EB: Can you explain why privileged identities sit at the core of today’s cyber-attacks?
PB: Despite privileged accounts being centred around gaining access to the most highly valued assets, the resources required to regularly rotate every admin account have typically been expensive. Therefore, instead of focusing on the security of these accounts, tech teams are focused more on ‘keeping the lights on’ and delivering new capabilities.
Alongside this neglect, many teams have an ‘if it’s not broke, don’t fix it’ mentality and do not spend the time and effort required to understand what permissions are really required for each account. Add into this dated legacy applications running old software with known vulnerabilities and we have some very ripe, easy pickings for any would-be attacker.
EB: What are the most common attack techniques used by hackers in order to elevate privilege?
PB: In order to elevate privilege, one of the first techniques used by attackers will be to breach the perimeter defence. Phishing techniques are a very powerful means of getting malware inside a machine. Laptops are also connecting to all kinds of open networks nowadays, and bad networks, alongside badly secured websites, all provide clear routes for malware to enter.
Old, unpatched software is another starting point for hackers. From here, they can start using techniques such as pass-the-hash to start looking for privileged accounts. Desktop admins that have logged on to old laptops are a good example – a hacker can obtain admin-level access on an old machine and start looking for a permanent foothold inside the network.
EB: Do you think companies are aware of how important privileged identities are in cyber security?
PB: Companies are definitely becoming better aware of how important privileged identities are in cyber security. As the world headlines highlight the potential dangers, an ‘I don’t want to be the next’ mentality is spreading across industries of all sizes. However, audits are more and more regular and privileged access is becoming one of the key points that these audits inspect.
EB: How are companies currently failing to address this weak link in security?
PB: Overall, companies do understand the risks in terms of weak links in security. A lot of system designs will include exceptions for security credentials which are not being rotated as part of the schedule – it comes down to the cost of doing this manually.
Simple risk judgements taken by senior management can in most cases be effective, but a holistic approach is essential to ensure spend is delivering both value and risk reduction.
EB: What are the main challenges for IT in managing privileged identities?
PB: Resources and complexity are two of the main challenges for IT. Prior to the likes of CA’s Privileged Access Manager software, rotating accounts physically required a person to log into a system, change the account and update the password spreadsheet manually.
For a low-impact system, although time consuming, largely this is not a complex action. However, for a business-critical and customer-facing system this can become more challenging in terms of changing controls, the testing that’s required, alongside the approval process.
EB: Do those challenges only get bigger with complex environments like hybrid IT?
PB: APIs make interacting with complex environments like hybrid IT a lot easier to manage privileged identities. Products like CA-APIM make life a lot easier for developers and implementers to deliver easy-to-manage systems. Cloud and hybrid environments allow more automation and a holistic view of who is accessing what and why. The technical challenges still come from legacy systems that were not designed with security and remote management in mind.
EB: What are the benefits of privileged identity management?
PB: The benefits of privileged identity management are simply about managing (programmatically) privileged access. Protecting, auditing and assessing that the right people have access to the right information, at the appropriate time and in the correct manner, is key.
EB: What are must-have elements in any Privileged Identity Management plan/strategy?
PB: The must-have elements in any Privileged Identity Management plan are low user impact. If it is not easy to use, users will look to circumnavigate it. Ease of deployment and maintenance are also key – nobody wants to have to set up a new dedicated infrastructure. A robust, resilient and simple appliance-based solution is ideal. If your solution is complex, time constraints mean that privilege control systems can be bypassed to get new systems online in time.
EB: What steps should companies take to implement PIM?
PB: When implementing PIM, companies should remember this also needs to accommodate PAM (Access).
Firstly, businesses must understand their system and landscape. The majority of organisations do not know how many privileged accounts they have nor exactly what they are entitled to have access to. At CA we would always recommend performing a ‘who has access to what’ discovery project to help distinguish these users. Finally, building out roles and requirements, whilst understanding what accounts need access to, is a crucial step. Just giving ‘admin’ access is not a good enough solution in the vast majority of cases.
EB: How do you foresee the security challenges with privileged identity changing and evolving in the near future?
PB: The evolution of security challenges in privileged identity will be in user identification. Hitting the right balance between making this too onerous and too loose, as always with security, is the real challenge, but CA Advanced Authentication is a good solution to help here.
Identity Analytics will also be key – predictive, constant and with the right balance of automation and visibility, this will address the constantly changing landscape.