Privileged Accounts are Now Everywhere, & Privileged Attack Vectors are Getting Worse
by Morey Haber, Chief Technology Officer & Chief Information Security Officer, BeyondTrust
Ever since the first password was stolen, there has been some form of privileged attack vector. In fact, the first recorded use of a password, then called a passcode, dates all the way back to the Roman empire. The Roman military would carve a passcode into wood, and soldiers would pass it along via the guard on active duty. You needed to know the passcode in order to proceed or perform a guarded function. It provided proof of your identity, and it is the ancestor of the satirical password challenge in Monty Python and the Holy Grail: “What is your favorite color?” Needless to say, these passcodes were a shared secret, which is a known liability: multiple people knew them, there was no way to protect them, no way to control how they were shared, and they were never unique per person or per use.
Today, the most common storage for a password is the human brain rather than a physical document that is passed around. We assign a password to a system or application, recall it when it needs to be used, and hopefully remember it each time we change it. Our brains are full of passwords, and we often forget them, reuse them, need to share them, and are forced to write them on post-it notes and in spreadsheets, or even send them via email or SMS text message (a very poor security practice in itself). None of these methods is very secure, and they can be just as faulty as a passcode carved into a piece of wood.
These insecure methods for creating, sharing, and reusing passwords have put data breaches on the front page and have taught the public about the risks of poor password storage and sharing when good password strategies are not adhered to. This applies to both business and our personal lives. Passwords are everywhere, and we need at least one basic tenet to help fix a thousand-year-old problem. To make matters worse, there are now more privileged passwords than ever before, and we continue to create more and more of them. Consider the following timeline of passwords within an organization:
- 20 Years Ago: Privileged passwords were contained within an organization’s firewalls. The perimeter was fairly well defined and only trusted individuals had the highest rights. End users had local administrator access, and exploitation of vulnerabilities was mostly theoretical. Asset attack vectors only existed in the form of computer viruses.
- 10 Years Ago: Computing transitioned into the golden age of virtualization and SaaS-based cloud applications. New privileged passwords were needed to manage hypervisors, SaaS applications, and emerging hybrid cloud environments. The perimeter was no longer clearly defined, and privileged passwords protecting runtime and critical data began appearing outside of the corporate firewall.
- Today: Next-generation devices and new software implementations have proliferated across our networks. Everything from IoT to DevOps uses privileges to implement the technology, and many of these implementations suffer from flaws that expose privileged attack vectors. Privileged passwords are now everywhere, from our homes and mobile phones to our corporate resources.
- The Future: Technology is not slowing down. Data, applications, and networked resources will continue to be shared, and that sharing will continue to be targeted by threat actors. While data privacy will remain a concern, legitimate sharing of information and applications will always require some form of privilege. This creates even more privileged credentials (mainly certificates for application-to-application sharing) everywhere, like a large mesh network, and the proliferation will continue to expand.
Therefore, the most important security recommendation for everyone:
Ensure that every privileged password created is unique and not shared with any other resource (including people) at any other time.
Remembering that many passwords (an average of 120 for the modern corporate user) is nearly impossible, but there are tools, solutions, and techniques for making this recommendation a reality and minimizing the threat. Modern operating systems, browsers, and applications can generate a unique password for every resource and securely store it for retrieval in lieu of remembering every single one. These passwords are essentially kept behind one master password that only the owner knows. While this is a good solution for home and small business users (to a limited degree), it does not scale to most businesses, which need to share accounts (due to technology limitations) and automatically keep passwords and certificates unique across employee changes and regulatory compliance requirements.
This recommendation ensures that if your password is stolen, leaked, or inappropriately used, it can only be leveraged against the one resource it was assigned to (and even then only if MFA or 2FA is not present). A threat actor cannot use the same account and password to attack other resources, because the password was never reused. The attacker is essentially contained unless they have advanced techniques for stealing other credentials from the system they have compromised, such as scraping passwords from memory. In that case, keeping passwords unique and changing them frequently limits what a stolen credential is worth and for how long.
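The recommendation above is checkable against an existing credential inventory. The following Python script is an added example, not BeyondTrust code or anything from the book; it assumes a vault or spreadsheet export that can be read into tuples of (resource, account, owner, secret, last rotated), and it flags the three conditions the text warns about: the same secret protecting more than one resource, one account known to more than one person, and passwords that have not been rotated within a chosen window (90 days here, an assumed policy value). Secrets are compared through a keyed hash so the report never carries plaintext. The sample inventory is constructed for illustration.

```python
"""Audit a credential inventory for reuse, sharing, and stale rotation.

Added example. The inventory format, the per-run HMAC key, and the
90-day rotation window are assumptions, not part of the original article.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export (not real credentials):
# (resource, account, owner, secret, last_rotated)
INVENTORY = [
    ("db01.corp",  "sa",     "alice", "Summer2023!",  date(2023, 6, 1)),
    ("web01.corp", "root",   "alice", "Summer2023!",  date(2024, 1, 15)),  # same secret as db01
    ("web02.corp", "root",   "bob",   "q7#Vn2!pLz9@", date(2024, 5, 3)),
    ("hv01.corp",  "admin",  "alice", "Hyp3rV1s0r!!", date(2024, 3, 10)),
    ("hv01.corp",  "admin",  "bob",   "Hyp3rV1s0r!!", date(2024, 3, 10)),  # one account, two people
    ("ci.corp",    "deploy", "svc",   "Ab9!xK2#mQ4$", date(2023, 1, 2)),   # never rotated
]


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed hash of a secret. Equal secrets give equal fingerprints, but
    the report cannot be reversed or cracked offline without the key,
    which is generated per audit run and discarded."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reused_secrets(inventory, key: bytes = b"per-run-audit-key"):
    """Secrets that protect more than one distinct (resource, account).
    Two owners holding the same account are not reuse; that is sharing."""
    targets = defaultdict(set)
    for resource, account, _owner, secret, _rotated in inventory:
        targets[fingerprint(secret, key)].add((resource, account))
    return sorted(sorted(t) for t in targets.values() if len(t) > 1)


def find_shared_accounts(inventory):
    """Accounts whose password is known to more than one person."""
    owners = defaultdict(set)
    for resource, account, owner, _secret, _rotated in inventory:
        owners[(resource, account)].add(owner)
    return sorted((r, a, sorted(o)) for (r, a), o in owners.items() if len(o) > 1)


def find_stale(inventory, today: date, max_age_days: int = 90):
    """Accounts not rotated within max_age_days of `today`."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted({(r, a) for r, a, _o, _s, rotated in inventory if rotated < cutoff})


if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed so the report is reproducible
    for group in find_reused_secrets(INVENTORY):
        print("REUSED SECRET:", ", ".join(f"{a}@{r}" for r, a in group))
    for r, a, people in find_shared_accounts(INVENTORY):
        print(f"SHARED ACCOUNT: {a}@{r} known to {', '.join(people)}")
    for r, a in find_stale(INVENTORY, today):
        print(f"STALE: {a}@{r} not rotated in 90 days")
```

Run against a real export, each line of the report is one violation of the recommendation: a reused secret means one stolen password opens several doors, a shared account means nobody is individually accountable for its use, and a stale one means a leaked credential stays valid indefinitely.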
In addition, a password alone should never be the only authentication mechanism for critical data, sensitive systems, or the daily operations that touch them. Multi-factor Authentication (MFA) or Two-Factor Authentication (2FA) should be layered on top to ensure that the unique password for an account is actually being presented by the correct identity, in the correct context, whenever authentication is required.
This is where the concepts of Privileged Access Management (PAM) can help solve the privileged attack vector problem. PAM is a solution, a philosophy, and a procedural implementation spanning an organization’s entire information and security infrastructure. It automates the management of sensitive accounts and passwords, application accounts, and local administrative accounts across nearly all IP-enabled devices. It helps ensure that unique, complex passwords can be enforced across any organization and mitigates the threats of poor password hygiene. Furthermore, requests, approvals, session monitoring, and password retrieval are all recorded, so that any end-user access can be proven appropriate after the fact.
The goal of Privileged Access Management is to mitigate the Privileged Attack Vector problem. And, if that can be solved, then the risk surface for any resource can be reduced to a truly manageable level.
About the Author
Morey Haber has 20+ years of IT industry experience. He joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition and oversees strategy for both vulnerability and privileged access management. In 2004, Morey joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and key customer accounts. Morey began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators.
This article was contributed by Morey Haber, author of Privileged Attack Vectors.