The most recent Verizon DBIR confirmed, yet again, that privileged account security is an essential part of an organization’s defense – protecting networks and data from cyber attacks and cyber criminals.
Over 100,000 security incidents and 2,260 confirmed breaches were analyzed to compile this year’s Data Breach Investigations Report (DBIR), which for the first time includes a separate section on credentials – a telltale sign on the increasing importance of Privileged Account Security.
According to the DBIR, approximately 80% of data breaches are executed by external actors and the predominant reason for the attacks is financial gain. One of the most notable findings is that the time it takes to compromise a network takes less than an hour in 93% of cases.
“As previously alluded to, these cases begin with a phish, featuring an attachment whose mission in its malware life is to steal credentials. If you have legit creds, it doesn’t take a very long time to unlock the door, walk in and help yourself to what’s in the fridge.”
Once in, credentials represent the top data variety that attackers seek. This is mostly due to the large amount of opportunistic banking Trojans and the desire to acquire intellectual property.
Within the credentials section, Verizon reports that 63% of confirmed data breaches involved weak, default or stolen passwords. Observing incident classification patterns – recurring combinations of who (Actors), what (assets), how (actions) and why (motive) among other incident characteristics, privilege misuse was the second most common reason for a credential attack.
Even more alarming, in Point of Sale attacks, “Ninety-seven percent of breaches featuring use of stolen credentials also had a vector of Partner. This is selected when the Actor uses legitimate partner access in the hacking action.”
In incidents of cyber espionage, the second most prevalent threat action is the use of malware. Specifically, malicious software was involved in 90% of cyber-espionage incidents. The report goes on to mention that whether it’s delivered via email, a web drive-by, or direct/remote installation, protecting the endpoint is critical to thwart malware attacks.
Achieving Privileged Account Security
In a recent presentation, Rob Joyce, Chief of the Tailor Access Operations of the NSA, remarked that privileged credentials of network administrators and other privileged users are sought after by persistent threat actors as a means for gaining access to critical systems. Privileged credentials are in fact, absolutely critical for this purpose and ultimately, to reach the heart of the enterprise.
As recommended by Mr. Joyce, privileged account security must be a strategic priority for an organization. It’s imperative for organizations to understand what normal privileged user behavior is and what isn’t. Effective protection requires implementing a robust and dynamic password policy that includes enforcing a policy of “least privilege” to ensure users have only enough privileges required to do their job. Finally, the increase in phishing attacks beckons the need for organizations to increase cyber security awareness to mitigate this type of attack.
Here are some important practices to keep in mind around privileged account security:
- Understand what your privileged users do across your network; their credentials are a target that must be secured.
- Implement least privilege and application whitelisting as a means to stop malware from spreading.
- Do not lose sight of applications which may have hard-coded credentials built into scripts. These could expose hashes that compromise your most critical assets, such as domain controllers.
- Understand anomalous behavior and how to stop it before it takes over your networks.
The importance for organizations to proactively secure privileged accounts is no secret. Privileged Account Security is not only essential in defending networks and data from cyber attacks and cyber criminals but also in building an effective and proactive cyber security posture that can standup to the most aggressive of attacks.