
How IT security teams fail end-users and their organisations

By Marilyn de Villiers
Johannesburg, 29 May 2019
Daniel Comarmond, Thycotic

If an end-user accidentally clicks on an e-mail that releases malware that wreaks havoc in your organisation’s IT infrastructure, you have only yourself to blame, Daniel Comarmond of Thycotic told a packed hall of IT security specialists at ITWeb Security Summit 2019 yesterday.

“It’s our job to protect end-users. Expecting them to be good in how they use Web browsers, where they click on Web sites, or what e-mails to open is simply not fair. They are not idiots,” he said, referring to Amazon’s vice-president and CTO Werner Vogels’s now infamous comment in a talk earlier this year. Lamenting the effectiveness of phishing e-mails, Vogels reportedly said: “There is always an idiot who clicks that link.”

“We expect end-users to know better. There’s a lot of talk about education and policy, but while that is important, the sheer quantity and sophistication of malicious e-mails flooding into businesses requires a different approach,” Comarmond said.

He added that the volume of e-mails specifically aimed at harvesting user names and passwords exploded in 2018, with malware attacks now outnumbering ransomware.

And sometimes, the malware is hidden behind ransomware – as the publisher of the LA Times and Chicago Tribune discovered last year after an attack timed for when the newspaper was at its most vulnerable (just before deadline and when most IT staff were away for the Christmas holidays) left malware circulating in its systems months after they had paid the ransom demanded.

“We ask – or tell – users to change their e-mail and system log-in passwords regularly. We tell them to remember them and not to write them down. That’s quite a burden. But who is responsible for managing the passwords that are used to log in to administration accounts, financial and internal accounting systems, procurement systems, customer databases, even corporate social media accounts, all of which could be termed privileged accounts?

“How often are these passwords changed to comply with the password policy? How is that enforced? More importantly, do we know what individuals who have access to those privileged accounts do while they are accessing them?” he asked, pointing out that in the past two years, the focus of cyber crime had largely shifted to insiders and internal accounts.

Comarmond maintained that the best way to deal with the problem was to implement a Privileged Account Management (PAM) system that held all passwords for both individuals and systems in a secure vault. Those passwords could then be changed regularly – without the user being aware of the changes.

In that way, users only have to remember their own log-in password, while the PAM changes the vaulted privileged and other critical admin-type passwords regularly in the background. At the same time, the PAM should be able to record not only who had logged into a privileged account, but how long that person had been there, and what he or she had done while there.
