HOT TOPIC
The five deadly sins that increase
the risks of a data breach
Despite prioritising privileged access management, a majority of enterprises
fail to prevent the abuse or misuse of privileged credentials, says
BeyondTrust’s vice president of technology, Morey J. Haber.
BeyondTrust has
announced its annual
Privileged Access
Management survey
which identified the
‘Five Deadly Sins of Privileged
Access Management,’ and how
they prevent organisations from
effectively protecting sensitive
information.
For years, security experts
have outlined best practices for
privileged access management
(PAM) in an effort to reduce
problems associated with the
abuse of privileged credentials.
Despite this, IT organisations
continue to struggle with
privileged access management.
To understand why,
BeyondTrust recently surveyed
nearly 500 IT professionals from
around the world with involvement
in privileged access management.
Because so many attacks start with
the misuse of privileged accounts,
it is not surprising that respondents
rated the following three security
measures as somewhat to
extremely important to their efforts:
Privileged access management (83%)
Privileged session management (74%)
Privilege elevation management (74%)
When asked what issues keep
them awake at night, respondents
most often cited the misuse of
personally identifiable information
(86%), downtime of computing
systems (85%), and loss of
intellectual property (80%).
16 | September 2017
Yet, despite these
widespread concerns, Forrester
research finds that 80% of
data breaches are the result
of the abuse or misuse of
privileged credentials. The
BeyondTrust survey finds the
‘5 Deadly Sins of Privileged
Access Management’ are to
blame for this contradiction
between the fact that so many IT
organisations struggle to secure
sensitive information despite
their high levels of awareness
and commitment to PAM:
Apathy
When asked to list the top threats
associated with passwords,
respondents listed employees
sharing passwords with
colleagues (79%), employees not
changing default passwords their
devices ship with (76%), and
using weak passwords like ‘12345’
(75%). Despite knowing better,
respondents admitted that many
of these same bad practices are
common within their organisation.
A third of the respondents report
users routinely share passwords
with each other, and a fourth
report the use of weak passwords.
Shockingly, one in five report
many users don’t even change the
default passwords!
Greed
Users often insist they need full
administrative privileges over
their devices, and that creates
problems for IT. Some 79% of
respondents cited allowing users
to run as administrators on their
machines as their biggest threat,
followed by not having control
over applications on users’
machines (68%). Yet, nearly
two in five respondents admit
it is common for users to run as
administrators on their machines.
It is no surprise that many
respondents say these practices
have directly caused downtime of
computing systems.
Pride
As the saying goes, pride
cometh before the fall. One in
five respondents say attacks
combining privileged access with
exploitation of an unpatched
vulnerability are common.
Simply patching known system
vulnerabilities can prevent most of
today’s commonly-reported attack
vectors. Yet, too often, IT does not
stay current on their patches.
Ignorance
Two-thirds say managing least
privilege for Unix/Linux servers
is somewhat to extremely
important. One popular option
is Sudo. However, just 29% say
Sudo meets their needs. The
most commonly cited problems
with Sudo include being time-
consuming to use (32%),
complexity (31%) and poor version
control (29%). Despite this, the
typical respondent runs Sudo on
40 workstations and 25 servers.
Envy
Enterprises are rushing to embrace
cloud computing. Yet, more than
a third report that they are not
involved in protecting SaaS
applications from privileged
access abuse.