Managing Privileged Access Hacking Threats

Joe Schorr

December 1, 2015

Amid increasingly common data breaches, it has become clear that hackers’ favorite targets are privileged account credentials, especially those of security, IT and database administrators. Since this information can give hackers access to critical systems without triggering any alarms, it is no wonder that this particular attack vector has been used time and time again, including in the major breaches at Excellus BlueCross BlueShield, the U.S. Office of Personnel Management and Target. Outside third-parties and vendors with privileged access are also prime targets because they often use legacy access methods that create unrestricted and unmonitored attack footholds in a network.

But while cybercriminals are rapidly advancing their capabilities to compromise privileged access, corporate defenses are lagging behind. By definition, a good defense-in-depth strategy will include multiple layers and overlapping components, but that complexity often leads to a lack of focus on the highest risks. In order to develop an effective access security strategy, companies need to first understand their various levels of risk.

Risk is fundamentally based on two components: the criticality of the system being accessed and the trust in the person accessing that system.

For simplicity, let’s say you have two types of systems: critical and less critical. Critical systems include those that would bring business to a halt if they were shut down, and those containing data that would be detrimental if exfiltrated by a malicious actor, like the stock-impacting events that make headlines.

Less critical systems include everything else. It is important to note that these systems are not trivial, however, because attackers often use seemingly insignificant systems as an entry point from which to jump to your critical systems.

There are also, for the sake of simplicity, two categories of people accessing your systems: highly-trusted employees, and less-trusted external users.

Employees include anyone with a W-2 from your company, whether based on-site or in a remote location. Of course, there will always be malicious employees and insider threats, but in general, you should have more trust in your employees than in external parties.

External users include a wide range of third parties that access your systems, from contractors who behave just like employees to technology vendors who may access one of your systems for maintenance or updates. Your level of trust will vary based on the type of third party. An example of a trusted vendor may be an outsourced service person who provides daily IT support to your employees. An untrusted vendor may be more like the HVAC company that was the initial attack point in the Target breach.

By combining system criticality with levels of trust, we can define various levels of risk. For example:

  • Risk Level 1 – Critical systems accessed by untrusted vendors

  • Risk Level 2 – Critical systems accessed by trusted vendors

  • Risk Level 3 – Critical systems accessed by employees

  • Risk Level 4 – Less critical systems accessed by vendors

  • Risk Level 5 – Less critical systems accessed by employees

In reality, your organization has much more granular levels of system criticality and trust with regard to both your employees and third parties, but the risk area that typically rises to the top is third-party vendors with access to critical systems—in other words, external users with privileged access.

The problem is that, until recently, information security budgets were incredibly small compared to overall IT budgets, and most companies put their money into perimeter defenses, desktop/endpoint security and maybe some application security, usually with a defense philosophy driven by the “insider threat.” While some of these defenses have been effective, they do not address the highest-risk areas. Attackers always seek to identify the weakest person or role in the target’s cyber-ecosystem. A smart attacker knows that even these rudimentary measures will typically not extend to an enterprise’s vendors, partners or other third parties.

Traditional methods of controlling access for vendors and other third parties are far too vulnerable. Businesses typically just request that a third party be granted access and leave IT to come up with some kind of legacy tunneling solution or a VPN. That access is usually granted without any useful controls, such as restricting the times the vendor can access the system, setting the duration, limiting the systems and applications they can see, or even recording and logging what the vendor did while on that system. When, in some rare cases, enterprises do try to control this access, they most likely rely on “security by heroics,” pointing several solutions, tools or manual procedures at the termination of the tunnel to try to gain some measure of control. This is usually ineffective and does not remove the core issue of allowing untrusted, high-risk users onto the core network.

Effectively controlling and monitoring privileged access is central to an effective defense-in-depth strategy. Attackers need three things to compromise a target: knowledge, resources and time. You cannot make them dumber and you cannot take away their tools, but you can control their access to your environment and reduce their time inside, thus shrinking their foothold in your enterprise. It takes an average of 243 days for breaches to be detected. In the case of the recent Excellus breach, it was 21 months. If one of your privileged vendors’ systems is compromised and “owned” by a hacker, who could then be connected to your network via an unmonitored VPN for months, the consequences can be dire.

Organizations need to address these risks in a number of ways, using technologies that match the capabilities of today’s hackers:

  • First, create an outbound session for vendor or third-party use. This eliminates their unfettered physical connection to your network.

  • Second, limit third parties’ windows of access by controlling when they get in and how long they are allowed to stay.

  • Third, use application whitelisting to limit vendors to exactly what they need to see to do their job and nothing else—not even a start bar, command prompt or browser.

  • Fourth, because sometimes even the “bare minimum” may include elements that could be exploited, record every second of every session while they are inside your environment.

  • Finally, collect security logging data that can be digested and correlated by a security monitoring program.
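To make the risk levels above and these controls concrete, here is an added example (my own illustration, not the author’s code and not Bomgar’s product) of the policy check a session broker might run before opening a vendor session: it maps the request onto one of the five risk levels, applies an application allow-list, an access window and a duration cap, refuses unrecorded vendor sessions on critical systems, and emits a structured event for the monitoring program whether the session is allowed or denied. All field names, hostnames, the vendor name and the sample requests are constructed.

```python
"""Vendor access policy check (added example; not the author's or Bomgar's code).
Combines the article's risk levels with its controls: access windows, an
application allow-list, mandatory recording and a structured log event.
All field names, hosts and sample data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The article's five risk levels keyed by (system criticality, user trust);
# level 4 covers vendors of either trust level on less critical systems.
RISK_LEVELS = {
    ("critical", "untrusted_vendor"): 1, ("critical", "trusted_vendor"): 2,
    ("critical", "employee"): 3, ("less_critical", "untrusted_vendor"): 4,
    ("less_critical", "trusted_vendor"): 4, ("less_critical", "employee"): 5,
}

@dataclass(frozen=True)
class AccessPolicy:              # hypothetical per-vendor policy record
    allowed_apps: frozenset      # only these applications are exposed
    window_start: int            # first permitted hour of day (UTC), inclusive
    window_end: int              # last permitted hour of day (UTC), exclusive
    max_duration: timedelta      # hard cap on session length
    record_session: bool = True  # full session recording on or off

@dataclass(frozen=True)
class AccessRequest:             # hypothetical request as a broker sees it
    user: str
    user_trust: str              # employee | trusted_vendor | untrusted_vendor
    system: str
    criticality: str             # critical | less_critical
    app: str
    start: datetime
    duration: timedelta

def risk_level(criticality, trust):
    """Map a (system, user) pair onto the article's Risk Level 1-5."""
    return RISK_LEVELS[(criticality, trust)]

def in_window(hour, start, end):
    """True if hour lies in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def evaluate(req, policy):
    """Apply the controls; return (allowed, reasons, log_event).
    The event is produced for denials too, so refused attempts are logged."""
    reasons = []
    level = risk_level(req.criticality, req.user_trust)
    if req.app not in policy.allowed_apps:
        reasons.append(f"application {req.app!r} is not on the allow-list")
    if not in_window(req.start.hour, policy.window_start, policy.window_end):
        reasons.append(f"start hour {req.start.hour:02d} is outside the window")
    if req.duration > policy.max_duration:
        reasons.append("requested duration exceeds the policy maximum")
    if level <= 2 and not policy.record_session:   # vendors on critical systems
        reasons.append("vendor sessions on critical systems must be recorded")
    allowed = not reasons
    event = {
        "event": "vendor_session_decision", "decision": "allow" if allowed else "deny",
        "user": req.user, "user_trust": req.user_trust,
        "system": req.system, "criticality": req.criticality, "risk_level": level,
        "app": req.app, "start": req.start.isoformat(),
        "duration_min": int(req.duration.total_seconds() // 60),
        "recorded": policy.record_session, "reasons": reasons,
    }
    return allowed, reasons, event

# Constructed sample: an HVAC contractor limited to one building-management
# console during business hours, for at most two hours per session.
SAMPLE_POLICY = AccessPolicy(frozenset({"bms-console"}), 8, 18, timedelta(hours=2))
SAMPLE_OK = AccessRequest("hvac-contractor", "untrusted_vendor", "bms-01", "critical",
                          "bms-console", datetime(2015, 12, 1, 9, 0), timedelta(hours=1))
SAMPLE_DENIED = AccessRequest("hvac-contractor", "untrusted_vendor", "bms-01", "critical",
                              "cmd.exe", datetime(2015, 12, 1, 23, 0), timedelta(hours=8))

if __name__ == "__main__":
    import json
    for req in (SAMPLE_OK, SAMPLE_DENIED):
        print(json.dumps(evaluate(req, SAMPLE_POLICY)[2], sort_keys=True))
```

Run as a script it prints one JSON line per decision, which is the shape a SIEM can ingest and correlate; the denied request fails three checks at once (a shell outside the allow-list, a late-night start, and an eight-hour duration), and each reason travels with the event so the monitoring team sees why the broker refused it.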

Deploying new vendor access tools and processes can be a delicate subject in some cases, but you need to ensure that your company is protected. If the vendor has a stronger security posture than you, then they will completely understand why you are taking measures to control access. On the other hand, if they have a weaker security posture, then you are obligated to protect yourself from them.

Joe Schorr is director of advanced security solutions at Bomgar.