforces your access policies and mitigates the risks associated with an account takeover by preventing suspicious-looking access.
Most IAM strategies start by assigning users to roles within the organization. For example, someone is an HR manager, so they need a certain set of rights within the organization’s system. However, role-based access controls (RBAC) only limit access based on what the user does in the company. With attribute-based access controls (ABAC), organizations can set additional contextual attributes such as geographical location, IP address, or time of day. This additional context allows the organization to limit access to high-risk resources on a more detailed level. With the explosion of remote work, ABAC provides a way to limit users’ access when the organization has determined that a location or time of day would be considered riskier. For example, someone using public WiFi is at a higher risk of a “man in the middle” cyberattack than someone using their home WiFi. If the organization allows sensitive access only from trusted IP addresses, then users cannot access sensitive information from public WiFi, reducing the attack surface.
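A policy check that combines the two ideas above, the least-privilege field grants from “Apply the Principle of Least Privilege” and the contextual attributes described here, as an added example that is not code from the original article: role grants decide which fields a user may read, and the source network plus time of day gate the sensitive ones. The roles, field names, trusted networks and business hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample policy: what each role may read (least privilege).
# Payroll staff see banking details; an HR representative sees only contact data.
ROLE_GRANTS = {
    "hr_rep": {"employee_record": {"name", "address"}},
    "payroll": {"employee_record": {"name", "address", "bank_account"}},
}
# Constructed context attributes (ABAC): trusted networks and business hours.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
SENSITIVE_FIELDS = {"bank_account", "health_record"}

@dataclass
class Request:
    role: str
    resource: str
    fields: set
    src_ip: str
    at: time

def evaluate(req):
    """Return (decision, reason): RBAC decides *what*, ABAC decides *when/where*."""
    granted = ROLE_GRANTS.get(req.role, {}).get(req.resource, set())
    not_granted = req.fields - granted
    if not_granted:
        return "deny", f"role {req.role} has no grant for {sorted(not_granted)}"
    if req.fields & SENSITIVE_FIELDS:
        ip = ip_address(req.src_ip)
        if not any(ip in net for net in TRUSTED_NETWORKS):
            return "deny", f"sensitive fields requested from untrusted address {req.src_ip}"
        start, end = BUSINESS_HOURS
        if not start <= req.at <= end:
            return "step_up", "sensitive fields outside business hours: require MFA"
    return "allow", "within role grant and context policy"

def decide(role, resource, fields, src_ip, hour):
    """Convenience wrapper: build a Request for a whole hour and return only the decision."""
    return evaluate(Request(role, resource, set(fields), src_ip, time(hour, 0)))[0]
```

A public WiFi address such as 198.51.100.7 is denied for banking fields even for payroll staff, while the same request from the office network at 2 a.m. is not refused outright but escalated to a step-up check.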
Continuously Monitor Access
The same continuous monitoring mantra that exists at the network perimeter also holds true at the identity perimeter. With user access monitoring, organizations can review the resources accessed to ensure they are appropriate to the users’ needs. Organizations need a way to detect suspicious access to sensitive information. For example, if an HR representative is accessing health care information at 2 a.m., the organization needs to know whether that employee typically works late at night or whether this signals a potential data security incident. Without visibility into when and how users interact with data, organizations cannot prove that they enforced their access policies as a best practice.
Visibility into anomalous data access reduces risk by helping you identify a potential data security incident before a cybercriminal steals information. Alternatively, should a cybercriminal manage to steal sensitive data, your continuous monitoring can help you reduce the time the attacker spends in your IT stack and trace the risky access.
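The 2 a.m. HR example above, worked through as added example code that is not part of the original article: a small detector builds each user’s baseline hours and source addresses from earlier log entries, then flags later accesses that deviate from that baseline on more than one attribute. The log format, user, record identifiers and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed access log (not from any real system): two normal days, then
# 2 a.m. health-record reads from an address never seen for this user.
SAMPLE_LOG = """\
2020-07-20T09:12:41Z user=hr.jones resource=employee_record/1041 fields=address src=10.1.4.22
2020-07-21T14:03:10Z user=hr.jones resource=employee_record/2210 fields=address src=10.1.4.22
2020-07-22T02:07:55Z user=hr.jones resource=health_record/1041 fields=diagnosis src=198.51.100.9
2020-07-22T02:08:12Z user=hr.jones resource=health_record/2210 fields=diagnosis src=198.51.100.9
"""
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) fields=\S+ src=(?P<src>\S+)")
SENSITIVE_PREFIXES = ("health_record/", "payroll/")
def parse(log):
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def build_baseline(history):
    """Per user: hours of day and source addresses seen during normal activity."""
    baseline = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for e in history:
        baseline[e["user"]]["hours"].add(e["ts"].hour)
        baseline[e["user"]]["srcs"].add(e["src"])
    return baseline

def flag_anomalies(recent, baseline):
    """Alert when an access deviates from the user's baseline in two or more ways."""
    alerts = []
    for e in recent:
        b, reasons = baseline[e["user"]], []
        if e["ts"].hour not in b["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if e["src"] not in b["srcs"]:
            reasons.append(f"new source address {e['src']}")
        if e["res"].startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive resource")
        if len(reasons) >= 2:
            alerts.append((e["ts"].isoformat(), e["user"], e["res"], reasons))
    return alerts

def detect(log, cutoff_iso):
    """Baseline from events before the ISO-8601 cutoff; score events at or after it."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse(log)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return flag_anomalies([e for e in events if e["ts"] >= cutoff], baseline)
```

Requiring two deviations keeps a single late night from paging anyone, while the combination of off-hours, new address and sensitive record is exactly the case the text says the organization needs to see.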
Digital Transformation, Remote Work and Securing Data
Digital transformation, accelerated by the rapid move to remote working, streamlines productivity but also increases risks. With more users connecting more devices from more places at less regular times, identity and access must be an integral part of an organization’s data security.
Establishing and enforcing strict access policies is now more important than ever before. Malicious actors will continue to look for user accounts that act as backdoors to organizations’ systems, networks, and software. To secure data, risk managers need to be more actively engaged in monitoring access and mitigating potential threats arising from compromised accounts.