PRIVILEGED USERS AND DATA BREACHES: A MATCH MADE IN HEAVEN?

Transcription

1 PRIVILEGED USERS AND DATA BREACHES: A MATCH MADE IN HEAVEN? SEPTEMBER 2014 Commissioned By:

2 Contents Contents... 2 Executive Summary... 3 About the Respondents... 3 Data Breaches and Privileged Accounts... 5 Privilege Management and IT Operations... 8 Conclusion... 9 About Thycotic About IANS

3 Executive Summary The list of major data breaches keeps getting longer every day. Organizations both large and small are being targeted aggressively by hacktivists, nation state actors, organized criminal teams, and more. Many organizations are also beginning to realize that attackers aren t focused solely on monetary gain anymore. Rather, they are looking more for intellectual property, blackmail and extortion opportunities, and compromised systems to add to their growing botnets. Several of the common trends that appear across recent attacks are quite disconcerting. First, people are often the first target of attacks today, more so than systems. Attackers are finding that social engineering efforts against users are incredibly effective at gaining an initial foothold in many enterprises. Second, authentication in many organizations still relies on basic usernames and passwords, and stealing credentials from users is trivial for many sophisticated attackers. Finally, many organizations today are not properly managing the users and credentials with the keys to the kingdom in their environments - the privileged users who have access to and control over most of the critical systems, data, and applications within the datacenter. Organizations today are realizing they need to focus more attention on users, authentication, and especially the privileged user access to resources within their environments. Verizon s 2014 Data Breach Investigations Report includes some unnerving statistics related to hacking and criminal activity. Cyber espionage has tripled, with 511 incidents this year1. The use of stolen or misused credentials is the number one way attackers gained access to information, and two out of three breaches exploited weak or stolen passwords. Insider attacks also increased in , especially with regard to stolen intellectual property, and 85% of insider and privilege abuse attacks occurred within the corporate network environment.2 It s clear that security and operations teams need to focus on privileged user management more than ever before. About the Respondents Organizations today are realizing they need to focus more attention on users, authentication, and especially the privileged user access to resources within their environments. IANS and Thycotic conducted a survey of 100 experienced security and IT operations professionals. A broad mix of different professional roles was represented, primarily in systems engineering and IT directors, as well as CISOs and CTOs. Network administrators and developers were a smaller percentage of respondents, as were security engineers. The full breakdown of roles is shown in Figure 1: 1 As of 9/26/

4 Respondent Roles Dir of IT, Engineer 36% Other (please specify) 25% CISO/CTO 19% Developer/Network Admin 13% Security Engineer 7% 0% 5% 10% 15% 20% 25% 30% 35% 40% Figure 1: Survey Respondents The Other category was comprised of several IT or security consultants, with a fewer amount of managers and specialists in operations, engineering, finance and legal. The vast majority of organizations responding were above $500 million in annual revenue. One-third were between $1 billion and $10 billion in revenue, and almost a quarter were over $10 billion, as shown in Figure 2: Organization Size 1% 23% 4% 5% 12% $10 million to less than $25 million $25 million to less than $50 million $50 million to less than $100 million $100 million to less than $500 million 33% 22% $500 million to less than $1 billion $1 billion to less than $10 billion Over $10 billion 4 Figure 2: Respondent Organization Size

