Cybersecurity threats seem endless and never stop evolving, so why should security systems behave any differently? It’s crucial you keep yourself updated on the latest attack vectors, and one of the most common and concerning trends in recent years has been the exploitation of third-party privileged credentials – aka your login credentials. If your company provides elevated access to its network, it can create a significant vulnerability. We’re going to help you prevent that by outlining potential weak spots in your security you need to be aware of and how to assess & improve them.
What Are Privileged Credentials?
Privileged credentials grant users access to sensitive and confidential information within an organization’s network. These are usually more than a general login, but you might be surprised how many people actually have access to confidential information about your company or your clients.
Whether it’s an ERP consultant (like our team members), head accountant, security guard on their first day, or any other personnel with elevated access, your company credentials essentially serve as keys to the kingdom. Generally, we recommend making those credentials unique for each person (no departmental or shared logins), requiring multi-factor authentication (MFA), and possibly offering Conditional Access.
What Does ‘Primary Intrusion Attack Vector’ Mean?
A “vector” is the way a cyberattack actually happens, or the weak spot in security that was used. So when we say “primary intrusion attack vector,” we’re referring to the main way cybercriminals gain unauthorized access to systems or networks. You may assume phishing schemes, sophisticated malware, or direct breaches are the worst offenders. While they rank high as threats, shockingly 86% of the most significant intrusion events in recent years come from the compromise of third-party privileged credentials – or to put it plainly, login access.
You only have to look at some of the big recent cyberattacks at Home Depot, Michaels, and MGM. In each case, hackers used compromised third-party accounts with administrative privileges to get into the systems. Once in the system, they were able to get hold of customers’ personal information and, most critically, their payment credentials. The results cost the respective companies millions, demonstrating how severe an issue it is when you don’t understand your system’s primary intrusion attack vector – or weakest link.
Using the Principle of Least Privilege
Giving someone privileged credentials is, just as the name says, a privilege, and it should come with a set of conditions instead of giving everyone full access whether they need it or not. The Principle of Least Privilege (POLP) is based on giving a person access to only what they need. For example, keeping the accounting team out of HR’s files may seem like common sense, but you’d be surprised how often everyone can access everything.
A report from the Ponemon Institute showed that 70% of third-party breaches came from granting too much access. Bafflingly, only 52% of the organizations that had a breach did anything to address the issue. That said, the responsibility for limiting access doesn’t lie exclusively on the shoulders of management. Users are responsible, too, and it’s recommended they report access they don’t need in order to shore up security. Just because they’re not using all the information they can access doesn’t mean someone else won’t if the credentials are compromised.
The Threats of Remote Work (and Access)
Since the rise of remote work, cybersecurity threats have increased, with 75% of IT specialists blaming the expanded threat landscape. When login credentials grant remote access along with privileged access, there are steps you can take to keep your data secure. We recommend having separate credentials for the network and the data access, creating a clear distinction between those privileges. There should be one password that gives you access to a network or VPN, and then another credential to access the system that you’re actually trying to get to. Think of it as a door to the office building, and then individual office doors, which double the perimeter strength and protect access to specific information between teams or individuals. We don’t all have keys to all the offices in a building!
We realize that doesn’t apply to everything, as not everything can sit behind a VPN. Dropbox is one example. Companies use Dropbox to share access to important and confidential documentation, but it’s not going to be behind a VPN or extra security layer. By using unique credentials for each person, though, any access can be tied back to the individual, not just “Sales access” that could be shared by an entire team or other parties. Again, you’ll also want to have MFA on as many logins as possible, as Microsoft, Google, and others have stated it’s 99% effective at preventing attacks.
So What Should You Do? Assess Your Logins
Regularly evaluating the credentials provided is one of the best ways to protect yourself, your company, and even your clients. Here’s a quick hit list of who to check:
- Accountant
- Managed Services firm
- Social media management (not everyone needs to be able to post from the corporate account)
- Security provider
- Past employees (a large red flag; a process should also be in place to remove all access as soon as they are no longer employed)
- ERP Partner/VAR
- HVAC provider
Every third-party entity with access should be scrutinized – who really needs access and what access do they actually need? Does your accountant have team members who access your system and, if so, do they need all of the access they have? Can a separate login be created for each team member so that if that person leaves the accounting firm, they can no longer access your information? If you’re not sure where to start, Managed Services teams, like ours, can help with infrastructure assessments or IT security reviews to reduce risks and liabilities. Compromised third-party credentials impact so many areas of a company, from social media to accounting to HR, or, in the worst-case scenario, HIPAA-protected information, which can lead to criminal liability.
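As an added example (not part of the original post), the access review described above can be run as a script over an account inventory, applying the post's own checks: one login per person, MFA, no access left for people who have gone, and least privilege. The CSV columns, account names and finding labels are assumptions, and the rows are constructed sample data.

```python
import csv
import io

# Constructed sample inventory (not real data). Column names are assumptions:
# owner is empty for a shared login; granted/used are ';'-separated systems.
INVENTORY_CSV = """account,owner,org,active_engagement,mfa,enabled,granted,used
acct-jlee,J. Lee,Accounting firm,yes,yes,yes,ledger;payroll;hr_files,ledger
sales-shared,,Internal,yes,no,yes,crm;dropbox,crm;dropbox
hvac-vendor,T. Ruiz,HVAC provider,yes,no,yes,building_mgmt;billing,building_mgmt
old-msmith,M. Smith,Internal,no,yes,yes,erp_admin,
erp-var-kp,K. Patel,ERP partner,yes,yes,yes,erp_admin,erp_admin
"""

def _split(field):
    """Turn 'a;b;c' into a set, ignoring empty entries."""
    return {item for item in field.split(";") if item}

def review_account(row):
    """Return the list of findings for one inventory row."""
    findings = []
    if row["enabled"] != "yes":
        return findings  # a disabled account cannot be used to log in
    if not row["owner"].strip():
        findings.append("SHARED_LOGIN")  # access cannot be tied to a person
    if row["mfa"] != "yes":
        findings.append("NO_MFA")
    if row["active_engagement"] != "yes":
        findings.append("OFFBOARDED_STILL_ENABLED")
    # Least privilege: access granted but never used in the review window
    for system in sorted(_split(row["granted"]) - _split(row["used"])):
        findings.append(f"UNUSED_ACCESS:{system}")
    return findings

def review_inventory(csv_text):
    """Map account name -> findings, keeping only accounts with findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_account(row)
        if findings:
            report[row["account"]] = findings
    return report

if __name__ == "__main__":
    for account, findings in review_inventory(INVENTORY_CSV).items():
        print(f"{account}: {', '.join(findings)}")
```

The "used" column has to come from real access logs for the review period; without it the least-privilege check cannot distinguish needed access from leftover access.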
Securing privileged login credentials is not just about protecting the business; you’re also safeguarding users and clients from potential harm. Prioritizing robust security practices and conducting thorough access assessments lowers the risks to your company. Remember, cybersecurity is a responsibility shared between the company and the staff, and it unfortunately requires constant vigilance and proactive measures to help you stay a step ahead. If you need help assessing who has access to what or where potential security risks could crop up, reach out to our Managed Services team to start a conversation.