«Keep the target small» – Minimize damage from cyber attacks

What can companies do to make life as difficult as possible for hackers? How can security resources be used efficiently and effectively?

Author: Christian Zeiler

In the age of digitalisation, it is inevitable that a company's systems will be opened up to the outside world. This opening promises more business value. But it also increases the risk of becoming the target of a cyber attack! What can companies do to make life as difficult as possible for hackers? How can the security resources of a company be used efficiently and effectively?

Many lectures and workshops at the European Identity & Cloud Conference 2016 have shown that the establishment of a Privileged Management System is an important step to secure the systems of a company.

Abuse of privileges as the most common cause

Verizon publishes a Data Breach Investigation Report (DBIR) every year, in which about 70 international companies participate. This report provides an overview of the major threats facing companies today. DBIR 2016 documents that over 80% of incidents are covered by just nine different threat scenarios. In second place in this list of threat scenarios is the scenario «Insider and privilege misuse», with 16.3% of incidents. This scenario is divided into further categories, with the category «Privilege abuse» being by far the most common. 70% of these attacks are discovered only after months, and in the worst case only after years.

Figure 1: Figures on «Insider and privilege misuse». Source: Data Breach Investigation Report 2016

Hackers proceed systematically

A recent example of such a cyber attack is the one on the Swiss arms company Ruag. According to current press reports (Tagesanzeiger: Ruag hackers have stolen 20 gigabytes of data), about 20 gigabytes of data were stolen in this attack. The Reporting and Analysis Centre for Information Assurance Melani has published a report on this cyber attack. It states that the attack had already begun in September 2014. The hackers proceeded systematically: step by step, they took control of the systems and thus obtained more and more permissions with which to continue their attack.

Figure 2: Time course of the cyber attack on Ruag. Source: Melani - Technical Report about the Espionage Case at RUAG

Keep the target small

The Melani report clearly shows that 100% protection of a company's systems against such attacks can only be achieved with enormous effort. The goal of a good security concept must therefore be to use the available resources as efficiently as possible, so that the playing field open to potential attackers remains controllable and manageable - keep the target small!

Establish security principles

An important step in securing the systems of a company is certainly the establishment of an effective and efficient Privileged Management System (PxM system). When implementing a PxM system, the first step a company should take is to enforce the following basic principles.

Inventory of accounts with Privileged Access

Accounts that have more rights than a standard user account must be documented and managed. The company must define processes that continuously update this documentation.

Control of «Shared Accounts»

Shared accounts are used by several people, typically for the administration or installation of software products. Processes and controls must be established to prevent the credentials from being known to several people at the same time.

Implementation of the «least privilege» principle

Accounts, whether used by people or machines, should have only as many privileges as they need to complete the current task.

Realization of «Separation of Duties» (SoD)

There must be a clear separation between the creation, confirmation and implementation of a change request. It must not be possible for all these tasks to be performed using the same account.

Use of «Two-Factor Authentication»

For accounts with higher privileges, the system should require strong authentication. This will make it more difficult for hackers to use these accounts and will provide greater assurance of the person's identity.

Logging & Monitoring

The actions performed using privileged accounts must be recorded and monitored.

Automate enforcement of the principles

The implementation of these principles by a company is an important first step to minimize the vulnerability to cyber attacks and make life as difficult as possible for hackers.

As a second step, a company should plan to automate the enforcement of these principles where appropriate and expand the list of principles and measures. Products for this automation are available on the market from various providers. This will be the subject of a future blog post.
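To show what automated enforcement of the six principles above can look like in code, here is a small policy engine written as an added example for this page. It is not code from the post or from any PxM product; the vault and function names (PxmVault, checkout, checkin, approve, implement), the accounts, users, rights and timestamps are all constructed for illustration. Each method is labelled with the principle it enforces: an inventory that can be diffed against accounts observed on systems, shared-account checkout that allows one holder at a time and rotates the secret on check-in, a least-privilege review of rights beyond documented needs, a separation-of-duties check across request, approval and implementation, a strong-authentication gate for privileged checkouts, and an audit log of every decision.

```python
"""Added example: toy privileged-access vault enforcing the post's six PxM principles.
All names, accounts and timestamps are constructed; API names are hypothetical."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class PolicyViolation(Exception):
    """Raised when an action would break one of the PxM principles."""


@dataclass
class Account:
    name: str
    privileged: bool
    rights: set[str]                      # rights the account actually has
    needed: set[str]                      # rights its documented tasks require
    shared: bool = False
    holder: str | None = None             # current holder of a shared account
    holder_until: datetime | None = None  # end of the current checkout window
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class ChangeRequest:
    requester: str
    approver: str | None = None
    implementer: str | None = None


class PxmVault:
    def __init__(self) -> None:
        self.inventory: dict[str, Account] = {}   # principle 1: inventory
        self.audit: list[dict] = []               # principle 6: logging & monitoring

    def _log(self, action: str, user: str, account: str, **detail) -> None:
        self.audit.append({"action": action, "user": user, "account": account, **detail})

    def register(self, acct: Account) -> None:
        self.inventory[acct.name] = acct
        self._log("register", "system", acct.name)

    def unregistered(self, observed: set[str]) -> set[str]:
        """Principle 1: accounts seen on systems that are missing from the inventory."""
        return observed - self.inventory.keys()

    def excess_rights(self, name: str) -> set[str]:
        """Principle 3 (least privilege): rights beyond what the account's tasks need."""
        acct = self.inventory[name]
        return acct.rights - acct.needed

    def checkout(self, name: str, user: str, mfa_ok: bool, now: datetime,
                 ttl: timedelta = timedelta(hours=1)) -> str:
        """Principles 2 and 5: one holder at a time, only after strong authentication."""
        acct = self.inventory[name]
        if acct.privileged and not mfa_ok:
            self._log("checkout_denied", user, name, reason="mfa_required")
            raise PolicyViolation("strong authentication required")
        if acct.shared and acct.holder and acct.holder != user and acct.holder_until > now:
            self._log("checkout_denied", user, name, reason=f"held_by:{acct.holder}")
            raise PolicyViolation(f"{name} is checked out by {acct.holder}")
        acct.holder, acct.holder_until = user, now + ttl
        self._log("checkout", user, name, expires=acct.holder_until.isoformat())
        return acct.secret

    def checkin(self, name: str, user: str) -> None:
        """Principle 2: rotate the secret on return so no two people ever hold a valid one."""
        acct = self.inventory[name]
        if acct.holder != user:
            raise PolicyViolation(f"{user} does not hold {name}")
        acct.secret = secrets.token_urlsafe(16)
        acct.holder = acct.holder_until = None
        self._log("checkin_rotate", user, name)


def approve(cr: ChangeRequest, approver: str) -> ChangeRequest:
    """Principle 4 (SoD): the requester may not approve their own change."""
    if approver == cr.requester:
        raise PolicyViolation("requester cannot approve own change")
    cr.approver = approver
    return cr


def implement(cr: ChangeRequest, implementer: str) -> ChangeRequest:
    """Principle 4 (SoD): neither requester nor approver may implement the change."""
    if cr.approver is None or implementer in (cr.requester, cr.approver):
        raise PolicyViolation("separation of duties violated")
    cr.implementer = implementer
    return cr


def _denied(fn, *args) -> bool:
    """True if the action was blocked by policy."""
    try:
        fn(*args)
        return False
    except PolicyViolation:
        return True


def demo() -> dict:
    """Walk the principles through one constructed scenario and return the outcomes."""
    vault = PxmVault()
    vault.register(Account("root-db01", privileged=True, shared=True,
                           rights={"sudo", "db_admin", "backup"}, needed={"db_admin"}))
    t0 = datetime(2016, 6, 1, 9, 0)
    out = {"undocumented": vault.unregistered({"root-db01", "svc-legacy"}),
           "excess": vault.excess_rights("root-db01"),
           "no_mfa_denied": _denied(vault.checkout, "root-db01", "alice", False, t0)}
    first = vault.checkout("root-db01", "alice", True, t0)
    out["second_holder_denied"] = _denied(vault.checkout, "root-db01", "bob", True, t0 + timedelta(minutes=10))
    vault.checkin("root-db01", "alice")
    out["rotated"] = vault.checkout("root-db01", "bob", True, t0 + timedelta(minutes=20)) != first
    cr = ChangeRequest(requester="carol")
    out["self_approval_denied"] = _denied(approve, cr, "carol")
    approve(cr, "dave")
    out["approver_implement_denied"] = _denied(implement, cr, "dave")
    out["implemented_by"] = implement(cr, "erin").implementer
    out["audit_actions"] = [e["action"] for e in vault.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is the piece that makes the other five principles verifiable after the fact: denied checkouts are logged as well as granted ones, so a monitoring rule can alert on repeated denials against a privileged account long before a months-long intrusion of the kind described above would otherwise surface.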