Cybersecurity professionals need to learn to expect the unexpected
Long before Monty Python turned the phrase “expect the unexpected” into a catchphrase during a skit about the Spanish Inquisition, the Irish poet and playwright Oscar Wilde observed that being able to “expect the unexpected shows a thoroughly modern intellect.”
Cybersecurity professionals generally have confidence in their ability to rebuff external threats as cybercriminals test the strength of their defenses every day. However, as far as the actions of employees, contractors and suppliers are concerned, cybersecurity confidence becomes far less certain. Two separate surveys published by BeyondTrust and Centrify, which are both focused on tools for privileged access management (PAM), illustrate the extent of the challenge.
The survey of 1,006 IT leaders conducted by BeyondTrust finds more than two-thirds of respondents (64%) believe their organization suffered either a direct or indirect breach due to employee access in the last 12 months. The survey further notes 62% of respondents believe there was a breach caused by a vendor accessing their systems. A quarter of respondents (25%) said they have confirmed a breach was caused by an external vendor accessing their systems.
The Centrify survey of 1,300 organizations finds that while 93% of respondents said they believe they are somewhat prepared to deal with threats involving privileged credentials being compromised, a full 79% conceded they did not have a mature Privileged Access Management (PAM) strategy in place. Over half (52%) said they didn’t even have a password vault, while 58% of organizations do not employ multi-factor authentication (MFA) for privileged administrative access to servers.
More troubling still, 52% of organizations are using shared accounts for controlling privileged access, and many do not have privileged access controls in place for cloud workloads (38%), Big Data projects (65%), and containers (50%).
The Centrify report suggests there is a certain amount of hubris occurring before the inevitable cybersecurity fall. Cybersecurity professionals need a certain level of confidence to rise to the challenges they face every day. However, cybersecurity professionals may not be accounting for all the myriad ways credentials can be compromised. Cybersecurity professionals would at the very least be well advised to have some of their assumptions concerning privileged access controls validated by a third party.
In the meantime, many cybersecurity professionals might be chagrined to discover how many of those credentials are already floating around the Dark Web. A new report from the University of Surrey in the United Kingdom suggests that cybercriminals are focusing their efforts on specific business targets more than ever. The report finds that remote access credentials are available on the Dark Web for anywhere from $2 to $30 each, with the cost to purchase targeted attacks on enterprises averaging around $4,500.
There is, of course, plenty of blame to go around for the current sad state of cybersecurity affairs. It’s really only a matter of time before cybersecurity professionals find themselves dealing with a breach involving compromised credentials. The real issue is to what degree cybersecurity teams can first limit the number of opportunities for those credentials to be compromised and then, as they come to expect the unexpected, limit the damage caused by that almost inevitable breach.