There are dozens of breaches every day in businesses across the UK. Some we hear about, some we don’t. Some disclose their breaches immediately, while others sit on the information for a long time before they make the details public. However, GDPR coming into force in May 2018 is set to change the landscape.
Some breaches affect more people than others, like when Yahoo admitted to a breach affecting 3 billion users, while others affecting a tiny group can have more far-reaching consequences, like the John Podesta email hack that ultimately cost Hillary Clinton the POTUS crown. And it is these small but mighty breaches of important and privileged accounts that businesses need to be most careful about.
Joseph Carson, chief security scientist at privileged access management company Thycotic, says it is in effect a ‘game over’ scenario for businesses as soon as privileged accounts get hacked. Privileged accounts are essentially root-level accounts, or ones that can set up more accounts, and a breach there can lead to ‘catastrophic’ consequences for businesses because, once access has been obtained, malicious actors can go on to create and access accounts, create logs and steal information.
‘Most people, even those who are not on the internet, have been impacted by a data breach. This is the new reality. If you have an online presence, you will definitely be breached! In 2016, more than 3 billion identities leaked… the number was higher than people using the internet.
‘We are also getting to the point where, even without your self-created digital footprint, people around you are putting you online. Increasingly, people around you are tagging you, showing where you are and in effect creating your online profile for you.
‘It is now that [the ramifications of a data breach] are becoming more relevant to the individual because of the impact seen. The impact of what’s happened and how much of it is down to the availability of data also matters. Most consumers are not that bothered about data breaches but about their data not being available.
When it comes to individuals, it depends very much on what type of data is most at risk or being used. ‘Consumers are more concerned about personal information like health, photos, financial etc. being breached than their logins on sites.
With 80% of data breaches the result of stolen or compromised privileged credentials, organisations need to make protection of these privileged accounts a security must, and for this Carson offers some pointers. If a business follows the checklist, it should be well protected against privileged account breaches:
- Try to understand from the outset how important each of the privileged accounts is: how they are used and their impact. Run a proper risk assessment on them. Some organisations are very dependent on their privileged accounts for everything they do. So the account tied to the wifi access within the office and the admin account linked to the salesforce.com account should be given different weighting. One is obviously more important than the other, and so the business should be more sensitive about who has access to which one.
- Categorise privileged accounts. We have found that many businesses fail to proactively discover privileged accounts. If a business doesn’t discover them, there is a real risk of it failing its audit. Often, businesses don’t even know the number of privileged accounts they have, and this is just the ones that have the ability to create other accounts. During audits, a business will usually find that it has 5 times more privileged accounts than it had initially audited for!
- Apply best practice security controls. Auditing, 2-factor and multi-factor authentication are key to protecting privileged accounts and then making doubly sure they are secure. So businesses need to make sure that it is not just one password that gets you in. Additional controls need to be in place, and putting privileged accounts into a privileged account vault that will manage, rotate and secure them is the easiest way.
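The discovery and categorising steps of the checklist, as an added example that is not from the article or from Thycotic: it parses constructed passwd/group data, ranks each privileged account it finds, flags non-interactive service accounts (which need vaulting and rotation rather than interactive MFA), and lists accounts missing from a hypothetical audit inventory.

```python
# Added example (constructed sample data, hypothetical inventory); not from the article.
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002:Backup service:/var/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """root:x:0:
sudo:x:27:alice,svc-backup
wheel:x:10:bob
users:x:100:alice,bob
"""
KNOWN_PRIVILEGED = {"root", "alice"}  # hypothetical: what the last audit recorded
ADMIN_GROUPS = ("root", "sudo", "wheel", "admin")

def parse_passwd(text):
    """name -> {uid, gid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    """name -> (gid, set of secondary members) from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            gname, _, gid, members = line.split(":")
            groups[gname] = (int(gid), {m for m in members.split(",") if m})
    return groups

def discover_privileged(passwd_text, group_text):
    """Map each privileged account to its reasons, tier and service-account flag."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    found = {}
    for name, info in users.items():
        reasons = {"uid0"} if info["uid"] == 0 else set()
        for g in ADMIN_GROUPS:
            gid, members = groups.get(g, (None, set()))
            if name in members or info["gid"] == gid:  # secondary or primary group
                reasons.add("group:" + g)
        if reasons:  # uid 0 and the root group outrank sudo-style groups
            tier = "critical" if reasons & {"uid0", "group:root"} else "high"
            found[name] = {"reasons": reasons, "tier": tier,
                           "service": info["shell"].endswith("nologin")}
    return found

def audit_gap(found, known=KNOWN_PRIVILEGED):
    """Privileged accounts discovered on the host but absent from the inventory."""
    return sorted(set(found) - known)
```

Running it against real hosts means feeding the actual /etc/passwd and /etc/group contents in place of the constructed strings; the gap list is what the audit would otherwise miss.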
‘Many organisations don’t realise that crucial accounts are covered by separate legislation and directives, including (and not restricted to) PCI-DSS, NIST, ENISA, GDPR, HIPAA, SOX and ASD in Australia and New Zealand. If a business doesn’t comply with the legal framework that applies to privileged accounts, it will fail its audits, and it needs to start taking action now.
‘Investing time in addressing cyber fatigue and improving awareness is also very important, as is getting employees to be better at breach response. Organisations are increasingly not responding to cyber fatigue… If I had to remember all my passwords, it would not be possible.
‘Not protecting privileged accounts exposes organisations to compliance failure as well as data breaches. The difference is that when you compromise a non-privileged account, it allows the cyber criminal to use just one account: emails from one person and contacts of that one person. But with a privileged account, it is a major incident at that point. Organisations can be attacked thousands of times but breached probably just 100 times, and it will be down to what kind of account got breached.
At the end of the day, there is no right or wrong time for a breach disclosure. However, the concept of an ideal time does exist for breaches, like how Yahoo disclosed that it had been breached at the same time as the presidential election results were being announced and the media was distracted. There is a possibility of a breach getting overshadowed by bigger happenings in the media.
Carson signs off saying, ‘The breach getting overshadowed will not prevent bad press; that will definitely happen. The only way a business can stop a breach from happening is by making sure its privileged accounts are suitably protected.’