HOT TOPIC The five deadly sins that increase the risks of a data breach Despite prioritising privileged access management, a majority of enterprises fail to prevent the abuse or misuse of privileged credentials, says BeyondTrust’s vice president of technology, Morey J. Haber. B eyondTrust has announced its annual Privileged Access Management survey which identified the ‘Five Deadly Sins of Privileged Access Management,’ and how they prevent organisations from effectively protecting sensitive information. For years, security experts have outlined best practices for privileged access management (PAM) in an effort to reduce problems associated with the abuse of privileged credentials. Despite this, IT organisations continue to struggle with privileged access management. To understand why, BeyondTrust recently surveyed nearly 500 IT professionals from around the world with involvement in privileged access management. Because so many attacks start with the misuse of privi leged accounts, it is not surprising that respondents rated the following three security measures as somewhat to extremely important to their efforts: rivileged access management P (83%) P rivileged session management (74%) P rivilege elevation management (74%) When asked what issues keep them awake at night, respondents most often cited the misuse of personally identifiable information (86%), downtime of computing systems (85%), and loss of intellectual property (80%). Y et , d e s p i te t h e s e w i d e s p re a d co n c e r n s , Fo r re s te r 16 | September 2017 re s e a rc h f i n d s t h at 8 0 % of d ata b re a c h e s a re t h e re s u l t of t h e a b u s e o r m i s u s e of p r i v i l e ge d c re d e nt i a l s . T h e B e y o n d Tr u s t s u r ve y f i n d s t h e ‘ 5 D e a d l y Si n s of P r i v i l e ge d Acc e s s M a n a ge m e nt ’ a re to b l a m e fo r t h i s co nt ra d i ct i o n b et we e n t h e fa ct t h at s o m a n y I T o rga n i s at i o n s s t r u g g l e to s e c u re s e n s i t i ve i nfo r m at i o n d e s p i te t h e i r h i g h l eve l s of awa re n e s s a n d co m m i t m e nt to PA M : Apathy When asked to list the top threats associated with passwords, respondents listed employees sharing passwords with colleagues (79%), employees not changing default passwords their devices ship with (76%), and using weak passwords like ‘12345’ (75%). Despite knowing better, respondents admitted that many of these same bad practices are common within their organisation. A third of the respondents report users routinely share passwords with each other, and a fourth report the use of weak passwords. Shockingly, one in five report many users don’t even change the default passwords! Greed Users often insist they need full administrative privileges over their devices, and that creates problems for IT. Some 79% of respondents cited allowing users to run as administrators on their machines as their big gest threat, followed by not having control over applications on users’ machines (68%). Yet, nearly two in five respondents admit it is common for users to run as administrators on their machines. It is no surprise that many respondents say these practices have directly caused downtime of computing systems. Pride As the saying goes, pride cometh before the fall. One in five respondents say attacks combining privileged access with exploitation of an unpatched vulnerability are common. Simply patching known system vulnerabilities can prevent most of today’s commonly-reported attack vectors. Yet, too often, IT does not stay current on their patches. Ignorance Two-thirds say managing least privilege for Unix/Linux servers is somewhat to extremely important. One popular option is Sudo. However, just 29% say Sudo meets their needs. The most commonly cited problems with Sudo include being time- consuming to use (32%), complexity (31%) and poor version control (29%). Despite this, the typical respondent runs Sudo on 40 workstations and 25 servers. Envy Enterprises are rushing to embrace cloud computing. Yet, more than a third report that they are not involved in protecting SaaS applications from privileged access abuse.