A fresh take on privileged access management to safeguard against cybercrime
By BeyondTrust
Over half of Singapore companies are at risk of a privilege escalation attack. Scott Hesford, Director, Solutions Engineering, Asia Pacific at BeyondTrust explains what these attacks entail, and proposes a novel approach to prevent them.
Privilege escalation attacks can be difficult to detect and prevent. But a zero-trust, identity-centric approach may be the solution, according to a cyber expert from BeyondTrust. Image: Canva
Think of privilege escalation attackers as undercover agents. Insidious and unseen, undercover agents infiltrate an organisation by finding a weak point in its defences, slipping into its ranks and gaining the trust of insiders, only to betray them later.
Privilege escalation attacks follow the same pattern. Attackers first gain a foothold by exploiting common weaknesses such as software bugs, misconfigurations or inadequate access controls, then raise the privileges of the account or process they control and move laterally through the environment to steal data, plant malware and often wreak havoc.
Take the infamous 2021 Colonial Pipeline attack in the United States (US), for instance. The attackers entered through an orphaned VPN account, worked their way through the environment and ultimately installed ransomware on the network, according to Scott Hesford, Director of Solutions Engineering at cybersecurity provider BeyondTrust.
Consequently, the pipeline operator halted its operations for nearly a week, causing long queues and fuel outages at petrol stations across the eastern US and prompting the US federal government to issue an emergency declaration. The operator paid a ransom of about US$4.4 million to the criminal gang responsible in exchange for a decryption key, and the pipeline resumed operations several days later.
A similar method was used in the 2021 attack on the water treatment plant in Oldsmar, Florida, where the attacker used a third-party remote access tool to reach the controls of the city's water system. Likewise, the well-known 2013 Target breach, in which around 40 million payment card records and the personal data of up to 70 million customers were stolen, began when attackers leveraged the network access granted to Target's HVAC supplier.
What then can organisations do in response to these insidious threats? Hesford tells GovInsider that a zero trust, identity-centric approach is the way forward.
Trust no one: An identity-centric approach
A recent BeyondTrust survey found that zero trust is a consideration for nearly all public sector organisations in Singapore – 97 per cent, to be exact. The approach replaces implicit trust in the network with continuous verification: each time a user interacts with a network, system or application, their identity is verified and their authorisation to take that specific action is checked.
A few key components make up this zero trust, identity-centric approach, according to Hesford.
The first is the identity lifecycle – how accounts are created, managed and removed. “It is important that [user] accounts are regularly reviewed for access,” he says. “If there are any changes to their role, and therefore their needs, then all access should be reviewed and removed as appropriate.”
Next, it is vital to assess how and where privileges are used within an organisation or a system. The same study by BeyondTrust found that 54 per cent of Singapore-based IT leaders believe that users across their organisations have excessive privileges. Hesford observed that during the pandemic in particular, organisations tended to grant administrative access to employees working from home who needed to install additional software or add devices such as printers.
In response, Hesford suggests enforcing least privilege through modern privileged access management (PAM). Before deciding on access controls, the organisation establishes who the user is, which application or data they need, when and for how long they need it, and from where they are using it.
In this model, users are given access only to the tools they need for their role, rather than blanket rights tied to a clearance level. For instance, a human resources executive may be granted access to payroll and employee documents, but will not be able to access client files.
Such controls need to be applied to third-party vendors as well to prevent incidents like the Target breach from happening. This granular approach allows organisations to control exactly which systems and/or processes third-party users have access to, rather than granting them access to the whole network, Hesford explains.
And on the occasions where users do need administrative access, Hesford says a just-in-time (JIT) approach should be considered: elevated rights are granted for a specific task and a bounded window, then removed, and whatever access remains is regularly reviewed.
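The least-privilege and just-in-time model described above, as an added example that is not BeyondTrust's code or product logic. The role names, resources, request format and the two-hour cap are assumptions made for the illustration: ordinary access is decided from a role's entitlements, while administrative access is never standing and must be requested for a bounded window that expires on its own.

```python
"""Least privilege with just-in-time (JIT) administrative access.

Added illustration, not BeyondTrust's code. The role names, resources,
request format and the two-hour cap are assumptions made for this example.
Ordinary access is decided from a role's entitlements; administrative
access is never standing and must be requested for a bounded window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role -> resources that role needs (least privilege: an HR
# executive sees payroll and employee records, never client files; a vendor
# sees the one system it maintains, not the whole network).
ROLE_GRANTS = {
    "hr_executive": {"payroll", "employee_records"},
    "account_manager": {"client_files", "crm"},
    "hvac_vendor": {"hvac_controller"},
}

# Resources only reachable through a time-bound JIT grant.
ADMIN_RESOURCES = {"domain_admin", "server_root"}
MAX_JIT_WINDOW = timedelta(hours=2)  # assumed policy cap on any elevation

# Fixed clock so the demonstration is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes):
    """Timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class JitGrant:
    user: str
    resource: str
    granted_at: datetime
    expires_at: datetime
    ticket: str  # change or incident reference justifying the elevation


@dataclass
class PolicyEngine:
    jit_grants: list = field(default_factory=list)

    def request_admin(self, user, resource, minutes, ticket, now):
        """Issue a JIT grant; the window is capped so no grant becomes standing access."""
        if resource not in ADMIN_RESOURCES:
            raise ValueError(f"{resource} is not an administrative resource")
        if minutes <= 0 or not ticket:
            raise ValueError("elevation needs a positive duration and a justification ticket")
        window = min(timedelta(minutes=minutes), MAX_JIT_WINDOW)
        grant = JitGrant(user, resource, now, now + window, ticket)
        self.jit_grants.append(grant)  # retained for the periodic access review
        return grant

    def decide(self, user, role, resource, now):
        """Return (allowed, reason) for one access attempt evaluated at `now`."""
        if resource in ADMIN_RESOURCES:
            for g in self.jit_grants:
                if (g.user, g.resource) == (user, resource) and g.granted_at <= now < g.expires_at:
                    return True, f"JIT grant {g.ticket} valid until {g.expires_at.isoformat()}"
            return False, "no active JIT grant; standing administrative rights are not issued"
        if resource in ROLE_GRANTS.get(role, set()):
            return True, f"role {role} is entitled to {resource}"
        return False, f"role {role} is not entitled to {resource}"

    def active_grants(self, now):
        """Grants still live at `now`: the list a periodic access review should inspect."""
        return [g for g in self.jit_grants if g.granted_at <= now < g.expires_at]


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.decide("hr1", "hr_executive", "payroll", T0))
    print(engine.decide("hr1", "hr_executive", "client_files", T0))
    print(engine.decide("ops1", "sysadmin", "server_root", T0))  # denied: no grant yet
    engine.request_admin("ops1", "server_root", 30, "CHG-1234", T0)
    print(engine.decide("ops1", "sysadmin", "server_root", at(10)))  # allowed inside window
    print(engine.decide("ops1", "sysadmin", "server_root", at(30)))  # denied: grant expired
```

The point of the design is that an administrator's rights disappear without anyone having to remember to revoke them, and that `active_grants` gives the reviewer a short list rather than a directory full of standing administrators.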
But no single control is a silver bullet, Hesford emphasises. Rather, organisations need to have a defence-in-depth strategy, with multiple cybersecurity controls.
For instance, BeyondTrust’s suite of solutions also includes application control, which restricts which applications may run and prevents them from spawning further processes that could tamper with other files or reach the network from a device.
Another important capability to have on hand is discovery, Hesford adds: a complete overview of an organisation’s IT environment, including the number of active administrative accounts, how old their credentials are, the number of dormant accounts, and so on.
This gives organisations a clear view of the potential weaknesses in their IT environment, so they can act where necessary. “It’s all about contracting the threat surface,” he says. “The fewer admin accounts, the better.”
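A discovery report of the kind described above, written as an added example rather than BeyondTrust's scanner. The account inventory is constructed for the illustration; in practice it would be exported from a directory such as Active Directory, a cloud IAM listing or a PAM tool. The report answers the questions in the text (active administrative accounts, credential age, dormant accounts) and adds two lifecycle checks from earlier in the piece: accounts with no recorded owner, like the orphaned VPN account in the Colonial Pipeline case, and vendor accounts that hold standing administrative rights, like the supplier access in the Target breach.

```python
"""Privileged-account discovery over an account inventory.

Added illustration, not BeyondTrust's code. The inventory is constructed
for this example; in practice it would be exported from a directory such as
Active Directory, a cloud IAM listing or a PAM scanner.
"""
from datetime import date

# Constructed sample inventory (not real data); dates are ISO, None = never.
ACCOUNTS = [
    {"name": "alice", "admin": True, "owner": "Alice Tan", "type": "employee",
     "pw_changed": "2024-01-20", "last_logon": "2024-02-28", "enabled": True},
    {"name": "svc_backup", "admin": True, "owner": None, "type": "service",
     "pw_changed": "2019-06-01", "last_logon": "2024-02-29", "enabled": True},
    {"name": "vpn_legacy", "admin": False, "owner": None, "type": "employee",
     "pw_changed": "2020-03-10", "last_logon": "2021-04-20", "enabled": True},
    {"name": "hvac_vendor", "admin": True, "owner": "ACME HVAC", "type": "vendor",
     "pw_changed": "2024-02-01", "last_logon": "2024-02-25", "enabled": True},
    {"name": "bob_admin", "admin": True, "owner": "Bob Lee", "type": "employee",
     "pw_changed": "2022-01-05", "last_logon": None, "enabled": True},
    {"name": "carol", "admin": False, "owner": "Carol Ng", "type": "employee",
     "pw_changed": "2024-02-10", "last_logon": "2024-02-29", "enabled": True},
    {"name": "old_admin", "admin": True, "owner": "Former Staff", "type": "employee",
     "pw_changed": "2021-05-01", "last_logon": "2022-01-15", "enabled": False},
]

NOW = date(2024, 3, 1)  # fixed "today" so the report is deterministic


def age_days(iso_date, now):
    """Days since an ISO date, or None if the event never happened."""
    return None if iso_date is None else (now - date.fromisoformat(iso_date)).days


def discover(accounts, now=NOW, stale_days=90, dormant_days=90):
    """Summarise privileged-account exposure in an inventory; returns a dict of findings."""
    live = [a for a in accounts if a["enabled"]]  # disabled accounts are out of scope
    admins = [a for a in live if a["admin"]]
    cred_age = {a["name"]: age_days(a["pw_changed"], now) for a in admins}
    stale = [n for n, d in cred_age.items() if d is None or d > stale_days]
    dormant = []
    for a in live:
        d = age_days(a["last_logon"], now)
        if d is None or d > dormant_days:  # never logged on, or idle too long
            dormant.append(a["name"])
    orphaned = [a["name"] for a in live if not a["owner"]]      # nobody accountable
    vendor_admin = [a["name"] for a in admins if a["type"] == "vendor"]  # standing third-party admin
    return {
        "active_admin_count": len(admins),
        "admin_credential_age_days": cred_age,
        "stale_admin_credentials": sorted(stale),
        "dormant_accounts": sorted(dormant),
        "orphaned_accounts": sorted(orphaned),
        "vendor_standing_admin": sorted(vendor_admin),
    }


def print_report(findings):
    """Plain-text report for the console."""
    print(f"Active administrative accounts: {findings['active_admin_count']}")
    for name, days in findings["admin_credential_age_days"].items():
        print(f"  {name}: credential age {days} days")
    for key in ("stale_admin_credentials", "dormant_accounts",
                "orphaned_accounts", "vendor_standing_admin"):
        print(f"{key.replace('_', ' ')}: {', '.join(findings[key]) or 'none'}")


if __name__ == "__main__":
    print_report(discover(ACCOUNTS))
```

Each list in the result is an action item: stale administrative credentials get rotated, dormant and orphaned accounts are disabled or assigned an owner, and vendor accounts with standing admin rights are moved onto just-in-time access to a single system.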