Data breaches are all around us, as well as other cyber tragedies like WannaCry, Mirai and Petya. Household names like FedEx, Maersk, Deloitte, Equifax, Nuance and Sony have all been victims of recent cybersecurity breaches. The daily press is draining, but there is something that can be learned from all the facts that can help all those involved in security become more secure and, it is hoped, stop the daily barrage of breaches and headline news.
First, statistics are great! They are a valuable commodity in a discussion to formalize a point and validate a position. Many times, others will question the source, accuracy or even meaning of a statistic to skew the results. A statistic taken out of context, or viewed on its own, can lead to very misleading results. The point is, statistics drive everything from social initiatives to new product development. The methodologies to collect and develop them are a science. They can help us explain why we continue to have breaches.
So, what are good sources for statistics? Security professionals may turn to vendors, analysts or the government for results. Cybersecurity company BeyondTrust is one of those vendors and produces statistics like the yearly Verizon Data Breach Investigations Report. While the data is compelling, in the end users are still just arguing with percentages, case studies and data that is quantifiable normally as a single sentence. For example, 76 percent of users admit not changing default passwords. The fact speaks for itself, but there is no rhyme or reason why this is done, or acknowledgement of why the security best practice of changing them is being ignored. The answer is above the science of statistics. It is due to user behavior and begins to explain our problem.
In a recent international survey called “The 5 Deadly Sins,” BeyondTrust discovered and confirmed many of the security statistics that have been mentioned in this article, such as administrator rights and lack of security knowledge. They make valid arguments for peers to discuss the state of privileged access but also revealed an interesting trend about user behavior that was quantifiable. In lieu of just asking, “Do you change default passwords,” lead-in questions help reveal why and highlight the user behavior aspect of these problems. For example, one of the questions confirms a specific finding by asking, “How frequently have you experienced a problem due to insecure security practices?” While this is not a trick question, it implies that the respondent to the security questions knows about an issue, the issue is not resolved, and it has become a liability for the organization. Using follow-up questions, user behavior can be deduced for the security problems, and their corresponding statistics represented in the survey.
This leads to a conclusion that five human traits are the reason breaches continue to occupy our daily news:
Apathy. Specifically, among password practices, organizations believe the threat level is highest for users sharing passwords with other users (79 percent). While organizations are generally well aware of the perils of sharing passwords, a relatively large number of respondents (22 percent) report that bad password practices persist.
Greed. The practice of allowing users to run as administrators on their machines is recognized by study respondents as the highest threat level (71 percent) among privilege management malpractices. Although the risk is recognized, an astounding 38 percent of respondents report it is still common for users to run as administrators on their machines, and 22 percent of respondents say this practice has caused downtime. Why are end-users still allowed to have administrator rights when it is a basic security hygiene to remove all excessive privileges?
Pride. Eighteen percent of respondents claim attacks that combine privileged access with the exploitation of an unpatched vulnerability are common. When combined with eliminating local administrator rights on end users’ machines, properly patching system vulnerabilities can close off most of today’s commonly reported attack vectors like ransomware. These threats thrive on system weaknesses and excessive access rights in order to move laterally.
Ignorance. Sixty-eight percent of respondents consider least privilege on Unix/Linux an important PAM function. While 86 percent of respondents believe their Unix/Linux environments have the highest level of protection, 54 percent of respondents still run Sudo on at least one Unix/Linux server, and 39 percent still run it on workstations. Respondents report that Sudo shortcomings include that it is time-consuming, complex and lacks policy version control and synchronization, making it a poor security practice.
Envy. A surprising 37 percent of respondents report they are not extending protection to SaaS applications and new cloud initiatives. Privileged access must be secured consistently across all resources, and there is a form of envy that the cloud does not need these initiatives — which is just not true.
Considering known statistics for security best practices, we have a very compelling discussion. The conclusions are even more impressive when the user behavior driving them is exposed and communities can be educated that these behaviors are actually creating cyber security risks. Solving the problems based on statistics alone ignores the human element. By creating a dialogue on why a person does things and backing them up with statistics, users are more apt to actually implement a healthy change than with just raw data alone. This could help make breaches a less common occurrence in the end.
Therefore, here are five steps that, if implemented, can have a positive impact to address the five deadly sins that lead to the most frequent types of data breaches:
Deploy enterprise password management globally across all data centers, virtual and cloud. A centralized password management solution that includes built-in session monitoring will ensure that both important capabilities are met, while providing an automated workflow that makes it easy to use across all accounts and applications.
Remove local admin rights from all Windows and Mac end-users immediately. Once all users are standard users, IT teams can elevate a user’s access to specific applications to perform whatever action is necessary as part of their role without elevating the entire user on the machine. The benefit? When the next ransomware variant breaks out, the end users’ machines will be contained, preventing further propagation and making it easier to remediate from an IT perspective.
Prioritize and patch vulnerabilities. Attackers exploit asset vulnerabilities, hijack elevated privileges or compromised credentials, and move laterally until they achieve their objective. What’s the first step in that chain? Vulnerabilities. Better prioritization and patching of vulnerabilities boosts a company’s ability to execute smarter privileged delegation decision-making with regards to assets or applications.
Replace Sudo for complete protection of Unix/Linux servers. With pressure on budgets, some organizations may be stuck with Sudo, but it doesn’t offer the industrial-strength capabilities that today’s security needs, such as user behavior analytics, fine-grained policy controls, file integrity monitoring, centralized control, activity reporting and more.
Unify privileged access management — on the premises, in the cloud — into a single console for management, policy, reporting and analytics. As organizations race to adopt “the cloud,” IT must provide the same level of protection to cloud-based systems as for on-premises systems. Remember, they are someone else’s computers but we must protect them just like our own.
Companies willing to implement these practices will help keep themselves out of the news for the wrong reasons, and avoid becoming yet another bad statistic. Changing user behavior is a key step in making this change.
Morey J. Haber is vice president of technology at BeyondTrust. With more than 20 years of IT industry experience and as author, with Brad Hibbert, of Privileged Attack Vectors, Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Currently, as VP of technology, he overseas strategy for both vulnerability and privileged access management solutions. BeyondTrust is a global security company that helps businesses reduce risks against data breach threats.
Speak Your Mind
You must be logged in to post a comment.