Privileged Access Management & Equifax: 5 Deadly Sins
The hidden cause of many headline breaches, according to cybersecurity insiders, is the misuse and abuse of privileged accounts, spanning access, session and elevation management, at many organizations, financial services firms included.
Phoenix-based security firm BeyondTrust, in its annual report based on a survey of nearly 500 IT professionals from around the world, identified the “Five Deadly Sins of Privileged Access Management” and how they prevent organizations from effectively protecting sensitive information.
Because so many attacks start with the misuse of privileged accounts, BeyondTrust said it is not surprising that respondents rated privileged access management (83%), privileged session management (74%), and privilege elevation management (74%) somewhat to extremely important to their efforts.
“We have known for a while that privileges are a problem,” said Morey Haber, VP of technology at BeyondTrust. “Underneath the hood we found that people know that there's a problem. They are either too busy or they don't think it'll ever happen to them.”
For years, security experts have outlined best practices for privileged access management to reduce problems. Despite this, IT organizations continue to struggle with PAM. Forrester research found 80% of data breaches are the result of the abuse or misuse of privileged credentials.
Even the recent, headline-grabbing Equifax data breach had PAM underpinnings, according to Haber, who explained that the breach came in two pieces.
The first is the public breach that affected 143 million people, which exploited a vulnerability in Apache Struts, an open-source web application framework.
“The second piece is Equifax Argentina, which is an internal portal that had ‘admin, admin’ as default credentials and allowed exposure internally to years of disputes that potential citizens of Argentina had with Equifax, including personal data etc.” Haber pointed to the survey finding that 76% of respondents rate unchanged default passwords as a top threat. “If they're using canned applications to do this work it's a pretty good correlation that a large quantity of them are still using the default credentials for admin rights or other types of work.”
From its survey results, BeyondTrust identified PAM’s five deadly sins:
1. Apathy. Asked to list the top threats associated with passwords, respondents listed employees sharing passwords with colleagues (79%), employees not changing default passwords shipped with devices (76%), and using weak passwords like “12345” (75%). Despite knowing better, respondents admitted that many of these same bad practices are common. A third of respondents reported that users routinely share passwords with each other, and a quarter reported the use of weak passwords. One in five don't even change the default passwords.
2. Greed. Users often insist they need full administrative privileges over their devices. That creates problems for IT. Almost 80% of respondents cite allowing users to run as administrators as their biggest threat, followed by not having control over applications on users’ machines (68%). Nearly 20% admitted it is common for users to run as administrators on their machines. Often, these practices directly caused system downtime.
3. Pride. One in five respondents said attacks combining privileged access with exploitation of an unpatched vulnerability are common. Simply patching known system vulnerabilities can prevent most commonly reported attack vectors, yet too often IT does not stay current on patches.
4. Ignorance. Two-thirds said managing least privilege for Unix/Linux servers is somewhat to extremely important. One popular option is Sudo, which lets administrators delegate specific privileged commands to specific users. However, just 29% said Sudo meets their needs. The most commonly cited problems with Sudo: it is time-consuming (32%), complex (31%) and offers poor version control (29%). Despite this, the typical respondent runs Sudo on 40 workstations and 25 servers.
5. Envy. Enterprises are rushing to embrace cloud computing. Yet, more than a third report they are not involved in protecting SaaS applications from privileged access abuse.
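Whether Sudo "meets their needs" often comes down to how the sudoers policy is written, and the common mistakes can be checked mechanically. The script below is an added example written for this page, not BeyondTrust's code or anything produced by the survey: it parses a constructed sudoers file and flags the rules that undo least privilege, namely `ALL` command grants, `NOPASSWD` on `ALL`, binaries that can spawn a shell once running as root, and wildcards in command arguments (which in sudoers also match whitespace, so extra arguments can be appended). The sample policy, the list of shell-escape binaries and the finding texts are assumptions for illustration.

```python
"""Flag sudoers rules that defeat least privilege (added example, not from the article).
Assumes plain sudoers syntax `who host = (runas) [TAG:] command args, ...`;
Defaults, alias definitions and include directives are skipped, not expanded."""
import re
from collections import namedtuple

# Binaries that hand the caller a shell or arbitrary exec once running as root,
# so delegating them is effectively delegating ALL unless NOEXEC is set.
SHELL_ESCAPE_CMDS = {"sh", "bash", "dash", "zsh", "su", "vi", "vim", "nano", "less",
                     "more", "man", "find", "awk", "perl", "python", "python3", "env", "tar"}
KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# In sudoers a tag stays in force for later commands of the same rule until its opposite.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
            "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias",
                 "Runas_Alias", "@include")
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
CommandSpec = namedtuple("CommandSpec", "tags path args")
Rule = namedtuple("Rule", "lineno who runas commands")


def _logical_lines(text):
    """Yield (first_lineno, line) with trailing-backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf).strip()


def _split_tags(spec):
    """Split `NOPASSWD: /usr/bin/x arg` into ({tags}, path, args)."""
    spec, tags = spec.strip(), set()
    while (m := TAG_RE.match(spec)) and m.group(1) in KNOWN_TAGS:
        tags.add(m.group(1))
        spec = spec[m.end():]
    path, _, args = spec.partition(" ")
    return tags, path, args.strip()


def parse_sudoers(text):
    """Parse user-specification lines into Rule records; other lines are ignored."""
    rules = []
    for lineno, line in _logical_lines(text):
        m = RULE_RE.match(line) if line and not line.startswith(SKIP_PREFIXES) else None
        if not m:
            continue
        inherited, commands = set(), []
        for spec in m.group("cmds").split(","):
            tags, path, args = _split_tags(spec)
            overridden = {OPPOSITE.get(t) for t in tags}
            inherited = {t for t in inherited if t not in overridden} | tags
            commands.append(CommandSpec(frozenset(inherited), path, args))
        rules.append(Rule(lineno, m.group("who"), m.group("runas") or "root", commands))
    return rules


def audit_rule(rule):
    """Return human-readable findings for one rule; root's own rule is exempt."""
    findings = []
    if rule.who == "root":
        return findings
    runas = "any user including root" if rule.runas.startswith("ALL") else rule.runas
    for cmd in rule.commands:
        if cmd.path == "ALL":
            findings.append("grants ALL commands, so the account is root in all but name")
            if "NOPASSWD" in cmd.tags:
                findings.append("NOPASSWD on ALL: a stolen session or SSH key is an instant root shell")
            continue
        base = cmd.path.rsplit("/", 1)[-1]
        if base in SHELL_ESCAPE_CMDS and "NOEXEC" not in cmd.tags:
            findings.append(f"{cmd.path} can spawn a shell as {runas}, bypassing the command restriction")
        if any(ch in cmd.args for ch in "*?["):
            findings.append(f"wildcard in arguments of {cmd.path}: sudoers wildcards also match "
                            "spaces, so extra arguments can be appended")
    return findings


def audit_sudoers(text):
    """Return (lineno, who, finding) for every problem found in a sudoers text."""
    return [(r.lineno, r.who, f) for r in parse_sudoers(text) for f in audit_rule(r)]


# Constructed sample policy for this example; not any real host's sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service, \\
                   /usr/bin/systemctl status app.service
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
ops     ALL=(root) /usr/bin/vim /etc/app/*.conf
alice   ALL=(ALL) /usr/bin/find / -name *.log
bob     ALL=(root) /bin/cat /var/log/*
"""

if __name__ == "__main__":
    for lineno, who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who}: {finding}")
```

On the sample, the `deploy` and `backup` rules pass because they name a fixed program with fixed arguments, while `%wheel`, `ops`, `alice` and `bob` are each flagged. The fixes follow from the findings: replace `ALL` with the exact commands a role needs, add `NOEXEC:` (or use `sudoedit`) where an editor or pager must be delegated, and avoid wildcards in arguments. Because this checker does not expand aliases, confirm a user's effective policy on the host itself with `sudo -l -U <user>`.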
BeyondTrust advised organizations to deploy enterprise password management across all data centers, virtual and cloud environments, and to remove local admin rights from all Windows and macOS end users immediately; according to the firm, 94% of Microsoft vulnerabilities reported in 2016 could have been mitigated by removing admin rights.
Organizations should also prioritize and patch vulnerabilities, replace Sudo for protecting Unix/Linux servers, and unify privileged access management, on-premises and in the cloud, into a single console for management, policy, reporting and analytics.