CREATE POSITION Univers 55 Roman Depth is 2x width of “I” Standard IA Light Gray “I” 2x width of “I” Space between TM and logo is 1 x “I” 1x “I” Align with top of letter or top Why Your Organization of ribbon. Should Treat Every Account as Privileged Contents PAGE INTRODUCTION 3 YOU’VE BEEN LOOKING AT PRIVILEGED ACCESS ALL WRONG 5 YOUR BUSINESS SYSTEMS AND DATA ARE LESS SECURE THAN YOU THINK 7 IMPACT OF FAILING TO ACT 11 PROTECT YOUR ORGANIZATION WITH IDENTITY-DRIVEN SECURITY BEST PRACTICES 14 GET STARTED 18 Why Your Organization Should Treat Every Account as Privileged 2 Introduction There have been a slew of major data breaches in recent years. The number of records exposed in data breaches last year alone reached 174.4 million—close to five times the The hard truth is that 36.6 million records exposed in 2016.1 any unsafe system or individual puts Every time you turn around, another organization is in the headlines for having millions of everyone at risk. records compromised. Look no further than the recent Equifax breach in which sensitive information on more than 140 million individuals was stolen. This trend is expected to continue, with data breaches and other cybercrime costing the world $6 trillion per year by 2021, up from $3 trillion annually in 2015.2 In the vast majority of data breaches, stolen credentials for privileged accounts are the prime target for hackers. In fact, Forrester estimates that 80 percent of security breaches involve privileged accounts.3 Traditional privileged accounts are IT-based and have special active directory (AD) attributes. IT administrators use them to log into servers, switches, routers, and applications and perform tasks without restriction. This level of access means these accounts pose a significant risk to your company. Once obtained by hackers, the accounts can be used to access the most sensitive data, lock out legitimate users, and create ghost accounts and back doors that are not easily seen. Legacy security systems focus on protecting these AD privileged accounts; however, there are many business accounts with privileged access to critical systems and monetizable data that fall outside of the standard definition of “privileged.” Why Your Organization Should Treat Every Account as Privileged 3 Accounts that Fall Under the Traditional Definition of a Privileged Account • Local admin accounts are typically used by IT staff to perform maintenance or set up new workstations and often have the same passwords across platforms. • Privileged user accounts give administrative privileges to one or more systems and usually have unique and complex passwords. • Domain admin accounts have privileged access across all workstations and servers on a Windows domain. If these accounts are compromised, this could have catastrophic consequences for the organization. • Emergency accounts, often called firecall or break glass accounts, give unprivileged users admin access to secure systems in an emergency. • Service accounts are privileged local or domain accounts that are used by an application or service to interact with the operating system. • Application accounts are used by applications to access databases and provide access to other applications. Why Your Organization Should Treat Every Account as Privileged 4 You’ve Been Looking at Privileged Access All Wrong The traditional definition of privileged access simply is not adequate for today’s cybersecurity threats. After all, privileged access has become much broader than just IT Your organization administrator accounts. With the business digital transformation, there are more users must adopt a zero- accessing more critical systems and sensitive data. “Privileged” today should encompass trust mindset, any account with access to monetizable data (protected health information (PHI), credit operating under the card numbers, and social security numbers) or that can cause reputation damage. assumption that all users, endpoints, So, what do you do about these accounts that don’t fall under the standard definition, but and resources are still have access to confidential and critical data? There are business-privileged roles, such untrusted and as payroll and social media manager accounts, which are not monitored by traditional AD- therefore, always need based security tools. And there are business systems and applications that require exactly to be verified. the same protection as any of their high-risk or high-value internal IT systems. The hard truth is that any unsafe system or individual puts everyone at risk. “If you have something that is valuable to hackers, they will go to any length to obtain it,” observed Larry Szebeni, president of Apex Technology Services. “It’s just a matter of finding your network’s biggest vulnerability and launching a targeted attack at the right time.”5 There are many avenues of access to your systems, and more must be done to protect all accounts, not just traditional privileged accounts. Your organization must adopt