5 Thus, the majority of respondents were security and IT operations professionals, mostly in managerial positions, and primarily with very large organizations. Data Breaches and Privileged Accounts Every single organization has had an attack of some type, which simply underscores the severity of the situation in information security today. When we asked how many of the survey respondents had experienced a significant attack or data breach in the past two years, one hundred percent of the responses were affirmative. Every single organization has had an attack of some type, which simply underscores the severity of the situation in information security today. The next key question we posed was straightforward - how did the attackers get in? Surprisingly, many organizations saw server-based exploits as the primary exploitation vector. Password breaches and social engineering attacks came in second and third, respectively. Of the respondents, 12% saw web application exploits as the first entry point for attacks, and 2% who answered other said that the attacks were due to insiders. The full breakdown of responses is shown in Figure 3: Initial Compromise Vector 45% 40% 39% 35% 30% 27% 25% 20% 20% 15% 12% 10% 5% 2% 0% Server exploit Password breach Social engineering attack Web application exploit Other Figure 3: Initial Compromise Vector in Attacks Clearly, password breaches and social engineering are collectively focused on end users. In situations where the end user has high levels of privilege or access to resources where privileged user credentials could be harvested, the attacks can be much more lucrative. 62% of professionals surveyed responded that attackers took advantage of excessive privileges to move laterally or escalate access within the organization during their incidents. 27% said this had not 5

6 occurred, and the remaining 11% weren t sure. By any measure, almost two-thirds of organizations experienced privileged account access or abuse during a security incident, which aligns with the results of the Verizon investigations report. This is definitely a growing issue, and security and operations teams are becoming more and more aware of it. How did these teams detect the use of privileged accounts and credentials during a breach? Network intrusion detection was the most common means of detection, by far, with 37% of respondents. Host-based intrusion detection was also very prevalent in detecting privileged account and credential misuse. Logging, account behavior, and anti-malware technology were listed, as well, with only a small percentage (3%) detecting this activity through the use of privileged user management tools as shown in Figure 4: 40% 35% 30% 25% Privileged Account Detection 24% 37% 20% 15% 10% 10% 10% 14% 5% 2% 3% 0% Other Privileged User Management Anti-malware technology Behavioral patterns of access attempts (not in logs) Local system logs Host-based intrusion detection Network intrusion detection Figure 4: Detection Methods of Privileged Account Abuse Two respondents marked other for this question, indicating that monitoring of chat logs tipped them off, as well as notification from law enforcement. Of these teams that managed to detect privileged account and credential abuse, 71% were able to determine how the attackers gained access to the privileged accounts in the first place. 29% were not, which could easily indicate a lack of root cause identification in the incident investigation. For those that could determine what happened, the majority (46.5%) found that a privileged user s workstation had been compromised, likely by social engineering or some other form of credential theft. Pure credential theft for access to sensitive data and other valuable resources made up 31% of responses, followed by Windows-based Pass the Hash attacks at 18.3% (shown in Figure 5): 6

7 Attacker Privileged Account Access The initial attack compromised a privileged user s workstation 46.5% A privileged user s credentials were stolen 31.0% A pass-the-hash attack was used in our Windows environment 18.3% Other 4.2% 0% 10% 20% 30% 40% 50% Figure 5: Attacker s Methods of Gaining Privileged Access The other category respondents stated that insider involvement led to the attackers already having privileged account access in the first place. Most respondents (51%) felt that the privileged account misuse had a relatively small impact on their organizations. This could be due to the attack(s) not resulting in a significant data breach, or possibly because the attacks were caught quickly. 12% stated that the attack(s) had virtually no impact at all, and only one respondent wasn t sure. The other 36% of respondents, however, had a significant impact, such as loss of sensitive data or impact to reputation. This is more than one in three incidents, which means that many more organizations are likely to experience this in the future as these attacks continue and become more targeted. The breakdown of impact analysis is shown in Figure 6: Impact of Privilege Misuse 1% Significant impact 12% 36% Minor impact No impact 51% Not sure Figure 6: Impact of Privileged Account Access/Misuse 7

