How to defend your organisation when the firewall collapses
By: Jonathan Sander, VP of product strategy, Lieberman Software
Traditional network defences like firewalls and anti-malware are essential in defending companies from cyber attacks. However, they are not enough; all they do is keep out the noise, stopping the low-skilled attackers who will always be out there looking for easy targets.
In fact, attacks that do significant damage beyond the network perimeter – even to organisations that aren’t such easy targets – simply hop over the traditional defences by reaching users through the channels they use for everyday business: email (spam and phishing) and websites (cross-site scripting and hijacked sites).
It is true that some people will always click on phishing emails – the Verizon Data Breach Investigations Report showed that 30% of phishing messages were opened, up 7% from the year before. However, the difference between one laptop being compromised by malware sneaking in through email and the whole organisation being owned by an attacker through that same email attack comes down to one thing: privilege.
When the bad guy lands on the first laptop, he is operating as the user who clicked on the email. Most of the time, this is not the person who has direct access to the really sensitive data that the attacker would love to steal. So he needs to somehow grab higher-level privileges that let him move laterally off that first laptop, start hitting other systems and find the information he wants.
But what if the enemy isn’t called “bad guy” but “employee”? Whether by accident or with bad intentions, employees can also use privilege to harm the businesses they work for, and there’s nothing a firewall could ever do about that, since they walked in through the front door and already have basic access to the corporate systems.
There is, however, good news: protecting privilege from cybercriminals (outsiders) and insiders who might abuse power is actually pretty simple, and it starts with three simple changes:
First, we need to train staff, especially staff who have administrative rights, that they will no longer hold the power to do harm all the time; there will be a gate in front of it. They will still be able to do everything they did before, but with one extra step. They check out the power they need, everyone can see who has it checked out, and it gets checked back in when they’re done. It’s a small change, but it makes a big difference.
Second, we put a program in place to aggressively rotate those rights and credentials even when they’re not in use. When someone checks out a credential, we change it (e.g. the password) when it is checked back in or when the checkout expires. If that is the only time we rotate the credential on that system, though, then an attacker who gets in through an email can start harvesting credentials from the systems he lands on and use them later. However, if you’re rotating them all the time, the bad guys get the rug pulled out from under them. The good guys see no ill effect, because they get their rights from the secured library, which is updated every time the systems are. The bad guys trying to hijack credentials straight off the systems are out of luck, because before they can extract them and use them to steal data, the credentials have been changed and they’re back to square one.
Third, now that we have this power to control rights and privileges, we should hook it up to our other security systems to make sure everything works as a healthy, closed-loop process. If you have analytics and logging solutions looking at all the security event data to find patterns, then you will surely want to feed in all the data about who legitimately holds privilege. That leads to simple correlations – for example, an action performed with a privileged identity that is not currently checked out to any authorised user is suspicious. If you have solutions that detect malware and other incidents as they happen, you can automate a privileged response in near real time with no operational impact. Again, since the good guys and the approved processes get their rights from the secured library, there’s no impact on them if you spin a bunch of security settings in response to a possible threat.
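The three steps above describe one mechanism: a check-out/check-in ledger for privileged credentials, rotation on return, on expiry and on a schedule, and correlation of logon events against that ledger. The toy vault below, written as an added illustration and not code from Lieberman Software or the article’s author, models all three; the account names, clock values and logon records are constructed, and a real product would back the same logic with a hardened store and the target systems’ password-change APIs.

```python
"""Toy privileged-credential vault: check-out/check-in, rotation on return,
on expiry and on a schedule, plus correlation of logon events against the
check-out ledger. Added illustration, not vendor code; account names,
clock values and logon events are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Checkout:
    account: str
    user: str
    start: int                  # epoch seconds on a constructed clock
    expires: int                # hard deadline after which the lease is void
    end: Optional[int] = None   # set at check-in or when expiry is processed

    def active_at(self, t: int) -> bool:
        stop = self.end if self.end is not None else self.expires
        return self.start <= t < stop


class PrivilegeVault:
    def __init__(self, accounts, rotate_every=3600):
        # Step 2: every managed secret starts out random and is rotated often.
        self.secrets = {a: secrets.token_urlsafe(24) for a in accounts}
        self.last_rotated = {a: 0 for a in accounts}
        self.rotate_every = rotate_every
        self.ledger: list[Checkout] = []   # Step 1: who holds what, and when.

    def _rotate(self, account, now):
        self.secrets[account] = secrets.token_urlsafe(24)
        self.last_rotated[account] = now

    def holder(self, account, t) -> Optional[str]:
        """User who legitimately held `account` at time t, or None."""
        for c in self.ledger:
            if c.account == account and c.active_at(t):
                return c.user
        return None

    def checkout(self, account, user, now, ttl=900) -> Optional[str]:
        """Lease the current secret to `user`; refused if unknown or held."""
        if account not in self.secrets or self.holder(account, now) is not None:
            return None
        self.ledger.append(Checkout(account, user, now, now + ttl))
        return self.secrets[account]

    def checkin(self, account, user, now) -> bool:
        """Close the lease and rotate, so the handed-out secret is dead."""
        for c in self.ledger:
            if c.account == account and c.user == user and c.active_at(now):
                c.end = now
                self._rotate(account, now)
                return True
        return False

    def tick(self, now):
        """Housekeeping: void lapsed leases, then do scheduled rotation."""
        for c in self.ledger:
            if c.end is None and c.expires <= now:
                c.end = c.expires
                self._rotate(c.account, now)
        for account, last in list(self.last_rotated.items()):
            if last + self.rotate_every <= now:
                self._rotate(account, now)

    def correlate(self, events):
        """Step 3: flag privileged logons that match no active check-out."""
        flagged = []
        for ts, account, host, action in events:
            if account in self.secrets and self.holder(account, ts) is None:
                flagged.append((ts, account, host, action))
        return flagged


def demo():
    """Constructed scenario; returns the vault, the first leased secret
    and the logon events the correlation step flagged."""
    v = PrivilegeVault(["root@db01", "DOMAIN\\svc-backup"], rotate_every=600)
    leased = v.checkout("root@db01", "alice", now=100, ttl=300)
    v.checkin("root@db01", "alice", now=250)            # rotated on return
    v.checkout("DOMAIN\\svc-backup", "carol", now=300, ttl=100)
    v.tick(450)    # carol's lease lapsed at 400: voided and rotated
    v.tick(1000)   # scheduled rotation catches root@db01 (last at 250)
    events = [     # constructed logon records: (ts, account, host, action)
        (120, "root@db01", "db01", "ssh-login"),         # alice held it
        (320, "DOMAIN\\svc-backup", "dc01", "logon"),    # carol held it
        (500, "root@db01", "fileserver", "ssh-login"),   # nobody held it
        (700, "DOMAIN\\svc-backup", "ws42", "logon"),    # nobody held it
        (700, "jdoe", "ws42", "logon"),                  # not a managed account
    ]
    return v, leased, v.correlate(events)


if __name__ == "__main__":
    _, _, flagged = demo()
    for ts, account, host, action in flagged:
        print(f"t={ts} {action} as {account} on {host}: no matching check-out")
```

The correlation in `correlate` is the whole point of step 3: it only needs the ledger and a stream of logon events, so it can run in whatever analytics platform already receives the event data. Note that the ledger is queried historically (`holder(account, ts)` uses the event’s own timestamp), otherwise a logon from earlier in the day would be judged against the current check-out state.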
So that’s it: automate privileged password management and follow the three simple steps above, and you can stay ahead of the cybercriminals while they try to jump over your network defences and move laterally within your organisation’s systems.