The European Union Agency for Cybersecurity (ENISA) and CERT-EU recently published a set of best practices that are well worth reviewing to assess how your organisation matches up.
In many ways, nothing is surprising here. Many of the recommendations echo those already included in Cyber Essentials, NIST-800, ISO27001, and many other standards. That doesn’t mean they’re not important, though.
Your organisation may already be subject to those policies and be fully compliant, but that doesn’t mean there isn’t room for improvement. For those of you that aren’t subject to regulatory compliance, the recommendations are an excellent place to start to ensure you’re following best practices to prevent your business from falling victim to an attack.
Over the last decade or so, every business has been investing in its cyber security defences. That’s generally meant buying more and more tools to plug gaps or as the next great defence (until the next new attack comes along anyway). I say “buying more” rather than “improving their defences” as they can be very different.
Buying more or building walls higher and higher doesn’t necessarily translate into better protection. That’s not to say all those tools are wasted – they definitely have important work to do – but they introduce a whole new set of risks. With more tools from more vendors, you’ll need more experts to ensure they’re all managed and maintained correctly. You may even end up with conflicts to resolve (e.g., the traffic your firewall thinks is OK may not match what your network sniffer tools think is OK).
Perhaps the most significant risk is that every new tool introduces new potential backdoors into your defences.
That’s a pretty radical assertion, but consider this: every one of those tools has one or more administrator accounts. Those powerful accounts allow you to create/change/remove other users, change the configuration, access sensitive data, and much more.
More admin accounts mean more work controlling access to their credentials. Do you know who has access? Who needs access? Does the access get removed when no longer needed? Are the credentials shared and, if so, how? The questions go on and on. Controlling these powerful, privileged accounts is foundational to the rest of your security stack. If you don’t have that control, you don’t have solid foundations for your defences.
Like Cyber Essentials et al., the new recommendations address these challenges, and Privileged Access Management (PAM) is ideally placed to address them.
Of the 14 recommendations, many can be addressed with PAM. Let’s take a look:
Almost every organisation relies on partners and suppliers to access their IT systems, ranging from customer databases to telephony systems to air conditioning. Virtual Private Networks (VPNs) are often used for remote access, and they may require MFA for connections, but that’s a very loose control. Once the user is connected, do you have visibility into what they’re doing? What systems do they access? Does their workstation comply with your cybersecurity policies?
PAM provides visibility and control over remote access. You can isolate the user and their workstation from your systems, control what systems they access, and monitor their activity in real-time (with recordings). Often vendor access is the initial driver in adopting PAM as it’s such a critical risk factor. This video shows PAM control for vendor access.
Human beings are not good at passwords. Complex, hard-to-break passwords are difficult to remember. Enforcing policies such as changing passwords regularly makes things worse, as it’s so easy to fall into simple patterns around birthdays, pet names, etc. It’s no wonder passwords are too simple, and bad habits like reusing passwords or saving them in spreadsheets and notebooks still happen.
PAM protects the credentials to access corporate IT systems and automatically generates and rotates secure passwords. Those credentials are never revealed to the admins, so they can’t be abused or stolen. Of course, the users should still adopt best practices such as MFA, but now the risk is limited to that person’s identity, not the systems they access. With the latest release of Osirium PAM, MFA is built-in, so it’s easy to manage, and no additional purchase is needed.
It should be obvious, but the effort of updating systems and the potential impact on users often mean updates get delayed. Here’s an example of using privileged automation to identify which systems need an update, to reduce the effort and apply updates more quickly.
As mentioned earlier, remote access to IT systems is needed, but it’s also very risky. PAM provides visibility and control over that access. With Osirium PAM, the protection can be taken to another level with two options:
A vital element of any resiliency plan has to be backups. As a result, it’s no surprise backup management systems are a prime target for ransomware attacks. After all, the harder it is to recover, the more likely a victim will pay the ransom.
PAM should be used to protect backup management systems (in fact, the National Cyber Security Centre has issued explicit guidance on this).
A cardinal sin in IT is not changing default passwords on new devices and services. It’s the first thing an attacker will try. With Osirium PAM, new devices can be “fully managed” so admin accounts are protected before anyone can access them, and remain protected through to device retirement.
PAM can be fast to deploy and start protecting your systems. If you’d like to learn more, please get in touch.