Privileged Access Management

2018 Breaches: How PAM Could Have Helped Prevent the Worst of Them

There have been quite a few security breaches to hit the news in 2018. As each story broke, it seemed like it couldn’t get worse, only to find that the next data breach was just around the corner, and even more severe, exposing the data of millions of customers worldwide. We have had a few of those this year.

2018: A Year of Breaches

2018 has been a bad year for cybersecurity incidents. Similar to the last few years, there has been a succession of large-scale cyber disruptions and data thefts. Each event is troubling on its face, and when you look at the way the breach was carried out, it’s doubly worrisome. You start to understand the true depth of our vulnerability as cybersecurity controls and practices are revealed to be deficient in many major organizations.

Each of the 2018 breaches had its own unique circumstances and causes. However, in each situation, it’s possible to see how better management of privileged access could have prevented such a breach. At the very least, having effective privileged access management (PAM) solution in place could have led SecOps teams to catch the problems earlier and gain a better understanding of the attack before the worst of the impact occurred.

Most 2018 breaches could have been stopped if organizations had privileged access management solutions in place.

2018 Breaches: Reviewing the Worst of a Shocking Year in CyberSecurity

Well, 2018 has certainly been a year of doozies in the data breach category, for well-known and trusted businesses in every sector from retail to transportation and even defense. Here are some of the highlights, or, well, lowlights:

Marriott International – 500,000,000 customer records stolen, including passport numbers and credit card information
Facebook – 50,000,000 sets of user data stolen
Google – 500,000 Google Plus user accounts compromised
US Navy’s Naval Undersea Warfare Center – 600GB of top-secret, highly-sensitive military information stolen
Saks and Lord & Taylor – 5,000,000 credit card records stolen and offered for sale on the black market
Exactis – 340,000,000 consumer data sets breached, including hundreds of personal details for each person affected
Under Armour – 150,000,000 username and password credentials are stolen, affecting users of the MyFitnessPal diet and exercise tracking platform
British Airways – Theft of thousands of complete credit card data sets (name, email, credit card number, expiration date, CVV code)

These incidents come with costs and consequences. Under Armour is facing litigation over its breach. British Airways has promised to compensate victims. The US Navy is trying to figure out how to keep its sailors safe now that Chinese intelligence agencies apparently have secret submarine communication codes. Facebook and Google are embarrassed, their public image as elite engineering organizations now in doubt. And, this list is merely a sampling of serious 2018 breaches. There were many others throughout the year, including massive incidents affecting Panera Bread, the US Army (Strava Fitness App), Orbitz, TicketFly, The Sacramento Bee, and on and on. No sector was safe from data breaches.

Between all of the 2018 breaches, billions of people have had their information exposed.

Privileged Access Management (PAM) and Breach Prevention

Some cybersecurity experts say that the attacker will always get through, that it’s impossible to defend against a truly determined hacker. There is a great deal of truth to this, but it is definitely possible to mount as robust a defense as possible to deter anyone but the most determined and to reduce the impact of the breach if it occurs. It is also relatively easy to be diligent, avoiding the easy mistakes that seemed to have enabled quite a few of the bad 2018 breaches.

What is Privileged Access Management?

PAM is an IT discipline that takes on the important task of ensuring that only authorized users can access the administrative back ends of critical systems. A privileged user is someone (or something) who can control the way a system functions—setting up or modifying user accounts, changing configurations, accessing (or deleting) data, and so forth.

Privileged access management helps organizations control who has access to what systems with tools to monitor and record all actions performed.

From a security perspective, privileged users present a significant risk factor. Whether it’s hackers impersonating privileged users or former employees exploiting still-valid login credentials, a privileged user account is a door to real havoc if not properly guarded.

A PAM solution is a software platform that operationalizes PAM principles. It will, for example, enable super-admins to grant and revoke access privileges to users. In the case of the WALLIX Bastion, the PAM solution acts as an intermediary between privileged users and target systems. The user never actually logs into the actual back end, nor does he or she have the password, creating an airlock between users (or stolen user credentials) and sensitive assets.

