EDITOR’S QUESTION
BRIAN CHAPPELL, SENIOR DIRECTOR, ENTERPRISE & SOLUTION ARCHITECTURE, BEYONDTRUST
While I don’t believe it’s becoming
easier for cybercriminals to
gain access to company data,
what’s alarming is that it’s not becoming
harder. We continue to see high-profile
organisations coming forward revealing
significant data breaches where losses can
number in the tens of millions of personal
records. The majority of these breaches
follow very similar patterns. The Verizon
Data Breach Investigation Report identifies
nine common patterns of attack, most of
which rely on one or more basic security
controls not being effective. It’s clear that
organisations are still falling somewhat
short of what I’d call the four foundational
elements of cybersecurity: vulnerability
management, shared privileged account
management, user privilege management
and identity management. The attack chain
for the cybercriminal has remained largely
unchanged for many years:
1. Identify and exploit a vulnerability
(technical or human)
2. Gain access to a privileged account
3. Move laterally across the network looking
for the jewels
4. Exfiltrate the data
The first point can be addressed through
effective vulnerability management. Again,
Verizon have stated that over the past five
or so years, over 90% of successful attacks
could have been prevented relatively easily.
Focusing on those vulnerabilities that have
known exploits published on the Internet,
or even included in commodity tools on
the dark web, will quickly help to eliminate
that risk. Recent DBIRs have highlighted
vulnerabilities that date back to 1999 and
1998 being used in the past few years, a
clear indication that the focus of many
organisations isn’t where it should be.
The second point is manifold, encompassing
both the privilege that users have with their
regular login accounts as well as the shared
privileged accounts they may have access to.
Vulnerabilities are also used here to gain local
privileges which then allow the harvesting
of directory-based privileged accounts such
as Domain Administrator (under Windows),
enabling lateral movement and data access.
It’s also all too common to find users with
either far more privilege than actually
necessary associated with their account or
with direct access to a second privileged
account. When combined with poor password
hygiene, you have a veritable gold mine for
the hacker. Points 3 and 4 are the outcomes
of the shortcomings in 1 and 2; if we can
tackle 1 and 2 effectively then we have the
best chance to limit the impact of, or even
prevent, 3 and 4. Tooling exists to take full
control over user access to the systems in
your organisation, not just those indicated as
critical, and it’s not rocket science.
It’s crucial that organisations take all
necessary steps to make it harder for
cybercriminals to gain access to company
data, not least because much of it is my
and your personal data. The looming
GDPR is causing many to take a hard look at
their data controls, which is great for us and
the organisations themselves as it provides
protection for us and an external driver for
the organisation. Many of the regulations
around data protection and data privacy
offer great toolkits from which to draw best
practices, even if they don’t apply to your
organisation yet. In our ever more connected
world, even if the regulations don’t apply to
you, they may apply to one of your partners
and will eventually apply to you too. It’s
better to be ahead of the wave than left
floundering when it crashes over you.
INTELLIGENTCIO