Privileged accounts are gold mines for malicious actors. They offer persistent access to valuable corporate resources and pose massive risk to organisations. Once authentication has been breached and credentials are obtained by an adversary, moving laterally, and accessing multiple resources, is too easy.
The most privileged access is not always granted to the most senior employees. Administrative and personal assistants often have the greatest access to corporate resources. They are low hanging fruit for attackers -usually among the least well-prepared to deal with breaches or attacks like phishing emails. Privilege promiscuity like this creates challenges around not only Privileged Access Management (PAM), but also other digital risk controls.
Scaling PAM is Complex
Think of PAM as a way of stopping people from abusing privilege. Imagine that you need a handyman for some repairs. The handyman is granted access to your house through the front door and is guided to the kitchen. The handyman is monitored and exits the kitchen as soon as the job is completed. The handyman then leaves the house. The worst outcome is a shoddy job or perhaps the theft of small pieces of cutlery or a few fridge magnets. In other words, the handyman’s access has been managed and privilege was only granted as needed. This is good PAM.
Bad PAM is a scenario where the handyman is granted access to your home and nobody is in to monitor the handyman’s activities. The handyman could be honest do the job and then depart. But, there is a significant risk that the handyman takes advantage of the privileged access granted. The handyman has access to all the rooms in the house and all the items in the house. The handyman can invite other people into the house, including a friend who can remove and copy data from all resident hard drives in the house. This access enables the handyman to steal credit cards, jewelry, PII, credentials and more.
Now, imagine that there are hundreds of handymen and other workers entering and exiting a house at varying times and for different purposes – each with distinct tasks and a need for access to different rooms and items, 24/7. This is the challenge faced by security operations – there are often hundreds or thousands of users with differing privileges to manage. Organisations are struggling to keep up with the sheer scale of the PAM challenge with all its moving parts. PAM also needs to consider the ongoing change in roles and responsibilities of staff, which directly impacts requirements for privileged access.
Privilege Sprawl and Privilege Overkill is Rife In Asia
Once an adversary breaches a privileged account, and is able to move laterally, they can access email accounts, intellectual property, employee data, customer data, sales data, invoicing approvals, expense approvals, and many other systems and processes. In addition to being exposed to short-term financial risk, an organisation also faces operational, legal, and reputational risk from such a breach. The attacker can unload ransomware or other malware to sabotage operations. They can steal PII and credentials, to sell them or use them to cause reputational and legal damage to the victim.
Privilege sprawl is common in Asian organisations. IT departments often struggle to keep track of who has access to what. Worse, IT departments typically over-provision their stakeholders with access. They are usually more concerned with getting positive feedback for the IT resources they provide from the business, than in aggressive risk management.
Specialised PAM solutions have emerged to mitigate the risk associated with unauthorised account access. The term privileged access management is a bit of misnomer. Today’s organisations need to ensure that all access is managed correctly. With an expanding number of devices, bots and people accessing corporate resources, the scope of PAM solutions is much broader than managing privileged accounts alone.
A Zero Trust Approach to PAM is Necessary
Organisations need to take a zero trust approach to PAM. Just-in-time access (JITA) needs to become the norm, ending persistent privileged access. Access needs to be granted for the minimum amount of time with the minimum rights required, ending privilege promiscuity. Zero standing privilege needs to be the default state of systems and networks. Access must be denied as soon as necessary work is complete and only provisioned when needed again. This approach is needed for risk management but few organisations in Asia have achieved this goal. The sheer number of moving parts involved in such an exercise makes it particularly onerous – this is where PAM solutions play a role.
Here’s a list of Ecosystm’s top five predictions that will affect enterprises, cybersecurity leaders, remote workers and the security posture in 2021. Signup for Free to download the report.
Cybersecurity Industry Call for Innovation in collaboration with 10 participating organisations, including the Integrated Health Information Systems (IHiS), Jurong Town Corporation (JTC), Keppel Data Centres, Ministry of Defence (MINDEF), and Ministry of Health (MOH). The aim is to build capability in areas such as:
2020 is a significant year for Singapore’s Smart Nation vision, as the Government takes stock of what they have achieved and shape their journey forward till 2025 (or 2030, in some instances). Singapore Digital (SG:D) has introduced several initiatives to empower small and medium enterprises (SMEs) with cloud-native solutions and digital payments. Cybersecurity remains a concern and the Cyber Security Agency (CSA) was established in 2015 with the express purpose of making cybersecurity a foundation for digital adoption in enterprises and citizens. Late last year the CSA and TNB Ventures announced the 2019- Cyber Readiness. To support cyber self-assessment and ensure overall cyber preparedness
- Industrial Protection. To defend Operational Technology (OT) systems against potential cyber threats
- Secure Access. To help users manage authentication and ensure safe systems access
- Smart Detection. To identify anomalies and intrusions and provide intelligent threat analysis.
CSA recently announced that 9 cybersecurity organisations have been selected to receive USD 0.70 million to build security capabilities to boost Singapore’s defences in critical industries such as Healthcare, Energy & Utilities, Smart City and Public Sector, under the Co-innovation and Development Proof-of-Concept Funding Scheme.
The organisations selected – Group-IB; Secure IC; Acronis; Amaris AI; Scantist; SecureAge; Insider security; EY Advisory; and Emerson – bring a range of cybersecurity capabilities product and service capabilities, to address critical cybersecurity challenges in analysing and predicting attacks from various sources, threat actors and cybercriminal identities.
Singapore’s Continued Focus on Cybersecurity
Singapore has witnessed various threats and breaches at industrial and Government level. Ecosystm Principal Advisor Andrew Milroy says, “The Singapore Government faces an increasing risk for malicious cyber activity. The SingHealth breach of 2018 highlighted the importance of up-to-date cybersecurity within Singapore government agencies. Of particular concern is the growing threat from nation state actors – this is particularly difficult to guard against. These advanced and persistent threats are common and often difficult to detect.”
“Of particular importance is taking a zero-trust approach to cybersecurity – once someone gets into your network, their access to resources must be restricted. Tight control of privilege is also often overlooked so Privileged Access Management (PAM) is critical. CSA is working with these 9 local cybersecurity companies to provide ‘best-of-breed’ customised cybersecurity solutions that will strengthen the cybersecurity posture of government agencies and minimise operational, reputational and legal risk.”
In October last year, CSA announced it’s Operational Technology (OT) masterplan to secure systems in the OT environment, develop OT cybersecurity training programs, strengthen OT policies and mitigate emerging OT cyber threats. One of the key challenges that organisations face in implementing cybersecurity measures is the lack of cyber skills. CSA’s Cybersecurity Career Mentoring Programme provides career guidance to young aspiring professionals and tertiary students who are keen to pursue their career in cybersecurity. In June CSA partnered with SCS to organise the program.
Through such programs and initiatives, Singapore aims to strengthen its cyber resilience and make cyber capability a foundation for its Smart Nation vision.