By Raj Dodhiawala, President, Remediant
Over the years, the healthcare sector has had more than its fair share of cyberattacks. Just this month, the LAPSUS$ breach that hit big-name brands like Nvidia, Samsung, and Microsoft prompted warnings from the DOH and HHS of future exploits — a now daily occurrence, with industry and government organizations urging leaders to stay vigilant against the current backdrop of geopolitical strife and a volatile cyber landscape.
As a CIO or CISO, or even a CEO or board member of a healthcare organization, the current reality is threefold: ransomware attacks in this sector are rising, disruption and loss of business continuity due to these attacks are getting more expensive, and exploding cyber insurance premiums are substantially impacting bottom-line numbers.
In the MITRE ATT&CK framework, Credential Access, Privilege Escalation, and Lateral Movement are amongst the top tactics used by attackers. At their core, these techniques all leverage “privilege sprawl” – the always-on, always-available administrative access to servers, workstations, and laptops. Companies looking to combat this must recognize these weaknesses and ask themselves and their teams, “Is this 24×7 administrative access to all of our systems necessary?” They should then ask, “How do I discover my privilege sprawl?”
Well, how do they? Take Active Directory, for instance: it is nearly impossible to unravel which admins are provisioned through groups and nested groups, and getting a holistic picture can take months of review and analysis. If a company has invested in a Privileged Access Management (PAM) product, not all of its admin credentials may be vaulted either. Then there is the issue of local admin accounts: shadow IT accounts often bypass policies for convenience.
The net effect is that healthcare organizations typically have a runaway privilege account sprawl that is hard to recognize and harder to control. And it is this very sprawl, the large privilege account attack surface, that attackers drool over. They look to exploit it every day and at every opportunity. An unpatched vulnerability, a business email compromise or stolen admin credentials: all these simply are the starting point for attackers. Once they’ve secured a toehold, the attacker will elevate privileges, move around laterally by virtue of implicit trust conferred to privileged accounts, then scrape more admin credentials from system memory. Eventually, they end up on systems containing the “crown jewels” of an organization to encrypt for a ransom or to cause a data breach.
The ailment of privilege sprawl therefore demands a health check today. There is no excuse to be without the comprehensive knowledge and visibility into all admin accounts across all systems. Info security leads should know which system has the greatest number of admin accounts and which specific account is provisioned on what systems (either directly or inherited from a group membership or via nested groups). Additionally, they should know the path of administrative access from any given endpoint to critical systems by virtue of implicit trust or additional credential compromise: the very path an attacker follows to successfully cause a breach on these systems.
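The discovery step described above, as an added example that is not code from this article or from Remediant: a small model that expands nested group membership into the effective set of admin accounts on each system and answers the two health-check questions (which system carries the most admins, and which systems each account is admin on). The directory, hosts and account names are constructed for illustration.

```python
"""Privilege-sprawl health check on a constructed directory: resolve nested
group membership into effective admin accounts per system."""
from collections import deque

# Constructed AD-style groups: group -> direct members (users or groups).
GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"bob", "Helpdesk-Leads"},
    "Helpdesk-Leads": {"carol", "dave"},
    "Workstation-Admins": {"erin", "Helpdesk-Leads"},
}

# Constructed systems: local Administrators group -> direct members.
SYSTEMS = {
    "dc01": {"Domain Admins"},
    "ehr-db01": {"Domain Admins", "svc_backup"},
    "ws-nurse-07": {"Workstation-Admins", "localadmin"},
    "ws-front-desk": {"Workstation-Admins", "Helpdesk-Leads", "localadmin"},
}

def expand(principal, groups=GROUPS):
    """Return the user accounts reachable from a principal through any
    depth of group nesting; a `seen` set tolerates membership cycles."""
    users, seen, queue = set(), set(), deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            queue.extend(groups[p])   # a group: walk into its members
        else:
            users.add(p)              # a leaf: an actual account
    return users

def effective_admins(systems=SYSTEMS, groups=GROUPS):
    """Map each system to every account that ends up with admin rights on
    it, whether provisioned directly or inherited via nested groups."""
    return {host: set().union(*(expand(m, groups) for m in members))
            for host, members in systems.items()}

def sprawl_report(systems=SYSTEMS, groups=GROUPS):
    """Which system has the most admin accounts, and on which systems is
    each account an admin (the account's lateral-movement footprint)."""
    admins = effective_admins(systems, groups)
    busiest = max(admins, key=lambda h: len(admins[h]))
    footprint = {}
    for host, users in admins.items():
        for u in users:
            footprint.setdefault(u, set()).add(host)
    return busiest, {u: sorted(h) for u, h in footprint.items()}
```

On this data a helpdesk lead such as carol is an administrator on every host, including the domain controller, purely through two levels of nesting that no single group listing reveals.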
The very reason that people take COVID tests (i.e., to avoid passing the virus laterally to family and friends), is the same reason to make systems immune to lateral movement. It is imperative, given today’s heightened risks of cyberattacks, to perform a health check that arms security executives with insights into privilege sprawl and the corresponding attack surface. Like with a COVID self-quarantine, only then will they know what actions to take to protect their organization from privilege escalation and lateral movement attacks.
The natural question that follows is, “Now that I know, what can I do to actually reduce my attack surface and prevent lateral movement?” Advances in cybersecurity have coalesced into a best practice called Zero Trust. Organizations must make their systems immune to these attack techniques, and implementing Zero Standing Privilege is a compelling method for gaining such immunity. Why not remove the 24×7 access and local admin accounts (other than the necessary minimum) and make systems immune to privilege escalation and lateral movement techniques? Trust no one and, above all, remove implicit trust. Zeroing in on Zero Trust: that, now, is solid protection.
Zero Standing Privilege (ZSP) rests on two important protective measures: (a) admin accounts do not need to be persistent (because persistent accounts are a large attack surface) and (b) admins should not be allowed to log in whenever they please (a convenience that is readily exploited). When an admin should be allowed privileged access is perhaps more important than the fact that the admin needs access. ZSP aligns with the Principle of Least Privilege (PoLP) too: over-privileging accounts on a system, or allowing privileged access at all times, violates this principle.
Complementing ZSP is just-in-time administration (JITA). Once all admin accounts are removed, security and IT personnel can determine how to authorize the admin to do their job. Just-in-Time access enables access to the right system, at the proper time, for the appropriate duration. No more, no less. Once the time expires, the system is placed back in a Zero Standing Privilege state. Any exposure is therefore limited, and even if that single system is compromised during the admin’s session, lateral movement is averted because the compromised admin account does not exist on any other system. An added benefit of this controlled JITA process is that it can become the central point for other capabilities that bolster security and policies, for instance, multi-factor authentication.
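The ZSP plus JITA model described in the two paragraphs above, as an added example that is not code from this article or from Remediant: hosts carry no standing admin accounts, a grant exists only for a requested window on one host, and the account's lateral-movement blast radius is therefore one host during the session and none after it expires. Host names, account names and timestamps are constructed; the MFA check is modelled as a boolean input.

```python
"""Zero Standing Privilege with just-in-time administration, modelled on
constructed data."""
from dataclasses import dataclass, field

@dataclass
class Grant:
    account: str
    host: str
    start: int        # epoch seconds (constructed values in the test)
    duration: int     # seconds the admin is allowed on that one host

    @property
    def end(self):
        return self.start + self.duration

@dataclass
class ZspEstate:
    """Every host starts with an empty Administrators group; membership
    exists only while a grant is active, then the host reverts to ZSP."""
    hosts: set
    grants: list = field(default_factory=list)

    def request(self, account, host, now, duration, mfa_passed):
        """JITA is the single chokepoint, so policy (here: MFA and a
        positive duration) is enforced before any privilege is granted."""
        if host not in self.hosts or not mfa_passed or duration <= 0:
            return None
        g = Grant(account, host, now, duration)
        self.grants.append(g)
        return g

    def admins_on(self, host, now):
        """Effective admin set on `host` at time `now`; empty once all
        grants for that host have expired."""
        return {g.account for g in self.grants
                if g.host == host and g.start <= now < g.end}

    def blast_radius(self, account, now):
        """Hosts a compromised `account` could reach by implicit trust at
        time `now`: exactly those where it currently holds admin rights."""
        return {h for h in self.hosts if account in self.admins_on(h, now)}
```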
The insights that a health check provides are eminently useful. Besides knowing the extent of an organization’s privilege sprawl, security leaders can also act on privileged access risk by implementing ZSP and JITA to protect their organization. It’s like having the COVID vaccine available as readily as the test. If a person has zero trust that they won’t be infected with COVID from attending a crowded event, compelling them to take the right precautions, why not extend this kind of Zero Trust to your privilege sprawl?
Raj Dodhiawala has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets. Currently serving as President of Remediant, he is bringing focus, agility and collaboration across sales, marketing, finance and operations and leading the company through its next phase of growth.