As evidenced by the recent Twitter breach, cybercriminals increasingly target users as a way to gain unauthorized access to privileged locations in an organization’s IT ecosystem. The Twitter breach is a bit of an anomaly in terms of data security events. While employees can seek financial gain by leveraging their access to internal documents, the 2020 Data Breach Investigations Report found that over 80% of hacking breaches involved either brute force attacks or lost/stolen credentials. Limiting user access and monitoring how they use access provides a layer of security often considered an afterthought when compared to the focus on external monitoring controls.
How Cybercriminals Use Lost/Stolen Credentials
Credential theft is when a user’s login ID and corresponding
password are compromised, often then sold on the dark web. Despite media
portrayals of hackers in dark basements furiously typing code, brute force
attacks tend to be less glamorous. They occur when a cybercriminal sends a
flood of requests to an organization’s systems, networks or software, hoping to
find a user ID that corresponds to one of the commonly used password
Malicious actors download software from the dark web, then
apply an organization’s user ID formula. Most organizations use some
combination of email@example.com or
firstname.lastname@example.org. The software then allows the cybercriminal to
try various combinations of names and passwords that they hope allow them
access to the organization’s IT ecosystem.
Once the cybercriminal finds a match, he or she can access
any information that credential provides the user, allowing the threat actor to
move within the company’s systems and networks undetected. Since the
cyberattacker used valid credentials, the activity appears normal, ultimately
flying below the security team’s radar.
Working with your IT department is critical when trying to
reduce access risk arising from lost/stolen credentials. You can only mitigate
risk when you understand the full scope of your IT controls’ effectiveness.
Why Privileged Credentials Are Risky
While all user access levels can lead to a data security
incident, the jackpot of credential theft is the privileged access or user.
Users with privileged access have “superuser” powers within a company’s IT
ecosystem. Privileged access is riskiest because it grants the user higher
access rights than standard users, including making/deleting users or updating
For example, to do their job, IT administrators need nearly
unfettered access to an organization’s ecosystem. They need to create accounts
and grant access to other users. However, that also makes them a high risk user
since they could, conceivably, create fake accounts and grant them privileged
access then engage in malicious data theft or credential theft, moving around
in the organization’s systems and networks without looking suspicious.
Problematically, organizations today have a variety of
privileged users, both human and electronic. Many organizations use robotic
process automation (RPAs), computer programs that automate mundane, repetitive
tasks to reduce operational costs. However, since many of the tasks for which
they are used require privileged access, any misconfiguration that can
compromise the RPA becomes a privileged access risk to the entire IT stack.
As a risk management professional, this means that you need
to look at both the human users accessing your systems, networks, and software,
and also the potential digital or machine identities that can increase your
cybersecurity risk profile. Working closely with your IT team can help you
better understand the types of machine identities being used and the ways in
which they can compromise your risk mitigation strategies.
Enforcing Identity and Access Controls as Best Security
Best security practices pose problems for organizations, as
no set definition exists because cybercriminals continue to evolve their methodologies.
With most organizations embracing remote workforces for the foreseeable future,
on-premises security controls no longer provide the necessary protection. As
your organization uses more cloud-delivered technologies and services, you need
to re-assess your IT and identity risks.
To secure data and protect privacy, companies should look to
the identity perimeter to limit access and monitor privileged access within
their ecosystems by taking the following steps:
Apply the Principle of Least Privilege
The first step to creating best Identity and Access Management (IAM) practices is to ensure that all users have only the access they need to fulfill their job functions and nothing more. For example, someone in human resources might need access to an employee’s address, but not all the banking information attached to the record if they are not in the payroll area.
Mitigating these risks means understanding how users access
information and what information they need to access. Reducing the amount of
data users access reduces the likelihood that users will accidentally leak
Apply Attribute-Based Access Controls
Remote employees can now access sensitive information from anywhere—home, coffee shop or even smartphone. By increasing the number of access locations, they also increase the attack surface. Leveraging attributes that directly address these new risks can help you reduce the likelihood of a data breach by limiting how, when, or where user access information. This limitation enforces your access policies and mitigates the risks associated with an account takeover by preventing suspicious-looking access.
Most IAM strategies start by assigning users to roles within
the organization. For example, someone is an HR manager, so they need a certain
set of rights within the organization’s system. However, role-based access
controls (RBAC) only limit access based on what the user does in the company.
With attribute-based access controls (ABAC), organizations can set additional
contextual attributes such as geographical location, IP address, or time of
day. This additional context allows the organization to limit access to high
risk resources on a more detailed level. With the explosion of remote work,
ABAC provides a way to limit users’ access when the organization has determined
that a location or time of day would be considered riskier. For example,
someone using a public WiFi is at a higher risk of a “man in the middle” cyberattack
than someone using their home WiFi. If the organization sets trustworthy IP
addresses, then users cannot access sensitive information from public WiFis,
reducing the attack surface.
Continuously Monitor Access
The same continuous monitoring mantra that exists at the network perimeter also holds true at the identity perimeter. With user access monitoring, organizations can review the resources accessed to ensure they are appropriate to the users’ needs. Organizations need a way to detect suspicious access to sensitive information. For example, if an HR representative is accessing health care information at 2 a.m., the organization needs to know whether that employee typically works late at night or whether this signals a potential data security incident. Without visibility into when and how users interact with data, organizations cannot prove that they enforced their access policies as a best practice.
Visibility into anomalous data access reduces risk by helping
you identify a potential data security incident before a cybercriminal steals
information. In the alternative, should a cybercriminal manage to steal
sensitive data, your continuous monitoring can help you reduce the time spent
in your IT stack and trace the risky access.
Digital Transformation, Remote Work and Securing Data
Digital transformation, accelerated by the rapid move to
remote working, streamlines productivity but also increases risks. With more
users connecting more devices from more places at less regular times, identity
and access must be an integral part of an organization’s data security.
Establishing and enforcing strict access policies is now
more important than ever before. Malicious actors will continue to look for
user accounts that act as backdoors to organizations’ systems, networks, and
software. To secure data, risk managers need to be more actively engaged in
monitoring access and mitigating potential threats arising from compromised