23 July 2015

CISO Message to the Board about Breaches

Andy Harris

CISOs and Breaches

It’s very clear to us how hard CISOs work to prevent breaches, and how their influence is often limited in the face of perceived business requirements. This has led CISOs to re-brand themselves: they now call themselves ‘business enablers’ or ‘corporate risk assessment specialists’.

This gives rise to the ‘prevention versus detection’ debate. The nature of the problem means the debate gets very technical very fast, and it is therefore beyond the board’s appetite to digest. We’ve put this article together to help infosec professionals find the right messages to deliver at board level.

It’s simple really

All the arguments follow a similar form: “The hackers use this complex attack or social engineering technique to find a chink in the armour.”

At this point the board has switched off. They don’t understand the low-level technology, nor why the millions spent on firewalls are failing.

But they have already tuned out before the most important part, which comes next: “After finding the chink, the hackers search for a privileged account to hijack.”

That’s it, right there: an attack has no teeth until it has control of a privileged account. The 2014 statistics show that 98.8% of all breaches used a privileged account. 86% of the passwords to those accounts were stolen from desktop systems or network drives, 10% were obtained through social engineering (phishing) and 4% were guessed using a brute force process.

The curious board member would ask: why is this happening now? What’s changed? Well, it has its roots in the gradual shift towards the cloud and outsourcing. There are some cost advantages gained, but also many security opportunities lost.

Cloud and Outsource

  • Hardware and OS management costs reduced
  • Day to day malware management reduced
  • No need for secure facilities to house servers
  • No need for expensive IT generalists

On Premise Data Centre and own IT Team

  • Lack of clarity on who has access to system and root accounts
  • Likely to become outsourced by the outsourcer. Now you have third and fourth parties with system level access to your applications
  • Lack of clarity about who has console access to your servers
  • The lowest paid people now have the highest privileges to your servers and data

Because of this, you don’t get to keep all the savings of outsourcing; some of it needs to be redirected into increased security.

The Obvious

We’ve established that any attacker, internal or external, needs to get access to a privileged account. Therefore, it makes complete sense to protect these accounts. We’ve further established that if we allow people to manage their own passwords they’ll store them on their desktop, choose simple passwords, or give them away to a phishing attack. Our approach: separate the people from the passwords. It’s that simple. No passwords to store, choose or give away to a phishing site.

Messages to the Board

We can break these down into functional areas:

  • Firewalls control traffic across network boundaries. They also hide systems from direct sight of the Internet.
  • Content security blocks the flow of known and likely malware from traversing the network.
  • Intrusion Detection lets you know the probability of a breach in a system or application.
  • Privileged Account Management controls who can do what, where and when on your systems and applications.

All sensible security policies will have a blend of all these. Osirium PAM does Privileged Account and Privileged User Management very well.
