By now about 143 million Americans know, or ought to know, that their most sensitive personal financial information is in the hands of bad guys. Where do we go from here?
This, of course, refers to the well-publicized Equifax data breach. What isn’t known, at least not yet, is who actually breached the credit bureau and how they did it. In its announcement of the breach, Equifax says its investigation remains ongoing and “is expected to be completed in the coming weeks.”
In any case, Richard Smith, Equifax CEO, said: “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
While that may be scant comfort to most of us, at least it can serve as an impetus for every organization that maintains databases of sensitive information to re-examine security systems, procedures, and policies.
On that score, two broad areas of security approaches seem to have emerged and may need much higher attention than before.
As deduced from recent literature on the subject, these are: identifying and protecting privileged accounts (as opposed to general perimeter security), and consolidating the multiple security solutions that many organizations run into a coordinated, entity-wide system.
Protecting “privileged accounts”
First, privileged accounts. What are they?
Core Security Inc., which specializes in account access management, says that, in general, these are any accounts that have access to monetizable data, such as Social Security numbers, credit card numbers, passwords, etc. The most common types of privileged accounts are local admin accounts, privileged user accounts, domain admin accounts, emergency accounts, and service accounts.
All of these are password protected—and that’s their main vulnerability. The passwords often are easy to guess (e.g. “admin/admin”), seldom changed, stored in unencrypted files, or disclosed unintentionally by users who fall victim to phishing attacks.
Thycotic, another provider of privileged account management, surveyed more than 250 hackers who attended the annual Black Hat convention in Las Vegas. Nearly one third named privileged accounts as the easiest and fastest way to get access to critical data, followed by 27% who said user email accounts were the easiest.
“Given that privileged accounts are prime targets for hackers, IT professionals should consider the opinions of the hackers themselves when it comes to protecting privileged accounts,” says Joseph Carson, chief security scientist, Thycotic. “In today’s connected world, organizations can no longer rely only on the traditional cybersecurity perimeter controls.”
Instead, he says, organizations need to focus on protecting privileged account credentials and enhancing user passwords with multifactor authentication.
It’s not just the vendors saying this. The SANS Institute recently issued a report—the day before Equifax made its breach announcement—that says user credentials and privileged accounts are the most common data types involved in significant breaches. Why? Because stolen access information grants attackers the same privileges as their victims, from which they can escalate and spread their attacks.
Also, TD Bank, in a survey of 392 security professionals during a recent conference in Austin, Texas, says 91% anticipate that payments fraud will become a bigger threat in the next two to three years. More to the point, 64% of respondents say either they or their clients experienced a cybersecurity event in the past year. Most common incidents: business email compromise (20%), account takeover (19%), and data breach (15%).
SANS Institute, in an earlier study, highlights the need to protect against unintentional insider compromises.
“Malicious insiders have always been a threat, but the risk is increasing from unintentional insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware,” says Eric Cole, SANS instructor. “Every organization is only one click away from a potential compromise.”
Building new and better walls
Shifting gears now to rethinking and restructuring security defenses.
To put it simply, according to the literature, many organizations have built up over time multiple defense systems, each of which targets a specific type of threat or protects a specific business area—but which are siloed and easily flanked by attackers.
A survey by Forrester Research, on behalf of Endgame, an endpoint security firm, says the No. 1 priority for security executives is achieving complete breach intolerance, which requires fundamental changes to staff skill sets, processes, and tools.
“Preparing for and responding to … attacks requires a focused and resolute strategy of complete breach intolerance to stop system damage and data loss,” says Chris Sherman, senior analyst at Forrester Research. “Among other recommendations, enterprises should consider investing in a comprehensive endpoint technology that reduces complexity and burden on security operations teams.”
As part of the survey, Forrester found that 71% of respondents use five or more technologies in their system and organization controls, and 33% use eight or more.
Celent, in a recent report, maps out where banks have commonly employed security systems—one for anti-money laundering, six for various areas of fraud, and one each for trade compliance and corporate security. However, depending on the organization, the number of “solutions” can be much higher.
“Banks have stumbled over the convergence of large numbers of detection systems that have evolved as point solutions,” says Joan McGowan, Celent analyst, in a blog derived from her report. “Some of the larger banks report more than 30 AML and fraud detection systems across their organization. These systems have remained siloed along business lines and shaped their own data standards, data models, procedures, and controls for detection and case management of suspicious activities.”
Regarding this latter observation, Celent notes that most banks are in fact implementing a move toward focusing case management in each of the four areas—AML, fraud, trade compliance, and corporate security—which seems to be a positive step.
Still, the consultant recommends going a step further, and consolidating investigative case management of all four areas into one corporate function.
“By adopting a centralized investigative case management system equipped with innovative technologies, banks can address operational production inefficiencies and quickly realize considerable benefits,” McGowan says.
Of course, even worse than siloing automated protection systems is depending on manual protection systems instead—which seems more common than one would think. SANS, in yet another study, this one co-sponsored by Infoblox Inc., surveyed more than 250 IT and security administrators, engineers, IT managers, developers, and privacy experts.
It finds that 59% of these respondents are using manual processes to identify sensitive assets, leaving their networks prone to massively automated attacks.
What’s particularly striking about this survey is what the main targets are—user credentials and privileged account information.
In a nutshell, Sean Tierney, director of Threat Intelligence at Infoblox, puts it this way:
“Those still relying solely on manual processes are doing themselves a disservice by opening up their networks and customer data to highly automated, targeted attacks. In order to counter the chances of compromise, they must know how data should flow and design an in-depth defense strategy to secure assets like user IDs, credentials, roles, and directories. Automating network processes helps uncover sensitive data in previously unknown areas of the network. It frees up time for IT admins to perform more important, high-level tasks.”