It's probably no surprise when North Korea is accused of launching cyber attacks on western technology companies, but today's report from Reuters of a potential attack on AstraZeneca is particularly striking.
Reuters reports that the company has had multiple attacks in the form of fake job offers to staff members via LinkedIN and WhatsApp. Clearly, AstraZeneca would be a high-value target in the midst of the COVID-19 pandemic. Not only could they disrupt or delay development of a vaccine but also steal the valuable intellectual property behind the vaccine.
Although this is a very high-profile case, and most attacks don't come from national governments, phishing attacks like these are far too common. The recent NCSC Annual Review reported that the NCSC had taken down over 166,000 phishing URLs and had over 2.3 million suspicious emails forwarded to their SERS reporting system.
The real threat behind these emails is the opportunity they provide for getting access to corporate systems. Whether that's to install malware for ransom (such as WannaCry) or exfiltrate valuable personal data, or intellectual property such as vaccine formulations. It's such a prevalent problem, NCSC has issued specific guidance to NHS agencies on how to prevent and prepare for ransomware attacks.
Such malware can only be successful if the environment lets it. There are several best practices to prevent or limit the potential for attacks. They start with training staff to recognise potential attacks, which is clearly important. But there are two fundamental steps every organization should take to prevent attacks: remove local administrator privileges and separate users from valuable privileged credentials.
Many organizations have granted users elevated privileges on their workstations or laptops with a "local admin account". That lets the user run an application that needs administrator rights, to install software or change configuration settings such as WiFi connections without having to contact the IT help desk when Windows pops-up the User Access Control panel. That's convenient but highly dangerous. If that user can install software and falls victim to a phishing attack, they may install malware which starts infiltrating the network. The user may never know they've been attacked until much later.
Removing those rights can be painful. If users can't run the applications they need or have to keep calling the Help Desk, productivity plummets and no-one is happy.
Osirium's Privileged Endpoint Management (PEM) solves these problems by allowing the organization to remove local admin rights but still let the user run the elevated apps they need. You can get a free tool from Osirium to discover what local admin rights you have in your organization.
The second key element is not letting users have access to the admin credentials on the systems or databases housing valuable data. If the user never has direct access to the privileged credentials, the valuable privileged credentials can't be stolen by malware.
That separation is possible with a modern Privileged Access Management (PAM) solution. With Osirium PAM, the user identifies themselves to PAM, ideally using multi-factor authentication (MFA). PAM then controls access to those shared systems and databases. All the work done during that privileged session can be monitored and recorded to spot if unexpected or dangerous changes are made such as those from an attacker.
Recently, an Osirium PAM customer was asked "When should an organization start with PAM?" The answer was clearly "It's day 1." It makes a lot of sense. If you can't control access to the foundational IT systems like networks, firewalls, backups, etc. then you're leaving the organization open to attack. The reason smaller or startup organizations haven't been treating PAM with that priority has been that the older generation of PAM was big, complex and expensive. With Osirium PAM, small teams can even get started for free.
So, its never too early. And it's never too late, but you do need to get started and adopt a PAM solution that delivers protection in hours or days, not weeks and months after the project starts . If you'd like to discuss PAM or PEM, please get in touch.