All identities are not created equal. There are regular users. And then there are superusers, people who wield far greater access and privilege in the organization’s IT environment.
These privileged identities are necessary—users like database administrators and sys admins do need extensive access to computers, networks and applications—but privileged identities come with risk. In addition, IT departments often give non-technical executives (the VP of Sales, the CEO, the CFO) broad privilege inside corporate applications, figuring it is better to give too much freedom to upper management than to get yelled at when someone can’t create a report.
These elevated permissions make privileged accounts intensely sought by hackers, who can steal far more information and do far more damage if they get their hands on a privileged identity. After all, why rob the branch bank on the corner when you can break into Fort Knox? You want to get maximum return for your effort and privileged identities provide it.
Verizon’s 2015 Data Breach Investigations Report shows that the organization’s most vulnerable point is not just any ol’ password but passwords that hold the proverbial keys to the kingdom, those privileged identities that have root, admin or read/write access privileges for critical infrastructure, apps and data.
If privileged identities are well audited and monitored, and not shared like some viral video, hackers can be discouraged and damage contained. But too often it’s quite simple for cybercriminals to get hold of privileged identities.
Hackers used basic phishing emails to penetrate the networks of Sony Pictures in fall 2014. An investigation of the hack revealed that a number of top Sony Pictures executives, including CEO Michael Lynton, got fake Apple ID-verification emails in mid-September asking them to go to a phony Apple website to confirm their Apple ID and password. Assuming, correctly, that some of the executives were using the same ID and password at work, the hackers gained broad access and ransacked the Sony files.
The Problem of Pervasive Privilege
It’s not only company executives who present a soft spot for hackers. Increasingly it’s lower-level employees, as privileged identities become more pervasive. With the consumerization of IT and the popularity of BYOD, there has been an explosion of new apps in the enterprise. Employees in every cubicle are using Box, Workday and Salesforce, and they’re not waiting for IT’s permission to do so. They’re using their own apps on their own devices. Many are spinning up their own cloud servers for infrastructure, a practice dubbed bring your own server. So privilege is now being consumerized, just like apps and devices.
The danger to the organization is that, as the number of apps, devices and servers expands, so does the number of privileged accounts. In an increasingly complex IT environment, IT people tend to deal with the complexity by making processes easier. They share privileged accounts. Or they make everyone in IT a superuser, so if a problem occurs anyone in IT can fix it.
And it’s not only IT people with privileged access anymore. Nowadays many of the regular folks in the enterprise are granted privileged access. Marketing, for example. If they want to update the corporate Twitter or Facebook account, they don’t call IT to do it, they just do it themselves—and the door opens wider. This is how pro-ISIS cybervandals hijacked the social media accounts of the U.S. military.
The Solution of Least Privilege
So how do companies protect themselves from hackers in pursuit of privileged accounts? First, they must be smart. Remind everyone, executives included, what a phishing attempt looks like. Enforce better password hygiene: don’t share passwords and change them more often.
Second, adopt the principle of least privilege. Limit access to the minimum level necessary for normal functioning. IT should assume that networks will be breached and bad guys will get in. But when they do get in, IT can contain and minimize the damage if it has implemented the practice of least privilege.
Least privilege means giving people only the degree of privilege they absolutely need and access to the data they absolutely must have. It means auditing activity, especially on the most sensitive systems, looking for suspicious behavior and generating alerts if something funky is happening. It also means implementing two-factor authentication to verify that people really are who they say they are.
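As an added illustration of the practice just described (example code written for this page, not from the original article or any vendor), here is a small Python policy check: the roles and actions are assumptions, each role gets only the actions it needs instead of blanket superuser rights, sensitive actions require a verified second factor, every decision is audited, and a privileged account turning up on a second device is flagged as a possibly shared credential.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical role-to-action map (an assumption for this example): each role gets only what it needs.
ROLE_PERMISSIONS = {
    "dba": {"db.read", "db.write", "db.backup"},
    "sysadmin": {"host.restart", "host.patch", "user.reset_password"},
    "marketing": {"social.post"},      # may post, but not change the account's credentials
    "executive": {"report.read"},      # read-only reporting rather than blanket admin rights
}
SENSITIVE_ACTIONS = {"db.write", "user.reset_password", "social.change_credentials"}  # need 2FA

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)   # (user, role, action, device, allowed)
    alerts: list = field(default_factory=list)
    seen_devices: dict = field(default_factory=lambda: defaultdict(set))

def authorize(log, user, role, action, device, mfa_verified):
    """Decide one request under least privilege, audit it, and raise alerts where warranted."""
    reason = None
    if action not in ROLE_PERMISSIONS.get(role, set()):
        reason = "not permitted for role"
    elif action in SENSITIVE_ACTIONS and not mfa_verified:
        reason = "sensitive action requires a second factor"
    if reason:
        log.alerts.append(f"{user} ({role}) denied {action}: {reason}")
    # A privileged account appearing from a second device is a sign of a shared credential.
    devices = log.seen_devices[user]
    if devices and device not in devices:
        log.alerts.append(f"{user}: seen from new device {device}; possible shared credential")
    devices.add(device)
    log.entries.append((user, role, action, device, reason is None))
    return reason is None

def run_sample():
    """Replay a constructed batch of requests and return the resulting audit log."""
    log = AuditLog()
    events = [  # constructed sample input, not real data
        ("alice", "dba", "db.write", "laptop-a", False),   # denied: no second factor
        ("alice", "dba", "db.write", "laptop-a", True),    # allowed
        ("bob", "marketing", "social.change_credentials", "phone-b", True),  # denied: out of role
        ("ceo", "executive", "db.read", "laptop-c", False),  # denied: no blanket access
        ("svc-admin", "sysadmin", "host.patch", "box-1", False),  # allowed
        ("svc-admin", "sysadmin", "host.patch", "box-2", False),  # allowed, but second device alert
    ]
    for event in events:
        authorize(log, *event)
    return log
```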
The old perimeter was the firewall. The new perimeter is identity—making sure a user, especially a privileged user, is who he purports to be, not some North Korean hacker (or someone making themselves look like one) with a pilfered executive password. Fortunately, there is rising awareness of this fact. That’s why identity is the fastest-growing major market in the security industry.