8 Privilege Management and IT Operations In the organizations that responded to the survey, the split was fairly close as to distribution of systems administrators. 41% have a single team of operational admins, whereas 59% have multiple teams. It s common for larger organizations to have dedicated teams for different operating platforms and system types (like mail servers and database servers). The challenge with a distributed team model is that managing privileged accounts and the use of those credentials becomes even more difficult, especially if the teams are geographically dispersed or have some autonomy (many acquired companies IT teams still operate somewhat independently from the parent group, for example). Of the groups who participated, 86% also stated that they have some sort of privileged user management program in place. For the other 14%, privileged user management may be managed ad hoc, or simply not managed at all. For the 86% of respondents who currently have some sort of privileged user monitoring and management tools within their environments, 61% indicated that they currently use single sign-on (SSO) and Microsoft Group Policy controls. Over half (52%) use a central password safe, as well. Fewer organizations than we expected listed authentication and authorization logging and log management as a key control for privileged user monitoring and management (47%), and identity management and su/sudo for Unix and Linux were also listed (shown in Figure 7): Privileged User Management Controls Single Sign-On (SSO) Group Policy controls Central password safe Authentication and authorization logging Identity and Access Management (IAM) Su and sudo for Unix and Linux 31% 41% 47% 52% 61% 61% Figure 7: Privileged User Monitoring and Management Controls 0% 10% 20% 30% 40% 50% 60% 70% Compliance requirements play a major role in how organizations approach account management, authentication and authorization, and privileged user monitoring and management. 90% of respondents stated that privileged user monitoring and control was required by compliance mandates within their organizations. This tends to drive IT operations towards implementation of controls that they wouldn't otherwise be aware of or feel the need to put in place. Respondents listed a broad number of compliance mandates, as shown in Figure 8: 8

9 Privileged User Monitoring Compliance Requirements HIPAA/HITECH 52.2% SOX 42.2% PCI DSS GLBA FISMA 28.9% 27.8% 26.7% NERC/FERC 11.1% Others 2.2% 0% 10% 20% 30% 40% 50% 60% Figure 8: Privileged User Monitoring Compliance Requirements Many organizations are beholden to more than one compliance or regulatory requirement, so some of the respondents chose more than one answer for this question. HIPAA and SOX were the most common requirements, which is not surprising given the size of the organizations participating. PCI DSS, GLBA, and FISMA were just under 30% of respondents for each, and NERC/FERC was only required in 11.1% of the organizations that responded. Others included NIST mandates and ISO Conclusion Most organizations that currently have a privileged user management strategy and program are really piggybacking on identity management and account management tools like Active Directory. Based on the current state of security breaches and attacks, it seems that many organizations are making more investments in privileged user monitoring and management. Most organizations that participated indicated that they are currently looking to invest in Given that many intrusion scenarios involve privileged account access and/or misuse, privileged user monitoring and management is an area of security that deserves more attention. privileged user management and monitoring (71%). Of this group, the majority is moving quickly - within the next 6 months. Only 16% of respondents weren t sure what their timeline will look like for implementing a privileged user management strategy, as shown in Figure 9: 9

10 Investing in Privileged User Management 16% 20% 24% 40% Immediately In the next 6 months In the next 12 months Not sure Figure 9: Timeline for Privileged User Management Investment This is a good sign for the industry as a whole. Privileged user accounts are some of the top targets for many attackers. By compromising a privileged user account, or leveraging it in any number of ways, attackers can often gain access to the crown jewels of most organizations. Investing in privileged user management can help organizations start to get a handle on this problem, and 84% of the security and IT operations teams who participated have a timeline for doing just that. 10

11 About Thycotic Thycotic deploys intuitive, reliable solutions that empower companies to remove the complexities associated with proper control and monitoring of privileged account passwords. A 2014 Inc company, Thycotic is trusted by more than 100,000 IT professionals worldwide including members of the Fortune 500, enterprises, government agencies, technology firms, universities, non-profits and managed service providers. About IANS IANS is the leading provider of in-depth security insights and decision support delivered through research, community, and consulting. Fueled by interactions among IANS Faculty and information security practitioners, IANS experience-driven advice helps IT security, risk management, and compliance executives make better, faster technical and managerial decisions. IANS was founded in 2001 as the Institute for Applied Network Security. Inspired by the Harvard Business School experience of interactive discussions driving collective insights, IANS adapted that format to fit the needs of the information security community. 11