
10.7.22 – SIW – Joseph Carson

Compromised identities are still the biggest cybersecurity risk to organizations

As more critical data and company information are stored on an organization’s network, we face increasing risk from cyber breaches and attacks. Any device that connects to the internet, including a seemingly harmless mobile app or a massive company’s computer system, leaves vulnerabilities that hackers can exploit to gain access and steal sensitive data.

Cybercrimes are rising at an alarming rate, thrusting cybersecurity into the forefront for governments and businesses all over the world. With many high-profile breaches, companies understand the potential risks to their finances and reputations if they don’t shore up their security.

Most cybersecurity measures are focused on protecting sensitive information from nefarious actors outside of the organization. But what about the threat from within?

Some of the most damaging and highly publicized attacks in recent years have been the result of insider threats – compromised identities. Whether accidental or intentional, these threats leave a huge gap in a company’s cyber risk.

The Threat from Inside Your Company

Some of the biggest breaches we’ve experienced recently have been executed by nefarious parties from foreign countries or massive technology failures that left companies vulnerable at the wrong moment. We can sit back and watch with some degree of removal, assuming that we’re not carrying the same risk.

Unfortunately, that couldn’t be further from the truth. Sure, major breaches like SolarWinds and Colonial Pipeline were executed by sophisticated parties in other countries, but they came from the same source – compromised identities.

Take the SolarWinds breach, for example. It was a sophisticated attack from foreign hackers, but its source was compromised credentials. The hackers waited for the best moment, which was during a routine software update.

A lot of pieces were in motion to make the breach happen. The compromised identity had to download the tainted update and deploy it, and the affected system then had to connect to the internet so the hacker could communicate with the servers.

The results were huge. Hackers found their way into the Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security. Embarrassingly, this is the same organization that protects federal computer networks from cybercrime.

This situation isn’t limited to SolarWinds, however. The Colonial Pipeline attack also came from compromised credentials in the form of one password. Hackers were able to infiltrate the system to achieve their goal – disrupting the fuel supplies to the U.S. Southeast through key conduits that deliver fuel from the refineries in the Gulf Coast to the entire East Coast.

In this instance, simply implementing multi-factor authentication could’ve prevented hackers from gaining access. If the hacker had to go through this extra step and failed, they would not have gained access to the network to reach their goal.

The reality is that no matter how strict a cyber security protocol is, people are still the weak link. No matter the industry or size of the business, people are still involved in the process and may create openings for hackers – intentionally or otherwise.

These are the main kinds of insider risks:

  • Human Error: Human error is always a risk when people are involved. Simple mistakes, such as having a device stolen or sending confidential data over an insecure network, can end up creating an opening for a hacker. The mistake may be small, but the consequences can be severe.
  • Leaked Passwords and Malicious Intent: People will always be prone to mistakes and oversights that can cause a security vulnerability, but sometimes employees deliberately leak passwords and other information to damage the company or for financial gain.
  • Hijacked Identities: Cybercriminals know that people are a weakness and often try to hack identities to gain access to a network. This can be done with malware or phishing attacks, stealing credentials, and more. Once the hacker has access to the system, they can move freely to find the information they want.

Worse yet, when the threat comes from trusted sources, it’s not detected as quickly. Hackers can also cover their tracks and erase any evidence of their activities to make it more difficult for a forensic investigation to reveal the source.

Restrictive security policies are important for preventing and defending against cybercrime, but they don’t always include plans to manage compromised identities. Furthermore, strict cyber security measures may be a barrier to innovation and productivity.

Implementing Zero Trust

Along with a comprehensive cyber security protocol, zero trust architecture should be implemented to improve the user experience while addressing an organization’s security needs.

With zero trust, the basic principle is that everything comes from an untrusted source. The network is no longer trusted for the sake of it, and everything is assumed to be a breach unless proven otherwise – never trust, always verify.

This model requires all users to be authenticated, authorized and validated before they can gain access to the applications, network, or data. Implementing least-privilege access and microsegmentation also prevents hackers from moving laterally in the system. If a breach does occur, analytics can be used to detect and respond to threats.

Zero trust relies on these principles:

  • Evolving perimeter: Traditional cyber security used to require protection and defense of the perimeter, or “castle wall.” With remote workforces and cloud storage centers, perimeter protection is no longer enough. Zero trust integrates security throughout the network.
  • Verification and authentication: All users must be authenticated and verified based on the available information, including device, service, location, identity, workload, and more.
  • Principle of least privilege: Privileged access is provided only as needed. Instead of users retaining privileged access at all times, this principle gives them only the access they need, and only for as long as they need it; then it’s taken away.
  • Assume a breach: Zero trust is not only designed to prevent threats, but it minimizes the damage if a threat does occur. With microsegmentation, users have limited access to inflict damage and the “blast radius” of the breach is minimized. If a breach happens, analytics can be used to determine the threats and improve defenses.
  • Zero inherent trust: Zero trust architecture assumes everyone is guilty until proven innocent. Any requests for applications and services must be verified first, at the perimeter level, before access is granted.
  • Workforce, workplace, workload: Workforce refers to establishing trust levels of users and devices to assign privilege. Workplace refers to the implementation of trust-based access control. Workload refers to preventing unauthorized access within segmented networks.
  • Continuous trust verification: Users have to establish trust by verifying their identity in a number of ways, including multi-factor authentication and device location. This ensures least-privilege access.
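To make the verification, least-privilege and continuous-verification principles above concrete, here is an added toy policy evaluator (example code written for this page, not from the author or any product). It assumes constructed signals (MFA result, device compliance, country), constructed allowed countries and session lifetimes, and sample requests that are invented for illustration.

```python
"""Added example (not from the article): a toy zero-trust access decision.
Every request is checked on MFA, device compliance and location (default
deny) and privileged access is granted just-in-time with a short expiry.
Thresholds and sample requests are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Request:
    user: str
    mfa_passed: bool
    device_compliant: bool
    country: str
    resource: str
    privileged: bool = False

ALLOWED_COUNTRIES = {"US", "CA"}           # constructed policy value
JIT_PRIVILEGE_TTL = timedelta(minutes=30)  # constructed: privileged sessions are short
STANDARD_TTL = timedelta(hours=8)          # constructed: ordinary sessions

def evaluate(req, now=None):
    """Return (decision, reason, expires_at). Each signal must pass; nothing is
    trusted just because the request came from inside the network."""
    now = now or datetime.now(timezone.utc)
    if not req.mfa_passed:
        return "deny", "mfa_required", None
    if not req.device_compliant:
        return "deny", "device_noncompliant", None
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", "location_not_allowed", None
    ttl = JIT_PRIVILEGE_TTL if req.privileged else STANDARD_TTL
    return "allow", "verified", now + ttl

def is_active(expires_at, now):
    """Continuous verification: access lapses once the grant expires."""
    return expires_at is not None and now < expires_at

def simulate():
    """Evaluate constructed sample requests; returns decisions plus a JIT expiry check."""
    t0 = datetime(2022, 10, 7, 9, 0, tzinfo=timezone.utc)
    samples = [
        Request("alice", True, True, "US", "payroll-db", privileged=True),
        Request("bob", False, True, "US", "payroll-db"),
        Request("carol", True, False, "US", "wiki"),
        Request("dave", True, True, "XX", "wiki"),
    ]
    results = {r.user: evaluate(r, t0)[:2] for r in samples}
    expires = evaluate(samples[0], t0)[2]
    results["alice_active_after_10m"] = is_active(expires, t0 + timedelta(minutes=10))
    results["alice_active_after_31m"] = is_active(expires, t0 + timedelta(minutes=31))
    return results
```

A real deployment would feed these signals from the identity provider, endpoint management and network telemetry rather than from request fields, but the decision shape is the same: deny unless every check passes, and let privileged grants expire on their own.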

Zero trust is a comprehensive approach that considers multiple ingress points, such as:

  • Identities: Each identity is verified and secured with authentication.
  • Endpoints: Compliance and health status must be verified before access is granted.
  • Apps: Appropriate in-app permissions, gated access based on analytics, and monitoring and control of user actions limit app risk.
  • Data: Perimeter-based protection is secondary to data-driven protection. Intelligence classifies data, while encryption and access restriction limit access based on existing policies.
  • Infrastructure: Telemetry is used to detect suspicious behaviors and attacks.
  • Network: The network is fully protected using encryption, limited access, microsegmentation, and real-time threat detection.

Combat Security Threats from Compromised Identities

Zero trust has been around for over a decade, but in a world facing increased cybercrime, it’s never been more important. Companies have a wealth of sensitive data and geographically dispersed teams and networks, calling for more than just perimeter protection. Compromised identities are a risk to any organization’s cyber security, and the best way to tighten up security is with the least privileged access and the guiding principles of zero trust.

About the author: Joseph Carson is a cybersecurity professional with more than 25 years of experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP). Carson is also a cybersecurity adviser to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.