Tracking privileged accounts can thwart hackers
By Byron Acohido, ThirdCertainty
PHOENIX – What do the Target hackers have in common with Edward Snowden?
Both successfully breached highly protected networks to steal mountains of sensitive data by abusing privileged accounts.
Privileged accounts are the logons that open access to desktops, laptops, servers, firewalls, databases, printers—pretty much any device with a microprocessor tied into a company network.
For the past 20 years, organizations of all sizes have dispersed privileged accounts widely without considering the security ramifications. All was assumed to be safe inside a company’s firewall. Hackers and data thieves have long known better, of course, and continue to take full advantage.
A 2013 survey by password security vendor CyberArk Software found that 86 percent of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks. “It’s a major and easy attack vector,” says CyberArk CEO Udi Mokady.
Snowden’s thievery pivoted off the privileged account granted to him as a contractor for the National Security Agency. The Target hackers had no special insider’s access, so they phished a privileged account from a heating and ventilation contractor who did work on Target stores.
Each day cyber criminals stretch their creativity to come up with novel ways to beg, borrow and steal privileged accounts. In one recent multitiered caper, shared exclusively with ThirdCertainty, hackers phished their way onto the Windows PC of a low-level clerk at a large multinational corporation.
Next, they purposely slowed the PC’s performance to a crawl, prompting the clerk to call the help desk and allow a technician to take over remote control of her PC to troubleshoot it—exactly what the hackers hoped for.
At that point the hackers pounced. They compromised the help desk technician’s PC and stole his privileged logon, then used it to plunder the corporation’s sensitive data.
Disclosure of that caper comes from Kevin Hickey, CEO of BeyondTrust Software, a Phoenix-based supplier of vulnerability and privileged accounts management systems. “It was a major breach of a very large enterprise,” Hickey says. “The hackers got quite a bit of information.”
Clearly, it would behoove any business to take stock of privileged accounts—and thanks to the headlines spawned by Target and Snowden, many have finally begun to do so.
It’s encouraging that demand is heating up for “privileged access management,” or PAM, technologies. These cutting-edge systems, also referred to as “privileged identity management,” or PIM, are designed to help companies regularly monitor and police privileged accounts.
Research firm Gartner estimates that global spending on PAM systems soared to $450 million in 2013, a 38 percent jump from 2012. That correlates with an ongoing surge in queries and sales at CyberArk, BeyondTrust, Dell and other suppliers of PAM technologies.
“The porousness of the security perimeter, even with the best firewalls, requires that companies implement additional interior protections,” says Phil Lieberman, CEO of Lieberman Software, a Los Angeles-based PAM vendor.
Beyond helping companies detect and deflect attackers, PAM tools also hold promise for improving operational efficiency. That’s proving to be the case for customers of Budapest, Hungary-based PAM vendor BalaBit.
When the ATM network of a German bank customer recently failed, the bank tapped into BalaBit’s monitoring technology to trace the cause to an errant command executed by an ATM technician working remotely, says BalaBit CEO Zoltán Györkö.
“By searching for and replaying the relevant working session, the bank identified and addressed the problem in hours,” Györkö says. “Without having recorded all of the actions of the ATM administrator, it could have taken much longer to identify and fix the problem.”
Dell’s software division is also touting the productivity-boosting potential of the PAM systems it supplies to businesses. “The bad guys aren’t always outside the organization,” observes Dell Product Marketing Director Bill Evans. “Because of their powerful nature, these are the most sought-after accounts. Occasionally, internal resources may either inadvertently or purposefully use these privileged credentials to acquire and distribute confidential or proprietary information.”
One Dell customer, a large technology company, recently switched from manually managing privileged accounts to using an automated system. “They were able to grant administrators privileged access in a secure and controlled way, resulting in a 50 percent increase in productivity and enabling them to meet all their compliance requirements,” Evans says.
The first step for any company is obvious: Determine what privileged accounts exist on your network and make a list of who has access to what.
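One concrete way to start that inventory on a Linux host is to combine group membership with sudo rules into a per-account list of privileges. The example below is added here and is not code from the article or from any vendor it mentions; the group file, sudoers fragment and the set of groups treated as privileged are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input (not taken from any real host).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,helpdesk
wheel:x:10:bob
docker:x:999:carol,bob
staff:x:50:dave
"""

SAMPLE_SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) /usr/bin/systemctl restart atm-agent
"""

# Groups whose membership counts as privileged under our assumed policy.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "docker"}


def parse_groups(text):
    """Return {group: [members]} from /etc/group formatted text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Return (principal, is_group, rule) tuples; handles plain user/group specs only."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        principal, rule = re.split(r"\s+", line, maxsplit=1)
        rules.append((principal.lstrip("%"), principal.startswith("%"), rule))
    return rules


def inventory(group_text, sudoers_text):
    """Map each account to the sorted list of privileges it holds and the source of each."""
    groups = parse_groups(group_text)
    privs = defaultdict(set)
    for g in PRIVILEGED_GROUPS & groups.keys():
        for member in groups[g]:
            privs[member].add(f"group:{g}")
    for principal, is_group, rule in parse_sudoers(sudoers_text):
        # A %group rule applies to every current member of that group.
        targets = groups.get(principal, []) if is_group else [principal]
        for user in targets:
            privs[user].add(f"sudo:{rule}")
    return {user: sorted(p) for user, p in privs.items()}
```

Accounts like `dave`, who hold no privileged group but do hold a sudo rule, only show up once both sources are merged, which is why a group listing alone under-counts.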
BeyondTrust CEO Kevin Hickey says lack of awareness is an all too common scenario. “You have a lot of very large organizations where they have privileges all over the place. There are some cases where there are hundreds and hundreds of administrators that have elevated privileges.
“Snowden is a good example. He was a consultant. If he had been locked down, with limited access to applications, and parameters set for when he could access them, print them out, and move them around, he wouldn’t have gotten away with it. Basically, Snowden could go anywhere he wanted to go.”