PRIVILEGED USERS AND DATA BREACHES: A MATCH MADE IN HEAVEN?
SEPTEMBER 2014
Contents
Executive Summary
About the Respondents
Data Breaches and Privileged Accounts
Privilege Management and IT Operations
Conclusion
About Thycotic
Executive Summary
The list of major data breaches keeps getting longer every day. Organizations both large and small are being targeted aggressively by hacktivists, nation state actors, organized criminal teams, and more. Many organizations are also beginning to realize that attackers aren’t focused solely on monetary gain anymore. Rather, they are looking more for intellectual property, blackmail and extortion opportunities, and compromised systems to add to their growing botnets. Several of the common trends that appear across recent attacks are quite disconcerting. First, people are often the first target of attacks today, more so than systems. Attackers are finding that social engineering efforts against users are incredibly effective at gaining an initial foothold in many enterprises. Second, authentication in many organizations still relies on basic usernames and passwords, and stealing credentials from users is trivial for many sophisticated attackers. Finally, many organizations today are not properly managing the users and credentials with the “keys to the kingdom” in their environments - the privileged users who have access to and control over most of the critical systems, data, and applications within the datacenter.
Organizations today are realizing they need to focus more attention on users, authentication, and especially the privileged user access to resources within their environments. Verizon’s 2014 Data Breach Investigations Report includes some unnerving statistics related to hacking and criminal activity. Cyber espionage has tripled, with 511 incidents this year [1]. The use of stolen or misused credentials is the number one way attackers gained access to information, and two out of three breaches exploited weak or stolen passwords. Insider attacks also increased in 2013-2014, especially with regard to stolen intellectual property, and 85% of insider and privilege abuse attacks occurred within the corporate network environment. [2] It’s clear that security and operations teams need to focus on privileged user management more than ever before.
About the Respondents
IANS and Thycotic conducted a survey of 100 experienced security and IT operations professionals. A broad mix of different professional roles was represented, primarily in systems engineering and IT directors, as well as CISOs and CTOs. Network administrators and developers were a smaller percentage of respondents, as were security engineers. The full breakdown of roles is shown in Figure 1:
[1] As of 9/26/2014
[2] http://www.verizonenterprise.com/DBIR/2014/
Figure 1: Survey Respondents (Respondent Roles)
  Dir of IT, Engineer: 36%
  Other (please specify): 25%
  CISO/CTO: 19%
  Developer/Network Admin: 13%
  Security Engineer: 7%
The “Other” category was comprised of several IT or security consultants, with a smaller number of managers and specialists in operations, engineering, finance and legal. The vast majority of organizations responding were above $500 million in annual revenue. One-third were between $1 billion and $10 billion in revenue, and almost a quarter were over $10 billion, as shown in Figure 2:
Figure 2: Respondent Organization Size
  $10 million to less than $25 million: 4%
  $25 million to less than $50 million: 1%
  $50 million to less than $100 million: 5%
  $100 million to less than $500 million: 12%
  $500 million to less than $1 billion: 22%
  $1 billion to less than $10 billion: 33%
  Over $10 billion: 23%
Thus, the majority of respondents were security and IT operations professionals, mostly in managerial positions, and primarily with very large organizations.
Data Breaches and Privileged Accounts
When we asked how many of the survey respondents had experienced a significant attack or data breach in the past two years, one hundred percent of the responses were affirmative. Every single organization has had an attack of some type, which simply underscores the severity of the situation in information security today. The next key question we posed was straightforward - how did the attackers get in? Surprisingly, many organizations saw server-based exploits as the primary exploitation vector. Password breaches and social engineering attacks came in second and third, respectively. Of the respondents, 12% saw web application exploits as the first entry point for attacks, and 2% who answered “other” said that the attacks were due to insiders. The full breakdown of responses is shown in Figure 3:
Figure 3: Initial Compromise Vector in Attacks
  Server exploit: 39%
  Password breach: 27%
  Social engineering attack: 20%
  Web application exploit: 12%
  Other: 2%
Clearly, password breaches and social engineering are collectively focused on end users. In situations where the end user has high levels of privilege or access to resources where privileged user credentials could be harvested, the attacks can be much more lucrative. 62% of professionals surveyed responded that attackers took advantage of excessive privileges to move laterally or escalate access within the organization during their incidents. 27% said this had not occurred, and the remaining 11% weren’t sure. By any measure, almost two-thirds of organizations experienced privileged account access or abuse during a security incident, which aligns with the results of the Verizon investigations report. This is definitely a growing issue, and security and operations teams are becoming more and more aware of it.
How did these teams detect the use of privileged accounts and credentials during a breach? Network intrusion detection was the most common means of detection, by far, with 37% of respondents. Host-based intrusion detection was also very prevalent in detecting privileged account and credential misuse. Logging, account behavior, and anti-malware technology were listed as well, with only a small percentage (3%) detecting this activity through the use of privileged user management tools, as shown in Figure 4:
Figure 4: Detection Methods of Privileged Account Abuse
  Network intrusion detection: 37%
  Host-based intrusion detection: 24%
  Local system logs: 14%
  Behavioral patterns of access attempts (not in logs): 10%
  Anti-malware technology: 10%
  Privileged User Management: 3%
  Other: 2%
Two respondents marked “other” for this question, indicating that monitoring of chat logs tipped them off, as well as notification from law enforcement. Of these teams that managed to detect privileged account and credential abuse, 71% were able to determine how the attackers gained access to the privileged accounts in the first place. 29% were not, which could easily indicate a lack of root cause identification in the incident investigation. For those that could determine what happened, the majority (46.5%) found that a privileged user’s workstation had been compromised, likely by social engineering or some other form of credential theft. Pure credential theft for access to sensitive data and other valuable resources made up 31% of responses, followed by Windows-based “Pass the Hash” attacks at 18.3% (shown in Figure 5):
Figure 5: Attacker’s Methods of Gaining Privileged Access
  The initial attack compromised a privileged user’s workstation: 46.5%
  A privileged user’s credentials were stolen: 31.0%
  A “pass-the-hash” attack was used in our Windows environment: 18.3%
  Other: 4.2%
The “other” category respondents stated that insider involvement led to the attackers already having privileged account access in the first place.