a zero-trust mindset, operating under the assumption that all users, endpoints, and resources are untrusted and therefore, always need to be verified in order to reduce the risk of a breach. If you do not broaden your understanding of privileged access, you are putting your organization at risk. Why Your Organization Should Treat Every Account as Privileged 5 The recent breach of multinational accounting and tax firm Deloitte demonstrates the risk that poorly secured business systems can pose to an organization. In this case, hackers were able to breach a server and gain access to the private emails of at least five million Deloitte clients. “The key lesson from this incident is that businesses need to do more to protect their private accounts,” said Rich Tehrani, group editor-in-chief at TMC, upon analyzing the breach. “Strong passwords need to be used at all times and enforced by IT. Also, two-step verification is imperative. If two-step verification had been used in this situation, hackers may have been unable to get inside of the network.”6 Why Your Organization Should Treat Every Account as Privileged 6 The Exception to the Role Your Business Systems and Data Are Less Secure than You Think To avoid a costly and potentially devastating data breach, here are six business systems and applications that you want to pay attention to in reviewing your access control policies. There are numerous These systems often aren’t treated with the same level of concern for security as privileged ways for hackers to accounts, even though they provide access to highly sensitive and valuable information. get into your email system. Versions might 1) EMAIL, YOUR NEW ONLINE STORAGE be out of date, and patches might not be If you were to scan all employee emails, what would you find? Most likely, you’d discover applied in a timely valuable information that you don’t want to get outside your organization. Many companies, manner, if at all. including those who regularly send and receive highly sensitive and confidential information, lack proper email security. For example, the Panamanian law firm Mossack Fonseca hadn’t updated its client login portal and webmail systems in years and failed to encrypt sensitive emails. As a result, hackers exploited these security flaws to expose 4.8 million emails and 6.5 million other confidential client files.7 There are numerous ways for hackers to get into your email systems. Versions might be out of date, and patches might not be applied in a timely manner, if at all. And most email systems do not use encryption because of the expense and hassle. And sometimes email account breaches are the result of human error, as was the case with the Russian hack of Clinton Campaign Chairman John Podesta’s email. Hackers gained access to Podesta’s email account when he supplied his password in response to a phishing email.8 The disclosure of 20,000 pages of sensitive and embarassing emails by WikiLeaks contributed to Hillary Clinton’s loss to Donald Trump in the 2016 presidential election.9 Why Your Organization Should Treat Every Account as Privileged 7 2) SOCIAL MEDIA Another security area that is often overlooked are company social media accounts, such as Twitter, LinkedIn, and Facebook. Leaving these accounts vulnerable puts your company at risk of major embarrassment and brand damage. Unfortunately, social media accounts are rarely treated with the same care as other corporate assets. Often, they are protected with just a username and password, or access is shared among multiple people. Furthermore, these accounts are often assigned to interns or entry-level marketing personnel to manage, increasing the risk of human error. As a result, there is a high risk that a hacker can gain access to or figure out an account password and begin posting things that could damage a company’s or individual’s reputation. One hacking group in particular, OurMine, has gained a reputation for taking over social media accounts by using information obtained in other public data breaches.10 Recent hacks by OurMine include HBO, Sony PlayStation, and Facebook CEO Mark Zuckerberg. In the case of Sony PlayStation, OurMine was able to take over the company’s Twitter and Facebook accounts, tweeting “PlayStation Network Databases leaked #OurMine” to the company’s millions of followers. They claimed to have also breached a confidential database, although they didn’t publish any of the information. While OurMine’s primary purpose in taking over accounts is to sell its IT security service, there is little security in place to stop more malicious groups from hacking accounts and posting damaging information or extorting individuals or companies. Why Your Organization Should Treat Every Account as Privileged 8 3) CRM AND MARKETING AUTOMATION 60 percent of Other systems that are often overlooked are customer relationship management (CRM) internal perpetrators software and marketing automation systems.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-