How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks

For decades, Federal chief information security officers (CISOs) focused on protecting a traditional perimeter and the users within it. Today, however, they recognize that there are a seemingly endless number of third-party partner, vendor, and customer accounts, as well as service accounts (accounts that are not directly tied to an employee, or that are non-human altogether), any of which could be the source of a compromise.

They need look no further than Russia’s massive hack of SolarWinds software – which led to the accessing of emails at the U.S. Treasury, Justice, Commerce, and other departments – for an Exhibit A illustration of the vulnerabilities of their agency’s entire cyber ecosystem, as opposed to strictly internal digital assets and users.

That expanded security perspective proves necessary due to modern mission requirements and the resources needed to achieve them: Within an agency, multiple external parties and service accounts support every server and system. Constantly monitoring and routinely auditing it all is extremely complex, challenging, and tedious. Hackers are well aware of the situation, and target both third-party partners (i.e., the “people” part of this equation) and service accounts (the non-human, technical component) as lucrative weak links:

The U.S. government is reporting more than 28,500 cybersecurity incidents a year, and 45 percent of breaches result from indirect attacks, according to research from Accenture. It should come as no surprise then that 85 percent of security executives say their organization needs to think beyond defending the enterprise and take steps to protect their entire ecosystem.

“Organizations should look beyond their four walls to protect their operational ecosystems and supply chains,” according to the Accenture report that published the research. “As soon as one breach avenue is foiled, attackers are quick to find other means,” it says.

When asked to assess various technologies and methods, these executives ranked privileged access management (PAM) as one of the top approaches in reducing successful attacks, minimizing breach impact, and shrinking the attack surface. With the defense industrial base (DIB) and perhaps other Federal agencies seeking to adopt Cybersecurity Maturity Model Certification (CMMC) standards as part of their overall strategy, PAM has emerged as a highly effective means toward this goal.

As defined by Gartner, PAM solutions manage and control privileged accounts by isolating, monitoring, recording, and auditing these accounts’ sessions, commands, and actions. Most of the time, third parties and service accounts cannot do their jobs without elevated access privileges, which makes them a de facto part of the agency enterprise. While such arrangements play an indispensable role in terms of mission performance, productivity, and efficiency, they also expand the attack surface. That’s why CISOs must strongly consider PAM as part of their third-party/service account security strategy, to establish the following capabilities:

Comprehensive auditing. PAM ensures that all service account and privileged activity is audited. You record every session and watch it for anomalous and potentially suspicious interactions/patterns, just as if you were watching a movie.

Reduction of credential exposure. Without PAM, contractors will typically be provided elevated credentials to access a network area or database which is relevant to the task at hand. In the process, they may jot down on a piece of paper “Admin 123” to use as a password, or store it in some other insecure fashion. These practices increase risk, especially if the password is weak and/or never changes. The SolarWinds attack was linked to password mismanagement. Through PAM, contractors instead log into a bastion host, which is a secured intermediary proxy, using standard user privileges, and the bastion then brokers a connection to the target without ever exposing the elevated credentials to the user.

Automation of password rotation. This is particularly relevant for the non-human service accounts. When a service account contacts an internal database server, for example, it will use a password to gain access. But the password often remains static – something a CISO has to address. Doing so manually, however, is logistically impractical if not impossible. PAM tools will automatically rotate passwords, as frequently as deemed necessary, sometimes even on a per-usage/session basis.
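To make the credential brokering and per-session rotation described in the two paragraphs above concrete, here is an added illustration in Python, not code from the article or from any PAM product. The target system, the user names, the starting password and the audit record format are all constructed; a real PAM tool would change the password on the target through its own connector rather than an in-memory stand-in.

```python
import secrets
from datetime import datetime, timezone


class FakeTarget:
    """Stand-in for an internal database server (constructed for this example)."""

    def __init__(self, password):
        self._password = password

    def authenticate(self, password):
        if not secrets.compare_digest(password, self._password):
            raise PermissionError("bad credential")

    def rotate(self, old, new):
        self.authenticate(old)   # prove the current secret before changing it
        self._password = new


class CredentialBroker:
    """Vaults each target's elevated credential and brokers sessions to it: the
    requester only gets an opaque session handle, the broker logs in on their
    behalf, records every checkout/checkin, and rotates the secret at checkin."""

    def __init__(self, targets):          # {name: (FakeTarget, current_password)}
        self._vault = dict(targets)
        self._sessions = {}
        self.audit_log = []

    def _record(self, event, user, target, session_id):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user,
                               "target": target, "session": session_id})

    def checkout(self, user, target):
        tgt, password = self._vault[target]
        tgt.authenticate(password)        # only the broker ever touches the secret
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = (user, target)
        self._record("checkout", user, target, session_id)
        return session_id

    def checkin(self, session_id):
        user, target = self._sessions.pop(session_id)
        tgt, old = self._vault[target]
        new = secrets.token_urlsafe(24)
        tgt.rotate(old, new)              # anyone who noted the old secret now has nothing
        self._vault[target] = (tgt, new)
        self._record("checkin", user, target, session_id)
        self._record("rotate", "broker", target, session_id)
```

The audit log is the "movie" the article refers to: every checkout, checkin and rotation is recorded with who, what and when, while the contractor only ever holds a session handle.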

It’s clear that the government can’t accomplish its mission goals without the support of third-party partners and service accounts, just as it relies upon the talents and capabilities of its own employees and internal cyber resources. But CISOs can’t ignore the risk potential of the external entities which routinely gain access to their networks and digital assets. Through PAM, they ensure every interaction is tracked and audited, while significantly strengthening password management. As a result, they greatly improve the chances that their agency won’t end up as an Exhibit A illustration of what not to do to prevent a compromise.

About Miguel Sian
Miguel Sian is vice president of technology at Merlin Cyber.