The Most Fundamental Endpoint Security Problem is a Privilege Problem

Privilege escalation is at the center of the cyber attack cycle. Why? Because attackers need the credentials of an insider, and administrative credentials give them the power to move laterally throughout the data center, to access high-value servers and to take over domain controllers. Organizations now realize that securing privileged access is the first step they need to take to protect themselves from damaging cyber attacks, but it’s important to remember that privileged access is a security challenge across the entire IT infrastructure – not just the data center.

Privileged accounts exist in EVERY piece of technology in the organization: every server, every database, every application including SaaS, every domain controller, every hypervisor and, of course, every endpoint. Securing privileged access on the endpoint is just as important as securing privileged access to servers and domain controllers.

Ownership is Privilege

There are a number of reasons why privilege security at the endpoint is critical. I’ll keep it short and focus on one very important concept: ownership of the endpoint. Privileged access gives a user total control over the endpoint, including the ability to decide who can do what on the machine. If control of the machine remains with a trusted systems administrator, the company controls it; the company retains “ownership” of the device. Once an attacker gains privileged access to an endpoint, s/he has total control over that machine, and ownership now belongs to the attacker. As a result, the attacker can decide who can access the machine, create and modify user accounts, change configuration settings, disable or uninstall anti-virus, install malware, reset local passwords, access data that belongs to others, and so on.
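Every one of those ownership-changing actions leaves a record in the Windows Security log, so the transfer of ownership described above is observable if anyone is looking. The script below is an added example written for this article, not CyberArk code: it scans structured Security log records (constructed inline, using the Security log’s own field names, with event IDs 4720 account created, 4724 password reset, 4732 member added to a local group, 1102 audit log cleared) and flags any of those actions performed by an account that is not on the organization’s sanctioned admin list. The host name, user names and the trusted-admin set are assumptions for illustration.

```python
"""Flag endpoint events that change who 'owns' a machine.

Added example, not CyberArk code. It walks structured Windows Security
log records (constructed below; real ones would come from Get-WinEvent
or a SIEM export) for the actions an attacker with local admin rights
takes to cement control: creating accounts, adding members to the local
Administrators group, resetting passwords and clearing the audit log.
Anything done by an account outside the sanctioned admin list is flagged.
The trusted-admin list, host and user names are assumptions.
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"

# Security log event IDs and what each means for ownership of the endpoint
WATCHED_EVENTS = {
    4720: "local user account created",
    4724: "password reset on another account",
    4732: "member added to the local Administrators group",
    1102: "security audit log cleared",
}

# Constructed sample records, in the order they would appear in the log.
SAMPLE_EVENTS = [
    # sanctioned: the endpoint management service account grants jdoe local admin
    {"EventID": 4732, "Computer": "WS-0412", "SubjectUserName": "svc_sccm",
     "MemberName": "CORP\\jdoe", "TargetSid": ADMINISTRATORS_SID},
    # jdoe (or whoever holds jdoe's credential) now decides who else is an admin
    {"EventID": 4720, "Computer": "WS-0412", "SubjectUserName": "jdoe",
     "TargetUserName": "support2"},
    {"EventID": 4732, "Computer": "WS-0412", "SubjectUserName": "jdoe",
     "MemberName": "WS-0412\\support2", "TargetSid": ADMINISTRATORS_SID},
    {"EventID": 4724, "Computer": "WS-0412", "SubjectUserName": "support2",
     "TargetUserName": "Administrator"},
    {"EventID": 1102, "Computer": "WS-0412", "SubjectUserName": "support2"},
    # noise: a non-admin group change and an ordinary process start
    {"EventID": 4732, "Computer": "WS-0412", "SubjectUserName": "svc_sccm",
     "MemberName": "WS-0412\\jdoe", "TargetSid": REMOTE_DESKTOP_USERS_SID},
    {"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

# Assumption: the only account sanctioned to administer endpoints.
TRUSTED_ADMINS = {"svc_sccm"}


def flag_ownership_changes(events, trusted_admins):
    """Return (event_id, actor, reason) for each watched action by an untrusted actor.

    A 4732 only counts when the target group is Administrators; additions to
    other local groups are skipped so the output stays actionable.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "")
        if eid not in WATCHED_EVENTS:
            continue
        if eid == 4732 and ev.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        if actor in trusted_admins:
            continue
        detail = ev.get("MemberName") or ev.get("TargetUserName") or ""
        reason = WATCHED_EVENTS[eid] + (f": {detail}" if detail else "")
        findings.append((eid, actor, reason))
    return findings


if __name__ == "__main__":
    for eid, actor, reason in flag_ownership_changes(SAMPLE_EVENTS, TRUSTED_ADMINS):
        print(f"[{eid}] {actor}: {reason}")
```

Run as-is, the script reports four findings: jdoe creating support2, jdoe adding support2 to Administrators, support2 resetting the built-in Administrator password, and support2 clearing the audit log. The first 4732, performed by the sanctioned service account, is not flagged, which is the point: the same event looks benign or hostile depending on whether the actor is one the company trusts with ownership of the machine.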

Microsoft’s Security Response Center’s 10 Immutable Laws of Security state this very clearly. There are multiple “laws” that articulate the need to secure admin credentials, but read #6 carefully:

A computer is only as secure as the administrator is trustworthy

“Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that the individual have control over the computer. This puts the administrator in a position of unequalled power.”

This applies equally to authorized administrators who make mistakes or go rogue and to any unauthorized user or executable acting under an administrative credential.

Knowing this, it’s a mystery to me why organizations continue to add layers of endpoint controls and detection without first securing admin accounts. This most basic, but most important, security control is missing.

Prioritize Privileged Account Security

Organizations have spent billions of dollars trying to protect themselves from cyber attacks. Yet the number of attacks continues to grow. Industry benchmarks show cyber crime costs an enterprise organization $15 million per year on average, with the overwhelming majority of attacks originating on the endpoint.

Attackers know that a user’s log-in credentials are a far easier point of infiltration than a network or software exploit. Organizations try to train their employees not to click on malicious email, but phishing attempts persist and are increasingly sophisticated. Raising the bar for security literacy is a worthy endeavor in the digital age of business, but education alone will not contain an attack at the endpoint.

There will always be a new “threat du jour.” Taking a layered approach to security is smart, but there is no silver bullet. For this reason, it’s important to have measures in place to contain the damage of a breach and to mitigate risk. Remember the common denominator across every tool in your security toolbox: each of them runs on, or is managed through, privileged accounts. For this reason and others, protecting privilege must be a priority.

CyberArk has focused on privileged account security for more than a decade, and we know what damage can be done when an attacker has access to privileged credentials. Some companies have learned the hard way – and locking down privileged credentials was among the first actions taken during remediation.

We continuously innovate our products to address market needs, and we recently introduced CyberArk Endpoint Privilege Manager to help organizations contain attackers early in the lifecycle by interlocking three core capabilities: privilege management, application control and new targeted credential theft detection. The goal is to stop and contain damaging attacks at the endpoint. Instead of adding layers of preventative endpoint security controls on a weak foundation, we offer a different, proactive approach.