
Why Your Organization Should Treat Every Account as Privileged

Contents

INTRODUCTION

YOU’VE BEEN LOOKING AT PRIVILEGED ACCESS ALL WRONG

YOUR BUSINESS SYSTEMS AND DATA ARE LESS SECURE THAN YOU THINK

IMPACT OF FAILING TO ACT

PROTECT YOUR ORGANIZATION WITH IDENTITY-DRIVEN SECURITY BEST PRACTICES

GET STARTED

Introduction

There have been a slew of major data breaches in recent years. The number of records exposed in data breaches last year alone reached 174.4 million—close to five times the 36.6 million records exposed in 2016.1 Every time you turn around, another organization is in the headlines for having millions of records compromised. Look no further than the recent breach in which sensitive information on more than 140 million individuals was stolen. This trend is expected to continue, with data breaches and other cybercrime costing the world $6 trillion per year by 2021, up from $3 trillion annually in 2015.2

In the vast majority of data breaches, stolen credentials for privileged accounts are the prime target. In fact, Forrester estimates that 80 percent of security breaches involve privileged accounts.3

Traditional privileged accounts are IT-based and have special Active Directory (AD) attributes. IT administrators use them to log into servers, switches, routers, and applications and perform tasks without restriction. This level of access means these accounts pose a significant risk to your company. Once obtained by hackers, the accounts can be used to access the most sensitive data, lock out legitimate users, and create ghost accounts and back doors that are not easily seen.

Legacy security systems focus on protecting these AD privileged accounts; however, there are many business accounts with privileged access to critical systems and monetizable data that fall outside of the standard definition of “privileged.”

Accounts that Fall Under the Traditional Definition of a Privileged Account

• Local admin accounts are typically used by IT staff to perform maintenance or set up new workstations and often have the same passwords across platforms.

• Privileged user accounts give administrative privileges to one or more systems and usually have unique and complex passwords.

• Domain admin accounts have privileged access across all workstations and servers on a Windows domain. If these accounts are compromised, this could have catastrophic consequences for the organization.

• Emergency accounts, often called firecall or break glass accounts, give unprivileged users admin access to secure systems in an emergency.

• Service accounts are privileged local or domain accounts that are used by an application or service to interact with the operating system.

• Application accounts are used by applications to access databases and provide access to other applications.

You’ve Been Looking at Privileged Access All Wrong

The traditional definition of privileged access simply is not adequate for today’s cybersecurity threats. After all, privileged access has become much broader than just IT administrator accounts. Across the business, more users are accessing more critical systems and sensitive data. “Privileged” today should encompass any account with access to monetizable data (protected health information (PHI), credit card numbers, and social security numbers) or that can cause reputation damage.

So, what do you do about these accounts that don’t fall under the standard definition, but still have access to confidential and critical data? There are business-privileged roles, such as payroll and social media manager accounts, which are not monitored by traditional AD-based security tools. And there are business systems and applications that require exactly the same protection as any high-risk or high-value internal IT system.

The hard truth is that any unsafe system or individual puts everyone at risk.

“If you have something that is valuable to hackers, they will go to any length to obtain it,” observed Larry Szebeni, president of Apex Technology Services. “It’s just a matter of finding your network’s biggest vulnerability and launching a targeted attack at the right time.”5

There are many avenues of access to your systems, and more must be done to protect all accounts, not just traditional privileged accounts.

Your organization must adopt a zero-trust mindset, operating under the assumption that all users, endpoints, and resources are untrusted and therefore always need to be verified in order to reduce the risk of a breach. If you do not broaden your understanding of privileged access, you are putting your organization at risk.

The recent breach of the multinational firm Deloitte demonstrates the risk that poorly secured business systems can pose to an organization. In this case, hackers were able to breach a server and gain access to the private emails of at least five million Deloitte clients.

“The key lesson from this incident is that businesses need to do more to protect their private accounts,” said Rich Tehrani, group editor-in-chief at TMC, upon analyzing the breach. “Strong passwords need to be used at all times and enforced by IT. Also, two-step verification is imperative. If two-step verification had been used in this situation, hackers may have been unable to get inside of the network.”6


Your Business Systems and Data Are Less Secure than You Think

To avoid a costly and potentially devastating breach, here are six business systems and applications that you want to pay attention to in reviewing your access control policies. These systems often aren’t treated with the same level of concern for security as privileged accounts, even though they provide access to highly sensitive and valuable information.

1) EMAIL, YOUR NEW ONLINE STORAGE

If you were to scan all employee emails, what would you find? Most likely, you’d discover valuable information that you don’t want to get outside your organization. Many companies, including those who regularly send and receive highly sensitive and confidential information, lack proper email security.

For example, the Panamanian firm Mossack Fonseca hadn’t updated its client login portal and webmail systems in years and failed to encrypt sensitive emails. As a result, hackers exploited these security flaws to expose 4.8 million emails and 6.5 million other confidential client files.7

There are numerous ways for hackers to get into your email systems. Versions might be out of date, and patches might not be applied in a timely manner, if at all. And most email systems do not use encryption because of the expense and hassle.

And sometimes email account breaches are the result of human error, as was the case with the Russian hack of Clinton Campaign Chairman John Podesta’s email. Hackers gained access to Podesta’s email account when he supplied his password in response to a phishing email.8 The disclosure of 20,000 pages of sensitive and embarrassing emails by WikiLeaks contributed to Hillary Clinton’s loss to Donald Trump in the 2016 presidential election.9

2) SOCIAL MEDIA

Another security area that is often overlooked is company social media accounts, such as LinkedIn and others. Leaving these accounts vulnerable puts your company at risk of major embarrassment and brand damage.

Unfortunately, social media accounts are rarely treated with the same care as other corporate assets. Often, they are protected with just a username and password, or access is shared among multiple people. Furthermore, these accounts are often assigned to interns or entry-level marketing personnel to manage, increasing the risk of human error.

As a result, there is a high risk that a hacker can gain access to or figure out an account password and begin posting things that could damage a company’s or individual’s reputation.

One hacking group in particular, OurMine, has gained a reputation for taking over social media accounts by using information obtained in other public data breaches.10 Recent hacks by OurMine include HBO, PlayStation, and the accounts of Facebook’s CEO.

In the case of Sony PlayStation, OurMine was able to take over the company’s Twitter and Facebook accounts, tweeting “PlayStation Network Databases leaked #OurMine” to the company’s millions of followers. They claimed to have also breached a confidential database, although they didn’t publish any of the information.

While OurMine’s primary purpose in taking over accounts is to sell its IT security service, there is little security in place to stop more malicious groups from hacking accounts and posting damaging information or extorting individuals or companies.

3) CRM AND MARKETING AUTOMATION

Other systems that are often overlooked are customer relationship management (CRM) software and marketing automation systems. Weak passwords can leave your prospect and customer information open to attack and theft.

CRM systems contain extremely valuable data that can include corporate intelligence, financial information, sales data, patient health information, credit card information, banking wiring instructions, and extensive details about a company’s customers. They can also hold regulated, confidential, and proprietary information.11

Salesforce, the largest provider of CRM software, warned its users a few years ago about a Dyre attack that could compromise their customer data. The Dyre attack was preceded by an attack on Salesforce users with Zeus malware, widely used by criminals to steal financial data from banks and their customers.12

And it’s not just cybercriminals who pose a threat to your CRM data. Departing employees often take customer data with them to their next employer. In 150 data theft cases that were studied, 60 percent of internal perpetrators stole proprietary information in order to get hired by a competitor and 30 percent used the information to start a business.13

4) HELP DESK SYSTEMS/TICKET MANAGEMENT

Help desk systems are a gray area when it comes to privileged account management, because they blur the line between IT and business systems. They are often not protected as robustly as they should be and can become vulnerable to phishing attacks, weak passwords, and a lack of deprovisioning when an employee leaves.

In fact, close to 70 percent of companies fail to monitor their help desk employees, and one-fifth of employees fail phishing tests.14

Oftentimes, help desk and ticket management systems are run by entry-level employees who aren’t well-trained in security. Yet, help desk employees handle sensitive data every day and have remote access to sensitive systems.

5) WEBSITES AND CUSTOMER PORTALS

Websites and customer portals are designed for the convenience of the visitor and customer, with security often being an afterthought. The reality is, if the security controls are too burdensome, customers will simply go to competitors’ sites.

Unfortunately, websites and portals can be vulnerable to easily hacked sign-ins and outdated patches.

Earlier this year, attackers exploited an unpatched vulnerability in the Apache Struts web application framework to steal the personal and financial data held by Equifax on 143 million individuals.15 The patch was available two months before the hack, but the IT team failed to deploy it.

In the case of Verizon Enterprise Solutions, hackers uncovered and exploited security vulnerabilities in its enterprise client portal. As a result, the attacker stole records of more than 1.5 million Verizon enterprise customers.16

6) COLLABORATION AND PROJECT SOFTWARE

Project software, like Slack or Hipchat, is designed to foster open sharing of ideas and collaboration. However, it can be a challenge to secure these platforms without being perceived as inhibiting users.

This software suffers from similar vulnerabilities as websites and portals—easily hacked sign-ins and outdated patches. This can be a big problem for higher education institutions, in particular, where a premium is placed on collaboration and security controls often go against the institutional culture.

Companies, such as Wickr, are trying to make collaboration software more secure by encrypting messages sent on their platforms.17 Whether users will buy into the need for additional steps with encryption remains to be seen.


Impact of Failing to Act

What happens if you fail to act to protect these systems and your organization suffers a breach? Here are some of the potential harms:

1) REPUTATIONAL DAMAGE

It’s estimated that the business costs of a breach, such as reputational damage, customer turnover, customer acquisition, and diminished goodwill, increased from $3.32 million in 2016 to $4.03 million in 2017.18

Probably the most notorious example of reputational damage from a data breach was the Sony Pictures hack. The hackers leaked confidential information, including executive salaries, unreleased films, and embarrassing corporate emails. This information not only embarrassed corporate executives, but led to the ousting of the head of Sony Pictures.19

2) COMPLIANCE AND REGULATORY FINES

Regulators on both sides of the Atlantic are increasingly cracking down on companies with poor data security. For example, in its largest fine to date, the FCC required AT&T to pay $25 million for a 2014 data breach that exposed the personal information of 280,000 customers.20

For a number of years, hefty fines have been doled out for violations of HIPAA’s security rule that requires healthcare companies to protect personal medical information. So far, close to $73 million in fines have been charged in 52 cases of HIPAA violations.21

In 2018, the European Union is set to enact the General Data Protection Regulation (GDPR), which will impose strong data protection requirements on companies doing business in Europe. It’s estimated that this will result in fines of up to $6.4 billion per year for FTSE 100 companies based on their past records of data breaches.22

3) LAWSUITS

Lawsuits resulting from data breaches can take years to settle and cost companies millions of dollars. For example, Target had to pay $18.5 million to settle a lawsuit over a 2013 breach that led to the theft of 40 million credit and debit card numbers.23 And there’s no end in sight—in 2016, there was a 7 percent increase in litigations filed in relation to data breaches.24

4) STOLEN IP

More than 80 percent of a company’s value can be tied up in intellectual property (IP), but most theft of IP does not get the attention that theft of personal information and credit card data gets.25 Theft of IP can lead to devaluation of trade name, revoked contracts, lost customer relationships and business opportunities, and bankruptcy.

5) EXECUTIVE JOB LOSS

It is clear that a major data breach can cost top executives their jobs. We need to look no further than the recent Equifax breach, which saw 143 million records stolen by hackers. The chief information officer (CIO), the chief security officer, and the chief executive officer (CEO) all “retired” in the days following the public disclosure of the breach.26

6) COSTS

Data breach costs can be devastating for a company. In 2017, the average cost of a data breach for a U.S. company was a record high of $7.35 million, up 5 percent from the previous year. The average cost for each lost or stolen record was $225, up 2 percent from 2016.27

The data breach costs identified in the report included loss of business, help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services, and regulatory fines.

Protect Your Organization with Identity-Driven Security Best Practices

In order to treat every account as privileged, you should implement identity-driven security via an identity and access management (IAM) system, strong multi-factor authentication, and best practices that include:

ROBUST PRIVILEGED ACCESS MANAGEMENT (PAM) CAPABILITIES

• Time- and location-based access controls: Help minimize your attack surface by taking the time of day and the location of the individual into account in your access control policies.

• Least privilege principle: A zero-trust mindset means restricting access rights to only what is absolutely required to perform one’s daily job. Some of the benefits of implementing the least privilege principle include reduced attack surface, decreased chance of malware attack, and greater ease in achieving and proving compliance.

• Just-in-time access to software that isn’t required every day: Granting fewer entitlements is best practice. You should have a streamlined request process that makes it easy to ask for access when needed, rather than granting birthright or annual entitlements.

• Checkout and randomization of passwords for high-value or high-risk systems: Define policies that require checkout passwords for high-value or high-risk systems, and then randomize those passwords when they are checked back in. Of course, with some business accounts, such as social media, it may be too cumbersome to require this in every instance. In these cases, options could include requiring checkout only outside of standard business hours or the company network. You can also require a password be checked in before another user can check it out to ensure only one person is posting at a time.
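The checkout rules in the bullets above, as an added Python example (not Identity Automation or RapidIdentity code): a high-risk system always requires checkout, a business account such as social media requires it only outside business hours or off the company network, only one holder at a time is allowed, and the password is randomized on check-in. The account names, business-hours window and corporate network range are constructed assumptions.

```python
"""Password checkout vault with time- and network-based checkout policy.

Added example, not Identity Automation or RapidIdentity code: an in-memory
model of the checkout, single-holder and randomize-on-check-in behaviour
described above, with time of day and source location deciding when checkout
is mandatory. Account names, hours and the corporate range are constructed.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

BUSINESS_HOURS = range(8, 18)                      # assumed: 08:00-17:59 local
CORP_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


@dataclass
class Account:
    name: str
    risk: str                                   # "high" or "business"
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    holder: Optional[str] = None                # user who has it checked out
    history: List[tuple] = field(default_factory=list)  # audit trail


class CheckoutVault:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, name: str, risk: str) -> None:
        self.accounts[name] = Account(name, risk)

    @staticmethod
    def checkout_required(acct: Account, when: datetime, src_ip: str) -> bool:
        """High-risk systems always need checkout; business accounts such as
        social media only outside business hours or off the company network."""
        if acct.risk == "high":
            return True
        off_hours = when.hour not in BUSINESS_HOURS or when.weekday() >= 5
        off_net = ipaddress.ip_address(src_ip) not in CORP_NETWORK
        return off_hours or off_net

    def checkout(self, name: str, user: str, when: datetime, src_ip: str) -> str:
        acct = self.accounts[name]
        # Single holder: nobody else can check out until it is checked back in.
        if acct.holder is not None and acct.holder != user:
            raise PermissionError(f"{name} is checked out by {acct.holder}")
        acct.holder = user
        acct.history.append(("checkout", user, when.isoformat(), src_ip))
        return acct.password

    def checkin(self, name: str, user: str) -> None:
        acct = self.accounts[name]
        if acct.holder != user:
            raise PermissionError(f"{user} does not hold {name}")
        acct.password = secrets.token_urlsafe(24)  # randomize on check-in
        acct.holder = None
        acct.history.append(("checkin", user))


def demo() -> dict:
    """Walk the policy through constructed accounts and access attempts."""
    vault = CheckoutVault()
    vault.add("corp-social-media", "business")
    vault.add("erp-db-admin", "high")
    monday_10am = datetime(2017, 11, 6, 10, 0)
    monday_10pm = datetime(2017, 11, 6, 22, 0)
    social = vault.accounts["corp-social-media"]
    result = {
        "social_in_hours_on_net": vault.checkout_required(social, monday_10am, "10.1.2.3"),
        "social_off_hours": vault.checkout_required(social, monday_10pm, "10.1.2.3"),
        "social_off_net": vault.checkout_required(social, monday_10am, "203.0.113.7"),
        "admin_always": vault.checkout_required(vault.accounts["erp-db-admin"], monday_10am, "10.1.2.3"),
    }
    first = vault.checkout("erp-db-admin", "alice", monday_10am, "10.1.2.3")
    try:
        vault.checkout("erp-db-admin", "bob", monday_10am, "10.1.2.4")
        result["second_holder_blocked"] = False
    except PermissionError:
        result["second_holder_blocked"] = True
    vault.checkin("erp-db-admin", "alice")
    result["rotated_on_checkin"] = vault.accounts["erp-db-admin"].password != first
    result["holder_after_checkin"] = vault.accounts["erp-db-admin"].holder
    return result
```

The history list gives the audit trail a reviewer would need to see who held a credential and when.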

IMPROVING DATED PASSWORD POLICIES

80 percent of hacking-related breaches leverage either stolen passwords or weak passwords.28 Despite this, many organizations are still using dated password policies that can actually put them more at risk.

For example, limiting passwords to eight to twelve characters makes it difficult to use a “pass phrase,” which is considered stronger and easier to remember than a password.

You should also move away from mandatory password changes and implement strong authentication to augment or even entirely replace passwords.

TWO-FACTOR OR MULTI-FACTOR AUTHENTICATION (MFA)

Implementing two-factor or multi-factor authentication (MFA) is a must. You can implement modern frictionless MFA options—such as one-time passwords, push authentication, Bluetooth authentication, and fingerprint biometrics. This can address the shortcomings of passwords or even eliminate them entirely. The key is to promote user adoption of MFA with:

• Flexible authentication policies that consider flexibility from your users’ perspective and give them the choice of which authentication methods to use, for example, enabling a user to use an alternative to the default authentication method if they don’t have their token or do not have internet access. Flexibility in authentication methods is the best way to ensure security while meeting the needs of your users.

• Risk-based authentication (RBA) that adapts the authentication based on risk level. RBA calculates a risk score for any given access attempt in real time, based on a predefined set of rules. Users are then presented with authentication options appropriate to that risk level. This way, you don’t burden the user with additional security steps unless context demands it.
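Both bullets above in one added Python example (not RapidIdentity’s RBA engine): a predefined rule set scores each access attempt, the score selects a tier of extra factors, and the user is offered only the methods named above that work in their situation, so someone without a token or internet access still has a usable option. Field names, weights, thresholds and the list of business-privileged targets are assumptions.

```python
"""Risk-based authentication: rule-driven risk score -> step-up options.

Added example, not RapidIdentity's RBA engine. A constructed rule set scores
an attempt in real time; the tier decides how many extra factors are needed,
and the methods offered (OTP, push, Bluetooth, fingerprint) are filtered by
what the user can use right now. Weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

PASSWORD, OTP, PUSH, BLUETOOTH, FINGERPRINT = "password", "otp", "push", "bluetooth", "fingerprint"
# Business-privileged targets that deserve the same care as admin accounts (constructed).
SENSITIVE_TARGETS = {"payroll", "crm", "corp-social-media", "helpdesk"}
BUSINESS_HOURS = range(8, 18)


@dataclass
class Attempt:
    user: str
    target: str
    when: datetime
    known_device: bool
    on_corp_network: bool
    country: str
    usual_country: str
    has_token: bool = True       # carries an OTP token
    has_internet: bool = True    # push notifications need a data connection


# (rule name, predicate, weight): the predefined rule set RBA evaluates.
RULES = [
    ("unknown device", lambda a: not a.known_device, 30),
    ("off corporate network", lambda a: not a.on_corp_network, 20),
    ("outside business hours",
     lambda a: a.when.hour not in BUSINESS_HOURS or a.when.weekday() >= 5, 15),
    ("unusual country", lambda a: a.country != a.usual_country, 35),
    ("business-privileged target", lambda a: a.target in SENSITIVE_TARGETS, 25),
]


def risk_score(a: Attempt) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires; keep the names for auditing."""
    fired = [(name, w) for name, pred, w in RULES if pred(a)]
    return sum(w for _, w in fired), [name for name, _ in fired]


def factors_required(score: int) -> int:
    """Tier the score: 0 = password only, 1 or 2 = extra factors, 3 = deny."""
    if score >= 90:
        return 3
    if score >= 50:
        return 2
    return 1 if score >= 20 else 0


def available_methods(a: Attempt) -> Set[str]:
    """Flexible policy: drop the methods this user cannot use right now."""
    methods = {OTP, PUSH, BLUETOOTH, FINGERPRINT}
    if not a.has_internet:
        methods.discard(PUSH)
    if not a.has_token:
        methods.discard(OTP)
    return methods


def decide(a: Attempt) -> Dict[str, object]:
    score, reasons = risk_score(a)
    tier = factors_required(score)
    options = sorted(available_methods(a))
    if tier == 3 or len(options) < tier:
        decision, offered = "deny", []
    elif tier == 0:
        decision, offered = "allow", [PASSWORD]
    else:
        # Password plus the user's own choice of `tier` of the offered methods.
        decision, offered = "step-up", [PASSWORD] + options
    return {"score": score, "reasons": reasons, "extra_factors": tier,
            "decision": decision, "options": offered}


def sample_decisions() -> Dict[str, Dict[str, object]]:
    """Three constructed attempts spanning the tiers."""
    monday = datetime(2017, 11, 6, 10, 0)
    return {
        "low": decide(Attempt("alice", "wiki", monday, True, True, "US", "US")),
        "mid": decide(Attempt("bob", "payroll", monday, False, False, "US", "US",
                              has_internet=False)),
        "high": decide(Attempt("carol", "crm", datetime(2017, 11, 11, 3, 0),
                               False, False, "FR", "US")),
    }
```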

PRIORITIZE YOUR ACCOUNTS BASED ON IMPORTANCE AND RISK

While the best way to protect your organization from the impact of a data breach is to treat every account like it is privileged, if you don’t have the resources to do this, you need to prioritize your account types based on importance and risk.

Your organization should start by developing standardized prioritization criteria for what is considered high risk versus low risk for all account types—even those that aren’t considered true privileged accounts.

The reality is that without standardized criteria, application owners are left to decide for themselves what should or should not be considered a privileged account. And they are likely to opt for the latter out of convenience.

Some factors to consider when you are prioritizing are: the number of individuals with this type of access, frequency of account usage, amount of sensitive data accessed by the account, scope of privilege (one system versus multiple systems/platforms), and control level granted.
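A standardized rubric built from the factors above, as an added Python example (not Identity Automation’s method): every account type is scored with the same criteria, and the accounts an application owner classified as non-privileged while the rubric rates them high risk are flagged. Weights, thresholds and the sample inventory are constructed assumptions.

```python
"""Standardized prioritization of account types by importance and risk.

Added example, not Identity Automation's method: a constructed rubric from
the factors listed above, applied uniformly to every account type, plus a
check for accounts whose owner called them non-privileged while the rubric
rates them high risk. Weights, thresholds and the inventory are assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class AccountType:
    name: str
    people_with_access: int      # number of individuals with this access
    logins_per_week: int         # frequency of account usage
    sensitive_records: int       # PHI, card numbers, SSNs reachable
    systems_in_scope: int        # one system versus multiple systems/platforms
    control_level: str           # "read", "write" or "admin"
    public_facing: bool          # can a takeover cause reputation damage?
    owner_says_privileged: bool  # the application owner's own classification


CONTROL_POINTS = {"read": 0, "write": 10, "admin": 25}


def score(t: AccountType) -> int:
    """Weighted rubric; the same criteria apply to every account type."""
    s = 15 if t.people_with_access > 5 else 5 if t.people_with_access > 1 else 0
    s += 10 if t.logins_per_week > 50 else 5 if t.logins_per_week > 5 else 0
    s += 30 if t.sensitive_records > 1000 else 15 if t.sensitive_records > 0 else 0
    s += 20 if t.systems_in_scope > 1 else 5
    s += CONTROL_POINTS[t.control_level]
    s += 20 if t.public_facing else 0
    return s


def tier(s: int) -> str:
    return "high" if s >= 50 else "medium" if s >= 25 else "low"


def prioritize(inventory: List[AccountType]) -> List[dict]:
    """Score every account type, highest first, flagging owner/rubric mismatches."""
    rows = []
    for t in inventory:
        s = score(t)
        rows.append({"name": t.name, "score": s, "tier": tier(s),
                     "misclassified": tier(s) == "high" and not t.owner_says_privileged})
    return sorted(rows, key=lambda r: -r["score"])


def sample_inventory() -> List[AccountType]:
    """Constructed inventory mixing traditional and business-privileged accounts."""
    return [
        AccountType("local-admin", 1, 3, 0, 1, "admin", False, True),
        AccountType("domain-admin", 3, 20, 1_000_000, 10, "admin", False, True),
        AccountType("crm", 12, 40, 250_000, 2, "write", False, False),
        AccountType("corp-social-media", 8, 60, 0, 1, "write", True, False),
        AccountType("payroll", 2, 10, 4_000, 1, "write", False, False),
        AccountType("test-lab-readonly", 1, 2, 0, 1, "read", False, False),
    ]
```

Run against the sample inventory, the CRM, social media and payroll accounts come out high risk even though their owners did not consider them privileged.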

Get Started

In today’s world, the traditional definition of privileged access is outdated and ignores many systems your company uses that contain sensitive data. Privileged access is broader than just access to and protection of credit card data, customer information, or critical systems. If you do not broaden your understanding of privileged access, you are putting your organization at risk.

If you want to see how RapidIdentity can help secure access to all of your business systems and accounts, give us a call at 877-221-8401 or request a demo.

Sources

1. Identity Theft Resource Center and CyberScout, “Data Breach Category Summary,” 2017, http://www.idtheftcenter.org/images/breach/2017Breaches/ITRCBreachStatsReportSummary2017.pdf; Identity Theft Resource Center and CyberScout, Data Breach Reports, 2016, https://www.idtheftcenter.org/images/breach/2016/DataBreachReport_2016.pdf

2. Steve Morgan, “Cybersecurity Ventures Predicts Cybercrime Damages Will Cost the World $6 Trillion Annually by 2021,” Cybersecurity Ventures’ Cybercrime Report, Oct. 16, 2017, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

3. Andras Cser, The Forrester Wave: Privileged Identity Management, Q3 2016, Forrester Research, 2016.

4. Venkat Rajaji, “What Does ‘Privilege Account’ Really Mean?,” Core Security (blog), July 7, 2016, https://www.coresecurity.com/blog/what-does-privilege-account-really-mean.

5. Larry Szebeni, “WSU Data Breach Is a Reminder About Physical Network Security,” Apex Technology Services (blog), June 19, 2017, http://www.apextechservices.com/topics/articles/432859-wsu-data-breach-a-reminder-physical-network-security.htm.

6. Rich Tehrani, “Breaking: Deloitte Announces Data Breach,” Apex Technology Services (blog), September 25, 2017, http://www.apextechservices.com/topics/articles/434682-breaking-deloitte-announces-data-breach.htm.

7. Matt Burgess and James Temperton, “The Security Flaws at the Heart of the Panama Papers,” Wired, April 6, 2016, http://www.wired.co.uk/article/panama-papers-mossack-fonseca-website-security-problems.

8. “2016 Presidential Campaign Hacking Fast Facts,” CNN, October 31, 2017, http://www.cnn.com/2016/12/26/us/2016-presidential-campaign-hacking-fast-facts/index.html.

9. Jeff Stein, “What 20,000 Pages of Hacked WikiLeaks Emails Teach Us about Hillary Clinton,” Vox, Oct. 20, 2016, https://www.vox.com/policy-and-politics/2016/10/20/13308108/-podesta-hillary-clinton

10. Wang Wei, “Sony PlayStation Social Media Accounts Hacked; Claims PSN Database Breach,” The Hacker News, August 21, 2017, https://thehackernews.com/2017/08/sony-playstation-hacking.html.

11. Kurt Long and Avani Desai, “Data Breach in Your CRM System. Do You Know the Risks?,” isBuzz News, http://www.informationsecuritybuzz.com/articles/data-breach-in-your-crm-system-do-you-know-the-risks/.

12. Dom Nicastro, “5 Things Salesforce Users Should Know About Malware Attack,” CMS Wire, September 11, 2014, https://www.cmswire.com/cms/customer-experience/5-things-salesforce-users-should-know-about-malware-attack-026463.php

13. Kurt Long and Avani Desai, “Data Breach in Your CRM System. Do You Know the Risks?,” isBuzz News, March 9, 2016, http://www.informationsecuritybuzz.com/articles/data-breach-in-your-crm-system-do-you-know-the-risks/

14. “Could Your IT Help Desk Be Your Biggest Security Risk?,” The Zog Blog, December 5, 2016, http://www.zoginc.com/help-desk-security/.

15. Lily Hay Newman, “Equifax Officially Has No Excuse,” Wired, September 14, 2017, https://www.wired.com/story/equifax-breach-no-excuse/.

16. Elizabeth Weise, “1.5M Customers of Verizon Anti-hacker Unit Hacked,” USA Today, March 25, 2016, https://www.usatoday.com/story/tech/news/2016/03/25/15-million-customers-verizon-anti-hacker-unit-hacked/82251118/.

17. Andy Greenberg, “This App Wants to Be Your Encrypted, Self-Destructing Slack,” Wired, December 6, 2016, https://www.wired.com/2016/12/wickr-professional-encrypted-work-chat/.

18. Ponemon Institute and IBM Security, 2017 Cost of Data Breach Study, June 2017, https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-15764&S_PKG=ov58458

19. Ben Fritz, “Amy Pascal Steps Down as Head of Sony’s Film Business,” The Wall Street Journal, February 5, 2015, https://www.wsj.com/articles/amy-pascal-steps-down-as-head-of-sony-pictures-film-business-1423157351.

20. Goldman, “AT&T Hit With Record-Breaking $25 Million Data Breach Fine,” eSecurity Planet, April 10, 2015, https://www.esecurityplanet.com/network-security/att-hit-with-record-breaking-25-million-data-breach-fine.html.

21. “HIPAA Enforcement Highlights,” Department of Health & Human Services website, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.

22. Dina Medland, “Data Breaches Could Cost FTSE 100 Companies $6.4B A Year In Fines,” Forbes, June 2, 2017, https://www.forbes.com/sites/dinamedland/2017/06/02/data-breaches-could-cost-ftse-100-companies-6-4b-a-year-in-fines/#4e3da2444d07.

23. “Target Pays Millions to Settle State Data Breach Lawsuits,” Fortune, May 23, 2017, http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/.

24. Bryan Cave, 2017 Data Breach Litigation Report, 2017, https://d11m3yrngt251b.cloudfront.net/images/content/9/6/v2/96690/Bryan-Cave-Data-Breach-Litigation-Report-2017-edition.pdf.

25. John Gelinne, J. Donald Fancher, and Emily Mossburg, “The Hidden Costs of an IP Breach: Cyber Theft and the Loss of Intellectual Property,” Deloitte Review, July 25, 2016, https://www2.deloitte.com/insights/us/en/deloitte-review/issue-19/loss-of-intellectual-property-ip-breach.html.

26. Jon Russell, “Equifax CEO Richard Smith Has ‘Retired’ Following Huge Data Breach,” TechCrunch, September 26, 2017, https://techcrunch.com/2017/09/26/equifax-ceo-richard-smith-has-retired-following-huge-data-breach/.

27. Ponemon Institute and IBM Security, 2017 Cost of Data Breach Study, 2017, https://www.ibm.com/security/data-breach.

28. Verizon Enterprise, 2017 Data Breach Investigations Report, 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

IDENTITY AUTOMATION
7102 N Sam Houston Pkwy W, Ste 300, Houston, TX 77064, USA
Phone: +1 281-220-0021
www.identityautomation.com