November 9, 2016 | Regulations, Audit & Compliance | Andrey Dulkin
In June 2013, the Monetary Authority of Singapore (MAS) enhanced its “Technology Risk Management” (TRM) guidelines to provide banks and financial institutions with a risk management framework for their IT environments. Recognizing that improper control over privileged accounts is one of the largest security risks organizations face, the TRM guidelines emphasize specific requirements related to privileged account security.
Privileged Accounts are Powerful
Privileged accounts are the keys to the proverbial IT kingdom. They enable the highest level of access and operation in IT networks, and therefore pose the most significant security concern. If hijacked by an external attacker or a malicious insider, privileged accounts allow attackers to take full control of the IT infrastructure, disable security controls, steal confidential information, commit financial fraud, disrupt operations and much more. That’s why TRM guideline 11.1 states that financial institutions should:
- Only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required.
- Ensure that records of user access are uniquely identified and logged.
- Enforce strong password controls over users’ access to applications and systems.
By employing a proper privileged account security platform that discovers, secures and rotates credentials, while granularly controlling the use of privileged accounts, organizations can limit privileged access to only those individuals who truly need it.
Privileged Accounts are Extensively Used
Privileged accounts are not just associated with IT admin accounts or super users. These accounts are configured in every device on the network, and are also used by third parties and automated processes (such as those that control backups, access databases and perform other back-end functions). That is why TRM guideline 5.1.4 stipulates:
- IT outsourcing should not result in any weakening or degradation of the financial institution’s internal controls.
- The financial institution should require the service provider to employ a high standard of care and diligence in its security policies, procedures and controls to protect the confidentiality and security of its sensitive or confidential information, such as customer data, computer files, records, object programs and source codes.
Think about it. How many vendors and contractors does your company work with? Their access is often privileged and needs to be protected.
Privileged Accounts are Highly Coveted
An analysis of the majority of cyber breaches in the past 24 months reveals a common thread: the external attackers penetrated the perimeter security of the targeted network, then leveraged stolen credentials to escalate privileges, conduct reconnaissance and move laterally in the network, all while avoiding detection. In some cases, the attackers stayed in the network for months without detection. That’s why TRM guideline 9.6.1 notes that:
- Security monitoring is an important function within the IT environment to detect malicious attacks on IT systems. To facilitate prompt detection of unauthorised or malicious activities by internal and external parties, the financial institution should establish appropriate security monitoring systems and processes.
A proactive step toward mitigating this risk is to isolate, monitor and control privileged sessions so that sensitive credentials never reside on less secure user endpoints. Real-time monitoring, with termination of privileged sessions on unexpected or malicious activity, adds further layers of protection.
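As an added illustration (not code from the original post or from any vendor product), the following Python check applies the 11.1 and 9.6.1 requirements above to constructed privileged-session log lines: each session is compared against time-boxed, per-person access grants, and sessions that fall outside an approved window or run under a shared account that cannot be tied to one individual are flagged. The grant list, account names, system names and log format are all assumptions made for the example.

```python
from datetime import datetime

# Constructed time-boxed grants (TRM 11.1: need-to-use basis, limited to the
# period when access is required). Each grant names one uniquely identified
# person, one target system, and the approved window.
GRANTS = [
    {"user": "alice", "system": "core-db-01",
     "start": "2016-11-09T09:00", "end": "2016-11-09T11:00"},
    {"user": "vendor-bob", "system": "backup-srv",
     "start": "2016-11-09T13:00", "end": "2016-11-09T14:00"},
]

# Generic accounts whose use cannot be attributed to a single person, which
# fails the "uniquely identified" requirement (constructed names).
SHARED_ACCOUNTS = {"root", "administrator", "svc_backup"}

# Constructed privileged-session log lines: timestamp account system event.
LOG_LINES = """\
2016-11-09T09:15 alice core-db-01 session_start
2016-11-09T12:30 alice core-db-01 session_start
2016-11-09T13:10 vendor-bob backup-srv session_start
2016-11-09T13:20 root backup-srv session_start
2016-11-09T02:00 vendor-bob core-db-01 session_start
"""


def parse_ts(value):
    """Parse the example's ISO-like timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def find_violations(log_text, grants=GRANTS, shared=SHARED_ACCOUNTS):
    """Return (timestamp, account, system, reason) for each session that
    breaches the time-boxed, uniquely-identified access rules."""
    findings = []
    for line in log_text.splitlines():
        ts, account, system, _event = line.split()
        if account in shared:
            findings.append((ts, account, system,
                             "shared account: user not uniquely identified"))
            continue
        when = parse_ts(ts)
        covered = any(g["user"] == account and g["system"] == system
                      and parse_ts(g["start"]) <= when <= parse_ts(g["end"])
                      for g in grants)
        if not covered:
            findings.append((ts, account, system,
                             "no approved access window covers this session"))
    return findings


if __name__ == "__main__":
    for finding in find_violations(LOG_LINES):
        print(" | ".join(finding))
```

In a real deployment the grants would come from the access-request system and the sessions from the session-recording or SIEM feed, so the same comparison can run continuously and feed the termination decision the paragraph above describes.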
With the evolving threat landscape and the growing complexity of, and reliance on, IT systems in the financial sector, financial institutions must implement controls to secure their IT environments and avoid costly data breaches. The MAS TRM guidelines provide a valuable, in-depth model to follow. To learn more, download our free whitepaper.