The compromised workstation
With privileged accounts we must make a clear assumption: that at some point in their life, workstations will be compromised. According to a study by Verizon, 86% of instances of loss of privileged credentials occur through compromised workstations. In addition, malicious code created ten to twenty years ago tended to be generic in its targeting. Malware today has the functionality to be organisation-specific, or even individual-specific.
Time is also a factor. According to research by the Ponemon Institute, once a data breach occurs it takes an average of 98 days for financial services companies to detect intrusion on their networks.
For this reason, security policies mandate the regular refresh of passwords. In practice, however, refreshing intricate passwords can be complex and cause delays. During that window, hackers can monitor, record and abuse privileged passwords.
Phishing attacks: a vault doesn’t protect you
Classic phishing follows a number of lines of attack. For example, an email or forged service ticket is sent. Privileged users then click on the ticket or link and are presented with a login screen. The screen appears to be the login for the system the privileged users want to access but is in fact fake. Users retrieve a password from the vault and inject it into the fake screen, which redirects them to the real system or, more commonly, gives an innocuous error message.
At this point, however, the password has been revealed. The attacker now has a window of opportunity to access the system until such time as the password is changed.
Password sharing often applies to apparently minor network elements like switches or routers that multiple SysAdmins need to access - and sharing brings immediate security risks.
For systems with shared passwords it’s often a simple matter of conflicting priorities. The effort needed to change the passwords (contacting and informing all the admins that need to access switches and routers) is outweighed by the need to keep systems running without disruption.
What’s more, shared systems are often important from a security perspective. For example, switches in port-mirroring mode can see and record traffic. Traffic may be encrypted but, should the cryptography be weak, or should an insider attacker have access to private keys, the potential for a serious breach is magnified.
The limits of the human cognitive load
To deter brute forcing, organisations frequently deploy complex passwords. For example, a security policy may specify that passwords must exceed 12 characters, contain uppercase, lowercase, digits and punctuation characters, and be changed every 30 days. The complexity of this approach, however, puts mounting demands on a user’s cognitive load. We estimate a limit of 6 to 7 complex passwords that users can reliably remember over a 12-month period.
In practice, what happens is that users soon adopt recognisable password patterns. A long word such as ‘Liverpool’, extended to ‘LiverpoolFC2018’, supplemented with ‘01#’ for January, ostensibly meets policy. But it’s then changed in February to ‘LiverpoolFC201802#’, and so on every 30 days. This gives passwords with predictable date patterns, which become all too easy for a hacker to compute.
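A password-rotation check that catches exactly this pattern, as an added illustration that is not part of the original article or any PAM product: it compares a proposed password against its predecessor and flags embedded year-and-month tokens, a long shared prefix, or a change that only touches the digits. The sample passwords are constructed after the article's example, and the accepted year range is an assumption.

```python
import re

# Constructed sample passwords modelled on the article's example (not real credentials).
PREVIOUS = "LiverpoolFC201801#"
CANDIDATE = "LiverpoolFC201802#"

# A four-digit year followed by a two-digit month, e.g. 201802.
# Assumption: years 1990-2039 are the plausible range for a date-stamped password.
DATE_TOKEN = re.compile(r"(?:199\d|20[0-3]\d)(?:0[1-9]|1[0-2])")


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def rotation_weaknesses(previous: str, candidate: str, max_shared=0.5) -> list:
    """Return the reasons a rotated password is predictable from its predecessor.

    An empty list means none of the three pattern checks fired; it does not
    mean the password is strong in any other respect.
    """
    reasons = []
    if DATE_TOKEN.search(candidate):
        reasons.append("contains a year+month token")
    shared = common_prefix_len(previous, candidate)
    # Flag when more than max_shared of the longer password is a copied prefix.
    if shared and shared / max(len(previous), len(candidate)) > max_shared:
        reasons.append("shares a long prefix with the previous password")
    # Strip digits: an identical non-numeric skeleton means only a counter changed.
    if re.sub(r"\d", "", previous) == re.sub(r"\d", "", candidate):
        reasons.append("only digits differ from the previous password")
    return reasons


if __name__ == "__main__":
    for reason in rotation_weaknesses(PREVIOUS, CANDIDATE):
        print("rejected:", reason)
```

Run as a pre-change hook, the check rejects ‘LiverpoolFC201802#’ after ‘LiverpoolFC201801#’ on all three counts, while an unrelated replacement passes.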
Shoulder surfing is a disconcertingly accurate description for the practice of reading sensitive information, such as passwords and PINs, over a user’s shoulder. For holders of elevated account privileges, the consequences are acute: one well-executed glance (ID typed in, PIN keystrokes entered) and they have the keys to your network. As the surfed SysAdmin probably has little awareness of this happening, the resulting breach may not be immediately apparent either.
Separate People from Passwords
To avoid the pitfalls of stolen credentials, PAM solutions need to take a different approach. Don’t reveal passwords to users. Don’t put passwords on workstations. We promote an approach that offers a proxy connection between the user and the devices they manage, effectively isolating credentials. All privileged users need to do is verify their identity, after which they are granted access to systems on the basis of the roles and times assigned to them - “Identity in, Role out”.
You don’t want the cyber attacker to steal your passwords. Well, they can’t steal what’s not there.