Tracking privileged accounts can thwart hackers

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

PHOENIX – What do the Tar­get hack­ers have in com­mon with Edward Snow­den?

Both suc­cess­ful­ly breached high­ly pro­tect­ed net­works to steal moun­tains of sen­si­tive data by abus­ing priv­i­leged accounts.

Priv­i­leged accounts are the logons that open access to desk­tops, lap­tops, servers, fire­walls, data­bas­es, printers—pretty much any device with a micro­proces­sor tied into a com­pa­ny net­work.

For the past 20 years, orga­ni­za­tions of all sizes have dis­persed priv­i­leged accounts wide­ly with­out con­sid­er­ing the secu­ri­ty ram­i­fi­ca­tions. All was assumed to be safe inside a company’s fire­wall. Hack­ers and data thieves have long known bet­ter, of course, and con­tin­ue to take full advan­tage.

A 2013 sur­vey by pass­word secu­ri­ty ven­dor Cyber­Ark Soft­ware found that 86 per­cent of large enter­prise orga­ni­za­tions either do not know or under­es­ti­mat­ed the num­ber of priv­i­leged accounts incor­po­rat­ed into their net­works. “It’s a major and easy attack vec­tor,” says Cyber­Ark CEO Udi Mokady.

Snowden’s thiev­ery piv­ot­ed off the priv­i­leged account grant­ed to him as a con­trac­tor for the Nation­al Secu­ri­ty Agency. The Tar­get hack­ers had no spe­cial insider’s access, so they phished a priv­i­leged account from a heat­ing and ven­ti­la­tion con­trac­tor who did work on Tar­get stores.

Clever hack

Each day cyber crim­i­nals stretch their cre­ativ­i­ty to come up with nov­el ways to beg, bor­row and steal priv­i­leged accounts. In one recent mul­ti­tiered caper, shared exclu­sive­ly with Third­Cer­tain­ty, hack­ers phished their way onto the Win­dows PC of a low-lev­el clerk at a large multi­na­tion­al cor­po­ra­tion.

Next, they pur­pose­ly slowed the PC’s per­for­mance to a crawl, prompt­ing the clerk to call the help desk and allow a tech­ni­cian to take over remote con­trol of her PC to trou­bleshoot it—exactly what the hack­ers hoped for.

At that point the hack­ers pounced. They com­pro­mised the help desk technician’s PC and stole his priv­i­leged logon, then used it to plun­der the corporation’s sen­si­tive data.

Dis­clo­sure of that caper comes from Kevin Hick­ey, CEO of BeyondTrust Soft­ware, a Phoenix-based sup­pli­er of vul­ner­a­bil­i­ty and priv­i­leged accounts man­age­ment sys­tems. “It was a major breach of a very large enter­prise,” Hick­ey says. “The hack­ers got quite a bit of infor­ma­tion. ”

Clear­ly, it would behoove any busi­ness to take stock of priv­i­leged accounts—and thanks to the head­lines spawned by Tar­get and Snow­den, many have final­ly begun to do so.

More: 3 steps to deter­mine if your busi­ness is secure 

It’s encour­ag­ing that demand is heat­ing up for “priv­i­leged access man­age­ment,” or PAM, tech­nolo­gies. These cut­ting-edge sys­tems, also referred to as “priv­i­leged iden­ti­ty man­age­ment,” or PIM, are designed to help com­pa­nies reg­u­lar­ly mon­i­tor and police priv­i­leged accounts.

Research firm Gart­ner esti­mates that glob­al spend­ing on PAM sys­tems soared to $450 mil­lion in 2013, a 38 per­cent jump from 2012. That cor­re­lates with an ongo­ing surge in queries and sales at Cyber­Ark, Beyond Trust, Dell and oth­er sup­pli­ers of PAM tech­nolo­gies.

The porous­ness of the secu­ri­ty perime­ter, even with the best fire­walls, requires that com­pa­nies imple­ment addi­tion­al inte­ri­or pro­tec­tions,” says Phil Lieber­man, CEO of Lieber­man Soft­ware, a Los Ange­les-based PAM ven­dor.

Beyond help­ing com­pa­nies detect and deflect attack­ers, PAM tools also hold promise for improv­ing oper­a­tional effi­cien­cy. That’s prov­ing to be the case for cus­tomers of Budapest, Hun­gary-based PAM ven­dor Bal­aBit.

When the ATM net­work of a Ger­man bank cus­tomer recent­ly failed, the bank tapped into BalaBit’s mon­i­tor­ing tech­nol­o­gy to trace the cause to an errant com­mand exe­cut­ed by an ATM tech­ni­cian work­ing remote­ly, says Bal­aBit CEO Zoltán Györkö.

By search­ing for and replay­ing the rel­e­vant work­ing ses­sion, the bank iden­ti­fied and addressed the prob­lem in hours,” Györkö says. “With­out hav­ing record­ed all of the actions of the ATM admin­is­tra­tor, it could have tak­en much longer to iden­ti­fy and fix the prob­lem.”

Dell’s soft­ware divi­sion is also tout­ing the pro­duc­tiv­i­ty-boost­ing poten­tial of the PAM sys­tems it sup­plies to busi­ness­es. “The bad guys aren’t always out­side the orga­ni­za­tion,” observes Dell Prod­uct Mar­ket­ing Direc­tor Bill Evans. “Because of their pow­er­ful nature, these are the most sought-after accounts. Occa­sion­al­ly, inter­nal resources may either inad­ver­tent­ly or pur­pose­ful­ly use these priv­i­leged cre­den­tials to acquire and dis­trib­ute con­fi­den­tial or pro­pri­etary infor­ma­tion.”

One Dell cus­tomer, a large tech­nol­o­gy com­pa­ny, recent­ly switched from man­u­al­ly man­ag­ing priv­i­leged accounts to using an auto­mat­ed sys­tem. “They were able to grant admin­is­tra­tors priv­i­leged access in a secure and con­trolled way, result­ing in a 50 per­cent increase in pro­duc­tiv­i­ty and enabling them to meet all their com­pli­ance require­ments,” Evans says.

The first step for any com­pa­ny is obvi­ous: Deter­mine what priv­i­leged accounts exist on your net­work and make a list of who has access to what.

BeyondTrust CEO Kevin Hick­ey says lack of aware­ness is an all too com­mon sce­nario. “You have a lot of very large orga­ni­za­tions where they have priv­i­leges all over the place. There are some cas­es where there are hun­dreds and hun­dreds of admin­is­tra­tors that have ele­vat­ed priv­i­leges.

Snow­den is a good exam­ple. He was a con­sul­tant. If he had been locked down, with lim­it­ed access to appli­ca­tions, and para­me­ters set for when he could access them, print them out, and move them around, he wouldn’t have got­ten away with it. Basi­cal­ly, Snow­den could go any­where he want­ed to go.”