
CyberArk talks credential privileges, data breach laws and the 'sprint method'

28 Feb 2017

CyberArk Labs doesn’t just employ security experts; it employs hackers to fight hackers. Its researchers are white-hat hackers, and this is one of the ways the company pursues innovative cybersecurity research, actively hunting for new attack vectors and techniques.

And that’s not all: the team has tripled in size and shows no sign of dropping what it calls an ‘offensive’ orientation. The company’s motto is “You start as hard as you can, and from that point on you constantly speed up”.

SecurityBrief spoke to Kobi Ben-Naim, CyberArk’s senior director of cyber research, about credential privileges, data breach notification laws, and the company’s goals for the future.

Privileged credentials can be stolen in many ways, but the most common route is through an endpoint, which often carries the most easily exploited vulnerabilities. Kobi cites a Verizon study which found that, out of 2260 breaches, two thirds involved weak, default or stolen passwords.

But it’s not just stealing passwords. Spear phishing, malware, identity theft and using rogue access points are all ways attackers can get in.

“Typically, an internet infrastructure as a whole will be probed for vulnerabilities, scanning for an opening that will allow a way in. Whatever method is used to effect a compromise, the goal is the same: to obtain credentials that can, in turn, allow for a privilege escalation,” he says.

CyberArk’s CISO View 2017 report found that employees are being given administrative privileges in areas where they are unnecessary.

“In these cases, attackers have used techniques that exploited vulnerabilities in the Windows environment to steal privileged credentials and move around the network without detection in order to gain full control of the organisation’s information systems. The risk of these attacks is increasing,” he says.

“Attackers have access to widely available toolkits that enable them to easily create tailored attacks. Microsoft itself recommends putting in place better controls on administrative privileges for people who do not need them, in order to reduce the risk.”

The advice couldn’t be more timely, as Australia’s data breach notification laws start to come into effect, with no word yet on whether New Zealand and the wider APAC region will follow suit.

Australian laws make it difficult for enterprises to move sensitive information to cloud providers that store data outside of the ANZ region, he says.

“Many cloud providers have a significant presence in the USA. Under the USA’s Patriot Act, such cloud hosting companies might not only be forced to hand over hosted data to the government but also to do so secretly. This is obviously at odds with the requirements placed on Australian companies by Australian privacy law.”

“According to Australia’s privacy laws, companies are compelled to notify their customers about what they do with their data and also to protect this data from access by others. When your data is in a cloud that is hosted offshore, it is ‘resident’ in that particular country and is susceptible to that country’s privacy and confidentiality laws, which may differ significantly from those of Australia. Not all Australian privacy laws can offer direct protection from the ramifications of foreign legislation.”

“One of the biggest risks identified by the Australian Signals Directorate (ASD) while updating its Strategies to Mitigate Cyber Security Incidents was the incidence of “spear phishing” attacks. Often used by criminals wanting to compromise a particular company’s network, spear phishing involves an email crafted to look like something seemingly innocent, such as a current job application, which is then emailed to the HR manager,” he says.

The ASD found those techniques are targeted and extremely successful. It’s hard to protect against them without enforcing strict security rules, which could negatively impact how employees and departments work, he says. 

“However, if a user, application, or any network element is compromised, businesses need to be able to ensure that the security breach is quickly isolated and the network is locked down, thereby stopping the intruder from accessing core systems,” he says.

The ASD says its top mitigation strategies, properly implemented, would prevent at least 85% of the targeted intrusions it responds to. CyberArk has built its Privileged Account Security platform around this guidance, addressing what Kobi calls the ‘essential eight’ risk mitigation strategies, which include application whitelisting and restricting administrative privileges.
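As an added example (not code from CyberArk or the CISO View report), the following Python audit turns the two points above into checks a practitioner can run: it flags accounts that hold local admin on hosts where policy says they do not need it, flags privileged accounts used interactively on workstations (where their credential material can be harvested and reused to move laterally), and counts how many hosts each privileged account reaches. The host inventory, the policy table, the logon events and the ‘WS-’ workstation naming prefix are all constructed assumptions for the demonstration; in practice the membership data would come from an inventory tool and the events from the Windows Security log (4624 logon events paired with 4672 “special privileges assigned” events).

```python
"""Audit of administrative-privilege sprawl and privileged-account exposure.

Added example (not CyberArk's code or the CISO View report's method).
All data below is constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: local Administrators group membership per host.
LOCAL_ADMINS = {
    "WS-ALICE":   {"CORP\\alice", "CORP\\helpdesk-adm", "CORP\\Domain Admins"},
    "WS-BOB":     {"CORP\\helpdesk-adm", "CORP\\Domain Admins"},
    "WS-CAROL":   {"CORP\\carol", "CORP\\helpdesk-adm", "CORP\\Domain Admins"},
    "SRV-FILE01": {"CORP\\srvops-adm", "CORP\\Domain Admins"},
    "DC01":       {"CORP\\Domain Admins"},
}

# Constructed policy (an assumption for the example): the only hosts on which
# each principal is permitted to hold local admin. A principal absent from
# this table is not permitted admin anywhere.
ALLOWED_ADMINS = {
    "CORP\\Domain Admins": {"DC01"},                           # tier 0 only
    "CORP\\srvops-adm":    {"SRV-FILE01"},
    "CORP\\helpdesk-adm":  {"WS-ALICE", "WS-BOB", "WS-CAROL"},
}


def excess_admin_rights(local_admins, allowed):
    """Return {host: principals} holding local admin where policy does not permit it."""
    findings = {}
    for host, members in local_admins.items():
        extra = {m for m in members if host not in allowed.get(m, set())}
        if extra:
            findings[host] = extra
    return findings


@dataclass(frozen=True)
class Logon:
    time: str
    host: str
    account: str
    logon_type: int    # 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP)
    privileged: bool   # True when a 4672 event accompanied the logon (admin token)


# Constructed logon events, shaped after the fields of Windows event 4624.
EVENTS = [
    Logon("09:01", "WS-ALICE",   "CORP\\alice",      2,  True),
    Logon("09:15", "WS-BOB",     "CORP\\bob",        2,  False),
    Logon("10:02", "WS-BOB",     "CORP\\da-ops",     10, True),
    Logon("10:05", "WS-CAROL",   "CORP\\da-ops",     3,  True),
    Logon("10:06", "SRV-FILE01", "CORP\\da-ops",     3,  True),
    Logon("10:07", "DC01",       "CORP\\da-ops",     3,  True),
    Logon("11:00", "SRV-FILE01", "CORP\\srvops-adm", 3,  True),
]


def exposed_privileged_logons(events, workstation_prefix="WS-"):
    """Privileged accounts logging on interactively (types 2 and 10) to
    workstations. Such logons typically leave reusable credential material in
    memory on the host, which is what a credential-theft attack harvests.
    The workstation naming prefix is an assumption of this example."""
    return [e for e in events
            if e.privileged and e.logon_type in (2, 10)
            and e.host.startswith(workstation_prefix)]


def fan_out(events, threshold=3):
    """Privileged accounts that reached `threshold` or more distinct hosts:
    a simple indicator of lateral movement with privileged credentials."""
    hosts = defaultdict(set)
    for e in events:
        if e.privileged:
            hosts[e.account].add(e.host)
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    for host, extra in sorted(excess_admin_rights(LOCAL_ADMINS, ALLOWED_ADMINS).items()):
        print(f"[excess admin] {host}: {', '.join(sorted(extra))}")
    for e in exposed_privileged_logons(EVENTS):
        print(f"[exposed token] {e.time} {e.account} type {e.logon_type} on {e.host}")
    for acct, reached in fan_out(EVENTS).items():
        print(f"[fan-out] {acct} reached {len(reached)} hosts: {', '.join(reached)}")
```

Run as-is, the audit reports Domain Admins held on every workstation and server, two users holding admin on their own workstations, an admin token exposed on two workstations, and one privileged account touching four hosts in a few minutes. The thresholds and host naming are deliberately simple; the point is that the three questions (who holds admin where, where admin tokens are used interactively, and how far one privileged account reaches) are answerable from data most environments already collect.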

Managing risk also requires understanding across the organisation, and Kobi says that security must be driven from the top down.

“Security will drive efforts to combat cyber threats, but affected systems are owned by the business, which means top-down impetus and, in turn, cross-functional support,” he says.

The CyberArk CISO View report presents a ‘sprint mindset’ as a way to achieve rapid risk reduction.

“We are trying to achieve the same sense of urgency and progress as is often done in the wake of actual breaches - without the overarching pressure of resolving a breach. Some will baulk at the changes that must be made such as giving up access rights or following new processes. Buy-in and direction from leadership is crucial to move ahead rapidly,” he says.

He says the sprint methodology is a way of shutting down the ‘privileged pathway’ that attackers have used to gain access to critical assets and data. 

“This goes beyond technology requirements to look also at the functions that need to be part of such an initiative, both laterally and involving senior leadership. There is even guidance on engaging the board successfully,” he says.

Beyond the report, CyberArk will be working on its existing solutions, new products, cloud migration and its channel strategy this year.

What should organisations take away from the report and put into practice?

“I would like to emphasise that companies need to behave as if they have just been breached. Then, they have an imperative to put in place the controls that, right now, they think would be too problematic or too much effort to implement,” Kobi concludes.
