Locking the Backdoor…Achieving Strong Privileged User Authentication Through PKI and F5
Increasing Prevalence of Phishing Attacks
In the past, exploiting user privileges was traditionally done through web servers. Today, phishing is the entry point the vast majority of the time. Attackers typically gain a foothold through an ordinary user account, with the goal of reaching domain-wide access through a privileged user account, whether on domain controllers or other servers.
- In the last year, phishing attempts have risen in frequency by 65% (PhishMe).
- 95% of all attacks on enterprise networks are the result of successful spear phishing (SANS Institute).
- 30% of phishing messages are opened by targeted users, and 12% of those users click on the malicious attachment or link (Verizon Data Breach Investigations Report).
Here’s the thing about users, rights, and digital identities: confusion arises because people are usually seen as individual users, and individual users are what cyberattacks target. Keep in mind, though, that the real goal is privileged user access, because that is what enables reaching the data itself; the data lives on servers and is accessed and managed by a much smaller set of privileged users.
Targeting Users with Higher Level Privileges
Most of the time, hackers target people with higher-level privileges, the “whales”, such as executive leadership, system administrators, or both. From there, they move laterally by escalating privileges. A basic user with no privileges is limited to checking email and browsing the internet and typically has no access to back-end servers and data except through a front-end application. Hackers target the users who administer the servers, applications and databases, and they focus on the systems whose weakest link is a username and password alone. Because many administrators share usernames and passwords among themselves and across platforms or systems, once an adversary is inside the network it is a simple task to move laterally unless some form of strong authentication or tiered permissions is in place.
PKI as a Stronger Alternative to Usernames and Passwords
While usernames and passwords aren’t going anywhere, one way to strengthen security is public key cryptography, deployed through a PKI. This establishes a strong identity that is far harder to compromise than a username and password alone.
The use of PKI credentials results in a much stronger level of security. When properly deployed, every web application server already carries some form of PKI certificate, the one that underpins its TLS/SSL encryption. An outward-facing application protected by TLS, combined with strong certificate-based authentication through a Common Access Card (CAC) or PIV card, is a solid line of defense.
How to Achieve Security When Servers and Old Mainframes Don’t Support Public Key Encryption
Combining PKI encryption with strong authentication is an effective defense against cyberattacks such as phishing; however, the problem of old mainframes and non-compliant systems remains. The weakest link on a network is the back end, where many appliances and old mainframes don’t support public key encryption. This leads many organizations to rely on third-party products that stand in for PKI with weaker authentication, such as a username and password or an RSA token, and that approach increases risk.
As a solution to this problem, August Schell partnered with F5, which developed a capability that uses your PKI credentials with an F5 device. The F5 software lets you present your PKI credentials, and before you reach the console of a back-end server, whether a database or some type of networking appliance, it proxies the session and lets you authenticate to that server with your strong PKI credential. We create an admin token: our PKI system issues a token tied to your admin role. The F5 device thus gives you a secure means to authenticate to back-end devices rather than relying on usernames and passwords or other third-party software solutions.
This is done using the F5 Privileged User Access Solution, which adds CAC/PIV authentication to network infrastructure that does not support it natively. It does so without requiring client software or agents anywhere in the environment, and it lets you keep using legacy or non-compliant systems in a safe and secure manner. It integrates directly with DoD PKI systems and can be configured to work alongside an existing RADIUS, TACACS, Active Directory, or a variety of third-party authentication databases. It also lets you monitor system administrators’ actions more effectively through a central console that feeds into your existing Security Information and Event Management (SIEM) capability for real-time reporting.
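The brokering stage just described, as an added example that is neither August Schell’s nor F5’s code: a verified PKI identity is mapped to an admin role, a short-lived signed admin token is minted, the backend credential stays inside the broker, and every session decision is emitted as a SIEM-style event. It assumes mutual TLS has already been terminated and the certificate chain-validated upstream; the CN-to-role map, backend names and key are constructed sample data, and the token is a plain HMAC-signed claim set, not any F5 format.

```python
import base64, hashlib, hmac, json, time

# Assumption: mutual TLS is terminated upstream (the F5 in the article) and the client
# certificate is chain-validated there; we receive it in ssl.SSLSocket.getpeercert() dict shape.
BROKER_KEY = b"constructed-demo-key-replace-and-rotate"  # held only by the broker
TOKEN_TTL = 300  # seconds: admin tokens are short-lived by design
ROLE_BY_CN = {"ADMIN.JANE.1234567890": "db-admin", "ADMIN.JOE.0987654321": "net-admin"}  # constructed
# Hypothetical legacy backends: (required role, reference to the credential kept in the broker's
# vault). The backend password itself is never shown to the administrator.
BACKENDS = {"legacy-db-01": ("db-admin", "vault-ref:legacy-db-01"),
            "core-switch-07": ("net-admin", "vault-ref:core-switch-07")}

def subject_cn(peer_cert):
    """Return the commonName from a getpeercert()-style dict, or None if absent."""
    return next((v for rdn in peer_cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)

def issue_admin_token(peer_cert, now=None):
    """Map the verified PKI identity to a role and mint an HMAC-signed, expiring token."""
    cn = subject_cn(peer_cert)
    role = ROLE_BY_CN.get(cn)
    if role is None:
        return None  # valid certificate, but not an enrolled administrator
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": cn, "role": role, "exp": now + TOKEN_TTL}, sort_keys=True).encode()
    mac = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def verify_admin_token(token, now=None):
    """Return the token's claims if the MAC is valid and it is unexpired, else None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(mac, hmac.new(BROKER_KEY, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] > now else None

def broker_session(token, backend, now=None):
    """Authorize a privileged session and return (credential_ref_or_None, siem_event)."""
    now = int(time.time()) if now is None else now
    claims = verify_admin_token(token, now)
    required_role, cred_ref = BACKENDS.get(backend, (None, None))
    allowed = claims is not None and claims["role"] == required_role
    event = {"ts": now, "actor": claims["sub"] if claims else "unknown", "target": backend,
             "action": "privileged-session", "outcome": "allow" if allowed else "deny"}
    return (cred_ref if allowed else None), event
```

The returned event is what would be forwarded to the SIEM; a deny with actor "unknown" is the signal that someone presented an expired or tampered token.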
In the DoD and the Federal Government in particular, using a stronger level of authentication with existing PKI credentials has never been more critical, especially as attack methods such as phishing grow in frequency as a way to compromise back-end access. How are you approaching security for legacy and non-compliant systems? If you’re relying on usernames and passwords or tokens, your organization is at risk. To learn more about leveraging the F5 Privileged User Access Solution to improve your security posture and decrease the risk of cyberattacks, August Schell is here to assist you. Get in touch with an August Schell cybersecurity specialist, or call us to speak to someone today at (301)-838-9470.