The 2020 Verizon Data Breach Investigations report found that 80 percent of breaches are caused by compromised or weak credentials. This makes privileged access management (PAM) strategies a must-have. Failing to manage and monitor privileged accounts effectively can be the difference between keeping an organization secure and suffering a catastrophic breach, like the one at Twitter, which illustrates the dangers of ineffective PAM strategies.
In July, hackers launched a cryptocurrency scam through 130 verified Twitter accounts. Twitter mainly verifies accounts of public interest, including accounts by high-profile users in music, acting, fashion, politics, religion, journalism, sports, or business.
What made the attack successful was the hacker’s ability to gain access to the credentials of each verified account. Typically, attackers impersonate high-profile accounts for scams, but rarely do they have access to the actual account. By obtaining access, the hackers made the scam look legitimate, resulting in a payday of more than $120,000.
Two weeks later, Twitter discovered that three teenagers were behind the attack. Using a “phone spear phishing” technique, the teenagers posed as IT staff to trick Twitter employees into giving up their credentials. With access to the employee accounts, the hackers were able to gain privileged access into an administrative tool that allowed them to interact with verified accounts.
This hack points to a lack of PAM policies in place at Twitter. Without an understanding of which employees have privileged access, IT can’t identify suspicious activity within the network. This made it almost impossible for Twitter to detect the hackers before the account takeover occurred.
Make identity the new perimeter
The Twitter breach shines a light on a problem companies have had for years: who should have access to what data and services? Ensuring PAM processes are accurate has never been a top focus for organizations. Instead, companies are focused on securing the perimeter.
However, because of the pandemic, the perimeter has drastically changed. With everyone working remotely, firewalls and VPNs can no longer defend employees against the new threat environment. To ensure a Twitter-size breach doesn’t occur, organizations need to make identity the new perimeter. Through strict PAM procedures, companies can ensure that every employee has the right access to the right system. Placing identity at the center lets the IT team identify and mitigate suspicious activity faster.
In the case of Twitter, a solid PAM strategy would have started with only a select number of employees having access to verified accounts. Through a strong understanding of its privileged accounts, the IT team could have quickly identified the suspicious activity, allowing them to immediately stop the hackers before they infiltrated the accounts.
How to stop future PAM breaches
The Twitter breach should cause every company to look into and correct any poor PAM practices. Start by remediating weak security practices. Here are a few quick wins companies can achieve right away:
- Reduce rights and access for each account to the bare minimum. Always enforce the principle of least privilege, meaning that each account should have the minimum rights required to carry out a specific task. For Twitter, this starts with reassessing who has access to verified accounts.
- Make sure the security team knows where privileged accounts exist and who uses them. Large enterprises running networks with thousands of servers and network devices often lack an accurate inventory of these assets. Keeping an accurate list of the employees with privileged access lets the IT department quickly identify and revoke access for employees reaching sections of the network they don’t belong in. Active Directory tools can also help automate this process, alleviating the legwork for IT pros who can’t keep up with the rapid changes happening internally.
- Teach users and admins the value of their identity and credentials. If both users and admins understand the potential for damage or loss to the organization from a credential breach, they will handle credentials more carefully and be less likely to share them. Well-trained users and admins will never share a credential over the phone – ever.
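The second quick win above, an accurate inventory of who holds which privileged access, is also what makes detection possible: every use of an administrative tool can be checked against that inventory. The following is an added example, not code from the article or from One Identity; the inventory format, the tool names and the audit log lines are constructed for illustration.

```python
"""Flag privileged-tool access that the privileged-account inventory does not back.

Added example, not from the article. Inventory, tool names and log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed inventory: which accounts are authorized to use which privileged tools.
PRIVILEGED_INVENTORY: Dict[str, Set[str]] = {
    "alice.admin": {"verified-account-console", "user-lookup"},
    "bob.support": {"user-lookup"},
}

# Constructed audit lines from a hypothetical admin-tool gateway.
SAMPLE_LOG = """\
2020-07-15T20:01:12Z tool=user-lookup user=bob.support action=view target=@example_a
2020-07-15T20:03:44Z tool=verified-account-console user=bob.support action=change_email target=@example_b
2020-07-15T20:04:02Z tool=verified-account-console user=carol.temp action=reset_2fa target=@example_c
2020-07-15T20:05:30Z tool=verified-account-console user=alice.admin action=view target=@example_d
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) tool=(?P<tool>\S+) user=(?P<user>\S+) action=(?P<action>\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    tool: str
    action: str
    reason: str


def find_unauthorized_access(log: str, inventory: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per log line whose user/tool pair is not in the inventory."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: nothing to compare against the inventory
        user, tool = m["user"], m["tool"]
        if user not in inventory:
            reason = "account not in privileged inventory"
        elif tool not in inventory[user]:
            reason = "tool not granted to this account"
        else:
            continue  # access matches the inventory: expected privileged use
        findings.append(Finding(m["ts"], user, tool, m["action"], reason))
    return findings
```

Run against the constructed log, the support account's use of the verified-account console and the unknown account's 2FA reset are the two findings; the two inventory-backed accesses are not reported.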
At the end of the day, cybercriminals will always have an advantage when ineffective PAM strategies are in place. Only when companies put identity at the center of their security strategy will they have the upper hand.
Dan Conrad, field strategist, One Identity