How CISOs Can Reduce Cybersecurity Risks with Least Privilege Strategy
By: Rohan Vaidya
In recent weeks, popping to the shops for supplies has become an exercise in queue management. For a period, getting your hands on certain items became virtually impossible. While the panic buying trend has faded, governments’ instruction to stay at and work from home has seen demand for online grocery shopping skyrocket. When you add opportunistic attackers and mandated home working for most employees to the mix, it’s a recipe laced with cyber-risk.
Now, more than ever, our online behaviour and habits don’t just encompass downtime spent on our own devices. According to a recent survey report published by Capgemini, with lockdown measures in place across India, there has been a surge in the use of online channels, and the trend will continue even after the lockdown is lifted. More online payments being made means more bounty to be made, which in turn means more risk.
Data and assets, ripe for the picking
Makers of ransomware and malware of all kinds will see this time as one of opportunity. Wherever there is uncertainty, vulnerabilities occur, and vulnerabilities are exactly what cybercriminals are looking for. But in this situation, there is more at stake. Why? Well, in 2020, what we lose to them will not always just be the personal, such as our PPI or bank details. Whilst these data nuggets will always be welcomed by a certain sort of cyber-criminal, our changing purchasing patterns also put our employers at risk.
The corporate laptops that we use to snap up bargains aren’t isolated devices. They are – potentially – a gateway to much more lucrative data and assets. Even the ability to hold a city to ransom, or an opportunity to take down a critical infrastructure supplier, could result from a ransomware attack that starts on an end user’s device. And this isn’t just a potential threat at the moment. Reports of data breaches have been coming in thick and fast since stringent lockdown measures were put in place. The threat is already here.
Businesses invest heavily in security. But the types of protection currently in place aren’t always enough to stop attacks like ransomware, a threat that can be delivered in the shape of a simple phishing email and can easily evade anti-virus and firewall tools. In fact, it was the fastest growing form of attack affecting businesses in 2019 according to Accenture, up 21% from 2018. Malware is also a common threat that arises simply by landing on an infected web page.
Organizations worldwide recognise the problem. Our own Global Advanced Threat Landscape survey found that 59 percent of respondents (all of whom were security professionals) saw ransomware and malware as one of the top three threats they face. But what are they doing about it?
Denying the prize
It’s been demonstrated time and time again that attacks will follow the path of least resistance, almost always targeting privileged credentials that provide access to the most sensitive areas of corporate networks. It’s no different during this period of increased online activity – attackers are using social engineering techniques that prey on contemporary trends and concerns to seize credentials used or stored on corporate devices, as well as exploit a user’s privileges on these devices.
The management of privileged credentials is known as privileged access management and involves the implementation of strict access controls over individual accounts within an organisation’s network. Providing users with unique credentials each time they require access to data or information means security teams can limit user access to the specific areas of a network that staff require in order to fulfil their work obligations. By doing this, attackers are denied freedom of movement, and are much less likely to be able to move laterally across a network even after compromising a user’s account. Without these controls, cybercriminals can hop from one account to the next, slowly making their way towards the more critical assets.
Despite its vital nature, securing privileged access has often gone under the radar within corporate cyber defence strategies.
Two pieces of evidence from CyberArk’s study back up this worrying picture. The first is that only 41% of security professionals understood that privileged credentials exist on user machines. The second is that only 27% said that their organizations were planning to introduce the principle of ‘least privilege’ security on the infrastructure running their business-critical applications.
One way to look at it is: if you don’t know something is there, it’s hard to protect it. As we experience this ‘new normal’ way of working, enforcing least privilege on employee laptops is an extremely effective way of stopping an attack from spreading. It’s not just access to user machines that is at stake here, but to the valuable assets and data held elsewhere in the network.
In order to avoid exacerbating the risk of cyber-threats presented by home working, people must limit their online activities when at work, be sensible about what they search for, and, most importantly, security teams must stop laptops used by home workers from acting as launch pads to a much more damaging compromise.
(The author is Managing Director Sales – India, CyberArk and the views expressed in this article are his own)