It’s the stuff of thrillers — nation-state infiltrations, multimillion-dollar ransom demands, careless insiders, supply-chain attacks. If only it were limited to fiction.
But it’s happening in real life, with cyberattacks launched daily against corporations worldwide. Already the U.S. Cybersecurity and Infrastructure Security Agency has warned that Russia may intensify its assaults on U.S. targets as its war with Ukraine rages.
Yet there’s a stunningly simple defense available to all companies: “Zero standing privilege.” This approach minimizes the risk of breaches and stolen IT credentials. Unfortunately, most companies don’t use it.
To understand why they’re ignoring this optimal fix — and convince them otherwise — it’s important to understand the state of cyberthreats right now.
Almost all recent attacks start the same way: An attacker gains access to an administrator account, usually via a compromised password. The Colonial Pipeline breach is one well-known example. Russian threat groups, such as APT29, are suspected of breaching NATO-member government networks, as well as compromising SolarWinds’ supply chain.
Key to the castle
Think of it as thieves getting a key to the castle, with the crown jewels as their goal. Once inside, it’s a matter of wandering from room to room, trying all the doors and picking more locks until the glittering jewels are in their grasp.
An attacker needs only that single access point, the administrative toe hold, to move laterally from system to system. In their journey, they ignore low-value systems to probe others with large amounts of sensitive or proprietary data. Even more concerning: The intruders’ digital perambulations can range beyond the host company. They use existing privileges to infiltrate third-party software used by vendors, suppliers and customers.
It’s surprisingly common to see an organization with 20,000 employees have a third, or about 6,000 employees, with system administrator roles. Magnifying the problem, these workers may have more than 1.3 million instances of their accounts strewn across their corporate servers, workstations and laptops. That’s a massive and highly vulnerable attack surface that every cyber thief relishes.
Yet organizations are often too casual in their management of administrative accounts; they fail to remove the privilege or shut down accounts when admins move on. This “privilege sprawl” essentially multiplies the keys available to those prowling inside the castle.
How to block cybercriminals
The solution is straightforward: Remove standing privilege for the admins. When we block cybercriminals’ access to always-on, always-available accounts, it’s much harder, if not impossible, for them to move laterally. The crown jewels rest safely upon their velvet cushion. This is the zero standing privilege model.
This approach is often confused with the “zero trust” model, in which users must re-authenticate all accounts, every time.
Zero standing privilege takes the zero-trust approach further. ZSP removes all access to all systems unless you ask for access and get authorization. Only then can you log in with your username and password. Once in, your access is timed. Criminals can’t enter, even if they have your username and password; they don’t know they need to ask for authorization, and, essentially, your account doesn’t exist without that step.
It sounds easy, but you’ll find some resistance. Admins, available 24/7 and possessed of arcane knowledge, hold near-godlike status. Chief information officers (CIOs) or chief information security officers (CISOs) usually want their teams to be available to fix IT breakdowns or breaches immediately. They don’t want to waste time re-permissioning system administrators during emergencies. It’s a fair point, but in a well-executed zero standing privilege model, there are many ways to quickly reopen access to privileged users. Cyber chiefs just need to learn them and implement them.
Or maybe it’s not resistance: I’ve also found that many CIOs and CISOs have lost track of how many admins — past and present — have access to company systems. Without up-to-date knowledge, they don’t realize how wide the spread has become and how dangerous the sprawl is. The zero standing privilege approach fixes this problem, too.
When you reduce the number of admin standing privileges, you reduce the number of left-behind or spurious accounts criminal cybergangs use to enter, capture and hold information for ransom. You block more IP thieves from servers where they might otherwise scoop up satellite designs and drug formulas. You slash the chances for nation-states to disrupt essential infrastructure systems.
As incentive for change, look no further than the bottom line.
Cost per attack in 2021 averaged $4.24 million, according to the annual Cost of a Data Breach Report from the Ponemon Institute, a privacy research firm that surveyed 537 breaches worldwide last year.
Colonial Pipeline paid a $4.4 million cryptocurrency ransom after a May 2021 cyberattack forced a five-day shutdown of the nation’s largest pipeline. The 2020 Russian hack of SolarWinds software, used by federal agencies and Fortune 500 companies, came with an estimated cleanup cost of $100 million.
When such cyberattacks become public, companies tend to tout their quick responses. That’s a reactive solution, rather than the pro-active approach of zero standing privilege.
The former measure may limit damage. But it’s far better to keep every door in every corridor locked, rather than risk cyberthieves escaping with even a single bauble from the crown jewels.
Raj Dodhiawala is president of Remediant Inc.