What are five lessons from privileged access management experts in the wake of 2019 data breaches?
Throughout 2019, enterprises learned the hard way about the necessity of privileged access management to prevent data breaches. Indeed, privileged access solution provider Centrify found 74% of data breaches begin with a compromised privileged account.
However, enterprises continue to neglect their privileged access management even as the data breaches pile up. Centrify found 52% of enterprises don’t have a password vault and 65% still share their privileged access. Moreover, 21% still don’t use multifactor authentication. Regardless of whether this stems from neglect or ignorance, this must change.
If any of this applies to your enterprise, you need a wake-up call. Here are five lessons from privileged access management experts to help you in 2019 and beyond.
Five Lessons From Privileged Access Management Experts in 2019
The Quest Diagnostics Breach
“Today, more than ever, hackers are exploiting weak and stolen credentials to gain unauthorized access to sensitive systems and data. The best way to prevent unauthorized access is by enforcing multi-factor authentication (MFA); requiring users to authenticate with a 2nd factor (via a mobile app, smart card, one-time passwords, etc.) ensures that only authorized users can access sensitive systems. Yet most of our sensitive systems still rely on password-only authentication mechanisms, which can be easily bypassed.”
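To make the quote above concrete, here is an added example (not code from the article or from any vendor it mentions) of what a "2nd factor" check looks like on the server side: an RFC 6238 time-based one-time password (TOTP) verifier layered on top of a password check. The verifier tolerates one 30-second step of clock skew and refuses to accept a code a second time, so a stolen password on its own, or an OTP replayed after it was already used, does not authenticate. The user record, salt and password are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


class SecondFactorVerifier:
    """Server-side TOTP check with skew tolerance and replay protection."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # every counter at or below this is spent

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # a code from an already-used step is a replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus an enrolled TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "second_factor": SecondFactorVerifier(totp_secret),
    }


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; the OTP is only checked after the password matches,
    so an attacker with neither cannot burn valid codes by guessing."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False
    return user["second_factor"].verify(code, unix_time)


if __name__ == "__main__":
    # RFC 6238 appendix B test secret (ASCII "12345678901234567890"), constructed password.
    secret = b"12345678901234567890"
    user = make_user("correct horse", secret)
    print("password only:", authenticate(user, "correct horse", "000000", 59))   # False
    print("password + OTP:", authenticate(user, "correct horse", totp(secret, 59), 59))  # True
    print("replayed OTP:", authenticate(user, "correct horse", totp(secret, 59), 59))   # False
```

The `totp` values can be checked against the published RFC 6238 SHA-1 test vectors (for example, time 59 gives 94287082, whose last six digits are 287082).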
The Chipotle Credential Stuffing Attack
“While password reuse across sites is what makes credential stuffing attacks so successful, credential stuffing isn’t the only weapon in an attacker’s arsenal. The use of weak, default, or stolen passwords period is enough to make an account vulnerable, especially with alternative techniques like Password Spraying. With Password Spraying, an attacker can try a small number of highly common passwords against large numbers of accounts while also staying below lockout thresholds, compromising accounts without any elevated privileges and likely without detection.”
With so little information, it’s hard to say for sure if additional techniques are in play. But the point is that just like there’s more than one way to build your burrito bowl, there’s (way) more than one way to compromise your account.”
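The quote above explains why password spraying slips past per-account lockout: each account sees only a couple of failures, so no single account trips the threshold. The aggregate signal is still there, just keyed on the source instead of the account. The following added example (not code from the article or from any vendor it mentions) runs a simple spray detector over constructed authentication log lines in a made-up format. It reports which accounts would have been locked out, which sources failed against many distinct accounts inside a window while staying under the lockout threshold per account, and which accounts later logged in successfully from such a source. The log format, thresholds, addresses and user names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any real product's): one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth-(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOCKOUT_THRESHOLD = 5  # assumed per-account lockout after this many failures

# Constructed sample: a spray from 203.0.113.7 (two tries per account, then one success),
# a single-account brute force from 198.51.100.9, and a benign typo from 192.0.2.10.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z auth-fail user=alice src=203.0.113.7
2019-06-01T10:00:02Z auth-fail user=bob src=203.0.113.7
2019-06-01T10:00:03Z auth-fail user=carol src=203.0.113.7
2019-06-01T10:00:04Z auth-fail user=dave src=203.0.113.7
2019-06-01T10:00:05Z auth-fail user=erin src=203.0.113.7
2019-06-01T10:00:06Z auth-fail user=frank src=203.0.113.7
2019-06-01T10:01:00Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:01:01Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:01:02Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:01:03Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:01:04Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:01:05Z auth-fail user=admin src=198.51.100.9
2019-06-01T10:02:00Z auth-fail user=alice src=192.0.2.10
2019-06-01T10:02:10Z auth-ok user=alice src=192.0.2.10
2019-06-01T10:03:01Z auth-fail user=alice src=203.0.113.7
2019-06-01T10:03:02Z auth-fail user=bob src=203.0.113.7
2019-06-01T10:03:03Z auth-fail user=carol src=203.0.113.7
2019-06-01T10:03:04Z auth-fail user=dave src=203.0.113.7
2019-06-01T10:03:05Z auth-fail user=erin src=203.0.113.7
2019-06-01T10:03:06Z auth-fail user=frank src=203.0.113.7
2019-06-01T10:06:01Z auth-ok user=frank src=203.0.113.7
"""


def parse_log(text: str) -> list:
    """Parse matching lines into event dicts, sorted by timestamp; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def locked_accounts(events: list, threshold: int = LOCKOUT_THRESHOLD) -> list:
    """Accounts whose failure count reaches the lockout threshold (the brute force, not the spray)."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def spray_sources(events: list, window: timedelta = timedelta(minutes=10), min_users: int = 5) -> dict:
    """Sources that failed against at least min_users distinct accounts inside one window.
    Reports the widest window seen per source plus the worst per-account failure count,
    which for a spray stays below the lockout threshold."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    findings = {}
    for src, evs in fails_by_src.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) < min_users:
                continue
            candidate = {"distinct_users": len(per_user), "max_fails_per_user": max(per_user.values())}
            prev = findings.get(src)
            if prev is None or (candidate["distinct_users"], candidate["max_fails_per_user"]) > (
                prev["distinct_users"], prev["max_fails_per_user"]):
                findings[src] = candidate
    return findings


def successes_from_spray_sources(events: list, findings: dict) -> list:
    """Accounts that authenticated successfully from a flagged source: the likely compromises."""
    return sorted({e["user"] for e in events if e["ok"] and e["src"] in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked out:", locked_accounts(evs))
    sprays = spray_sources(evs)
    print("spray sources:", sprays)
    print("successful logins from spray sources:", successes_from_spray_sources(evs, sprays))
```

Note that `alice` accumulates three failures in total (two from the spray, one typo) and never reaches the lockout threshold, which is exactly the blind spot the quote describes; only the per-source view surfaces the campaign.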
The VFEmail Incident
“The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way. Critical systems, such as these that host customer data, must be protected with enhanced security and all operations must be protected using intelligent Multi-Factor Authentication solutions. If those controls were in place, an operation that deviates from trusted behavior would have raised the friction towards the attackers and provided immutable logs showing that the attack was in progress, allowing VFEmail to react quickly and potentially stop the breach before data was destroyed.”
The State Farm Credential Stuffing Attack
“Credential stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year. The fact is that the credential stuffing attacks are just one attack vector companies must be prepared to defend against. Organizations are tasked with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities.
This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. The key to thwarting future attacks like what State Farm has suffered is to leverage security tools that employ AI and ML to observe and analyze these data points in real-time and derive insights to prioritize which vulnerabilities to fix first, based on risk and business criticality. Proactively managing risk must become the new norm.”
The MoviePass Data Exposure
“What’s also clear is that KBA (knowledge-based authentication), which relies on the notion of shared secrets, should be heavily scrutinized as a reliable means of authentication.
Why? Given that more and more of our supposed shared secrets are now available for pennies on the dark web, the job of the fraudster—especially those focused on account takeovers—just got a little bit easier.”
How to Learn More
Thanks to our privileged access management experts for their time and expertise! To learn more, be sure to check our 2019 Privileged Access Management Buyer’s Guide; you can also download our 2019 Identity Management Buyer’s Guide. We cover the top solution providers in both markets and their key capabilities. Also, we provide a Bottom Line analysis on each vendor.
By Ben Canner