Attackers don’t break in when they can log in
In IT security, the language we use can be misleading. We talk about attacks, breaches, and hacking our defences. These sound like violent acts – where an intelligent attacker outsmarts and out-thinks our security.
But that’s not always the case. In fact, most incidents are a whole lot quieter than that.
Attackers don’t always hack through layers of sophisticated security. Sometimes, they just use the password.
From individual users to service accounts, the privileged passwords you use are the easiest way into your business. They give people widespread access to your most confidential systems – the ones that support your everyday business and store your most private data.
And those passwords are often the least protected element of your IT.
How privileged passwords give attackers access
Privileged passwords are attached to accounts with elevated security permissions. The access they offer goes beyond a simple user desktop. That’s exactly why they make excellent attack vectors.
Common privileged passwords include:
- Administrative accounts, like a root user on Linux / UNIX or your Windows Administrator account.
- Service accounts that provide a security context for services. They’re not users specifically, and that means they’re often used from multiple applications and devices.
- Application accounts that secure the connection between two applications.
In the right hands, these are the passwords that help systems to work correctly and users to get on with what they need to do. But, in the wrong hands, they provide access to a wide range of functionality and data.
Take leading retailer Target, which had 40 million credit card numbers and personal information for as many as 70 million people stolen in November 2013. Their estimated losses were $420 million, according to Gartner. And the sophisticated, advanced attack methodology that was used? Attackers simply logged in.
They took privileged passwords from one of Target’s HVAC suppliers – a considerably easier target – then used their widespread access to infect Target’s network with a trojan.
Target’s passwords, when turned against them, posed a serious security threat. But, of course, those passwords are an essential part of business. There’s no getting around their existence – we’ll always need to secure our infrastructure using passwords.
So what steps can we take to secure the passwords themselves?
Why your passwords aren’t protected
There’s a lot you can do to protect your privileged passwords.
You can enforce robust policies – like changing passwords on a regular basis, or enforcing a certain level of password strength. You can implement processes that keep the window of opportunity for misuse small. You could even use something like dual control to ensure that no single user knows a privileged password in full, with each part of the password defined by a different administrator.
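The three policies just described (complexity, rotation and dual control) can be expressed in a few lines. The following is an added example written for this post, not code from the original article or from any product it mentions; the minimum length, character-class rules, 30-day rotation limit and 2-of-2 XOR split are assumptions chosen for illustration. Dual control here means the password is generated once, split into two shares that are handed to two different administrators, and only reconstructable when both shares are presented; one share on its own is a uniformly random pad and reveals nothing about the password.

```python
import secrets
import string
from datetime import datetime, timedelta

# --- Policy 1: password strength (assumed rule: 16+ chars, all four classes) ---
def meets_complexity(pw: str, min_len: int = 16) -> bool:
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and all(classes)

def generate_password(length: int = 24) -> str:
    """Generate a privileged password from the OS CSPRNG until it passes policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(pw):
            return pw

# --- Policy 2: rotation (assumed rule: change at least every 30 days) ---
def rotation_due(last_changed_iso: str, now_iso: str, max_age_days: int = 30) -> bool:
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= timedelta(days=max_age_days)

# --- Policy 3: dual control as 2-of-2 split knowledge ---
def split_secret(pw: str) -> tuple[bytes, bytes]:
    """Return two shares; each administrator stores exactly one of them."""
    data = pw.encode("utf-8")
    share_a = secrets.token_bytes(len(data))                    # admin A: random pad
    share_b = bytes(x ^ y for x, y in zip(data, share_a))       # admin B: data XOR pad
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> str:
    """Reconstruct the password; both administrators must contribute a share."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong to the same secret")
    return bytes(x ^ y for x, y in zip(share_a, share_b)).decode("utf-8")

if __name__ == "__main__":
    pw = generate_password()
    a, b = split_secret(pw)
    print("complexity ok:", meets_complexity(pw))
    print("rotation due:", rotation_due("2014-01-01", "2014-02-15"))
    print("round trip ok:", combine_shares(a, b) == pw)
```

A 2-of-2 XOR split is the simplest form of dual control; where you need any k of n administrators rather than both of two, a threshold scheme such as Shamir's secret sharing replaces the XOR step while the surrounding policy checks stay the same.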
But here’s the truth of it. That stuff is difficult and time-consuming and usually involves huge spreadsheets.
We’re all working with limited resources. We’re trying to secure a huge range of devices, in a world where people bring their own laptop to work or take their operating system away with them on a USB drive. The threats continue to evolve. All of our resources go into keeping up.
And that means protecting your passwords gets left behind.
A practical approach to protecting your passwords
There’s no denying the risk associated with your privileged passwords. According to Verizon’s Data Breach Investigations Report, 88% of IT security breaches in 2014 involved privilege abuse of some kind. But a manual approach to the problem just isn’t sustainable.
That doesn’t mean you should do nothing. That just means you should look to automate the process as much as possible.
Thycotic Secret Server automatically discovers privileged passwords across your infrastructure, and consolidates them in a secure vault with two-factor authentication and AES-256 encryption. All of your policies are enforced automatically, from password complexity to change frequency.
And, crucially, every interaction with a password is monitored and logged. Regular reports can be generated with a few clicks, which is ideal for the demands of compliance standards like PCI DSS, HIPAA, and SOX.
So you’ll always know who is using a password – and what they are using it for.
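Knowing who used a password and why only pays off if someone reads the log. The following added example (not code from the article or from Secret Server, whose log format is not shown here) runs a small audit over constructed vault-style log lines in a hypothetical format and turns them into findings a reviewer would act on: a user touching a secret they are not an approved owner of, a checkout with no recorded justification, and access outside business hours. The ownership table, business-hours window and sample lines are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log in a hypothetical key=value format (not any product's real format).
SAMPLE_LOG = """\
2014-11-20T08:03:11Z user=jsmith action=VIEW secret=prod-db-root reason="ticket INC-1042"
2014-11-20T08:05:47Z user=jsmith action=CHECKOUT secret=prod-db-root reason="ticket INC-1042"
2014-11-20T09:12:03Z user=svc-backup action=VIEW secret=prod-db-root reason=""
2014-11-20T22:41:09Z user=contractor1 action=CHECKOUT secret=pos-admin reason="maintenance"
2014-11-21T08:00:00Z user=system action=ROTATE secret=prod-db-root reason="scheduled rotation"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'secret=(?P<secret>\S+) reason="(?P<reason>[^"]*)"$'
)

# Hypothetical ownership table: which identities are approved to use each secret.
OWNERS = {
    "prod-db-root": {"jsmith", "system"},
    "pos-admin": {"ops-team", "system"},
}

def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def audit(log_text: str, owners=OWNERS, business_hours=(7, 19)):
    """Return (findings, usage): findings are (user, secret, reason) tuples,
    usage counts every (user, secret, action) so the report shows who used what."""
    findings = []
    usage = Counter()
    start, end = business_hours
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        usage[(ev["user"], ev["secret"], ev["action"])] += 1
        if ev["user"] not in owners.get(ev["secret"], set()):
            findings.append((ev["user"], ev["secret"], "not an approved user of this secret"))
        if ev["action"] in ("VIEW", "CHECKOUT") and not ev["reason"]:
            findings.append((ev["user"], ev["secret"], "no justification recorded"))
        if not (start <= ev["ts"].hour < end):
            findings.append((ev["user"], ev["secret"], "access outside business hours"))
    return findings, usage

if __name__ == "__main__":
    findings, usage = audit(SAMPLE_LOG)
    for user, secret, why in findings:
        print(f"FINDING {user:12} {secret:14} {why}")
    for (user, secret, action), n in sorted(usage.items()):
        print(f"USAGE   {user:12} {secret:14} {action} x{n}")
```

On the constructed sample this produces four findings: the service account viewing the database root password with no ticket, and a contractor checking out the point-of-sale admin password late at night without being an approved owner. The scheduled rotation by the vault itself produces none, which is the point: routine, policy-driven use should be invisible in the report so that the exceptions stand out.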