When global food and beverage giant Mondelez was hit with the NotPetya ransomware, the cost was reportedly as much as US$100 million, and a major acquisition was put on hold until the damage was remediated. You could argue they got off lightly: credit reporting giant Equifax has spent over $1.2B cleaning up after its spectacular hack in 2017, which exfiltrated hundreds of millions of records.
Criminals, businesses and even governments have always tried to steal data, whether to enrich themselves or to win at commerce, war or some other endeavour. And while the computer age changed the way data is stored and shared, it took some time for online criminals to realise the value of data.
Increasingly those who would steal data have come to understand that it’s identity that connects users to their devices and apps — which themselves are connected to data, systems, and services, also through identity.
That is why businesses need to employ an identity-centric security paradigm – one that will allow them to deliver secure access and privilege for any identity to any resource, using any device, from anywhere, says Thomas Fikentscher, Regional Director ANZ, CyberArk.
“Once you take on an identity-first mindset and look around your business, you’ll see that the type and number of privileged identities is rapidly expanding.”
This is important because as the threat profile evolves, the response needs to evolve too, and it needs to do so faster and more effectively.
Until recently, only IT admins were considered privileged users; this obviously expanded to admins using cloud consoles — but in today’s environment almost any identity can be privileged under certain conditions.
This could be a workforce team member who is also the admin of a sensitive HR or financial system, or even a non-human identity, like an automation bot that accesses sensitive applications during a routine task.
The era of the massive data breach started in November 2013, when Target in the United States of America was the victim of a breach resulting in the personal data of over 100 million customers being stolen and traded by criminals.
While threat actors ply their craft on all sorts of organisations running on myriad different systems, one thing remains true of most cyber attacks: they start by exploiting a weakness on an endpoint device.
Whether we are talking about ransomware attacks, data theft, or the latest attacks that use extortion to coerce victims to pay money or see their private data put into the public domain, criminals focus their attacks on endpoint devices — most often by exploiting privileged user access.
The impact of these attacks is significant, though not always obvious.
Even when a business is able to recover from an initial attack, there are ongoing consequences. As well as the lost revenue during the attack and the cost of the recovery effort, there remains the potential for data loss. When sporting goods retailer INSPORT was attacked in 2020, some data was never recovered. The company potentially sits on a ticking time bomb as it’s unsure what data the criminals accessed and still have in their possession.
The cyber attack on aged care provider Regis Healthcare resulted in data being encrypted, stolen and published by an overseas actor, with personal information released into the public domain. While this didn’t impact the organisation’s care of residents, it can have a material impact on its reputation.
Regardless of whether it’s an end-user’s computer, a server or a service running on a system, there is always a user account involved. Every user account associated with a system or network has some degree of privileges that allow the user to carry out their duties. For example, if an attacker is able to steal the user account belonging to a member of the accounts team, they can pretend to be that person. They might be able to create and process a false invoice, steal customer banking information or edit information so funds are redirected to their own accounts rather than to debtors.
What if that compromised member of the accounts team also has some access to the HR and payroll systems? They can send and receive email, and access file shares and other places where sensitive, related information is held. Suddenly, the breach of a single user account can result in broad access to a huge part of the business.
If you’re a retailer, that could even extend to point-of-sale, warehouse and inventory systems. When Target was breached, the attackers spent several months in the company’s systems, and found a path through the network and laterally across systems from the air-conditioning system to point-of-sale terminals, where they stole the customer data.
The systems we rely on are increasingly interconnected and, often, those connections are not obvious. While the link between finance and payroll is easily understood, the number of hops it takes to move from an air-conditioning system to a point-of-sale terminal is harder to understand.
These examples show that even business users, or external users who occasionally need access to perform work or a service such as regular maintenance, can become privileged users depending on what they do and on the systems and data they access and use.
This is why systems that can monitor for privileged account activity and anomalous behaviour are so critical. Organisations need tools that enforce security policies and ensure that when a privileged account is used, the activity is recorded. For critical assets, it’s vital that they are isolated appropriately so users can’t access them unless it’s absolutely necessary.
It’s not just about limiting what a user account can do — it’s about limiting the service or application so only specific user accounts can access it. And when a user account is used, or an attempt to use an account for an unintended purpose is made, appropriate alerts are sent to your security operations centre.
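The two controls just described, limiting each service to specific accounts and alerting when an account is used for an unintended purpose, can be illustrated with a small policy check. This is an added example, not code from the article or from CyberArk; the account names, system names, allow-lists and audit log lines are all constructed, and the hop from the air-conditioning controller to a point-of-sale terminal mirrors the Target scenario above.

```python
# Added example (not from the article or CyberArk): a minimal identity-centric
# access check. Each system carries an allow-list of accounts, every privileged
# action is recorded, and an account reaching a system it was never intended
# for raises an alert. All names, policy and log lines are constructed.

ALLOWED = {                      # system -> accounts permitted to use it
    "finance-erp": {"alice.accounts", "svc-invoice-bot"},
    "hr-payroll": {"hr.admin"},
    "pos-terminal": {"pos-svc"},
    "hvac-controller": {"vendor-hvac"},
}
PRIVILEGED = {"create_invoice", "edit_bank_details", "export_records", "admin_login"}

# Constructed audit events in key=value form, one per line.
SAMPLE_LOG = """\
account=alice.accounts system=finance-erp action=create_invoice src=ws-finance-07
account=svc-invoice-bot system=finance-erp action=read src=app-01
account=alice.accounts system=hr-payroll action=export_records src=ws-finance-07
account=vendor-hvac system=hvac-controller action=admin_login src=vpn-gw
account=vendor-hvac system=pos-terminal action=admin_login src=hvac-controller
"""

def parse(line):
    """Turn 'k=v k=v ...' into a dict; values may contain '='."""
    return dict(kv.split("=", 1) for kv in line.split())

def evaluate(log_text):
    """Return (audit, alerts).
    audit:  every privileged action, recorded even when it is permitted.
    alerts: (reason, event) tuples for accounts used outside their purpose."""
    audit, alerts = [], []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["action"] in PRIVILEGED:
            audit.append(ev)
        allowed = ALLOWED.get(ev["system"])
        if allowed is None:
            alerts.append(("unknown_system", ev))
        elif ev["account"] not in allowed:
            # The source being another managed system means the account is
            # hopping between systems rather than coming from a user workstation.
            reason = "lateral_movement" if ev["src"] in ALLOWED else "unauthorised_access"
            alerts.append((reason, ev))
    return audit, alerts

if __name__ == "__main__":
    audit, alerts = evaluate(SAMPLE_LOG)
    print(f"{len(audit)} privileged actions recorded")
    for reason, ev in alerts:
        print(f"ALERT {reason}: {ev['account']} -> {ev['system']} from {ev['src']}")
```

Running it records four privileged actions and raises two alerts: the accounts-team user exporting payroll records, and the HVAC vendor account logging into a point-of-sale terminal from the HVAC controller.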
Identity security is a core element of any robust security strategy. By ensuring user accounts can only be used for their intended purposes, applications and services are only accessed by specific accounts, and appropriate monitoring and alerts are in place to detect unexpected activity, businesses can feel more confident that their critical data and business assets are well protected.
This article was produced by Which-50’s Digital Intelligence Unit on behalf of CyberArk