We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Cyberattack warnings have become so frequent that it’s easy to tune them out. Your company has loaded up on security tools and run its Red Team drills. You’re confident you’ve done all you can.
Executives at Microsoft and the chip-making giant Nvidia were likely feeling the same way until the companies suffered excruciating breaches through common, easy-to-exploit holes. It just goes to show that even the most tech-savvy companies are at risk. Cyberattacks in the U.S. more than quadrupled last year and hackers are still gaining entry in ways both sophisticated and obvious. Here are three common holes they’re exploiting in corporate cyber defenses, plus some easy-to-implement solutions:
Cyber defense and privilege escalation
Say you’ve hired someone on the help desk, granting them privileges to install patches and software. Later, the employee is transferred elsewhere in the organization, but their privileges remain. That’s because most companies have strict protocols for handing them out – but not many for withdrawing them. This lack of withdrawal is a major cybersecurity weak point.
As the help desk situation is repeated across your organization, companies become laden with unneeded privilege. Each account pushes you closer to a successful attack. Privilege escalation was the root cause for a breach at Block, where an ex-employee leveraged access that should have been removed.
Some organizations de-emphasize the problem. Most CISOs know hackers gain little by burrowing into frontline workers’ accounts. Without admin privileges, there’s no way to install malware or ransomware. Yet as privilege escalates, more fruitful points of entry multiply.
Take the recent breach of Okta, which was as simple as it was effective. Hackers exploited the privileges of a subcontractor’s engineer, installed code downloaded from the internet and soon had the keys to a $23 billion cloud software firm.
Then they gained access to about 366 Okta customer accounts. To add insult to injury, Lapsus$, the group responsible, posted screenshots of its bounty and publicly taunted Okta for its failings.
Though no cyber defense is perfect, companies can reduce risk by allowing privilege only as needed – and employ even greater vigor to withdrawing it. Protect your company by stopping the problem before it starts.
The risk of lateral movement
Hackers aren’t much different from bank robbers. They both need reconnaissance to be successful. They get it by laterally moving through your organization.
After capturing one system, criminals can move to the next and the next, sizing up defenses and probing for a path to your crown jewels. To be sure, breaching an administrator’s account for shipping and receiving might not bring treasure in the form of confidential information, privilege escalation or lateral movement. But if hackers can access someone in the financial group, devops or even the CEO’s executive assistant, they’ve found a route to sensitive material.
At some companies, an administrator credentialed for one part of a network is automatically granted access to another. It’s a recipe for disaster. If there’s no pressing need for them to be there, it only adds another gateway to attack.
One solution is air gapping, meaning there’s no direct connection between one part of your network and another. Preventive software then adds a second rampart, allowing for adjustments on the fly. When an attack is identified, it automatically air gaps critical data, isolating data you can least afford to lose.
A stale response plan
You already have an incident response plan. How fresh is it? If you haven’t been running tabletop exercises – staging varied levels of attack to check for vulnerabilities – you’re likely at risk. As modes of assault change, you need to know how effectively your defenses can adjust. How quickly can you respond? Who’s responsible for shutting down which systems? Who needs to be informed at various levels of a breach?
We once got a call from a Fortune 500 medical technology firm with an attack in progress. Privileged escalation and lateral movement were happening at network speeds: As soon as a system was reinstated with its golden image, it was compromised again, literally in milliseconds. At the same time, alarms were ringing across the entire network, with tens of thousands of systems at stake. The incident response plan simply couldn’t keep up.
Hackers continue to escalate their game by writing new ransomware and dusting off old tricks thought to be solved. CIOs and CISOs respond by throwing the latest software at the threats and implementing new responses. Yet the real danger lies in complacency. Sometimes it pays to get back to basics: Review privilege escalation, shut down lateral movement and never stop updating and testing response plans.
The time and money a company invests in its cybersecurity today is nothing compared to what comes after a breach. No one wants to explain to one’s customers why your efforts weren’t enough.
Raj Dodhiawala is president of Remediant.