The issue was highlighted earlier this year when the federal government confirmed Australian Bureau of Meteorology computer systems had been compromised – more troubling as the Bureau owns one of the country's largest supercomputers and has links to many other public sector agencies enabling lateral escalation by cyber attackers.
According to a recent report from consulting firm PWC, the number of detected security incidents in Australia increased by 109% during 2015. This has led to an increase in security budgets of 59% and it is likely a significant proportion of this will be used for access control.
iTWire sought comment from Matthew Brazier, ANZ Regional Director for CyberArk, because one of the best ways to stop lateral escalation is by securing, managing and monitoring privileged user accounts. Brazier has penned a good all-round explanation of the issue which is reproduced below.
One of the most important components in an effective security strategy is the use of privileged accounts that provide access to sensitive IT assets. Protecting these can allow an organisation to defend against advanced external and internal attacks and reduce its overall attack surface.
Experience shows the majority of serious, targeted security incidents follow a similar path. The attackers penetrate the perimeter using malware or existing inside access, steal credentials, escalate privileges, and then laterally move to new systems.
This process of privileged account compromise, escalation and movement typically continues until the attackers execute the final stage of the attack which is usually stealing data or causing disruption.
In organisations that do not secure privileged accounts, IT teams are often responsible for their own accounts which are typically shared among multiple users, reused across systems, and rely on only single-factor authentication. The problem is exacerbated by the fact that accounts are often configured with far more privileges than needed, making it easy for users to intentionally or accidentally cause damage.
Many Australian businesses face these types of attacks, but are reluctant to speak about them publicly. Problems can range from short-term disruption to critical systems and workflows to significant financial losses. Finding a way to guard against and prevent attacks is critical.
Securing privileged accounts
Privileged account security tools help organisations secure, control and monitor privileged accounts thereby helping to stop attackers early. At the same time, having centralised credential storage and policy management enables an IT security team to apply strong access controls and enforce policies.
Combined, these help to protect against unauthorised privileged account access, minimise the risk of privilege abuse, and limit an attacker’s window of opportunity in the event of a compromise. For added security, multi-factor authentication solutions can validate identities before users are permitted to access privileged credentials, and connections to highly sensitive systems can be isolated.
Because privileged accounts can enable attackers to masquerade as authorised users, continuous monitoring and intelligent threat detection are further critical factors. Once an authorised privileged account has been compromised, the most effective way to identify an attack is through behavioural analysis and anomaly detection.
Automated account management
Another key area of focus for a business's security team should be effective account management. This can be a complex task as new IT administrators joining an organisation may need administrative access to dozens, hundreds or potentially thousands of systems. When an administrator leaves or changes roles, it’s almost impossible to remember or locate all the accounts and permissions that should be removed.
As well as the time it takes to manually provision, maintain and remove accounts, such processes are also highly prone to human error. A single mistake can lead to a variety of consequences such as inconsistent policies or user account lockouts.
The solution is the automation of the account management process. This allows an organisation to configure privileged account access, credential and audit policies once, and automate the enforcement of those policies. Such automation helps minimise the on-going effort and cost associated with managing privileged user and application accounts.
Automating the provisioning and de-provisioning of privileged access and the rotation of credentials can significantly decrease an IT team's workload while simultaneously strengthening an organisation's overall security.
A third area of focus for Australian organisations should be the deployment of a centralised credential management platform. Without one, IT administrators may be faced with manually keeping track of tens or hundreds of credentials. In organisations that are required to regularly rotate account credentials to meet compliance and audit requirements, this management process is even more difficult.
A centralised account management approach can help an organisation secure and manage the credentials used to access privileged accounts in both on-premises and cloud-based environments. Instead of needing dozens or hundreds of sets of separate credentials, administrators need only one which can be a password, token, certificate or other multi-factor authentication method. Once logged in to a central console, administrators can seamlessly and securely access all authorised privileged accounts from one place.
Reliable audit trails
A fourth area requiring attention is the need for reliable audit trails that meet compliance requirements. Organisations often must be able to document who has access to what accounts, the location of users who accessed those accounts, and what actions were taken while using privileged accounts.
Without a centralised way to collect and store this information, IT teams may be forced to log in to each individual system, retrieve audit logs and then manually piece the logs together to create a usable audit trail.
When account credentials are instead centrally stored in a privileged account security solution, users must first log in to that central solution before they access authorised privileged accounts. As a result, IT auditors need only look to the central control point to see which users are authorised to access what accounts and which users accessed what accounts at what time.
To stay competitive, businesses need to remain agile while at the same time not compromising security. Taking an inside-out approach, by focusing on protecting the heart of the organisation, can significantly reduce security threat exposure while at the same time providing the added benefits of streamlined operations and simplified user processes.
By making use of privileged account controls, automated account management, centralised access and reliable audit trails, Australian businesses and government organisations can reach these important objectives.
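As an added illustration of the behavioural baselining and central audit-trail points made above (example code written for this page, not CyberArk's product or any real API), the following Python builds a per-account baseline from constructed privileged-session records and flags sessions that deviate from it, including one shared account driven from two source addresses within minutes. All account names, hostnames, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed records in the shape a central privileged-session log might hold (not real data).
# Each line: "<ISO timestamp> <privileged account> <target host> <source IP>"
BASELINE_LOG = """\
2016-03-01T09:12:00 dbadmin db-prod-01 10.1.1.20
2016-03-01T10:40:00 dbadmin db-prod-02 10.1.1.20
2016-03-02T14:30:00 netadmin core-sw-01 10.1.1.35
"""
NEW_LOG = """\
2016-03-04T02:15:00 dbadmin fileserver-03 10.1.9.77
2016-03-04T02:16:00 dbadmin hr-app-01 10.1.9.77
2016-03-04T02:17:00 netadmin core-sw-01 10.1.1.35
2016-03-04T02:18:00 netadmin core-sw-01 10.1.9.77
2016-03-04T09:30:00 dbadmin db-prod-01 10.1.1.20
"""

def parse(log):
    """Parse log text into (timestamp, account, target, source) tuples, oldest first."""
    rows = []
    for line in log.strip().splitlines():
        ts, account, target, src = line.split()
        rows.append((datetime.fromisoformat(ts), account, target, src))
    return sorted(rows)

def build_baseline(rows):
    """Per account: hosts normally reached, source addresses normally used, hours of day seen."""
    base = defaultdict(lambda: {"targets": set(), "sources": set(), "hours": set()})
    for ts, account, target, src in rows:
        base[account]["targets"].add(target)
        base[account]["sources"].add(src)
        base[account]["hours"].add(ts.hour)
    return base

def detect(baseline, rows, window=timedelta(minutes=10)):
    """Flag deviations from the account baseline, plus one account used from two sources within `window`."""
    findings, last_seen = [], {}
    for ts, account, target, src in rows:
        b = baseline[account]  # an account absent from the baseline gets empty sets and is flagged on all three
        if target not in b["targets"]:
            findings.append((ts, account, f"new target {target}"))
        if src not in b["sources"]:
            findings.append((ts, account, f"new source {src}"))
        if ts.hour not in b["hours"]:
            findings.append((ts, account, f"unusual hour {ts.hour:02d}"))
        prev = last_seen.get(account)
        if prev and prev[1] != src and ts - prev[0] <= window:
            findings.append((ts, account, f"concurrent use from {prev[1]} and {src}"))
        last_seen[account] = (ts, src)
    return findings
```

Because every session passes through the central log, the same records that feed the detector also answer the audit questions of who used which account, from where, and when.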