2018 Breaches: How PAM Could Have Helped Prevent the Worst of Them
There have been quite a few security breaches to hit the news in 2018. As each story broke, it seemed like it couldn’t get worse, only to find that the next data breach was just around the corner, and even more severe, exposing the data of millions of customers worldwide. We have had a few of those this year.
2018: A Year of Breaches
2018 has been a bad year for cybersecurity incidents. Similar to the last few years, there has been a succession of large-scale cyber disruptions and data thefts. Each event is troubling on its face, and when you look at the way the breach was carried out, it’s doubly worrisome. You start to understand the true depth of our vulnerability as cybersecurity controls and practices are revealed to be deficient in many major organizations.
Each of the 2018 breaches had its own unique circumstances and causes. However, in each situation, it’s possible to see how better management of privileged access could have prevented such a breach. At the very least, having effective privileged access management (PAM) solution in place could have led SecOps teams to catch the problems earlier and gain a better understanding of the attack before the worst of the impact occurred.
Most 2018 breaches could have been stopped if organizations had privileged access management solutions in place.
2018 Breaches: Reviewing the Worst of a Shocking Year in CyberSecurity
Well, 2018 has certainly been a year of doozies in the data breach category, for well-known and trusted businesses in every sector from retail to transportation and even defense. Here are some of the highlights, or, well, lowlights:
- Marriott International – 500,000,000 customer records stolen, including passport numbers and credit card information
- Facebook – 50,000,000 sets of user data stolen
- Google – 500,000 Google Plus user accounts compromised
- US Navy’s Naval Undersea Warfare Center – 600GB of top-secret, highly-sensitive military information stolen
- Saks and Lord & Taylor – 5,000,000 credit card records stolen and offered for sale on the black market
- Exactis – 340,000,000 consumer data sets breached, including hundreds of personal details for each person affected
- Under Armour – 150,000,000 username and password credentials are stolen, affecting users of the MyFitnessPal diet and exercise tracking platform
- British Airways – Theft of thousands of complete credit card data sets (name, email, credit card number, expiration date, CVV code)
These incidents come with costs and consequences. Under Armour is facing litigation over its breach. British Airways has promised to compensate victims. The US Navy is trying to figure out how to keep its sailors safe now that Chinese intelligence agencies apparently have secret submarine communication codes. Facebook and Google are embarrassed, their public image as elite engineering organizations now in doubt. And, this list is merely a sampling of serious 2018 breaches. There were many others throughout the year, including massive incidents affecting Panera Bread, the US Army (Strava Fitness App), Orbitz, TicketFly, The Sacramento Bee, and on and on. No sector was safe from data breaches.
Between all of the 2018 breaches, billions of people have had their information exposed.
Privileged Access Management (PAM) and Breach Prevention
Some cybersecurity experts say that the attacker will always get through, that it’s impossible to defend against a truly determined hacker. There is a great deal of truth to this, but it is definitely possible to mount as robust a defense as possible to deter anyone but the most determined and to reduce the impact of the breach if it occurs. It is also relatively easy to be diligent, avoiding the easy mistakes that seemed to have enabled quite a few of the bad 2018 breaches.
What is Privileged Access Management?
PAM is an IT discipline that takes on the important task of ensuring that only authorized users can access the administrative back ends of critical systems. A privileged user is someone (or something) who can control the way a system functions—setting up or modifying user accounts, changing configurations, accessing (or deleting) data, and so forth.
Privileged access management helps organizations control who has access to what systems with tools to monitor and record all actions performed.
From a security perspective, privileged users present a significant risk factor. Whether it’s hackers impersonating privileged users or former employees exploiting still-valid login credentials, a privileged user account is a door to real havoc if not properly guarded.
A PAM solution is a software platform that operationalizes PAM principles. It will, for example, enable super-admins to grant and revoke access privileges to users. In the case of the WALLIX Bastion, the PAM solution acts as an intermediary between privileged users and target systems. The user never actually logs into the actual back end, nor does he or she have the password, creating an airlock between users (or stolen user credentials) and sensitive assets.
PAM solutions also monitor and record privileged account sessions. This way, the SecOps team can detect breaches in progress or perform quick forensic analysis of suspicious events. They can answer the key questions that inevitably arise when there is a security incident: Who did what, when, and how?
PAM and the 2018 Breaches
Better access management would have reduced the likelihood of each of these breaches. Or, it could have reduced the impact. In the case of Marriott, one of the worst breaches of all time, an effective PAM solution could have detected the problem a great deal earlier. According to initial reports, Marriott noticed unauthorized attempts to access its databases in September of 2018. This triggered an internal review that finally revealed the true extent of the problem; hackers had been stealing, encrypting, and exfiltrating data for four years!
The fog of a merger (between Marriott and Starwood Hotels) was partly to blame. While it’s not clear that privileged account abuse was the direct cause of the breach, it’s fairly certain that better control over access privileges could have spotted a suspicious database user in less than four years. A good PAM solution gives super-admins an overview of all privileged users and flags suspicious activities automatically, in real-time.
The breaches at Facebook, Google, and the Naval Undersea Warfare Center all have a PAM-related factor in common: the abuse of third-party account access. Facebook and Google were breached using software that connected with the respective platforms. Using APIs, hackers were able to gain access and steal data. The Navy hack occurred via a defense subcontractor, which was allowed to download and store classified military data on its systems.
A PAM solution can (and should) be able to track privileged account access by third parties and employees alike. When a privileged user is outside the organization, that’s all the more reason to control and track his or her access. Stronger PAM could have deterred the breaches at Facebook, Google, and the Navy.
The Exactis incident, which was not shown to be an actual breach, seems to have been caused by carelessness and lack of monitoring. Someone somehow took a huge amount of data out of Exactis and posted it on an unprotected server. We may never know why or how this happened, but the result was comparable to a data breach. A lot of private information was exposed to malicious use. A PAM solution would at least log a record of who removed the data, as well as when and how it happened. If alerts were set up, as is possible with WALLIX, security teams could have been warned that someone was poking around in the database or could have automatically terminated the session. No one can “poke around” without permission as all access passes via the PAM platform.
Website compromises are being blamed for the breaches at British Airways, Under Armour, and Saks/Lord & Taylor. Again, PAM could mitigate this threat. A well-configured and -managed PAM solution restricts access to website admin controls and makes it less likely that a hacker could execute an internal attack. Forensically, PAM makes it easier to track down the problem and disrupt the attack sooner.
How PAM Solutions Mitigate Data Breaches
PAM solutions help mitigate the risk of a data breach through a streamlined, centralized system of privileged access control. They typically embody the following functional areas in a single platform:
- Access Management—Governing access to privileged accounts with a single point of policy definition and policy enforcement for privileged account management. A super-admin can add/modify/delete privileged user accounts with granular control over systems and times of access.
- Session Management—Tracking and monitoring all actions taken during a privileged account session for future review and auditing with thorough audit logs and recordings. Some session managers can even prevent malicious or unauthorized actions and/or alert Super Admins if suspicious activity is detected in real-time or automatically terminate a session after an unauthorized attempted action.
- Password Vaulting—Keeping passwords in a secure and certified “vault.” All system access is via the password vault. End users never have direct access to root passwords and the password manager automatically rotates the password after use. This capability mitigates the risk of local overrides on physical devices.
2019 will probably be a year of breaches, too. But, with more focus on cybersecurity countermeasures, including better PAM, perhaps it will be a less catastrophic year.