Basic hygiene best practices go beyond hand washing – even if you’re doing lots of that these days. The same hygiene concept extends into the digital world of cybersecurity. In an age of near-constant attacks, organizations can’t afford to get caught with “dirt under their fingernails.” And yet, lax or risky practices persist in many companies.
Let’s get back to the basics, revisiting fundamental “security hygiene” best practices – across people, process and technology areas – to help mitigate the risk of cyber infection, enable the business and boost overall security health.
Take a good look at your people. People are an organization’s greatest asset, however, at the hands of motivated attackers, they can also become the weakest link. Numerous social engineering and phishing techniques allow attackers to target individuals with access to valuable systems and data and attempt to steal their credentials. Historically, their “prey” was IT admins and top-level executives with privileged access to every corner of an organization. But in today’s digital, cloud-based and largely virtual work environments, a new population of “big phish” is emerging. And it’s not necessarily who you’d expect.
Recent attacks on researchers and even third-party transportation providers involved in COVID-19 vaccine development and distribution are evidence of this. As another example, some companies are adopting tools to measure remote worker productivity. Privacy concerns notwithstanding, this creates new treasure troves of highly sensitive data that may be accessed by HR, legal and other non-technical teams. All of these individuals can now be considered privileged users, and as such, they’re attractive targets for attackers.
Get serious about cybersecurity awareness training. According to recent CyberArk research, nearly half of employees haven’t received remote work-specific cybersecurity training. This means those newly privileged users – along with many other employees and third-party vendors – may not be prepared for a well-crafted email in their CEO’s name that disguises a malicious PDF attachment. Schedule regular sessions to review cybersecurity best practices like never clicking on links or opening attachments before verifying the sender, using strong, unique passwords, following processes to guard privileged accounts and more.
Conduct an ethical phishing exercise. Send out a series of realistic emails and see how many employees take the bait by clicking on attachments or links. Even better, launch a targeted spear phishing simulation geared toward privileged users – and use the results in subsequent training to help ensure these power users don’t fall for the phish. Also consider third-party Red Team penetration testing exercises to help identify hidden vulnerabilities and attack vectors.
Revisit your corporate device policy. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently warned of increasing attacks on remote workers’ devices via phishing, brute force login attempts and other methods to gain access to corporate cloud resources. The agency offered a number of strong recommendations for bolstering cloud security, such implementing conditional access, enforcing strong privileged access management (PAM) controls and restricting email forwarding – and also suggested prohibiting personal device use altogether. While some organizations may not be ready or able to draw this hard line, in a time when 69% of remote workers admit to using corporate devices for personal use, every company should review their corporate device policies with a critical eye. As part of this, consider implementing minimum standards and guidelines for strengthening remote workers’ home networks, such as changing default router credentials and using strong WiFi passwords.
Establish a “normal” baseline for network activity. Take advantage of analytics to model baseline behaviors and benchmark risk levels. This will help speed the detection of anomalies and indicators of compromise (IOCs), such as a privileged user who suddenly accesses credentials at an unusual time of day or from an unusual location, demonstrates excessive usage or other abnormal trends.
Clearly define privileged user policies. Administrative privileged accounts and credentials were instrumental in extending the recent SolarWinds supply chain attack to thousands of public and private organizations around the world. To reduce risk, it’s important to clearly define how sysadmins and other highly privileged users should access systems via privileged accounts – and under what conditions, based on the principle of least privilege – and safeguard their privileged credentials from theft and abuse. Make sure HR has policies in place to emphasize IT managers’ responsibility for not only defining the roles of their teams, but also for monitoring and managing privileged activity, and working with IT to enforce security policies. This must be a shared responsibility, not something security teams should shoulder alone.
Implement or strengthen privileged access controls. After you’ve defined your user policies, you need to understand where every privileged account exists in your environments, before you can effectively protect them. This free tool can help. From there, start to implement or strengthen privileged access management controls like enforcing least privilege, regularly rotating privileged credentials, restricting access to Tier0 systems and monitoring privileged sessions. Based on our team’s experience working with organizations around the world, we’ve put together this list of recommended steps to help roll out quick, effective controls to regain command of privileged access.
Lock down critical endpoints. As part of a defense-in-depth approach, limit privilege escalation and credential theft by removing local admin rights on servers, VMs and other critical infrastructure, and implement Identity Security policies that help prevent attackers from moving vertically and laterally to gain administrative access in your environments. This will force attackers to use methods that will expose their presence, so you can detect attacks earlier, respond quickly and prevent attackers from reaching their end goal.
Enable secondary authentication methods. It’s one step that can block a majority of account compromise attacks. Further strengthen your access controls with risk-aware, adaptive multi-factor authentication that leverages user-specific contextual attributes such as location, device and network information to assign risk to each user login attempt and create dynamic access policies. Introducing strong MFA recommendations is also a good best practice to mitigate risk and close up security gaps (i.e. eliminate credential use without MFA).
Review third-party risk management processes. To mitigate risk of supply chain infiltration, now is the time to revisit your vendor assessment, onboarding and ongoing risk management processes and policies. In particular, do you have a strong grasp on each vendor’s own security controls, how they remotely access your environment and what privileges are granted – and to whom – to access your sensitive enterprise assets and information?
Schedule a security health check. Security isn’t a check-box task – it’s a continuous process, just as regular medical check-ups and dental cleanings are important to maintaining overall hygiene and health. It’s critical to reevaluate existing security controls at a regular cadence to understand where you might have vulnerabilities and take steps to address them to mitigate risk. Now’s the time to schedule a “health check” with your security solution providers to help get, and stay on, the right track.
And as you look for ways to improve your organization’s ability to control and monitor privileged activity, visit our Security Fundamentals Guide. You’ll find best practices and specific controls required to appropriately protect your PAM solution deployment, and ultimately, your privileged accounts.
If you’re already a CyberArk customer, our team of experts are available to guide a detailed review of your existing privileged access management infrastructure and provide documented recommendations on areas of improvement and tailored guidance to optimize your environment. To learn more about this important, regular “PAM health check,” read the CyberArk Success Plans Outcome Catalog.
Get back to the basics to regain some control and get on the right path toward improving overall security health.