Most respondents (51%) felt that the privileged account misuse had a relatively small impact on their organizations. This could be due to the attack(s) not resulting in a significant data breach, or possibly because the attacks were caught quickly. 12% stated that the attack(s) had virtually no impact at all, and only one respondent wasn’t sure. The other 36% of respondents, however, had a significant impact, such as loss of sensitive data or impact to reputation. This is more than one in three incidents, which means that many more organizations are likely to experience this in the future as these attacks continue and become more targeted. The breakdown of impact analysis is shown in Figure 6:
Figure 6: Impact of Privileged Account Access/Misuse
  Significant impact: 36%
  Minor impact: 51%
  No impact: 12%
  Not sure: 1%
Privilege Management and IT Operations
In the organizations that responded to the survey, the split was fairly close as to distribution of systems administrators. 41% have a single team of operational admins, whereas 59% have multiple teams. It’s common for larger organizations to have dedicated teams for different operating platforms and system types (like mail servers and database servers). The challenge with a distributed team model is that managing privileged accounts and the use of those credentials becomes even more difficult, especially if the teams are geographically dispersed or have some autonomy (many acquired companies’ IT teams still operate somewhat independently from the parent group, for example). Of the groups who participated, 86% also stated that they have some sort of privileged user management program in place. For the other 14%, privileged user management may be managed ad hoc, or simply not managed at all.
For the 86% of respondents who currently have some sort of privileged user monitoring and management tools within their environments, 61% indicated that they currently use single sign-on (SSO) and Microsoft Group Policy controls. Over half (52%) use a central password safe, as well. Fewer organizations than we expected listed authentication and authorization logging and log management as a key control for privileged user monitoring and management (47%), and identity management and su/sudo for Unix and Linux were also listed (shown in Figure 7):
Figure 7: Privileged User Monitoring and Management Controls
  Single Sign-On (SSO): 61%
  Group Policy controls: 61%
  Central password safe: 52%
  Authentication and authorization logging …: 47%
  Identity and Access Management (IAM) …: 41%
  Su and sudo for Unix and Linux: 31%
Compliance requirements play a major role in how organizations approach account management, authentication and authorization, and privileged user monitoring and management. 90% of respondents stated that privileged user monitoring and control was required by compliance mandates within their organizations. This tends to drive IT operations towards implementation of controls that they wouldn't otherwise be aware of or feel the need to put in place. Respondents listed a broad number of compliance mandates, as shown in Figure 8:
Figure 8: Privileged User Monitoring Compliance Requirements
  HIPAA/HITECH: 52.2%
  SOX: 42.2%
  PCI DSS: 28.9%
  GLBA: 27.8%
  FISMA: 26.7%
  NERC/FERC: 11.1%
  Others: 2.2%
Many organizations are beholden to more than one compliance or regulatory requirement, so some of the respondents chose more than one answer for this question. HIPAA and SOX were the most common requirements, which is not surprising given the size of the organizations participating. PCI DSS, GLBA, and FISMA were just under 30% of respondents for each, and NERC/FERC was only required in 11.1% of the organizations that responded. Others included NIST mandates and ISO 27001.
Conclusion
Most organizations that currently have a privileged user management strategy and program are really piggybacking on identity management and account management tools like Active Directory. Based on the current state of security breaches and attacks, it seems that many organizations are making more investments in privileged user monitoring and management. Most organizations that participated indicated that they are currently looking to invest in privileged user management and monitoring (71%). Of this group, the majority is moving quickly - within the next 6 months. Only 16% of respondents weren’t sure what their timeline will look like for implementing a privileged user management strategy, as shown in Figure 9:
Figure 9: Timeline for Privileged User Management Investment
  Immediately: 20%
  In the next 6 months: 40%
  In the next 12 months: 24%
  Not sure: 16%
This is a good sign for the industry as a whole. Privileged user accounts are some of the top targets for many attackers. By compromising a privileged user account, or leveraging it in any number of ways, attackers can often gain access to the “crown jewels” of most organizations. Investing in privileged user management can help organizations start to get a handle on this problem, and 84% of the security and IT operations teams who participated have a timeline for doing just that.
About Thycotic
Thycotic deploys intuitive, reliable solutions that empower companies to remove the complexities associated with proper control and monitoring of privileged account passwords. A 2014 Inc. 5000 company, Thycotic is trusted by more than 100,000 IT professionals worldwide – including members of the Fortune 500, enterprises, government agencies, technology firms, universities, non-profits and managed service providers.
http://www.thycotic.com
About IANS
IANS is the leading provider of in-depth security insights and decision support delivered through research, community, and consulting. Fueled by interactions among IANS Faculty and information security practitioners, IANS’ experience-driven advice helps IT security, risk management, and compliance executives make better, faster technical and managerial decisions. IANS was founded in 2001 as the Institute for Applied Network Security. Inspired by the Harvard Business School experience of interactive discussions driving collective insights, IANS adapted that format to fit the needs of the information security community.