Using Privileged Access Management to Protect Against the Unexpected

By Adam Bosnian, Executive Vice President, CyberArk

Organizations are working to defend themselves on an increasing number of fronts – external adversaries, internal forces, and even hidden threats in existing tools and supply chains. These fronts are dynamic and can be unpredictable and difficult to prepare for, but these “known unknowns” can be planned for. What really causes sleepless nights are when attackers open up a whole new front of digital warfare on a front – or fronts – that we didn’t even know existed.

Driven by both the rush to digitally transform and the environmental change that is the “new normal,” enterprises are being pushed to run faster, be more agile, and operate as efficiently as possible. As a result, CIOs are constantly adopting new technologies to move data and workloads to the cloud, automate existing processes, bring new revenue-generating applications to market faster than competitors, and enable new mobile and social customer experiences.

There is good news for the CIO, such as increasing their ability to impact the success of these wider business initiatives. There is also bad news, as this proliferation of initiatives and the related technology that enables them equals increased vulnerability to attack. Some of these will be predictable…and some of them less so.

Predictable threats are ones that we have always faced or are obviously going to come as the result of a planned business initiative. They may on occasion be damaging, but they are a known risk, and an experienced CIO can plan for them.

Lessons From History: Unpredictable Attacks Are the Most Damaging

Threats that come from out of the blue are the ones that have the potential to cause deeper disruption. There are lessons from history that illustrate what can happen when threats come from an unexpected direction. One marked example is the sack of Rome in A.D. 410. While the glory days of the Roman Empire were gone, Rome itself had survived invasion and siege for over 800 years.

While it was no secret that the Visigoths – our external attackers in this case – wanted to hold the city to ransom in order to force the Romans to cede land and power to them, the city’s walls were strong. Compromises were made to allow supplies to citizens, and attempts at military reinforcements were made.

However, once it became apparent that Rome would never accede to the Visigoths’ demands, agents within the city – malicious insiders if you will – opened Rome’s Salarian Gate and 40,000 invaders marched into the city, razing much of it to the ground virtually unopposed. 

In the present day, two recent events serve to demonstrate the potential severity of attacks on an undefended front.

The first was driven – and still is being driven – by the ongoing global health crisis. As organizations worldwide pivoted to remote working, CIOs suddenly had to cope with a hugely expanded and in some cases an entirely new set of vulnerabilities. Our own research showed that the home workforce immediately adopted behaviors that could threaten the security of critical assets and data. These behaviors included, but were not limited to: password re-use; letting family members use corporate devices; and using unmanaged, insecure bring-your-own-device (BYOD) products to access corporate systems.

The reason these behaviors create grave risks to enterprise security is that they tightly align with the modus operandi of the majority of attackers. Every corporate device that becomes vulnerable and every password that is re-used or saved in a browser becomes a target and amplifies the risk of a breach or malicious incident. This is especially true when it comes to privileged credentials – these credentials should be considered the most important in any organization because they provide elevated access and permissions to accounts, applications, and infrastructure.  

The second is a more practical demonstration of just what attackers can do when they compromise privileged access. In the case of the attack on Twitter, employees with administrative access were targeted in a social engineering attack – designed to trick unsuspecting employees into making security mistakes, such as giving up passwords, clicking a malicious link, and more. Once the attackers were able to steal and exploit this privileged access, they could access the internal controls used to manage accounts, ultimately taking control of high-profile accounts like those belonging to Barack Obama, Elon Musk, and more.

These situations both show why attackers covet privileged credentials – by exploiting them, they can elevate their level of access to move from an endpoint into networks, applications, cloud, and more. This allows attackers to target and steal sensitive data while exponentially increasing potential damage.

Prioritizing Privileged Access Management to Guard Against the Unpredictable

Put simply, cyber attacks cannot be stopped if privileged access is not secured. This means everywhere – in the cloud, on the endpoint, in applications, in automated processes, and throughout the DevOps pipeline.

Protecting privileged access should be on the mind of every CIO and indeed on that of the entire leadership team and board of directors, because regardless of the organization’s size or location, privileged access is being targeted and used to facilitate devastating attacks. 

This is why privileged access management is firmly established as a top CIO priority, one that provides proactive controls that can provide peace of mind when battling in these dynamic environments, and preparing for whatever front – however unexpected – we must defend next.

To learn more about how privileged access management can help protect organizations’ most critical data, infrastructure and assets, download a complimentary copy of the Gartner 2020 Magic Quadrant for Privileged Access Management¹:

https://www.cyberark.com/gartner-mq-pam/

1. Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, 4 August 2020

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.