Privileged Access Security Lessons Learned from My Xbox Fail
May 2, 2018 | Security and Risk | Katie Curtin-Mestre
I have a 10-year-old son, who like many boys his age, enjoys playing video games on the Xbox. He is only allowed to play on the weekends, and we adhere to some general guidelines around time limits. However, this is often circumvented by the, “I just need five more minutes!” which becomes another 30 minutes if we are not careful.
So imagine my surprise when my husband’s credit card was frozen due to concerns around fraudulent charges! It turns out that the charges were not fraudulent at all; instead, my son (who was either playing the part of a malicious or uninformed insider) had made several in-game purchases. The total bill was more than two Benjamin Franklins!
Of course I knew that Xbox security and parental controls were a good idea, but I just hadn’t gotten around to using them. Big mistake. Needless to say, this incident motivated me to implement the appropriate security controls on the Xbox, including: 1) a passkey needed to start the Xbox; 2) a separate account for my son with his own user name and password; 3) time limits managed by the system—not by humans who can sometimes get distracted or lose track of time; and 4) purchases cannot be made without authorization.
In some ways, my story is similar to that of many security teams who have failed to implement best practices to address their privileged access security risks because of limited bandwidth, priorities or other reasons. Amazingly, CyberArk’s recent 2018 Global Advanced Threat Landscape Report found that nearly half (46%) of IT security professionals rarely change their security strategy substantially—even after experiencing a cyber attack. This is absolutely mind-boggling to me, especially when the risks are so high in terms of fines, lost revenue and long-term reputational damage that a company can suffer if a breach is disclosed.
My #Xbox fail taught me three lessons that can also be applied to organizations as they gear up to implement privileged access security:
- Ignoring the problem is not a strategy. As we all know, ignoring a problem doesn’t make it go away, and I found out the hard way when we were hit with my son’s in-app charges while gaming on the xBox.In most cases, the problem will only grow worse over time. (The Phoenix Project documents the concept of technical debt quite well.) This is especially true when it comes to managing privileged access. In fact, most organizations today have more privileged accounts, credentials and secrets to secure than ever before. Why?
- As organizations and IT environments grow and transform in the digital era, more people and applications have access to sensitive systems and information—IT administrators of all types, privileged business users, SaaS admins and DevOps teams to name a few.
- Regular employees with local admin privileges can unwittingly compromise systems by clicking on a link in a phishing email and installing a malicious application that steals credentials on their computer. This can set off a chain reaction (as attackers move laterally) through the organization if proper security controls are not in place.
- There is a proliferation of non-human privileged actors. These non-human privileged actors come in the form of Service Accounts to embedded credentials in commonly deployed COTS (Commercial Off-the-Shelf) applications to credentials used by newer cloud-native applications.
Not sure of where to find all of these privileged credentials? A good place to start is with CyberArk’s free DNA Scan tool that can discover where your unmanaged privileged credentials lurk and assess your current privileged account security risks.
- Failing to get educated is not a strategy. I had no excuse for not getting smart on Xbox security—there was a wealth of information online, at my fingertips. This also goes for security professionals. A good resource to consider is CyberArk’s new Trustee level training. This online training is 100 percent free and available to anyone interested in learning the basics of privileged access security. You can even tune in during your commute or while working out.
- Being unwilling to change any aspect of BAU (Business as Usual) is not a strategy. Sure, it would be great to beef up security without changing your BAU at all. But this just isn’t reality. In my family’s case, the adjustment to BAU means that now either my husband or I have to take turns unlocking the Xbox before my son can use it. Sure, it’s an extra step, but entirely worth it to avoid another credit card conundrum.
Similarly, organizations that deploy privileged access security controls will need to adjust some of their daily routines to reduce their privileged security risk. One of our customers shared a story about dealing with heavy resistance from a colleague in IT who said the sky would literally fall if he had to make any changes to his normal routine. Interestingly, once the person finally got around to making the change (readers can speculate on how that came about), he became the biggest advocate for securing more privileged credentials leveraging CyberArk.
Now I am not going to lie and say that my son turned into the biggest advocate of our new regime, but he probably figures that it beats the alternative, which would be a total Xbox nuclear winter scenario.
So whether you’d like some more tips on Xbox security or have your own lessons to share, feel to reach out to me, @kcmestre, on Twitter.