PAM solutions also monitor and record privileged account sessions. This way, the SecOps team can detect breaches in progress or perform quick forensic analysis of suspicious events. They can answer the key questions that inevitably arise when there is a security incident: Who did what, when, and how?

PAM and the 2018 Breaches

Better access management would have reduced the likelihood of each of these breaches. Or, it could have reduced the impact. In the case of Marriott, one of the worst breaches of all time, an effective PAM solution could have detected the problem a great deal earlier. According to initial reports, Marriott noticed unauthorized attempts to access its databases in September of 2018. This triggered an internal review that finally revealed the true extent of the problem; hackers had been stealing, encrypting, and exfiltrating data for four years!

The fog of a merger (between Marriott and Starwood Hotels) was partly to blame. While it’s not clear that privileged account abuse was the direct cause of the breach, it’s fairly certain that better control over access privileges could have spotted a suspicious database user in less than four years. A good PAM solution gives super-admins an overview of all privileged users and flags suspicious activities automatically, in real-time.

The breaches at Facebook, Google, and the Naval Undersea Warfare Center all have a PAM-related factor in common: the abuse of third-party account access. Facebook and Google were breached using software that connected with the respective platforms. Using APIs, hackers were able to gain access and steal data. The Navy hack occurred via a defense subcontractor, which was allowed to download and store classified military data on its systems.

A PAM solution can (and should) be able to track privileged account access by third parties and employees alike. When a privileged user is outside the organization, that’s all the more reason to control and track his or her access. Stronger PAM could have deterred the breaches at Facebook, Google, and the Navy.

The Exactis incident, which was not shown to be an actual breach, seems to have been caused by carelessness and lack of monitoring. Someone somehow took a huge amount of data out of Exactis and posted it on an unprotected server. We may never know why or how this happened, but the result was comparable to a data breach. A lot of private information was exposed to malicious use. A PAM solution would at least log a record of who removed the data, as well as when and how it happened. If alerts were set up, as is possible with WALLIX, security teams could have been warned that someone was poking around in the database or could have automatically terminated the session. No one can “poke around” without permission as all access passes via the PAM platform.

Website compromises are being blamed for the breaches at British Airways, Under Armour, and Saks/Lord & Taylor. Again, PAM could mitigate this threat. A well-configured and -managed PAM solution restricts access to website admin controls and makes it less likely that a hacker could execute an internal attack. Forensically, PAM makes it easier to track down the problem and disrupt the attack sooner.

How PAM Solutions Mitigate Data Breaches

PAM solutions help mitigate the risk of a data breach through a streamlined, centralized system of privileged access control. They typically embody the following functional areas in a single platform:

Access Management—Governing access to privileged accounts with a single point of policy definition and policy enforcement for privileged account management. A super-admin can add/modify/delete privileged user accounts with granular control over systems and times of access.
Session Management—Tracking and monitoring all actions taken during a privileged account session for future review and auditing with thorough audit logs and recordings. Some session managers can even prevent malicious or unauthorized actions and/or alert Super Admins if suspicious activity is detected in real-time or automatically terminate a session after an unauthorized attempted action.
Password Vaulting—Keeping passwords in a secure and certified “vault.” All system access is via the password vault. End users never have direct access to root passwords and the password manager automatically rotates the password after use. This capability mitigates the risk of local overrides on physical devices.

2019 will probably be a year of breaches, too. But, with more focus on cybersecurity countermeasures, including better PAM, perhaps it will be a less catastrophic year.

Don’t want your organization to fall victim to a data breach in 2019? Get a live demo of the WALLIX solution or download a free trial.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

2018 Breaches: How PAM Could Have Helped Prevent the Worst of Them

2018: A Year of Breaches

2018 Breaches: Reviewing the Worst of a Shocking Year in CyberSecurity

Privileged Access Management (PAM) and Breach Prevention

What is Privileged Access Management?

Privileged access management helps organizations control who has access to what systems with tools to monitor and record all actions performed.

PAM and the 2018 Breaches

How PAM Solutions Mitigate Data Breaches

WALLIX is positioned in Gartner’s first Magic Quadrant for PAM

What is the Principle of Least Privilege and How Do You Implement It?

Related Blogs

Related Resources

Products

Solutions

Resources

About