Unfettered Access Leaves Local Government Vulnerable to Cyber Threats

It is no secret that the theft or exploitation of credentials is key to the majority of reported data breaches. In fact, Forrester research has shown that privileged credentials are involved in approximately 80% of breaches.

Password re-use is commonplace, both at work and at home. Employees can be using their same weak login and passwords for both personal and company systems, introducing additional challenges when a B2C website or service is breached. Compounding this is the struggle of timely management of user accounts, including the retiring of non-active accounts (or those of departed employees) and updating the appropriate privileges of users.

The problem has been succinctly called out in a recent NSW Auditor General’s report on local government where it noted that “where robust access management processes are not in place, inappropriate access may exist, increasing the risk of unauthorised transaction or modification of sensitive data and transactions.”

It was in the same report that the NSW Auditor General called out that more than half of all NSW Local Councils did not monitor privileged accounts’ activity logs. While over a third of councils “did not perform a periodic user access review to ensure users’ access to key IT systems are appropriate and commensurate with their roles and responsibilities.” These findings were considered high risk by the Auditor General and are the focus of ongoing audits.

But it is not just a problem at the local government level. The Australian Cyber Security Centre recognises the vulnerabilities around user accounts and credentials through various aspects of the Essential Eight — its core strategies for mitigating cyber risks within organisations — recommended for businesses of all sizes but particularly large enterprise.

The Essential Eight includes strategies such as Application Control, User Application Hardening, and Restricting Administrator Privileges. The objective of these strategies is to reduce the attack surface of an organisation’s systems while also minimising the capabilities of an attacker to inflict damage to the victim.

Reducing The Risk

So how do the above aspects of the Essential Eight help local councils better protect themselves from modern cyber threats?

Application control is amongst the most effective cybersecurity controls that organisations can implement to reduce risk. The reason being is that it only allows approved applications — and their code — to be executed. It can also stop unauthorised applications to be installed, reducing the potential for vulnerabilities to be introduced to an organisation through such applications.

User Application Hardening offers organisations further protection, where attackers may try to evade application control by introducing malicious scripts or piggyback off an approved application’s legitimate functionality. In doing this, application hardening can limit the ability of malicious applications, such as ransomware, to run and cause damage.

Restricting Administrator Privileges is another highly effective security risk mitigation strategy and supports the implementation of a security philosophy such as Least Privilege. A recent report from the Identity-Defined Security Alliance (IDSA), highlighted that timely reviews of privileged access was actually the most cited (50% of respondents) security control that could have prevented or mitigated a breach experienced by the respondents. Privilege creep is a real risk and is easy to overlook. Roles change or people leave the company, yet access and accounts remain active, including access for cloud resources.

In restricting administrator privileges, organisations also limit the capabilities of malware, including ransomware. Where such malware attempts to exploit security vulnerabilities, limiting admin privileges on the account reduces the ability of the malware to gain the privileged access to run the scripts it needs to successfully propagate and persist on a device. For attackers who gain credentials through phishing attacks or other means, limiting privileges reduces their ability to move around an organisation’s network and gain a stronger foothold.

How PAM Plays a Part

Privileged Access Management (PAM) plays a significant role in the Essential Eight, and PAM controls are specifically called out in the NSW Auditor General’s report as a glaring deficiency across local government. So what does it do and how does it help you to reduce your organisation’s security risk?

With stolen credentials continuing to be a primary attack vector for criminals to access organisations’ networks, security teams need to gain greater visibility into how, where and when credentials are being used. PAM privileged password management solutions discover, onboard, and vault human, application, and machine credentials, enforcing credential security best practices (complexity, uniqueness, rotation after use etc).

While anti-virus and anti-malware solutions have a place in defending against known attacks, they struggle when it comes to unknown or zero-day attacks. These traditional solutions are reported to miss 60% of attacks, leaving organisations highly vulnerable to undocumented malware or ransomware. Enter least privilege.

Though least privilege is recognised as one of the most fundamental IT security strategies, the public sector has lagged in implementing it across endpoints. Least privilege focuses on delivering the right level of privilege at the right time — and only for a limited time — for the completion of an activity or task. This is a highly effective control at reducing the threat surface from insiders and external threat actors, including ransomware.

Ransomware continues to be a leading threat to organisations around the world. Australia is no different. The Australia Cyber Security Centre (ACSC) has called out ransomware as the biggest threat to Australian organisations. Endpoint Privilege Management (also referred to as privilege elevation and delegation) is the PAM solution set used to enforce least privilege across user, server, networked devices, and IoT.

In addition, leading endpoint privilege management solutions also provide application control capabilities, providing instant ‘allow or deny’ decisions for application access or privilege elevation based on allow listing, block listing, and grey listing policies. This further mitigates risks around application security helping to stop malware in its tracks.

PAM solutions should also have a secure remote access component that extends PAM best practices beyond the perimeter, such as to third-party vendors and remote employees. Over the past 18 months, VPNs have become the workhorse of remote access. However, as some high-profile ransomware attacks have shown, VPNs can be insecure if not appropriately managed and can allow attackers significant access to networks once logged-in. Secure Remote Access allows proxy access to control planes and other applications while limiting the access of users to just what they need to do their job.

In addition, PAM solutions should provide robust monitoring and management of every privileged session, whether it involves a human, machine, application, vendor, or employee. Every action should be tied to a single identity for an unimpeachable audit trail.

A Leader in PAM

BeyondTrust is recognised by every major analyst as a leader in Privileged Access Management. Our Universal Privilege Management model provides the most complete approach to securing every privileged user, asset, and session, with solutions including Privileged Password Management, Endpoint Privilege Management and Secure Remote Access.

Furthermore, unlike traditional PAM approaches, the Universal Privilege Management model allows you to start with the use cases that are most urgent to your organisation, and then seamlessly address remaining use cases over time.

Image credit: ©stock.adobe.com/au/denisismagilov