CyberArk Labs doesn’t just employ security experts. It employs hackers to fight hackers. CyberArk’s hackers are White Hat hackers, and this is one of the ways the company delves into innovative cybersecurity research, actively hunting for new attack vectors and techniques.
And that’s not all, they’ve tripled their size and show no signs of stopping what they call an ‘offensive’ orientation. The company’s motto is “You start as hard as you can, and from that point on you constantly speed up”.
SecurityBrief spoke to Kobi Ben-Naim, CyberArk’s senior director of cyber research, about credential privileges, data breach notification laws, and the company’s goals for the future.
Privileged credentials can be stolen in many ways, but the most common method is targeting an endpoint that often has the most easily exploited vulnerabilities. A Verizon study found that out of 2260 breaches, two thirds of these were through weak, default or stolen passwords, Kobi says.
But it’s not just stealing passwords. Spear phishing, malware, identity theft and using rogue access points are all ways attackers can get in.
“Typically, an internet infrastructure as a whole will be probed for vulnerabilities, scanning for an opening that will allow a way in. Whatever method is used to effect a compromise, the goal is the same: to obtain credentials that can, in turn, allow for a privilege escalation,” he says.
CyberArk’s CISO View 2017 report, which found that employees are being given too many administrative privileges in areas where they are unnecessary.
“In these cases, attackers have used techniques that exploited vulnerabilities in the Windows environment to steal privileged credentials and move around the network without detection in order to gain full control of the organisation’s information systems. The risk of these attacks is increasing,” he says.
“Attackers have access to widely available toolkits that enable them to easily create tailored to conduct attacks. Microsoft itself recommends putting in place better controls of administrative privileges to people who do not need them, in order to reduce the risk.”
The advice couldn’t be more timely, as the Australian compliance laws start to come in effect, with no word yet on whether New Zealand and APAC will follow suit.
Australian laws make it difficult for enterprises to move sensitive information to cloud providers that store data outside of the ANZ region, he says.
“Many cloud providers have a significant presence in the USA. Under the USA’s Patriot Act, such cloud hosting companies might not only be forced to hand over hosted data to the government but also to do so secretly. This is obviously at odds with the requirements placed on Australian companies by Australian privacy law.”
“According to Australia’s privacy laws, companies are compelled to notify their customers about what they do with their data and also to protect this data from access by others. When your data is in a cloud that is hosted offshore, it is ‘resident’ in that particular country and is susceptible to that country’s privacy and confidentiality laws that may significantly differ from those of Australia. Not all Australian privacy laws can offer direct protection from the ramifications of foreign legislations.”
“One of the biggest risks identified by the Australian Signals Directorate (ASD) while updating its Strategies to Mitigate Cyber Security Incidents was the incidence of “spear phishing” attacks. Often used by criminals wanting to compromise a particular company’s network, spear phishing involves an email crafted to look like something seemingly innocent, such as a current job application, which is then emailed to the HR manager,” he says.
The ASD found those techniques are targeted and extremely successful. It’s hard to protect against them without enforcing strict security rules, which could negatively impact how employees and departments work, he says.
“However, if a user, application, or any network element is compromised, businesses need to be able to ensure that the security breach is quickly isolated and the network is locked down, thereby stopping the intruder from accessing core systems,” he says.
Risk mitigation strategies could protect against at least 85% of intrusions. CyberArk built a Privilege Account Security Platform around this very topic, addressing what Kobi says are the ‘essential eight’ risk mitigation strategies, including application whitelisting and restricting administrative privileges.
Risk also involves understanding, and Kobi says that security must be involved and come from the top down.
“Security will drive efforts to combat cyber threats, but affected systems are owned by the business, which means top-down impetus and, in turn, cross-functional support,” he says.
In the CyberArk CISO View report, the ‘sprint mindset’ is something that can help achieve rapid risk reduction.
“We are trying to achieve the same sense of urgency and progress as is often done in the wake of actual breaches - without the overarching pressure of resolving a breach. Some will baulk at the changes that must be made such as giving up access rights or following new processes. Buy-in and direction from leadership is crucial to move ahead rapidly,” he says.
He says the sprint methodology is a way of shutting down the ‘privileged pathway’ that attackers have used to gain access to critical assets and data.
“This goes beyond technology requirements to look also at the functions that need to be part of such an initiative, both laterally and involving senior leadership. There is even guidance on engaging the board successfully,” he says.
To do that, CyberArk will be working on its existing solutions, new products, cloud migration and its channel strategies this year.
What should organisations take away from the report and put into practice?
“I would like to emphasise that companies need to behave as if they have just been breached. Then, they have an imperative to put in place the controls that, right now, they think would be too problematic or too much effort to implement,” Kobi concludes.