8 Identity & Access Metrics To Manage Breach Risks
Measurables for improving security posture around access controls.
April 2, 2015
Another piece of low-hanging fruit, the count of open ports is a good way to tell whether organizations are again leaving the proverbial door wide open.
"This will inform you of all the various attack vectors that an intruder can try to leverage to gain unauthorized access," says Dustin Melancon, senior network engineer for Venyu. "After you are aware of all possible attack vectors, you can begin closing all unnecessary TCP/UDP ports and in effect minimizing your exposed attack surface."
If tracking the specific revocation window is too much for an organization, it should at least be able to keep track of the number of abandoned and orphan accounts sitting around the organization. This metric will offer insight into the susceptibility to fraudulent access.
"Many organizations have a surprisingly large number of accounts that remain accessible for 90, 180 or more days without being used," Johnson says. "Accounts that are not managed, particularly service accounts which oftentimes have administrative privileges, represent an access risk."
"When an employee leaves a company or is let go, the systems and applications that the individual had access to during their tenure remain vulnerable to an insider attack until those account credentials are revoked and account passwords are changed," Wenzler says.
Organizations should be tracking this window and seeking to keep it as small as possible through structured policies around deprovisioning, he says.
While passwords are very crackable these days, improperly managing them is akin to leaving the car door open for car thieves. Sure, an attacker could break a window to get in, but when you leave it open you're just making their job even easier. Organizations should be tracking and trying to increase how frequently passwords are changed. This is especially true for privileged accounts.
"Routine changing of passwords on a scheduled basis or each time after a credential has been used is the most basic method of ensuring that privileged account passwords remain secure," says Nathan Wenzler, technology evangelist for Thycotic.
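The dormant-account, orphan-account, revocation-window and privileged-password-age metrics described above can all be derived from a single account inventory. The script below is an added example, not code from the article or any of the vendors quoted; the inventory rows, the 90/180-day buckets and the 90-day rotation policy are constructed assumptions for illustration.

```python
from collections import namedtuple
from datetime import date, timedelta

# One row per account. last_login / pw_changed are the most recent dates,
# left is the owner's departure date (None if still employed) and disabled
# is the date the account was disabled (None if it is still enabled).
Account = namedtuple("Account", "name kind privileged last_login pw_changed left disabled")

# Constructed sample inventory (assumption, not data from the article).
D = date
ACCOUNTS = [
    Account("alice",      "user",    False, D(2015, 3, 30), D(2015, 1, 10), None,           None),
    Account("bob",        "user",    True,  D(2015, 3, 28), D(2014, 6, 1),  None,           None),
    Account("svc_backup", "service", True,  D(2014, 9, 1),  D(2013, 2, 15), None,           None),
    Account("carol",      "user",    False, D(2014, 12, 1), D(2014, 11, 1), D(2014, 12, 5), D(2015, 1, 20)),
    Account("dave",       "user",    True,  D(2014, 12, 28), D(2015, 1, 2), D(2015, 2, 3),  None),
]
TODAY = date(2015, 4, 2)  # the article's publication date, used as "now"


def dormant_accounts(accounts, days, today=TODAY):
    """Still-enabled accounts not used for at least `days` days (90/180-day buckets)."""
    cutoff = today - timedelta(days=days)
    return sorted(a.name for a in accounts if a.disabled is None and a.last_login <= cutoff)


def orphan_accounts(accounts):
    """Accounts whose owner has left the organization but which are still enabled."""
    return sorted(a.name for a in accounts if a.left and a.disabled is None)


def revocation_windows(accounts, today=TODAY):
    """Days from owner departure to account disablement; open windows run up to today."""
    return {a.name: ((a.disabled or today) - a.left).days for a in accounts if a.left}


def stale_privileged_passwords(accounts, max_days, today=TODAY):
    """Enabled privileged accounts whose password is older than the rotation policy."""
    return sorted(a.name for a in accounts if a.privileged and a.disabled is None
                  and (today - a.pw_changed).days > max_days)


def privileged_service_accounts(accounts):
    """Service accounts carrying administrative privilege, called out above as a risk."""
    return sorted(a.name for a in accounts if a.kind == "service" and a.privileged)


if __name__ == "__main__":
    print("dormant 90d:", dormant_accounts(ACCOUNTS, 90))
    print("dormant 180d:", dormant_accounts(ACCOUNTS, 180))
    print("orphaned:", orphan_accounts(ACCOUNTS))
    print("revocation window (days):", revocation_windows(ACCOUNTS))
    print("privileged pw > 90d:", stale_privileged_passwords(ACCOUNTS, 90))
    print("admin service accounts:", privileged_service_accounts(ACCOUNTS))
```

Note that dave's password is exactly 90 days old and so does not trip a strict "older than 90 days" rule; decide deliberately whether the policy boundary is inclusive before reporting the metric.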
Access management isn't just about authorizing and authenticating people. With the rise of mobility and the Internet of Things, it is also about doing the same for devices.
The delta between the assumed device count and the actual number of devices connected to the network is sometimes referred to as the network visibility gap.
"Any vulnerability management tools, SIEM, and so on, that an organization uses needs to be working off of a complete set of network information in order to be truly effective," says Reggie Best, chief product officer for Lumeta Corporation. "Eliminating the network visibility gap is the starting point by which an organization can get a true assessment of its security posture."
As 2015 stacks up to be yet another banner year for breaches and attacks against enterprises, one of the most common factors in devastating compromises is the attacker's ability to move laterally through network resources and find ways to escalate privileges or abuse existing access.
Whether it is an insider who takes advantage of an overprivileged account, or a hacker who uses an open port to move through the network until he or she finds a superuser account using default passwords, many of today's security problems eventually come down to poor access and authentication processes and configurations. Dark Reading recently caught up with a number of security experts about the best metrics for keeping access control in check. Here's what they say.
Administrator privileges are the proverbial brass ring for hackers and insiders seeking juicy information.
"An exploit might take advantage of someone running as a privileged user, either by social engineering or by simple password cracking," says Morey Haber, vice president of technology for BeyondTrust. "In addition, insider threats with excessive privileges can go undetected for long periods of time while sensitive data is extracted or misused."
Kurt Johnson, vice president of strategy for Courion, agrees.
"Organizations need to be asking who has privileged accounts, how many of these accounts are active, and do they have oversight," Johnson says.