If privileged access management is a top cybersecurity priority, why are there still so many related breaches of cyber defences?

Not surprisingly, the passwords, tokens, keys and certificates that come with privileged access are prime targets for cyber criminals. Unfortunately, these accounts are often protected by weak, manually set passwords that are easily shared with colleagues and teams. Forrester[1] estimates that at least 80% of data breaches have a connection to compromised privileged credentials.

Businesses that are not securing and managing these high-value targets also have an increased risk of insider threat and fraudulent employee activity.

Internal Audit’s response

Given that privileged access potentially provides a vital key to unlocking our cybersecurity defences, what should we, as IT internal auditors, be doing to ensure threat actors, either internal or external, can’t get hold of it? Or, if they do, that they are then constrained in how it can be used? In answering this we’ve considered each of the five key functions of the NIST Cybersecurity Framework.

·      Identify: IA is ideally placed to perform an independent assessment of the inherent and residual risk posed by privileged accounts. Challenging and understanding the key inherent and residual risks in the related processes is vital. Examples of such risks include:

o  No or low visibility of how privileged accounts are managed, created and decommissioned

o  Lack of monitoring of the actions of privileged accounts

o  Administrators having continuous access to privileged accounts

o  Privileged application accounts, service accounts and accounts set to “password never expire”

o  Sharing of passwords of privileged accounts

o  Lack of approval mechanisms, or expiry not set, for shared accounts

·      Protect: In recent years there has been, and continues to be, considerable time and cost invested in the deployment of PAM tools. These tools provide the automated foundation for addressing the key risks associated with the provisioning, monitoring and decommissioning of privileged access. Where such deployments are planned, we are seeing considerable interest in, and value from, IA assessing the PAM solution deployment project. Deploying a solution is a highly complex process, which requires appropriate planning, execution and the choice of a product that matches the enterprise’s specific needs. Key aspects of any such review are ensuring that the PAM solution and controls fit within an integrated IAM (identity and access management) process and technology framework, and with other tools (e.g., security information and event management (SIEM)); ensuring that wider business and process transformation needs have been considered; and confirming that the change has appropriate sponsorship at an executive level.

·      Detect: Testing the design and operating effectiveness of the key controls established to monitor the assignment and usage of privileged access, via a targeted audit, is another key activity through which IA can add value. The measures in place must also remain aligned to evolving industry and regulatory expectations. Another important aspect is being able to answer a variety of questions, including:

o  Is there an accurate and up-to-date inventory of privileged accounts, supported by a discovery tool?

o  Can unused accounts be identified, and are they removed or disabled?

o  Are accounts checked out and checked back in?

o  Is the usage of key accounts monitored, recorded and tracked against expected behaviours, and correlated with information from other solutions (e.g., SIEM)?

o  Is multi-factor authentication in place to control access to the PAM tool?

o  Are requests for privileged access appropriately managed and approved?

·      Respond: The response to an identified breach is likely to involve key stakeholders from across the organisation, led by an incident management (IM) team and supported by a defined IM process. Ensuring that this process has been adequately defined, approved, communicated and tested for a variety of scenarios, including unauthorised or inappropriate use of privileged accounts, is another key means by which IA can add value.

·      Recover: Although the IM team will take the leading role in managing the immediate response to any identified misuse of privileged accounts, IA can play a crucial role through the “recover” step. IA is ideally positioned to lead and provide independent analysis and assistance during a post-incident review. Leveraging the lessons learned from such an exercise can add real value to the organisation, helping it to stay ahead of future threats and reducing the potential impact if there should be a recurrence.
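The Identify risks and Detect questions above (privileged-account inventory, “password never expire” settings, unused accounts, shared accounts without expiry) can be tested mechanically against a directory export. The following is an added example, not the article’s or EY’s tooling: a small review script over a constructed CSV export. The column names, the privileged-group list, the group nesting, the sample accounts and the 90-day and 180-day thresholds are all assumptions for illustration; in a real audit the export and the group model would come from the directory or PAM discovery tool.

```python
"""Privileged-account review over a constructed directory export.

Added example (not the article's or EY's tooling): field names, group
nesting, sample rows and thresholds are assumptions chosen to illustrate
the checks, not a real environment.
"""
import csv
import io
from datetime import date

# Constructed sample export; in practice this would come from a directory or
# PAM discovery tool. Columns are assumed for the example.
SAMPLE_EXPORT = """\
account,groups,password_never_expires,last_logon,password_last_set,kind,expiry
alice,Domain Admins;Helpdesk,False,2024-05-30,2024-05-01,person,
bob,Helpdesk,False,2024-05-29,2024-04-20,person,
svc_backup,Backup Operators,True,2024-05-30,2019-01-10,service,
old_admin,Domain Admins,False,2023-11-01,2023-10-15,person,
shared_dba,DBA-Shared,False,2024-05-28,2024-05-01,shared,
break_glass,Domain Admins,True,2024-01-15,2024-01-15,shared,2024-12-31
"""

# Assumed policy values and group model for the example.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "DBA-Shared"}
GROUP_NESTING = {"DBA-Shared": "Domain Admins"}  # child group -> parent group
STALE_DAYS = 90                  # privileged account unused for longer than this
MAX_PASSWORD_AGE_DAYS = 180      # maximum password age for privileged accounts
REVIEW_DATE = date(2024, 6, 1)   # fixed "today" so the sample review is reproducible


def effective_groups(groups):
    """Expand nested membership so privilege inherited via a child group is visible."""
    seen, stack = set(), list(groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        parent = GROUP_NESTING.get(group)
        if parent:
            stack.append(parent)
    return seen


def parse_export(text):
    """Turn the CSV export into typed records (dates parsed, groups expanded)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        groups = row["groups"].split(";") if row["groups"] else []
        records.append({
            "account": row["account"],
            "groups": effective_groups(groups),
            "password_never_expires": row["password_never_expires"] == "True",
            "last_logon": date.fromisoformat(row["last_logon"]),
            "password_last_set": date.fromisoformat(row["password_last_set"]),
            "kind": row["kind"],  # person | service | shared
            "expiry": date.fromisoformat(row["expiry"]) if row["expiry"] else None,
        })
    return records


def review(records, today):
    """Return (account, finding_code, privileged_groups) for each control exception."""
    findings = []
    for acct in records:
        privileged = acct["groups"] & PRIVILEGED_GROUPS
        if not privileged:
            continue  # non-privileged accounts are out of scope for this review
        where = ", ".join(sorted(privileged))
        if acct["password_never_expires"]:
            findings.append((acct["account"], "PASSWORD_NEVER_EXPIRES", where))
        if (today - acct["last_logon"]).days > STALE_DAYS:
            findings.append((acct["account"], "UNUSED", where))
        if (today - acct["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["account"], "PASSWORD_AGE", where))
        if acct["kind"] == "shared" and acct["expiry"] is None:
            findings.append((acct["account"], "SHARED_NO_EXPIRY", where))
    return findings


def run_review(today=REVIEW_DATE, export=SAMPLE_EXPORT):
    """Parse the export and run the checks; returns the list of findings."""
    return review(parse_export(export), today)


if __name__ == "__main__":
    for account, code, where in run_review():
        print(f"{account:<12} {code:<24} {where}")
```

Two points worth noting from the sample output. First, shared_dba is flagged even though it is only a direct member of DBA-Shared, because nested membership is expanded before the privileged-group test; an inventory that looks only at direct membership misses exactly this case. Second, break_glass is reported as UNUSED, which is expected for a break-glass account: the script produces a list of exceptions for the auditor to assess against the account’s purpose and the approved expiry, not a verdict.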

As can be seen, we are ideally placed to help our organisations address the key risks posed by privileged access, with both tactical and strategic preparation, and with support during, and subsequent to, any incidents that may arise. The expectations of key stakeholders, both internal and external, that we do so are ever-increasing.

[1] The Forrester Wave™: Privileged Identity Management, Q4 2018

Note: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.