Privileged Accounts are Sources of Vulnerabilities – Part 2

Pic Credit : Lavi Lazarovitz, CyberArk Research Lab Team Leader

This is a continuation from a previous article – Privileged Accounts are Sources of Vulnerabilities – Part 1.

In the previous article, Mr Lavi Lazarovitz, CyberArk Research Lab Team Leader, explains that hacking privileged accounts are as easy as 1-2-3-4. As much as it is easy for the attacker to pry the system, plugging the loopholes is no easy feat.

Lavi illustrates an analogy for explanation. Try spotting a checkmate on a board with thousands of pieces on it. The pieces represent many machines, accounts, serverless functions. Moreover, there are different policies and permissions which are used. Spotting the checkmate isn’t a case of black and white.

Lord Over the Darkness

Developers and engineers have their hands tied in such circumstances. Flexibility in their work demands a greater number of permissions.

However, Lavi is insistent that we should not restrict developers. He said, “[Instead] we need to restrict the permissions and some combinations. Some combinations are super privileged. If we are assigning a developer privilege, then he should be assigned top privilege account. It comes with a lot of requirements and things to do to secure this account. This might be multifactor authentication, monitoring and password rotations.”

However, he believes it is not the responsibility of the cloud developer to regulate how services are offered.

“The organisation itself decides,” he suggests thoughtfully but adds a hesitant rejoinder, “It is hard to say.”

“The cloud developer allows the flexibility. It is the flexibility which allows organisations to drive innovation. This is really awesome – to launch a new machine in a couple of seconds with one line of code – this is great!

But it is the responsibility of the organisation to know who has this combination of privileges that might allow the user or the attacker to compromise the credentials.”

This is where human intelligence intervenes to discern the gaps and plug it. Drawing on his expertise, Lavi says developers are working on abnormality identifying – identifying the gap between what the user actually uses, and the set of permissions granted. Often, the developer is granted way more permissions than are needed. The enlarged attack surface gives the attacker enough wiggle room to exploit or leverage.

Cyberark on their part advices, and are working on, to whittle down the gap to the bare minimum.

“Minimise the gap surface as much as possible,” instructs Lavi. “This can be done by learning from logs and network activity of what the user actually does – in an automatic way.”

Kingdom Come

The opportunities as well as challenges in a digital future clearly abound. Cybersecurity will be on our radars and the process of erosion on privacy has already begun.

Lavi thinks that the current state of technology is not mature enough to suppress the extensive forces which seek to invade our privacy. When asked if technology and cybersecurity are at loggerheads, Lavi responded, “Of course, absolutely.” Digital transformation necessitates an exponential increase in attack surface.

However, it’s not all doom and gloom. For the rest who are without access to privileged accounts, we can minimally play close attention to how our data is managed and how we surf the net.

As the future of work entails working remotely, researchers are working to hedge threats which accompany it. A knight of valour in the cyberworld, Lavi reiterates that security is not something trivial. We must keep our guard up.