Why Privileged Access Management Might Be the Most Important Layer of Your Ransomware Defenses
Steve Jump, CSO at Custodiet Advisory Services, shares his tips on using a Privileged Access Management system to stop a breach before it happens.
It starts with a phone call. ‘Can you explain why all of the CEO’s files have been encrypted?’ Then you know that your day is only likely to get worse.
Ransomware attacks on businesses of all sizes have been on the rise for several years, and this trend has accelerated since the onset of the COVID-19 pandemic.
A successful breach opens the door to stolen data, costly ransom payments, and irreparable reputational damage. Unfortunately, the encryption of data and locking of accounts often signals the end of a breach and not the beginning.
Speaking at CISO Africa, Steve Jump, CSO at InfoSec consultancy Custodiet Advisory Services, explained why a privileged access management (PAM) system might be one of the most effective tools for spotting a potential breach before it happens. “When you hear about these things called advanced persistent threats with incredibly long penetration durations, where they've been in your network for months,” he says. “In almost every case, it was because the PAM logs were not being examined for most of that period.”
Securing Administrative Accounts
As with much of information security, it is essential to be on top of the basics. For example, do you know how many administrative accounts your organization has?
For the hacker, getting access to an account with administrator privileges is the key to opening your systems. However, it may not be necessary to compromise a full administrator account if lesser accounts also have sufficient privileges.
“Everybody is authenticated to do the work they're entitled to do. But quite often, if someone wants to install software, they're given administrative privilege to install that software and then it is never revoked over years,” Jump says. “If you've never actually done a full audit of your Active Directory system, you might be surprised to find that 70 or 80% of your normal users have the ability to run administrator-level commands.”
This poses a serious risk to system-wide security if one of those users falls victim to a phishing attack. The problem becomes even more serious if that user has access to the operating system on that server. “No normal user should be able to even list processes on a server,” Jump advises. “That is your internal administrator privilege only.”
How to spot a security threat using PAM
Large organizations are likely to already have a PAM system deployed. Not only is it an effective tool for managing and auditing privileges, but it also helps ensure regulatory compliance and the onboarding of new technical staff.
It is also an important tool to spot unusual activity that may be a sign of an attempted breach, or even to catch a breach at an early stage.
One early indicator is unusual attempts to authenticate passwords. Once you have multifactor authentication in place, logging authentication attempts can become an important defensive control.
“Every attempt to authenticate needs to be logged, whether that is success or fail. Users should not be resetting their password very, very often,” says Jump.
“If you have multi-factor authentication, you would have extended your period between password resets,” he continues. “This is important. That actually becomes a defensive control because if the user doesn't change their password, every 120 days, then anyone who was changing it might not be the real user.”
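A minimal sketch of that control over an authentication log, added here as an illustration and not taken from the talk or from any PAM product. The event tuple layout, the "early" threshold of half the 120-day window, and the one-hour look-back for failed logons are assumptions.

```python
from datetime import datetime, timedelta

ROTATION_DAYS = 120               # reset interval quoted in the article
EARLY_FRACTION = 0.5              # assumption: first half of the window counts as "early"
FAIL_WINDOW = timedelta(hours=1)  # assumption: look-back for failed logons before a change

# Constructed sample events: (ISO timestamp, user, event, outcome)
SAMPLE_EVENTS = [
    ("2024-01-02T09:00:00", "alice", "password_change", "success"),
    ("2024-05-01T09:05:00", "alice", "password_change", "success"),
    ("2024-01-10T08:30:00", "bob", "password_change", "success"),
    ("2024-02-03T02:10:00", "bob", "logon", "fail"),
    ("2024-02-03T02:11:00", "bob", "logon", "fail"),
    ("2024-02-03T02:12:00", "bob", "logon", "fail"),
    ("2024-02-03T02:20:00", "bob", "password_change", "success"),
]

def suspicious_password_changes(events):
    """Return alerts for password changes made well before the rotation is due."""
    last_change, recent_fails, alerts = {}, {}, []
    for ts, user, event, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "logon" and outcome == "fail":
            recent_fails.setdefault(user, []).append(when)
        elif event == "password_change" and outcome == "success":
            previous = last_change.get(user)
            if previous is not None:
                age = (when - previous).days
                if age < ROTATION_DAYS * EARLY_FRACTION:
                    fails = sum(1 for f in recent_fails.get(user, [])
                                if when - f <= FAIL_WINDOW)
                    alerts.append({"user": user, "when": ts,
                                   "days_since_last_change": age,
                                   "failed_logons_before": fails})
            last_change[user] = when
    return alerts

if __name__ == "__main__":
    for alert in suspicious_password_changes(SAMPLE_EVENTS):
        print(alert)
```

Only the change on bob's account is reported: it comes 23 days after the previous one and follows three failed logons, while alice's change at the 120-day mark passes.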
One commonly overlooked area of access management is sufficiently logging and monitoring administrator-level processes. In the case of a breach of an administrator account this can be a dangerous vulnerability.
“Log all admin level processes on every one of your critical systems,” Jump advises. “You don't need to look at every single one, keeping a simple list of the process names, the times that they run and generally the memory and resources that those processes use.
“They should not be changing very much on a daily basis. You're interested in anything that's unusual. You are very interested in anything you've never seen before, and you are interested in something that happens at a time of day when no-one would normally be doing anything,” he continues.
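The three signals Jump lists (never seen before, unusual time of day, unusual resource use) can be checked against exactly the "simple list" he describes. The following is an added example, not code from the talk or a PAM vendor; the record layout, host and process names, working hours and the 3x memory factor are all assumptions.

```python
from datetime import datetime

BUSINESS_HOURS = range(6, 20)   # assumption: admin work happens 06:00-19:59 local time
MEMORY_FACTOR = 3.0             # assumption: flag memory above 3x the largest baseline value

# Constructed records: (ISO start time, host, process name, memory in MB)
BASELINE = [
    ("2024-03-04T09:15:00", "db01", "backup_agent", 120),
    ("2024-03-05T09:14:00", "db01", "backup_agent", 131),
    ("2024-03-04T10:02:00", "db01", "patch_service", 60),
    ("2024-03-05T10:05:00", "db01", "patch_service", 64),
]
TODAY = [
    ("2024-03-06T09:16:00", "db01", "backup_agent", 125),
    ("2024-03-06T02:40:00", "db01", "patch_service", 62),
    ("2024-03-06T11:30:00", "db01", "backup_agent", 900),
    ("2024-03-06T03:05:00", "db01", "vol_sync", 45),
]

def build_profile(records):
    """Summarise the baseline per (host, process): hours seen and peak memory."""
    profile = {}
    for ts, host, name, mem in records:
        entry = profile.setdefault((host, name), {"hours": set(), "max_mem": 0})
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["max_mem"] = max(entry["max_mem"], mem)
    return profile

def review(records, profile):
    """Return (timestamp, process, reasons) for every record worth a look."""
    findings = []
    for ts, host, name, mem in sorted(records):
        hour, reasons = datetime.fromisoformat(ts).hour, []
        known = profile.get((host, name))
        if known is None:
            reasons.append("never seen before")
        else:
            if hour not in known["hours"]:
                reasons.append("unusual hour for this process")
            if mem > known["max_mem"] * MEMORY_FACTOR:
                reasons.append("memory far above baseline")
        if hour not in BUSINESS_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, name, reasons))
    return findings

if __name__ == "__main__":
    print(*review(TODAY, build_profile(BASELINE)), sep="\n")
```

Of the four records reviewed, the routine 09:16 backup run is the only one that produces no finding, which is the point of keeping the baseline: the reviewer reads three lines instead of the whole log.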
Using PAM to effectively monitor your systems for the warning signs of a bad actor does not require a revolution in thinking; it’s more important to thoroughly cover the basics.
“We're not talking rocket science here,” Jump concludes. “We're actually talking fundamental basics and making sure that only the right people have access to the right systems and that we are aware if anything new comes in.”