It’s remarkable to see just how deep today’s data breaches go. We at Osirium believe that the following issues are the main contributors and share with you how Osirium PAM combats them.
Most businesses want to make the lives of their staff as easy as possible so that they can focus on getting the job done. In the security world, this means that every login, or every need to remember yet another password, creates a barrier. As getting stuff done is key to business, security and business often come into conflict with one another.
Using the same password, sharing passwords, or default passwords
In an environment where staff are using the same password, sharing passwords, or using default passwords, an attacker (internal or external) need only acquire one of these passwords to move through the data assets of a business. Moreover, the identity of the attacker is then hard to distinguish from legitimate access.
Your staff can be easily fooled and caught off guard, and most of the time they address their business responsibilities expecting that you are responsible for all the security, including their mistakes.
Whilst businesses often place significant focus on protecting their systems from initial breaches, the supporting infrastructure is often forgotten. A classic example of this is a focus on the Linux and Windows systems, with less focus on the hypervisor and even less on the NAS and SAN systems. The further away a system is from the end-users, the less likely its passwords are to change. It’s not uncommon to find SANs with passwords more than 5 years old, and new SANs often inherit old passwords as they are used to replace outgoing systems.
In the typical cut and thrust of a busy IT department no-one has the time to digest all the subtleties of the IT infrastructure, especially where more than one vendor implementation is involved. This means that there is often a lot of head scratching before the systems work together. Once they are working, there is an understandable reticence to change anything. You need to understand that attackers are specialised and have the time and motivation to understand all the interactions and how to subvert them.
These days the new hotness can become the old busted in 6 months. Cybersecurity suppliers tend to have a policy of supporting three releases back. So, in this ‘bi-modal’ world, it could be only 18 months before a system is outside of its support cycle.
Your infrastructure is like any big critical system: it has to fail gracefully. It is designed to absorb the inevitable knocks it receives, and to be repairable afterwards. We call this the security cell approach. You could think of it in the same way as a car; when a modern car is involved in a collision it fails cell by cell. Each cell absorbs collision energy, the subsequent cell absorbing more than the last, the goal being to protect the occupants.
If too many people have domain administrator access then your cells are too large. A compromise will go deep. A risk profile approach makes the most sense. If 86% of all passwords are being stolen from the desktop, why let them go anywhere near the desktop in the first place? If 10% of accounts are compromised by phishing, why let the users have passwords in the first place?
It’s a cognitive problem; you’re overloading your staff. They react by recording the passwords in files on the desktop. If you give them a complex password policy to follow they will reduce it to patterns. As soon as they use a pattern their passwords are vulnerable to rainbow table attacks. They start using common long words, reducing the problem from a multi-character brute force to an ordered token brute force.
Removing the ‘password problem’ from your people reduces the risk of security breaches by around 96%, and that’s significant. By taking an ‘Identity In, Role Out’ approach we gain a significant security cell. The actual accounts used on the systems can be valid for just that system, not all the others. Access to one system does not confer the right to wander around the others at will. This approach is a fundamental element of how Osirium PAM works.
Taking this a step further, you could ask why your users need access to systems in the first place. A workflow analysis will quickly reveal that most access is task-based in nature. If we wrap up and parameterise those tasks we can use an ‘Identity In, Task Done’ model, seen in the Task Automation element of Osirium PAM. Now your staff get what they need to get done much faster with the benefits of more security and fewer errors.
Of course, there will always be special instances in which particular staff need full access to your IT infrastructure in order to address special cases, changes and reconciliation. What is important to remember here is that there is always a reason for this need, and that reason can be managed as an incident or change. Your ticketing system can be used to drive your access profiles so that access is enabled only when there is a reason for it. That’s a real reduction in attack surface and a great security cell. Even if an attacker has all the credentials, they can’t use them without a valid business reason. This is the real essence of Privileged Access Management.
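The two ideas above, ‘Identity In, Role Out’ (a role account that is valid on one system only) and ticket-driven access profiles (a credential is released only while a matching incident or change is open), can be modelled in a few dozen lines. The following is an added illustration written for this page, not Osirium PAM’s own code or API; the identities, role accounts, systems and ticket numbers are constructed, and the ticket checks (assignee, target system, open/closed window) are an assumed policy chosen to show the cell boundary and the audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Ticket:
    """A change/incident ticket: the business reason that unlocks access (constructed)."""
    ticket_id: str
    assignee: str                       # identity the ticket is assigned to
    system: str                         # the single system the ticket authorises work on
    opened: datetime
    closed: Optional[datetime] = None   # None while the ticket is still open


@dataclass(frozen=True)
class Decision:
    allowed: bool
    account: Optional[str]   # system-local role account, never the user's own credential
    reason: str


# Constructed directory: identity -> roles, and role -> {system: local account}.
# Each role account exists only on its own system, so it forms the security cell boundary.
IDENTITY_ROLES: Dict[str, Set[str]] = {
    "alice": {"storage-admin"},
    "bob": {"hypervisor-admin"},
}
ROLE_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "storage-admin": {"san-01": "san-01-storage-role"},
    "hypervisor-admin": {"esx-01": "esx-01-hv-role"},
}


class AccessBroker:
    """Toy 'Identity In, Role Out' broker whose decisions are gated by ticket validity."""

    def __init__(self, tickets: List[Ticket]):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.audit: List[str] = []   # every request is recorded, allowed or denied

    def _role_account(self, identity: str, system: str) -> Optional[str]:
        """Map the caller's identity to the role account that exists on this one system."""
        for role in IDENTITY_ROLES.get(identity, set()):
            account = ROLE_ACCOUNTS.get(role, {}).get(system)
            if account:
                return account
        return None

    @staticmethod
    def _ticket_problem(ticket: Optional[Ticket], identity: str, system: str,
                        now: datetime) -> Optional[str]:
        """Return None if the ticket justifies access now, otherwise why it does not."""
        if ticket is None:
            return "no such ticket"
        if ticket.assignee != identity:
            return "ticket assigned to someone else"
        if ticket.system != system:
            return "ticket is for a different system"
        if now < ticket.opened:
            return "ticket not yet opened"
        if ticket.closed is not None and now >= ticket.closed:
            return "ticket already closed"
        return None

    def request(self, identity: str, system: str, ticket_id: str, now: datetime) -> Decision:
        account = self._role_account(identity, system)
        if account is None:
            decision = Decision(False, None, "no role grants access to this system")
        else:
            problem = self._ticket_problem(self.tickets.get(ticket_id), identity, system, now)
            decision = Decision(problem is None,
                                account if problem is None else None,
                                problem or f"authorised by {ticket_id}")
        self.audit.append(f"{now.isoformat()} {identity} -> {system} [{ticket_id}] "
                          f"{'ALLOW' if decision.allowed else 'DENY'}: {decision.reason}")
        return decision


# Constructed sample tickets and a fixed clock so the run is reproducible.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_TICKETS = [
    Ticket("CHG-1001", "alice", "san-01", opened=T0),
    Ticket("INC-2002", "alice", "san-01", opened=T0 - timedelta(days=2),
           closed=T0 - timedelta(days=1)),
    Ticket("CHG-1003", "bob", "esx-01", opened=T0),
]


def demo() -> List[Decision]:
    """Run five requests against the sample data and return the decisions in order."""
    broker = AccessBroker(SAMPLE_TICKETS)
    now = T0 + timedelta(hours=1)
    return [
        broker.request("alice", "san-01", "CHG-1001", now),  # allowed: role + open ticket
        broker.request("alice", "esx-01", "CHG-1001", now),  # denied: no role on esx-01
        broker.request("alice", "san-01", "INC-2002", now),  # denied: ticket closed
        broker.request("bob", "esx-01", "CHG-1001", now),    # denied: someone else's ticket
        broker.request("bob", "esx-01", "CHG-1003", now),    # allowed
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the model is in the second and third requests: even a valid ticket holder cannot reach a system their role has no account on, and a role account is withheld the moment the ticket that justified it is closed. Because the released account is local to one system, a stolen copy of it is confined to that cell, and the audit list gives the incident responder the business reason attached to every release.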
To address the issue of legacy systems, there are two levels of virtualisation. The first is straightforward: run the system on its own VM and protect it with firewalls and the like. You can still use the system, and the firewalls will help with the protocol-sensitive weaknesses that are discovered from time to time. Considering the second type of virtualisation, we’ve realised that legacy management tools are also a key part of the ongoing management. We’ve created MAP server as an environment to virtualise application management tools, keeping them in their own safety cell as well.
If you’d like to find out more about Osirium PAM, Contact us.