Privileged credentials: They're like diamonds for criminals
Gartner recently released the first-ever Magic Quadrant for Privileged Access Management¹. Gartner also listed privileged access security as the number one security project, saying that “CISOs should focus on these ten security projects to reduce risk and make a large impact on the business².”
That’s no surprise considering cybercriminals most often target login credentials and passwords. One of the most common ways privileged credentials are stolen is by targeting an endpoint with easily exploitable vulnerabilities.
Threat actors will also use different methods of attack and toolkits to look for vulnerabilities in any internet infrastructure. They are looking to steal any credentials that could allow for privilege escalation.
That research is backed up by real-life scenarios – just look at any major data breach that has compromised staff usernames and passwords. Back in 2008, San Francisco’s IT department felt the heat.
An engineer by the name of Terry Childs built and operated a FiberWAN network that was crucial to many online services. He consolidated control of all sys-admin passwords.
A smart move, you might think. But after he got into a dispute, he took total control of the network and would not share details of privileged accounts used to run the network. The result? San Francisco’s IT infrastructure ground to a halt. Insiders can also abuse privileged accounts. Whatever his reasons, Edward Snowden did the same thing.
Privileged access management is no longer something that can be ignored or done haphazardly just to tick compliance or security boxes.
Privileged access management software enables organisations to secure privileged access to critical assets, meaning only those with the correct credentials can access business-critical information.
Privileged access management technologies should also help organisations meet compliance requirements through a process of securing, managing, and monitoring both privileged accounts and access to those accounts.
Privileged access management is not just limited to one piece of software or infrastructure – it can span operating systems, network devices, hypervisors, databases, middleware, applications, and cloud services such as infrastructure-as-a-service, platform-as-a-service, and software-as-a-service.
IT professionals need to architect the right privileged access controls to protect against cyber threats and exploitation and to resist advanced persistent attacks; administrative privileges must be given only to those who absolutely need them to reduce the risk of privileged access attacks.
CyberArk is the pioneer in privileged access management technologies. The CyberArk solution is designed to protect networks, meet requirements and reduce security risk without the additional operational complexity.
Now, we believe that Gartner has reaffirmed that strong security starts with ensuring good cyber hygiene and securing the known credentials and accounts that attackers seek to accomplish their goals.
CyberArk encourages IT and security leaders to become more aware of the dangers of unsecured privileged access, which is why it is making the Gartner report available for download. Access your complimentary version here.
¹ - Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018
² - Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018. https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.